Monday, December 17, 2012

Upgrading a Juniper SRX Cluster

Upgrading a standalone branch SRX is a simple process. The steps get a little more involved when you need to upgrade a chassis cluster. The steps below have been tested on an SRX 240 cluster running Junos 11.4R5.5. Node 0 is the primary node, and Node 1 is the secondary node. Note that both nodes reboot at the end of this procedure, so schedule an outage window.
  1. Ensure that the system time is synchronized between the two nodes, as a clock mismatch has been known to cause issues during the upgrade. In a cluster the command reports both nodes, so compare the Current time line for node0 and node1:
    1. node0> show system uptime
  2. If the time is off, set it for both nodes using one of the following methods (the first sets the clock by hand in YYYYMMDDhhmm.ss form, the second syncs it once from an NTP server the SRX can resolve and reach):
    1. node0> set date 201210172200.00
    2. node0> set date ntp 0.north-america.pool.ntp.org
  3. From configuration mode on the primary node, create a temporary account and enable FTP so you can upload the package:
    1. node0# set system services ftp
    2. node0# set system login user ftp-user class super-user uid 2001 authentication plain-text-password
      1. enter a password twice as prompted
    3. node0# commit
  4. Using your favorite FTP program, connect to the IP of your trust interface and log in with the credentials of the user you just created. Keep in mind that FTP sends that password in the clear and the account is a super-user: if SSH is already enabled on the box, scp to /var/tmp over SSH does the same job without opening FTP or creating the account at all. Either way, delete the account and disable FTP once the package is on the box (see the end of this post).
  5. Copy the Junos software package you downloaded from the Juniper site to /var/tmp, then compare its checksum with the one published on the download page before installing it (node0> file checksum md5 /var/tmp/junos-srxsme-11.4R5.5-domestic.tgz).
  6. From the primary node, copy the package to the secondary node over the cluster link, then log in to node 1 and install it there:
    1. node0> file copy /var/tmp/junos-srxsme-11.4R5.5-domestic.tgz node1:/var/tmp/
    2. node0> request routing-engine login node 1
    3. Check that the copy completed successfully; the package should be listed:
      1. node1> file list /var/tmp/
    4. node1> request system software add /var/tmp/junos-srxsme-11.4R5.5-domestic.tgz no-copy no-validate unlink
  7. Open a separate terminal window, SSH once again to the primary node, and issue the same command we issued on node 1:
    1. node0> request system software add /var/tmp/junos-srxsme-11.4R5.5-domestic.tgz no-copy no-validate unlink
  8. You should now have two terminal windows open, one monitoring the node0 package installation and the other monitoring the node1 installation. Once both complete, each SRX reports that a reboot is required. (no-validate skips the check of your current configuration against the new release, so read the release notes for 11.4R5.5 before you get here; unlink removes the package file after installation to free up flash.)
  9. Issue a reboot from node1:
    1. node1> request system reboot
  10. Issue a reboot from node0:
    1. node0> request system reboot
Juniper recommends rebooting both nodes at the same time. I just type the command in each window, hit enter in the node1 window, then alt-tab to node0 and do the same. I always disable FTP after I'm done using it (delete system services ftp, delete system login user ftp-user, commit), but you can do what you want. Enjoy!
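The two things this procedure tells you to check by eye, that the node clocks agree and that the package you are about to install with no-validate is the one Juniper published, are easy to automate. The script below is an added example, not part of the original post or any Juniper tooling: it parses the two-node output of show system uptime (the sample text is constructed to match the CLI's layout, with made-up timestamps) and compares the package's SHA-256 against the published value (the package bytes and checksum are stand-ins). Paste in the real output and checksum and it tells you whether to proceed.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample of "show system uptime" from a two-node SRX chassis
# cluster. The layout follows what the CLI prints (one section per node);
# the timestamps are made up so that the nodes disagree by a few minutes.
SAMPLE_UPTIME = """\
node0:
--------------------------------------------------------------------------
Current time: 2012-10-17 22:00:05 PDT
System booted: 2012-09-01 08:12:40 PDT (6w4d 13:47 ago)
Protocols started: 2012-09-01 08:13:02 PDT (6w4d 13:47 ago)

node1:
--------------------------------------------------------------------------
Current time: 2012-10-17 22:03:41 PDT
System booted: 2012-09-01 08:12:55 PDT (6w4d 13:47 ago)
Protocols started: 2012-09-01 08:13:20 PDT (6w4d 13:47 ago)
"""

# Stand-in for the downloaded .tgz and for the checksum you would copy from
# the Juniper download page (both constructed for this example).
FAKE_PACKAGE = b"junos-srxsme-11.4R5.5-domestic.tgz stand-in bytes\n"
FAKE_PACKAGE_SHA256 = hashlib.sha256(FAKE_PACKAGE).hexdigest()

NODE_RE = re.compile(r"^(node\d+):$")
TIME_RE = re.compile(r"^Current time:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_node_clocks(uptime_output):
    """Map each node name to the datetime on its 'Current time' line."""
    clocks, node = {}, None
    for raw in uptime_output.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            continue
        m = TIME_RE.match(line)
        if m and node:
            clocks[node] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return clocks


def clock_skew_seconds(clocks):
    """Largest gap between any two node clocks, in whole seconds."""
    if len(clocks) < 2:
        raise ValueError("need at least two nodes to compare")
    times = clocks.values()
    return int((max(times) - min(times)).total_seconds())


def package_checksum_ok(package_bytes, expected_sha256):
    """True when the package hashes to the value published for it."""
    return hashlib.sha256(package_bytes).hexdigest() == expected_sha256.strip().lower()


def preflight(uptime_output, package_bytes, expected_sha256, max_skew=5):
    """Collect blocking problems; an empty list means it is safe to proceed."""
    problems = []
    clocks = parse_node_clocks(uptime_output)
    if len(clocks) < 2:
        problems.append("could not find both nodes in 'show system uptime' output")
    else:
        skew = clock_skew_seconds(clocks)
        if skew > max_skew:
            problems.append(f"clock skew of {skew} s between nodes exceeds {max_skew} s; "
                            "run 'set date ntp <server>' on the primary first")
    if not package_checksum_ok(package_bytes, expected_sha256):
        problems.append("package checksum does not match the published value; re-download it")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_UPTIME, FAKE_PACKAGE, FAKE_PACKAGE_SHA256):
        print("BLOCK:", problem)
```

With the sample above the only finding is the 216 second clock skew; the 5 second tolerance is an assumption, pick whatever your environment tolerates.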

Wednesday, October 3, 2012

Complete Aruba Networks Access Point Configuration


In my experience, configuring some parameters via the Aruba Networks GUI is a bit of a pain, and doing certain parts of the deployment via the CLI is a lot faster. Below is an example of such a deployment, for a multi-site, retail-type environment. Rather than deploying wireless controllers at each site, I deployed all APs as remote APs (RAPs) in bridge mode behind Juniper Networks SRX Series firewalls. This leverages Aruba Networks' Remote AP technology: the configuration is stored in the AP's flash, so there is no need for a controller at each site, which keeps hardware costs as low as possible, and the APs do not need to stay connected to the controller to keep serving wireless users. Traffic is switched locally at the branch rather than tunneled back to the controller and then out to the Internet.

NOTE: I am not going to review configuration details for the SRX side of the deployment. You can find that information here. Please also note that these steps have been validated on ArubaOS 5. I imagine it will work for newer builds, but don't quote me on that.

When working with ArubaOS, it is important to go from most granular to least granular. Here is the general method I follow (which varies based on use case):

  1. Define services
  2. Apply services to access lists
  3. Apply access lists to user roles
  4. Define ap system profile, aaa profiles, wlan ssid profiles
  5. Apply user roles to aaa profiles
  6. Define wlan virtual ap and apply aaa profiles, wlan ssid profiles
  7. Define ap groups and apply wlan virtual ap and ap system profile
I know it seems confusing, but after doing it a couple of times and following this method you will save a ton of time. Here it is explained:

Define the services that you would like to use.

netservice svc-http tcp 80
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-dns udp 53 alg dns
netservice svc-mgcp-5004 udp 5004
netservice svc-rtp-udp udp 3000 3005
netservice svc-mgcp-2427 udp 2427
netservice svc-mgcp-2727 udp 2727
netservice svc-sip-udp udp 5060
netservice svc-mgcp-5440-5446 udp 5440 5446
netservice svc-ftp tcp 21 alg ftp
netservice svc-ntp udp 123

Define the access control lists that you would like to use.

ip access-list session dns-acl                  
  any any svc-dns permit
!
ip access-list session http-acl
  any any svc-http permit
!
ip access-list session dhcp-acl
  any any svc-dhcp permit
!

These ACLs are basically stating that from any network to any network, allow DNS/DHCP/HTTP traffic. The same format applies to the rest of the ACLs below.

ip access-list session allowall
  any any any permit 
!
ip access-list session srcnat
  any any any route src-nat
  user any any src-nat
!

The srcnat ACL is important when deploying APs as Remote APs in Bridge Mode. You will see why shortly.

Create user roles and apply access control lists to them.

user-role test-corporate-role
 session-acl allowall
 session-acl srcnat
!
user-role test-guest-role
 session-acl dhcp-acl
 session-acl srcnat
!

One role applies to guest users and the other to corporate users. Even though traffic is switched locally and filtered by the Juniper SRX Series firewall, the ACLs applied to a user role still allow or deny traffic: in this deployment the role and its ACLs live in the AP's flash, and the AP enforces them itself before anything reaches the SRX. Putting the allowall ACL first in the corporate role tells the AP to pass everything and leave the filtering to the SRX. The srcnat ACL catches whatever the earlier ACLs did not match and routes it out the AP's local uplink source-NATed (route src-nat); for the guest role that is everything except DHCP. There is always an implicit deny at the end of every Aruba Networks firewall policy, so anything no ACL matches is dropped.

Create aaa profiles and apply roles to them.

aaa profile "test-corporate-profile"
   initial-role "test-corporate-role"
   authentication-dot1x "default"
   dot1x-default-role "test-corporate-role"
!
aaa profile "test-guest-profile"
   initial-role "test-guest-role"
   authentication-dot1x "default"
   dot1x-default-role "test-guest-role"
!

Create an ap system profile.

ap system-profile "test-ap-profile"
   native-vlan-id 6
!

Based on this example and the integration with the Juniper SRX Series firewall, the native VLAN ID is the VLAN that both the AP and the corporate wireless users reside on (192.168.6.0/24). You have to set this when the AP is plugged into a trunked interface. You can find additional information on the SRX configuration here.

Create WLAN SSID Profiles.

wlan ssid-profile "test-corporate-ssid"
   essid "corporate"
   wpa-passphrase test123
   opmode wpa2-psk-aes
!
wlan ssid-profile "test-guest-ssid"
   essid "guest"
   wpa-passphrase test123
   opmode wpa2-psk-aes
!

In this example, both SSIDs are configured for WPA2-PSK with AES-CCMP. The passphrase test123 is a placeholder: use a long passphrase, and never share one between the corporate and guest SSIDs, since the PSK is all that separates the two roles here. Remember that the controller can display PSKs in the clear from its running configuration, so treat the config itself as sensitive.

Create WLAN Virtual AP Profiles, and apply the AAA and SSID Profiles.

wlan virtual-ap "test-corporate-vap"
   aaa-profile "test-corporate-profile"
   ssid-profile "test-corporate-ssid"
   vlan 6
   forward-mode bridge
   rap-operation always
!
wlan virtual-ap "test-guest-vap"
   aaa-profile "test-guest-profile"
   ssid-profile "test-guest-ssid"
   vlan 7
   forward-mode bridge
   rap-operation always
!

The wlan virtual-ap profile is exactly what it describes, a "virtual" access point. By creating multiple virtual APs, you can have multiple SSIDs exist on one physical access point. Please also note that these VLANs only reside at the branch network and not where the controller lives, thus it is not necessary to add these VLANs to the controller itself.

Create an AP Group, and apply the Virtual AP Profiles.

ap-group "test-ap-group"
   virtual-ap "test-corporate-vap"
   virtual-ap "test-guest-vap"
   ap-system-profile "test-ap-profile"
!

Provision the AP. Replace 00:00:00:00:00:00 with the AP's MAC address, 1.1.1.1 with your DNS server and aruba-master with the name the AP resolves to reach the controller; the ap-group must already exist.

provision-ap copy-provisioning-params ap-name 00:00:00:00:00:00
provision-ap installation default
provision-ap dns-server-ip 1.1.1.1
provision-ap domain-name test.local
provision-ap no external-antenna
provision-ap server-name aruba-master
provision-ap ap-group "test-ap-group"
provision-ap ap-name "Test_AP"
provision-ap no syslocation
provision-ap mesh-role none
provision-ap no fqln
provision-ap reprovision ap-name 00:00:00:00:00:00


Thursday, August 16, 2012

ShoreTel Reverse Proxy for Mobile Communicator

I recently ran into an issue when attempting to create a reverse proxy between the ShoreTel HQ server and the outside world. I thought I would share the steps I took to get this working.

Scenario: You have purchased the Mobile Access License, which allows ShoreTel Mobile Communicator on a smart phone to connect over the 3G/4G network. For mobile access to work, ports 80, 5447 and 5449 on the HQ server need to be reachable for authentication and traffic. Exposing your ShoreTel server on port 80 to the outside world is never recommended, so the better approach is a reverse proxy that listens on a single external port and forwards only the three URL prefixes the client uses to those three ports. The protection comes from the proxy forwarding nothing but those paths and the HQ server never being directly reachable; the non-standard port only cuts down on scanner noise.

Before you continue reading, download and read through the official ShoreTel Application Note#10370 found here.

Please use the steps in the application note to get everything set up. I followed this guide myself, but because the document is outdated I had to make the following changes to get this working.
  • Do not use port 5500 as specified in the application note. As of ShoreTel 12, port 5500 is in use by DTAS. Not sure why this would affect this scenario, but it did. Use any other unused port, 5505 for example.
  • Change the web.config file to the following (the three rewrite rules are the relevant part; each forwards one URL prefix to the matching port on the HQ server):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ShoreTel Authenticate Redirect" stopProcessing="true">
          <match url="^authenticate(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:80{R:1}" logRewrittenUrl="true" />
        </rule>
        <rule name="ShoreTel CAS Redirect" stopProcessing="true">
          <match url="^cas(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:5447{R:1}" logRewrittenUrl="true" />
        </rule>
        <rule name="ShoreTel Director2 Redirect" stopProcessing="true">
          <match url="^director2(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:5449{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
      <outboundRules>
        <preConditions>
          <preCondition name="IsHTML">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <urlCompression doStaticCompression="false" doDynamicCompression="false" />
  </system.webServer>
</configuration>
  • Restart IIS
This is all I did to get it working. All it took was a little google fu and a packet capture.
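To see exactly what those three rules let through, here is an added example (mine, not from the application note or the original post) that replays the rule set the way IIS URL Rewrite evaluates it: first matching rule wins, case-insensitive, pattern applied to the path without its leading slash. It also shows the one rough edge in the patterns as written: ^cas(.*) matches any path that merely starts with "cas", so a request for casserole is forwarded to port 5447 as a mangled URL. The strict variants anchor each prefix to a whole path segment; shoretelhq.internal.name is the placeholder host name from the web.config above.

```python
import re

HQ = "http://shoretelhq.internal.name"   # placeholder host name from the web.config above

# The three rules from web.config, in order. IIS URL Rewrite matches the pattern
# against the request path without its leading slash (the query string is appended
# to the result separately and is not modelled here) and, because each rule has
# stopProcessing="true", the first match wins.
LOOSE_RULES = [
    ("ShoreTel Authenticate Redirect", r"^authenticate(.*)", f"{HQ}:80"),
    ("ShoreTel CAS Redirect",          r"^cas(.*)",          f"{HQ}:5447"),
    ("ShoreTel Director2 Redirect",    r"^director2(.*)",    f"{HQ}:5449"),
]

# Tightened variants (my suggestion, not from the application note): the prefix
# has to be a whole path segment, so "casserole" no longer reaches the CAS port.
STRICT_RULES = [(name, pattern.replace("(.*)", "(/.*)?$"), target)
                for name, pattern, target in LOOSE_RULES]


def apply_rules(rules, path):
    """Return (rule name, rewritten URL) for the first rule matching path, else None."""
    for name, pattern, target in rules:
        m = re.match(pattern, path, re.IGNORECASE)   # ignoreCase="true" is the IIS default
        if m:
            return name, target + (m.group(1) or "")
    return None   # nothing matched: IIS serves the request itself, nothing is proxied


def rewrite_loose(path):
    """Evaluate the rules exactly as they appear in the web.config above."""
    return apply_rules(LOOSE_RULES, path)


def rewrite_strict(path):
    """Evaluate the segment-anchored variants."""
    return apply_rules(STRICT_RULES, path)


if __name__ == "__main__":
    for p in ("authenticate/login", "cas/token", "casserole", "admin/"):
        print(f"{p:20} loose={rewrite_loose(p)} strict={rewrite_strict(p)}")
```

If you adopt the strict form, the web.config patterns become ^authenticate(/.*)?$ and so on, with {R:1} still carrying the remainder of the path.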

Saturday, July 28, 2012

Adding SIP Extensions to ShoreTel

Recently I had an installation in which we needed to add multiple Polycom SoundPoint 501 phones to the ShoreTel Phone System. Since the guides that explain how to add SIP extensions are outdated and the process is completely manual, I thought I would share how we automated the process of adding these phones, making it almost as easy as adding ShorePhones to the system.

It is important to note that you need to ensure that you have the proper licensing. Also, please download and read the manual process of adding SIP extensions prior to attempting this automated process. Your partner of record will be able to provide you with multiple documents if you do not have access to the ShoreTel Knowledge Base.
  1. The first thing you need to do is download and run some type of TFTP server program. We did it on the ShoreWare Server just to keep things simple.
  2. Go to Polycom's site and download the version of SIP that it specifies to use in the ShoreTel KB for your phone model.
  3. Place the downloaded files into the root directory of your TFTP server.
  4. You don't really need to worry about anything that's in there other than the file titled, "000000000000.cfg." This file is the first file that the phone looks to in order to pull configuration information.
  5. Edit the "000000000000.cfg" and add "[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg" to the config files string for your specific SoundPoint model. You will see I added it to all models in the attached template.
  6. Create two files called "CUSTOM_phone1.cfg" and "CUSTOM_sip.cfg", and add the information as specified in the template files below. These files tell the phones how to connect to ShoreTel so you don't have to log into the GUI of each phone and enter parameters by hand.
  7. Create one file for each of your SIP phones, with the phone's MAC address in the file name. So, if your phone's MAC address is 00:04:F2:AA:BB:CC, create a file called "0004f2aabbcc-user.cfg" (lower-case hex, no separators) and add the information as shown in the "enterphonemac-user.cfg" example below. This file specifies the extension number and SIP password as configured on the Users->Individual Users page of ShoreWare Director. Note that the SIP password sits in this file in clear text and TFTP has no authentication, so anyone who can reach the TFTP server and guess a phone's MAC (vendor MAC prefixes are public) can pull its credentials: keep the TFTP server reachable only from the voice VLAN and take the files down once the phones are provisioned.
  8. Optional step: Factory default the phone (Format File System, Reset Device Settings, and Reset Local Config).
  9. Enter the IP address of the TFTP server and any other necessary information (i.e. VLAN ID) on the phone. These can also be achieved via custom DHCP options. I am not going to go over this process because it is different depending on what you are using for your DHCP server.
  10. Reboot the phone and that’s that.
Here is a look at the files. In 000000000000.cfg the addition is the "[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg" prefix on each model's CONFIG_FILES list; the other three files are entirely ours:

000000000000.cfg with Custom String:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!-- Default Master SIP Configuration File-->
<!-- For information on configuring Polycom VoIP phones please refer to the -->
<!-- Configuration File Management white paper available from: -->
<!-- http://www.polycom.com/common/documents/whitepapers/configuration_file_management_on_soundpoint_ip_phones.pdf -->
<!-- $RCSfile$  $Revision: 125118 $ -->
<APPLICATION APP_FILE_PATH="sip.ld" CONFIG_FILES="phone1.cfg, sip.cfg" MISC_FILES="" LOG_FILE_DIRECTORY="logs" OVERRIDES_DIRECTORY="" CONTACTS_DIRECTORY="" LICENSE_DIRECTORY="">
  <APPLICATION_SPIP300 APP_FILE_PATH_SPIP300="sip_212.ld" CONFIG_FILES_SPIP300="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_212.cfg, sip_212.cfg" />
  <APPLICATION_SPIP301 APP_FILE_PATH_SPIP301="sip_318.ld" CONFIG_FILES_SPIP301="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_318.cfg, sip_318.cfg" />
  <APPLICATION_SPIP430 APP_FILE_PATH_SPIP430="sip_318.ld" CONFIG_FILES_SPIP430="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_318.cfg, sip_318.cfg" />
  <APPLICATION_SPIP500 APP_FILE_PATH_SPIP500="sip_212.ld" CONFIG_FILES_SPIP500="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_318.cfg, sip_212.cfg" />
  <APPLICATION_SPIP501 APP_FILE_PATH_SPIP501="sip_318.ld" CONFIG_FILES_SPIP501="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_318.cfg, sip_318.cfg" />
  <APPLICATION_SPIP600 APP_FILE_PATH_SPIP600="sip_318.ld" CONFIG_FILES_SPIP600="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_318.cfg, sip_318.cfg" />
  <APPLICATION_SPIP601 APP_FILE_PATH_SPIP601="sip_318.ld" CONFIG_FILES_SPIP601="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_318.cfg, sip_318.cfg" />
  <APPLICATION_SSIP4000 APP_FILE_PATH_SSIP4000="sip_318.ld" CONFIG_FILES_SSIP4000="[MACADDRESS]-user.cfg, CUSTOM_phone1.cfg, CUSTOM_sip.cfg, phone1_318.cfg, sip_318.cfg" />
</APPLICATION>

CUSTOM_phone1.cfg:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<phone1>
   <reg reg.1.server.2.transport="DNSnaptr" reg.1.server.1.transport="DNSnaptr" reg.1.type="private" reg.1.server.1.address="Virtual_IP_of_SIP_Proxy" reg.1.server.1.port="5060"  reg.1.server.1.expires="3600" reg.1.server.1.register="1" reg.1.server.1.retryTimeOut="0" reg.1.server.1.retryMaxCount="3" />
  <msg msg.bypassInstantMessage="0">
    <mwi msg.mwi.1.callBack="1102" msg.mwi.1.callBackMode="contact" msg.mwi.1.subscribe="1102" divert.dnd.1.contact="1101" divert.dnd.1.enabled="1" />
  </msg>
</phone1>

CUSTOM_sip.cfg:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!-- SIP Application Configuration File -->
<!-- $RCSfile$  $Revision: 100041 $ -->
<sip>
  <voIpProt>
    <server voIpProt.server.1.address="Virtual_IP_of_SIP_Proxy" voIpProt.server.1.port="5060" voIpProt.server.1.transport="DNSnaptr" voIpProt.server.1.expires="3600" voIpProt.server.1.register="1" voIpProt.server.1.retryTimeOut="0" voIpProt.server.1.retryMaxCount="3" voIpProt.server.1.expires.lineSeize="30" />
  </voIpProt>
  <TCP_IP>
    <SNTP tcpIpApp.sntp.resyncPeriod="86400" tcpIpApp.sntp.address="SNTP_Server" tcpIpApp.sntp.address.overrideDHCP="1" tcpIpApp.sntp.gmtOffset="-28800" tcpIpApp.sntp.gmtOffset.overrideDHCP="1" />
  </TCP_IP>
 </sip>

enterphonemac-user.cfg:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<phone1>
   <reg reg.1.label="enterextension" reg.1.auth.userId="enterextension" reg.1.auth.password="sip_password" reg.1.address="enterextension" reg.1.displayName="EnterUserName" />
</phone1>
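Step 7 above is the part that scales badly by hand and is easy to get wrong (a mis-typed MAC means the phone silently never finds its file, and a display name containing < or & breaks the XML). The generator below is an added example of mine, not the tooling the post used: it takes a roster of (MAC, extension, SIP password, display name), normalizes each MAC to the 12 lower-case hex digits the Polycom expects in the file name, renders a <mac>-user.cfg with the same attributes as the enterphonemac-user.cfg template, and writes them into the TFTP root. The roster entries are constructed for this example.

```python
import re
from pathlib import Path
from xml.sax.saxutils import quoteattr

# Constructed roster (MAC, extension, SIP password, display name). In practice
# these come from the Users -> Individual Users page in ShoreWare Director.
SAMPLE_ROSTER = [
    ("00:04:F2:12:34:56", "1201", "Kq7!pL2s-front", "Front Desk"),
    ("0004f2-65-43-21", "1202", "Vb9#xR4t-mgr", "Manager <Store 7>"),
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:04:F2:12:34:56, 00-04-f2-..., or bare hex; return 12 lowercase hex digits."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


def is_valid_mac(mac):
    """True when normalize_mac would accept the value."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def user_cfg_xml(extension, sip_password, display_name):
    """Render one <mac>-user.cfg with the attributes of the enterphonemac-user.cfg template."""
    attrs = [
        ("reg.1.label", extension),
        ("reg.1.auth.userId", extension),
        ("reg.1.auth.password", sip_password),
        ("reg.1.address", extension),
        ("reg.1.displayName", display_name),
    ]
    # quoteattr escapes <, >, & and quotes so a display name cannot break the XML
    attr_text = " ".join(f"{k}={quoteattr(v)}" for k, v in attrs)
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            "\n"
            "<phone1>\n"
            f"   <reg {attr_text} />\n"
            "</phone1>\n")


def render_roster(roster):
    """Return {filename: xml} for every phone; refuses duplicate MACs."""
    files = {}
    for mac, extension, sip_password, display_name in roster:
        name = f"{normalize_mac(mac)}-user.cfg"
        if name in files:
            raise ValueError(f"duplicate MAC in roster: {mac}")
        files[name] = user_cfg_xml(extension, sip_password, display_name)
    return files


def write_roster(roster, tftp_root):
    """Write the per-phone files into the TFTP root (they hold SIP passwords in clear text)."""
    root = Path(tftp_root)
    root.mkdir(parents=True, exist_ok=True)
    files = render_roster(roster)
    for name, xml in files.items():
        (root / name).write_text(xml, encoding="utf-8")
    return sorted(files)


if __name__ == "__main__":
    for name in write_roster(SAMPLE_ROSTER, "tftp-root"):
        print("wrote", name)
```

Because every generated file carries a SIP password, run this on the TFTP host itself rather than shipping the roster around, and delete the files once the phones have pulled them.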

Monday, June 11, 2012

How to View an Encrypted PSK on an Aruba Controller

I have run into an issue before when migrating configuration parameters from one Aruba Networks wireless controller to another. To view pre-shared keys unencrypted, enter the following commands while in enable mode. Keep in mind that the output now contains the keys in the clear, so do not leave it in terminal logs or paste it into tickets:

#encrypt disable
#show running-config

To re-enable encryption once finished, enter the following command while in enable mode:

#encrypt enable

Friday, June 8, 2012

vSphere Client won't connect to vCenter?

I have run into this issue with multiple customers running VMware vSphere 4+ on Microsoft SQL Server 2005 Express Edition. Rather than installing SQL Server Standard/Enterprise Edition, customers typically install SQL Server Express because it comes as an installable option with the vSphere .msi. Is this a good idea? NOPE. SQL Server 2005 Express has a 4 GB database size limit. This is a total pain, because one day, without warning, you will attempt to log into vCenter via your vSphere client only to be greeted by an error stating that the vSphere client is unable to connect to the vCenter server. Looking in services.msc will reveal that the VMware VirtualCenter Server service has stopped, and attempting to restart the service fails.

There are multiple ways to free up space. Obviously, the best thing to do would be to migrate to Microsoft SQL Server Standard or Enterprise Edition. However, if you are in a bind and just need to get back into vSphere, follow the steps below:

Check Database Size:

  • Login to the vCenter server.
  • Stop all vCenter services.
  • Launch Microsoft SQL Server Management Studio Express. You can download Management Studio if you do not have it.
  • Under Server Name select the SQL Server instance that hosts vCenter (the bundled Express instance is usually named <host>\SQLEXP_VIM). Chances are you are only using the server to host vCenter, so there may only be one instance to select.
  • Under Authentication you can select Windows Authentication and click connect. Assuming you are logged in as an administrator you should be able to connect without issue.
  • Click connect.
  • Before you do anything, you want to verify that a full database is your issue. Right-click on VIM_VCDB and select properties. Under properties you will see how much space is in use.
Modify Events and Tasks Parameters:
  • Expand the database until you see a table called dbo.VPX_PARAMETER.
  • Right-click on dbo.VPX_PARAMETER and select Open Table
  • Modify the following values:
    • event.maxAge - By default this is set to 180 days. You can set this to whatever you desire. Obviously if you decrease the amount, the less will be retained.
    • event.maxAgeEnabled - By default this is set to false, which means that by default your database saves all events. Make sure this is set to true.
      • Do the same thing for the task.maxAge and task.maxAgeEnabled values.
Execute Database Cleanup:
  • Expand the database, then Programmability -> Stored Procedures, until you see dbo.cleanup_events_tasks_proc (it is a stored procedure, not a table).
  • Right-click on dbo.cleanup_events_tasks_proc and select Execute Stored Procedure.
  • This removes every event and task older than the maxAge values you set in dbo.VPX_PARAMETER. It may take a few minutes.
  • Once complete, open up the database properties again and check the database size. It should be substantially lower. 


Sunday, May 20, 2012

Juniper Networks SRX Sample Configuration

Below is a sample remote site configuration of a Juniper SRX100 firewall along with explanations. I used this template configuration to deploy multiple firewalls in a multi-site, retail-type deployment. You will see 4 separate subnets/VLANs for voip, data, corporate wireless, and guest wireless. In this particular example, the VoIP deployment was ShoreTel, and the wireless technology used was that of Aruba Networks. You will also see a route-based VPN configuration bound to the untrust interface, allowing for communication between the HQ and remote site.

Note: You can view the configuration in the format below any time by issuing the command, "show | display set". I changed a bit of how it is displayed in order to better show what each line means.


To set the host name:
set system host-name

To set the root password:
set system root-authentication plain-text-password

To set the name server:
set system name-server

To set additional user names and passwords:
set system login user example uid 2000
set system login user example class super-user
set system login user example authentication plain-text-password 

To allow different global services:
set system services ftp
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.5 

(vlan.5 restricts web management to that logical interface only; you will see below that vlan.5 is the data VLAN. FTP, on the other hand, is cleartext and is enabled here for the whole box: enable it only while you need it, as in the cluster upgrade post above, and use SSH/scp otherwise.)

To set other system policies:
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

(The settings above are actually there by default, but can be changed as needed.)

To configure interfaces:
set interfaces fe-0/0/0 description "WAN"
set interfaces fe-0/0/0 unit 0 family inet dhcp

(In this example, I am using interface fe-0/0/0 as the WAN interface.)

set interfaces fe-0/0/1 description "VOIP/DATA"
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching native-vlan-id 5

(Interface fe-0/0/1 is a trunk port for both the VOIP and DATA VLANs.)

set interfaces fe-0/0/2 disable
set interfaces fe-0/0/3 disable

set interfaces fe-0/0/4 disable

set interfaces fe-0/0/5 disable

set interfaces fe-0/0/6 disable

(The interfaces above are disabled since they are not in use in this example.)

set interfaces fe-0/0/7 description "CORP WIRELESS/GUEST WIRELESS"
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/7 unit 0 family ethernet-switching native-vlan-id 6

(Interface fe-0/0/7 is a trunk port for both the CORP WIRELESS and GUEST WIRELESS VLANs. Not shown in this excerpt: the trunk ports also need the VLANs they carry listed under vlan members, and each VLAN needs a vlans entry tying its vlan-id to the vlan.N logical interface configured below.)

To configure an interface for route-based VPN:
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.254 ipsec-vpn routebasedvpn
set interfaces st0 unit 0 family inet address 10.10.10.5/24

(The 10.10.10.254 IP is the address of the HQ st0 interface. The 10.10.10.5 IP is the address of the local st0 interface)

To configure a gateway/subnet for each VLAN:
set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 7 family inet address 192.168.7.1/24

(The unit numbers match the vlan.4 to vlan.7 interfaces referenced in the DHCP relay and zone stanzas below: 4 is VoIP, 5 data, 6 corporate wireless and 7 guest wireless.)

To configure DHCP options:
set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "DHCP SERVER"
set forwarding-options helpers bootp server 10.10.100.10
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.4
set forwarding-options helpers bootp interface vlan.5
set forwarding-options helpers bootp interface vlan.6
set forwarding-options helpers bootp interface vlan.7

(In the example above, the SRX is doing a relay from a centralized DHCP server at HQ.)

To configure routing options:
set routing-options static route 192.168.4.0/24 next-hop st0.0

(The intent is to send traffic for HQ over the VPN tunnel interface. As written, though, 192.168.4.0/24 is the local VoIP subnet, which is directly connected on vlan.4 and therefore always preferred over a static route, so this line never takes effect. What actually pushes traffic into the tunnel is a static route for the HQ prefix, the 10.10.0.0/16 that appears in the vpn zone address book below, with next-hop st0.0; the DHCP relay to 10.10.100.10 depends on that route as well.)

To set protocols:
set protocols igmp interface vlan.4
set protocols lldp interface all
set protocols lldp-med interface all

To configure IPSEC VPN:
set security ike proposal phase1-prop authentication-method pre-shared-keys
set security ike proposal phase1-prop dh-group group2
set security ike proposal phase1-prop authentication-algorithm sha1
set security ike proposal phase1-prop encryption-algorithm 3des-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text test1234
set security ike gateway ike-gateway1 ike-policy ike-policy1
set security ike gateway ike-gateway1 address 1.1.1.1
set security ike gateway ike-gateway1 external-interface fe-0/0/0.0
set security ipsec proposal phase2-prop protocol esp
set security ipsec proposal phase2-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy1 proposal-set standard
set security ipsec vpn routebasedvpn bind-interface st0.0
set security ipsec vpn routebasedvpn ike gateway ike-gateway1
set security ipsec vpn routebasedvpn ike ipsec-policy ipsec-policy1
set security ipsec vpn routebasedvpn establish-tunnels immediately

(Two things to watch in this block. The custom proposals phase1-prop and phase2-prop are defined but never used: ike-policy1 and ipsec-policy1 both select proposal-set standard. To use them instead, replace the two proposal-set lines with "set security ike policy ike-policy1 proposals phase1-prop" and "set security ipsec policy ipsec-policy1 proposals phase2-prop". Either way, 3DES, SHA-1 and DH group 2 reflect what was common when this was written; a current deployment would pick AES and a larger group, subject to what the HQ side supports. test1234 is a placeholder key.)

To configure NAT:
set security nat source rule-set voip-to-untrust from zone voip
set security nat source rule-set voip-to-untrust to zone untrust
set security nat source rule-set voip-to-untrust rule source-nat-rule1 match source-address 192.168.4.0/24
set security nat source rule-set voip-to-untrust rule source-nat-rule1 then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule2 match source-address 192.168.5.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule2 then source-nat interface
set security nat source rule-set corp_wireless-to-untrust from zone corp_wireless
set security nat source rule-set corp_wireless-to-untrust to zone untrust
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.6.0/24
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 then source-nat interface
set security nat source rule-set guest_wireless-to-untrust from zone guest_wireless
set security nat source rule-set guest_wireless-to-untrust to zone untrust
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 match source-address 192.168.7.0/24
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 then source-nat interface

To configure screen options:
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

To configure zones:
set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone voip interfaces vlan.4
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.5
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols router-discovery
set security zones security-zone corp_wireless host-inbound-traffic system-services all
set security zones security-zone corp_wireless host-inbound-traffic protocols all
set security zones security-zone corp_wireless interfaces vlan.6
set security zones security-zone vpn address-book address hq_network 10.10.0.0/16
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
set security zones security-zone guest_wireless host-inbound-traffic system-services all
set security zones security-zone guest_wireless host-inbound-traffic protocols all
set security zones security-zone guest_wireless interfaces vlan.7

(host-inbound-traffic system-services all on guest_wireless lets guest clients talk to every service the SRX itself runs on vlan.7, SSH included; web management is already pinned to vlan.5 by the system services stanza, but nothing else is. For a guest zone, list only what the clients need, which here is dhcp for the relay and perhaps ping, and leave protocols off unless a routing protocol actually runs there. The same review applies to the corp_wireless and voip zones.)

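The problems called out in the notes above (a cleartext management service, proposals that no policy selects, legacy algorithms, a placeholder PSK, zones that expose every system service, any/any/any permits, and a NAT rule whose prefix matches no interface) are all visible in "show | display set" output. The script below is an added example of mine, not a Juniper tool, that scans such output for each of them; the configuration text is a constructed excerpt of the sample on this page, with the 181.168.7.0/24 typo kept in so the NAT check has something to find, and the 16-character PSK minimum is an assumed policy.

```python
import ipaddress
import re

# Constructed excerpt in "show | display set" form, drawn from the sample
# configuration on this page with the guest NAT typo (181.168.7.0/24) kept in.
SAMPLE_CONFIG = """\
set system services ftp
set system services ssh
set security ike proposal phase1-prop dh-group group2
set security ike proposal phase1-prop encryption-algorithm 3des-cbc
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text test1234
set security ipsec proposal phase2-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-policy1 proposal-set standard
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.6.0/24
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 match source-address 181.168.7.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone guest_wireless host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match source-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match destination-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then permit
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 7 family inet address 192.168.7.1/24
"""

MIN_PSK_LEN = 16   # assumed policy for this example; the page itself sets none
LEGACY_CRYPTO = {"des-cbc", "3des-cbc", "md5", "sha1", "hmac-md5-96", "hmac-sha1-96",
                 "group1", "group2"}

PROPOSAL_DEF = re.compile(r"set security (ike|ipsec) proposal (\S+)")
PROPOSAL_REF = re.compile(r"set security (ike|ipsec) policy \S+ proposals (\S+)")
PSK = re.compile(r"set security ike policy (\S+) pre-shared-key ascii-text (\S+)")
ZONE_ALL = re.compile(r"set security zones security-zone (\S+) (?:interfaces \S+ )?"
                      r"host-inbound-traffic system-services all$")
POLICY_MATCH = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                          r"match (source-address|destination-address|application) (\S+)")
POLICY_THEN = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then (\S+)")
IFACE_ADDR = re.compile(r"set interfaces \S+ unit \d+ family inet address (\S+)")
NAT_SRC = re.compile(r"set security nat source rule-set (\S+) rule \S+ match source-address (\S+)")


def audit(set_config):
    """Return (code, detail) findings for a Junos configuration in set format."""
    findings = []
    defined = {"ike": set(), "ipsec": set()}
    referenced = {"ike": set(), "ipsec": set()}
    policies = {}      # (from-zone, to-zone, name) -> {"source-address": ..., "action": ...}
    subnets = []       # networks carried on configured interface units
    nat_sources = []   # (rule-set, prefix) from source NAT match conditions

    for line in (l.strip() for l in set_config.splitlines()):
        if not line.startswith("set "):
            continue
        words = line.split()
        if line == "set system services ftp":
            findings.append(("FTP_ENABLED", "FTP is cleartext; enable only for a transfer, then delete it"))
        if (m := PROPOSAL_DEF.match(line)):
            defined[m.group(1)].add(m.group(2))
        if (m := PROPOSAL_REF.match(line)):
            referenced[m.group(1)].add(m.group(2))
        if words[1:3] in (["security", "ike"], ["security", "ipsec"]) and words[-1] in LEGACY_CRYPTO:
            findings.append(("LEGACY_CRYPTO", line))
        # Only meaningful on the plaintext key as typed; a committed config shows the
        # key in Junos's $9$ obfuscated form, which this check skips.
        if (m := PSK.match(line)) and not m.group(2).startswith('"$9$') and len(m.group(2)) < MIN_PSK_LEN:
            findings.append(("SHORT_PSK", f"{m.group(1)}: {len(m.group(2))} characters"))
        if (m := ZONE_ALL.match(line)):
            findings.append(("HOST_INBOUND_ALL", m.group(1)))
        if (m := POLICY_MATCH.match(line)):
            policies.setdefault(m.group(1, 2, 3), {})[m.group(4)] = m.group(5)
        if (m := POLICY_THEN.match(line)):
            policies.setdefault(m.group(1, 2, 3), {})["action"] = m.group(4)
        if (m := IFACE_ADDR.match(line)):
            subnets.append(ipaddress.ip_interface(m.group(1)).network)
        if (m := NAT_SRC.match(line)):
            nat_sources.append((m.group(1), m.group(2)))

    for kind in ("ike", "ipsec"):
        for name in sorted(defined[kind] - referenced[kind]):
            findings.append(("UNUSED_PROPOSAL", f"{kind} proposal {name} is never selected by a policy"))
    for (src, dst, name), p in policies.items():
        if p.get("action") == "permit" and all(
                p.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            findings.append(("ANY_ANY_PERMIT", f"{src}->{dst} {name}"))
    for rule_set, prefix in nat_sources:
        net = ipaddress.ip_network(prefix, strict=False)
        if not any(net.overlaps(s) for s in subnets):
            findings.append(("NAT_PREFIX_UNKNOWN", f"{rule_set}: {prefix} matches no configured interface subnet"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```

Feed it the real output of show configuration | display set; an empty result is not a clean bill of health, only the absence of these particular patterns.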
To configure policies from zone to zone:
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match source-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match destination-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match application any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust then permit
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match source-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match destination-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match application any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn then permit
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match source-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match destination-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match application any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless then permit
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match source-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match destination-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then permit
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match source-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match destination-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match application any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless then permit
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match source-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match destination-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match application any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless then permit
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match source-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match destination-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match application any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless then permit
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match source-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match destination-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match application any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust then permit
set security flow tcp-mss ipsec-vpn mss 1350
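Every policy in the block above is an any/any/any permit with no logging, and the one thing that keeps guest wireless off the wired LAN is the absence of a guest_wireless-to-trust policy, i.e. the SRX default deny. That works, but it leaves you with no record when a guest device scans 10.10.0.0/16 and no counter to show it happened. As an added example, not part of the original post, the fragment below adds an explicit, logged deny for guest traffic into the internal zones, turns on session logging for the guest Internet policy, and uses the `hq_network` address-book entry the post defines but never references to tighten the tunnel policy. It assumes the default event-mode security logging of a branch SRX and writes traffic logs to a local file; the file name is my choice.

```junos
# Added example (not from the post): explicit, logged denies for guest -> internal.
# The implicit default deny already drops this traffic; the explicit policy adds
# an RT_FLOW_SESSION_DENY log line and a hit counter for every attempt.
set security policies from-zone guest_wireless to-zone trust policy guest-to-trust-deny match source-address any
set security policies from-zone guest_wireless to-zone trust policy guest-to-trust-deny match destination-address any
set security policies from-zone guest_wireless to-zone trust policy guest-to-trust-deny match application any
set security policies from-zone guest_wireless to-zone trust policy guest-to-trust-deny then deny
set security policies from-zone guest_wireless to-zone trust policy guest-to-trust-deny then log session-init
set security policies from-zone guest_wireless to-zone trust policy guest-to-trust-deny then count

set security policies from-zone guest_wireless to-zone corp_wireless policy guest-to-corp-deny match source-address any
set security policies from-zone guest_wireless to-zone corp_wireless policy guest-to-corp-deny match destination-address any
set security policies from-zone guest_wireless to-zone corp_wireless policy guest-to-corp-deny match application any
set security policies from-zone guest_wireless to-zone corp_wireless policy guest-to-corp-deny then deny
set security policies from-zone guest_wireless to-zone corp_wireless policy guest-to-corp-deny then log session-init
set security policies from-zone guest_wireless to-zone corp_wireless policy guest-to-corp-deny then count

# Log session close on the guest Internet policy so you have a record of what guests did.
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then log session-close

# Only send HQ-bound traffic into the tunnel: use the hq_network object from the vpn zone
# instead of "any" as the destination of the trust-to-vpn policy.
delete security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address hq_network

# State the default explicitly so nobody later "fixes" it to permit-all.
set security policies default-policy deny-all

# Send RT_FLOW session messages (CREATE / CLOSE / DENY) to their own local log file.
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

commit check
commit confirmed 5

# After a guest device tries to reach the LAN, check the counter and the log.
run show security policies from-zone guest_wireless to-zone trust detail
run show log traffic-log | match RT_FLOW_SESSION_DENY
```

Policies are evaluated in order within a from-zone/to-zone pair; since the post defines no guest_wireless-to-trust or guest_wireless-to-corp_wireless policies, the new denies are the only entries in those contexts and ordering is not an issue. If you later add a permit for, say, a printer on the LAN, use `insert ... before` so the deny stays last.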

To configure VLANs:
set vlans VOIP description "VOIP"
set vlans VOIP vlan-id 4
set vlans VOIP interface fe-0/0/1.0
set vlans VOIP l3-interface vlan.4
set vlans DATA description "DATA"
set vlans DATA vlan-id 5
set vlans DATA l3-interface vlan.5     
set vlans CORP_WIRELESS description "CORP_WIRELESS"
set vlans CORP_WIRELESS vlan-id 6
set vlans CORP_WIRELESS l3-interface vlan.6
set vlans GUEST_WIRELESS description "GUEST_WIRELESS"
set vlans GUEST_WIRELESS vlan-id 7
set vlans GUEST_WIRELESS interface fe-0/0/7.0
set vlans GUEST_WIRELESS l3-interface vlan.7


You will notice that interface fe-0/0/1.0 is bound to the VOIP VLAN, yet in the "set interfaces" section interface fe-0/0/1 carries a native VLAN ID of 5. Both VLANs exist on that port: frames that arrive untagged are placed in VLAN 5 (DATA), while frames the phone tags with 802.1Q VLAN 4 go to VOIP. A device plugged into the port therefore receives an address in VLAN 5 by default unless it tags its traffic; in this example a custom DHCP option was created for the VOIP VLAN that hands the phone a VLAN ID of 4, after which the phone tags its frames and obtains an address in the VOIP VLAN.