Question

Port Forwarding in Juniper Firewall ssg140

Asked by: binumhaneef

My focus is to access three systems remotely through web pages by giving different port numbers. I am getting the remote desktop screen and I can put in the IP address of the remote system after configuring port forwarding in the Juniper SSG 140 firewall, but when I hit the "connect" button, I receive an error:

VBScript: Remote Desktop Disconnected

The client could not connect to the remote computer. Remote connections might not be enables or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, please contact your administrator.





Asked On: 2009-04-11 at 00:53:44 (ID 24314230)
Tags: Router
Topics: Checkpoint Firewall, Networking Hardware, Network Management
Participating Experts: 3
Points: 0
Comments: 42


Answers

 

by: Qlemo, posted on 2009-04-11 at 03:03:49, ID: 24121398

That screen is used before a connection is tried, so it is not of any relevance.
I suppose you use one single public IP address and three ports different from the standard 3389. You will have to tell the RDP client to use the corresponding port, so the address would be e.g. publicIP:53389

 

by: binumhaneef, posted on 2009-04-11 at 04:01:43, ID: 24121566

I have already changed the RDP ports of the three systems and configured them on the Juniper firewall, so I am getting the first page of Remote Desktop Connection. When I hit the button, I get the above-mentioned error.

 

by: Qlemo, posted on 2009-04-11 at 04:15:51, ID: 24121609

Why aren't you using the MSTSC client for direct RDP? I'm quite uncertain where you are getting with HTTP access. But as you have to apply a server name, you are NOT at the target machine for sure. Inside of the page, are you using internal or external addresses? Is the machine with Web access establishing the connection and sending the result to you, or is it your client that makes the connection? Your client will have to use the external addresses and ports, while the Web target will have to use internal ones.

 

by: binumhaneef, posted on 2009-04-11 at 04:25:40, ID: 24121634

Inside I am using the local IP address of the remote machine. This is for another purpose, so we want to use http://213.52.145.21:5874 for accessing our three machines. We don't want to use 'mstsc'. What should I do next? I cannot get the remote desktop even though I get the first page. Please help.

 

by: Qlemo, posted on 2009-04-11 at 04:28:31, ID: 24121644

What is answering on that public IP/port? I.e., what service did you forward port 5874 to?

 

by: binumhaneef, posted on 2009-04-11 at 04:42:12, ID: 24121670

Right now only Remote Desktop Connection.

 

by: Qlemo, posted on 2009-04-11 at 05:06:18, ID: 24121743

With Remote Desktop Web Connection, you are connecting to IIS first, and then to RDP, both from your browser. Consequences:

  • The port 5874 is forwarded to IIS with port 80 (or whatever port you defined).
  • In the connect dialog, you need to put in the public IP and forwarded RDP port, or nothing (if the IIS is on the RDP target - but as you are not using the 3389 port, I reckon this does not work).

 

by: sangamc, posted on 2009-04-14 at 21:06:17, ID: 24144626

Are you using a VIP with multi-port enabled or MIPs on the Juniper? I believe you don't have all the ports open to make it work with three computers. If you could post your config and also let us know whether you were able to make it work with one computer, I'm sure we could help you.

 

by: binumhaneef, posted on 2009-04-14 at 21:36:35, ID: 24144725

I am attaching the config of the SSG140. I did a VIP for accessing three systems remotely through HTTP.
Give me the solution.

 

by: sangamc, posted on 2009-04-15 at 07:12:24, ID: 24148173

OK, there are several problems with your config. Starting from the top, I do not see the necessary VIP configurations. You have:

set interface ethernet0/0 vip 192.168.1.74 (why did you put a VIP on your LAN?)
set interface serial1/1 vip 213.42.128.93 5412 "HTTP" 192.168.50.111

You do not have multi-port VIP enabled, but you will need that since you have to HTTP to the IP address, then RDP to the same IP. Enter the following from the console (it can't be done from the WebUI), then reset the device so it can take effect.

set vip multi-port

Secondly, your VIP on the serial interface only allows one protocol to hit the IP: HTTP, but you specified your custom RDP port. Unless this is a custom service that references both port 80 and port 5412 for RDP, it won't work. What you need is:

set interface serial1/1 vip 213.42.128.93 80 "HTTP" 192.168.50.111
set interface serial1/1 vip 213.42.128.93 5412 "RDP" 192.168.50.111

I am assuming you removed the settings for the other two computers and are just trying to configure the firewall to allow one computer. A multi-port VIP to multiple LAN IP addresses is not the ideal way to go. If you are able to use MIPs instead for the other two workstations, that would be the best.

I won't go into great detail about the policies. Leave the VIP policy wide open until you get it working, then lock it down to your specific ports once it performs the way you want.



 

by: binumhaneef, posted on 2009-04-15 at 21:46:36, ID: 24154566

I cannot see any RDP service in the Juniper SSG140 firewall.

 

by: binumhaneef, posted on 2009-04-15 at 21:52:09, ID: 24154579

set interface serial1/1 vip 213.42.128.93 5412 "RDP" 192.168.50.111
I am getting this error. I tried to do this through the web page of the router, but there is no service named "RDP".

Failed command   set interface serial1/1 vip 213.42.128.93 5412 192.168.50.111

 

by: sangamc, posted on 2009-04-15 at 22:05:34, ID: 24154618

You can create a custom service and call it rdp1. Use the custom rdp port you specified when setting up your remote desktop connections.

 

by: binumhaneef, posted on 2009-04-15 at 22:56:59, ID: 24154803

How can I create a custom port in Juniper?

 

by: binumhaneef, posted on 2009-04-16 at 02:55:47, ID: 24155913

As you said, I created a custom RDP service; the service port is 1111 and the virtual port is 5412. Then I tried to access it via
http://213.42.128.93:5412/ ..., but the message "Page cannot be displayed" came up.

 

by: sangamc, posted on 2009-04-16 at 06:35:35, ID: 24157495

I'm going to set up a VIP today to connect to an RDP session that is initiated from the RDP web console and document each step for you.

 

by: binumhaneef, posted on 2009-04-17 at 21:22:50, ID: 24173711

Thanks sangamc ...

 

by: binumhaneef, posted on 2009-04-18 at 23:10:32, ID: 24178022

I have not yet received any updated solution for port forwarding. Please help me.

 

by: binumhaneef, posted on 2009-04-19 at 05:05:46, ID: 24178740

No response

 

by: binumhaneef, posted on 2009-04-25 at 01:30:07, ID: 24231322

Why are you not responding regarding port forwarding?

 

by: deimark, posted on 2009-04-25 at 07:51:30, ID: 24232367

He might be a bit busy recently bud, give him a chance

 

by: Qlemo, posted on 2009-04-26 at 13:06:25, ID: 24237382

While waiting for sangamc, could you try to establish an RDP-only session via mstsc and the chosen public RDP port? Just to make sure that part is working ...

 

by: sangamc, posted on 2009-04-27 at 12:37:48, ID: 24244963

OK, after a week away from work to attend a wedding and following that up with a severe bout of flu, I finally got back to business. Sorry for the delay in responding to your messages. I went back over all the posts and your config file again, then proceeded to set up a Remote Desktop Web Connection on a couple of servers.

Your original configuration that displayed the Remote Desktop Web Connection was correct except for one thing: port 3389 TCP was not permitted, and that is why you got the error message: "The client could not connect to the remote computer. Remote connections might not be enables or the computer might be too busy to accept new connections .... "

So this is how to set up a VIP to allow Remote Desktop Web Connection to one computer, using the Juniper WebUI.

1. First log in to the console via telnet and run the following to enable multi-port VIP:
# set vip multi-port
# save

2. From the WebUI go to
Network > Interfaces > Edit > VIP/VIP Services
- Select the check mark for "Same as the untrusted interface IP address", then click on Add
- Click on the New VIP Service button and input the following:
    Virtual IP: already set for you
    Virtual port: 3389   # you need this port because RDP over web uses the standard RDP port anyway
    Map to service: RDP (3389)
    Map to IP: the IP address of the PC you wish to connect to
    (you do not have to check server auto detection)
  Click on OK

3. Go to        Objects > Services > Custom >
- Create your custom service for the Remote Desktop Web Connection port you decide to use. I believe you chose TCP 5412 (this is actually HTTP traffic and not RDP traffic as we assumed before).

4. From the WebUI go to
Network > Interfaces > Edit > VIP/VIP Services
- Click on the New VIP Service button and input the following:
    Virtual IP: already set for you
    Virtual port: 5412   # this is the port connecting to IIS
    Map to service: *custom service* (5412)
    Map to IP: the IP address of the PC you chose before
- After you click OK you should have two virtual ports pointing to the same server IP address.

5. Go to        Policies (From Untrust To Trust)
- Click on New to create a new policy with the following information:
   Source: ANY
   Destination: VIP(untrust)
   Service: click on Multiple and choose RDP(3389) and *custom-service(5412)*
   Action: permit
   Logging: enabled
This will create the rule that allows the HTTP traffic on port 5412 to the IIS web server as well as the actual RDP traffic to the workstation.

That is it. I typed this up while configuring a Juniper with the same settings and it works. If you want to connect to more than one computer using a single VIP you will need to configure IIS with a unique port on each computer, and you will need to change the RDP port on the other computers by modifying the following registry key:

   1. Start Registry Editor.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
   3. On the Edit menu, click Modify, and then click Decimal.
   4. Type the new port number, and then click OK.
   5. Quit Registry Editor.

You cannot point the same port at multiple computers when configuring a VIP, so each PC will need to use a unique RDP port. Also, in this setup you can simply bypass the web server by doing an RDP to the unique port number of each workstation.

I hope this answers your questions.
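A check for the mistakes this post identifies, written as an added example for this thread (not sangamc's or Juniper's code): it parses the `set service`, `set interface ... vip` and `set vip multi-port` lines in the forms quoted in the thread and reports when a Remote Desktop Web host has only its web port forwarded, when two virtual ports share one VIP address without multi-port enabled, when one virtual port is pointed at two hosts, or when a VIP names a service that does not exist. The function names and the sample configs are constructed here; the regexes cover only the line forms that appear in the thread, and the RDP port defaults to 3389 as the post requires.

```python
"""Lint ScreenOS (Juniper SSG) 'set' lines for the Remote Desktop Web Connection
port-forwarding mistakes discussed in this thread (added example; sample configs
are constructed from the commands quoted in the thread)."""
import re
from collections import defaultdict

# Built-in ScreenOS service used here (name -> TCP destination port). "RDP" is
# not built in on this box (the asker could not find it), so it has to come
# from a 'set service' line in the config being checked.
BUILTIN_SERVICES = {"HTTP": 80}

VIP_RE = re.compile(
    r'^set interface (\S+) vip (\S+) (\d+) "([^"]+)" (\d+(?:\.\d+){3})')
SERVICE_RE = re.compile(
    r'^set service "([^"]+)" protocol tcp src-port \S+ dst-port (\d+)-(\d+)')


def parse_config(text):
    """Collect custom services, VIP entries and the multi-port flag.
    A leading '# ' prompt, as pasted in the thread, is ignored."""
    services = dict(BUILTIN_SERVICES)
    vips = []
    multi_port = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if line == "set vip multi-port":
            multi_port = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1)] = int(m.group(2))  # low end of dst-port range
            continue
        m = VIP_RE.match(line)
        if m:
            iface, vip_ip, vport, svc, host = m.groups()
            vips.append({"iface": iface, "vip": vip_ip, "vport": int(vport),
                         "service": svc, "host": host})
    return services, vips, multi_port


def check_rdweb_forwarding(text, rdweb_hosts, rdp_port=3389):
    """Return findings for hosts that should be reachable through Remote Desktop
    Web Connection: the browser fetches the page from IIS, then the RDP client
    inside that page still needs rdp_port forwarded to the same host."""
    services, vips, multi_port = parse_config(text)
    findings = []

    # 1. Several virtual ports on one VIP address require 'set vip multi-port'.
    ports_per_vip = defaultdict(set)
    for v in vips:
        ports_per_vip[(v["iface"], v["vip"])].add(v["vport"])
    if any(len(p) > 1 for p in ports_per_vip.values()) and not multi_port:
        findings.append("multi-port VIP is not enabled (set vip multi-port)")

    # 2. One virtual port cannot point at two LAN hosts; a second workstation
    #    needs its own RDP port (the registry change at the end of the post).
    owner = {}
    for v in vips:
        key = (v["iface"], v["vip"], v["vport"])
        if key in owner and owner[key] != v["host"]:
            findings.append(f"virtual port {v['vport']} on {v['vip']} maps to "
                            f"both {owner[key]} and {v['host']}")
        owner.setdefault(key, v["host"])

    # 3. Every VIP must name a service that exists (built in or 'set service').
    for v in vips:
        if v["service"] not in services:
            findings.append(f"VIP port {v['vport']} references undefined "
                            f"service {v['service']!r}")

    # 4. Forwarding only the web page was the original mistake: the RDP port
    #    must also be forwarded to the same host.
    for host in rdweb_hosts:
        dst_ports = {services.get(v["service"]) for v in vips if v["host"] == host}
        if not dst_ports:
            findings.append(f"no VIP forwards anything to {host}")
        elif rdp_port not in dst_ports:
            findings.append(f"{host}: web page is forwarded but no VIP reaches "
                            f"TCP {rdp_port} (RDP)")
    return findings


# Constructed from the asker's first attempt quoted earlier in the thread.
ORIGINAL_CONFIG = """
set interface serial1/1 vip 213.42.128.93 5412 "HTTP" 192.168.50.111
"""

# Constructed from the corrected service, VIP and multi-port lines in the thread.
FIXED_CONFIG = """
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout 5
set service "CService" protocol tcp src-port 0-65535 dst-port 5412-5412
set vip multi-port
# set interface serial1/1 vip interface-ip 3389 "RDP" 192.168.50.111 manual
# set interface serial1/1 vip interface-ip 5412 "CService" 192.168.50.111 manual
"""

if __name__ == "__main__":
    print(check_rdweb_forwarding(ORIGINAL_CONFIG, ["192.168.50.111"]))
    print(check_rdweb_forwarding(FIXED_CONFIG, ["192.168.50.111"]) or "OK")
```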

 

 

by: Qlemo, posted on 2009-04-27 at 15:30:33, ID: 24246312

sangamc,
if multiple RDP connections are to be set up, isn't there some info missing? Does IIS read the local RDP port to use from the registry by itself, and use that when you do not provide any further info?
As far as I understand, you have to set up the VIP with the same port as the RDP mapped port for both public and private network (no port translation, hence).
If public IP and RDP port are provided in the Web dialog, the change of RDP port on each workstation looks unnecessary. But I'm not certain about all that.

 

by: binumhaneef, posted on 2009-04-28 at 01:44:43, ID: 24248706

Could you please just go through this config? I have done whatever you suggested, but I could not access it
through http://213.42.128.94:5412/tsweb

 

by: sangamc, posted on 2009-04-28 at 05:27:12, ID: 24250085

@qlemo: if I misunderstood your question, please correct me ...
When creating a VIP, the RDP port is mapped to a specific IP address in your LAN, let's say 10.10.10.27. When you open up the web page, if you put in the IP address of a different workstation in the LAN (10.10.10.55), you will not be able to control that workstation because your VIP only allows RDP(3389) traffic to one IP address, 10.10.10.27.
Because you cannot map one port to multiple LAN IP addresses, you have to change the RDP port on the second workstation and add that port to the list of ports in your VIP as well as in the policy.

In my opinion, since the author insists on using Remote Desktop Web, what should be done is to have IIS set up on each workstation on its own unique port and then open the web page for the workstation you wish to connect to. Doing this instead of opening one web page and connecting to multiple workstations will help eliminate some confusion.

@binumhaneef
As soon as I get to the office I'll check your config.

 

by: sangamc, posted on 2009-04-28 at 08:21:25, ID: 24251745

This is from your current configuration:

# set interface serial1/1 vip interface-ip 3389 "RDP" 192.168.50.111 manual
# set interface serial1/1 vip interface-ip 5412 "CService" 192.168.50.111 manual

In your initial configuration I noticed you had the following:

# set interface serial1/1 vip 213.42.128.93 5412 "HTTP" 192.168.50.111

So instead of using "Same as the untrusted interface IP address", go ahead and use the other IP address you have available in that subnet for the VIP (213.42.128.93).

Also, for the policy, instead of restricting the services to the ones specified in the VIP you can set the service to 'ANY' for the sake of testing, and then once we have a successful test, lock it down to the specific service you need.

 

by: binumhaneef, posted on 2009-04-29 at 21:31:43, ID: 24266950

It's working now. The actual problem is that it needs Service Pack 3 for accessing another workstation remotely through HTTP. Thanks.

 

by: Qlemo, posted on 2009-04-30 at 01:58:35, ID: 24267977

Do you really think the changes sangamc suggested are not related to the solution? If they are, you should award some points!

 

by: sangamc, posted on 2009-04-30 at 04:12:11, ID: 24268613

I am pretty sure that service pack three was not the only reason that you were unable to make the connection. I am disappointed that after some aggressive posts 'demanding' my response you would choose this route. My test config worked with XP virtual machines with NO service packs installed.

 

by: binumhaneef, posted on 2009-05-01 at 22:20:10, ID: 24284933

Actually I tried the way which sangamc suggested to me. Really, I had configured the same before; my friends also said there is no other configuration to make port forwarding. What I did is just configure the firewall, meaning the exception. I checked on Windows XP SP2 but it didn't work, but when I upgraded to SP3 it worked.

 

by: binumhaneef, posted on 2009-05-01 at 22:22:28, ID: 24284937

To be frank, sangamc gave me the configuration, but after configuring it, it was not working. RDP will work only with SP3.

 

by: sangamc, posted on 2009-05-01 at 23:12:10, ID: 24285023

OK, if that's what you believe. I'm absolutely positive it works with a brand new XP install with no service packs. That is the way I tested the setup that I posted above (I didn't have time to wait for 2 service packs to download before testing). Either way, your initial config was incorrect since you only had the port open for the web server and not the port for the actual RDP connection, and you did not have multi-port VIP enabled either. Good luck with your future NetScreen configs and don't forget to check the Juniper website for great documentation on different aspects of using the device. Their knowledge base is very good and is open to the public.

 

by: Qlemo, posted on 2009-05-02 at 03:18:59, ID: 24285604

Remove sangamc's configuration and re-establish yours, and you will not succeed in connecting, I'm pretty sure. XP SP2 might add to the problem (but I never heard of it), but it is not the sole reason.

 

by: binumhaneef, posted on 2009-05-02 at 05:26:39, ID: 24285929

I am very sure that it will not work with Service Pack 2. As sangamc said, I have enabled multi-port, which I didn't enable earlier. If you want to make sure and wish to go through my configuration, I will attach the file.

 

by: binumhaneef, posted on 2009-05-02 at 05:27:25, ID: 24285931

set clock timezone 3
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout 5
set service "CService" protocol tcp src-port 0-65535 dst-port 5412-5412
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "ascorp"
set admin password "nEZqE+rwLcwFcb5PlskLlzMtC6CAMn"
set admin user "shaji" password "nGe+BwrFDDyHcZZNrs2Ow/LtXLCcVn" privilege "all"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface adsl2/0 phy operating-mode auto
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/4" zone "Trust"
set interface "ethernet0/5" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "adsl2/0" pvc 8 35 mux llc protocol bridged  zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface "serial1/1" encap cisco-hdlc
set interface ethernet0/0 ip 192.168.3.2/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.8.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 192.168.0.151/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.170.10.39/24
set interface ethernet0/3 nat
set interface ethernet0/4 ip 192.168.50.1/24
set interface ethernet0/4 nat
set interface serial1/1 ip 213.42.128.94/30
set interface serial1/1 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/4 ip manageable
set interface serial1/1 ip manageable
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/4 manage ssh
unset interface ethernet0/4 manage ssl
unset interface ethernet0/5 manage ping
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage telnet
unset interface ethernet0/5 manage snmp
unset interface ethernet0/5 manage ssl
unset interface ethernet0/5 manage web
set interface serial1/1 manage ping
set interface serial1/1 manage ssh
set interface serial1/1 manage telnet
set interface serial1/1 manage snmp
set interface serial1/1 manage ssl
set interface serial1/1 manage web
set interface serial1/1 vip interface-ip 5416 "HTTP" 192.168.50.111
set interface serial1/1 vip interface-ip 5417 "HTTP" 192.168.50.83

set interface ethernet0/4 dot1x control-mode interface
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain dell.ascorpholdings1.com
set hostname dell.ascorpholdings1.com
set pki authority default scep mode "auto"
set pki x509 default cert-path partial

set dns host dns3 0.0.0.0
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Trust" "192.168.1.101/32" 192.168.1.101 255.255.255.255
set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Trust" "192.168.40.1/24" 192.168.40.1 255.255.255.0
set address "Trust" "192.168.50.0/24" 192.168.50.0 255.255.255.0
set address "Trust" "192.168.50.10" 192.168.50.10 255.255.255.255
set address "Trust" "192.168.50.100" 192.168.50.100 255.255.255.255
set address "Trust" "192.168.50.101" 192.168.50.101 255.255.255.255
set address "Trust" "192.168.50.102" 192.168.50.102 255.255.255.255
set address "Trust" "192.168.50.11" 192.168.50.11 255.255.255.255
set address "Trust" "192.168.50.111" 192.168.50.111 255.255.255.255
set address "Trust" "192.168.50.114" 192.168.50.114 255.255.255.255
set address "Trust" "192.168.50.12" 192.168.50.12 255.255.255.255
set address "Trust" "192.168.50.13" 192.168.50.13 255.255.255.255
set address "Trust" "192.168.50.14" 192.168.50.14 255.255.255.255
set address "Trust" "192.168.50.15" 192.168.50.15 255.255.255.255
set address "Trust" "192.168.50.16" 192.168.50.16 255.255.255.255
set address "Trust" "192.168.50.17" 192.168.50.17 255.255.255.255
set address "Trust" "192.168.50.18" 192.168.50.18 255.255.255.255
set address "Trust" "192.168.50.19" 192.168.50.19 255.255.255.255
set address "Trust" "192.168.50.20" 192.168.50.20 255.255.255.255
set address "Trust" "192.168.50.200" 192.168.50.200 255.255.255.255
set address "Trust" "192.168.50.21" 192.168.50.21 255.255.255.255
set address "Trust" "192.168.50.22" 192.168.50.22 255.255.255.255
set address "Trust" "192.168.50.23" 192.168.50.23 255.255.255.255
set address "Trust" "192.168.50.24" 192.168.50.24 255.255.255.255
set address "Trust" "192.168.50.25" 192.168.50.25 255.255.255.255
set address "Trust" "192.168.50.26" 192.168.50.26 255.255.255.255
set address "Trust" "192.168.50.27" 192.168.50.27 255.255.255.255
set address "Trust" "192.168.50.28" 192.168.50.28 255.255.255.255
set address "Trust" "192.168.50.29" 192.168.50.29 255.255.255.255
set address "Trust" "192.168.50.30" 192.168.50.30 255.255.255.255
set address "Trust" "192.168.50.33" 192.168.50.33 255.255.255.255
set address "Trust" "192.168.50.34" 192.168.50.34 255.255.255.255
set address "Trust" "192.168.50.49" 192.168.50.49 255.255.255.255
set address "Trust" "192.168.50.50" 192.168.50.50 255.255.255.255
set address "Trust" "192.168.50.51" 192.168.50.51 255.255.255.255
set address "Trust" "192.168.50.52" 192.168.50.52 255.255.255.255
set address "Trust" "192.168.50.53" 192.168.50.53 255.255.255.255
set address "Trust" "192.168.50.54" 192.168.50.54 255.255.255.255
set address "Trust" "192.168.50.55" 192.168.50.55 255.255.255.255
set address "Trust" "192.168.50.56" 192.168.50.56 255.255.255.255
set address "Trust" "192.168.50.57" 192.168.50.57 255.255.255.255
set address "Trust" "192.168.50.58" 192.168.50.58 255.255.255.255
set address "Trust" "192.168.50.59" 192.168.50.59 255.255.255.255
set address "Trust" "192.168.50.60" 192.168.50.60 255.255.255.255
set address "Trust" "192.168.50.61" 192.168.50.61 255.255.255.255
set address "Trust" "192.168.50.62" 192.168.50.62 255.255.255.255
set address "Trust" "192.168.50.63" 192.168.50.63 255.255.255.255
set address "Trust" "192.168.50.64" 192.168.50.64 255.255.255.255
set address "Trust" "192.168.50.65" 192.168.50.65 255.255.255.255
set address "Trust" "192.168.50.66" 192.168.50.66 255.255.255.255
set address "Trust" "192.168.50.67" 192.168.50.67 255.255.255.255
set address "Trust" "192.168.50.68" 192.168.50.68 255.255.255.255
set address "Trust" "192.168.50.69" 192.168.50.69 255.255.255.255
set address "Trust" "192.168.50.70" 192.168.50.70 255.255.255.255
set address "Trust" "192.168.50.71" 192.168.50.71 255.255.255.255
set address "Trust" "192.168.50.72" 192.168.50.72 255.255.255.255
set address "Trust" "192.168.50.73" 192.168.50.73 255.255.255.255
set address "Trust" "192.168.50.83" 192.168.50.83 255.255.255.255
set address "Trust" "192.168.50.84" 192.168.50.84 255.255.255.255
set address "Trust" "192.168.50.85" 192.168.50.85 255.255.255.255
set address "Trust" "192.168.50.86" 192.168.50.86 255.255.255.255
set address "Trust" "192.168.50.87" 192.168.50.87 255.255.255.255
set address "Trust" "192.168.50.88" 192.168.50.88 255.255.255.255
set address "Trust" "192.168.50.89" 192.168.50.89 255.255.255.255
set address "Trust" "192.168.50.90" 192.168.50.90 255.255.255.255
set address "Trust" "192.168.50.91" 192.168.50.91 255.255.255.255
set address "Trust" "192.170.5.0/24" 192.170.5.0 255.255.255.0
set address "Trust" "192.170.5.156/32" 192.170.5.156 255.255.255.255
set address "Trust" "213.42.128.94/32" 213.42.128.94 255.255.255.255

set address "Untrust" "192.168.3.0/24" 192.168.3.0 255.255.255.0
set address "Untrust" "192.168.4.0/24" 192.168.4.0 255.255.255.0
set address "Untrust" "217.12.4.245/32" 217.12.4.245 255.255.255.255
set address "Untrust" "64.4.32.7/32" 64.4.32.7 255.255.255.255
set address "Untrust" "64.4.33.7/32" 64.4.33.7 255.255.255.255
set address "Untrust" "68.142.230.232/32" 68.142.230.232 255.255.255.255
set address "Untrust" "68.142.230.234/32" 68.142.230.234 255.255.255.255
set address "Untrust" "68.142.230.235/32" 68.142.230.235 255.255.255.255
set address "Untrust" "68.142.230.236/32" 68.142.230.236 255.255.255.255
set address "Untrust" "69.147.112.160/32" 69.147.112.160 255.255.255.255
set group address "Trust" "Exclusive Users" comment "OPEN"
set group address "Trust" "Exclusive Users" add "192.168.50.100"
set group address "Trust" "Exclusive Users" add "192.168.50.101"
set group address "Trust" "Exclusive Users" add "192.168.50.102"
set group address "Trust" "Exclusive Users" add "192.168.50.114"
set group address "Trust" "Exclusive Users" add "192.168.50.200"
set group address "Trust" "Exclusive Users" add "192.168.50.34"
set group address "Trust" "Exclusive Users" add "192.168.50.49"
set group address "Trust" "Exclusive Users" add "192.168.50.84"
set group address "Trust" "Exclusive Users" add "192.168.50.85"
set group address "Trust" "Exclusive Users" add "192.168.50.87"
set group address "Trust" "Exclusive Users" add "192.168.50.88"
set group address "Trust" "Exclusive Users" add "192.168.50.90"
set group address "Trust" "Exclusive Users" add "192.168.50.91"
set group address "Trust" "GmailUsers" comment "khalid,mustafa"
set group address "Trust" "GmailUsers" add "192.168.50.10"
set group address "Trust" "GmailUsers" add "192.168.50.13"
set group address "Trust" "GmailUsers" add "192.168.50.51"
set group address "Trust" "GmailUsers" add "192.168.50.86"
set group address "Trust" "IT Users" comment "Dept"
set group address "Trust" "IT Users" add "192.168.50.111"
set group address "Trust" "IT Users" add "192.168.50.14"
set group address "Trust" "IT Users" add "192.168.50.15"
set group address "Trust" "IT Users" add "192.168.50.16"
set group address "Trust" "IT Users" add "192.168.50.17"
set group address "Trust" "IT Users" add "192.168.50.18"
set group address "Trust" "IT Users" add "192.168.50.19"
set group address "Trust" "IT Users" add "192.168.50.21"
set group address "Trust" "IT Users" add "192.168.50.22"
set group address "Trust" "IT Users" add "192.168.50.33"
set group address "Trust" "IT Users" add "192.168.50.58"
set group address "Trust" "IT Users" add "192.168.50.70"
set group address "Trust" "IT Users" add "192.168.50.72"
set group address "Trust" "IT Users" add "192.168.50.83"
set group address "Trust" "IT Users" add "192.168.50.89"
set group address "Trust" "Others" comment "Restricted!!"
set group address "Trust" "Others" add "192.168.50.12"
set group address "Trust" "Others" add "192.168.50.23"
set group address "Trust" "Others" add "192.168.50.50"
set group address "Trust" "Others" add "192.168.50.52"
set group address "Trust" "Others" add "192.168.50.53"
set group address "Trust" "Others" add "192.168.50.54"
set group address "Trust" "Others" add "192.168.50.55"
set group address "Trust" "Others" add "192.168.50.56"
set group address "Trust" "Others" add "192.168.50.57"
set group address "Trust" "Others" add "192.168.50.59"
set group address "Trust" "Others" add "192.168.50.60"
set group address "Trust" "Others" add "192.168.50.61"
set group address "Trust" "Others" add "192.168.50.62"
set group address "Trust" "Others" add "192.168.50.63"
set group address "Trust" "Others" add "192.168.50.64"
set group address "Trust" "Others" add "192.168.50.65"
set group address "Trust" "Others" add "192.168.50.66"
set group address "Trust" "Others" add "192.168.50.67"
set group address "Trust" "Others" add "192.168.50.68"
set group address "Trust" "Others" add "192.168.50.69"
set group address "Trust" "Others" add "192.168.50.71"
set group address "Trust" "Others" add "192.168.50.72"
set group address "Trust" "Others" add "192.168.50.73"
set ppp profile "serial"
set ppp profile "serial" static-ip
set ike gateway "vpn_p1" address 0.0.0.0 id "ascorp@ascorp.com" Aggr outgoing-interface "serial1/1" preshare "YlPrXwxDNyCgqSs7eVCkjQqjkXnm2zI78A==" proposal "pre-g2-3des-sha"
set ike gateway "vpn_p1" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651
unset ike gateway "vpn_p1" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpn_p2" gateway "vpn_p1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "vpn_p2" monitor
set vpn "vpn_p2" id 1 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set attack "CS:yahoo" ymsg-chatroom-name "Yahoo" severity high
set attack group "CS:AG"
set attack group "CS:AG" add "CS:yahoo"
set av http trickling default
set url protocol type sc-cpa
set url protocol sc-cpa
set category "ASCORP" url "ca.my.yahoo.com/"
set category "ASCORP" url "uk.mail.yahoo.com/"
set category "ASCORP" url "www.gmail.com/"
set category "ASCORP" url "www.hotmail.com/"
set category "ASCORP" url "www.rediffmail.com/"
set category "ASCORP" url "www.yahoo.com/"
set category "Firewall" url "ca.my.yahoo.com/"
set category "Firewall" url "ca.yahoo.com/"
set category "Firewall" url "developer.yahoo.com/"
set category "Firewall" url "dir.yahoo.com/"
set category "Firewall" url "edit.europe.com/"
set category "Firewall" url "finance.yahoo.com/"
set category "Firewall" url "gateway.messenger.hotmail.com/"
set category "Firewall" url "login.yahoo.com/"
set category "Firewall" url "login.yahoo.com/config"
set category "Firewall" url "mail.google.com/mai"
set category "Firewall" url "mail.google.com/mail"
set category "Firewall" url "mail.rediff.com/"
set category "Firewall" url "mail.yahoo.com/"
set category "Firewall" url "messenger.yahoo.com/"
set category "Firewall" url "msg.edit.yahoo.com/"
set category "Firewall" url "my.yahoo.com/"
set category "Firewall" url "myc1.msg.vip.re2.yahoo.com/"
set category "Firewall" url "news.yahoo.com/"
set category "Firewall" url "sip35.voice.re2.yahoo.com/"
set category "Firewall" url "uk.mail.yahoo.com/"
set category "Firewall" url "uk.news.yahoo.com/"
set category "Firewall" url "uk.yahoo.com/"
set category "Firewall" url "ultra1/ultrasurf.htm"
set category "Firewall" url "us.lrd.yahoo.com/"
set category "Firewall" url "video.yahoo.com/"
set category "Firewall" url "wap.oa.yahoo.com/"
set category "Firewall" url "widgets.yahoo.com/"
set category "Firewall" url "www.anchorfree.com/"
set category "Firewall" url "www.gmail.com/"
set category "Firewall" url "www.gotoforum.com/"
set category "Firewall" url "www.hotmail.com/"
set category "Firewall" url "www.hotspotshield.com/"
set category "Firewall" url "www.onlytorrents.com/torrent"
set category "Firewall" url "www.rediffmail.com/"
set category "Firewall" url "www.yahoomail.com/"
set category "Firewall" url "www.youtube.com/"
set category "GmailUsers" url "ca.my.yahoo.com/"
set category "GmailUsers" url "developer.yahoo.com/"
set category "GmailUsers" url "edit.europe.yahoo.com/"
set category "GmailUsers" url "login.live.com/"
set category "GmailUsers" url "login.yahoo.com/"
set category "GmailUsers" url "mail.rediff.com/"
set category "GmailUsers" url "mail.yahoo.com/"
set category "GmailUsers" url "msg.edit.yahoo.com/"
set category "GmailUsers" url "uk.mail.yahoo.com/"
set category "GmailUsers" url "uk.news.yahoo.com/"
set category "GmailUsers" url "us.lrd.yahoo.com/"
set category "GmailUsers" url "www.gotoforum.com/"
set category "GmailUsers" url "www.hotmail.com/"
set category "GmailUsers" url "www.hotspotshield.com/"
set category "GmailUsers" url "www.rediffmail.com/"
set category "GmailUsers" url "www.yahoo.com/"
set category "GmailUsers" url "www.yahoomail.com/"
set profile "ASCORP Firewall" "Firewall" black-list
set profile "ASCORP Firewall" "Chat" block
set profile "ASCORP Firewall" "Hacking" block
set profile "ASCORP Firewall" "Sex Education" block
set profile "ASCORP Firewall" "Adult/Sexually Explicit" block
set profile "Firewall4Gmail" "GmailUsers" black-list
set profile "Firewall4Gmail" "Chat" block
set profile "Firewall4Gmail" "Hacking" block
set profile "Firewall4Gmail" "Sex Education" block
set profile "Firewall4Gmail" "Adult/Sexually Explicit" block
set enable
set fail-mode permit
set server europe
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set vpn "vpn_p2" proxy-id local-ip 192.168.1.2/24 remote-ip 192.168.3.1/24 "ANY"
set policy id 23 from "Trust" to "Untrust"  "192.170.5.156/32" "Any" "ANY" permit
set policy id 23 disable
set policy id 23
exit
set policy id 3 from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit
set policy id 3
exit
set policy id 4 from "Trust" to "Untrust"  "192.170.5.0/24" "Any" "DNS" permit
set policy id 4
set service "PING"
set service "POP3"
set service "SMTP"
set service "TCP-ANY"
exit
set policy id 5 from "Trust" to "Untrust"  "Exclusive Users" "Any" "ANY" permit
set policy id 5
exit
set policy id 6 from "Trust" to "Untrust"  "IT Users" "Any" "ANY" permit
set policy id 6
exit
set policy id 7 from "Trust" to "Untrust"  "Others" "Any" "ANY" permit url-filter
set policy id 7 disable
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust"  "GmailUsers" "Any" "ANY" permit
set policy id 8
exit
set policy id 22 from "Untrust" to "Trust"  "Any" "VIP(serial1/1)" "ANY" permit log
set policy id 22
exit
set policy id 9 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.249)" "ANY" permit log
set policy id 9
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.251)" "ANY" permit
set policy id 10
exit
set policy id 12 from "Trust" to "Untrust"  "192.168.2.0/24" "Any" "DNS" permit
set policy id 12
set service "FTP"
set service "POP3"
set service "SMTP"
exit
set policy id 13 from "Trust" to "Untrust"  "192.168.1.0/24" "192.168.3.0/24" "ANY" permit
set policy id 13
exit
set policy id 14 from "Untrust" to "Trust"  "192.168.3.0/24" "192.168.1.0/24" "ANY" permit
set policy id 14
set src-address "192.168.4.0/24"
set dst-address "192.168.2.0/24"
set dst-address "192.168.50.0/24"
set dst-address "192.170.5.0/24"
exit
set policy id 17 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.252)" "ANY" permit
set policy id 17
exit
set policy id 20 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.250)" "ANY" permit
set policy id 20
exit
set log module system level warning destination console
set log module system level notification destination console
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface serial1/1 gateway 213.42.128.93 preference 20 permanent
set route 192.168.1.2/24 interface tunnel.1 preference 20
set route 192.168.3.1/24 interface tunnel.1 preference 20
set route 192.168.4.1/24 interface tunnel.1 preference 20
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 8080-8080 protocol tcp entry 1
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 80-80 protocol tcp entry 2
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 53-53 protocol tcp entry 3
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 5
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 6
set access-list extended 2 src-ip 192.170.5.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 1
set access-list extended 2 src-ip 192.170.5.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 2
set access-list extended 3 src-ip 192.168.2.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 1
set access-list extended 3 src-ip 192.168.2.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 2
set match-group name MG2
set match-group MG2 ext-acl 2 match-entry 1
set match-group name MG4Mail2.0
set match-group MG4Mail2.0 ext-acl 3 match-entry 1
set match-group name MG1
set match-group MG1 ext-acl 1 match-entry 1
set action-group name AGforAcctMail
set action-group AGforAcctMail next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set action-group name AGFor50.0
set action-group AGFor50.0 next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set action-group name AG2.0
set action-group AG2.0 next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set pbr policy name Forexusers
set pbr policy Forexusers match-group MG1 action-group AGFor50.0 1
set pbr policy name plcy4mail2.0
set pbr policy plcy4mail2.0 match-group MG4Mail2.0 action-group AG2.0 1
set pbr policy name AcctMail
set pbr policy AcctMail match-group MG2 action-group AGforAcctMail 1
exit
set interface ethernet0/1 pbr plcy4mail2.0
set interface ethernet0/3 pbr AcctMail
set interface ethernet0/4 pbr Forexusers
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
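The dump above is the asker's full `get config`. The lines that bear on the question are the two VIP entries on serial1/1 (external ports 5416 and 5417 mapped to the "HTTP" service on 192.168.50.111 and 192.168.50.83), policy 22 (any source, any service, to VIP(serial1/1), logged), and the management services enabled on that same Internet-facing interface. The Python script below is an added example, not part of this thread and not Juniper's tooling: it parses a ScreenOS dump with plain token splitting and reports those items, plus two IKE settings that are visible in the dump (aggressive mode with a preshared key, and `unset ike dos-protection`). The helper names are this example's own; SAMPLE_CONFIG is a constructed excerpt modelled on the thread's config with the IKE peer id and preshared key replaced by placeholders, and the parser only tracks explicit `manage` set/unset lines, not the defaults that `ip manageable` implies.

```python
"""Audit a ScreenOS (Juniper SSG) `get config` dump for inbound exposure.
Added example for this thread, not Juniper's own tooling; helper names are this
example's own. SAMPLE_CONFIG is a constructed excerpt modelled on the dump in the
thread, with the IKE peer id and preshared key replaced by placeholders."""
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """\
set interface "ethernet0/4" zone "Trust"
set interface "serial1/1" zone "Untrust"
unset interface ethernet0/4 manage ssh
set interface serial1/1 manage ssh
set interface serial1/1 manage telnet
set interface serial1/1 manage web
set interface serial1/1 vip interface-ip 5416 "HTTP" 192.168.50.111
set interface serial1/1 vip interface-ip 5417 "HTTP" 192.168.50.83
set ike gateway "vpn_p1" address 0.0.0.0 id "PEER-ID-PLACEHOLDER" Aggr outgoing-interface "serial1/1" preshare "PSK-PLACEHOLDER" proposal "pre-g2-3des-sha"
unset ike dos-protection
set policy id 23 from "Trust" to "Untrust"  "192.170.5.156/32" "Any" "ANY" permit
set policy id 23 disable
set policy id 4 from "Trust" to "Untrust"  "192.170.5.0/24" "Any" "DNS" permit
set policy id 4
set service "POP3"
set service "SMTP"
exit
set policy id 22 from "Untrust" to "Trust"  "Any" "VIP(serial1/1)" "ANY" permit log
set policy id 14 from "Untrust" to "Trust"  "192.168.3.0/24" "192.168.1.0/24" "ANY" permit
"""

CLEARTEXT_MGMT = {"telnet", "web"}  # admin logins over these cross the wire unencrypted
FIELD = {"service": "services", "src-address": "src", "dst-address": "dst"}  # policy sub-block lines


def parse_config(text):
    """Extract zones, explicitly enabled management services, VIPs, policies and
    weak IKE settings. Only explicit `manage` set/unset lines are tracked; the
    defaults implied by `ip manageable` are not modelled."""
    zones, mgmt, vips, policies, ike = {}, defaultdict(set), [], {}, []
    current = None  # id of the policy whose `set policy id N` ... `exit` block is open
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            current = None
            continue
        tok = shlex.split(line)
        if tok[1:2] == ["interface"] and len(tok) >= 5:
            ifname = tok[2]
            if tok[3] == "zone":
                zones[ifname] = tok[4]
            elif tok[3] == "manage":
                (mgmt[ifname].add if tok[0] == "set" else mgmt[ifname].discard)(tok[4])
            elif tok[3:5] == ["vip", "interface-ip"]:
                vips.append({"interface": ifname, "port": int(tok[5]), "service": tok[6], "host": tok[7]})
        elif tok[:3] == ["set", "policy", "id"]:
            pid = int(tok[3])
            if len(tok) == 4:
                current = pid
            elif tok[4] == "disable" and pid in policies:
                policies[pid]["enabled"] = False
            elif tok[4] == "from":
                policies[pid] = {"from": tok[5], "to": tok[7], "src": {tok[8]}, "dst": {tok[9]},
                                 "services": {tok[10]}, "action": tok[11],
                                 "log": "log" in tok[12:], "enabled": True}
        elif current is not None and tok[0] == "set" and tok[1] in FIELD:
            policies[current][FIELD[tok[1]]].add(tok[2])
        elif tok[:3] == ["set", "ike", "gateway"] and "Aggr" in tok and "preshare" in tok:
            ike.append(f"gateway {tok[3]}: aggressive-mode IKE with a preshared key")
        elif tok[:3] == ["unset", "ike", "dos-protection"]:
            ike.append("IKE DoS protection disabled")
    return zones, mgmt, vips, policies, ike


def audit(text):
    """Return (severity, message) findings, most serious first."""
    zones, mgmt, vips, policies, ike = parse_config(text)
    findings = []
    for ifname, zone in sorted(zones.items()):
        exposed = mgmt[ifname] & CLEARTEXT_MGMT
        if zone == "Untrust" and exposed:
            findings.append(("high", f"{ifname} ({zone}) allows cleartext management: "
                             + ", ".join(sorted(exposed))))
    findings += [("high", m) for m in ike]
    for pid, p in sorted(policies.items()):
        if p["enabled"] and p["from"] == "Untrust" and "Any" in p["src"] and "ANY" in p["services"]:
            findings.append(("medium", f"policy {pid}: any source, any service -> "
                             + ", ".join(sorted(p["dst"])) + ("" if p["log"] else " (unlogged)")))
    findings += [("info", f"VIP {v['interface']}:{v['port']} -> {v['service']} on {v['host']}")
                 for v in vips]
    return findings


def forwarded_services(text, host):
    """Service names reachable on `host` through VIP entries (is RDP forwarded at all?)."""
    return sorted({v["service"] for v in parse_config(text)[2] if v["host"] == host})


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

`forwarded_services` answers the first question a troubleshooter asks about the symptom in the question: which services actually reach a host through the VIP. For the two hosts in this dump the only forwarded service is HTTP, so the web page is served, but an RDP session that the page's client then opens to the host needs a forwarded RDP service (TCP 3389) of its own, and the dump defines none. On the exposure side, telnet and web management on serial1/1 put admin credentials on the wire in clear, and policy 22 uses service ANY; restricting it to the services actually mapped documents intent and limits what a later VIP addition would expose.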

 

by: binumhaneef, posted on 2009-05-02 at 05:28:52, ID: 24285936

check this config

 

by: binumhaneef, posted on 2009-05-02 at 05:29:11, ID: 24285938

set clock timezone 3
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "ascorp"
set admin password "nEZqE+rwLcwFcb5PlskLlzMtC6CAMn"
set admin user "shaji" password "nGe+BwrFDDyHcZZNrs2Ow/LtXLCcVn" privilege "all"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface adsl2/0 phy operating-mode auto
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/4" zone "Trust"
set interface "ethernet0/5" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "adsl2/0" pvc 8 35 mux llc protocol bridged  zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface "serial1/1" encap cisco-hdlc
set interface ethernet0/0 ip 192.168.3.2/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.8.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 192.168.0.151/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.170.10.39/24
set interface ethernet0/3 nat
set interface ethernet0/4 ip 192.168.50.1/24
set interface ethernet0/4 nat
set interface serial1/1 ip 213.42.128.94/30
set interface serial1/1 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/4 ip manageable
set interface serial1/1 ip manageable
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/4 manage ssh
unset interface ethernet0/4 manage ssl
unset interface ethernet0/5 manage ping
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage telnet
unset interface ethernet0/5 manage snmp
unset interface ethernet0/5 manage ssl
unset interface ethernet0/5 manage web
set interface serial1/1 manage ping
set interface serial1/1 manage ssh
set interface serial1/1 manage telnet
set interface serial1/1 manage snmp
set interface serial1/1 manage ssl
set interface serial1/1 manage web
set interface serial1/1 vip interface-ip 5416 "HTTP" 192.168.50.111
set interface serial1/1 vip interface-ip 5417 "HTTP" 192.168.50.83

set interface ethernet0/4 dot1x control-mode interface
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain dell.ascorpholdings1.com
set hostname dell.ascorpholdings1.com
set pki authority default scep mode "auto"
set pki x509 default cert-path partial

set dns host dns3 0.0.0.0
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Trust" "192.168.1.101/32" 192.168.1.101 255.255.255.255
set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Trust" "192.168.40.1/24" 192.168.40.1 255.255.255.0
set address "Trust" "192.168.50.0/24" 192.168.50.0 255.255.255.0
set address "Trust" "192.168.50.10" 192.168.50.10 255.255.255.255
set address "Trust" "192.168.50.100" 192.168.50.100 255.255.255.255
set address "Trust" "192.168.50.101" 192.168.50.101 255.255.255.255
set address "Trust" "192.168.50.102" 192.168.50.102 255.255.255.255
set address "Trust" "192.168.50.11" 192.168.50.11 255.255.255.255
set address "Trust" "192.168.50.111" 192.168.50.111 255.255.255.255
set address "Trust" "192.168.50.114" 192.168.50.114 255.255.255.255
set address "Trust" "192.168.50.12" 192.168.50.12 255.255.255.255
set address "Trust" "192.168.50.13" 192.168.50.13 255.255.255.255
set address "Trust" "192.168.50.14" 192.168.50.14 255.255.255.255
set address "Trust" "192.168.50.15" 192.168.50.15 255.255.255.255
set address "Trust" "192.168.50.16" 192.168.50.16 255.255.255.255
set address "Trust" "192.168.50.17" 192.168.50.17 255.255.255.255
set address "Trust" "192.168.50.18" 192.168.50.18 255.255.255.255
set address "Trust" "192.168.50.19" 192.168.50.19 255.255.255.255
set address "Trust" "192.168.50.20" 192.168.50.20 255.255.255.255
set address "Trust" "192.168.50.200" 192.168.50.200 255.255.255.255
set address "Trust" "192.168.50.21" 192.168.50.21 255.255.255.255
set address "Trust" "192.168.50.22" 192.168.50.22 255.255.255.255
set address "Trust" "192.168.50.23" 192.168.50.23 255.255.255.255
set address "Trust" "192.168.50.24" 192.168.50.24 255.255.255.255
set address "Trust" "192.168.50.25" 192.168.50.25 255.255.255.255
set address "Trust" "192.168.50.26" 192.168.50.26 255.255.255.255
set address "Trust" "192.168.50.27" 192.168.50.27 255.255.255.255
set address "Trust" "192.168.50.28" 192.168.50.28 255.255.255.255
set address "Trust" "192.168.50.29" 192.168.50.29 255.255.255.255
set address "Trust" "192.168.50.30" 192.168.50.30 255.255.255.255
set address "Trust" "192.168.50.33" 192.168.50.33 255.255.255.255
set address "Trust" "192.168.50.34" 192.168.50.34 255.255.255.255
set address "Trust" "192.168.50.49" 192.168.50.49 255.255.255.255
set address "Trust" "192.168.50.50" 192.168.50.50 255.255.255.255
set address "Trust" "192.168.50.51" 192.168.50.51 255.255.255.255
set address "Trust" "192.168.50.52" 192.168.50.52 255.255.255.255
set address "Trust" "192.168.50.53" 192.168.50.53 255.255.255.255
set address "Trust" "192.168.50.54" 192.168.50.54 255.255.255.255
set address "Trust" "192.168.50.55" 192.168.50.55 255.255.255.255
set address "Trust" "192.168.50.56" 192.168.50.56 255.255.255.255
set address "Trust" "192.168.50.57" 192.168.50.57 255.255.255.255
set address "Trust" "192.168.50.58" 192.168.50.58 255.255.255.255
set address "Trust" "192.168.50.59" 192.168.50.59 255.255.255.255
set address "Trust" "192.168.50.60" 192.168.50.60 255.255.255.255
set address "Trust" "192.168.50.61" 192.168.50.61 255.255.255.255
set address "Trust" "192.168.50.62" 192.168.50.62 255.255.255.255
set address "Trust" "192.168.50.63" 192.168.50.63 255.255.255.255
set address "Trust" "192.168.50.64" 192.168.50.64 255.255.255.255
set address "Trust" "192.168.50.65" 192.168.50.65 255.255.255.255
set address "Trust" "192.168.50.66" 192.168.50.66 255.255.255.255
set address "Trust" "192.168.50.67" 192.168.50.67 255.255.255.255
set address "Trust" "192.168.50.68" 192.168.50.68 255.255.255.255
set address "Trust" "192.168.50.69" 192.168.50.69 255.255.255.255
set address "Trust" "192.168.50.70" 192.168.50.70 255.255.255.255
set address "Trust" "192.168.50.71" 192.168.50.71 255.255.255.255
set address "Trust" "192.168.50.72" 192.168.50.72 255.255.255.255
set address "Trust" "192.168.50.73" 192.168.50.73 255.255.255.255
set address "Trust" "192.168.50.83" 192.168.50.83 255.255.255.255
set address "Trust" "192.168.50.84" 192.168.50.84 255.255.255.255
set address "Trust" "192.168.50.85" 192.168.50.85 255.255.255.255
set address "Trust" "192.168.50.86" 192.168.50.86 255.255.255.255
set address "Trust" "192.168.50.87" 192.168.50.87 255.255.255.255
set address "Trust" "192.168.50.88" 192.168.50.88 255.255.255.255
set address "Trust" "192.168.50.89" 192.168.50.89 255.255.255.255
set address "Trust" "192.168.50.90" 192.168.50.90 255.255.255.255
set address "Trust" "192.168.50.91" 192.168.50.91 255.255.255.255
set address "Trust" "192.170.5.0/24" 192.170.5.0 255.255.255.0
set address "Trust" "192.170.5.156/32" 192.170.5.156 255.255.255.255
set address "Trust" "213.42.128.94/32" 213.42.128.94 255.255.255.255

set address "Untrust" "192.168.3.0/24" 192.168.3.0 255.255.255.0
set address "Untrust" "192.168.4.0/24" 192.168.4.0 255.255.255.0
set address "Untrust" "217.12.4.245/32" 217.12.4.245 255.255.255.255
set address "Untrust" "64.4.32.7/32" 64.4.32.7 255.255.255.255
set address "Untrust" "64.4.33.7/32" 64.4.33.7 255.255.255.255
set address "Untrust" "68.142.230.232/32" 68.142.230.232 255.255.255.255
set address "Untrust" "68.142.230.234/32" 68.142.230.234 255.255.255.255
set address "Untrust" "68.142.230.235/32" 68.142.230.235 255.255.255.255
set address "Untrust" "68.142.230.236/32" 68.142.230.236 255.255.255.255
set address "Untrust" "69.147.112.160/32" 69.147.112.160 255.255.255.255
set group address "Trust" "Exclusive Users" comment "OPEN"
set group address "Trust" "Exclusive Users" add "192.168.50.100"
set group address "Trust" "Exclusive Users" add "192.168.50.101"
set group address "Trust" "Exclusive Users" add "192.168.50.102"
set group address "Trust" "Exclusive Users" add "192.168.50.114"
set group address "Trust" "Exclusive Users" add "192.168.50.200"
set group address "Trust" "Exclusive Users" add "192.168.50.34"
set group address "Trust" "Exclusive Users" add "192.168.50.49"
set group address "Trust" "Exclusive Users" add "192.168.50.84"
set group address "Trust" "Exclusive Users" add "192.168.50.85"
set group address "Trust" "Exclusive Users" add "192.168.50.87"
set group address "Trust" "Exclusive Users" add "192.168.50.88"
set group address "Trust" "Exclusive Users" add "192.168.50.90"
set group address "Trust" "Exclusive Users" add "192.168.50.91"
set group address "Trust" "GmailUsers" comment "khalid,mustafa"
set group address "Trust" "GmailUsers" add "192.168.50.10"
set group address "Trust" "GmailUsers" add "192.168.50.13"
set group address "Trust" "GmailUsers" add "192.168.50.51"
set group address "Trust" "GmailUsers" add "192.168.50.86"
set group address "Trust" "IT Users" comment "Dept"
set group address "Trust" "IT Users" add "192.168.50.111"
set group address "Trust" "IT Users" add "192.168.50.14"
set group address "Trust" "IT Users" add "192.168.50.15"
set group address "Trust" "IT Users" add "192.168.50.16"
set group address "Trust" "IT Users" add "192.168.50.17"
set group address "Trust" "IT Users" add "192.168.50.18"
set group address "Trust" "IT Users" add "192.168.50.19"
set group address "Trust" "IT Users" add "192.168.50.21"
set group address "Trust" "IT Users" add "192.168.50.22"
set group address "Trust" "IT Users" add "192.168.50.33"
set group address "Trust" "IT Users" add "192.168.50.58"
set group address "Trust" "IT Users" add "192.168.50.70"
set group address "Trust" "IT Users" add "192.168.50.72"
set group address "Trust" "IT Users" add "192.168.50.83"
set group address "Trust" "IT Users" add "192.168.50.89"
set group address "Trust" "Others" comment "Restricted!!"
set group address "Trust" "Others" add "192.168.50.12"
set group address "Trust" "Others" add "192.168.50.23"
set group address "Trust" "Others" add "192.168.50.50"
set group address "Trust" "Others" add "192.168.50.52"
set group address "Trust" "Others" add "192.168.50.53"
set group address "Trust" "Others" add "192.168.50.54"
set group address "Trust" "Others" add "192.168.50.55"
set group address "Trust" "Others" add "192.168.50.56"
set group address "Trust" "Others" add "192.168.50.57"
set group address "Trust" "Others" add "192.168.50.59"
set group address "Trust" "Others" add "192.168.50.60"
set group address "Trust" "Others" add "192.168.50.61"
set group address "Trust" "Others" add "192.168.50.62"
set group address "Trust" "Others" add "192.168.50.63"
set group address "Trust" "Others" add "192.168.50.64"
set group address "Trust" "Others" add "192.168.50.65"
set group address "Trust" "Others" add "192.168.50.66"
set group address "Trust" "Others" add "192.168.50.67"
set group address "Trust" "Others" add "192.168.50.68"
set group address "Trust" "Others" add "192.168.50.69"
set group address "Trust" "Others" add "192.168.50.71"
set group address "Trust" "Others" add "192.168.50.72"
set group address "Trust" "Others" add "192.168.50.73"
set ppp profile "serial"
set ppp profile "serial" static-ip
set ike gateway "vpn_p1" address 0.0.0.0 id "ascorp@ascorp.com" Aggr outgoing-interface "serial1/1" preshare "YlPrXwxDNyCgqSs7eVCkjQqjkXnm2zI78A==" proposal "pre-g2-3des-sha"
set ike gateway "vpn_p1" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651
unset ike gateway "vpn_p1" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpn_p2" gateway "vpn_p1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "vpn_p2" monitor
set vpn "vpn_p2" id 1 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set attack "CS:yahoo" ymsg-chatroom-name "Yahoo" severity high
set attack group "CS:AG"
set attack group "CS:AG" add "CS:yahoo"
set av http trickling default
set url protocol type sc-cpa
set url protocol sc-cpa
set category "ASCORP" url "ca.my.yahoo.com/"
set category "ASCORP" url "uk.mail.yahoo.com/"
set category "ASCORP" url "www.gmail.com/"
set category "ASCORP" url "www.hotmail.com/"
set category "ASCORP" url "www.rediffmail.com/"
set category "ASCORP" url "www.yahoo.com/"
set category "Firewall" url "ca.my.yahoo.com/"
set category "Firewall" url "ca.yahoo.com/"
set category "Firewall" url "developer.yahoo.com/"
set category "Firewall" url "dir.yahoo.com/"
set category "Firewall" url "edit.europe.com/"
set category "Firewall" url "finance.yahoo.com/"
set category "Firewall" url "gateway.messenger.hotmail.com/"
set category "Firewall" url "login.yahoo.com/"
set category "Firewall" url "login.yahoo.com/config"
set category "Firewall" url "mail.google.com/mai"
set category "Firewall" url "mail.google.com/mail"
set category "Firewall" url "mail.rediff.com/"
set category "Firewall" url "mail.yahoo.com/"
set category "Firewall" url "messenger.yahoo.com/"
set category "Firewall" url "msg.edit.yahoo.com/"
set category "Firewall" url "my.yahoo.com/"
set category "Firewall" url "myc1.msg.vip.re2.yahoo.com/"
set category "Firewall" url "news.yahoo.com/"
set category "Firewall" url "sip35.voice.re2.yahoo.com/"
set category "Firewall" url "uk.mail.yahoo.com/"
set category "Firewall" url "uk.news.yahoo.com/"
set category "Firewall" url "uk.yahoo.com/"
set category "Firewall" url "ultra1/ultrasurf.htm"
set category "Firewall" url "us.lrd.yahoo.com/"
set category "Firewall" url "video.yahoo.com/"
set category "Firewall" url "wap.oa.yahoo.com/"
set category "Firewall" url "widgets.yahoo.com/"
set category "Firewall" url "www.anchorfree.com/"
set category "Firewall" url "www.gmail.com/"
set category "Firewall" url "www.gotoforum.com/"
set category "Firewall" url "www.hotmail.com/"
set category "Firewall" url "www.hotspotshield.com/"
set category "Firewall" url "www.onlytorrents.com/torrent"
set category "Firewall" url "www.rediffmail.com/"
set category "Firewall" url "www.yahoomail.com/"
set category "Firewall" url "www.youtube.com/"
set category "GmailUsers" url "ca.my.yahoo.com/"
set category "GmailUsers" url "developer.yahoo.com/"
set category "GmailUsers" url "edit.europe.yahoo.com/"
set category "GmailUsers" url "login.live.com/"
set category "GmailUsers" url "login.yahoo.com/"
set category "GmailUsers" url "mail.rediff.com/"
set category "GmailUsers" url "mail.yahoo.com/"
set category "GmailUsers" url "msg.edit.yahoo.com/"
set category "GmailUsers" url "uk.mail.yahoo.com/"
set category "GmailUsers" url "uk.news.yahoo.com/"
set category "GmailUsers" url "us.lrd.yahoo.com/"
set category "GmailUsers" url "www.gotoforum.com/"
set category "GmailUsers" url "www.hotmail.com/"
set category "GmailUsers" url "www.hotspotshield.com/"
set category "GmailUsers" url "www.rediffmail.com/"
set category "GmailUsers" url "www.yahoo.com/"
set category "GmailUsers" url "www.yahoomail.com/"
set profile "ASCORP Firewall" "Firewall" black-list
set profile "ASCORP Firewall" "Chat" block
set profile "ASCORP Firewall" "Hacking" block
set profile "ASCORP Firewall" "Sex Education" block
set profile "ASCORP Firewall" "Adult/Sexually Explicit" block
set profile "Firewall4Gmail" "GmailUsers" black-list
set profile "Firewall4Gmail" "Chat" block
set profile "Firewall4Gmail" "Hacking" block
set profile "Firewall4Gmail" "Sex Education" block
set profile "Firewall4Gmail" "Adult/Sexually Explicit" block
set enable
set fail-mode permit
set server europe
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set vpn "vpn_p2" proxy-id local-ip 192.168.1.2/24 remote-ip 192.168.3.1/24 "ANY"
set policy id 23 from "Trust" to "Untrust"  "192.170.5.156/32" "Any" "ANY" permit
set policy id 23 disable
set policy id 23
exit
set policy id 3 from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit
set policy id 3
exit
set policy id 4 from "Trust" to "Untrust"  "192.170.5.0/24" "Any" "DNS" permit
set policy id 4
set service "PING"
set service "POP3"
set service "SMTP"
set service "TCP-ANY"
exit
set policy id 5 from "Trust" to "Untrust"  "Exclusive Users" "Any" "ANY" permit
set policy id 5
exit
set policy id 6 from "Trust" to "Untrust"  "IT Users" "Any" "ANY" permit
set policy id 6
exit
set policy id 7 from "Trust" to "Untrust"  "Others" "Any" "ANY" permit url-filter
set policy id 7 disable
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust"  "GmailUsers" "Any" "ANY" permit
set policy id 8
exit
set policy id 22 from "Untrust" to "Trust"  "Any" "VIP(serial1/1)" "ANY" permit log
set policy id 22
exit
set policy id 9 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.249)" "ANY" permit log
set policy id 9
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.251)" "ANY" permit
set policy id 10
exit
set policy id 12 from "Trust" to "Untrust"  "192.168.2.0/24" "Any" "DNS" permit
set policy id 12
set service "FTP"
set service "POP3"
set service "SMTP"
exit
set policy id 13 from "Trust" to "Untrust"  "192.168.1.0/24" "192.168.3.0/24" "ANY" permit
set policy id 13
exit
set policy id 14 from "Untrust" to "Trust"  "192.168.3.0/24" "192.168.1.0/24" "ANY" permit
set policy id 14
set src-address "192.168.4.0/24"
set dst-address "192.168.2.0/24"
set dst-address "192.168.50.0/24"
set dst-address "192.170.5.0/24"
exit
set policy id 17 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.252)" "ANY" permit
set policy id 17
exit
set policy id 20 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.250)" "ANY" permit
set policy id 20
exit
set log module system level warning destination console
set log module system level notification destination console
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface serial1/1 gateway 213.42.128.93 preference 20 permanent
set route 192.168.1.2/24 interface tunnel.1 preference 20
set route 192.168.3.1/24 interface tunnel.1 preference 20
set route 192.168.4.1/24 interface tunnel.1 preference 20
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 8080-8080 protocol tcp entry 1
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 80-80 protocol tcp entry 2
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 53-53 protocol tcp entry 3
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 5
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 6
set access-list extended 2 src-ip 192.170.5.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 1
set access-list extended 2 src-ip 192.170.5.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 2
set access-list extended 3 src-ip 192.168.2.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 1
set access-list extended 3 src-ip 192.168.2.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 2
set match-group name MG2
set match-group MG2 ext-acl 2 match-entry 1
set match-group name MG4Mail2.0
set match-group MG4Mail2.0 ext-acl 3 match-entry 1
set match-group name MG1
set match-group MG1 ext-acl 1 match-entry 1
set action-group name AGforAcctMail
set action-group AGforAcctMail next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set action-group name AGFor50.0
set action-group AGFor50.0 next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set action-group name AG2.0
set action-group AG2.0 next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set pbr policy name Forexusers
set pbr policy Forexusers match-group MG1 action-group AGFor50.0 1
set pbr policy name plcy4mail2.0
set pbr policy plcy4mail2.0 match-group MG4Mail2.0 action-group AG2.0 1
set pbr policy name AcctMail
set pbr policy AcctMail match-group MG2 action-group AGforAcctMail 1
exit
set interface ethernet0/1 pbr plcy4mail2.0
set interface ethernet0/3 pbr AcctMail
set interface ethernet0/4 pbr Forexusers
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

 

by: sangamc, posted on 2009-05-02 at 06:40:10, ID: 24286137

QUOTE ---- "I'm very sure that it will not work with Service Pack 2. As sangamc said, I have enabled multi-port, which I didn't enable earlier."

@binumhaneef: This quote alone tells us that your original problem, where you could open the web site but not make the actual RDP connection, was solved by my first post.

QUOTE: ----- binumhaneef: "How can I create a custom port in Juniper?"

Secondly, you did not configure a custom RDP service in your Juniper. Without the custom service that you copied from my post you would never have been able to RDP to any of your workstations inside your network. The following lines in your 'working' config most certainly did not come from something you or your 'friends' discovered:

set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout 5
set service "CService" protocol tcp src-port 0-65535 dst-port 5412-5412

And lastly, I wish you would stop going on about SP3, which actually needs to be patched in order for Remote Desktop Web Connection to work. Below is a MS KB article describing how the ActiveX control is disabled and the steps required to make sure it works correctly.

http://support.microsoft.com/kb/951607

You cannot connect to a remote computer or start a remote application when you use Terminal Services Web Access or Remote Web Workspace on a Windows XP SP3-based or Windows Small Business Server 2003 SP1-based computer. By default, the ActiveX control is disabled after you install Windows XP Service Pack 3 (SP3) or Windows Small Business Server 2003 SP1.


I have mentioned this privately but now I will say it publicly: your grasp of Juniper NetScreen concepts is rudimentary at best, and probably IT concepts as a whole. Your approach demanding my response was extremely rude and I was shocked that you would choose that route. And finally, your confidence that you solved your own problem without crediting any of the people who posted and tried to assist you is just spiteful.

Please award points and close the question properly.

PS: your Juniper config is full of holes and does not protect your network at all. You have basically dumbed it down to a 'home style router' that everyone knows the user name and password for. Please change the following before someone logs into your device and puts you out of business.


set admin name "ascorp"
set admin password "nEZqE+rwLcwFcb5PlskLlzMtC6CAMn"
set admin user "shaji" password "nGe+BwrFDDyHcZZNrs2Ow/LtXLCcVn" privilege "all"

set ike gateway "vpn_p1" address 0.0.0.0 id "ascorp@ascorp.com" Aggr outgoing-interface "serial1/1" preshare "YlPrXwxDNyCgqSs7eVCkjQqjkXnm2zI78A==" proposal "pre-g2-3des-sha"
set ike gateway "vpn_p1" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651

I recommend getting a new cert since that is compromised, as well as configuring new keys for your VPNs. Your user names and passwords are also weak, and you should specify a list of IP addresses that can hit the WebUI for your device, because right now anyone in the world can log in.
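As an added illustration of the kind of review sangamc is doing here (this is not code from the thread, from Juniper, or from either poster), the script below parses the ScreenOS policy header lines of the form pasted above, flags every Untrust-to-Trust permit of the ANY service, and reports when no `set admin manager-ip` line restricts management access. The sample lines are copied from this thread's config; the manager-ip line is a constructed example of the remediation and assumes the standard ScreenOS `set admin manager-ip <ip> <mask>` syntax.

```python
import re

# Constructed sample: policy, service and admin lines copied from the ScreenOS
# config posted in this thread (that config has no manager-ip line).
SAMPLE_CONFIG = """\
set admin name "ascorp"
set ssh version v2
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout 5
set policy id 22 from "Untrust" to "Trust"  "Any" "VIP(serial1/1)" "ANY" permit log
set policy id 9 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.249)" "ANY" permit log
set policy id 3 from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit
"""

# Hypothetical remediation line (ScreenOS 'set admin manager-ip <ip> <mask>');
# the address is made up and the line is not part of the posted config.
MANAGER_IP_LINE = 'set admin manager-ip 192.168.1.10 255.255.255.255\n'

# Policy header line: id, from-zone, to-zone, source, destination, service, action.
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (\w+)'
)


def parse_policies(config):
    """Return one dict per 'set policy id N from ... to ...' header line."""
    policies = []
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            pid, from_zone, to_zone, src, dst, svc, action = m.groups()
            policies.append({"id": int(pid), "from": from_zone, "to": to_zone,
                             "src": src, "dst": dst, "service": svc,
                             "action": action})
    return policies


def audit(config):
    """Return (policy_id, finding) pairs; policy_id is None for global findings."""
    findings = []
    for p in parse_policies(config):
        if (p["from"] == "Untrust" and p["to"] == "Trust"
                and p["action"] == "permit" and p["service"] == "ANY"):
            findings.append((p["id"], "inbound permit of service ANY from "
                             f"{p['src']} to {p['dst']}; narrow it to the ports needed"))
    if not re.search(r"^set admin manager-ip ", config, re.M):
        findings.append((None, "no 'set admin manager-ip' restriction: "
                         "management is reachable from any address"))
    return findings
```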

 

by: binumhaneef, posted on 2009-05-02 at 21:45:21, ID: 24288710

See Mr. Sangamc, our router configuration is really rudimentary as you said. I accept whatever it may be. But I was being forced to configure port forwarding in Juniper urgently from our GM's side. I tried your configuration and I made the custom port and RDP port. But it didn't work. So I just removed the custom port and RDP port from the router and configured only the HTTP port. The first time it was not working; I just upgraded to SP3, then it started to connect. As you said I am a beginner and you are very expert, but what I realized through this config is that without configuring the custom port and RDP port it was working smoothly. So could you tell me how it has been working without configuring these things?

I don't want any award points or anything. Why should I be a paid member? Only to get the proper answer for my doubts, just to clarify my doubts, right? Anyway, leave the chapter.
