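## Last changed: 2011-09-09 12:00:10 UTC
version 10.4R5.5;
system {
    host-name srx240a;
    /* NOTE(review): this root hash is MD5-crypt ($1$) and has now been published
       together with the rest of this config; rotate the root password (a $5$/$6$
       hash is preferred) and avoid managing the box as root over SSH at all. */
    root-authentication {
        encrypted-password "$1$kTyjxUYd$bB//OyU.KifBU0tXBRTN91"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    services {
        /* SSH is reachable from zone untrust (see security zones below), so
           SSHv1 is disabled explicitly here. Consider root-login deny plus a
           named admin account, and a loopback firewall filter restricting the
           source addresses allowed to reach port 22 from the Internet. */
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        web-management {
            /* NOTE(review): HTTP J-Web carries credentials in the clear; it is
               only bound to the internal ge-0/0/0.0 / vlan.0 interfaces. Remove
               it once HTTPS is confirmed working. */
            http {
                interface [ ge-0/0/0.0 vlan.0 ];
            }
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.121 high 192.168.1.129;
            }
            propagate-settings ge-0/0/3.0;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
                /* native-vlan-id belongs directly under family ethernet-switching,
                   not inside vlan { }; the pasted original also lost a closing
                   brace here, which nested ge-0/0/14 and vlan inside this port. */
                native-vlan-id 1;
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family inet {
                address XXX.XX.X.XXX/29;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                /* Was /32: the DHCP pool is 192.168.1.0/24 with router
                   192.168.1.1, so the L3 VLAN interface must carry the /24 or
                   the SRX has no connected route back to the DHCP clients. */
                address 192.168.1.1/24;
            }
        }
        unit 23 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
}
snmp {
    /* NOTE(review): the default community "public" with no clients list exposes
       the full MIB tree to any host allowed in by host-inbound-traffic (trust,
       cloud and cloudmgmt all permit system-services all). Rename it and add a
       clients block limited to the NMS before this goes live. */
    community public {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop XXX.XX.X.XXX;
    }
}
protocols {
    lldp {
        interface all;
    }
    igmp-snooping {
        vlan all;
    }
}
security {
    nat {
        source {
            rule-set interface-nat {
                from zone trust;
                to zone untrust;
                rule rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                /* queue-size was removed: the system flagged it as deprecated
                   on this release and it had no effect. */
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            /* system-services all / protocols all at zone level: every RE
               service (snmp, netconf, J-Web, ...) is reachable from vlan.0. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    /* telnet was dropped from this list: the telnet service is
                       not enabled under system services, so the entry was dead
                       and only suggested cleartext management was intended. */
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            dhcp;
                        }
                    }
                }
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* ssh from the Internet reaches a box whose root hash is public;
               see the ssh note under system services. */
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    https;
                }
            }
            interfaces {
                /* The per-interface protocols all was removed: no dynamic
                   routing protocol is configured, so it granted nothing today
                   and would silently expose any protocol added later to the
                   Internet-facing port. */
                ge-0/0/14.0;
            }
        }
        /* NOTE(review): no security policy references zone cloud, so all
           traffic to and from 10.0.0.0/24 is dropped by the default deny; the
           (now deactivated) flow trace filtered on that prefix suggests this is
           what was being debugged. */
        security-zone cloud {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/9.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        /* Zone cloudmgmt currently has no interfaces; its policies are inert. */
        security-zone cloudmgmt {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone cloudmgmt {
            /* NOTE(review): an unrestricted any/any/any permit from the Internet
               into a management zone. It is harmless only while cloudmgmt has
               no interfaces; before one is added, restrict source-address and
               application or replace this with a deny. The duplicate policy
               untrust_to_cloudmgmt (identical match and action, evaluated after
               this one and therefore never reached) has been removed. */
            policy untrust2cloudmgmt {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone cloudmgmt to-zone cloudmgmt {
            policy cloudmgmt_default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone cloudmgmt to-zone untrust {
            policy cloudmgmt_to_internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone cloudmgmt {
            policy trust_to_cloudmgmt {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        /* Deactivated rather than deleted: flag all traces every datapath event
           to flash and must not stay on in production. Re-activate only while
           actively debugging the cloud zone. */
        inactive: traceoptions {
            file flow-trace;
            flag basic-datapath;
            flag all;
            packet-filter f0 {
                destination-prefix 10.0.0.0/24;
            }
        }
    }
}
vlans {
    VLAN23 {
        vlan-id 23;
        l3-interface vlan.23;
    }
    default {
        vlan-id 1;
        l3-interface vlan.0;
    }
}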