Tim Eberhard wrote:
Is the firewall itself freezing or is it just not passing traffic?

I understand that step 1 when working with a remote device like that is typically to have the customer reboot it to see if that restores service, but is it really frozen?

You could be having interface issues (I see most are set to auto-neg) or circuit issues.

-Tim Eberhard

On Wed, Mar 11, 2009 at 3:53 PM, ChrisSerafin <ch...@chrisserafin.com <mailto:ch...@chrisserafin.com>> wrote:

    UUGGGHH,

    Major problem for me over here. I have installed a brand new
    SSG140 firewall at a client and for some reason it keeps freezing
    and will not pass traffic. We are never onsite and can't get
    console messages or troubleshoot while it's down. (I'm attaching a
    laptop to the console tomorrow for this.) We have tried
    multiple firmware changes, swapped UPSes, and actually RMA'ed the
    device for a new one. Same thing persists. Pulling my hair out, and
    JTAC says they need console access while it is down... hard to do
    for an HQ VPN hub site.

    Any ideas are more than appreciated.....THANKS! Info below

    --chris

    Product Name    SSG-140
    Host Name       QST-CHI-HQ
    Serial Number   0185062007000016
    Control Number  ffffffff
    Hardware Version        1010(0)-( 0), FPGA checksum: 0, VLAN1 IP
    (0.0.0.0)
    Software Version        6.0.0r7.0, Type: Firewall+VPN
    Feature         AV-K
    Base Mac        0019.e241.4880
    File Name       screenos_image, Checksum: e5cb9ed
    Total Memory    512MB
    Date 03/11/2009 15:51:44, Daylight Saving Time enabled.
    The Network Time Protocol is enabled.
    Up 0 hours 6 minutes 27 seconds since 11Mar2009:15:45:17
    Total Device Resets: 0.
    System in NAT/route mode.
    Use interface IP, Config Port: 80
    User Name: netscreen






