## Last changed: 2011-04-11 21:52:33 UTC
version 11.1R1.10;
system {
    /* Root password is stored as an MD5-crypt ($1$) hash. Because this
       configuration has been published, treat the root credential as exposed
       and rotate it; see also "root-login allow" under ssh below. */
    root-authentication {
        encrypted-password "$1$ix.oL0lr$w9piTOZLQQIuLLafEW0Ql0"; ## SECRET-DATA
    }
    /* Op script invoked by the event-options policies gw-down/gw-up further
       down to disable/enable fe-0/0/6.0. The script body is not part of
       this file. */
    scripts {
        op {
            file toggle-interface.slax;
        }
    }
    services {
        /* SSH is also a host-inbound service on fe-0/0/6.0 and fe-0/0/7.0
           (zones ISP1/ISP2) and port 22 is destination-NATed from both ISP
           addresses to lo0, so root login over SSH is reachable from the
           untrusted side with only the password hash above protecting it.
           Prefer "root-login deny" with a named admin user and key-based
           authentication, and limit the source addresses that may reach 22. */
        ssh {
            root-login allow;
            protocol-version v2;
        }
        /* Plaintext HTTP management on every interface; "http" is also listed
           under host-inbound-traffic for both ISP interfaces. Prefer https
           bound to the LAN interface only. */
        web-management {
            http {
                interface all;
            }
        }
        /* DHCP server for the LAN (3.3.3.0/24 on ge-0/0/0.0). 8.8.8.8 is
           handed out as a resolver here but is also used below as an IKE peer
           address with a static route via lo0 -- presumably lab placeholder
           addresses; confirm before reuse. propagate-settings expects
           ge-0/0/0.0 to be a DHCP client, yet it is statically addressed in
           this file -- verify this is intended. */
        dhcp {
            pool 3.3.3.0/24 {
                address-range low 3.3.3.100 high 3.3.3.120;
                maximum-lease-time 21600;
                default-lease-time 21600;
                name-server {
                    192.168.0.4;
                    8.8.8.8;
                }
                router {
                    3.3.3.3;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
    }
    /* Two local log files, both "any any" (every facility, every severity).
       "traffic" additionally keeps only RT_FLOW_SESSION, the session records
       produced by the "log session-init/session-close" statements in the
       security policies below. Retention is 5 x 5 MB per file; forward to a
       remote collector if these records are needed for detection. */
    syslog {
        file traffic {
            any any;
            match RT_FLOW_SESSION;
            archive size 5m files 5;
        }
        file everything {
            any any;
            archive size 5m files 5;
        }                               
    }
}
interfaces {
    /* 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 and 4.4.4.0/24 are publicly routable
       ranges used here apparently as placeholders -- TODO confirm before
       deploying. */
    /* LAN side: default gateway 3.3.3.3 for the DHCP pool in the system
       stanza; placed in security zone LAN. */
    ge-0/0/0 {
        unit 0 {
            description LAN;
            family inet {
                address 3.3.3.3/24;
            }
        }
    }
    /* DMZ side: placed in security zone DMZ. No security policy in this file
       references the DMZ zone, so with the SRX default policy (deny) DMZ
       hosts cannot traverse the firewall -- confirm this is intended. */
    ge-0/0/1 {
        unit 0 {
            description DMZ;
            family inet {
                address 4.4.4.4/24;
            }
        }
    }
    /* ISP1 uplink: lives in routing-instance ISP1, is the external-interface
       of IKE gateway srx100, and is the interface that the gw-down/gw-up
       event policies disable and re-enable. */
    fe-0/0/6 {
        unit 0 {
            description ISP1;
            family inet {               
                address 1.1.1.1/24;
            }
        }
    }
    /* ISP2 uplink: lives in routing-instance ISP2 and is the
       external-interface of IKE gateway srx100-backup. */
    fe-0/0/7 {
        unit 0 {
            description ISP2;
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    /* Loopback: RPM probe source, destination-NAT target for management SSH
       (pool management-ssh), and next-hop of the static routes to the IKE
       peer addresses in routing-options. */
    lo0 {
        unit 0 {
            family inet {
                address 172.16.172.172/32;
            }
        }
    }
    /* Route-based VPN tunnel interfaces: st0.0 is bound to vpn tp-srx100,
       st0.1 to vpn to-srx100-backup. Both are members of security zone LAN
       with all host-inbound services open (see zones). */
    st0 {
        unit 0 {
            description srx-vpn;
            family inet;                
        }
        unit 1 {
            family inet;
        }
    }
}
event-options {
    /* Failover: on a ping_probe_failed event from RPM probe def-gw/test
       def-gw-ping, clear all IKE and IPsec SAs (this also drops the backup
       tunnel, which then has to re-establish) and disable fe-0/0/6.0 via the
       op script. "within 15 / trigger on 1" fires on the FIRST failed probe;
       with probe-interval 15 a single lost ICMP reply to 1.1.1.254 triggers
       the whole failover. Consider triggering on the test-level failure
       event or a higher trigger count to ride out transient loss. */
    policy gw-down {
        events ping_probe_failed;
        within 15 {
            trigger on 1;
        }
        attributes-match {
            ping_probe_failed.test-owner matches "^def-gw$";
            ping_probe_failed.test-name matches "^def-gw-ping$";
        }
        then {
            execute-commands {
                commands {
                    "clear security ipsec security-associations";
                    "clear security ike security-associations";
                }
            }                           
            event-script toggle-interface.slax {
                arguments {
                    silent 0;
                    interface fe-0/0/6.0;
                    new_intf_state disable;
                }
            }
        }
    }
    /* Failback: on PING_TEST_COMPLETED, clear SAs and re-enable fe-0/0/6.0.
