Hi Folks,
Yet another device to learn and configure
I have a new Juniper SSG140 router. I would like to know how to configure it so that I can have remote access to the router from my home.
Here is what I have done:
set address "Untrust" "home" <my-home-ip-address> 255.255.255.0 "Remote support from home"
set policy id 9 from "Untrust" to "Trust" "home" "Any" "ANY" permit log
set policy id 9
And here is the entire config:
SSG140-> get config
Total Config size 6395:
set clock timezone -8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin http redirect
set admin mail alert
set admin mail server-name "xx.xx.xx.xx"
set admin mail mail-addr1 ""
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "MGT"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/8" zone "DMZ"
set interface "ethernet0/9" zone "Trust"
set interface ethernet0/0 ip xx.xx.xx.xx/30
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip xx.xx.xx.xx/30
set interface ethernet0/2 route
set interface ethernet0/8 ip xx.xx.xx.xx/27
set interface ethernet0/8 route
set interface ethernet0/9 ip xx.xx.xx.xx/30
set interface ethernet0/9 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/2 manage ping
set interface vlan1 manage mtrace
set interface ethernet0/2 ext ip xx.xx.xx.xx 255.255.255.252 dip 4 xx.xx.xx.xx xx.xx.xx.xx
set interface ethernet0/2 ext ip xx.xx.xx.xx 255.255.255.255 dip 5 xx.xx.xx.xx xx.xx.xx.xx fix-port
set interface ethernet0/2 ext ip xx.xx.xx.xx 255.255.255.255 dip 6 xx.xx.xx.xx xx.xx.xx.xx fix-port
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "xx.xx.xx.xx/16" xx.xx.xx.xx 255.255.0.0
set address "Trust" "Servers" xx.xx.xx.xx 255.255.255.0
set address "Trust" "xx" xx.xx.xx.xx 255.255.255.255
set address "Trust" "I" xx.xx.xx.xx 255.255.255.255
set address "Trust" "Public" xx.xx.xx.xx 255.255.255.255
set address "Trust" "Public" xx.xx.xx.xx 255.255.255.255
set address "Trust" "Office 1F" xx.xx.xx.xx 255.255.255.0
set address "Trust" "Office 2F" xx.xx.xx.xx 255.255.255.0
set address "Trust" "Office 2F" xx.xx.xx.xx 255.255.255.0
set address "Trust" "Voice.x" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "xx.xx.xx.xx/26" xx.xx.xx.xx 255.255.255.192
set address "Untrust" "C" xx.xx.xx.xx 255.255.255.192
set address "Untrust" "home" xx.xx.xx.xx 255.255.255.0 "Remote support from home"
set address "DMZ" "64" xx.xx.xx.xx 255.255.255.192
set group address "Trust" "Office"
set group address "Trust" "Office" add "L"
set group address "Trust" "Office" add "Office 1F"
set group address "Trust" "Office" add "Office 2F"
set group address "Trust" "Office" add "Office 2F"
set group address "Trust" "Office" add "Voicex"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 7 from "Trust" to "Untrust" "L" "Any" "ANY" nat src dip-id 6 permit log
set policy id 7
exit
set policy id 6 from "Trust" to "Untrust" "L" "Any" "ANY" nat src dip-id 5 permit log
set policy id 6
exit
set policy id 1 name "NAT to outside" from "Trust" to "Untrust" "Office" "Any" "ANY" nat src dip-id 4 permit
set policy id 1
exit
set policy id 2 from "DMZ" to "Untrust" "64" "Any" "ANY" permit
set policy id 2
exit
set policy id 4 from "Untrust" to "Trust" "Any" "L" "ANY" nat dst ip xx.xx.xx.xx permit log
set policy id 4
exit
set policy id 5 from "Untrust" to "Trust" "Any" "L" "ANY" nat dst ip xx.xx.xx.xx permit log
set policy id 5
exit
set policy id 3 name "Broadvox" from "Untrust" to "Trust" "xx.xx.xx.xx/26" "Any" "ANY" permit log
set policy id 3 disable
set policy id 3
exit
set policy id 8 from "Untrust" to "Trust" "C" "Any" "ANY" permit log
set policy id 8
exit
set policy id 9 from "Untrust" to "Trust" "home" "Any" "ANY" permit log
set policy id 9
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway xx.xx.xx.xx preference 20
set route xx.xx.xx.xx/28 interface ethernet0/9 gateway xx.xx.xx.xx preference 20
set route xx.xx.xx.xx/24 interface ethernet0/9 gateway xx.xx.xx.xx preference 20 permanent
set route xx.xx.xx.xx/32 interface ethernet0/9 preference 20
set route xx.xx.xx.xx/32 interface ethernet0/9 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
SSG140->
Yet another device to learn and configure
I have a new Juniper SSG140 router. I would like to know how to configure it so that I can have remote access to the router from my home.
