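/* Junos SRX configuration for COHO-FW. Six virtual routers (boredge/borint,
   fededge/fedint, w13edge/w13int) sit on VLAN sub-interfaces; two "edge"
   address sets (10.45.16.x in zone 432, 15.45.16.x in zone 433) are published
   on 2.2.2.x through source + static NAT towards zone 429, which carries the
   default route (next-hop 2.2.2.254). Review annotations are prefixed
   NOTE(review); statements changed by this revision say so in place. */
system {
    host-name COHO-FW;
    time-zone America/Los_Angeles;
    root-authentication {
        /* NOTE(review): the hash is in the $1$ (MD5-crypt) format; rotate the
           root password and treat any copy of this file as sensitive while
           the hash is in it. */
        encrypted-password "$1$i9WaCutH$byy.78iHhCqhCjn3OblDt1";
    }
    services {
        ssh {
            /* NOTE(review): direct root login over SSH is permitted. Left
               unchanged so this revision does not alter access to the box;
               the usual hardening is root-login deny plus named accounts. */
            root-login allow;
        }
        /* NOTE(review): telnet and xnm-clear-text carry credentials in the
           clear, and every zone below allows all system-services inbound,
           so they are reachable from every attached network. Left unchanged. */
        telnet;
        xnm-clear-text;
        web-management {
            /* NOTE(review): plain http management is enabled next to https. */
            http;
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* Session logs (RT_FLOW) from the global default-deny-log policy. */
        file policy_session {
            any any;
            user info;
            match RT_FLOW;
            /* NOTE(review): archived session logs are world-readable. */
            archive size 1000k world-readable;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NOTE(review): ntp is enabled but no server statement is configured in
       this file, so the log timestamps above are not tied to a reference
       clock. */
    ntp;
}
interfaces {
    /* NOTE(review): fe-0/0/0.0 is not listed under any security-zone or
       routing-instance in this file; confirm it is meant to be unused. */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 172.24.164.250/24;
            }
        }
    }
    /* Trunk towards the "bor" side: 430/431 -> borint, 432 -> boredge. */
    fe-0/0/1 {
        vlan-tagging;
        unit 430 {
            vlan-id 430;
            family inet {
                address 192.168.10.148/24;
            }
        }
        unit 431 {
            vlan-id 431;
            family inet {
                address 172.25.33.1/24;
            }
        }
        unit 432 {
            vlan-id 432;
            family inet {
                address 10.45.16.1/24;
            }
        }
    }
    /* Outside link (zone 429); NAT pools and proxy-arp live on this unit. */
    fe-0/0/2 {
        vlan-tagging;
        unit 429 {
            vlan-id 429;
            family inet {
                address 2.2.2.1/24;
            }
        }
    }
    /* Trunk towards the "fed" side: 428/434 -> fedint, 433 -> fededge. */
    fe-0/0/3 {
        vlan-tagging;
        unit 428 {
            vlan-id 428;
            family inet {
                address 222.168.10.1/24;
            }
        }
        unit 433 {
            vlan-id 433;
            family inet {
                address 15.45.16.1/24;
            }
        }
        unit 434 {
            vlan-id 434;
            family inet {
                address 182.25.33.1/24;
            }
        }
    }
    /* Switched access ports in vlan-trust, routed through vlan.0. */
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.200.230/24;
            }
        }
    }
}
routing-options {
    /* Direct routes and the default route are leaked into the three edge VRs
       via the all-vrs rib-group, filtered by Outside-Import. */
    interface-routes {
        rib-group inet all-vrs;
    }
    static {
        rib-group all-vrs;
        route 0.0.0.0/0 next-hop 2.2.2.254;
    }
    rib-groups {
        all-vrs {
            import-rib [ inet.0 boredge.inet.0 fededge.inet.0 w13edge.inet.0 ];
            import-policy Outside-Import;
        }
        /* Reverse direction: each edge VR's interface routes back into inet.0. */
        boredge-to-inet0 {
            import-rib [ boredge.inet.0 inet.0 ];
        }
        fededge-to-inet0 {
            import-rib [ fededge.inet.0 inet.0 ];
        }
        w13edge-to-inet0 {
            import-rib [ w13edge.inet.0 inet.0 ];
        }
    }
}
protocols {
    stp;
}
policy-options {
    /* Only the default route and the outside subnet are leaked into the VRs. */
    prefix-list External-Routes {
        0.0.0.0/0;
        2.2.2.0/24;
    }
    policy-statement Outside-Import {
        term 1 {
            from {
                prefix-list-filter External-Routes exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
}
security {
    alg {
        dns disable;
        sip disable;
    }
    flow {
        tcp-session {
            /* NOTE(review): disabling SYN and sequence checks switches off the
               TCP state validation the flow engine normally enforces; keep
               this only while the relayed media traffic actually needs it. */
            no-syn-check;
            no-sequence-check;
        }
    }
    nat {
        inactive: traceoptions {
            file nat;
            flag all;
        }
        /* Source NAT: one /32 public address per edge host. Pool numbering
           follows the zone of the inside host (432x -> 10.45.16.x,
           433x -> 15.45.16.x). */
        source {
            pool 432a {
                address {
                    2.2.2.10/32;
                }
            }
            pool 432b {
                address {
                    2.2.2.20/32;
                }
            }
            pool 432c {
                address {
                    2.2.2.30/32;
                }
            }
            pool 432d {
                address {
                    2.2.2.32/32;
                }
            }
            pool 433a {
                address {
                    2.2.2.40/32;
                }
            }
            pool 433b {
                address {
                    2.2.2.50/32;
                }
            }
            pool 433c {
                address {
                    2.2.2.60/32;
                }
            }
            /* Zone 432 hosts are translated both towards the outside (429)
               and towards the other edge (433); static NAT below undoes it. */
            rule-set 432A {
                from zone 432;
                to zone [ 429 433 ];
                rule a1 {
                    match {
                        source-address 10.45.16.10/32;
                    }
                    then {
                        source-nat {
                            pool {
                                432a;
                            }
                        }
                    }
                }
                rule a2 {
                    match {
                        source-address 10.45.16.20/32;
                    }
                    then {
                        source-nat {
                            pool {
                                432b;
                            }
                        }
                    }
                }
                rule a3 {
                    match {
                        source-address 10.45.16.30/32;
                    }
                    then {
                        source-nat {
                            pool {
                                432c;
                            }
                        }
                    }
                }
                rule a4 {
                    match {
                        source-address 10.45.16.32/32;
                    }
                    then {
                        source-nat {
                            pool {
                                432d;
                            }
                        }
                    }
                }
            }
            rule-set 433A {
                from zone 433;
                to zone [ 429 432 ];
                rule b1 {
                    match {
                        source-address 15.45.16.10/32;
                    }
                    then {
                        source-nat {
                            pool {
                                433a;
                            }
                        }
                    }
                }
                rule b2 {
                    match {
                        source-address 15.45.16.20/32;
                    }
                    then {
                        source-nat {
                            pool {
                                433b;
                            }
                        }
                    }
                }
                rule b3 {
                    match {
                        source-address 15.45.16.30/32;
                    }
                    then {
                        source-nat {
                            pool {
                                433c;
                            }
                        }
                    }
                }
            }
            /* Intra-zone traffic is hidden behind the egress interface. */
            rule-set intra-432 {
                from zone 432;
                to zone 432;
                rule 432intra {
                    match {
                        source-address 10.45.16.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set intra-433 {
                from zone 433;
                to zone 433;
                rule 433intra {
                    match {
                        source-address 15.45.16.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Static NAT: public /32 -> inside host, matched from every zone that
           can originate towards the public addresses. */
        static {
            rule-set 432NAT {
                from zone [ 429 432 433 ];
                rule 432access {
                    match {
                        destination-address 2.2.2.10/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.10/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 432web {
                    match {
                        destination-address 2.2.2.20/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.20/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                /* NOTE(review): the only rule that resolves the inside prefix
                   in boredge rather than default; the other 10.45.16.x rules
                   use default although fe-0/0/1.432 belongs to boredge.
                   Confirm which is intended. */
                rule 432av {
                    match {
                        destination-address 2.2.2.30/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.30/32;
                                routing-instance boredge;
                            }
                        }
                    }
                }
                rule 432RP {
                    match {
                        destination-address 2.2.2.32/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.32/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                /* NOTE(review): the three rules below are named 428* but map
                   to the 15.45.16.x hosts of zone 433 (fededge); names kept
                   as found. */
                rule 428access {
                    match {
                        destination-address 2.2.2.40/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                15.45.16.10/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 428web {
                    match {
                        destination-address 2.2.2.50/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                15.45.16.20/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 428av {
                    match {
                        destination-address 2.2.2.60/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                15.45.16.30/32;
                                routing-instance default;
                            }
                        }
                    }
                }
            }
        }
        /* Answer ARP for the whole public range on the outside unit. */
        proxy-arp {
            interface fe-0/0/2.429 {
                address {
                    2.2.2.10/32 to 2.2.2.60/32;
                }
            }
        }
    }
    policies {
        /* Intra-zone and internal zone pairs are fully open; each edge pair
           ends in an explicit DenyAll_* so that the global default-deny-log
           below is reached only by zone pairs with no policies at all. */
        from-zone 430 to-zone 430 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 431 to-zone 431 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 432 to-zone 432 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 429 to-zone 429 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 434 to-zone 434 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 433 to-zone 433 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 431 to-zone 430 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 430 to-zone 431 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Outside -> boredge edge hosts (addresses from zone 432's book). */
        from-zone 429 to-zone 432 {
            policy https-media {
                match {
                    source-address any;
                    destination-address edge_access_edge;
                    application Media-Relay;
                }
                then {
                    permit;
                }
            }
            policy DNS {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5269_429_432 {
                match {
                    source-address any;
                    destination-address edge_access_edge;
                    application TCP5269;
                }
                then {
                    permit;
                }
            }
            policy TCP5061_429_432 {
                match {
                    source-address any;
                    destination-address edge_access_edge;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_429_432 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_429_432 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_429_432 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_429_432 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_429_432 {
                match {
                    source-address any;
                    destination-address [ edge_access_edge edge_webconf_edge edge_av_edge ];
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy ping {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ping;
                }
                then {
                    permit;
                }
            }
            policy reverse {
                match {
                    source-address any;
                    destination-address reverseproxy;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_429_432 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* NOTE(review): the two fedint zones (428, 434) are fully open to
           each other in both directions. */
        from-zone 434 to-zone 428 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 428 to-zone 434 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* boredge edge hosts -> outside. */
        from-zone 432 to-zone 429 {
            policy TCP80_432_429 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_432_429 {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_432_429 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_432_429 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_432_429 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_432_429 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_432_429 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_432_429 {
                match {
                    source-address [ edge_av_edge edge_access_edge reverseproxy ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_432_429 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone 428 to-zone 428 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* fededge edge hosts -> outside. */
        from-zone 433 to-zone 429 {
            policy TCP80_433_429 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_433_429 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_433_429 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_433_429 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_433_429 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_433_429 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_433_429 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_433_429 {
                match {
                    source-address [ fededgeav fededgeaccess ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_433_429 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* Outside -> fededge edge hosts (addresses from zone 433's book).
           Fixed here: an unnamed-style policy DNS that matched exactly the
           same any/any/[dns-udp dns-tcp] tuple as DNS_429_433 was dropped;
           DNS_429_433 keeps the same position and effect. */
        from-zone 429 to-zone 433 {
            policy DNS_429_433 {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5269_429_433 {
                match {
                    source-address any;
                    destination-address fededgeaccess;
                    application TCP5269;
                }
                then {
                    permit;
                }
            }
            policy TCP5061_429_433 {
                match {
                    source-address any;
                    destination-address fededgeaccess;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_429_433 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_429_433 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_429_433 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_429_433 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_429_433 {
                match {
                    source-address any;
                    destination-address [ fededgeaccess fededgeweb fededgeav ];
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_429_433 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* boredge edge hosts -> fededge edge hosts (hairpinned via NAT). */
        from-zone 432 to-zone 433 {
            policy TCP80_432_433 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_432_433 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_432_433 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_432_433 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_432_433 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_432_433 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_432_433 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_432_433 {
                match {
                    source-address [ edge_av_edge edge_access_edge ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_432_433 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* fededge edge hosts -> boredge edge hosts. */
        from-zone 433 to-zone 432 {
            policy TCP80_433_432 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_433_432 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_433_432 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_433_432 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_433_432 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_433_432 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            /* Fixed here: was named UDP3478_433_431 although it sits in the
               433 -> 432 pair; renamed to follow the <proto><port>_<from>_<to>
               pattern. Match and action are unchanged. */
            policy UDP3478_433_432 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_433_432 {
                match {
                    source-address [ fededgeaccess fededgeav ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_433_432 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* Catch-all for every zone pair without its own policies; logs the
           session-init so denied attempts show up in file policy_session. */
        global {
            policy default-deny-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* Fixed here: was permit-all. With the any/any/any global deny above
           this statement is never reached, so deny-all changes nothing today
           but removes the fail-open path if that global policy is ever
           deactivated or narrowed. */
        default-policy {
            deny-all;
        }
    }
    zones {
        /* NOTE(review): every zone allows all system-services and protocols
           inbound, including the zone that holds the outside link (429);
           the clear-text management services enabled under [system services]
           are therefore reachable from each of these networks. Unchanged. */
        security-zone 430 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.430;
            }
        }
        security-zone 431 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.431;
            }
        }
        security-zone 432 {
            address-book {
                address edge_access_edge 10.45.16.10/32;
                address edge_webconf_edge 10.45.16.20/32;
                address edge_av_edge 10.45.16.30/32;
                address reverseproxy 10.45.16.32/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.432;
            }
        }
        /* NOTE(review): zone 429 carries both the outside link (fe-0/0/2.429,
           default-route next-hop side) and vlan.0 with the four switched
           access ports, so those ports share the outside zone. Confirm this
           is intended. EXTDNS is defined but not referenced by any policy. */
        security-zone 429 {
            address-book {
                address EXTDNS 2.2.2.2/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/2.429;
                vlan.0;
            }
        }
        security-zone 428 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.428;
            }
        }
        security-zone 434 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.434;
            }
        }
        security-zone 433 {
            address-book {
                address fededgeaccess 15.45.16.10/32;
                address fededgeweb 15.45.16.20/32;
                address fededgeav 15.45.16.30/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.433;
            }
        }
        /* NOTE(review): zones 30/31/32 have no interfaces and no policies;
           they appear to be placeholders for the w13 VRs below. */
        security-zone 30 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        security-zone 31 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        security-zone 32 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
firewall {
    /* NOTE(review): this filter is not applied to any interface in this file,
       so it has no effect; its name does not describe its contents (it
       rejects traffic to the edge hosts and three 16.1.16.x addresses that
       occur nowhere else in the config). */
    filter Block_to_172.16.1.31 {
        term term1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    10.45.16.10/32;
                    10.45.16.20/32;
                    10.45.16.30/32;
                    15.45.16.10/32;
                    15.45.16.20/32;
                    15.45.16.30/32;
                    16.1.16.11/32;
                    16.1.16.12/32;
                    16.1.16.13/32;
                }
            }
            then {
                reject;
            }
        }
        term term2 {
            then accept;
        }
    }
}
routing-instances {
    boredge {
        instance-type virtual-router;
        interface fe-0/0/1.432;
        routing-options {
            interface-routes {
                rib-group inet boredge-to-inet0;
            }
        }
    }
    /* NOTE(review): the default next-hop 172.25.33.1 is this device's own
       address on fe-0/0/1.431; confirm the intended gateway. Same pattern in
       fedint (182.25.33.1 is fe-0/0/3.434). */
    borint {
        instance-type virtual-router;
        interface fe-0/0/1.430;
        interface fe-0/0/1.431;
        routing-options {
            static {
                route 192.168.0.0/16 next-hop 192.168.10.1;
                route 0.0.0.0/0 next-hop 172.25.33.1;
            }
        }
    }
    fededge {
        instance-type virtual-router;
        interface fe-0/0/3.433;
        routing-options {
            interface-routes {
                rib-group inet fededge-to-inet0;
            }
        }
    }
    fedint {
        instance-type virtual-router;
        interface fe-0/0/3.428;
        interface fe-0/0/3.434;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 182.25.33.1;
            }
        }
    }
    /* NOTE(review): fe-0/0/3.32, .30 and .31 are not defined under
       [interfaces] in this file (fe-0/0/3 only has units 428, 433, 434). */
    w13edge {
        instance-type virtual-router;
        interface fe-0/0/3.32;
        routing-options {
            interface-routes {
                rib-group inet w13edge-to-inet0;
            }
        }
    }
    w13int {
        instance-type virtual-router;
        interface fe-0/0/3.30;
        interface fe-0/0/3.31;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 15.1.15.15;
            }
        }
    }
}
applications {
    application tcp3478 {
        protocol tcp;
        destination-port 3478;
    }
    /* Fixed here: was protocol tcp, which made udp3478 an exact duplicate of
       tcp3478 and left UDP/3478 unmatched by every active UDP3478_* policy. */
    application udp3478 {
        protocol udp;
        destination-port 3478;
    }
    application Media-Relay {
        protocol tcp;
        destination-port 443;
    }
    application Media-Relay50k {
        protocol tcp;
        destination-port 50000-59999;
    }
    /* NOTE(review): test and LyncUDP_SIP are not referenced by any policy. */
    application test {
        application-protocol ignore;
        protocol tcp;
        destination-port 0-65535;
        inactivity-timeout 3600;
    }
    application TCP5269 {
        protocol tcp;
        destination-port 5269;
    }
    /* Fixed here: was protocol tcp, duplicating Media-Relay50k; the active
       UDP50K_* policies now match UDP 50000-59999 as their names state. */
    application UDPMedia_Relay50K {
        protocol udp;
        destination-port 50000-59999;
    }
    application LyncTCP_SIP {
        protocol tcp;
        destination-port 5061;
    }
    application LyncUDP_SIP {
        protocol udp;
        destination-port 5061;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}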