       NOTE(review): as far as I recall this event is raised at the end of
       every test (every test-interval, 60 s) whether or not probes failed;
       if so, this policy clears both tunnels' SAs and re-enables the
       interface once a minute while ISP1 is still down -- verify the event
       semantics on this release before relying on it. The "events" names are
       written in mixed case across the two policies; harmless if event IDs
       are matched case-insensitively, but worth making consistent. */
    policy gw-up {
        events PING_TEST_COMPLETED;
        within 15 {
            trigger on 1;
        }
        attributes-match {
            ping_test_completed.test-owner matches "^def-gw$";
            ping_test_completed.test-name matches "^def-gw-ping$";
        }
        then {
            execute-commands {
                commands {
                    "clear security ipsec security-associations";
                    "clear security ike security-associations";
                }
            }
            event-script toggle-interface.slax {
                arguments {
                    silent 0;
                    interface fe-0/0/6.0;
                    new_intf_state enable;
                }
            }
        }
    }
    /* Registers the op script so the policies above may call it. */
    event-script {
        file toggle-interface.slax;
    }
}
routing-options {
    /* Direct (interface) routes of inet.0 are shared into the tables listed in
       rib-group "inside"; ISP1 and ISP2 do the same with their own interface
       routes, so every table sees all four interfaces' connected routes. */
    interface-routes {
        rib-group inet inside;
    }
    static {
        /* Default route from the main table is resolved in ISP1's table,
           whose own default has 1.1.1.254 as primary and 2.2.2.254 as the
           preference-10 backup (see routing-instances). */
        route 0.0.0.0/0 next-table ISP1.inet.0;
        /* Host routes to the two IKE peer addresses with the router's OWN lo0
           address as next-hop. A static route whose next-hop is a local
           address is normally not installable -- presumably a lab placeholder;
           verify what these are meant to do. */
        route 8.8.8.8/32 next-hop 172.16.172.172;
        route 9.9.9.9/32 next-hop 172.16.172.172;
    }
    rib-groups {
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 ISP1.inet.0 ISP2.inet.0 ];
        }
    }
}
security {
    ike {
        /* Debug-level tracing of ALL IKE activity to a local file. This is a
           troubleshooting setting: it costs CPU and the trace may contain
           sensitive negotiation detail. Remove once the VPN is stable. */
        traceoptions {
            file iked_debug size 5m files 5;
            flag all;
        }
        /* IKE phase 1: pre-shared key, DH group2 (1024-bit MODP), SHA-1,
           3DES-CBC. Common when this was written (2011) but weak by current
           guidance -- move to group14 or higher, AES, and SHA-256 when the
           peer supports them. */
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* The $9$ encoding is Junos' reversible obfuscation, not a one-way
           hash: anyone holding this text can recover the PSK. Since the file
           has been published, rotate the key on both peers. */
        policy inner-srx {
            mode main;
            proposals pre-g2-3des-sha;  
            pre-shared-key ascii-text "$9$fT6Ap0IRcyvWs4oajiBIESrv"; ## SECRET-DATA
        }
        /* Primary gateway via ISP1. DPD every 10 s, threshold 5 (~50 s to
           declare the peer dead). When gw-down disables fe-0/0/6.0 this
           gateway loses its external-interface and srx100-backup takes over. */
        gateway srx100 {
            ike-policy inner-srx;
            address [ 8.8.8.8 9.9.9.9 ];
            dead-peer-detection {
                always-send;
                interval 10;
                threshold 5;
            }
            external-interface fe-0/0/6.0;
        }
        /* Backup gateway via ISP2: same peers in reverse order, same DPD. */
        gateway srx100-backup {
            ike-policy inner-srx;
            address [ 9.9.9.9 8.8.8.8 ];
            dead-peer-detection {
                always-send;
                interval 10;
                threshold 5;
            }
            external-interface fe-0/0/7.0;
        }                               
    }
    ipsec {
        /* Same remark as the IKE traceoptions above: debug-only, remove in
           production. */
        traceoptions {
            flag all;
        }
        /* IKE phase 2: ESP with HMAC-SHA1-96 and 3DES-CBC, 1 h lifetime.