    set clock ntp
    set clock timezone -6
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0
    11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "DNB" protocol tcp src-port 1024-65535 dst-port
    23202-23202
    set service "IM_Custom" protocol tcp src-port 0-65535 dst-port
    5200-5200
    set service "SOCKS" protocol tcp src-port 1024-65535 dst-port
    1080-1080
    set service "TCP-1024-5000" protocol tcp src-port 1024-65535
    dst-port 1024-5000
    set service "TCP-18190" protocol tcp src-port 1024-65535 dst-port
    18190-18190
    set service "TCP-264" protocol tcp src-port 1024-65535 dst-port
    264-264
    set service "TCP-8100" protocol tcp src-port 1024-65535 dst-port
    8100-8100
    set service "TCP-82" protocol tcp src-port 1024-65535 dst-port 82-82
    set service "Terminal_Srvc" protocol tcp src-port 0-65535 dst-port
    3389-3389
    set service "UDP-2746" protocol udp src-port 0-65535 dst-port
    2746-2746
    set service "UDP-500" protocol udp src-port 0-65535 dst-port 500-500
    set service "IPSEC" protocol 50 src-port 0-65535 dst-port 0-65535
    set service "IPSEC" + 51 src-port 0-65535 dst-port 0-65535
    set service "IPSEC" + udp src-port 0-65535 dst-port 500-500
    set service "Juniper-IDP-Comms" protocol udp src-port 0-65535
    dst-port 7101-7102
    set service "Juniper-IDP-Comms" + udp src-port 0-65535 dst-port
    7201-7202
    set service "RSA Services" protocol udp src-port 0-65535 dst-port
    5500-5500
    set service "RSA Services" + tcp src-port 0-65535 dst-port 5500-5500
    set service "MexicanGov" protocol tcp src-port 0-65535 dst-port
    8081-8081
    set service "MexicanGov" + tcp src-port 0-65535 dst-port 8089-8089
    set service "Mexico_software" protocol tcp src-port 0-65535
    dst-port 7824-7824
    set service "Mexico_software" + tcp src-port 0-65535 dst-port
    8080-8080
    set service "Mexico_MS_VPN" protocol tcp src-port 0-65535 dst-port
    1723-1723
    set service "Mexico_MS_VPN" + tcp src-port 0-65535 dst-port 47-47
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nO6/LZrBMXXXXXXXXXXXXXXCHtN6KXVn"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    unset zone "Untrust" screen tear-drop
    unset zone "Untrust" screen syn-flood
    unset zone "Untrust" screen ping-death
    unset zone "Untrust" screen ip-filter-src
    unset zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface ethernet0/0 phy full 100mb
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "ethernet0/3" zone "DMZ"
    set interface "ethernet0/4" zone "DMZ"
    set interface "tunnel.1" zone "Untrust"
    set interface "tunnel.2" zone "Untrust"
    set interface "tunnel.3" zone "Trust"
    set interface ethernet0/0 ip 192.168.180.26/24
    <http://192.168.180.26/24>
    set interface ethernet0/0 route
    unset interface vlan1 ip
    set interface ethernet0/1 ip 12.106.237.89/29
    <http://12.106.237.89/29>
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 12.63.231.146/28
    <http://12.63.231.146/28>
    set interface ethernet0/2 route
    set interface ethernet0/3 ip 192.168.3.1/24 <http://192.168.3.1/24>
    set interface ethernet0/3 route
    set interface ethernet0/4 ip 192.168.4.1/24 <http://192.168.4.1/24>
    set interface ethernet0/4 route
    set interface tunnel.1 ip unnumbered interface ethernet0/2
    set interface tunnel.2 ip unnumbered interface ethernet0/2
    set interface tunnel.3 ip unnumbered interface ethernet0/2
    set interface ethernet0/4 mtu 1460
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface ethernet0/2 ip manageable
    set interface ethernet0/3 ip manageable
    set interface ethernet0/4 ip manageable
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage telnet
    set interface ethernet0/1 manage snmp
    set interface ethernet0/1 manage web
    set interface ethernet0/2 manage ping
    set interface ethernet0/2 manage ssh
    set interface ethernet0/2 manage telnet
    set interface ethernet0/2 manage snmp
    set interface ethernet0/2 manage ssl
    set interface ethernet0/2 manage web
    set interface ethernet0/0 monitor track-ip weight 1
    unset interface ethernet0/0 monitor track-ip dynamic
    set interface ethernet0/2 dip 4 12.63.231.150 12.63.231.150
    set interface "ethernet0/2" mip 12.106.250.6 host 192.168.180.20
    netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 12.106.250.7 host 192.168.180.1
    netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 12.106.250.5 host 192.168.180.3
    netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 12.106.250.8 host 192.168.184.115
    netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 12.106.250.9 host 192.168.184.124
    netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 12.63.231.147 host 192.168.180.6
    netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 12.63.231.148 host 192.168.4.10
    netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 12.63.231.149 host 192.168.4.11
