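/* COHO-FW: Junos SRX configuration publishing Lync/SfB edge servers (zones 785 and 789) behind
   per-tenant virtual routers, with zone 786 (fe-0/0/2.786, 2.2.2.0/24, default route) facing outward.
   Review copy: reformatted one statement per line; REVIEW / NOTE(review) comments mark findings.
   The only non-comment changes are the protocol fixes on applications udp3478 and UDPMedia_Relay50K
   under [edit applications]; every other token is as in the original. */
system {
    host-name COHO-FW;
    time-zone America/Los_Angeles;
    root-authentication {
        /* REVIEW: the stored hash uses the $1$ (MD5-crypt) scheme and is readable by anyone holding
           this file. Re-set the root password (so the release re-hashes it with its strongest
           available scheme) and treat the current value as exposed. */
        encrypted-password "$1$i9WaCutH$byy.78iHhCqhCjn3OblDt1";
    }
    services {
        /* REVIEW: root-login allow permits direct root SSH. Because every zone below enables
           host-inbound system-services all, this is reachable from zone 786 (the zone holding the
           default route). Prefer a named admin account plus root-login deny, and restrict SSH to
           the management zone(s). */
        ssh {
            root-login allow;
        }
        /* REVIEW: telnet and xnm-clear-text send credentials in clear text; remove both unless a
           dependency is confirmed, and use ssh / netconf over ssh instead. */
        telnet;
        xnm-clear-text;
        web-management {
            /* REVIEW: plain-http J-Web; keep https only. */
            http;
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        /* REVIEW: world-readable lets every local account read the RT_FLOW session log; drop it
           unless a non-root reader needs the file. No remote syslog host is configured in this
           snippet, so session logs only survive until the 1000k archive rotates — confirm a
           collector exists elsewhere or add one. */
        file policy_session {
            any any;
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NOTE(review): ntp is enabled but no server appears in this snippet; log timestamps depend
       on it — confirm a server is configured. */
    ntp;
}
interfaces {
    /* NOTE(review): fe-0/0/0.0 belongs to no security zone and no routing instance below; on SRX
       an interface outside every zone passes no transit traffic — confirm this is intended. */
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 172.24.164.250/24;
            }
        }
    }
    /* Tenant "bor": .778/.784 are the internal side (borint), .785 is the edge DMZ (boredge). */
    fe-0/0/1 {
        vlan-tagging;
        unit 778 {
            vlan-id 778;
            family inet {
                address 192.168.10.148/24;
            }
        }
        unit 784 {
            vlan-id 784;
            family inet {
                address 172.25.33.1/24;
            }
        }
        unit 785 {
            vlan-id 785;
            family inet {
                address 10.45.16.1/24;
            }
        }
    }
    /* Outward-facing sub-interface: zone 786, next-hop 2.2.2.254 for 0/0, and all NAT pools live here. */
    fe-0/0/2 {
        vlan-tagging;
        unit 786 {
            vlan-id 786;
            family inet {
                address 2.2.2.1/24;
            }
        }
    }
    /* Tenant "fed": .787/.788 are the internal side (fedint), .789 is the edge DMZ (fededge). */
    fe-0/0/3 {
        vlan-tagging;
        unit 787 {
            vlan-id 787;
            family inet {
                address 222.168.10.1/24;
            }
        }
        unit 789 {
            vlan-id 789;
            family inet {
                address 15.45.16.1/24;
            }
        }
        unit 788 {
            vlan-id 788;
            family inet {
                address 182.25.33.1/24;
            }
        }
    }
    /* fe-0/0/4..7: switched access ports in vlan-trust; their L3 interface is vlan.0 (see zone 786 note). */
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.200.230/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet all-vrs;
    }
    static {
        rib-group all-vrs;
        route 0.0.0.0/0 next-hop 2.2.2.254;
    }
    rib-groups {
        /* Leaks inet.0 interface and static routes into the three edge VRs, filtered by
           Outside-Import to the default route and 2.2.2.0/24 only. */
        all-vrs {
            import-rib [ inet.0 boredge.inet.0 fededge.inet.0 w13edge.inet.0 ];
            import-policy Outside-Import;
        }
        /* Reverse direction: each edge VR's interface routes become visible in inet.0. */
        boredge-to-inet0 {
            import-rib [ boredge.inet.0 inet.0 ];
        }
        fededge-to-inet0 {
            import-rib [ fededge.inet.0 inet.0 ];
        }
        w13edge-to-inet0 {
            import-rib [ w13edge.inet.0 inet.0 ];
        }
    }
}
protocols {
    stp;
}
policy-options {
    prefix-list External-Routes {
        0.0.0.0/0;
        2.2.2.0/24;
    }
    policy-statement Outside-Import {
        term 1 {
            from {
                prefix-list-filter External-Routes exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
}
security {
    alg {
        dns disable;
        sip disable;
    }
    flow {
        /* REVIEW: no-syn-check and no-sequence-check switch off the stateful TCP sanity checks for
           every zone pair, including the outward-facing one. If these were added to work around an
           asymmetric path, scope the workaround to that path instead of disabling the checks globally. */
        tcp-session {
            no-syn-check;
            no-sequence-check;
        }
    }
    nat {
        inactive: traceoptions {
            file nat;
            flag all;
        }
        /* NOTE(review): the static NAT rule-set below already maps the same seven hosts one-to-one,
           and static NAT is bidirectional; the per-host source pools and rules a1-a4 / b1-b3 therefore
           look redundant — confirm with traffic captures before removing them. */
        source {
            pool 785a {
                address {
                    2.2.2.10/32;
                }
            }
            pool 785b {
                address {
                    2.2.2.20/32;
                }
            }
            pool 785c {
                address {
                    2.2.2.30/32;
                }
            }
            pool 785d {
                address {
                    2.2.2.32/32;
                }
            }
            pool 789a {
                address {
                    2.2.2.40/32;
                }
            }
            pool 789b {
                address {
                    2.2.2.50/32;
                }
            }
            pool 789c {
                address {
                    2.2.2.60/32;
                }
            }
            rule-set 785A {
                from zone 785;
                to zone [ 786 789 ];
                rule a1 {
                    match {
                        source-address 10.45.16.10/32;
                    }
                    then {
                        source-nat {
                            pool {
                                785a;
                            }
                        }
                    }
                }
                rule a2 {
                    match {
                        source-address 10.45.16.20/32;
                    }
                    then {
                        source-nat {
                            pool {
                                785b;
                            }
                        }
                    }
                }
                rule a3 {
                    match {
                        source-address 10.45.16.30/32;
                    }
                    then {
                        source-nat {
                            pool {
                                785c;
                            }
                        }
                    }
                }
                rule a4 {
                    match {
                        source-address 10.45.16.32/32;
                    }
                    then {
                        source-nat {
                            pool {
                                785d;
                            }
                        }
                    }
                }
            }
            rule-set 789A {
                from zone 789;
                to zone [ 786 785 ];
                rule b1 {
                    match {
                        source-address 15.45.16.10/32;
                    }
                    then {
                        source-nat {
                            pool {
                                789a;
                            }
                        }
                    }
                }
                rule b2 {
                    match {
                        source-address 15.45.16.20/32;
                    }
                    then {
                        source-nat {
                            pool {
                                789b;
                            }
                        }
                    }
                }
                rule b3 {
                    match {
                        source-address 15.45.16.30/32;
                    }
                    then {
                        source-nat {
                            pool {
                                789c;
                            }
                        }
                    }
                }
            }
            /* Intra-zone interface NAT: hairpinned traffic inside each DMZ is sourced from the SRX. */
            rule-set intra-785 {
                from zone 785;
                to zone 785;
                rule 785intra {
                    match {
                        source-address 10.45.16.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set intra-789 {
                from zone 789;
                to zone 789;
                rule 789intra {
                    match {
                        source-address 15.45.16.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            /* NOTE(review): rules 787access/787web/787av translate to 15.45.16.x, which are the zone 789
               (fededge) hosts, not zone 787 — rename for clarity. Also, 785av points at routing-instance
               boredge while the other 10.45.16.x rules say default; both resolve today because
               boredge-to-inet0 leaks the prefix into inet.0, but pick one and make them consistent. */
            rule-set 785NAT {
                from zone [ 786 785 789 ];
                rule 785access {
                    match {
                        destination-address 2.2.2.10/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.10/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 785web {
                    match {
                        destination-address 2.2.2.20/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.20/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 785av {
                    match {
                        destination-address 2.2.2.30/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.30/32;
                                routing-instance boredge;
                            }
                        }
                    }
                }
                rule 785RP {
                    match {
                        destination-address 2.2.2.32/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.45.16.32/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 787access {
                    match {
                        destination-address 2.2.2.40/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                15.45.16.10/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 787web {
                    match {
                        destination-address 2.2.2.50/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                15.45.16.20/32;
                                routing-instance default;
                            }
                        }
                    }
                }
                rule 787av {
                    match {
                        destination-address 2.2.2.60/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                15.45.16.30/32;
                                routing-instance default;
                            }
                        }
                    }
                }
            }
        }
        /* Answers ARP for the whole NAT address range on the outward sub-interface. */
        proxy-arp {
            interface fe-0/0/2.786 {
                address {
                    2.2.2.10/32 to 2.2.2.60/32;
                }
            }
        }
    }
    policies {
        /* REVIEW: intra-zone accept-all policies. Zone 786 contains both fe-0/0/2.786 (outward) and
           vlan.0 (the switched 192.168.200.0/24 LAN), so from-zone 786 to-zone 786 accept-all leaves
           that LAN and the outward side with no policy between them. Move vlan.0 to its own zone. */
        from-zone 778 to-zone 778 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 784 to-zone 784 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 785 to-zone 785 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 786 to-zone 786 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 788 to-zone 788 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 789 to-zone 789 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 784 to-zone 778 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 778 to-zone 784 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound publishing for the "bor" edge. REVIEW: policy DNS and policy ping are any -> any from
           the outward zone; narrow destination-address to the address-book entries the edge actually
           serves, or remove them if the edge does not answer DNS/ICMP. The DenyAll_* policies in every
           zone pair deny without log, so blocked traffic is invisible to syslog while the global
           default-deny-log is never reached — add `log { session-init; }` to each DenyAll_*. */
        from-zone 786 to-zone 785 {
            policy https-media {
                match {
                    source-address any;
                    destination-address edge_access_edge;
                    application Media-Relay;
                }
                then {
                    permit;
                }
            }
            policy DNS {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5269_786_785 {
                match {
                    source-address any;
                    destination-address edge_access_edge;
                    application TCP5269;
                }
                then {
                    permit;
                }
            }
            policy TCP5061_786_785 {
                match {
                    source-address any;
                    destination-address edge_access_edge;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_786_785 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_786_785 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_786_785 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_786_785 {
                match {
                    source-address any;
                    destination-address edge_av_edge;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_786_785 {
                match {
                    source-address any;
                    destination-address [ edge_access_edge edge_webconf_edge edge_av_edge ];
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy ping {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ping;
                }
                then {
                    permit;
                }
            }
            policy reverse {
                match {
                    source-address any;
                    destination-address reverseproxy;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_786_785 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone 788 to-zone 787 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone 787 to-zone 788 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Outbound from the "bor" edge. REVIEW: DNS_UDPTCP53_785_786 is any -> any; zone 786 defines
           EXTDNS (2.2.2.2/32) but nothing references it — restrict outbound DNS to EXTDNS. */
        from-zone 785 to-zone 786 {
            policy TCP80_785_786 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_785_786 {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_785_786 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_785_786 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_785_786 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_785_786 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_785_786 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_785_786 {
                match {
                    source-address [ edge_av_edge edge_access_edge reverseproxy ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_785_786 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone 787 to-zone 787 {
            policy accept-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Outbound from the "fed" edge (source-restricted to the edge hosts, unlike 785 -> 786 DNS). */
        from-zone 789 to-zone 786 {
            policy TCP80_789_786 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_789_786 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_789_786 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_789_786 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_789_786 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_789_786 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_789_786 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_789_786 {
                match {
                    source-address [ fededgeav fededgeaccess ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_789_786 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* Inbound publishing for the "fed" edge. NOTE(review): policy DNS and policy DNS_786_789 are
           identical any -> any DNS permits; keep one, and narrow its destination as for 786 -> 785. */
        from-zone 786 to-zone 789 {
            policy DNS {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy DNS_786_789 {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5269_786_789 {
                match {
                    source-address any;
                    destination-address fededgeaccess;
                    application TCP5269;
                }
                then {
                    permit;
                }
            }
            policy TCP5061_786_789 {
                match {
                    source-address any;
                    destination-address fededgeaccess;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_786_789 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_786_789 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_786_789 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_786_789 {
                match {
                    source-address any;
                    destination-address fededgeav;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_786_789 {
                match {
                    source-address any;
                    destination-address [ fededgeaccess fededgeweb fededgeav ];
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_786_789 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* Edge-to-edge between the two tenants' DMZs. */
        from-zone 785 to-zone 789 {
            policy TCP80_785_789 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_785_789 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_785_789 {
                match {
                    source-address edge_access_edge;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_785_789 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_785_789 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_785_789 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_785_789 {
                match {
                    source-address edge_av_edge;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_785_789 {
                match {
                    source-address [ edge_av_edge edge_access_edge ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_785_789 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* NOTE(review): policy UDP3478_789_784 sits in the 789 -> 785 pair; the suffix should read
           _789_785 like its neighbours (rename only, no behavioural effect). */
        from-zone 789 to-zone 785 {
            policy TCP80_789_785 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy DNS_UDPTCP53_789_785 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy TCP5061_789_785 {
                match {
                    source-address fededgeaccess;
                    destination-address any;
                    application LyncTCP_SIP;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP50K_789_785 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application Media-Relay50k;
                }
                then {
                    permit;
                }
            }
            policy UDP50K_789_785 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application UDPMedia_Relay50K;
                }
                then {
                    permit;
                }
            }
            inactive: policy TCP3478_789_785 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application tcp3478;
                }
                then {
                    permit;
                }
            }
            policy UDP3478_789_784 {
                match {
                    source-address fededgeav;
                    destination-address any;
                    application udp3478;
                }
                then {
                    permit;
                }
            }
            policy TCP443_789_785 {
                match {
                    source-address [ fededgeaccess fededgeav ];
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy DenyAll_789_785 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        /* Catch-all for every zone pair without an explicit policy set (e.g. anything involving
           zones 30/31/32, or 786 -> 778/784/787/788); logs the denied session-init. */
        global {
            policy default-deny-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* REVIEW: permit-all is a fail-open fallback. It is unreachable today only because the
           global policy above matches everything; if that policy is ever deactivated or narrowed,
           unmatched traffic is permitted. Change to deny-all (no behavioural change now). */
        default-policy {
            permit-all;
        }
    }
    zones {
        /* REVIEW: every zone, including outward-facing 786 and the unused 30/31/32, allows
           host-inbound system-services all and protocols all, exposing ssh (root), telnet, http/https
           and xnm-clear-text to any peer that can reach an SRX address. Enumerate the services each
           zone needs (e.g. ssh and ping on the management zone only) and leave the rest closed. */
        security-zone 778 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.778;
            }
        }
        security-zone 784 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.784;
            }
        }
        /* "bor" edge DMZ; these four hosts are the static-NAT targets 2.2.2.10/.20/.30/.32. */
        security-zone 785 {
            address-book {
                address edge_access_edge 10.45.16.10/32;
                address edge_webconf_edge 10.45.16.20/32;
                address edge_av_edge 10.45.16.30/32;
                address reverseproxy 10.45.16.32/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.785;
            }
        }
        /* Outward zone. NOTE(review): EXTDNS is defined but referenced by no policy; vlan.0 (the
           switched trust LAN) shares this zone with the outward sub-interface — see the policies note. */
        security-zone 786 {
            address-book {
                address EXTDNS 2.2.2.2/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/2.786;
                vlan.0;
            }
        }
        security-zone 787 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.787;
            }
        }
        security-zone 788 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.788;
            }
        }
        /* "fed" edge DMZ; these three hosts are the static-NAT targets 2.2.2.40/.50/.60. */
        security-zone 789 {
            address-book {
                address fededgeaccess 15.45.16.10/32;
                address fededgeweb 15.45.16.20/32;
                address fededgeav 15.45.16.30/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.789;
            }
        }
        /* NOTE(review): zones 30/31/32 have no interfaces and no policies; together with the w13edge /
           w13int instances below they look like a half-built third tenant — finish or remove. */
        security-zone 30 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        security-zone 31 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        security-zone 32 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
firewall {
    /* NOTE(review): this filter is not applied to any interface in this snippet (no `filter input`
       under [edit interfaces]), so it has no effect; its name also does not describe its match set,
       and the 16.1.16.x addresses appear nowhere else in the configuration. Apply it where intended
       or remove it. */
    filter Block_to_172.16.1.31 {
        term term1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    10.45.16.10/32;
                    10.45.16.20/32;
                    10.45.16.30/32;
                    15.45.16.10/32;
                    15.45.16.20/32;
                    15.45.16.30/32;
                    16.1.16.11/32;
                    16.1.16.12/32;
                    16.1.16.13/32;
                }
            }
            then {
                reject;
            }
        }
        term term2 {
            then accept;
        }
    }
}
routing-instances {
    /* "bor" tenant: edge VR reaches the outside via the all-vrs leak; internal VR has its own defaults. */
    boredge {
        instance-type virtual-router;
        interface fe-0/0/1.785;
        routing-options {
            interface-routes {
                rib-group inet boredge-to-inet0;
            }
        }
    }
    borint {
        instance-type virtual-router;
        interface fe-0/0/1.778;
        interface fe-0/0/1.784;
        routing-options {
            static {
                route 192.168.0.0/16 next-hop 192.168.10.1;
                route 0.0.0.0/0 next-hop 172.25.33.1;
            }
        }
    }
    /* "fed" tenant, same pattern. */
    fededge {
        instance-type virtual-router;
        interface fe-0/0/3.789;
        routing-options {
            interface-routes {
                rib-group inet fededge-to-inet0;
            }
        }
    }
    fedint {
        instance-type virtual-router;
        interface fe-0/0/3.787;
        interface fe-0/0/3.788;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 182.25.33.1;
            }
        }
    }
    /* NOTE(review): fe-0/0/3.32, .30 and .31 are not defined under [edit interfaces], and the
       15.1.15.15 next-hop is in no configured subnet; these two instances are incomplete. */
    w13edge {
        instance-type virtual-router;
        interface fe-0/0/3.32;
        routing-options {
            interface-routes {
                rib-group inet w13edge-to-inet0;
            }
        }
    }
    w13int {
        instance-type virtual-router;
        interface fe-0/0/3.30;
        interface fe-0/0/3.31;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 15.1.15.15;
            }
        }
    }
}
applications {
    application tcp3478 {
        protocol tcp;
        destination-port 3478;
    }
    /* FIX: was `protocol tcp;`, making udp3478 a duplicate of tcp3478 and leaving the UDP3478_* policies
       (the only active 3478 policies) permitting TCP instead of UDP 3478. Defined as UDP to match the
       name and the inactive TCP twin. Re-test A/V edge STUN after commit. */
    application udp3478 {
        protocol udp;
        destination-port 3478;
    }
    application Media-Relay {
        protocol tcp;
        destination-port 443;
    }
    application Media-Relay50k {
        protocol tcp;
        destination-port 50000-59999;
    }
    /* NOTE(review): `test` (any TCP port, 1h idle timeout) is referenced by no policy; remove so it
       cannot be picked up by mistake. */
    application test {
        application-protocol ignore;
        protocol tcp;
        destination-port 0-65535;
        inactivity-timeout 3600;
    }
    application TCP5269 {
        protocol tcp;
        destination-port 5269;
    }
    /* FIX: was `protocol tcp;`, duplicating Media-Relay50k; the UDP50K_* policies (the only active
       50000-59999 policies) therefore permitted TCP, not UDP media. Defined as UDP to match the name
       and the inactive TCP twin. Re-test A/V media relay after commit. */
    application UDPMedia_Relay50K {
        protocol udp;
        destination-port 50000-59999;
    }
    application LyncTCP_SIP {
        protocol tcp;
        destination-port 5061;
    }
    /* Referenced by no policy in this snippet. */
    application LyncUDP_SIP {
        protocol udp;
        destination-port 5061;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}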