           3DES and SHA-1 are the weak links; prefer AES-GCM or AES-CBC with
           SHA-256. */
        proposal g2-esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        /* PFS with group2; see the proposal note above about group strength. */
        policy g2-esp-3des-sha {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals g2-esp-3des-sha;
        }
        /* Primary tunnel on st0.0. The name "tp-srx100" looks like a typo for
           "to-srx100" (compare the backup VPN); cosmetic only, and renaming is
           a configuration change rather than a comment. */
        vpn tp-srx100 {
            bind-interface st0.0;
            ike {
                gateway srx100;
                ipsec-policy g2-esp-3des-sha;
            }                           
            establish-tunnels immediately;
        }
        /* Backup tunnel on st0.1, brought up immediately as well. */
        vpn to-srx100-backup {
            bind-interface st0.1;
            ike {
                gateway srx100-backup;
                ipsec-policy g2-esp-3des-sha;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        /* Interface-based source NAT for everything leaving the default
           instance towards either ISP instance. */
        source {
            rule-set interface_nat_out {
                from routing-instance default;
                to routing-instance [ ISP1 ISP2 ];
                rule interface_nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {    
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool management-ssh {
                address 172.16.172.172/32 port 22;
            }
            /* Defined but never referenced by any destination-NAT rule in
               this file -- dead configuration. Remove it, or add the rule
               deliberately (exposing HTTP management is not advisable). */
            pool management-http {
                address 172.16.172.172/32 port 80;
            }
            /* Port 22 on the ISP1 address is forwarded from ANY source to lo0.
               Combined with "ssh" in host-inbound-traffic for the ISP zones
               and root-login allow, this exposes device management to the
               whole Internet. Restrict source-address to known management
               prefixes (or drop the rule and manage over the VPN/LAN). */
            rule-set management-ISP1 {
                from routing-instance ISP1;
                rule management-ISP1-ssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.1/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool management-ssh;
                    }
                }
            }
            /* Same exposure via the ISP2 address; same recommendation. */
            rule-set management-ISP2 {
                from routing-instance ISP2;
                rule management-ISP2-ssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.2/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool management-ssh;
                    }
                }
            }
        }
    }
    policies {
        /* Outbound LAN -> ISP1: permit everything, log session start and end
           (these records are what syslog file "traffic" captures). */
        from-zone LAN to-zone ISP1 {
            policy allow_all_isp1 {
                match {
                    source-address any; 
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* Outbound LAN -> ISP2: same as above. */
        from-zone LAN to-zone ISP2 {
            policy allow_all_isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* INBOUND ISP1 -> LAN permits any source, any destination, any
           application. This makes the untrusted zone fully open into LAN
           (which also contains lo0.0 and both VPN tunnel interfaces). The
           only inbound flows this file needs are the port-22 destination NAT
           to lo0; restrict the policy to those, and rely on the default deny
           for the rest. Same applies to the ISP2 -> LAN policy below. */
        from-zone ISP1 to-zone LAN {
            policy allow_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* INBOUND ISP2 -> LAN: see the ISP1 -> LAN note. */
        from-zone ISP2 to-zone LAN {
            policy allow_all {          
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* Intra-zone LAN: because st0.0/st0.1 are in zone LAN, this also
           permits all traffic between the remote VPN site and the local LAN
           in both directions. Narrow it if the VPN peer is less trusted. */
        from-zone LAN to-zone LAN {
            policy intrazone {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;             
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone LAN {
            interfaces {
                /* LAN-facing management and services. "dhcp" is required for
                   the DHCP server configured under system services. */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            https;
                            traceroute;
                            ike;
                            dhcp;
                        }
                    }
                }                       
                /* lo0.0 is the destination-NAT target for management SSH, so
                   "ssh" here is what makes the NATed sessions terminate. */
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ike;
                        }
                    }
                }
                /* "all" opens every host-inbound service to the VPN peer.
