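## Last changed: 2014-05-11 14:38:24 UTC
version 11.2R3.3;
system {
    root-authentication {
        /* NOTE(review): MD5-crypt ($1$) root hash; a stronger hash format and a rotated secret are preferable where the platform supports them. */
        encrypted-password "$1$xBnp.1c3$qBRqSDIFjeqZRJJELoo0O1"; ## SECRET-DATA
    }
    name-server {
        193.150.34.1;
        91.230.181.1;
        8.8.8.8;
    }
    services {
        ssh;
        /* NOTE(review): telnet and xnm-clear-text are cleartext management services; any zone that allows system-services all (trust does) can reach them. Prefer ssh and https only. */
        telnet;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
                interface [ vlan.0 fe-0/0/1.0 ];
            }
        }
        dhcp {
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                /* NOTE(review): a /32 on an Ethernet interface yields no connected route toward the 192.168.1.0/24 hosts named in the NAT pools and address-book (SBS2008 etc.); confirm whether a /24 mask or explicit routes were intended. */
                address 192.168.1.60/32;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    pt-1/0/0 {
        unit 0;
    }
    pp0 {
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret "$9$VIYJGkqfn9A24369Cu0NdVYJG"; ## SECRET-DATA
                    local-name "17815@tw.uno.net.uk";
                    no-rfc2486;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 10;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    stp;
}
security {
    flow {
        tcp-mss {
            all-tcp {
                mss 1460;
            }
        }
    }
    screen {
        /* NOTE(review): this ids-option is defined but no security-zone carries a matching screen statement, so none of these checks are applied to traffic. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust_zone_out {
                from zone trust;
                to zone untrust;
                rule trust_all_out {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set hairpin_loopback {
                from zone trust;
                to zone trust;
                rule loopback_1_0_source {
                    match {
                        source-address 192.168.1.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool sbs_server_443 {
                address 192.168.1.32/32 port 443;
            }
            pool sbs_server_25 {
                address 192.168.1.32/32 port 25;
            }
            pool sbs_server_all_ports {
                address 192.168.1.32/32;
            }
            pool hp_lb_sbs2008 {
                /* FIX: was 192.168.1.32/24; every other pool and the SBS2008 address-book entry use /32 for this single host, and a /24 here would translate the hairpin destination to a whole subnet rather than the server. */
                address 192.168.1.32/32;
            }
            rule-set hairpin_loopback {
                from zone trust;
                rule loopback_destination {
                    match {
                        /* NOTE(review): 95.172.232.69 lies outside the 95.172.227.160-165 range used by static NAT and proxy-arp; verify this is the intended public address for the hairpin. */
                        destination-address 95.172.232.69/32;
                    }
                    then {
                        destination-nat pool hp_lb_sbs2008;
                    }
                }
            }
        }
        static {
            rule-set untrust_in {
                from zone untrust;
                rule snat_dmz_160 {
                    match {
                        destination-address 95.172.227.160/32;
                    }
                    then {
                        static-nat prefix 10.0.0.3/32 routing-instance dmz-vr;
                    }
                }
                rule snat_sbs_227_165 {
                    match {
                        destination-address 95.172.227.165/32;
                    }
                    then {
                        static-nat prefix 192.168.1.32/32;
                    }
                }
            }
        }
        proxy-arp {
            interface pp0.0 {
                address {
                    95.172.227.160/32 to 95.172.227.165/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            /* Intra-zone permit is required for the hairpin_loopback NAT rule-sets above to pass traffic. */
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Only the two published services reach SBS2008 (via static NAT 95.172.227.165); everything else is explicitly denied. */
            policy untrust_to_trust_https {
                match {
                    source-address any;
                    destination-address SBS2008;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy untrust_to_trust_smtp {
                match {
                    source-address any;
                    destination-address SBS2008;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone dmz {
            /* NOTE(review): fe-0/0/7.0 lives in dmz-vr and inet.0 holds only a default route via pp0.0, so trust-sourced traffic to 10.0.0.0/24 may not reach this zone directly; confirm the intended path (possibly via the static-NAT public address). */
            policy trust_to_dmz {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone dmz {
            policy untrust_dmz_http {
                match {
                    source-address any;
                    destination-address DMZSERVER1;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone dmz {
            policy dmz_to_dmz_intra_trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address SBS2008 192.168.1.32/32;
                address SRD2008 192.168.1.12/32;
                address CCTV 192.168.1.2/32;
            }
            /* NOTE(review): system-services all exposes every management daemon (including telnet/xnm-clear-text) to the trust side; restrict to the services actually used. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            /* NOTE(review): http is allowed here although web-management enables only https on internal interfaces, and protocols all admits every routing protocol from the Internet side while only stp is configured; trim both to what is needed. */
            host-inbound-traffic {
                system-services {
                    http;
                    dns;
                    https;
                    ping;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* NOTE(review): tftp is accepted inbound on this and the pt-1/0/0.0 untrust interface; remove unless it is actually used. */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                pt-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                pp0.0;
            }
        }
        security-zone dmz {
            address-book {
                address DMZSERVER1 10.0.0.3/32;
            }
            host-inbound-traffic {
                system-services {
                    https;
                    http;
                    dns;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
        /* NOTE(review): no policy references this zone, so inter-zone traffic for fe-0/0/6.0 falls to the default policy (not shown here; deny on an unmodified SRX) and only the listed host-inbound services are reachable. Confirm this isolation is intentional. */
        security-zone train {
            host-inbound-traffic {
                system-services {
                    dns;
                    http;
                    https;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/6.0;
            }
        }
    }
}
routing-instances {
    dmz-vr {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            static {
                /* Return path for the DMZ: everything not local to dmz-vr is handed to the main table, whose default route is pp0.0. */
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}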