    netmask 255.255.255.255 vr "trust-vr"
    set interface ethernet0/0 ntp-server
    set flow tcp-mss
    unset flow no-tcp-seq-check
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set console page 0
    set hostname QST-CHI-HQ
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 192.168.180.10 src-interface ethernet0/0
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set dns host schedule 06:28 interval 8
    set address "Trust" "12.63.231.147/32 <http://12.63.231.147/32>"
    12.63.231.147 255.255.255.255
    set address "Trust" "12.63.231.150/32 <http://12.63.231.150/32>"
    12.63.231.150 255.255.255.255
    set address "Trust" "192.168.0.0/16 <http://192.168.0.0/16>"
    192.168.0.0 255.255.0.0
    set address "Trust" "192.168.180.0/24 <http://192.168.180.0/24>"
    192.168.180.0 255.255.255.0
    set address "Trust" "192.168.180.10" 192.168.180.10 255.255.255.255
    set address "Trust" "192.168.180.150/32
    <http://192.168.180.150/32>" 192.168.180.150 255.255.255.255
    set address "Trust" "192.168.180.163/32
    <http://192.168.180.163/32>" 192.168.180.163 255.255.255.255
    set address "Trust" "192.168.180.208/32
    <http://192.168.180.208/32>" 192.168.180.208 255.255.255.255
    set address "Trust" "192.168.180.6" 192.168.180.6 255.255.255.255
    "PDC"
    set address "Trust" "192.168.180.98/32 <http://192.168.180.98/32>"
    192.168.180.98 255.255.255.255
    set address "Trust" "192.168.180.99/32 <http://192.168.180.99/32>"
    192.168.180.99 255.255.255.255
    set address "Trust" "192.168.184.0" 192.168.184.0 255.255.255.0
    set address "Trust" "192.168.186.0/24 <http://192.168.186.0/24>"
    192.168.186.0 255.255.255.0
    set address "Trust" "192.168.188.0/24 <http://192.168.188.0/24>"
    192.168.188.0 255.255.255.0
    set address "Trust" "Chicago" 192.168.180.0 255.255.255.0
    set address "Trust" "Dallas" 192.168.182.0 255.255.255.0
    set address "Trust" "Dominican Republic" 192.168.183.0 255.255.255.0
    set address "Trust" "InternalDMZ" 12.106.237.89 255.255.255.248
    set address "Trust" "Los_Angeles" 192.168.185.0 255.255.255.0
    set address "Trust" "MailServer2" 192.168.181.8 255.255.255.255
    set address "Trust" "MailServer3" 192.168.184.11 255.255.255.255
    set address "Trust" "Mexico Vendor 2" 192.168.184.124 255.255.255.255
    set address "Trust" "Mexico Vendor1" 192.168.184.115 255.255.255.255
    set address "Trust" "Mexico_internal" 192.168.186.0 255.255.255.0
    set address "Trust" "New_York" 192.168.187.0 255.255.255.0
    set address "Trust" "newmail-192.168.180.206" 192.168.180.206
    255.255.255.255
    set address "Trust" "newmail-192.168.180.207" 192.168.180.207
    255.255.255.255
    set address "Trust" "newmail-192.168.180.208" 192.168.180.208
    255.255.255.255
    set address "Trust" "North_Carolina" 192.168.181.0 255.255.255.0
    set address "Trust" "Server05" 192.168.180.8 255.255.255.255
    set address "Trust" "Server07" 192.168.180.5 255.255.255.255 "PDC"
    set address "Trust" "Server09" 192.168.180.3 255.255.255.255
    set address "Trust" "Server10" 192.168.180.1 255.255.255.255
    set address "Trust" "TolucaMX" 192.168.184.0 255.255.255.0
    set address "Trust" "Torreno_Mx" 192.168.186.0 255.255.255.0
    set address "Untrust" "10.0.0.0/24 <http://10.0.0.0/24>" 10.0.0.0
    255.255.255.0
    set address "Untrust" "10.0.0.0/8 <http://10.0.0.0/8>" 10.0.0.0
    255.0.0.0
    set address "Untrust" "12.106.237.89/29 <http://12.106.237.89/29>"
    12.106.237.89 255.255.255.248
    set address "Untrust" "12.208.94.0/24 <http://12.208.94.0/24>"
    12.208.94.0 255.255.255.0
    set address "Untrust" "192.168.0.0/16 <http://192.168.0.0/16>"
    192.168.0.0 255.255.0.0
    set address "Untrust" "192.168.0.0/24 <http://192.168.0.0/24>"
    192.168.0.0 255.255.255.0
    set address "Untrust" "192.168.121.0/24 <http://192.168.121.0/24>"
    192.168.121.0 255.255.255.0
    set address "Untrust" "192.168.180.0/24 <http://192.168.180.0/24>"
    192.168.180.0 255.255.255.0
    set address "Untrust" "192.168.183.0/24 <http://192.168.183.0/24>"
    192.168.183.0 255.255.255.0
    set address "Untrust" "192.168.186.0/24 <http://192.168.186.0/24>"
    192.168.186.0 255.255.255.0
    set address "Untrust" "192.168.188.0/24 <http://192.168.188.0/24>"
    192.168.188.0 255.255.255.0
    set address "Untrust" "192.168.190.0/24 <http://192.168.190.0/24>"
    192.168.190.0 255.255.255.0
    set address "Untrust" "192.168.191.0/24 <http://192.168.191.0/24>"
    192.168.191.0 255.255.255.0
    set address "Untrust" "192.168.20.0/24 <http://192.168.20.0/24>"
    192.168.20.0 255.255.255.0
    set address "Untrust" "200.12.52.113/32 <http://200.12.52.113/32>"
    200.12.52.113 255.255.255.255
    set address "Untrust" "216.184.126.113" 216.184.126.113
    255.255.255.255
    set address "Untrust" "64.74.172.210/32 <http://64.74.172.210/32>"
    64.74.172.210 255.255.255.255
    set address "Untrust" "66.29.23.0/24 <http://66.29.23.0/24>"