                   Narrow to what the peer actually needs (ping is usually
                   enough; add ssh only if in-band management over the tunnel
                   is intended). Same for st0.1. */
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }                           
        }
        /* DMZ: only diagnostics towards the device itself; see the
           interfaces stanza about the missing DMZ policies. */
        security-zone DMZ {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            traceroute;
                            ping;
                        }
                    }
                }
            }
        }
        /* Internet-facing zone. "ike" is required for the VPN; ssh, https and
           http expose device management (including plaintext HTTP) to the
           whole Internet on 1.1.1.1. Remove them, or front them with a
           firewall filter limited to management sources. */
        security-zone ISP1 {
            interfaces {
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            traceroute;
                            ping;
                            ssh;
                            https;      
                            http;
                        }
                    }
                }
            }
        }
        /* Same exposure on the ISP2 address; same recommendation. */
        security-zone ISP2 {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ike;
                            traceroute;
                            ssh;
                            http;
                        }
                    }
                }
            }
        }
    }                                   
}
firewall {
    /* Filter-based forwarding: packets addressed to the ISP1 prefix are
       looked up in TRUST-VRF (whose table receives interface routes through
       rib-group "inside"); everything else is accepted normally.
       NOTE(review): neither isp1-in nor isp2-in is applied to any interface
       in this file (no "filter input ..." under fe-0/0/6.0 or fe-0/0/7.0),
       so as written they have no effect -- presumably meant as input filters
       on the ISP interfaces; verify. */
    filter isp1-in {
        term 1 {
            from {
                destination-address {
                    1.1.1.0/24;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then accept;
        }
    }
    /* Same for the ISP2 prefix; see the note on isp1-in. */
    filter isp2-in {
        term 1 {
            from {
                destination-address {
                    2.2.2.0/24;
                }                       
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then accept;
        }
    }
}
routing-instances {
    /* ISP1 virtual router holding the ISP1 uplink. Its default route prefers
       1.1.1.254 (static default preference) and falls back to 2.2.2.254 at
       preference 10; the connected route to 2.2.2.0/24 is visible here only
       because ISP2's interface routes are imported via rib-group "inside",
       which is what lets the backup next-hop resolve. */
    ISP1 {
        instance-type virtual-router;
        interface fe-0/0/6.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 1.1.1.254;
                    qualified-next-hop 2.2.2.254 {
                        preference 10;  
                    }
                }
            }
        }
    }
    /* ISP2 virtual router: mirror image of ISP1 with 2.2.2.254 primary and
       1.1.1.254 as the preference-10 backup. */
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.254;
                    qualified-next-hop 1.1.1.254 {
                        preference 10;
                    }
                }
            }
        }
    }
    /* Forwarding instance targeted by the isp1-in/isp2-in filters. It has no
       routes of its own; its table is populated only by the interface routes
       imported through rib-group "inside". */
    TRUST-VRF {                         
        instance-type forwarding;
    }
}
services {
    /* RPM probe that drives the ISP1 failover: ICMP ping to the ISP1 gateway
       1.1.1.254, 5 probes 15 s apart, a new test every 60 s, sourced from
       lo0. "traps test-completion" is what generates the ping_probe_failed /
       PING_TEST_COMPLETED events matched by the event-options policies
       (test-owner "def-gw", test-name "def-gw-ping").
       NOTE(review): no routing-instance is given, so the probe is sent from
       the default instance and follows its default route into ISP1.inet.0;
       once gw-down has disabled fe-0/0/6.0 that route falls back to
       2.2.2.254, so recovery depends on 1.1.1.254 being reachable through
       ISP2 -- verify this is the intended failback path. */
    rpm {
        probe def-gw {
            test def-gw-ping {
                probe-type icmp-ping;
                target address 1.1.1.254;
                probe-count 5;
                probe-interval 15;
                test-interval 60;
                source-address 172.16.172.172;
                traps test-completion;
            }
        }
    }
}

