/* Packet-filter policy for the WAN uplink; the WAN_IN and WAN_LOCAL rulesets defined here are attached to eth0 under interfaces. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* NOTE(review): only GatewaysRED, SubnetsAdmin and SubnetsRED are referenced by the rulesets below; DMZ_External, DMZ_Web_Internal, GatewaysAdmin, Mail_External, Mail_Internal, VPN_external, DMZ_web and Mail are unused here -- dead config unless rulesets not shown use them. */
        address-group DMZ_External {
            address *.177.*.*
            description ""
        }
        address-group DMZ_Web_Internal {
            address 192.168.105.25
            description ""
        }
        address-group GatewaysAdmin {
            address 192.168.1.1
            address 192.168.10.1
            description ""
        }
        /* This router's own LAN (eth1) and VOICE VLAN (eth2.10) addresses; destination of WAN_LOCAL rule 3. */
        address-group GatewaysRED {
            address 192.168.86.1
            address 192.168.87.1
            description ""
        }
        address-group Mail_External {
            address *.177.*.*
            description ""
        }
        address-group Mail_Internal {
            address 192.168.1.7
            description ""
        }
        address-group VPN_external {
            address *.177.*.*
            description ""
        }
        /* Remote admin-site subnets, reached over vti1 per the static routes under protocols; the trusted source in WAN_IN rule 3 and WAN_LOCAL rule 3. */
        network-group SubnetsAdmin {
            description ""
            network 192.168.1.0/24
            network 192.168.10.0/24
        }
        /* This site's LAN and VOICE VLAN subnets. */
        network-group SubnetsRED {
            description ""
            network 192.168.86.0/24
            network 192.168.87.0/24
        }
        port-group DMZ_web {
            description "DMZ_web HTTP,HTTPS"
            port 80
            port 443
        }
        port-group Mail {
            description "Mail SMTP,SMTPS,IMAP,IMAPS,HTTPS"
            port 25
            port 465
            port 143
            port 993
            port 443
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Forwarded traffic arriving on eth0 (internet -> LAN/VLAN). Default action drop, default drops logged. */
    name WAN_IN {
        default-action drop
        description "packets from internet to LAN and WLAN"
        enable-default-log
        /* Return traffic for sessions opened from inside. */
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        /* NOTE(review): accepts admin-subnet sources arriving in cleartext on eth0. Tunnel traffic is presumably delivered on the vti interfaces rather than eth0, so with source-validation disabled (below) this rule would mostly match packets from the internet carrying a spoofed RFC1918 source -- confirm it is still needed. */
        rule 3 {
            action accept
            description "allow VPN traffic from admin"
            destination {
                group {
                    network-group SubnetsRED
                }
            }
            log disable
            source {
                group {
                    network-group SubnetsAdmin
                }
            }
        }
    }
    /* Traffic arriving on eth0 addressed to the router itself. Default action drop, default drops logged. */
    name WAN_LOCAL {
        default-action drop
        description "packets from internet to the router"
        enable-default-log
        /* NOTE(review): log enable here logs every established/related packet to the router; WAN_IN rule 1 uses log disable -- likely unintended log volume. */
        rule 1 {
            action accept
            description "allow established sessions"
            log enable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        /* Same caveat as WAN_IN rule 3: matches admin-subnet sources in cleartext on eth0. */
        rule 3 {
            action accept
            description "allow VPN traffic from Admin to the router"
            destination {
                group {
                    address-group GatewaysRED
                }
            }
            log disable
            source {
                group {
                    network-group SubnetsAdmin
                }
            }
        }
        /* Rules 5-7: IPsec control/data plane (IKE, ESP, NAT-T) accepted from any source. NOTE(review): every site-to-site peer under vpn ipsec has a fixed address and this router initiates, so these could be narrowed to an address-group of the peers. */
        rule 5 {
            action accept
            description "allow IKE-UDP-500"
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 6 {
            action accept
            description "allow ESP-50"
            log disable
            protocol esp
        }
        rule 7 {
            action accept
            description "allow NAT-T-UDP-4500"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        /* Rules 8-9: PPTP remote access (GRE + TCP/1723) from any source; neither rule sets log, unlike the rules above. NOTE(review): PPTP/MS-CHAPv2 is widely regarded as broken; see the pptp stanza under vpn. */
        rule 8 {
            action accept
            description "allow PPTP VPN gre"
            protocol gre
        }
        rule 9 {
            action accept
            description "allow PPTP VPN pptp"
            destination {
                port 1723
            }
            protocol tcp
        }
    }
    receive-redirects disable
    /* NOTE(review): the router will emit ICMP redirects on every interface including eth0; disable is the usual setting on an internet-facing box. */
    send-redirects enable