    66.29.23.0 255.255.255.0
    set address "Untrust" "69.27.238.0/24 <http://69.27.238.0/24>"
    69.27.238.0 255.255.255.0
    set address "Untrust" "Cali" 192.168.121.0 255.255.255.0
    set address "Untrust" "Defkon_NSM" 205.234.155.199 255.255.255.255
    set address "Untrust" "Defkon_RKON" 205.234.155.0 255.255.255.0
    set address "Untrust" "Guatemala" 192.168.188.0 255.255.255.0
    set address "Untrust" "HongKong" 192.168.1.0 255.255.255.0
    "Interior office range"
    set address "Untrust" "ISA-1-12.63.231.148" 12.63.231.148
    255.255.255.255
    set address "Untrust" "ISA-2-12.63.231.149" 12.63.231.149
    255.255.255.255
    set address "Untrust" "Katharion_SPAM_1" 64.74.172.0 255.255.255.0
    set address "Untrust" "Katharion_SPAM_2" 64.74.173.0 255.255.255.0
    set address "Untrust" "Katharion_SPAM_3" 207.154.50.9 255.255.255.0
    set address "Untrust" "Katharion_SPAM_4" 208.70.88.0 255.255.255.0
    set address "Untrust" "Katharion_SPAM_5" 208.70.89.0 255.255.255.0
    set address "Untrust" "Katharion_SPAM_6" 208.70.90.0 255.255.255.0
    set address "Untrust" "Katharion_SPAM_7" 208.70.91.0 255.255.255.0
    set address "Untrust" "Katharion_SPAM_NEW1" 174.36.154.0 255.255.255.0
    set address "Untrust" "Katharion_SPAM_NEW2" 208.43.37.0 255.255.255.0
    set address "Untrust" "Mexico_internal" 192.168.186.0 255.255.255.0
    set address "Untrust" "Mexico_Vendor_VPN" 12.26.200.0 255.255.255.0
    set address "Untrust" "Singapore" 192.168.190.0 255.255.255.0
    "Interior office range"
    set address "Untrust" "Texas" 192.168.182.0 255.255.255.0
    set address "Untrust" "TriActive" 66.45.78.1 255.255.255.0
    set address "Global" "200.57.157.65/32 <http://200.57.157.65/32>"
    200.57.157.65 255.255.255.255
    set address "DMZ" "10.1.1.0/24 <http://10.1.1.0/24>" 10.1.1.0
    255.255.255.0
    set address "DMZ" "12.63.231.148/32 <http://12.63.231.148/32>"
    12.63.231.148 255.255.255.255
    set address "DMZ" "12.63.231.149/32 <http://12.63.231.149/32>"
    12.63.231.149 255.255.255.255
    set address "DMZ" "192.168.3.10/32 <http://192.168.3.10/32>"
    192.168.3.10 255.255.255.255
    set address "DMZ" "AT&TConcentrator" 12.106.237.94 255.255.255.255
    set address "DMZ" "Cisco VPN" 12.106.237.90 255.255.255.255
    set address "DMZ" "DMZ" 12.106.237.89 255.255.255.248
    set address "DMZ" "Guatemala VPN" 12.106.237.92 255.255.255.255
    set address "DMZ" "ISA-private" 192.168.3.10 255.255.255.255
    set address "DMZ" "Juniper-IDP" 12.106.237.91 255.255.255.255
    set address "DMZ" "Juniper-SSL" 12.106.237.92 255.255.255.255
    set address "DMZ" "OWA" 12.106.237.93 255.255.255.255
    set group address "Trust" "Internal Servers"
    set group address "Trust" "Internal Servers" add "192.168.180.6"
    set group address "Trust" "Internal Servers" add "Server05"
    set group address "Trust" "Internal Servers" add "Server07"
    set group address "Trust" "Internal Servers" add "Server09"
    set group address "Trust" "Internal Servers" add "Server10"
    set group address "Trust" "Mexico Vendor"
    set group address "Trust" "Mexico Vendor" add "Mexico Vendor 2"
    set group address "Trust" "Mexico Vendor" add "Mexico Vendor1"
    set group address "Trust" "QST_Global"
    set group address "Trust" "QST_Global" add "Chicago"
    set group address "Trust" "QST_Global" add "Dallas"
    set group address "Trust" "QST_Global" add "Dominican Republic"
    set group address "Trust" "QST_Global" add "Los_Angeles"
    set group address "Trust" "QST_Global" add "New_York"
    set group address "Trust" "QST_Global" add "North_Carolina"
    set group address "Trust" "QST_Global" add "TolucaMX"
    set group address "Trust" "QST_Global" add "Torreno_Mx"
    set group service "rbza_Requirements"
    set group service "rbza_Requirements" add "FTP"
    set group service "rbza_Requirements" add "HTTP"
    set group service "rbza_Requirements" add "HTTPS"
    set group service "rbza_Requirements" add "ICMP-ANY"
    set group service "rbza_Requirements" add "SSH"
    set group service "rbza_Requirements" add "TELNET"
    set group service "rbza_Requirements" add "Terminal_Srvc"
    set ike gateway "To_Guatemala" address 209.161.118.113 Main
    outgoing-interface "ethernet0/2" preshare
    "YFpv1oMqXfKeCnyCxbe3neNbtT4g==" proposal "pre-g2-3des-sha"
    set ike gateway "To_Singapore" address 203.125.41.238 Main
    outgoing-interface "ethernet0/2" preshare
    "Byr0lsK2NFIXCDHUZMnAn0YnpSvQ==" proposal "pre-g2-3des-sha"
    set ike gateway "To_Hong_Kong" address 210.177.75.29 Main
    outgoing-interface "ethernet0/2" preshare
    "sP2QFLPyNXMMCGhYVAHRn19dnfQg==" proposal "pre-g2-3des-sha"
    set ike gateway "To_Cali" address 205.159.31.253 Main
    outgoing-interface "ethernet0/2" preshare
    "HaC5RtnENOXE6CX/qUNiHnvuelgzA==" proposal "pre-g2-3des-sha"
    set ike gateway "To_Texas" address 68.165.74.138 Main
    outgoing-interface "ethernet0/2" preshare
    "UnCKD/bWNFXCL1rKADGnWi2f+sg==" proposal "pre-g2-3des-sha"