Here is what I have done:
set address "Untrust" "home" <my-home-ip-address> 255.255.255.0 "Remote support from home"
set policy id 9 from "Untrust" to "Trust" "home" "Any" "ANY" permit log
set policy id 9
And here is the entire config:
SSG140-> get config
Total Config size 6395:
set clock timezone -8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin http redirect
set admin mail alert
set admin mail server-name "xx.xx.xx.xx"
set admin mail mail-addr1 ""
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "MGT"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/8" zone "DMZ"
set interface "ethernet0/9" zone "Trust"
set interface ethernet0/0 ip xx.xx.xx.xx/30
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip xx.xx.xx.xx/30
set interface ethernet0/2 route
set interface ethernet0/8 ip xx.xx.xx.xx/27
set interface ethernet0/8 route
set interface ethernet0/9 ip xx.xx.xx.xx/30
set interface ethernet0/9 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/2 manage ping
set interface vlan1 manage mtrace
set interface ethernet0/2 ext ip xx.xx.xx.xx 255.255.255.252 dip 4 xx.xx.xx.xx xx.xx.xx.xx
set interface ethernet0/2 ext ip xx.xx.xx.xx 255.255.255.255 dip 5 xx.xx.xx.xx xx.xx.xx.xx fix-port
set interface ethernet0/2 ext ip xx.xx.xx.xx 255.255.255.255 dip 6 xx.xx.xx.xx xx.xx.xx.xx fix-port
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "xx.xx.xx.xx/16" xx.xx.xx.xx 255.255.0.0
set address "Trust" "Servers" xx.xx.xx.xx 255.255.255.0
set address "Trust" "xx" xx.xx.xx.xx 255.255.255.255
set address "Trust" "I" xx.xx.xx.xx 255.255.255.255
set address "Trust" "Public" xx.xx.xx.xx 255.255.255.255
set address "Trust" "Public" xx.xx.xx.xx 255.255.255.255
set address "Trust" "Office 1F" xx.xx.xx.xx 255.255.255.0
set address "Trust" "Office 2F" xx.xx.xx.xx 255.255.255.0
set address "Trust" "Office 2F" xx.xx.xx.xx 255.255.255.0
set address "Trust" "Voice.x" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "xx.xx.xx.xx/26" xx.xx.xx.xx 255.255.255.192
set address "Untrust" "C" xx.xx.xx.xx 255.255.255.192
set address "Untrust" "home" xx.xx.xx.xx 255.255.255.0 "Remote support from home"
set address "DMZ" "64" xx.xx.xx.xx 255.255.255.192
set group address "Trust" "Office"
set group address "Trust" "Office" add "L"
set group address "Trust" "Office" add "Office 1F"
set group address "Trust" "Office" add "Office 2F"
set group address "Trust" "Office" add "Office 2F"
set group address "Trust" "Office" add "Voicex"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 7 from "Trust" to "Untrust" "L" "Any" "ANY" nat src dip-id 6 permit log
set policy id 7
exit
set policy id 6 from "Trust" to "Untrust" "L" "Any" "ANY" nat src dip-id 5 permit log
set policy id 6
exit
set policy id 1 name "NAT to outside" from "Trust" to "Untrust" "Office" "Any" "ANY" nat src dip-id 4 permit
set policy id 1
exit
set policy id 2 from "DMZ" to "Untrust" "64" "Any" "ANY" permit
set policy id 2
exit
set policy id 4 from "Untrust" to "Trust" "Any" "L" "ANY" nat dst ip xx.xx.xx.xx permit log
set policy id 4
exit
set policy id 5 from "Untrust" to "Trust" "Any" "L" "ANY" nat dst ip xx.xx.xx.xx permit log
set policy id 5
exit
set policy id 3 name "Broadvox" from "Untrust" to "Trust" "xx.xx.xx.xx/26" "Any" "ANY" permit log
set policy id 3 disable
set policy id 3
exit
set policy id 8 from "Untrust" to "Trust" "C" "Any" "ANY" permit log
set policy id 8
exit
set policy id 9 from "Untrust" to "Trust" "home" "Any" "ANY" permit log
set policy id 9
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway xx.xx.xx.xx preference 20
set route xx.xx.xx.xx/28 interface ethernet0/9 gateway xx.xx.xx.xx preference 20
set route xx.xx.xx.xx/24 interface ethernet0/9 gateway xx.xx.xx.xx preference 20 permanent
set route xx.xx.xx.xx/32 interface ethernet0/9 preference 20
set route xx.xx.xx.xx/32 interface ethernet0/9 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
SSG140->