Juniper Networks - SRX300
Version: 21.4R3-S4.9
NTP Servers
set system ntp server 169.159.200.1
set system ntp server 169.159.200.123
Filter-Based Forwarding (aka Policy-Based Routing)
Magic WAN Protected Site to Other Magic WAN Protected Sites
Internet-bound traffic from the protected site still uses the local Internet breakout
set firewall family inet filter MAGIC_WAN_FBF term VLAN0020_MAGIC_WAN from source-address 10.1.20.0/24
set firewall family inet filter MAGIC_WAN_FBF term VLAN0020_MAGIC_WAN from destination-address 10.1.11.0/24
set firewall family inet filter MAGIC_WAN_FBF term VLAN0020_MAGIC_WAN from destination-address 10.1.100.0/24
set firewall family inet filter MAGIC_WAN_FBF term VLAN0020_MAGIC_WAN then count MAGIC_WAN_FBF_count
set firewall family inet filter MAGIC_WAN_FBF term VLAN0020_MAGIC_WAN then routing-instance MAGIC_WAN_RI
Magic WAN + Gateway - Protected Site to Other Magic WAN Protected Sites AND Internet Traffic via Cloudflare Gateway
set firewall family inet filter MAGIC_WAN_GATEWAY_FBF term VLAN0020_MAGIC_WAN_GW from source-address 10.1.20.0/24
set firewall family inet filter MAGIC_WAN_GATEWAY_FBF term VLAN0020_MAGIC_WAN_GW from destination-address 0.0.0.0/0
set firewall family inet filter MAGIC_WAN_GATEWAY_FBF term VLAN0020_MAGIC_WAN_GW then count MAGIC_WAN_GATEWAY_FBF_count
set firewall family inet filter MAGIC_WAN_GATEWAY_FBF term VLAN0020_MAGIC_WAN_GW then routing-instance MAGIC_WAN_RI
Routing Instance
set routing-instances MAGIC_WAN_RI instance-type forwarding
set routing-instances MAGIC_WAN_RI routing-options static route 0.0.0.0/0 next-hop 10.252.3.0
set routing-instances MAGIC_WAN_RI routing-options static route 0.0.0.0/0 next-hop 10.252.3.2
Full Configuration
/* Configuration group (name suggests it was created by J-Web). It only takes effect if referenced by an apply-groups statement, which this capture does not show. */
groups {
jweb-security-logging {
system {
syslog {
/* Every facility at every severity into a local, 10-file rotating archive in structured-data format. */
file local-security.log {
any any;
archive files 10;
structured-data;
}
}
}
}
}
/* Host identity, authentication, management services, logging and time sources. */
system {
host-name srx300;
/* Credentials are redacted in this dump; the IKE pre-shared keys further down are not (see security stanza). */
root-authentication {
encrypted-password "[REDACTED]"; ## SECRET-DATA
}
login {
/* Single local super-user account; no RADIUS/TACACS+ authentication-order is configured in this capture. */
user admin {
uid 2001;
class super-user;
authentication {
encrypted-password "[REDACTED]"; ## SECRET-DATA
}
}
}
services {
/* NOTE(review): only a keepalive is set here; root-login deny, protocol-version v2 and connection/rate limits are left at platform defaults — confirm those defaults are acceptable. */
ssh {
client-alive-interval 60;
}
/* NETCONF rides on the same SSH service and the same accounts. */
netconf {
ssh;
}
/* J-Web over HTTPS with a self-signed device certificate, bound only to irb.224 (the JeffH zone). Clients cannot verify the certificate chain, so pin it or install a CA-issued one. */
web-management {
https {
system-generated-certificate;
interface irb.224;
}
}
}
domain-name coyotelabs.com;
time-zone America/New_York;
internet-options {
path-mtu-discovery;
}
/* Plain (unencrypted) DNS resolvers. */
name-server {
1.1.1.1;
1.0.0.1;
}
/* NOTE(review): all syslog destinations are local files; no remote syslog host is configured in this capture, so logs do not survive a device wipe or compromise. */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
/* Full audit trail of CLI commands run on the box. */
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
max-configurations-on-flash 49;
max-configuration-rollbacks 49;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* Two unauthenticated NTP servers (no authentication-key configured); accurate time matters for IKE lifetimes and log correlation. */
ntp {
server 169.159.200.1;
server 169.159.200.123;
}
}
/* IPsec tunnels to Cloudflare Magic WAN, address objects, NAT, zone policies and zones. */
security {
/* Stream-mode security logging in sd-syslog format; no stream destination (host) is visible in this capture, so confirm session logs actually reach a collector. */
log {
utc-timestamp;
mode stream;
format sd-syslog;
report;
}
ike {
/* NOTE(review): debug-level IKE tracing left enabled and world-readable on the device. IKE traces can expose negotiation details; remove once troubleshooting is finished. */
traceoptions {
file ike-debug.log size 1m files 3 world-readable;
flag all;
}
/* Not referenced by any IKE policy below. */
proposal cf_ike_magic_wan_prop {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
/* The four CBC proposals below are the only ones the policies actually offer; DH group 14 (2048-bit MODP) throughout. */
proposal cf_aes256cbc_sha384_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-384;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
proposal cf_aes256cbc_sha256_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
proposal cf_aes128cbc_sha384_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-384;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal cf_aes128cbc_sha256_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
/* AEAD (GCM) proposals are defined but not referenced by any policy; either offer them or remove them to keep the config honest. */
proposal cf_aes256gcm_sha384_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
encryption-algorithm aes-256-gcm;
lifetime-seconds 28800;
}
proposal cf_aes256gcm_sha256_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
encryption-algorithm aes-256-gcm;
lifetime-seconds 28800;
}
proposal cf_aes128gcm_sha384_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
encryption-algorithm aes-128-gcm;
lifetime-seconds 28800;
}
proposal cf_aes128gcm_sha256_dh14_psk {
authentication-method pre-shared-keys;
dh-group group14;
encryption-algorithm aes-128-gcm;
lifetime-seconds 28800;
}
/* NOTE(review): the $9$ pre-shared keys in these four policies are Junos reversible obfuscation, not one-way hashes — anyone holding this file can recover them. Treat them as disclosed, rotate them, and redact them like the passwords above before sharing. The "mode main" setting applies to IKEv1; the gateways below are v2-only. */
policy cf_mwan_comcast_ike_pol_01 {
mode main;
proposals [ cf_aes256cbc_sha384_dh14_psk cf_aes256cbc_sha256_dh14_psk cf_aes128cbc_sha384_dh14_psk cf_aes128cbc_sha256_dh14_psk ];
pre-shared-key ascii-text "$9$ynkKWxVb2oZUXxbY2aDj0O1RSeW8x-bsfThrKvN-iHq.fzFnCt01ZU3/CuB1sYgojHFn9uBIylVsg4ZG/9AtORLX-YgaFncrvWN-4oJZjq36CO1E360IESMWbwYoJD"; ## SECRET-DATA
}
policy cf_mwan_comcast_ike_pol_02 {
mode main;
proposals [ cf_aes256cbc_sha384_dh14_psk cf_aes256cbc_sha256_dh14_psk cf_aes128cbc_sha384_dh14_psk cf_aes128cbc_sha256_dh14_psk ];
pre-shared-key ascii-text "$9$Wj4Xx-4aZiqmUjkmPQ9CtuOIES8XNsgaX7Dkq.F3RhSrvWg4ZiqPz3hyrl8LUjH.Tz1IcMWXSysgoZiHmfTz/tuO1rKWApWX-V4oZUjHfTQF/uBIreVYoajimP5Tn/"; ## SECRET-DATA
}
policy cf_mwan_tmobile_ike_pol_01 {
mode main;
proposals [ cf_aes256cbc_sha384_dh14_psk cf_aes256cbc_sha256_dh14_psk cf_aes128cbc_sha384_dh14_psk cf_aes128cbc_sha256_dh14_psk ];
pre-shared-key ascii-text "$9$FmfVnpBlK8XNbIEKW8XdVgoJZiq3n9pu1wYzn6/tp8Xx-s2ZUHqmTBIVs2aGU9ApuRc8X7YoZEc-bY2aJFn/ApBMWX7dbXxNVws4o.P5Q69Ap0IEymfIcreLXk.P5n9"; ## SECRET-DATA
}
policy cf_mwan_tmobile_ike_pol_02 {
mode main;
proposals [ cf_aes256cbc_sha384_dh14_psk cf_aes256cbc_sha256_dh14_psk cf_aes128cbc_sha384_dh14_psk cf_aes128cbc_sha256_dh14_psk ];
pre-shared-key ascii-text "$9$-VdbYoaGqPQk./ApBSy4oJDkm9CpIRcP5zn/9OBdbwYZDq.56/AQFeMX7wsPfTFnCtuBREylKoZGUHkz369p01RSeKWyr7VwYaJ369tuBRhSKWxylVY2oiHu0BIrK"; ## SECRET-DATA
}
/* Two deactivated gateways (comcast uplink on ge-0/0/2.0); these pin the peer identity with remote-identity, which the active tmobile gateways do not. */
inactive: gateway cf_mwan_comcast_ike_tun_01 {
ike-policy cf_mwan_comcast_ike_pol_01;
address 162.159.68.68;
local-identity hostname dcaa1f4e2e93464690f69770c3afc5b8.53346555.ipsec.cloudflare.com;
remote-identity inet 162.159.68.68;
external-interface ge-0/0/2.0;
version v2-only;
}
inactive: gateway cf_mwan_comcast_ike_tun_02 {
ike-policy cf_mwan_comcast_ike_pol_02;
address 172.64.244.68;
local-identity hostname 767fe6dd39d74e10b65c67023cc717c6.53346555.ipsec.cloudflare.com;
remote-identity inet 172.64.244.68;
external-interface ge-0/0/2.0;
version v2-only;
}
/* NOTE(review): the two active gateways use ge-0/0/0.0 as external-interface, but in the interfaces stanza ge-0/0/0 is disabled and carries family ethernet-switching only — looks like a capture taken mid-migration; verify before relying on these tunnels. Consider adding remote-identity as on the comcast gateways. */
gateway cf_mwan_tmobile_ike_tun_01 {
ike-policy cf_mwan_tmobile_ike_pol_01;
address 162.159.68.68;
local-identity hostname 04eb35ddeefc44f8ad50138e3770671e.53346555.ipsec.cloudflare.com;
external-interface ge-0/0/0.0;
version v2-only;
}
gateway cf_mwan_tmobile_ike_tun_02 {
ike-policy cf_mwan_tmobile_ike_pol_02;
address 172.64.244.68;
local-identity hostname ae7b9747325a458cb8089ca8ea688a04.53346555.ipsec.cloudflare.com;
external-interface ge-0/0/0.0;
version v2-only;
}
}
ipsec {
/* NOTE(review): debug tracing of all IPsec events left enabled; remove after troubleshooting. */
traceoptions {
flag all;
}
/* Not referenced by any IPsec policy below. */
proposal cf_ipsec_magic_wan_prop {
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
proposal cf_aes256cbc_sha256-128_esp {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
/* HMAC-SHA1 integrity is offered as a fallback by the policy below; prefer dropping the sha1 proposals from the policy list if the peer negotiates SHA-256. */
proposal cf_aes256cbc_sha1_esp {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
proposal cf_aes128cbc_sha256-128_esp {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal cf_aes128cbc_sha1_esp {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
/* GCM ESP proposals are defined but unused by cf_magic_wan_ipsec_pol. */
proposal cf_aes256gcm_sha256-128_esp {
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 28800;
}
proposal cf_aes256gcm_sha1_esp {
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 28800;
}
proposal cf_aes128gcm_sha256-128_esp {
protocol esp;
encryption-algorithm aes-128-gcm;
lifetime-seconds 28800;
}
proposal cf_aes128gcm_sha1_esp {
protocol esp;
encryption-algorithm aes-128-gcm;
lifetime-seconds 28800;
}
/* Proposal order is the preference order offered to the peer; no perfect-forward-secrecy keys statement is configured here. */
policy cf_magic_wan_ipsec_pol {
proposals [ cf_aes256cbc_sha256-128_esp cf_aes256cbc_sha1_esp cf_aes128cbc_sha256-128_esp cf_aes128cbc_sha1_esp ];
}
/* no-anti-replay disables the IPsec replay window on every VPN below — presumably required by the peer (multi-path delivery); confirm, because it removes a standard protection against packet replay. */
inactive: vpn cf_mwan_comcast_ipsec_tun_01 {
bind-interface st0.1;
ike {
gateway cf_mwan_comcast_ike_tun_01;
no-anti-replay;
ipsec-policy cf_magic_wan_ipsec_pol;
}
establish-tunnels immediately;
}
inactive: vpn cf_mwan_comcast_ipsec_tun_02 {
bind-interface st0.2;
ike {
gateway cf_mwan_comcast_ike_tun_02;
no-anti-replay;
ipsec-policy cf_magic_wan_ipsec_pol;
}
establish-tunnels immediately;
}
/* Active tunnels are st0.3 and st0.4. */
vpn cf_mwan_tmobile_ipsec_tun_01 {
bind-interface st0.3;
ike {
gateway cf_mwan_tmobile_ike_tun_01;
no-anti-replay;
ipsec-policy cf_magic_wan_ipsec_pol;
}
establish-tunnels immediately;
}
vpn cf_mwan_tmobile_ipsec_tun_02 {
bind-interface st0.4;
ike {
gateway cf_mwan_tmobile_ike_tun_02;
no-anti-replay;
ipsec-policy cf_magic_wan_ipsec_pol;
}
establish-tunnels immediately;
}
}
address-book {
global {
/* Static snapshot of Cloudflare IPv4 ranges used to scope the Icecast_Permit policy; it goes stale silently, so keep it in sync with the published list. */
address Cloudflare_IPv4_01 173.245.48.0/20;
address Cloudflare_IPv4_02 103.21.244.0/22;
address Cloudflare_IPv4_03 103.22.200.0/22;
address Cloudflare_IPv4_04 103.31.4.0/22;
address Cloudflare_IPv4_05 141.101.64.0/18;
address Cloudflare_IPv4_06 108.162.192.0/18;
address Cloudflare_IPv4_07 190.93.240.0/20;
address Cloudflare_IPv4_08 188.114.96.0/20;
address Cloudflare_IPv4_09 197.234.240.0/22;
address Cloudflare_IPv4_10 198.41.128.0/17;
address Cloudflare_IPv4_11 162.158.0.0/15;
address Cloudflare_IPv4_12 104.16.0.0/13;
address Cloudflare_IPv4_13 104.24.0.0/14;
address Cloudflare_IPv4_14 172.64.0.0/13;
address Cloudflare_IPv4_15 131.0.72.0/22;
/* Internal Icecast hosts; icecast-kh is the static-NAT target, icecast2 is defined but not referenced in this capture. */
address icecast-kh 10.1.2.160/32;
address icecast2 10.1.2.159/32;
address-set Cloudflare_IPv4_Prefixes {
address Cloudflare_IPv4_01;
address Cloudflare_IPv4_02;
address Cloudflare_IPv4_03;
address Cloudflare_IPv4_04;
address Cloudflare_IPv4_05;
address Cloudflare_IPv4_06;
address Cloudflare_IPv4_07;
address Cloudflare_IPv4_08;
address Cloudflare_IPv4_09;
address Cloudflare_IPv4_10;
address Cloudflare_IPv4_11;
address Cloudflare_IPv4_12;
address Cloudflare_IPv4_13;
address Cloudflare_IPv4_14;
address Cloudflare_IPv4_15;
}
}
}
/* TCP MSS clamping for tunnelled traffic to avoid fragmentation. */
flow {
tcp-mss {
ipsec-vpn {
mss 1360;
}
gre-in {
mss 1436;
}
gre-out {
mss 1436;
}
}
}
/* IDS screen applied only to the Untrust zone (see zones); the tunnel-facing Cloudflare zone has no screen. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
/* Interface (PAT) source NAT for everything leaving Trust and JeffH toward Untrust. */
source {
rule-set Trust-to-Untrust {
from zone Trust;
to zone Untrust;
rule Trust-to-Untrust-Src-NAT {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set JeffH-to-Untrust {
from zone JeffH;
to zone Untrust;
rule JeffH-to-Untrust-Src-NAT {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
/* 1:1 static NAT exposing the Icecast host on a second public address; inbound access is still gated by the Untrust-to-Trust policy. */
static {
rule-set Static_NAT_Untrust_to_Trust {
from zone Untrust;
rule icecast-kh_23-127-128-87 {
match {
destination-address 23.127.128.87/32;
}
then {
static-nat {
prefix {
10.1.2.160/32;
}
}
}
}
}
}
/* Needed because 23.127.128.87 is not an address configured on ge-0/0/2.0 itself. */
proxy-arp {
interface ge-0/0/2.0 {
address {
23.127.128.87/32;
}
}
}
}
/* NOTE(review): no policy exists between Trust and Cloudflare, yet irb.20 (Trust) traffic is steered into MAGIC_WAN_RI and out the st0 tunnels (Cloudflare zone). Unless a permit-all default policy is set outside this capture, that traffic is dropped by the implicit deny. */
policies {
from-zone Trust to-zone Trust {
policy Trust-to-Trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
from-zone Trust to-zone Untrust {
policy Trust-to-Untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
from-zone JeffH to-zone JeffH {
policy JeffH-to-JeffH {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
/* Only permit policy without log/count; JeffH has full access into Trust (including irb.2 infrastructure). */
from-zone JeffH to-zone Trust {
policy JeffH-to-Trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone JeffH to-zone Untrust {
policy JeffH-to-Untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
from-zone JeffH to-zone Cloudflare {
policy JeffH-to-Cloudflare {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
/* Remote Magic WAN sites get unrestricted access into JeffH; tighten to the applications actually needed. */
from-zone Cloudflare to-zone JeffH {
policy Cloudflare-to-JeffH {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
from-zone Cloudflare to-zone Cloudflare {
policy Cloudflare-to-Cloudflare {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
/* Inbound from the Internet: only Cloudflare source ranges to the Icecast host on its service ports plus ping, everything else explicitly denied and logged. */
from-zone Untrust to-zone Trust {
policy Icecast_Permit {
match {
source-address Cloudflare_IPv4_Prefixes;
destination-address icecast-kh;
application [ icecast2_services junos-ping ];
}
then {
permit;
log {
session-close;
}
count;
}
}
policy Default_Deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-close;
}
count;
}
}
}
}
zones {
/* NOTE(review): Trust, JeffH and Cloudflare all allow every host-inbound system service and protocol. For the Cloudflare zone that means SSH/NETCONF/HTTPS on this device are reachable from every remote Magic WAN site; restrict to the services each zone actually needs. */
security-zone Trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.20;
irb.223;
irb.2;
}
}
security-zone JeffH {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.224;
}
}
/* Internet-facing zone: only IKE and ping accepted on the public interface, ping only on the IPv6 tunnel interface. */
security-zone Untrust {
screen untrust-screen;
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ike;
ping;
}
}
}
ip-0/1/0.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
security-zone Cloudflare {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.1;
st0.2;
st0.3;
st0.4;
}
}
}
}
/* Physical ports, the IPv6-in-IPv4 tunnel, VLAN IRBs and the IPsec st0 units. */
interfaces {
/* NOTE(review): disabled and L2-only, yet named as external-interface by the two active IKE gateways in the security stanza. */
ge-0/0/0 {
disable;
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
disable;
unit 0 {
family ethernet-switching;
}
}
/* Public Internet uplink (Untrust zone). */
ge-0/0/2 {
unit 0 {
family inet {
address 23.127.128.89/28;
}
}
}
ge-0/0/3 {
disable;
unit 0 {
family ethernet-switching;
}
}
ge-0/0/4 {
disable;
unit 0 {
family ethernet-switching;
}
}
/* Single trunk carrying every VLAN (members all) to the downstream switch. */
ge-0/0/5 {
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/6 {
disable;
unit 0 {
family ethernet-switching;
}
}
ge-0/0/7 {
disable;
unit 0 {
family ethernet-switching;
}
}
/* IPv6 delivered over an unencrypted IP-in-IP tunnel from the public address; no inet6 firewall filter is applied here and the zone allows ping on it. */
ip-0/1/0 {
unit 0 {
tunnel {
source 23.127.128.89;
destination 216.66.22.2;
}
family inet6 {
address 2001:470:7:44e::2/64;
}
}
}
irb {
unit 2 {
family inet {
address 10.1.2.254/24;
}
}
/* Only VLAN 20 has the filter-based-forwarding filter; MAGIC_WAN_GATEWAY_FBF is not applied anywhere. */
unit 20 {
family inet {
filter {
input MAGIC_WAN_FBF;
}
address 10.1.20.254/24;
}
}
unit 223 {
family inet {
address 192.168.223.254/24;
}
}
unit 224 {
family inet {
address 192.168.224.254/24;
}
}
}
/* st0.1/st0.2 belong to the deactivated comcast VPNs; st0.3/st0.4 are the live tunnels. Only st0.3 carries an explicit MTU — presumably st0.4 should match. */
st0 {
unit 1 {
family inet {
address 10.252.3.1/31;
}
}
unit 2 {
family inet {
address 10.252.3.3/31;
}
}
unit 3 {
family inet {
mtu 1350;
address 10.252.3.37/31;
}
}
unit 4 {
family inet {
address 10.252.3.39/31;
}
}
}
}
/* NOTE(review): SNMPv1/v2c community string stored and transmitted in clear text with no clients restriction, so any host in a zone that allows SNMP inbound can poll with it. Prefer SNMPv3 or at least a clients list on the community. */
snmp {
description "Juniper SRX300";
location "The Dungeon";
contact "Dungeon Master";
community coyotelabs-ro {
authorization read-only;
}
}
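/* Filter-based forwarding for VLAN 20: site-to-site prefixes are steered into MAGIC_WAN_RI, all other traffic falls through to the main instance (local Internet breakout). */
firewall {
family inet {
/* Applied as the input filter on irb.20 (interfaces stanza). */
filter MAGIC_WAN_FBF {
term VLAN0020_MAGIC_WAN {
from {
source-address {
10.1.20.0/24;
}
/* Remote Magic WAN site prefixes; add one entry per additional protected site. */
destination-address {
10.1.11.0/24;
10.1.100.0/24;
}
}
then {
count MAGIC_WAN_FBF_count;
routing-instance MAGIC_WAN_RI;
}
}
/* Junos filters end in an implicit discard; without this catch-all every VLAN 20 packet that does not match the term above (including Internet-bound traffic) is dropped at the interface. */
term DEFAULT_ACCEPT {
then accept;
}
}
/* Variant that sends all VLAN 20 traffic into the tunnels (Cloudflare Gateway); not applied to any interface in this capture. */
filter MAGIC_WAN_GATEWAY_FBF {
term VLAN0020_MAGIC_WAN_GW {
from {
source-address {
10.1.20.0/24;
}
destination-address {
0.0.0.0/0;
}
}
then {
count MAGIC_WAN_GATEWAY_FBF_count;
routing-instance MAGIC_WAN_RI;
}
}
/* Same implicit-discard guard for traffic from other sources on the interface. */
term DEFAULT_ACCEPT {
then accept;
}
}
}
}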
/* Forwarding instance that the FBF filters steer VLAN 20 traffic into; it learns interface routes via the MAGIC_WAN_RG rib-group (routing-options stanza). */
routing-instances {
MAGIC_WAN_RI {
instance-type forwarding;
routing-options {
static {
/* NOTE(review): 10.252.3.0 and 10.252.3.2 are the peer ends of st0.1/st0.2, whose VPNs are deactivated; the live tunnels st0.3/st0.4 (10.252.3.37/31, 10.252.3.39/31) would presumably need 10.252.3.36 and 10.252.3.38 here. Verify before use. Two next-hops only load-share if a per-flow load-balancing export policy is configured, which this capture does not show. */
route 0.0.0.0/0 next-hop [ 10.252.3.0 10.252.3.2 ];
}
}
}
}
/* Custom applications for the Icecast streaming host, grouped into the set referenced by the Icecast_Permit policy. */
applications {
application icecast2_8000_tcp {
protocol tcp;
destination-port 8000;
}
application icecast2_8080_tcp {
protocol tcp;
destination-port 8080;
}
application-set icecast2_services {
application icecast2_8000_tcp;
application icecast2_8080_tcp;
}
}
/* VLAN definitions and their L3 IRB bindings (zone membership is set on the irb units in the security stanza). */
vlans {
vlan0002 {
description infrastructure;
vlan-id 2;
l3-interface irb.2;
}
/* L2 only on this box; the 10.1.11.0/24 prefix in the FBF filter is a remote site, not this VLAN. */
vlan0011 {
description lab-vlan0011;
vlan-id 11;
}
/* Magic WAN test VLAN; irb.20 carries the FBF filter. */
vlan0020 {
description lab-vlan0020;
vlan-id 20;
l3-interface irb.20;
}
vlan0223 {
description home-network;
vlan-id 223;
l3-interface irb.223;
}
/* Management VLAN for J-Web (irb.224, JeffH zone). */
vlan0224 {
description jeffh;
vlan-id 224;
l3-interface irb.224;
}
}
/* Layer-2 switching mode and spanning tree on every switch port. */
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
/* Main-instance routing: IPv6 default over the tunnel, IPv4 default to the ISP, and the rib-group that shares interface routes with MAGIC_WAN_RI. */
routing-options {
rib inet6.0 {
static {
route ::/0 next-hop 2001:470:7:44e::1;
}
}
/* Interface routes are copied into both inet.0 and MAGIC_WAN_RI.inet.0 so the forwarding instance can reach local subnets. */
interface-routes {
rib-group inet MAGIC_WAN_RG;
}
/* NOTE(review): full routing trace left enabled and world-readable; remove after troubleshooting. */
traceoptions {
file routing-options-trace.log size 1m files 3 world-readable;
flag all;
}
static {
route 0.0.0.0/0 next-hop 23.127.128.94;
}
rib-groups {
MAGIC_WAN_RG {
import-rib [ inet.0 MAGIC_WAN_RI.inet.0 ];
}
}
}