    set ike gateway "To_Mexico" address 201.101.8.250 Main
    outgoing-interface "ethernet0/2" preshare
    "UNij3gU+NeU+XYnheYJSnWOANkRQ==" sec-level compatible
    set ike gateway "Gateway for 10.0.0.0/24 <http://10.0.0.0/24>"
    address 196.3.88.102 Main outgoing-interface "ethernet0/2"
    preshare "Vxy5XbssXV1CC5mQdwBnQJyLJVg==" proposal "pre-g2-3des-md5"
    set ike gateway "Gateway for LA" address 67.110.248.194 Main
    outgoing-interface "ethernet0/2" preshare
    "0smtBN/UNpXIQtKdntAYGiAA==" proposal "pre-g2-3des-md5"
    set ike gateway "To_Torreon" address 201.117.236.9 Main local-id
    "192.168.0.0" outgoing-interface "ethernet0/2" preshare
    "acqpXbXC9ymdI9sn4g4MNbg==" proposal "pre-g2-3des-md5"
    set ike gateway "To_Morracco" address 81.192.101.145 Main local-id
    "192.168.0.0" outgoing-interface "ethernet0/2" preshare
    "JtS3S9Xk8svPkCP9ZgWTUnb9IxPOw==" proposal "pre-g2-3des-md5"
    set ike gateway "To_UK" address 81.137.215.196 Main
    outgoing-interface "ethernet0/2" preshare
    "F+YIj2vANCrJWUsbSXCZuXnm1ZFwew==" sec-level compatible
    set ike respond-bad-spi 1
    set ike soft-lifetime-buffer 30
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "To_Guatemala" gateway "To_Guatemala" no-replay tunnel
    idletime 0 sec-level compatible
    set vpn "To_Guatemala" monitor
    set vpn "To_Singapore" gateway "To_Singapore" no-replay tunnel
    idletime 0 sec-level compatible
    set vpn "To_Hong_Kong" gateway "To_Hong_Kong" no-replay tunnel
    idletime 0 sec-level compatible
    set vpn "To_Hong_Kong" id 45 bind interface tunnel.1
    set vpn "To_Cali" gateway "To_Cali" no-replay tunnel idletime 0
    sec-level compatible
    set vpn "To_Texas" gateway "To_Texas" no-replay tunnel idletime 0
    sec-level compatible
    set vpn "To_Mexico" gateway "To_Mexico" replay tunnel idletime 0
    sec-level standard
    set vpn "To_Mexico" monitor
    set vpn "Gateway for LA" gateway "Gateway for LA" no-replay tunnel
    idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "To_Torreon" gateway "To_Torreon" replay tunnel idletime 0
    proposal "nopfs-esp-3des-md5"
    set vpn "To_Morracco" gateway "To_Morracco" replay tunnel idletime
    0 proposal "nopfs-esp-3des-md5"
    set vpn "To_UK" gateway "To_UK" no-replay tunnel idletime 0
    sec-level compatible
    set vpn "To_UK" monitor rekey
    set vpn "To_UK" id 61 bind interface tunnel.3
    set vpn "VPN for 10.0.0.0/24 <http://10.0.0.0/24>" gateway
    "Gateway for 10.0.0.0/24 <http://10.0.0.0/24>" no-replay tunnel
    idletime 0 proposal "nopfs-esp-3des-md5"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set di service HTTP content_type_length 8192
    set di service HTTP user_agent_length 8192
    set di service HTTP host_length 8192
    set di service HTTP failed_logins 50
    set di service HTTP brute_search 100
    set url protocol type scfp
    set url protocol scfp
    set config enable
    set server 192.168.180.20 62252 60
    set fail-mode permit
    set server src-interface ethernet0/0
    exit
    set vpn "To_Hong_Kong" proxy-id local-ip 0.0.0.0/0
    <http://0.0.0.0/0> remote-ip 0.0.0.0/0 <http://0.0.0.0/0> "ANY"
    set vpn "Gateway for LA" proxy-id local-ip 192.168.0.0/16
    <http://192.168.0.0/16> remote-ip 192.168.0.0/24
    <http://192.168.0.0/24> "ANY"
    set vpn "To_Torreon" proxy-id local-ip 192.168.0.0/16
    <http://192.168.0.0/16> remote-ip 192.168.186.0/24
    <http://192.168.186.0/24> "ANY"
    set vpn "To_Morracco" proxy-id local-ip 192.168.0.0/16
    <http://192.168.0.0/16> remote-ip 192.168.191.0/24
    <http://192.168.191.0/24> "ANY"
    set vpn "VPN for 10.0.0.0/24 <http://10.0.0.0/24>" proxy-id
    local-ip 192.168.0.0/16 <http://192.168.0.0/16> remote-ip
    192.168.183.0/24 <http://192.168.183.0/24> "ANY"
    set policy id 106 from "Trust" to "Untrust"
     "newmail-192.168.180.206" "10.0.0.0/8 <http://10.0.0.0/8>" "ANY"
    permit log
    set policy id 106
    set src-address "newmail-192.168.180.207"
    set src-address "newmail-192.168.180.208"
    set dst-address "192.168.0.0/16 <http://192.168.0.0/16>"
    exit
    set policy id 105 from "Trust" to "Untrust"
     "newmail-192.168.180.206" "Any" "ANY" nat src dip-id 4 permit log
    set policy id 105
    set src-address "newmail-192.168.180.207"
    set src-address "newmail-192.168.180.208"
    exit
    set policy id 104 from "Untrust" to "DMZ"  "Any"
    "MIP(12.63.231.149)" "HTTP" permit log
    set policy id 104
    set service "PING"
    exit
    set policy id 103 from "Untrust" to "DMZ"  "Any"
    "MIP(12.63.231.148)" "HTTP" permit log
    set policy id 103
    set service "HTTPS"
    set service "PING"
    exit
    set policy id 102 from "DMZ" to "Trust"  "192.168.3.10/32
    <http://192.168.3.10/32>" "192.168.180.208/32
    <http://192.168.180.208/32>" "HTTPS" permit log
    set policy id 102
    exit
    set policy id 101 from "DMZ" to "Trust"  "192.168.3.10/32
    <http://192.168.3.10/32>" "192.168.180.10" "DNS" permit log