    /* NOTE(review): reverse-path source validation is off, so packets with a spoofed internal source are not dropped on eth0; loose or strict would close that gap (check the impact on the vti/asymmetric paths first). */
    source-validation disable
    syn-cookies enable
}
/* Physical ports, the VOICE VLAN, and one VTI per IPsec site-to-site peer (each vti is bound to a peer under vpn ipsec site-to-site). */
interfaces {
    /* Internet uplink; the only interface with a firewall ruleset attached. */
    ethernet eth0 {
        address *.*.*.231/28
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* NOTE(review): no firewall on eth1, eth2.10 or any vti, so LAN<->VOICE and traffic arriving from peer sites is forwarded unfiltered -- confirm that is the intended trust model. */
    ethernet eth1 {
        address 192.168.86.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description VLANS
        duplex auto
        speed auto
        vif 10 {
            address 192.168.87.1/24
            description VOICE.10
            mtu 1500
        }
    }
    loopback lo {
    }
    /* VTIs: OSPF point-to-point adjacency on each, no OSPF authentication configured (the tunnel is the only protection). mtu 1398 presumably leaves room for the IPsec overhead -- TODO confirm. */
    vti vti1 {
        address 10.87.1.87/24
        description ADM
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti18 {
        address 10.18.87.87/24
        description SMI
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti28 {
        address 10.28.87.87/24
        description SMA
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti33 {
        address 10.87.33.87/24
        description GDA
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti39 {
        address 10.87.39.87/24
        description FAR
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti60 {
        address 10.60.87.87/24
        description RDO
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti74 {
        address 10.87.*.87/24
        description DAR
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti95 {
        address 10.95.87.87/24
        description SST
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti113 {
        address 10.87.113.87/24
        description GRA
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti116 {
        address 10.87.116.87/24
        description LAM
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
    vti vti204 {
        address 10.87.204.87/24
        description CDO
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1398
    }
}
/* Routing: single-area OSPF over the VTIs plus static fallbacks toward the admin site. */
protocols {
    ospf {
        /* Area 0 covers both local subnets and every vti transit /24. */
        area 0.0.0.0 {
            network 192.168.86.0/24
            network 192.168.87.0/24
            network 10.18.87.0/24
            network 10.28.87.0/24
            network 10.87.33.0/24
            network 10.87.39.0/24
            network 10.60.87.0/24
            network 10.87.*.0/24
            network 10.87.1.0/24
            network 10.95.87.0/24
            network 10.87.113.0/24
            network 10.87.116.0/24
            network 10.87.204.0/24
        }
        log-adjacency-changes {
        }
        parameters {
            abr-type cisco
            router-id 192.168.86.1
        }
        /* All interfaces passive by default; hellos are sent only on the eleven VTIs, so no OSPF is spoken on the LAN/VLAN. */
        passive-interface default
        passive-interface-exclude vti1
        passive-interface-exclude vti116
        passive-interface-exclude vti204
        passive-interface-exclude vti33
        passive-interface-exclude vti39
        passive-interface-exclude vti74
        passive-interface-exclude vti113
        passive-interface-exclude vti18
        passive-interface-exclude vti28
        passive-interface-exclude vti60
        passive-interface-exclude vti95
    }
    static {
        /* Admin-site subnets via vti1 with distance 152 -- presumably a floating backup behind the OSPF-learned routes (OSPF default distance 110); confirm. */
        interface-route 192.168.1.0/24 {
            next-hop-interface vti1 {
                distance 152
            }
        }
        interface-route 192.168.10.0/24 {
            next-hop-interface vti1 {
                distance 152
            }
        }
        /* NOTE(review): 192.168.87.0/24 is already a connected network on eth2.10 (address 192.168.87.1/24), so this static route looks redundant. */
        interface-route 192.168.87.0/24 {
            next-hop-interface eth2.10 {
            }
        }
    }
}
/* Router-hosted services: DHCP (with Lync phone provisioning options), web GUI, NAT, SNMP and SSH. */
service {
    dhcp-server {
        disabled false
        /* Raw ISC dhcpd directives: a vendor class for Microsoft UC clients with a custom option space. The colon-separated hex values are ASCII byte strings (hostnames, port, URL path). NOTE(review): domain-name was redacted to ExampleDomain.com but these encoded values were not. */
        global-parameters "class "vendor-classes" {"
        global-parameters "match option vendor-class-identifier;"
        global-parameters "}"
        global-parameters "option space MSUCClient;"
        global-parameters "option MSUCClient.UCIdentifier code 1 = string;"
        global-parameters "option MSUCClient.URLScheme code 2 = string;"
        global-parameters "option MSUCClient.WebServerFqdn code 3 = string;"
        global-parameters "option MSUCClient.WebServerPort code 4 = string;"
        global-parameters "option MSUCClient.CertProvRelPath code 5 = string;"
        /* Option 120 (SIP server); the per-subnet value below is a DNS-style encoded name. */
