SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX110 Configuration for multiple public IP addresses

  • 1.  SRX110 Configuration for multiple public IP addresses

    Posted 07-11-2014 03:21

    Hi everyone - I recently purchased an SRX110 for my workplace to meet the security policies of our clients (they require us to have an EAL4-compliant firewall / router listed here https://www.icsalabs.com/), and because our current Draytek Vigor 2930 does not allow us to route multiple public IP addresses (we have two Polycom videoconference solutions - only 1 is working at present).

     

    I am the IT manager and consider myself competent at networking and IP configuration, having been in IT since the early 90s. I have been reading the manual that came with the device, and this guide (and I know what the command prompt is ;)):

    http://forums.juniper.net/jnet/attachments/jnet/JUNOS/6940/1/junos-security-swconfig-security.pdf

     

    I have also been reading this guide:

    https://www.juniper.net/us/en/training/jnbooks/day-one/dynamic-services-series/deploying-srx-series/

     

    So, I now have to replace the Draytek 2930 with the SRX110. I've reached a point where I am happy with the policies and setup, but I need to know if it is possible to:

    1. Have a public IP address for our IIS / Exchange / site-to-site and client VPN (164.*.*.* - 255.255.255.0)
    2. Have a public IP address for our Polycom Group Presence 500 (37.*.*.17 - 255.255.255.252)
    3. Have a public IP address for our Polycom Group Presence 300 (37.*.*.18 - 255.255.255.252)

    We have Internet through EFM, and our supplier in the UK is TalkTalk; they provide all the IP addresses, and they state that the 37.*.*.* IPs should automatically route to us.

     

    With the Draytek we basically had to use two public IP addresses for the Polycom 500 - one at the router under General Setup > Enable IP routing > 2nd IP Address and subnet mask, and one for the device.  Will I have to do similar for the SRX110?

     

    Thanks in advance.

     

    Paul



  • 2.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-11-2014 04:42

    Hi,

     

    Your requirements are not clear.

     

    If an SRX is configured with an IP address, then it can be used for site-to-site VPN and client-to-site VPN.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15745

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14318

     

    You can configure static or destination NAT for your IIS and Exchange servers as per the KB given:

     

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-static-single-address-translation-configuring.html 

     

    If you want your Polycom server to use a certain public IP address while going out, then you can configure a source NAT pool as per this KB:

     

    https://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/example-configuring-source-nat-on-srx-series-services-gateways.html

     

    I would suggest you split your queries specifically for each feature one by one.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 3.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-13-2014 01:51

    Definitely not too clear on what you want, but I think you are asking if you can put all IP addresses on the external interface? If yes, then yes. You can use source NAT as rparthi indicated and DNAT for incoming traffic.



  • 4.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-14-2014 07:37

    Thank you both for the replies - yes sorry if it was a bit of a "brain dump" of the scenario so that you had all the information...

     

    My query was just that I need to have 3 publicly accessible IP addresses.  One of which is within the trusted network - and the other two can be considered untrusted.

     

    I know we had issues trying to get the Polycom 500 to work using NAT, so I just wanted to confirm that using NAT would be the best method to configure the devices, so that I can go to the Polycom reseller or forums when the device doesn't work using NAT (before, the device kept restarting when I had NAT enabled, so clearly something was wrong).

     

    Paul



  • 5.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-20-2014 05:12

    Based on your comments I think you have a public network for the routed connection out and a second public network assigned that is routed into your SRX.

     

    In this case you could create a separate interface and zone for that second public network and then assign the Polycom a direct interface connected to this VLAN and zone.

     

    You can still use IP addresses in this range for NAT on other servers.

     

    For your Polycom NAT option, with Polycom you can use NAT but it does require special configuration on the device, where you need to inform the Polycom software that NAT is in use.  This is because Polycom does insert the IP address into the payload and at some points uses the payload address and not the IP header address when processing the call.  By changing the NAT setting you get the NAT address into the payload.



  • 6.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-30-2014 11:47

    Hi - apologies for the late reply, and thanks again for your responses!

     

    Just trying to get this device live - got further than I got last time.  Have Internet working, and outbound emails - just having trouble getting inbound rules working.  I'm used to the 5GT, Draytek and Symantec 360Rs - but setting up rules on this seems pretty hardcore, have reverted to using CLI as that seems a quicker way to make mistakes ;)

     

    This is what I am trying to commit:


    set interfaces sp-0/0/0 unit 0 family inet address 192.168.0.1/24
    set security zones security-zone trust interfaces sp-0/0/0.0
    set interfaces fe-0/0/7 unit 0 family inet address 164.40.220.122/32
    set security zones security-zone untrust interfaces sp-0/0/0.0
    set security zones security-zone trust address-book address trust-net 192.168.0.0/24
    set security zones security-zone trust address-book address citi-email 192.168.0.2/24
    set applications application FTP protocol tcp
    set applications application FTP destination-port 21
    set applications application SMTP protocol tcp
    set applications application SMTP destination-port 25
    set applications application HTTP protocol tcp
    set applications application HTTP destination-port 80
    set applications application HTTPS protocol tcp
    set applications application HTTPS destination-port 443
    set applications application MAPI protocol tcp
    set applications application MAPI destination-port 135
    set applications application POP3 protocol tcp
    set applications application POP3 destination-port 110
    set applications application POPS protocol tcp
    set applications application POPS destination-port 995
    set applications application TLS protocol tcp
    set applications application TLS destination-port 587
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 21
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 25
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 80
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 443
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 135
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 110
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 995
    set security nat destination pool dnat_192_168_0_2m24 address 192.168.0.2/24 port 587
    set security nat destination rule-set DEST-NAT from zone Internet
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-21 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-21 match destination-port 21
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-21 then destination-nat pool dnat_192_168_0_2m24
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-25 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-25 match destination-port 25
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-25 then destination-nat pool dnat_192_168_0_2m24
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-80 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-80 match destination-port 80
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-80 then destination-nat pool dnat_192_168_0_2m24
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-443 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-443 match destination-port 443
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-443 then destination-nat pool dnat_192_168_0_2m24
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-135 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-135 match destination-port 135
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-135 then destination-nat pool dnat_192_168_0_2m24
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-110 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-110 match destination-port 110
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-110 then destination-nat pool dnat_192_168_0_2m24
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-995 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-995 match destination-port 995
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-995 then destination-nat pool dnat_192_168_0_2m24
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-587 match destination-address 164.40.220.122/30
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-587 match destination-port 587
    set security nat destination rule-set DEST-NAT rule CITI-EMAIL-TCP-587 then destination-nat pool dnat_192_168_0_2m24
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application FTP
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application SMTP
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application HTTP
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application HTTPS
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application IMAP
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application POP3
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application POPS
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match source-address any
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match destination-address CITI-EMAIL
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal match application TLS
    set security policies from-zone Internet to-zone Internal policy Internet-TO-Internal then permit

    But I'm getting this error:

    root@CITI-UK# commit check
    [edit security zones security-zone trust address-book]
      'address citi-email'
        Invalid address entry
    error: configuration check-out failed

     

    Any ideas where I am going wrong?

     

    Thanks in advance.

     

    Paul



  • 7.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-30-2014 12:34

    set security zones security-zone trust address-book address citi-email 192.168.0.2/24

    Correction

    set security zones security-zone trust address-book address citi-email 192.168.0.2/32



  • 8.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-31-2014 10:08

    Thanks lyndidon - that got it!  My understanding was that the subnet was /24 for the server CITI-EMAIL on 255.255.255.0, but I accept my assumption was wrong!

     

    I'm trying to commit just one rule for SMTP port 25 now with the following script, to understand the setup:


    set interfaces sp-0/0/0 unit 0 family inet address 192.168.0.1/24
    set security zones security-zone trust interfaces sp-0/0/0.0
    set interfaces fe-0/0/7 unit 0 family inet address 164.40.220.122/32
    set security zones security-zone ununtrust interfaces fe-0/0/7.0
    set security zones security-zone trust address-book address trust-net 192.168.0.0/24
    set security zones security-zone trust address-book address citi-email 192.168.0.2/32
    set applications application SMTP protocol tcp
    set applications application SMTP destination-port 25
    set security nat destination pool dnat-192_168_0_2m32 address 192.168.0.2/32 port 25
    set security nat destination rule-set dst-nat from zone untrust
    set security nat destination rule-set dst-nat rule rule1 match destination-address 164.40.220.122/32
    set security nat destination rule-set dst-nat rule rule1 match destination-port 25
    set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_0_2m32
    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match source-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address citi-email
    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application SMTP
    set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit

    But get the following message (sorry I'm learning, this is painful!):

    [edit security nat destination rule-set dst-nat from zone]
      'untrust'
        Zone must be defined
    error: commit failed: (statements constraint check failed)

     

    So the problem is with this line, but my assumption was that this creates the security zone - doesn't it?

    set security nat destination rule-set dst-nat from zone untrust

     

    Once I've got the syntax and have done for one I'm sure I'll be ok (until I get to the Polycom setup!).

     

    Paul



  • 9.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 07-31-2014 10:34

    Just a typo :)

     

    set security zones security-zone ununtrust interfaces fe-0/0/7.0

     

    At the top of the hierarchy (just as soon as you log in, or simply enter "top" from wherever in the hierarchy you are)

    replace pattern ununtrust with untrust

    you should be good to go



  • 10.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 08-14-2014 00:51

    Sorry for the delay in my reply - network architecture isn't my main role and was on holiday last week!

     

    Argh I hate it when that happens lol! Thank you for spotting that error, in my defence I think that happened when I did a search and replace in Notepad.  Fresh set of eyes always helps!

     

    Spent some more time with the device last night, got the config committed without an issue - the rules still aren't behaving as I would expect them to:

    • trust > Internet works - I can get to the Internet, send emails, etc
    • Internet > CITI-EMAIL fails - inbound emails do not arrive (MX record points to 164.40.220.122 / 255.255.255.252)
    • CITI-EMAIL - Windows 2008 R2 server with Exchange 2007 on IP 192.168.0.2 / 255.255.255.0
    • Video Conference devices - no rules in this config, was wondering if I could just set up DMZ for each as Polycom guys have said NAT is a no go?

     

    This is my current config:

    ## Last commit: 2014-08-14 02:50:38 GMT by root
    version 12.1X44.5;
    system {
        host-name CITI;
        time-zone GMT;
        root-authentication {
            encrypted-password "$1$2VcJbKXm$zpMDNg7J7WC6QE4s11wSW/"; ## SECRET-DATA
        }
        name-server {
            195.74.128.6;
            195.74.130.12;
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            web-management {
                https {
                    system-generated-certificate;
                    interface fe-0/0/0.0;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.254/24;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 164.40.220.122/30;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 164.40.220.121;
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-Internet {
                    from zone trust;
                    to zone Internet;
                    rule anything {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool 192_168_0_2_443 {
                    address 192.168.0.2/32 port 443;
                }
                pool 192_168_0_2_80 {
                    address 192.168.0.2/32 port 80;
                }
                pool dnat_192_168_0_2m24 {
                    address 192.168.0.2/24 port 587;
                }
                rule-set DEST-NAT {
                    from zone Internet;
                    rule CITI-EMAIL-TCP-21 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 21;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                    rule CITI-EMAIL-TCP-25 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 25;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                    rule CITI-EMAIL-TCP-80 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 80;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                    rule CITI-EMAIL-TCP-443 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 443;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                    rule CITI-EMAIL-TCP-135 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 135;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                    rule CITI-EMAIL-TCP-110 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 110;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                    rule CITI-EMAIL-TCP-995 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 995;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                    rule CITI-EMAIL-TCP-587 {
                        match {
                            destination-address 164.40.220.122/30;
                            destination-port 587;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone trust {
                inactive: policy Web_Server_Internet_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-http junos-https ];
                    }
                    then {
                        permit;
                    }
                }
                policy Internet-to-trust {
                    match {
                        source-address any;
                        destination-address CITI-EMAIL;
                        application [ FTP SMTP HTTP HTTPS MAPI POP3 POPS TLS ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count {
                            alarm per-second-threshold 0 per-minute-threshold 0;
                        }
                    }
                }
            }
            from-zone trust to-zone Internet {
                policy All_trust_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address trust-net 192.168.0.0/24;
                    address CITI-EMAIL 192.168.0.2/32;
                }
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    applications {
        application FTP {
            protocol tcp;
            destination-port 21;
        }
        application SMTP {
            protocol tcp;
            destination-port 25;
        }
        application HTTP {
            protocol tcp;
            destination-port 80;
        }
        application HTTPS {
            protocol tcp;
            destination-port 443;
        }
        application MAPI {
            protocol tcp;
            destination-port 135;
        }
        application POP3 {
            protocol tcp;
            destination-port 110;
        }
        application POPS {
            protocol tcp;
            destination-port 995;
        }
        application TLS {
            protocol tcp;
            destination-port 587;
        }
    }

     

    Thanks again for your help, and sorry for being such a noob on this - finding it really difficult on the SRX110 for some reason, maybe it's because the Draytek Vigor 2930 was so simplistic in comparison...

     

    Paul



  • 11.  RE: SRX110 Configuration for multiple public IP addresses
    Best Answer

    Posted 08-14-2014 02:03


    No worries, we all try to help out where we can, when we can. We will figure out Polycom in a minute. So since you have all these services terminating on the same server, you could actually use two lines instead of 30 :)
    But for now, just remove the port 587 from:

                pool dnat_192_168_0_2m24 {
                    address 192.168.0.2/24 port 587;

    You have 8 rules (we could use one rule with all the port numbers) using the same pool, but all the different ports are being translated to port 587 :)


    So this is the only rule that should work, for the TLS application using that port:

        rule CITI-EMAIL-TCP-587 {
            match {
                destination-address 164.40.220.122/30;
                destination-port 587;
            }

    Once you remove that port they should all work. I also noticed that on the ge-0/0/7 you have not enabled the system-services like http, https, ftp etc. If this works, close this as resolved and open a new one for Polycom, since it was suggested to do something different. Change the subject line to something like "How to make polycom work with SRX". Then you can explain about Polycom. Explain what you have on the inside and what you want to happen. There are features to consider like address persistency, just a number of different features to suit specific situations.
    I am not familiar with the Polycom and how it works but I just read spulukas' comment and it seems like Persistent NAT with junos-stun and junos-persistent-nat using the STUN protocol (client/server architecture) would be exactly what you need for Polycom to work (may need to disable port-overloading explicitly). It was designed for those VoIP solutions that embed the IP/port etc. in the payload data.
    I am pretty sure we have the solution.
    If you have a single connection to the internet on your ge-0/0/7 you can add the IP address for the Polycom to the address on that interface. If I am not mistaken you probably could enable vlan-tagging on that interface and then add a different sub-interface for the Polycoms. I may be wrong on that though.
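    The consolidated form the accepted answer describes (one pool without a port, one rule listing the ports, one policy using an application-set), written out as an added example with the thread's own addresses, zones and application names; it is not any poster's committed configuration. The pool name dnat-citi-email, the rule name CITI-EMAIL-IN and the application-set citi-email-apps are my own, and it publishes only SMTP, HTTPS and submission (587) rather than all eight ports from Paul's earlier rule-set.

```junos
## Added example, not Paul's committed config. Paste in configuration mode
## (or "load set" from a file); lines starting with "#" are ignored.

## 1. Pool with NO port. The original destination port is then preserved, so
##    25 stays 25, 443 stays 443, 587 stays 587. The pool that carried
##    "port 587" rewrote every rule's traffic to 587, which is why only the
##    TLS rule could work.
set security nat destination pool dnat-citi-email address 192.168.0.2/32

## 2. One rule for the whole set of published ports. Match the single public
##    host address (/32) rather than the /30, so the ISP gateway .121 on the
##    same subnet can never be caught by the translation.
set security nat destination rule-set DEST-NAT from zone Internet
set security nat destination rule-set DEST-NAT rule CITI-EMAIL-IN match destination-address 164.40.220.122/32
set security nat destination rule-set DEST-NAT rule CITI-EMAIL-IN match destination-port 25
set security nat destination rule-set DEST-NAT rule CITI-EMAIL-IN match destination-port 443
set security nat destination rule-set DEST-NAT rule CITI-EMAIL-IN match destination-port 587
set security nat destination rule-set DEST-NAT rule CITI-EMAIL-IN then destination-nat pool dnat-citi-email

## 3. Group the custom applications (SMTP, HTTPS, TLS are already defined in
##    Paul's config) so the policy has one entry to maintain. FTP, MAPI (135),
##    POP3 and POP3S from the earlier rule-set are deliberately not in this
##    set; add an application here only when a service really must be
##    reachable from the Internet, and the NAT rule's port list with it.
set applications application-set citi-email-apps application SMTP
set applications application-set citi-email-apps application HTTPS
set applications application-set citi-email-apps application TLS

## 4. Policy. Security policy is evaluated after destination NAT, so the
##    destination-address is the private address-book entry CITI-EMAIL
##    (192.168.0.2/32), not the public 164.40.220.122. Session logging gives
##    a record of every inbound connection the rule admits.
set security policies from-zone Internet to-zone trust policy Internet-to-trust match source-address any
set security policies from-zone Internet to-zone trust policy Internet-to-trust match destination-address CITI-EMAIL
set security policies from-zone Internet to-zone trust policy Internet-to-trust match application citi-email-apps
set security policies from-zone Internet to-zone trust policy Internet-to-trust then permit
set security policies from-zone Internet to-zone trust policy Internet-to-trust then log session-init
set security policies from-zone Internet to-zone trust policy Internet-to-trust then log session-close

commit check
commit

## 5. Verify. While a remote host connects to 164.40.220.122 on port 25 the
##    rule's translation hit counter should increase, and the flow session
##    should show the server side as 192.168.0.2, port 25 unchanged.
run show security nat destination rule all
run show security nat destination pool all
run show security flow session destination-port 25
run show security policies policy-name Internet-to-trust detail
```

    Note that none of this opens the inbound services on the SRX itself; host-inbound-traffic under the Internet zone only governs what the firewall's own management plane accepts, and the zone needs no extra system-services for destination NAT to pass traffic to the Exchange server.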



  • 12.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 08-14-2014 02:52

    Thank you so much for taking the time to reply and explain - much prefer to learn and understand than just be told!

     

    I used the admin interface to make these changes, in case anyone reads this in the future I did this:

    • Configure
    • NAT
    • Destination NAT
    • Second tab Destination NAT Pool
    • dnat_192_168_0_2m24
    • Edit - Removed port number
    • First tab Destination Rule Set
    • Deleted 8 rules
    • Created rule CITI-EMAIL-TCP
    • Destination 164.40.220.122/30
    • Action dnat_192_168_0_2m24
    • Committed

    To add the system-services I did this:

    • Configure
    • Security
    • Zones/Screens
    • Internet
    • Host inbound traffic - Zone
    • Services
    • Added ftp;http;https;ping;tracert;dns;telnet
    • Committed

    This is the configuration now:

    ## Last commit: 2014-08-14 17:36:47 GMT by root
    version 12.1X44.5;
    system {
        host-name CITI;
        time-zone GMT;
        root-authentication {
            encrypted-password "$1$2VcJbKXm$zpMDNg7J7WC6QE4s11wSW/"; ## SECRET-DATA
        }
        name-server {
            195.74.128.6;
            195.74.130.12;
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            web-management {
                https {
                    system-generated-certificate;
                    interface fe-0/0/0.0;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.254/24;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 164.40.220.122/30;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 164.40.220.121;
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-Internet {
                    from zone trust;
                    to zone Internet;
                    rule anything {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool 192_168_0_2_443 {
                    address 192.168.0.2/32 port 443;
                }
                pool 192_168_0_2_80 {
                    address 192.168.0.2/32 port 80;
                }
                pool dnat_192_168_0_2m24 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.2/24;
                }
                rule-set DEST-NAT {
                    from zone Internet;
                    rule CITI-EMAIL-TCP {
                        match {
                            destination-address 164.40.220.122/30;
                        }
                        then {
                            destination-nat pool dnat_192_168_0_2m24;
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone trust {
                inactive: policy Web_Server_Internet_trust {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-http junos-https ];
                    }
                    then {
                        permit;
                    }
                }
                policy Internet-to-trust {
                    match {
                        source-address any;
                        destination-address CITI-EMAIL;
                        application [ FTP SMTP HTTP HTTPS MAPI POP3 POPS TLS ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count {
                            alarm per-second-threshold 0 per-minute-threshold 0;
                        }
                    }
                }
            }
            from-zone trust to-zone Internet {
                policy All_trust_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address trust-net 192.168.0.0/24;
                    address CITI-EMAIL 192.168.0.2/32;
                }
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        ftp;
                        http;
                        https;
                        ping;
                        traceroute;
                        dns;
                        telnet;
                    }
                }
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    applications {
        application FTP {
            protocol tcp;
            destination-port 21;
        }
        application SMTP {
            protocol tcp;
            destination-port 25;
        }
        application HTTP {
            protocol tcp;
            destination-port 80;
        }
        application HTTPS {
            protocol tcp;
            destination-port 443;
        }
        application MAPI {
            protocol tcp;
            destination-port 135;
        }
        application POP3 {
            protocol tcp;
            destination-port 110;
        }
        application POPS {
            protocol tcp;
            destination-port 995;
        }
        application TLS {
            protocol tcp;
            destination-port 587;
        }
    }

     

    Does that look right?

     

    I'm in a live environment and don't want to upset too many users - but I'm going to swap it over in a minute and see if this configuration works for the email and web services.  If it does work then I'll report back and close this thread, and do as suggested and start a new thread to sort the Polycom equipment.

     

    Thanks or Kudos don't really seem enough for all the free consultancy you are giving me? 

     

    Paul
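    A small audit script, added here and not part of the thread or of Junos itself: it parses an excerpt of the configuration posted above (constructed from the posted values, whitespace compacted) and reports which host-inbound system-services on the Internet zone are cleartext protocols, plus what the DNAT rule's destination-address match actually covers once the /30 prefix is masked. The parser and function names are my own, not a Juniper API.

```python
"""Added example (not from the thread): parse the posted Junos config and report what a reviewer checks first."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the config posted above (same values, whitespace compacted).
CONFIG = """
routing-options { static { route 0.0.0.0/0 next-hop 164.40.220.121; } }
security {
    nat { destination {
        pool dnat_192_168_0_2m24 { address 192.168.0.2/24; }
        rule-set DEST-NAT { from zone Internet;
            rule CITI-EMAIL-TCP { match { destination-address 164.40.220.122/30; }
                                  then { destination-nat pool dnat_192_168_0_2m24; } } } } }
    zones { security-zone Internet { host-inbound-traffic {
        system-services { ftp; http; https; ping; traceroute; dns; telnet; } } } }
}
"""

def parse(text):  # Junos curly-brace syntax -> nested dicts; leaf statements map to None
    root = node = {}
    stack, key = [], None
    for tok in filter(None, (t.strip() for t in re.findall(r"[{};]|[^{};]+", re.sub(r"##.*", "", text)))):
        if tok == "{":              # open a child block under the last statement seen
            stack.append(node)
            node = node.setdefault(key, {})
        elif tok == "}":            # close it and return to the parent
            node = stack.pop()
        elif tok == ";":            # leaf statement, e.g. "telnet" or "address 192.168.0.2/24"
            node[key] = None
        else:
            key = tok
    return root

def exposed_cleartext_services(cfg, zone="Internet"):
    """Host-inbound system-services on the zone that carry credentials unencrypted."""
    zone_cfg = cfg["security"]["zones"][f"security-zone {zone}"]
    services = zone_cfg.get("host-inbound-traffic", {}).get("system-services", {})
    return sorted(set(services) & {"telnet", "ftp", "http"})

def dnat_match_scope(cfg, rule_set="DEST-NAT", rule="CITI-EMAIL-TCP"):
    """What the DNAT rule's destination-address match really covers after prefix masking."""
    dnat = cfg["security"]["nat"]["destination"]
    rule_cfg = dnat[f"rule-set {rule_set}"][f"rule {rule}"]
    prefix = next(k for k in rule_cfg["match"] if k.startswith("destination-address ")).split()[1]
    net = ip_network(prefix, strict=False)      # 164.40.220.122/30 -> 164.40.220.120/30
    pool_name = next(iter(rule_cfg["then"])).split()[-1]
    pool_net = ip_network(next(iter(dnat[f"pool {pool_name}"])).split()[1], strict=False)
    gateway = next(k for k in cfg["routing-options"]["static"] if k.startswith("route ")).split()[-1]
    return {"match": str(net), "matched_hosts": net.num_addresses,
            "covers_next_hop": ip_address(gateway) in net, "pool": str(pool_net)}
```

    On the posted values the match resolves to the whole /30 (four addresses, the provider next-hop included) mapped onto a /24 pool, which is worth knowing before deciding whether a /32 match would express the intent more tightly.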

     



  • 13.  RE: SRX110 Configuration for multiple public IP addresses

    Posted 08-14-2014 07:38

    After enabling DHCP on my test computers, this all works great and is now working in a live environment!

     

    Thanks for all your help and sticking with me lyndidon - I will pick up the Polycom devices separately

     

    Paul