## Last changed: 2013-12-22 09:36:29 CET
version 11.4R9.4;
# THIS SOFTWARE IS PROVIDED TO YOU 'AS IS' AND IS NOT WARRANTED OR SUPPORTED
# BY JUNIPER NETWORKS. JUNIPER NETWORKS DISCLAIMS ANY AND ALL WARRANTIES IN
# AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE),
# INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
# PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER NETWORKS WARRANT THAT
# THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE
# WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION
# OR ATTACK. ADDITIONALLY USE OF THE SOFTWARE IS SUBJECT TO JUNIPER NETWORKS'
# AUTHORIZATION AND SOFTWARE MAY NOT BE DISTRIBUTED WITHOUT JUNIPER NETWORKS'
# PRIOR WRITTEN CONSENT. IN NO EVENT SHALL JUNIPER NETWORKS HAVE ANY LIABILITY
# FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES, OR FOR ANY DIRECT, SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES
# ARISING OUT OF CUSTOMER'S USE OF THE SOFTWARE, UNDER ANY THEORY OF LIABILITY,
# INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF SOFTWARE
# PROVIDED HEREUNDER, OR THE FAILURE OF SOFTWARE TO PERFORM, OR FOR ANY OTHER
# REASON. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF THE
# ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
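#
#
# SRX Internet gateway: ge-0/0/0.0 = WAN (zone untrust), ge-0/0/1.0 = LAN
# (zone trust, DHCP server + DNS proxy), lo0.0 = zone dmz-zone holding the
# public /29. Review changes in this revision are limited to removing
# management-plane exposure that no working access path depended on; anything
# that could lock an operator out is left as-is and flagged with NOTE(review).
system {
    host-name gw.example.com;
    domain-name example.com;
    time-zone Europe/Warsaw;
    # NOTE(review): local password is the only authentication method, and
    # "root-login allow" below means the management plane is guarded by a single
    # root password. No "login { user ... }" stanza appears in this listing, so
    # root-login is NOT flipped to deny here (that would lock the operator out).
    # Create a non-root user with an SSH key first, then set "root-login deny".
    authentication-order password;
    root-authentication {
        encrypted-password "???"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh {
            root-login allow;
            protocol-version v2;
        }
        # "telnet" and "xnm-clear-text" removed: both carry credentials in
        # cleartext. Neither was admitted by any zone's host-inbound-traffic
        # list, so this is pure attack-surface reduction with no reachable
        # access path affected.
        dns {
            max-cache-ttl 600;
            forwarders {
                8.8.8.8;
            }
        }
        web-management {
            # Plain-HTTP J-Web on ge-0/0/1.0 removed (admin credentials in
            # cleartext on the LAN); HTTPS on the same interface remains.
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
        }
        dhcp {
            domain-name example.com;
            name-server {
                8.8.8.8;
                8.8.4.4;
            }
            domain-search {
                example.com;
                example.lan;
            }
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.100 high 192.168.1.199;
            }
            propagate-settings ge-0/0/1.0;
        }
    }
    max-configuration-rollbacks 49;
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            no-loopback;
            auto-negotiation;
        }
        unit 0 {
            family inet {
                address 79.110.203.161/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        description local-loopback;
        unit 0 {
            family inet {
                address 79.110.203.153/29;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 79.110.203.162;
    }
}
security {
    nat {
        source {
            pool src-nat-pool-a {
                address {
                    79.110.203.155/32;
                }
            }
            # LAN -> Internet traffic is hidden behind 79.110.203.155.
            rule-set lan-to-net {
                from zone trust;
                to zone untrust;
                rule lan-to-net-via-dmz {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool-a;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool kairos-pool {
                address 192.168.1.254/32 port 443;
            }
            # NOTE(review): this rule-set only matches sessions that ingress from
            # dmz-zone, whose sole interface is lo0.0. Internet traffic for
            # 79.110.203.154:443 arrives on ge-0/0/0.0 (zone untrust), so it is not
            # clear this rule is ever hit -- TODO confirm with the destination-NAT
            # rule hit counters. If kairos-host is meant to be published, the
            # rule-set presumably needs "from zone untrust" plus an untrust->trust
            # policy scoped to kairos-host / junos-https (the current untrust->trust
            # policy denies everything).
            rule-set kairos {
                from zone dmz-zone;
                rule kairos-ssl {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 79.110.203.154/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool kairos-pool;
                    }
                }
            }
        }
        # NOTE(review): proxy-arp on a loopback cannot answer ARP from the
        # upstream router. If 79.110.203.152/29 is routed to this box over the
        # /30 it is unnecessary; otherwise it presumably belongs on ge-0/0/0.0.
        proxy-arp {
            interface lo0.0 {
                address {
                    79.110.203.154/32;
                }
            }
        }
    }
    # 0001
    # FROM "Any"
    # TO "Any"
    # SERVICE "any"
    # permit
    policies {
        # 0002
        # FROM "Any"
        # TO "Any"
        # SERVICE "any"
        # permit
        # LAN may reach anything on the Internet (no egress filtering).
        from-zone trust to-zone untrust {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # 0003
        # FROM "Any"
        # TO "Any"
        # SERVICE "any"
        # deny
        # Explicit deny of unsolicited Internet -> LAN traffic.
        from-zone untrust to-zone trust {
            policy defaultPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        # Only ICMP from the WAN may reach the device itself; other host-bound
        # traffic from untrust presumably falls through to the implicit deny of
        # this policy context -- confirm on the running box.
        from-zone untrust to-zone junos-host {
            policy icmp-from-wan {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone dmz-zone {
            policy icmp {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            # NOTE(review): permits SSH from any Internet source into dmz-zone,
            # and dmz-zone has no address-book entries to scope it. Nothing in
            # this listing shows a transit host behind dmz-zone (its only
            # interface is lo0.0); if SSH to a DMZ host is really required, add
            # an address-book entry and a source-address restriction. The policy
            # name is also misleading, since the application is junos-ssh, not any.
            policy untrust-to-dmz-any {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone dmz-zone {
            policy lan-to-dmz {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                # Not referenced by any policy in this listing.
                address kairos-host 192.168.1.254/32;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        # "http" dropped together with the web-management http
                        # service above. The routing-protocol list (bgp, pim,
                        # ospf, rip, igmp) was removed as well: no "protocols"
                        # stanza exists in this configuration, so nothing listened
                        # for them and they only widened the RE's exposure to LAN
                        # hosts. Re-add a specific protocol if one is ever enabled.
                        system-services {
                            ssh;
                            ping;
                            https;
                            dhcp;
                            dns;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        # "ssh" and "https" removed from the Internet-facing
                        # interface: with "root-login allow" and password-only
                        # authentication they presented a root password prompt to
                        # the WAN. The untrust->junos-host policy permits only ICMP
                        # anyway, so this aligns the zone with the policy intent.
                        # Manage the device from the LAN (ge-0/0/1.0).
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone junos-host {
            address-book {
                # Not referenced by any policy in this listing.
                address dmz-153 79.110.203.153/32;
            }
        }
        security-zone dmz-zone {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                    https;
                }
            }
            interfaces {
                lo0.0;
            }
        }
    }
}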