        global-parameters "option UCSipServer code 120 = string;"
        global-parameters "subclass "vendor-classes" "MS-UC-Client" {"
        global-parameters "vendor-option-space MSUCClient;"
        global-parameters "option MSUCClient.UCIdentifier 4D:53:2D:55:43:2D:43:6C:69:65:6E:74;"
        global-parameters "option MSUCClient.URLScheme 68:74:74:70:73;"
        global-parameters "option MSUCClient.WebServerFqdn 61:64:6D:2D:6C:79:6E:63:2E:68:65:61:64:73:74:61:72:74:2E:61:64:6D:69:6E;"
        global-parameters "option MSUCClient.WebServerPort 34:34:33;"
        /* One dhcpd statement split across two global-parameters lines. */
        global-parameters "option MSUCClient.CertProvRelPath"
        global-parameters "2F:43:65:72:74:50:72:6F:76:2F:43:65:72:74:50:72:6F:76:69:73:69:6F:6E:69:6E:67:53:65:72:76:69:63:65:2E:73:76:63;"
        global-parameters "} "
        hostfile-update disable
        /* LAN scope (eth1). DNS/NTP are admin-site hosts reached over vti1. */
        shared-network-name 192.168.86.0 {
            authoritative disable
            subnet 192.168.86.0/24 {
                default-router 192.168.86.1
                dns-server 192.168.1.29
                dns-server 192.168.1.30
                domain-name ExampleDomain.com
                lease 86400
                ntp-server 192.168.1.29
                ntp-server 192.168.1.30
                start 192.168.86.100 {
                    stop 192.168.86.210
                }
                subnet-parameters "option UCSipServer 00:08:61:64:6D:2D:6C:79:6E:63:09:68:65:61:64:73:74:61:72:74:05:61:64:6D:69:6E:00;"
                /* Only this scope advertises the UniFi controller; the VOICE scope below does not -- presumably deliberate. */
                unifi-controller 192.168.1.30
            }
        }
        /* VOICE VLAN scope (eth2.10). */
        shared-network-name 192.168.87.0 {
            authoritative disable
            subnet 192.168.87.0/24 {
                default-router 192.168.87.1
                dns-server 192.168.1.29
                dns-server 192.168.1.30
                domain-name ExampleDomain.com
                lease 86400
                ntp-server 192.168.1.29
                ntp-server 192.168.1.30
                start 192.168.87.100 {
                    stop 192.168.87.210
                }
                subnet-parameters "option UCSipServer 00:08:61:64:6D:2D:6C:79:6E:63:09:68:65:61:64:73:74:61:72:74:05:61:64:6D:69:6E:00;"
            }
        }
    }
    /* Web UI on 443; only WAN_LOCAL (default drop) keeps it off the internet, it is reachable from the LAN, VLAN and vti sides. */
    gui {
        https-port 443
    }
    nat {
        /* Rules 1-7: destination NAT on eth0. NOTE(review): for an inbound port-forward the public address normally sits under destination and the private host under inside-address; here it is the reverse (destination 192.168.1.7 / 192.168.105.25, inside-address *.177.*.*), and WAN_IN has no rule admitting new connections to those hosts -- confirm these rules ever match. Rules 1-5 log, 6-7 do not. */
        rule 1 {
            description Mail_NAT_SMTP
            destination {
                address 192.168.1.7
                port 25
            }
            inbound-interface eth0
            inside-address {
                address *.177.*.*
                port 25
            }
            log enable
            protocol tcp
            type destination
        }
        rule 2 {
            description Mail_NAT_SMTPS
            destination {
                address 192.168.1.7
                port 465
            }
            inbound-interface eth0
            inside-address {
                address *.177.*.*
                port 465
            }
            log enable
            protocol tcp
            type destination
        }
        rule 3 {
            description Mail_NAT_IMAP
            destination {
                address 192.168.1.7
                port 143
            }
            inbound-interface eth0
            inside-address {
                address *.177.*.*
                port 143
            }
            log enable
            protocol tcp
            type destination
        }
        rule 4 {
            description Mail_NAT_IMAPS
            destination {
                address 192.168.1.7
                port 993
            }
            inbound-interface eth0
            inside-address {
                address *.177.*.*
                port 993
            }
            log enable
            protocol tcp
            type destination
        }
        rule 5 {
            description Mail_NAT_HTTPS
            destination {
                address 192.168.1.7
                port 443
            }
            inbound-interface eth0
            inside-address {
                address *.177.*.*
                port 443
            }
            log enable
            protocol tcp
            type destination
        }
        rule 6 {
            description DMZ_website_HTTP
            destination {
                address 192.168.105.25
                port 80
            }
            inbound-interface eth0
            inside-address {
                address *.177.*.*
                port 80
            }
            log disable
            protocol tcp
            type destination
        }
        rule 7 {
            description DMZ_website_HTTPS
            destination {
                address 192.168.105.25
                port 443
            }
            inbound-interface eth0
            inside-address {
                address *.177.*.*
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        /* Outbound source NAT for everything leaving eth0. */