    set policy id 101
    set dst-address "192.168.180.6"
    set service "LDAP"
    exit
    set policy id 99 from "Untrust" to "Trust"  "192.168.183.0/24
    <http://192.168.183.0/24>" "192.168.0.0/16
    <http://192.168.0.0/16>" "ANY" tunnel vpn "VPN for 10.0.0.0/24
    <http://10.0.0.0/24>" id 62 pair-policy 98 log
    set policy id 99
    exit
    set policy id 107 from "Untrust" to "Trust"  "Katharion_SPAM_1"
    "12.63.231.150/32 <http://12.63.231.150/32>" "ICMP-ANY" nat dst ip
    192.168.180.208 permit log
    set policy id 107
    set src-address "Katharion_SPAM_2"
    set src-address "Katharion_SPAM_3"
    set src-address "Katharion_SPAM_4"
    set src-address "Katharion_SPAM_5"
    set src-address "Katharion_SPAM_6"
    set src-address "Katharion_SPAM_7"
    set src-address "Katharion_SPAM_NEW1"
    set src-address "Katharion_SPAM_NEW2"
    set service "SMTP"
    exit
    set policy id 98 from "Trust" to "Untrust"  "192.168.0.0/16
    <http://192.168.0.0/16>" "192.168.183.0/24
    <http://192.168.183.0/24>" "ANY" tunnel vpn "VPN for 10.0.0.0/24
    <http://10.0.0.0/24>" id 62 pair-policy 99 log
    set policy id 98
    exit
    set policy id 97 from "Untrust" to "Trust"  "Any" "Any" "NTP"
    permit log
    set policy id 97
    exit
    set policy id 96 from "Trust" to "Untrust"  "Any" "Any" "NTP"
    permit log
    set policy id 96
    exit
    set policy id 95 from "Untrust" to "Trust"  "192.168.20.0/24
    <http://192.168.20.0/24>" "192.168.0.0/16 <http://192.168.0.0/16>"
    "ANY" permit log
    set policy id 95
    exit
    set policy id 94 from "Trust" to "Untrust"  "192.168.0.0/16
    <http://192.168.0.0/16>" "192.168.20.0/24
    <http://192.168.20.0/24>" "ANY" permit log
    set policy id 94
    exit
    set policy id 93 from "Untrust" to "Trust"  "192.168.191.0/24
    <http://192.168.191.0/24>" "192.168.0.0/16
    <http://192.168.0.0/16>" "ANY" tunnel vpn "To_Morracco" id 60
    pair-policy 92 log
    set policy id 93
    exit
    set policy id 92 from "Trust" to "Untrust"  "192.168.0.0/16
    <http://192.168.0.0/16>" "192.168.191.0/24
    <http://192.168.191.0/24>" "ANY" tunnel vpn "To_Morracco" id 60
    pair-policy 93 log
    set policy id 92
    exit
    set policy id 90 from "Trust" to "Untrust"  "192.168.0.0/16
    <http://192.168.0.0/16>" "192.168.186.0/24
    <http://192.168.186.0/24>" "ANY" tunnel vpn "To_Torreon" id 59
    pair-policy 91 log
    set policy id 90
    exit
    set policy id 88 from "Trust" to "Untrust"  "192.168.0.0/16
    <http://192.168.0.0/16>" "192.168.0.0/24 <http://192.168.0.0/24>"
    "ANY" tunnel vpn "Gateway for LA" id 57 pair-policy 89 log
    set policy id 88
    exit
    set policy id 84 name "Filter SPAM In - LDAP Requests" from
    "Untrust" to "Trust"  "Defkon_RKON" "MIP(12.63.231.147)"
    "ICMP-ANY" permit log
    set policy id 84
    set src-address "Katharion_SPAM_1"
    set src-address "Katharion_SPAM_2"
    set src-address "Katharion_SPAM_3"
    set src-address "Katharion_SPAM_4"
    set src-address "Katharion_SPAM_5"
    set src-address "Katharion_SPAM_6"
    set src-address "Katharion_SPAM_7"
    set src-address "Katharion_SPAM_NEW1"
    set src-address "Katharion_SPAM_NEW2"
    set service "LDAP"
    exit
    set policy id 83 from "Trust" to "Untrust"  "192.168.180.0/24
    <http://192.168.180.0/24>" "Mexico_internal" "rbza_Requirements"
    tunnel vpn "To_Mexico" id 50 pair-policy 81 log
    set policy id 83
    exit
    set policy id 80 from "Trust" to "Untrust"  "Any"
    "192.168.180.0/24 <http://192.168.180.0/24>" "rbza_Requirements"
    permit log
    set policy id 80
    exit
    set policy id 79 from "Untrust" to "Trust"  "Texas" "Chicago"
    "ANY" tunnel vpn "To_Texas" id 49 pair-policy 78 log
    set policy id 79
    exit
    set policy id 78 from "Trust" to "Untrust"  "Chicago" "Texas"
    "ANY" tunnel vpn "To_Texas" id 49 pair-policy 79 log
    set policy id 78
    exit
    set policy id 77 from "Untrust" to "DMZ"  "HongKong" "OWA" "ANY"
    permit log
    set policy id 77
    exit
    set policy id 76 from "DMZ" to "Untrust"  "OWA" "HongKong" "ANY"
    permit log
    set policy id 76
    exit
    set policy id 75 from "Untrust" to "Trust"  "HongKong"
    "QST_Global" "ANY" permit log
    set policy id 75
    exit
    set policy id 74 from "Trust" to "Untrust"  "QST_Global"
    "HongKong" "ANY" permit log
    set policy id 74
    exit
    set policy id 73 from "Untrust" to "Trust"  "Cali" "Chicago"
    "rbza_Requirements" tunnel vpn "To_Cali" id 43 pair-policy 72 log
    set policy id 73
    exit
    set policy id 72 from "Trust" to "Untrust"  "Chicago" "Cali"
    "rbza_Requirements" tunnel vpn "To_Cali" id 43 pair-policy 73 log
    set policy id 72
    exit
    set policy id 71 from "DMZ" to "Untrust"  "AT&TConcentrator" "Any"
    "ANY" permit log
    set policy id 71
    exit
    set policy id 66 name "To_Singapore" from "Trust" to "Untrust"
     "Chicago" "Singapore" "ANY" tunnel vpn "To_Singapore" id 27
