Solved

Port Forwarding in Juniper Firewall ssg140

Posted on 2009-04-11
42
8,184 Views
Last Modified: 2013-11-16
My goal is to access three systems remotely through web pages by giving different port numbers. I am getting the Remote Desktop screen and I can put in the IP address of the remote system after configuring port forwarding on the Juniper SSG 140 firewall, but when I hit the "Connect" button I receive an error:

VBScript: Remote Desktop Disconnected

The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, please contact your administrator.




Question by:binumhaneef
42 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 24121398
That screen is used before a connection is tried, so it is not of any relevance.
I suppose you use one single public IP address and three ports different from the standard 3389. You will have to tell the RDP client to use the corresponding port, so the address would be e.g.  publicIP:53389
0
 

Author Comment

by:binumhaneef
ID: 24121566
I have already changed the RDP ports of the three systems and configured them on the Juniper firewall, so I am getting the first page of Remote Desktop Connection. When I hit the button, I get the above-mentioned error.
untitled.JPG
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24121609
Why aren't you using the MSTSC client for direct RDP? I'm quite uncertain where you are getting with HTTP access. But as you have to supply a server name, you are NOT at the target machine for sure. Inside of the page, are you using internal or external addresses? Is the machine with web access establishing the connection and sending the result to you, or is it your client that makes the connection? Your client will have to use the external addresses and ports, while the web target will have to use internal ones.

0
 

Author Comment

by:binumhaneef
ID: 24121634
Inside I am using the local IP address of the remote machine. This is for another purpose, so we want to use http://213.52.145.21:5874 for accessing our three machines. We don't want to use 'mstsc'. What should I do next? I cannot get the remote desktop even though I get the first page. Help me please.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24121644
What is answering on that public IP/port? I.e., which service did you forward port 5874 to?
0
 

Author Comment

by:binumhaneef
ID: 24121670
Right now only Remote Desktop Connection.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24121743
With Remote Desktop Web Connection, you are connecting to IIS first, and then to RDP, both from your browser. Consequences:
  • The port 5874 is forwarded to IIS with port 80 (or whatever port you defined).
  • In the connect dialog, you need to put in the public IP and forwarded RDP port, or nothing (if the IIS is on RDP target - but as you are not using 3389 port, I reckon this does not work).
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24144626
Are you using a VIP with multi-port enabled, or MIPs on the Juniper? I believe you don't have all the ports open to make it work with three computers. If you could post your config and also let us know whether you were able to make it work with one computer, I'm sure we could help you.
0
 

Author Comment

by:binumhaneef
ID: 24144725
I am attaching the config of the SSG140. I did a VIP for accessing the three systems remotely through HTTP.
Give me the solution.
ssg140
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24148173
OK, there are several problems with your config. Starting from the top, I do not see the necessary VIP configurations. You have:

set interface ethernet0/0 vip 192.168.1.74 (why did you put a VIP on your LAN?)
set interface serial1/1 vip 213.42.128.93 5412 "HTTP" 192.168.50.111

You do not have multi-port VIP enabled, but you will need that since you have to HTTP to the IP address, then RDP to the same IP. Enter the following from the console (it can't be done from the WebUI), then reset the device so it can take effect.

set vip multi-port

Secondly, your VIP on the serial interface only allows one protocol to hit the IP: HTTP, but you specified your custom RDP port. Unless this is a custom service that references both port 80 and port 5412 for RDP, it won't work. What you need is:

set interface serial1/1 vip 213.42.128.93 80 "HTTP" 192.168.50.111
set interface serial1/1 vip 213.42.128.93 5412 "RDP" 192.168.50.111

I am assuming you removed the settings for the other two computers and are just trying to configure the firewall to allow one computer. A multi-port VIP to multiple LAN IP addresses is not the ideal way to go. If you are able to use MIPs instead for the other two workstations, that would be the best.

I won't go into great detail about the policies; leave the VIP policy wide open until you get it working, then lock it down to your specific ports once it performs the way you want.



0
 

Author Comment

by:binumhaneef
ID: 24154566
I cannot see any RDP service in the Juniper SSG140 firewall.
0
 

Author Comment

by:binumhaneef
ID: 24154579
set interface serial1/1 vip 213.42.128.93 5412 "RDP" 192.168.50.111
I am getting this error. I tried to do this through the web page of the router, but there is no service named "RDP".

Failed command   set interface serial1/1 vip 213.42.128.93 5412 192.168.50.111
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24154618
You can create a custom service and call it rdp1. Use the custom RDP port you specified when setting up your Remote Desktop connections.
0
 

Author Comment

by:binumhaneef
ID: 24154803
How can I create a custom port in Juniper?
0
 

Author Comment

by:binumhaneef
ID: 24155913
As you said, I created a custom RDP service; the service port is 1111 and the virtual port is 5412. Then I tried to access it via
http://213.42.128.93:5412/ ..., but the message came back "Page cannot be displayed".
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24157495
I'm going to set up a VIP today to connect to an RDP session that is initiated from the RDP web console and document each step for you.
0
 

Author Comment

by:binumhaneef
ID: 24173711
Thanks sangamc ...
0
 

Author Comment

by:binumhaneef
ID: 24178022
I have not yet received any updated solution for port forwarding. Please help me.
0
 

Author Comment

by:binumhaneef
ID: 24178740
No response
0
 

Author Comment

by:binumhaneef
ID: 24231322
Why are you not responding regarding port forwarding?
0
 
LVL 18

Expert Comment

by:deimark
ID: 24232367
He might be a bit busy recently bud, give him a chance
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24237382
While waiting for sangamc, could you try to establish an RDP-only session via mstsc and the chosen public RDP port? Just to make sure that part is working ...
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24244963
OK, after a week away from work to attend a wedding, followed by a severe bout of flu, I finally got back to business. Sorry for the delay in responding to your messages. I went back over all the posts and your config file again, then proceeded to set up a Remote Desktop Web Connection on a couple of servers.

Your original configuration that displayed the Remote Desktop Web Connection was correct except for one thing: port 3389 TCP was not permitted, and that is why you got the error message: "The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections ...."

So this is how to set up a VIP to allow Remote Desktop Web Connection to one computer, using the Juniper WebUI.

1. First log in to the console via telnet and run the following to enable multi-port VIP:
# set vip multi-port
# save

2. From the WebUI go to
Network > Interfaces > Edit > VIP/VIP Services
- Select the check mark for 'Same as the untrusted interface IP address', then click on Add
- Click on the New VIP Service button and input the following:
    Virtual IP: already set for you
    Virtual port: 3389   # you need this port because RDP over web uses the standard RDP port anyway
    Map to service: RDP (3389)
    Map to IP: the IP address of the PC you wish to connect to
    (you do not have to check Server Auto Detection)
  Click on 'OK'

3. Go to        Objects > Services > Custom
- Create your custom service for the Remote Desktop Web Connection port you decided to use. I believe you chose TCP 5412 (this is actually HTTP traffic and not RDP traffic as we assumed before).

4. From the WebUI go to
Network > Interfaces > Edit > VIP/VIP Services
- Click on the New VIP Service button and input the following:
    Virtual IP: already set for you
    Virtual port: 5412  # this is the port connecting to IIS
    Map to service: *custom service* (5412)
    Map to IP: the IP address of the PC you chose before
- After you click OK you should have two virtual ports pointing to the same server IP address

5. Go to        Policies (From Untrust To Trust)
- Click on New to create a new policy with the following information:
   Source: ANY
   Destination: VIP(untrust)
   Service: click on Multiple and choose RDP(3389) and *custom-service(5412)*
   Action: permit
   Logging: enabled
This will create the rule that allows the HTTP traffic on port 5412 to the IIS web server as well as the actual RDP traffic to the workstation.

That is it. I typed this up while configuring a Juniper with the same settings and it works. If you want to connect to more than one computer using a single VIP, you will need to configure IIS with a unique port on each computer and you will need to change the RDP port on the other computers by modifying the following registry key.

   1. Start Registry Editor.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
   3. On the Edit menu, click Modify, and then click Decimal.
   4. Type the new port number, and then click OK.
   5. Quit Registry Editor.

You cannot point the same port at multiple computers when configuring a VIP, so each PC will need to use a unique RDP port. Also, in this setup you can simply bypass the web server by doing an RDP to the unique port number of each workstation.

I hope this answers your questions.

 
0
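The walkthrough above boils down to two forwarded ports (the IIS/tsweb port and the RDP port) that must both map to the same inside host under one multi-port VIP and both be permitted by an Untrust to Trust policy. The script below is an added example, not code from this thread or from Juniper: it parses the ScreenOS `set` statements of the kind posted in the thread and reports what is missing for the browser-to-IIS hop and the ActiveX-client-to-RDP hop to work. The two configs embedded in it are constructed, modeled on the lines posted above (same IPs and ports); the `VIP(...)` destination object name in the policy line and the single-service-per-policy parsing are assumptions, and multi-service policy blocks are not parsed.

```python
"""Sanity-check a ScreenOS (NetScreen) VIP port-forward for Remote Desktop
Web Connection.  Added example; not code from the thread or from Juniper.

The browser first fetches /tsweb from IIS through one forwarded port, then
the ActiveX client opens a second connection to the public IP on the RDP
port.  Both hops must reach the same inside host and be permitted by an
Untrust -> Trust policy; this checker verifies exactly that.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Pre-defined ScreenOS services the checker knows; custom ones are read
# from 'set service' lines in the config.
BUILTIN_SERVICES = {"HTTP": (80, 80), "ANY": (0, 65535)}

SERVICE_RE = re.compile(
    r'^set service "([^"]+)" protocol tcp src-port \S+ dst-port (\d+)-(\d+)')
VIP_RE = re.compile(
    r'^set interface (\S+) vip (\S+) (\d+) "([^"]+)" (\d{1,3}(?:\.\d{1,3}){3})')
# Single-service Untrust->Trust policy whose destination is a VIP object
# (assumption: the destination is written as "VIP(...)").
POLICY_RE = re.compile(
    r'^set policy (?:id \d+ )?from "Untrust" to "Trust"\s+"[^"]+" '
    r'"(VIP\([^)]*\))" "([^"]+)" (permit|deny)')


@dataclass
class Forwarding:
    multi_port: bool = False
    services: dict = field(default_factory=lambda: dict(BUILTIN_SERVICES))
    vips: list = field(default_factory=list)     # (vip_ip, vport, service, inside_ip)
    permitted: set = field(default_factory=set)  # services permitted towards a VIP


def parse_config(text):
    """Pick out the VIP-related statements from a ScreenOS config dump."""
    fw = Forwarding()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "set vip multi-port":
            fw.multi_port = True
        elif m := SERVICE_RE.match(line):
            fw.services[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := VIP_RE.match(line):
            fw.vips.append((m.group(2), int(m.group(3)), m.group(4), m.group(5)))
        elif m := POLICY_RE.match(line):
            if m.group(3) == "permit":
                fw.permitted.add(m.group(2))
    return fw


def check_tsweb_target(fw, inside_ip, public_web, inside_web, public_rdp, inside_rdp=3389):
    """Return a list of problems; an empty list means the forward is complete."""
    problems = []
    # One public port can only point at one inside host.
    for (vip_ip, vport), n in Counter((v[0], v[1]) for v in fw.vips).items():
        if n > 1:
            problems.append(f"virtual port {vport} on {vip_ip} is mapped to {n} hosts")
    # Two or more virtual ports on one VIP need 'set vip multi-port'.
    per_ip = Counter(v[0] for v in fw.vips)
    if not fw.multi_port and any(n > 1 for n in per_ip.values()):
        problems.append("several virtual ports on one VIP but 'set vip multi-port' is not set")
    for label, pub, inside in (("web (IIS)", public_web, inside_web), ("RDP", public_rdp, inside_rdp)):
        hits = [v for v in fw.vips if v[1] == pub and v[3] == inside_ip]
        if not hits:
            problems.append(f"no VIP forwards public port {pub} ({label}) to {inside_ip}")
            continue
        svc = hits[0][2]
        lo, hi = fw.services.get(svc, (-1, -1))
        if not lo <= inside <= hi:
            problems.append(f"VIP for port {pub} maps to service {svc!r} ({lo}-{hi}), "
                            f"but {label} listens on {inside}")
        if svc not in fw.permitted and "ANY" not in fw.permitted:
            problems.append(f"no Untrust->Trust policy permits {svc!r} to the VIP")
    return problems


# Constructed configs modeled on the thread: only the web port forwarded
# (before), then both ports under a multi-port VIP (after).
BEFORE_CFG = """
set interface serial1/1 vip 213.42.128.93 5412 "HTTP" 192.168.50.111
set policy id 50 from "Untrust" to "Trust"  "Any" "VIP(213.42.128.93)" "HTTP" permit log
"""
AFTER_CFG = """
set vip multi-port
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout 5
set service "CService" protocol tcp src-port 0-65535 dst-port 5412-5412
set interface serial1/1 vip 213.42.128.93 3389 "RDP" 192.168.50.111
set interface serial1/1 vip 213.42.128.93 5412 "CService" 192.168.50.111
set policy id 50 from "Untrust" to "Trust"  "Any" "VIP(213.42.128.93)" "ANY" permit log
"""

if __name__ == "__main__":
    for name, cfg, web_in in (("before", BEFORE_CFG, 80), ("after", AFTER_CFG, 5412)):
        found = check_tsweb_target(parse_config(cfg), "192.168.50.111",
                                   public_web=5412, inside_web=web_in, public_rdp=3389)
        print(name, "->", found or "OK")
```

Run against the "before" config the only finding is the missing RDP forward, which is the gap behind the "could not connect to the remote computer" error; the "after" config comes back clean. Adding a second host on the same public RDP port is flagged as a conflict, which is why each additional workstation needs its own public port.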
 
LVL 68

Expert Comment

by:Qlemo
ID: 24246312
sangamc,
If multiple RDP connections are to be set up, isn't there some info missing? Does IIS read the local RDP port to use from the registry by itself, and use that when you do not provide any further info?
As far as I understand, you have to set up the VIP with the same port as the RDP mapped port for both public and private network (hence no port translation).
If the public IP and RDP port are provided in the web dialog, the change of RDP port on each workstation looks unnecessary. But I'm not certain about all that.

0
 

Author Comment

by:binumhaneef
ID: 24248706
Could you please just go through this config? I have done whatever you suggested, but I could not access it
through http://213.42.128.94:5412/tsweb
ssg140.txt
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24250085
@qlemo: if I misunderstood your question please correct me ...
When creating a VIP, the RDP port is mapped to a specific IP address in your LAN, let's say 10.10.10.27. When you open up the web page, if you put in the IP address of a different workstation in the LAN (10.10.10.55) you will not be able to control that workstation, because your VIP only allows RDP(3389) traffic to one IP address, 10.10.10.27.
Because you cannot map one port to multiple LAN IP addresses, you have to change the RDP port on the second workstation and add that port to the list of ports in your VIP as well as in the policy.

In my opinion, since the author insists on using Remote Desktop Web, what should be done is to have IIS set up on each workstation on its own unique port and then open the web page for the workstation you wish to connect to. Doing this instead of opening one web page and connecting to multiple workstations will help eliminate some confusion.

@binumhaneef
As soon as I get to the office I'll check your config.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24251745
This is from your current configuration

# set interface serial1/1 vip interface-ip 3389 "RDP" 192.168.50.111 manual
# set interface serial1/1 vip interface-ip 5412 "CService" 192.168.50.111 manual

in your initial configuration i noticed you had the following

# set interface serial1/1 vip 213.42.128.93 5412 "HTTP" 192.168.50.111

So instead of using 'Same as the untrusted interface IP address', go ahead and use the other IP address you have available in that subnet for the VIP (213.42.128.93).

Also, for the policy, instead of restricting the services to the ones specified in the VIP you can set the service to 'ANY' for the sake of testing, and then once we have a successful test, lock it down to the specific service you need.
0
 

Accepted Solution

by:
binumhaneef earned 0 total points
ID: 24266950
It's working now. The actual problem is that it needs Service Pack 3 for accessing another workstation remotely through HTTP. Thanks.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24267977
Do you really think the changes sangamc suggested are not related to the solution? If they are, you should award some points!
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24268613
I am pretty sure that Service Pack 3 was not the only reason you were unable to make the connection. I am disappointed that after some aggressive posts 'demanding' my response you would choose this route. My test config worked with XP virtual machines with NO service packs installed.
0
 

Author Comment

by:binumhaneef
ID: 24284933
Actually I tried the way sangamc suggested. Really, I had configured the same before; my friends also said there is no other configuration to make port forwarding work. What I did is just configure the firewall exception. I checked on Windows XP SP2 but it didn't work, but when I upgraded to SP3 it worked.
0
 

Author Comment

by:binumhaneef
ID: 24284937
To be frank, sangamc gave me the configuration, but after configuring it, it was not working. RDP will work only with SP3.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24285023
OK, if that's what you believe. I'm absolutely positive it works with a brand new XP install with no service packs. That is the way I tested the setup that I posted above (I didn't have time to wait for two service packs to download before testing). Either way, your initial config was incorrect, since you only had the port open for the web server and not the port for the actual RDP connection, and you did not have multi-port VIP enabled either. Good luck with your future NetScreen configs, and don't forget to check the Juniper website for great documentation on different aspects of using the device. Their knowledge base is very good and is open to the public.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24285604
Remove sangamc's configuration, re-establish yours, and you will not succeed in connecting, I'm pretty sure. XP SP2 might add to the problem (but I never heard of it), but it is not the sole reason.
0
 

Author Comment

by:binumhaneef
ID: 24285929
I am very sure that it will not work with Service Pack 2. As sangamc said, I have enabled multi-port, which I hadn't enabled earlier. If you want to make sure and wish to go through my configuration, I will attach the file.
0
 

Author Comment

by:binumhaneef
ID: 24285931
set clock timezone 3
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout 5
set service "CService" protocol tcp src-port 0-65535 dst-port 5412-5412
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "ascorp"
set admin password "nEZqE+rwLcwFcb5PlskLlzMtC6CAMn"
set admin user "shaji" password "nGe+BwrFDDyHcZZNrs2Ow/LtXLCcVn" privilege "all"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface adsl2/0 phy operating-mode auto
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/4" zone "Trust"
set interface "ethernet0/5" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "adsl2/0" pvc 8 35 mux llc protocol bridged  zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface "serial1/1" encap cisco-hdlc
set interface ethernet0/0 ip 192.168.3.2/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.8.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 192.168.0.151/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.170.10.39/24
set interface ethernet0/3 nat
set interface ethernet0/4 ip 192.168.50.1/24
set interface ethernet0/4 nat
set interface serial1/1 ip 213.42.128.94/30
set interface serial1/1 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/4 ip manageable
set interface serial1/1 ip manageable
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/4 manage ssh
unset interface ethernet0/4 manage ssl
unset interface ethernet0/5 manage ping
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage telnet
unset interface ethernet0/5 manage snmp
unset interface ethernet0/5 manage ssl
unset interface ethernet0/5 manage web
set interface serial1/1 manage ping
set interface serial1/1 manage ssh
set interface serial1/1 manage telnet
set interface serial1/1 manage snmp
set interface serial1/1 manage ssl
set interface serial1/1 manage web
set interface serial1/1 vip interface-ip 5416 "HTTP" 192.168.50.111
set interface serial1/1 vip interface-ip 5417 "HTTP" 192.168.50.83

set interface ethernet0/4 dot1x control-mode interface
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain dell.ascorpholdings1.com
set hostname dell.ascorpholdings1.com
set pki authority default scep mode "auto"
set pki x509 default cert-path partial

set dns host dns3 0.0.0.0
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Trust" "192.168.1.101/32" 192.168.1.101 255.255.255.255
set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Trust" "192.168.40.1/24" 192.168.40.1 255.255.255.0
set address "Trust" "192.168.50.0/24" 192.168.50.0 255.255.255.0
set address "Trust" "192.168.50.10" 192.168.50.10 255.255.255.255
set address "Trust" "192.168.50.100" 192.168.50.100 255.255.255.255
set address "Trust" "192.168.50.101" 192.168.50.101 255.255.255.255
set address "Trust" "192.168.50.102" 192.168.50.102 255.255.255.255
set address "Trust" "192.168.50.11" 192.168.50.11 255.255.255.255
set address "Trust" "192.168.50.111" 192.168.50.111 255.255.255.255
set address "Trust" "192.168.50.114" 192.168.50.114 255.255.255.255
set address "Trust" "192.168.50.12" 192.168.50.12 255.255.255.255
set address "Trust" "192.168.50.13" 192.168.50.13 255.255.255.255
set address "Trust" "192.168.50.14" 192.168.50.14 255.255.255.255
set address "Trust" "192.168.50.15" 192.168.50.15 255.255.255.255
set address "Trust" "192.168.50.16" 192.168.50.16 255.255.255.255
set address "Trust" "192.168.50.17" 192.168.50.17 255.255.255.255
set address "Trust" "192.168.50.18" 192.168.50.18 255.255.255.255
set address "Trust" "192.168.50.19" 192.168.50.19 255.255.255.255
set address "Trust" "192.168.50.20" 192.168.50.20 255.255.255.255
set address "Trust" "192.168.50.200" 192.168.50.200 255.255.255.255
set address "Trust" "192.168.50.21" 192.168.50.21 255.255.255.255
set address "Trust" "192.168.50.22" 192.168.50.22 255.255.255.255
set address "Trust" "192.168.50.23" 192.168.50.23 255.255.255.255
set address "Trust" "192.168.50.24" 192.168.50.24 255.255.255.255
set address "Trust" "192.168.50.25" 192.168.50.25 255.255.255.255
set address "Trust" "192.168.50.26" 192.168.50.26 255.255.255.255
set address "Trust" "192.168.50.27" 192.168.50.27 255.255.255.255
set address "Trust" "192.168.50.28" 192.168.50.28 255.255.255.255
set address "Trust" "192.168.50.29" 192.168.50.29 255.255.255.255
set address "Trust" "192.168.50.30" 192.168.50.30 255.255.255.255
set address "Trust" "192.168.50.33" 192.168.50.33 255.255.255.255
set address "Trust" "192.168.50.34" 192.168.50.34 255.255.255.255
set address "Trust" "192.168.50.49" 192.168.50.49 255.255.255.255
set address "Trust" "192.168.50.50" 192.168.50.50 255.255.255.255
set address "Trust" "192.168.50.51" 192.168.50.51 255.255.255.255
set address "Trust" "192.168.50.52" 192.168.50.52 255.255.255.255
set address "Trust" "192.168.50.53" 192.168.50.53 255.255.255.255
set address "Trust" "192.168.50.54" 192.168.50.54 255.255.255.255
set address "Trust" "192.168.50.55" 192.168.50.55 255.255.255.255
set address "Trust" "192.168.50.56" 192.168.50.56 255.255.255.255
set address "Trust" "192.168.50.57" 192.168.50.57 255.255.255.255
set address "Trust" "192.168.50.58" 192.168.50.58 255.255.255.255
set address "Trust" "192.168.50.59" 192.168.50.59 255.255.255.255
set address "Trust" "192.168.50.60" 192.168.50.60 255.255.255.255
set address "Trust" "192.168.50.61" 192.168.50.61 255.255.255.255
set address "Trust" "192.168.50.62" 192.168.50.62 255.255.255.255
set address "Trust" "192.168.50.63" 192.168.50.63 255.255.255.255
set address "Trust" "192.168.50.64" 192.168.50.64 255.255.255.255
set address "Trust" "192.168.50.65" 192.168.50.65 255.255.255.255
set address "Trust" "192.168.50.66" 192.168.50.66 255.255.255.255
set address "Trust" "192.168.50.67" 192.168.50.67 255.255.255.255
set address "Trust" "192.168.50.68" 192.168.50.68 255.255.255.255
set address "Trust" "192.168.50.69" 192.168.50.69 255.255.255.255
set address "Trust" "192.168.50.70" 192.168.50.70 255.255.255.255
set address "Trust" "192.168.50.71" 192.168.50.71 255.255.255.255
set address "Trust" "192.168.50.72" 192.168.50.72 255.255.255.255
set address "Trust" "192.168.50.73" 192.168.50.73 255.255.255.255
set address "Trust" "192.168.50.83" 192.168.50.83 255.255.255.255
set address "Trust" "192.168.50.84" 192.168.50.84 255.255.255.255
set address "Trust" "192.168.50.85" 192.168.50.85 255.255.255.255
set address "Trust" "192.168.50.86" 192.168.50.86 255.255.255.255
set address "Trust" "192.168.50.87" 192.168.50.87 255.255.255.255
set address "Trust" "192.168.50.88" 192.168.50.88 255.255.255.255
set address "Trust" "192.168.50.89" 192.168.50.89 255.255.255.255
set address "Trust" "192.168.50.90" 192.168.50.90 255.255.255.255
set address "Trust" "192.168.50.91" 192.168.50.91 255.255.255.255
set address "Trust" "192.170.5.0/24" 192.170.5.0 255.255.255.0
set address "Trust" "192.170.5.156/32" 192.170.5.156 255.255.255.255
set address "Trust" "213.42.128.94/32" 213.42.128.94 255.255.255.255

set address "Untrust" "192.168.3.0/24" 192.168.3.0 255.255.255.0
set address "Untrust" "192.168.4.0/24" 192.168.4.0 255.255.255.0
set address "Untrust" "217.12.4.245/32" 217.12.4.245 255.255.255.255
set address "Untrust" "64.4.32.7/32" 64.4.32.7 255.255.255.255
set address "Untrust" "64.4.33.7/32" 64.4.33.7 255.255.255.255
set address "Untrust" "68.142.230.232/32" 68.142.230.232 255.255.255.255
set address "Untrust" "68.142.230.234/32" 68.142.230.234 255.255.255.255
set address "Untrust" "68.142.230.235/32" 68.142.230.235 255.255.255.255
set address "Untrust" "68.142.230.236/32" 68.142.230.236 255.255.255.255
set address "Untrust" "69.147.112.160/32" 69.147.112.160 255.255.255.255
set group address "Trust" "Exclusive Users" comment "OPEN"
set group address "Trust" "Exclusive Users" add "192.168.50.100"
set group address "Trust" "Exclusive Users" add "192.168.50.101"
set group address "Trust" "Exclusive Users" add "192.168.50.102"
set group address "Trust" "Exclusive Users" add "192.168.50.114"
set group address "Trust" "Exclusive Users" add "192.168.50.200"
set group address "Trust" "Exclusive Users" add "192.168.50.34"
set group address "Trust" "Exclusive Users" add "192.168.50.49"
set group address "Trust" "Exclusive Users" add "192.168.50.84"
set group address "Trust" "Exclusive Users" add "192.168.50.85"
set group address "Trust" "Exclusive Users" add "192.168.50.87"
set group address "Trust" "Exclusive Users" add "192.168.50.88"
set group address "Trust" "Exclusive Users" add "192.168.50.90"
set group address "Trust" "Exclusive Users" add "192.168.50.91"
set group address "Trust" "GmailUsers" comment "khalid,mustafa"
set group address "Trust" "GmailUsers" add "192.168.50.10"
set group address "Trust" "GmailUsers" add "192.168.50.13"
set group address "Trust" "GmailUsers" add "192.168.50.51"
set group address "Trust" "GmailUsers" add "192.168.50.86"
set group address "Trust" "IT Users" comment "Dept"
set group address "Trust" "IT Users" add "192.168.50.111"
set group address "Trust" "IT Users" add "192.168.50.14"
set group address "Trust" "IT Users" add "192.168.50.15"
set group address "Trust" "IT Users" add "192.168.50.16"
set group address "Trust" "IT Users" add "192.168.50.17"
set group address "Trust" "IT Users" add "192.168.50.18"
set group address "Trust" "IT Users" add "192.168.50.19"
set group address "Trust" "IT Users" add "192.168.50.21"
set group address "Trust" "IT Users" add "192.168.50.22"
set group address "Trust" "IT Users" add "192.168.50.33"
set group address "Trust" "IT Users" add "192.168.50.58"
set group address "Trust" "IT Users" add "192.168.50.70"
set group address "Trust" "IT Users" add "192.168.50.72"
set group address "Trust" "IT Users" add "192.168.50.83"
set group address "Trust" "IT Users" add "192.168.50.89"
set group address "Trust" "Others" comment "Restricted!!"
set group address "Trust" "Others" add "192.168.50.12"
set group address "Trust" "Others" add "192.168.50.23"
set group address "Trust" "Others" add "192.168.50.50"
set group address "Trust" "Others" add "192.168.50.52"
set group address "Trust" "Others" add "192.168.50.53"
set group address "Trust" "Others" add "192.168.50.54"
set group address "Trust" "Others" add "192.168.50.55"
set group address "Trust" "Others" add "192.168.50.56"
set group address "Trust" "Others" add "192.168.50.57"
set group address "Trust" "Others" add "192.168.50.59"
set group address "Trust" "Others" add "192.168.50.60"
set group address "Trust" "Others" add "192.168.50.61"
set group address "Trust" "Others" add "192.168.50.62"
set group address "Trust" "Others" add "192.168.50.63"
set group address "Trust" "Others" add "192.168.50.64"
set group address "Trust" "Others" add "192.168.50.65"
set group address "Trust" "Others" add "192.168.50.66"
set group address "Trust" "Others" add "192.168.50.67"
set group address "Trust" "Others" add "192.168.50.68"
set group address "Trust" "Others" add "192.168.50.69"
set group address "Trust" "Others" add "192.168.50.71"
set group address "Trust" "Others" add "192.168.50.72"
set group address "Trust" "Others" add "192.168.50.73"
set ppp profile "serial"
set ppp profile "serial" static-ip
set ike gateway "vpn_p1" address 0.0.0.0 id "ascorp@ascorp.com" Aggr outgoing-interface "serial1/1" preshare "YlPrXwxDNyCgqSs7eVCkjQqjkXnm2zI78A==" proposal "pre-g2-3des-sha"
set ike gateway "vpn_p1" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651
unset ike gateway "vpn_p1" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpn_p2" gateway "vpn_p1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "vpn_p2" monitor
set vpn "vpn_p2" id 1 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set attack "CS:yahoo" ymsg-chatroom-name "Yahoo" severity high
set attack group "CS:AG"
set attack group "CS:AG" add "CS:yahoo"
set av http trickling default
set url protocol type sc-cpa
set url protocol sc-cpa
set category "ASCORP" url "ca.my.yahoo.com/"
set category "ASCORP" url "uk.mail.yahoo.com/"
set category "ASCORP" url "www.gmail.com/"
set category "ASCORP" url "www.hotmail.com/"
set category "ASCORP" url "www.rediffmail.com/"
set category "ASCORP" url "www.yahoo.com/"
set category "Firewall" url "ca.my.yahoo.com/"
set category "Firewall" url "ca.yahoo.com/"
set category "Firewall" url "developer.yahoo.com/"
set category "Firewall" url "dir.yahoo.com/"
set category "Firewall" url "edit.europe.com/"
set category "Firewall" url "finance.yahoo.com/"
set category "Firewall" url "gateway.messenger.hotmail.com/"
set category "Firewall" url "login.yahoo.com/"
set category "Firewall" url "login.yahoo.com/config"
set category "Firewall" url "mail.google.com/mai"
set category "Firewall" url "mail.google.com/mail"
set category "Firewall" url "mail.rediff.com/"
set category "Firewall" url "mail.yahoo.com/"
set category "Firewall" url "messenger.yahoo.com/"
set category "Firewall" url "msg.edit.yahoo.com/"
set category "Firewall" url "my.yahoo.com/"
set category "Firewall" url "myc1.msg.vip.re2.yahoo.com/"
set category "Firewall" url "news.yahoo.com/"
set category "Firewall" url "sip35.voice.re2.yahoo.com/"
set category "Firewall" url "uk.mail.yahoo.com/"
set category "Firewall" url "uk.news.yahoo.com/"
set category "Firewall" url "uk.yahoo.com/"
set category "Firewall" url "ultra1/ultrasurf.htm"
set category "Firewall" url "us.lrd.yahoo.com/"
set category "Firewall" url "video.yahoo.com/"
set category "Firewall" url "wap.oa.yahoo.com/"
set category "Firewall" url "widgets.yahoo.com/"
set category "Firewall" url "www.anchorfree.com/"
set category "Firewall" url "www.gmail.com/"
set category "Firewall" url "www.gotoforum.com/"
set category "Firewall" url "www.hotmail.com/"
set category "Firewall" url "www.hotspotshield.com/"
set category "Firewall" url "www.onlytorrents.com/torrent"
set category "Firewall" url "www.rediffmail.com/"
set category "Firewall" url "www.yahoomail.com/"
set category "Firewall" url "www.youtube.com/"
set category "GmailUsers" url "ca.my.yahoo.com/"
set category "GmailUsers" url "developer.yahoo.com/"
set category "GmailUsers" url "edit.europe.yahoo.com/"
set category "GmailUsers" url "login.live.com/"
set category "GmailUsers" url "login.yahoo.com/"
set category "GmailUsers" url "mail.rediff.com/"
set category "GmailUsers" url "mail.yahoo.com/"
set category "GmailUsers" url "msg.edit.yahoo.com/"
set category "GmailUsers" url "uk.mail.yahoo.com/"
set category "GmailUsers" url "uk.news.yahoo.com/"
set category "GmailUsers" url "us.lrd.yahoo.com/"
set category "GmailUsers" url "www.gotoforum.com/"
set category "GmailUsers" url "www.hotmail.com/"
set category "GmailUsers" url "www.hotspotshield.com/"
set category "GmailUsers" url "www.rediffmail.com/"
set category "GmailUsers" url "www.yahoo.com/"
set category "GmailUsers" url "www.yahoomail.com/"
set profile "ASCORP Firewall" "Firewall" black-list
set profile "ASCORP Firewall" "Chat" block
set profile "ASCORP Firewall" "Hacking" block
set profile "ASCORP Firewall" "Sex Education" block
set profile "ASCORP Firewall" "Adult/Sexually Explicit" block
set profile "Firewall4Gmail" "GmailUsers" black-list
set profile "Firewall4Gmail" "Chat" block
set profile "Firewall4Gmail" "Hacking" block
set profile "Firewall4Gmail" "Sex Education" block
set profile "Firewall4Gmail" "Adult/Sexually Explicit" block
set enable
set fail-mode permit
set server europe
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set vpn "vpn_p2" proxy-id local-ip 192.168.1.2/24 remote-ip 192.168.3.1/24 "ANY"
set policy id 23 from "Trust" to "Untrust"  "192.170.5.156/32" "Any" "ANY" permit
set policy id 23 disable
set policy id 23
exit
set policy id 3 from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit
set policy id 3
exit
set policy id 4 from "Trust" to "Untrust"  "192.170.5.0/24" "Any" "DNS" permit
set policy id 4
set service "PING"
set service "POP3"
set service "SMTP"
set service "TCP-ANY"
exit
set policy id 5 from "Trust" to "Untrust"  "Exclusive Users" "Any" "ANY" permit
set policy id 5
exit
set policy id 6 from "Trust" to "Untrust"  "IT Users" "Any" "ANY" permit
set policy id 6
exit
set policy id 7 from "Trust" to "Untrust"  "Others" "Any" "ANY" permit url-filter
set policy id 7 disable
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust"  "GmailUsers" "Any" "ANY" permit
set policy id 8
exit
set policy id 22 from "Untrust" to "Trust"  "Any" "VIP(serial1/1)" "ANY" permit log
set policy id 22
exit
set policy id 9 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.249)" "ANY" permit log
set policy id 9
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.251)" "ANY" permit
set policy id 10
exit
set policy id 12 from "Trust" to "Untrust"  "192.168.2.0/24" "Any" "DNS" permit
set policy id 12
set service "FTP"
set service "POP3"
set service "SMTP"
exit
set policy id 13 from "Trust" to "Untrust"  "192.168.1.0/24" "192.168.3.0/24" "ANY" permit
set policy id 13
exit
set policy id 14 from "Untrust" to "Trust"  "192.168.3.0/24" "192.168.1.0/24" "ANY" permit
set policy id 14
set src-address "192.168.4.0/24"
set dst-address "192.168.2.0/24"
set dst-address "192.168.50.0/24"
set dst-address "192.170.5.0/24"
exit
set policy id 17 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.252)" "ANY" permit
set policy id 17
exit
set policy id 20 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.250)" "ANY" permit
set policy id 20
exit
set log module system level warning destination console
set log module system level notification destination console
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface serial1/1 gateway 213.42.128.93 preference 20 permanent
set route 192.168.1.2/24 interface tunnel.1 preference 20
set route 192.168.3.1/24 interface tunnel.1 preference 20
set route 192.168.4.1/24 interface tunnel.1 preference 20
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 8080-8080 protocol tcp entry 1
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 80-80 protocol tcp entry 2
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 53-53 protocol tcp entry 3
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 5
set access-list extended 1 src-ip 192.168.50.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 6
set access-list extended 2 src-ip 192.170.5.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 1
set access-list extended 2 src-ip 192.170.5.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 2
set access-list extended 3 src-ip 192.168.2.0/24 dst-ip 0.0.0.0/0 dst-port 25-25 protocol tcp entry 1
set access-list extended 3 src-ip 192.168.2.0/24 dst-ip 0.0.0.0/0 dst-port 110-110 protocol tcp entry 2
set match-group name MG2
set match-group MG2 ext-acl 2 match-entry 1
set match-group name MG4Mail2.0
set match-group MG4Mail2.0 ext-acl 3 match-entry 1
set match-group name MG1
set match-group MG1 ext-acl 1 match-entry 1
set action-group name AGforAcctMail
set action-group AGforAcctMail next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set action-group name AGFor50.0
set action-group AGFor50.0 next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set action-group name AG2.0
set action-group AG2.0 next-interface ethernet0/2 next-hop 192.168.0.100 action-entry 1
set pbr policy name Forexusers
set pbr policy Forexusers match-group MG1 action-group AGFor50.0 1
set pbr policy name plcy4mail2.0
set pbr policy plcy4mail2.0 match-group MG4Mail2.0 action-group AG2.0 1
set pbr policy name AcctMail
set pbr policy AcctMail match-group MG2 action-group AGforAcctMail 1
exit
set interface ethernet0/1 pbr plcy4mail2.0
set interface ethernet0/3 pbr AcctMail
set interface ethernet0/4 pbr Forexusers
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0
 

Author Comment

by:binumhaneef
ID: 24285936
check this config
0
 

Author Comment

by:binumhaneef
ID: 24285938
set clock timezone 3
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "ascorp"
set admin password "nEZqE+rwLcwFcb5PlskLlzMtC6CAMn"
set admin user "shaji" password "nGe+BwrFDDyHcZZNrs2Ow/LtXLCcVn" privilege "all"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface adsl2/0 phy operating-mode auto
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/4" zone "Trust"
set interface "ethernet0/5" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "adsl2/0" pvc 8 35 mux llc protocol bridged  zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface "serial1/1" encap cisco-hdlc
set interface ethernet0/0 ip 192.168.3.2/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.8.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 192.168.0.151/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.170.10.39/24
set interface ethernet0/3 nat
set interface ethernet0/4 ip 192.168.50.1/24
set interface ethernet0/4 nat
set interface serial1/1 ip 213.42.128.94/30
set interface serial1/1 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/4 ip manageable
set interface serial1/1 ip manageable
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/4 manage ssh
unset interface ethernet0/4 manage ssl
unset interface ethernet0/5 manage ping
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage telnet
unset interface ethernet0/5 manage snmp
unset interface ethernet0/5 manage ssl
unset interface ethernet0/5 manage web
set interface serial1/1 manage ping
set interface serial1/1 manage ssh
set interface serial1/1 manage telnet
set interface serial1/1 manage snmp
set interface serial1/1 manage ssl
set interface serial1/1 manage web
set interface serial1/1 vip interface-ip 5416 "HTTP" 192.168.50.111
set interface serial1/1 vip interface-ip 5417 "HTTP" 192.168.50.83

set interface ethernet0/4 dot1x control-mode interface
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain dell.ascorpholdings1.com
set hostname dell.ascorpholdings1.com
set pki authority default scep mode "auto"
set pki x509 default cert-path partial

set dns host dns3 0.0.0.0
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Trust" "192.168.1.101/32" 192.168.1.101 255.255.255.255
set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Trust" "192.168.40.1/24" 192.168.40.1 255.255.255.0
set address "Trust" "192.168.50.0/24" 192.168.50.0 255.255.255.0
set address "Trust" "192.168.50.10" 192.168.50.10 255.255.255.255
set address "Trust" "192.168.50.100" 192.168.50.100 255.255.255.255
set address "Trust" "192.168.50.101" 192.168.50.101 255.255.255.255
set address "Trust" "192.168.50.102" 192.168.50.102 255.255.255.255
set address "Trust" "192.168.50.11" 192.168.50.11 255.255.255.255
set address "Trust" "192.168.50.111" 192.168.50.111 255.255.255.255
set address "Trust" "192.168.50.114" 192.168.50.114 255.255.255.255
set address "Trust" "192.168.50.12" 192.168.50.12 255.255.255.255
set address "Trust" "192.168.50.13" 192.168.50.13 255.255.255.255
set address "Trust" "192.168.50.14" 192.168.50.14 255.255.255.255
set address "Trust" "192.168.50.15" 192.168.50.15 255.255.255.255
set address "Trust" "192.168.50.16" 192.168.50.16 255.255.255.255
set address "Trust" "192.168.50.17" 192.168.50.17 255.255.255.255
set address "Trust" "192.168.50.18" 192.168.50.18 255.255.255.255
set address "Trust" "192.168.50.19" 192.168.50.19 255.255.255.255
set address "Trust" "192.168.50.20" 192.168.50.20 255.255.255.255
set address "Trust" "192.168.50.200" 192.168.50.200 255.255.255.255
set address "Trust" "192.168.50.21" 192.168.50.21 255.255.255.255
set address "Trust" "192.168.50.22" 192.168.50.22 255.255.255.255
set address "Trust" "192.168.50.23" 192.168.50.23 255.255.255.255
set address "Trust" "192.168.50.24" 192.168.50.24 255.255.255.255
set address "Trust" "192.168.50.25" 192.168.50.25 255.255.255.255
set address "Trust" "192.168.50.26" 192.168.50.26 255.255.255.255
set address "Trust" "192.168.50.27" 192.168.50.27 255.255.255.255
set address "Trust" "192.168.50.28" 192.168.50.28 255.255.255.255
set address "Trust" "192.168.50.29" 192.168.50.29 255.255.255.255
set address "Trust" "192.168.50.30" 192.168.50.30 255.255.255.255
set address "Trust" "192.168.50.33" 192.168.50.33 255.255.255.255
set address "Trust" "192.168.50.34" 192.168.50.34 255.255.255.255
set address "Trust" "192.168.50.49" 192.168.50.49 255.255.255.255
set address "Trust" "192.168.50.50" 192.168.50.50 255.255.255.255
set address "Trust" "192.168.50.51" 192.168.50.51 255.255.255.255
set address "Trust" "192.168.50.52" 192.168.50.52 255.255.255.255
set address "Trust" "192.168.50.53" 192.168.50.53 255.255.255.255
set address "Trust" "192.168.50.54" 192.168.50.54 255.255.255.255
set address "Trust" "192.168.50.55" 192.168.50.55 255.255.255.255
set address "Trust" "192.168.50.56" 192.168.50.56 255.255.255.255
set address "Trust" "192.168.50.57" 192.168.50.57 255.255.255.255
set address "Trust" "192.168.50.58" 192.168.50.58 255.255.255.255
set address "Trust" "192.168.50.59" 192.168.50.59 255.255.255.255
set address "Trust" "192.168.50.60" 192.168.50.60 255.255.255.255
set address "Trust" "192.168.50.61" 192.168.50.61 255.255.255.255
set address "Trust" "192.168.50.62" 192.168.50.62 255.255.255.255
set address "Trust" "192.168.50.63" 192.168.50.63 255.255.255.255
set address "Trust" "192.168.50.64" 192.168.50.64 255.255.255.255
set address "Trust" "192.168.50.65" 192.168.50.65 255.255.255.255
set address "Trust" "192.168.50.66" 192.168.50.66 255.255.255.255
set address "Trust" "192.168.50.67" 192.168.50.67 255.255.255.255
set address "Trust" "192.168.50.68" 192.168.50.68 255.255.255.255
set address "Trust" "192.168.50.69" 192.168.50.69 255.255.255.255
set address "Trust" "192.168.50.70" 192.168.50.70 255.255.255.255
set address "Trust" "192.168.50.71" 192.168.50.71 255.255.255.255
set address "Trust" "192.168.50.72" 192.168.50.72 255.255.255.255
set address "Trust" "192.168.50.73" 192.168.50.73 255.255.255.255
set address "Trust" "192.168.50.83" 192.168.50.83 255.255.255.255
set address "Trust" "192.168.50.84" 192.168.50.84 255.255.255.255
set address "Trust" "192.168.50.85" 192.168.50.85 255.255.255.255
set address "Trust" "192.168.50.86" 192.168.50.86 255.255.255.255
set address "Trust" "192.168.50.87" 192.168.50.87 255.255.255.255
set address "Trust" "192.168.50.88" 192.168.50.88 255.255.255.255
set address "Trust" "192.168.50.89" 192.168.50.89 255.255.255.255
set address "Trust" "192.168.50.90" 192.168.50.90 255.255.255.255
set address "Trust" "192.168.50.91" 192.168.50.91 255.255.255.255
set address "Trust" "192.170.5.0/24" 192.170.5.0 255.255.255.0
set address "Trust" "192.170.5.156/32" 192.170.5.156 255.255.255.255
set address "Trust" "213.42.128.94/32" 213.42.128.94 255.255.255.255

set address "Untrust" "192.168.3.0/24" 192.168.3.0 255.255.255.0
set address "Untrust" "192.168.4.0/24" 192.168.4.0 255.255.255.0
set address "Untrust" "217.12.4.245/32" 217.12.4.245 255.255.255.255
set address "Untrust" "64.4.32.7/32" 64.4.32.7 255.255.255.255
set address "Untrust" "64.4.33.7/32" 64.4.33.7 255.255.255.255
set address "Untrust" "68.142.230.232/32" 68.142.230.232 255.255.255.255
set address "Untrust" "68.142.230.234/32" 68.142.230.234 255.255.255.255
set address "Untrust" "68.142.230.235/32" 68.142.230.235 255.255.255.255
set address "Untrust" "68.142.230.236/32" 68.142.230.236 255.255.255.255
set address "Untrust" "69.147.112.160/32" 69.147.112.160 255.255.255.255
set group address "Trust" "Exclusive Users" comment "OPEN"
set group address "Trust" "Exclusive Users" add "192.168.50.100"
set group address "Trust" "Exclusive Users" add "192.168.50.101"
set group address "Trust" "Exclusive Users" add "192.168.50.102"
set group address "Trust" "Exclusive Users" add "192.168.50.114"
set group address "Trust" "Exclusive Users" add "192.168.50.200"
set group address "Trust" "Exclusive Users" add "192.168.50.34"
set group address "Trust" "Exclusive Users" add "192.168.50.49"
set group address "Trust" "Exclusive Users" add "192.168.50.84"
set group address "Trust" "Exclusive Users" add "192.168.50.85"
set group address "Trust" "Exclusive Users" add "192.168.50.87"
set group address "Trust" "Exclusive Users" add "192.168.50.88"
set group address "Trust" "Exclusive Users" add "192.168.50.90"
set group address "Trust" "Exclusive Users" add "192.168.50.91"
set group address "Trust" "GmailUsers" comment "khalid,mustafa"
set group address "Trust" "GmailUsers" add "192.168.50.10"
set group address "Trust" "GmailUsers" add "192.168.50.13"
set group address "Trust" "GmailUsers" add "192.168.50.51"
set group address "Trust" "GmailUsers" add "192.168.50.86"
set group address "Trust" "IT Users" comment "Dept"
set group address "Trust" "IT Users" add "192.168.50.111"
set group address "Trust" "IT Users" add "192.168.50.14"
set group address "Trust" "IT Users" add "192.168.50.15"
set group address "Trust" "IT Users" add "192.168.50.16"
set group address "Trust" "IT Users" add "192.168.50.17"
set group address "Trust" "IT Users" add "192.168.50.18"
set group address "Trust" "IT Users" add "192.168.50.19"
set group address "Trust" "IT Users" add "192.168.50.21"
set group address "Trust" "IT Users" add "192.168.50.22"
set group address "Trust" "IT Users" add "192.168.50.33"
set group address "Trust" "IT Users" add "192.168.50.58"
set group address "Trust" "IT Users" add "192.168.50.70"
set group address "Trust" "IT Users" add "192.168.50.72"
set group address "Trust" "IT Users" add "192.168.50.83"
set group address "Trust" "IT Users" add "192.168.50.89"
set group address "Trust" "Others" comment "Restricted!!"
set group address "Trust" "Others" add "192.168.50.12"
set group address "Trust" "Others" add "192.168.50.23"
set group address "Trust" "Others" add "192.168.50.50"
set group address "Trust" "Others" add "192.168.50.52"
set group address "Trust" "Others" add "192.168.50.53"
set group address "Trust" "Others" add "192.168.50.54"
set group address "Trust" "Others" add "192.168.50.55"
set group address "Trust" "Others" add "192.168.50.56"
set group address "Trust" "Others" add "192.168.50.57"
set group address "Trust" "Others" add "192.168.50.59"
set group address "Trust" "Others" add "192.168.50.60"
set group address "Trust" "Others" add "192.168.50.61"
set group address "Trust" "Others" add "192.168.50.62"
set group address "Trust" "Others" add "192.168.50.63"
set group address "Trust" "Others" add "192.168.50.64"
set group address "Trust" "Others" add "192.168.50.65"
set group address "Trust" "Others" add "192.168.50.66"
set group address "Trust" "Others" add "192.168.50.67"
set group address "Trust" "Others" add "192.168.50.68"
set group address "Trust" "Others" add "192.168.50.69"
set group address "Trust" "Others" add "192.168.50.71"
set group address "Trust" "Others" add "192.168.50.72"
set group address "Trust" "Others" add "192.168.50.73"
set ppp profile "serial"
set ppp profile "serial" static-ip
set ike gateway "vpn_p1" address 0.0.0.0 id "ascorp@ascorp.com" Aggr outgoing-interface "serial1/1" preshare "YlPrXwxDNyCgqSs7eVCkjQqjkXnm2zI78A==" proposal "pre-g2-3des-sha"
set ike gateway "vpn_p1" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651
unset ike gateway "vpn_p1" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpn_p2" gateway "vpn_p1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "vpn_p2" monitor
set vpn "vpn_p2" id 1 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set attack "CS:yahoo" ymsg-chatroom-name "Yahoo" severity high
set attack group "CS:AG"
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24286137
QUOTE ---- "i'm very sure that it will not work with service pack 2. as sangamc said, i have enabled multi-port, which i didn't enable earlier."

@ binumhaneef: this quote alone tells us that your original problem where you could open the web site but not the actual RDP connection was solved by my first post.

QUOTE: ----- binumhaneef: "how can i create a custom port in juniper"

secondly you did not configure a custom RDP service in your juniper. without the custom service that you copied from my post you would never have been able to RDP to any of your workstations inside your network. the following lines in your 'working' config most certainly did not come from something you or your 'friends' discovered:

set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout 5
set service "CService" protocol tcp src-port 0-65535 dst-port 5412-5412

and lastly i wish you would stop going on about sp3, which actually needs to be patched in order for remote desktop web connection to work. below is an MS KB article describing how ActiveX is disabled and the steps required to make sure it works correctly.

http://support.microsoft.com/kb/951607

You cannot connect to a remote computer or start a remote application when you use Terminal Services Web Access or Remote Web Workspace on a Windows XP SP3-based or Windows Small Business Server 2003 SP1-based computer. By default, the ActiveX control is disabled after you install Windows XP Service Pack 3 (SP3) or Windows Small Business Server 2003 SP1.


i have mentioned this privately but now i will say it publicly. your grasp of juniper netscreen concepts is rudimentary at best, and probably IT concepts as a whole. your approach demanding my response was extremely rude and i was shocked that you would choose that route. and finally your confidence that you solved your own problem without crediting any of the people who posted and tried to assist you is just spiteful.

please award points and close the question properly.

PS your juniper config is full of holes and does not protect your network at all. you have basically dumbed it down to a 'home style router' that everyone knows the user name and password for. please change the following before someone logs into your device and puts you out of business.


set admin name "ascorp"
set admin password "nEZqE+rwLcwFcb5PlskLlzMtC6CAMn"
set admin user "shaji" password "nGe+BwrFDDyHcZZNrs2Ow/LtXLCcVn" privilege "all"

set ike gateway "vpn_p1" address 0.0.0.0 id "ascorp@ascorp.com" Aggr outgoing-interface "serial1/1" preshare "YlPrXwxDNyCgqSs7eVCkjQqjkXnm2zI78A==" proposal "pre-g2-3des-sha"
set ike gateway "vpn_p1" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651

i recommend getting a new cert since that is compromised, as well as configuring new keys for your VPNs. your user names and passwords are also weak, and you should specify a list of IP addresses that can hit the webui for your device, because right now anyone in the world can log in.

0
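The last point above (management services reachable from anywhere on the Untrust interfaces, no permitted-IP restriction, and Untrust-to-Trust policies permitting "ANY") can be checked mechanically. The audit script below is an added example, not code from the thread or from Juniper; it parses a ScreenOS config dump and flags those settings, using a trimmed excerpt of the config posted above as constructed sample input. The remediation strings in its output assume ScreenOS syntax (`unset interface ... manage ...`, which the posted config already uses, and `set admin manager-ip`, which it lacks).

```python
"""Audit a ScreenOS (Juniper SSG) config dump for exposed management services and
overly broad Untrust->Trust policies.  Added example; not code from the thread."""
import re
from collections import Counter, defaultdict

# Constructed sample input: a trimmed excerpt of the config posted in the thread.
SAMPLE_CONFIG = """\
set interface "ethernet0/2" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "ethernet0/4" zone "Trust"
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
set interface serial1/1 manage ping
set interface serial1/1 manage ssh
set interface serial1/1 manage telnet
set interface serial1/1 manage snmp
set interface serial1/1 manage ssl
set interface serial1/1 manage web
unset interface ethernet0/4 manage ssh
set fail-mode permit
set policy id 22 from "Untrust" to "Trust"  "Any" "VIP(serial1/1)" "ANY" permit log
set policy id 9 from "Untrust" to "Trust"  "Any" "MIP(83.111.56.249)" "ANY" permit log
set policy id 14 from "Untrust" to "Trust"  "192.168.3.0/24" "192.168.1.0/24" "ANY" permit
set policy id 3 from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit
"""

ZONE_RE = re.compile(r'^set interface "([^"]+)" .*?zone "([^"]+)"')
MANAGE_RE = re.compile(r'^(set|unset) interface (\S+) manage (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)')
# "set admin manager-ip <ip> <mask>" restricts which sources may reach the
# management services at all (assumed ScreenOS syntax; absent from the posted config).
MANAGER_IP_RE = re.compile(r'^set admin manager-ip ')
CLEARTEXT = {"telnet", "web"}  # admin credentials cross the wire unencrypted


def audit(config_text):
    """Return a list of (severity, message) findings for one config dump."""
    zones = {}                  # interface name -> zone
    manage = defaultdict(set)   # interface name -> enabled management services
    policies = []
    manager_ip_set = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones[m.group(1)] = m.group(2)
        elif m := MANAGE_RE.match(line):
            verb, ifname, svc = m.groups()
            if verb == "set":
                manage[ifname].add(svc)
            else:               # a later "unset ... manage X" overrides the default
                manage[ifname].discard(svc)
        elif m := POLICY_RE.match(line):
            policies.append(m.groups())
        elif MANAGER_IP_RE.match(line):
            manager_ip_set = True

    findings = []
    exposed = False
    for ifname, svcs in manage.items():
        if zones.get(ifname) != "Untrust":
            continue            # management on Trust-side interfaces is expected
        for svc in sorted(svcs - {"ping"}):
            exposed = True
            sev = "HIGH" if svc in CLEARTEXT else "MEDIUM"
            findings.append((sev, f"{ifname} (Untrust) accepts management over {svc}; "
                                  f"fix: unset interface {ifname} manage {svc}"))
    if exposed and not manager_ip_set:
        findings.append(("HIGH", "no 'set admin manager-ip' restriction: any Internet "
                                 "source may reach the management services"))
    for pid, src_zone, _dst_zone, src, dst, svc, action in policies:
        if src_zone == "Untrust" and action == "permit" and svc == "ANY":
            findings.append(("MEDIUM", f"policy {pid}: {src} -> {dst} permits ANY service "
                                       "from Untrust; narrow it to the ports actually forwarded"))
    if re.search(r"^set fail-mode permit$", config_text, re.M):
        findings.append(("LOW", "url filtering fail-mode permit: filtering is silently "
                                "bypassed whenever the category server is unreachable"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'HIGH': 5, 'MEDIUM': 6, 'LOW': 1}."""
    return dict(Counter(sev for sev, _ in findings))


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    print(severity_counts(audit(SAMPLE_CONFIG)))
```

Run it against the output of `get config` saved to a file; the sample reproduces the exposure the comment above describes, and adding a `set admin manager-ip` line removes the corresponding finding.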
 

Author Comment

by:binumhaneef
ID: 24288710
See Mr. Sangamc, our router configuration is really rudimentary, as you said. I accept whatever it may be. But I was forced to configure port forwarding in Juniper urgently from our GM's side. I tried your configuration and I made the custom port and RDP port. But it didn't work. So I just removed the custom port and RDP port from the router and configured only the HTTP port. The first time it was not working; I just upgraded to SP3, then it started to connect. As you said, I'm a beginner and you are very expert, but what I realized through this config is that without configuring the custom port and RDP port it was working smoothly. So could you tell me how it has been working without configuring these things?

I don't want any award points or anything. Why should I be a paid member? Only to get the proper answer for my doubts, just to clarify my doubts, right? Anyway, leave the chapter.
0