        rule 5000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        /* Masquerade exclusion for LAN -> admin-site traffic. NOTE(review): covers only 192.168.86.0/24 -> 192.168.1.0/24; 192.168.87.0/24 and 192.168.10.0/24 are not listed (auto-firewall-nat-exclude under vpn ipsec may already handle tunnel traffic -- confirm). */
        rule 5001 {
            destination {
                address 192.168.1.0/24
            }
            exclude
            outbound-interface eth0
            source {
                address 192.168.86.0/24
            }
            type masquerade
        }
    }
    /* NOTE(review): read-only SNMP with the default community name and no client/network restriction -- anything on the LAN, VLAN or vti side can query it; use a non-default community and restrict sources. The location string holds an unredacted street address. */
    snmp {
        community public {
            authorization ro
        }
        location "1145 Redwood Ave El Cajon, CA 92020"
    }
    /* SSH on the default port, v2 only; shielded from the internet by WAN_LOCAL, open from the inside and vti sides. */
    ssh {
        port 22
        protocol-version v2
    }
}
/* Host settings: conntrack sizing, identity, local login, resolvers, NTP, hardware offload, logging. */
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name ExampleDomain.com
    gateway-address *.*.*.225
    host-name RED-ERLite
    /* Single admin-level local account; password material is masked in this dump. */
    login {
        user AccountName1 {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name AccountName1
            level admin
        }
    }
    /* Resolvers for the router itself (public DNS); DHCP clients are handed 192.168.1.29/.30 instead. */
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    /* Local syslog: notice for everything, debug for the routing daemons (verbose; fine for troubleshooting, noisy long-term). */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
}
/* Site-to-site IPsec to eleven peers (one VTI each, OSPF on top) plus PPTP remote access. */
vpn {
    ipsec {
        /* Tunnel traffic is exempted from the masquerade rules automatically. */
        auto-firewall-nat-exclude enable
        /* Phase 2: AES-128/SHA-1 tunnel mode, PFS on, 1h lifetime. */
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        /* Phase 1: IKEv1 with DH group 14. NOTE(review): SHA-1 and IKEv1 throughout; EdgeOS also accepts hash sha256 and key-exchange ikev2 -- prefer them where the peers support it. */
        ike-group FOO0 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        /* Every peer: pre-shared secret, this router initiates from eth0 (*.*.*.231), same IKE/ESP groups, one vti bound per peer. Secrets are masked, so whether one PSK is shared across peers cannot be told from this dump -- a per-peer secret is the safer assumption to verify. */
        site-to-site {
            peer 68.15.0.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti116
                    esp-group FOO0
                }
            }
            peer 68.15.*.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti74
                    esp-group FOO0
                }
            }
            peer *.*.2.166 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti28
                    esp-group FOO0
                }
            }
            peer *.*.*.*15 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti95
                    esp-group FOO0
                }
            }
            peer *.*.6.126 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti33
                    esp-group FOO0
                }
            }
            peer *.*.28.72 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti204
                    esp-group FOO0
                }
            }
            peer *.*.*.125 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti39
                    esp-group FOO0
                }
            }
            peer *.173.62.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti18
                    esp-group FOO0
                }
            }
            peer *.175.247.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti60
                    esp-group FOO0
                }
            }
            peer 174.78.*.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti113
                    esp-group FOO0
                }
            }
            /* The admin-site tunnel (vti1, description ADM), over which the 192.168.1.0/24 and 192.168.10.0/24 routes go. */
            peer *.177.*.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group FOO0
                local-address *.*.*.231
                vti {
                    bind vti1
                    esp-group FOO0
                }
            }
        }
    }
    /* NOTE(review): PPTP with local password users (MS-CHAPv2) is widely regarded as broken; an IPsec-based remote-access setup is the usual replacement. The client pool 192.168.103.100-210 appears in no firewall group, OSPF network or NAT exclusion above, so remote clients are unfiltered locally and may not be reachable from peer sites -- confirm. */
    pptp {
        remote-access {
            authentication {
                local-users {
                    username AccountName1 {
                        password ****************
                    }
                    username AccountName2 {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.103.100
                stop 192.168.103.210
            }
            dns-servers {
                server-1 192.168.1.29
                server-2 192.168.1.30
            }
            mtu 1492
            outside-address *.*.*.231
        }
    }
}
Wednesday, April 8, 2015
Example of one of my configs for a remote site on a Ubiquiti EdgeRouter with PPTP, OSPF, VTIs, and DHCP Lync phone settings