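## Capture: PuTTY log 2012.09.17 13:15:32 -- output of "top show | no-more" on fw1,
## re-indented one statement per line. Review notes are marked "## REVIEW:".
## Last changed: 2012-09-17 13:09:20 CDT
version 10.4R10.7;
system {
    services {
        ## REVIEW: ftp and http are cleartext management services. Both are reachable from
        ## the trust zone, whose only interface (vlan.10) allows host-inbound
        ## system-services all (see security zones below); https is already configured.
        ftp;
        ssh;
        web-management {
            http {
                interface vlan.10;
            }
            https {
                system-generated-certificate;
                interface vlan.10;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description Building_HP_Switch;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-suite-g vlan-phones vlan-printer vlan-suite-a vlan-suite-b vlan-suite-d vlan-suite-m ];
                }
                native-vlan-id 999;
            }
        }
    }
    ge-0/0/1 {
        description EX2200_Internet_Vlan;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-internet vlan-phones ];
                }
            }
        }
    }
    fe-0/0/2 {
        description Midco_Internet_UCT;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    fe-0/0/4 {
        description midco-300f;
        unit 0 {
            family inet {
                address 1.1.1.138/29 {
                    primary;
                    preferred;
                }
                address 1.1.1.139/29;
                address 1.1.1.140/29;
                address 1.1.1.141/29;
                address 1.1.1.142/29;
            }
        }
    }
    fe-0/0/5 {
        description midco-300d;
        unit 0 {
            family inet {
                address 1.1.1.226/29 {
                    primary;
                    preferred;
                }
                address 1.1.1.227/29;
                address 1.1.1.228/29;
                address 1.1.1.229/29;
                address 1.1.1.230/29;
            }
        }
    }
    fe-0/0/6 {
        description midco-300j;
        unit 0 {
            family inet {
                address 1.1.2.202/29 {
                    primary;
                }
                address 1.1.2.203/29;
                address 1.1.2.204/29;
                address 1.1.2.205/29;
            }
            inactive: family ethernet-switching {
                vlan {
                    members vlan-midco300j;
                }
            }
        }
    }
    fe-0/0/7 {
        description midco-300a;
        unit 0 {
            family inet {
                address 1.1.2.218/29 {
                    primary;
                    preferred;
                }
                address 1.1.2.219/29;
                address 1.1.2.220/29;
                address 1.1.2.221/29;
                address 1.1.2.222/29;
            }
            inactive: family ethernet-switching {
                vlan {
                    members vlan-midco300a;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    vlan {
        unit 2 {
            description printer;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.129.2.1/24;
            }
        }
        unit 4 {
            description security;
            family inet {
                inactive: address 192.168.1.1/24;
            }
        }
        unit 5 {
            description Phones;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.5.0.1/24;
            }
        }
        unit 10 {
            description vlan-internet;
            family inet {
                address 10.128.63.1/24;
            }
        }
        unit 60 {
            description untrust;
            family inet {
                address 1.1.3.250/29 {
                    primary;
                    preferred;
                }
                address 1.1.3.251/29;
                address 1.1.3.252/29;
                address 1.1.3.253/29;
                address 1.1.3.254/29;
            }
        }
        unit 100 {
            description suite-a;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                ## REVIEW: a /32 on an L3 VLAN interface creates no connected route for
                ## 192.168.1.0/24, which the suitea address-book and the midco-300a
                ## filter term both reference; confirm this is intentional.
                address 192.168.1.254/32;
            }
        }
        unit 105 {
            description suite-b;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.129.105.1/24;
            }
        }
        unit 115 {
            description suite-d;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.129.115.1/24;
            }
        }
        unit 130 {
            description suite-g;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.129.130.1/24;
            }
        }
        inactive: unit 145 {
            description suite-j;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.129.145.1/24;
            }
        }
        unit 160 {
            description suite-m-storm;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.129.160.1/24;
            }
        }
    }
}
snmp {
    name UCT-FW-01;
    description SRX-210H;
    location UCTCORP;
    contact Nate;
    ## REVIEW: the community name is recorded in this capture; access is limited by the
    ## client list to the two trust-side /24s below.
    community uct {
        clients {
            10.128.66.0/24;
            10.128.64.0/24;
        }
    }
}
routing-options {
    interface-routes {
        ## Interface routes are leaked into every forwarding instance so that
        ## filter-based-forwarding traffic can still reach locally connected VLANs.
        rib-group inet isp-instances;
    }
    static {
        route 10.128.64.0/24 next-hop 10.128.63.254;
        route 10.128.65.0/24 next-hop 10.128.63.254;
        route 10.128.66.0/24 next-hop 10.128.63.254;
        route 10.128.67.0/24 next-hop 10.128.63.254;
        route 10.128.68.0/24 next-hop 10.128.63.254;
        route 10.128.69.0/24 next-hop 10.128.63.254;
        route 0.0.0.0/0 next-hop 1.1.3.249;
    }
    rib-groups {
        isp-instances {
            import-rib [ inet.0 vr-midco-300j.inet.0 vr-midco-300a.inet.0 vr-midco-300d.inet.0 vr-midco-300f.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            ## REVIEW: pools 1_1_3_253, 1_1_2_203, 1_1_2_205 and 1_1_2_206 are not used by
            ## any active rule (1_1_2_204 only by the inactive suitej rule-set); 1.1.2.206
            ## is also not an address on fe-0/0/6. Candidates for cleanup.
            pool 1_1_3_251 {
                address {
                    1.1.3.251/32;
                }
            }
            pool 1_1_3_252 {
                address {
                    1.1.3.252/32;
                }
            }
            pool 1_1_3_253 {
                address {
                    1.1.3.253/32;
                }
            }
            pool 1_1_3_254 {
                address {
                    1.1.3.254/32;
                }
            }
            pool 1_1_2_203 {
                address {
                    1.1.2.203/32;
                }
            }
            pool 1_1_2_204 {
                address {
                    1.1.2.204/32;
                }
            }
            pool 1_1_2_205 {
                address {
                    1.1.2.205/32;
                }
            }
            pool 1_1_2_206 {
                address {
                    1.1.2.206/32;
                }
            }
            pool 1_1_1_139 {
                address {
                    1.1.1.139/32;
                }
            }
            pool 1_1_2_219 {
                address {
                    1.1.2.219/32;
                }
            }
            pool 1_1_1_227 {
                address {
                    1.1.1.227/32;
                }
            }
            pool 1_1_1_228 {
                address {
                    1.1.1.228/32;
                }
            }
            pool 1_1_1_140 {
                address {
                    1.1.1.140/32;
                }
            }
            pool 1_1_2_220 {
                address {
                    1.1.2.220/32;
                }
            }
            ## Rules are matched in order: the /32 host rule must precede the /24 rule.
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule utccw-nat {
                    match {
                        source-address 10.128.66.30/32;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_3_252;
                            }
                        }
                    }
                }
                rule utc-nat {
                    match {
                        source-address 10.128.66.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_3_251;
                            }
                        }
                    }
                }
                rule pbx-nat {
                    match {
                        source-address 10.128.69.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_3_254;
                            }
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            ## The per-suite rule-set names refer to the upstream link (midco-300a/d/f/j)
            ## whose pool address they use; all four links are interfaces of the single
            ## zone midco-300j, which is why every rule-set says "to zone midco-300j".
            inactive: rule-set suitej-to-midco-300j {
                from zone suitej;
                to zone midco-300j;
                rule suitej-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_2_204;
                            }
                        }
                    }
                }
            }
            rule-set suiteg-to-midco-300f {
                from zone suiteg;
                to zone midco-300j;
                rule suiteg-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_1_139;
                            }
                        }
                    }
                }
            }
            rule-set suitea-to-midco-300a {
                from zone suitea;
                to zone midco-300j;
                rule suitea-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_2_219;
                            }
                        }
                    }
                }
            }
            rule-set suiteb-to-midco-300d {
                from zone suiteb;
                to zone midco-300j;
                rule suiteb-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_1_227;
                            }
                        }
                    }
                }
            }
            rule-set suited-to-midco-300d {
                from zone suited;
                to zone midco-300j;
                rule suited-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_1_228;
                            }
                        }
                    }
                }
            }
            rule-set phones-to-midco-300f {
                from zone phones;
                to zone midco-300j;
                rule phones-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_1_140;
                            }
                        }
                    }
                }
            }
            rule-set printer-to-midco-300f {
                from zone printer;
                to zone midco-300j;
                rule printer-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_1_140;
                            }
                        }
                    }
                }
            }
            rule-set suitem-to-midco-300a {
                from zone suitem;
                to zone midco-300j;
                rule suitem-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                1_1_2_220;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool uctsbs {
                address 10.128.64.10/32;
            }
            pool utccw {
                address 10.128.66.30/32;
            }
            pool utcdc {
                address 10.128.66.20/32;
            }
            pool pbx {
                address 10.128.69.100/32;
            }
            rule-set untrust-to-trust {
                from zone untrust;
                rule uctsbs_smtp {
                    match {
                        destination-address 1.1.3.250/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool uctsbs;
                    }
                }
                rule uctsbs_https {
                    match {
                        destination-address 1.1.3.250/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool uctsbs;
                    }
                }
                ## All ports on 1.1.3.254 are translated to the PBX; exposure is limited by
                ## policy "pbx", which only permits the nextiva SIP trunk source.
                rule pbx {
                    match {
                        destination-address 1.1.3.254/32;
                    }
                    then {
                        destination-nat pool pbx;
                    }
                }
                rule cw_rdp {
                    match {
                        destination-address 1.1.3.252/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool utccw;
                    }
                }
                rule utc_http {
                    match {
                        destination-address 1.1.3.251/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool utcdc;
                    }
                }
                rule utc_https {
                    match {
                        destination-address 1.1.3.251/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool utcdc;
                    }
                }
                ## REVIEW: rule CW translates every port on 1.1.3.252 to utccw (making
                ## cw_rdp above redundant) and policy rdp-in permits "application any" from
                ## any source to utccw, so utccw is reachable from the Internet on all
                ## ports. Drop this rule, or restrict rdp-in to its intended source and
                ## application, unless full exposure is intended.
                rule CW {
                    match {
                        destination-address 1.1.3.252/32;
                    }
                    then {
                        destination-nat pool utccw;
                    }
                }
                rule utc_rdp {
                    match {
                        destination-address 1.1.3.251/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool utcdc;
                    }
                }
            }
        }
    }
    screen {
        ## Applied to the untrust and midco-300j zones (the Internet-facing interfaces).
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address uctsbs 10.128.64.10/32;
                address uctnetwork 10.128.64.0/24;
                address utccw 10.128.66.30/32;
                address utcdc 10.128.66.20/32;
                address pbx 10.128.69.100/32;
            }
            ## REVIEW: "all" opens every system service (including ftp/http from
            ## system services) and every routing protocol to the trust side; listing
            ## the services actually needed (ssh, https, ping) would narrow this.
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.10;
            }
        }
        security-zone untrust {
            ## REVIEW: the three connectwise addresses are not referenced by any policy;
            ## they look like the intended sources for rdp-in, which currently uses
            ## source-address any. Confirm and either reference or remove them.
            address-book {
                address connectwise-205_232_23_250-32 205.232.23.250/32;
                address connectwise-70_46_245_126-32 70.46.245.126/32;
                address connectwise-63_145_136_126-32 63.145.136.126/32;
                address nextiva_siptrunk-208_73_146_95-32 208.73.146.95/32;
            }
            screen untrust-screen;
            interfaces {
                vlan.60 {
                    host-inbound-traffic {
                        system-services {
                            inactive: ike;
                            ping;
                            inactive: ssh;
                        }
                    }
                }
            }
        }
        security-zone midco-300j {
            address-book {
                address email_sdmha_com 207.97.245.100/32;
                address smtp_midco 24.220.0.78/32;
            }
            screen untrust-screen;
            interfaces {
                inactive: vlan.202 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                fe-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                fe-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        inactive: security-zone suitej {
            interfaces {
                vlan.145 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone printer {
            address-book {
                address 10_129_2_10 10.129.2.10/32;
            }
            interfaces {
                vlan.2 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone phones {
            address-book {
                address voicemail-10_5_0_7 10.5.0.7/32;
            }
            interfaces {
                vlan.5 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone security;
        security-zone suiteg {
            address-book {
                address 10_129_130_0 10.129.130.0/24;
            }
            interfaces {
                vlan.130 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone suitea {
            address-book {
                ## Note: the name says 10.129.100.0 but the prefix is 192.168.1.0/24.
                address 10_129_100_0 192.168.1.0/24;
            }
            interfaces {
                vlan.100 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone suiteb {
            address-book {
                address 10_129_105_0 10.129.105.0/24;
                address 10_129_105_25 10.129.105.25/32;
            }
            interfaces {
                vlan.105 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone suited {
            address-book {
                address 10_129_115_0 10.129.115.0/24;
            }
            interfaces {
                vlan.115 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone suitem {
            address-book {
                address 10_129_160_0 10.129.160.0/24;
            }
            interfaces {
                vlan.160 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            dhcp;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            ## Only the mail server may send SMTP out; everything else from trust is
            ## permitted by the catch-all below.
            policy mail-out {
                match {
                    source-address uctsbs;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy smtp-deny {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    deny;
                    count;
                }
            }
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy mailservices-in {
                match {
                    source-address any;
                    destination-address uctsbs;
                    application junos-smtp;
                }
                then {
                    permit;
                    count;
                }
            }
            policy http-in {
                match {
                    source-address any;
                    destination-address [ uctsbs utcdc utccw ];
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                    count;
                }
            }
            policy pbx {
                match {
                    source-address nextiva_siptrunk-208_73_146_95-32;
                    destination-address pbx;
                    application any;
                }
                then {
                    permit;
                }
            }
            ## REVIEW: "application any" from "source-address any". For utcdc the
            ## destination-NAT rules limit this to ports 80/443/3389, but for utccw the
            ## CW NAT rule forwards every port. Consider matching the custom "rdp"
            ## application (defined under applications) and the connectwise sources.
            policy rdp-in {
                match {
                    source-address any;
                    destination-address [ utccw utcdc ];
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
            policy default_deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    count;
                }
            }
        }
        inactive: from-zone suitej to-zone midco-300j {
            policy smtp-deny {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    deny;
                    count;
                }
            }
            policy suitej-to-midco-300j {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suiteg to-zone midco-300j {
            policy smtp-permit {
                match {
                    source-address any;
                    destination-address email_sdmha_com;
                    application junos-smtp;
                }
                then {
                    permit;
                    count;
                }
            }
            policy smtp-deny {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    deny;
                    count;
                }
            }
            policy suiteg-to-midco-300f {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone suiteg to-zone printer {
            policy g-printer {
                match {
                    source-address 10_129_130_0;
                    destination-address 10_129_2_10;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suitea to-zone printer {
            policy a-printer {
                match {
                    source-address 10_129_100_0;
                    destination-address 10_129_2_10;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suitea to-zone midco-300j {
            policy smtp-deny {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    deny;
                    count;
                }
            }
            policy suitea-to-midco-300a {
                match {
                    source-address 10_129_100_0;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suiteb to-zone midco-300j {
            policy smtp-deny {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    deny;
                    count;
                }
            }
            policy suiteb-to-midco-300d {
                match {
                    source-address 10_129_105_0;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suiteb to-zone printer {
            policy b-printer {
                match {
                    source-address 10_129_105_0;
                    destination-address 10_129_2_10;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suited to-zone midco-300j {
            policy smtp-midco {
                match {
                    source-address any;
                    destination-address smtp_midco;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy smtp-deny {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    deny;
                    count;
                }
            }
            policy suited-to-midco-300d {
                match {
                    source-address 10_129_115_0;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suited to-zone printer {
            policy d-printer {
                match {
                    source-address 10_129_115_0;
                    destination-address 10_129_2_10;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suitea to-zone suiteb {
            policy innovative_to_rod {
                match {
                    source-address 10_129_100_0;
                    destination-address 10_129_105_25;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone phones to-zone midco-300j {
            policy voicemail-to-midco-300f {
                match {
                    source-address voicemail-10_5_0_7;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        ## REVIEW: this permits any traffic entering on the ISP-facing midco-300j
        ## interfaces toward the untrust zone. No destination-NAT rule-set is defined
        ## from zone midco-300j, so the intent is unclear; confirm it is not a
        ## mis-typed from-zone (the suite zones carry the same policy name below).
        from-zone midco-300j to-zone untrust {
            policy offices-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## REVIEW: suiteb is the only suite with an any/any policy to untrust, and it
        ## lacks the smtp-deny the other suite policies carry; confirm this is wanted.
        from-zone suiteb to-zone untrust {
            policy offices-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone printer to-zone midco-300j {
            policy copier-to-midco-300f {
                match {
                    source-address 10_129_2_10;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone printer {
            policy uct-to-printer {
                match {
                    source-address uctnetwork;
                    destination-address 10_129_2_10;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suiteb to-zone phones {
            policy B-Phones {
                match {
                    source-address any;
                    destination-address voicemail-10_5_0_7;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suiteb to-zone suitea {
            policy rod_to_innovative {
                match {
                    source-address 10_129_105_25;
                    destination-address 10_129_100_0;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone suitem to-zone midco-300j {
            policy smtp-midco {
                match {
                    source-address any;
                    destination-address smtp_midco;
                    application junos-smtp;
                }
                then {
                    permit;
                    count;
                }
            }
            policy smtp-deny {
                match {
                    source-address any;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    deny;
                    count;
                }
            }
            policy suitem-to-midco-300a {
                match {
                    source-address 10_129_160_0;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
}
firewall {
    family inet {
        ## Steers each suite's traffic into the forwarding instance of its own ISP link.
        ## Terms are evaluated in order: a source listed in a midco-300x term never
        ## reaches term uct, and anything else not destined to 1.1.3.248/29 is discarded.
        filter filter-based-forwarding {
            term midco-300j {
                from {
                    source-address {
                        10.129.145.0/24;
                    }
                }
                then {
                    routing-instance vr-midco-300j;
                }
            }
            term midco-300f {
                from {
                    source-address {
                        10.129.130.0/24;
                        10.5.0.0/24;
                        10.129.2.10/32;
                    }
                }
                then {
                    routing-instance vr-midco-300f;
                }
            }
            term midco-300d {
                from {
                    source-address {
                        10.129.105.0/24;
                        10.129.115.0/24;
                    }
                }
                then {
                    routing-instance vr-midco-300d;
                }
            }
            term midco-300a {
                from {
                    source-address {
                        10.129.100.0/24;
                        192.168.1.0/24;
                        10.129.160.0/24;
                    }
                }
                then {
                    routing-instance vr-midco-300a;
                }
            }
            term uct {
                from {
                    destination-address {
                        1.1.3.248/29;
                    }
                }
                then accept;
            }
            term default {
                then {
                    discard;
                }
            }
        }
    }
}
routing-instances {
    vr-midco-300a {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.2.217;
            }
        }
    }
    vr-midco-300d {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.225;
            }
        }
    }
    vr-midco-300f {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.137;
            }
        }
    }
    vr-midco-300j {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.2.201;
            }
        }
    }
}
applications {
    ## Fixed: the original matched "source-port 3389", which never matches a client
    ## connecting to an RDP server (clients use ephemeral source ports) and would have
    ## made the policy useless for inbound RDP. The application is currently
    ## unreferenced; policy rdp-in uses "application any" instead.
    application rdp {
        protocol tcp;
        destination-port 3389;
    }
}
vlans {
    vlan-internet {
        vlan-id 10;
        l3-interface vlan.10;
    }
    vlan-null {
        vlan-id 999;
    }
    vlan-phones {
        vlan-id 5;
        l3-interface vlan.5;
    }
    vlan-printer {
        vlan-id 2;
        l3-interface vlan.2;
    }
    ## Not carried on any trunk and has no L3 interface; appears unused.
    vlan-publicwifi {
        vlan-id 3;
    }
    vlan-security {
        vlan-id 4;
        l3-interface vlan.4;
    }
    vlan-suite-a {
        vlan-id 100;
        l3-interface vlan.100;
    }
    vlan-suite-b {
        vlan-id 105;
        l3-interface vlan.105;
    }
    vlan-suite-d {
        vlan-id 115;
        l3-interface vlan.115;
    }
    vlan-suite-g {
        vlan-id 130;
        l3-interface vlan.130;
    }
    inactive: vlan-suite-j {
        vlan-id 145;
        l3-interface vlan.145;
    }
    vlan-suite-m {
        description Suite_M_Storm;
        vlan-id 160;
        l3-interface vlan.160;
    }
    vlan-untrust {
        vlan-id 60;
        l3-interface vlan.60;
    }
}
## Capture ended at the prompt "[edit routing-instances] root@fw1#": the session was
## a root login in configuration mode. A named administrator account would give an
## attributable audit trail for commits.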