    pair-policy 65
    set policy id 66
    exit
    set policy id 65 name "To_Singapore" from "Untrust" to "Trust"
     "Singapore" "Chicago" "ANY" tunnel vpn "To_Singapore" id 27
    pair-policy 66
    set policy id 65
    exit
    set policy id 48 name "Guatemala" from "Untrust" to "Trust"
     "Guatemala" "Chicago" "ANY" tunnel vpn "To_Guatemala" id 12
    pair-policy 49 log no-session-backup
    set policy id 48
    exit
    set policy id 49 name "Guatemala" from "Trust" to "Untrust"
     "Chicago" "Guatemala" "ANY" tunnel vpn "To_Guatemala" id 12
    pair-policy 48 log no-session-backup
    set policy id 49
    exit
    set policy id 61 name "Test Message" from "Trust" to "Global"
     "Any" "200.57.157.65/32 <http://200.57.157.65/32>" "ANY" permit log
    set policy id 61
    exit
    set policy id 51 from "Untrust" to "DMZ"  "Any" "AT&TConcentrator"
    "ANY" permit log
    set policy id 51
    exit
    set policy id 50 from "Untrust" to "Trust"  "69.27.238.0/24
    <http://69.27.238.0/24>" "MIP(12.106.250.5)" "MAIL" permit log
    set policy id 50
    set src-address "Katharion_SPAM_1"
    set src-address "Katharion_SPAM_2"
    set src-address "Katharion_SPAM_3"
    set src-address "Katharion_SPAM_4"
    set src-address "Katharion_SPAM_5"
    set src-address "Katharion_SPAM_6"
    set src-address "Katharion_SPAM_7"
    set src-address "Katharion_SPAM_NEW1"
    set src-address "Katharion_SPAM_NEW2"
    exit
    set policy id 40 name "CiscoVPN" from "Trust" to "DMZ"  "Any"
    "Cisco VPN" "ANY" permit
    set policy id 40
    exit
    set policy id 39 name "Surf Control" from "Untrust" to "Trust"
     "Any" "MIP(12.106.250.6)" "ICMP-ANY" permit
    set policy id 39 disable
    set policy id 39
    set service "Terminal_Srvc"
    exit
    set policy id 29 from "Trust" to "Untrust"  "Any"
    "192.168.121.0/24 <http://192.168.121.0/24>" "ANY" permit
    set policy id 29
    set dst-address "192.168.188.0/24 <http://192.168.188.0/24>"
    set dst-address "192.168.190.0/24 <http://192.168.190.0/24>"
    set dst-address "Mexico_internal"
    exit
    set policy id 2 from "Trust" to "Untrust"  "Internal Servers"
    "Any" "FTP" nat src permit
    set policy id 2
    set service "HTTP"
    set service "HTTPS"
    exit
    set policy id 27 from "Trust" to "Untrust"  "Any" "Any" "FTP" nat
    src permit log url-filter
    set policy id 27
    set service "HTTP"
    set service "HTTPS"
    set service "ICMP-ANY"
    set service "Mexico_software"
    set service "TELNET"
    exit
    set policy id 38 name "MexicanGov" from "Trust" to "Global"  "Any"
    "Any" "MexicanGov" permit log
    set policy id 38
    set service "Mexico_software"
    exit
    set policy id 37 name "SNMP Allowed Out" from "DMZ" to "Untrust"
     "Juniper-SSL" "Any" "ANY" permit
    set policy id 37
    exit
    set policy id 36 name "Allow Juniper SSL Gateway" from "Untrust"
    to "DMZ"  "Any" "Juniper-SSL" "HTTP" permit
    set policy id 36
    set service "HTTPS"
    set service "ICMP-ANY"
    set service "RSA Services"
    set service "SNMP"
    exit
    set policy id 34 from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 34
    exit
    set policy id 70 from "DMZ" to "Trust"  "AT&TConcentrator" "Any"
    "ANY" permit log
    set policy id 70
    exit
    set policy id 33 name "IDPTest" from "DMZ" to "Trust"
     "Juniper-IDP" "Any" "ANY" permit
    set policy id 33
    exit
    set policy id 32 name "IDP Comms Out" from "DMZ" to "Untrust"
     "Juniper-IDP" "Any" "ANY" permit
    set policy id 32
    exit
    set policy id 31 name "Juniper Comm" from "Untrust" to "DMZ"
     "Defkon_NSM" "Juniper-IDP" "ANY" permit log
    set policy id 31
    exit
    set policy id 26 name "Acces to Checkpoint Server" from "Trust" to
    "Untrust"  "192.168.180.98/32 <http://192.168.180.98/32>" "Any"
    "TCP-18190" nat src permit
    set policy id 26
    exit
    set policy id 28 from "Untrust" to "Trust"  "192.168.121.0/24
    <http://192.168.121.0/24>" "Any" "ANY" permit
    set policy id 28
    set src-address "192.168.188.0/24 <http://192.168.188.0/24>"
    set src-address "192.168.190.0/24 <http://192.168.190.0/24>"
    set src-address "Mexico_internal"
    exit
    set policy id 18 name "OLD RULE 26" from "Trust" to "Untrust"
     "Any" "Any" "DNB" nat src permit log
    set policy id 18
    set service "DNS"
    set service "IM_Custom"
    set service "MAIL"
    set service "POP3"
    set service "SOCKS"
    set service "SSH"
    set service "TCP-1024-5000"
    set service "TCP-8100"
    exit
    set policy id 14 from "DMZ" to "Trust"  "10.1.1.0/24
    <http://10.1.1.0/24>" "Any" "ANY" permit
    set policy id 14
    set src-address "Cisco VPN"
    exit
    set policy id 13 from "Untrust" to "DMZ"  "Any" "Cisco VPN" "ANY"
    permit log
    set policy id 13
    exit
    set policy id 12 from "Trust" to "DMZ"  "Any" "OWA" "ANY" permit log
    set policy id 12
    exit
    set policy id 10 from "DMZ" to "Trust"  "OWA" "Any" "ANY" permit log
    set policy id 10
    exit
    set policy id 8 from "Untrust" to "DMZ"  "Any" "OWA" "HTTPS"
    permit log
    set policy id 8
    exit
    set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny
    set policy id 3
    exit
    set policy id 4 from "Trust" to "DMZ"  "Any" "Any" "ANY" permit log
    set policy id 4
    exit
    set policy id 5 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny
    set policy id 5
    exit
    set policy id 7 from "DMZ" to "Trust"  "Any" "Any" "ANY" permit log
    set policy id 7
    exit
    set policy id 16 from "DMZ" to "Untrust"  "Guatemala VPN"
    "200.12.52.113/32 <http://200.12.52.113/32>" "IPSEC" permit
    set policy id 16
    set service "TELNET"
    exit
    set policy id 20 from "DMZ" to "Untrust"  "Guatemala VPN"
    "216.184.126.113" "IPSEC" permit
    set policy id 20
    exit
    set policy id 17 from "DMZ" to "Untrust"  "Any" "Any" "ANY" deny
    set policy id 17
    exit
    set policy id 21 from "Trust" to "Global"  "Any" "Any" "TCP-82" permit
    set policy id 21
    exit
    set policy id 24 from "Trust" to "Global"  "Any" "Any" "TCP-264"
    permit
    set policy id 24
    set service "UDP-2746"
    set service "UDP-500"
    exit
    set policy id 81 name "To_Mexico" from "Untrust" to "Trust"
     "Mexico_internal" "192.168.180.0/24 <http://192.168.180.0/24>"
    "rbza_Requirements" tunnel vpn "To_Mexico" id 50 pair-policy 83 log
    set policy id 81
    exit
    set policy id 82 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny
    set policy id 82
    exit
    set policy id 89 from "Untrust" to "Trust"  "192.168.0.0/24
    <http://192.168.0.0/24>" "192.168.0.0/16 <http://192.168.0.0/16>"
    "ANY" tunnel vpn "Gateway for LA" id 57 pair-policy 88 log
    set policy id 89
    exit
    set policy id 91 from "Untrust" to "Trust"  "192.168.186.0/24
    <http://192.168.186.0/24>" "192.168.0.0/16
    <http://192.168.0.0/16>" "ANY" tunnel vpn "To_Torreon" id 59
    pair-policy 90 log
    set policy id 91
    exit
    set syslog config "205.234.155.251"
    set syslog config "205.234.155.251" facilities local0 local0
    set syslog src-interface ethernet0/2
    set syslog enable
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set scp enable
    set config lock timeout 5
    unset license-key auto-update
    set ntp server "1.pool.ntp.org <http://1.pool.ntp.org>"
    set ntp server src-interface "ethernet0/2"
    set ntp server backup1 "2.pool.ntp.org <http://2.pool.ntp.org>"
    set ntp server backup1 src-interface "ethernet0/2"
    set ntp server backup2 "0.pool.ntp.org <http://0.pool.ntp.org>"
    set ntp server backup2 src-interface "ethernet0/2"
    set ntp max-adjustment 60
    set snmp community "rkOnmssp" Read-Write Trap-on  traffic version v2c
    set snmp community "rkOnm$$p" Read-Write Trap-on  traffic version v2c
    set snmp host "rkOnm$$p" XXXXXX 255.255.255.0
    set snmp host "rkOnmssp" XXXXXXX 255.255.255.255 src-interface
    ethernet0/2 trap v2
    set snmp location "Chicago HQ"
    set snmp contact "supp...@rkon.com <mailto:supp...@rkon.com>"
    set snmp name "QST-Chi-Firewall"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    set route 192.168.1.0/24 <http://192.168.1.0/24> interface
    tunnel.1 preference 10
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 <http://0.0.0.0/0> interface ethernet0/2
    gateway 12.63.231.145 preference 20
    set route 192.168.181.0/24 <http://192.168.181.0/24> interface
    ethernet0/0 gateway 192.168.180.19 preference 10
    set route 192.168.184.0/24 <http://192.168.184.0/24> interface
    ethernet0/0 gateway 192.168.180.19 preference 10 permanent
    set route 192.168.185.0/24 <http://192.168.185.0/24> interface
    ethernet0/0 gateway 192.168.180.19 preference 10
    set route 192.168.187.0/24 <http://192.168.187.0/24> interface
    ethernet0/0 gateway 192.168.180.19 preference 10
    set route 10.1.1.0/24 <http://10.1.1.0/24> interface ethernet0/0
    gateway 192.168.180.231 preference 10 permanent
    set route 192.168.1.0/24 <http://192.168.1.0/24> interface
    tunnel.1 preference 10
    set route 192.168.20.0/24 <http://192.168.20.0/24> interface
    tunnel.3 preference 20 permanent
    set route 12.63.231.150/32 <http://12.63.231.150/32> interface
    ethernet0/0 preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    _______________________________________________
    juniper-nsp mailing list juniper-nsp@puck.nether.net
    <mailto:juniper-nsp@puck.nether.net>
    https://puck.nether.net/mailman/listinfo/juniper-nsp


------------------------------------------------------------------------


No virus found in this incoming message.
Checked by AVG - www.avg.com Version: 8.0.237 / Virus Database: 270.11.10/1995 - Release Date: 03/11/09 08:28:00

I did see the WAN interface is showing 100/half while the upstream device is locked at 100/full....

That will be the first thing I change tomorrow AM......

--chris
