- /* Junos device configuration with flow-based security stanzas (screen, NAT, zones, policies); posted 2012-09-10. */
- /* Every 8x.xx / 8xx.xx token below was redacted by the poster and stands for a public address, not a literal value. */
- ## Last changed: 2012-09-10 12:27:26 UTC
- /* NOTE(review): 12.1R2 is a 2012-era release, long past vendor support; confirm the target platform before reusing any of this text. */
- version 12.1R2.9;
- /* Host identity, local accounts, management services and local syslog files. */
- system {
- host-name gate101;
- domain-name xxxxxxxxx;
- root-authentication {
- /* NOTE(review): "$1$" marks an MD5-crypt hash, a weak format; this hash is exposed on a public paste and should be treated as compromised and rotated. */
- encrypted-password "$1$n/hU9xO6$XDcjEKVvT3KXCPNsDUtmK1";
- }
- login {
- /* Full-privilege (super-user) account; same exposure and hash-format concern as the root password above. */
- user guys {
- uid 2002;
- class super-user;
- authentication {
- encrypted-password "$1$JF6cPLr3$X10sEr/w3m2GMN5JWGMvT/";
- }
- }
- }
- /* Management daemons enabled on the box; which zones may reach them is decided by each zone's host-inbound-traffic below. */
- services {
- ssh;
- /* NOTE(review): telnet and plain http carry credentials in clear; prefer ssh only (with root-login deny) and https for web-management. */
- telnet;
- web-management {
- http;
- }
- }
- syslog {
- /* Screen/IDS events (RT_IDS tag) to a structured-data file; the archives are readable by every local user. */
- file ids {
- any any;
- match RT_IDS;
- archive world-readable;
- structured-data;
- }
- /* Session open/close records (RT_FLOW_SESSION), produced by the policies that log session-init/session-close. */
- file traffic-log {
- any any;
- match RT_FLOW_SESSION;
- }
- }
- }
- /* Physical ports and logical units; the zone each unit belongs to is taken from the security zones stanza further down. */
- interfaces {
- /* Internet-facing port; only unit 826 exists, and it is the UNTRUST zone interface (ge-0/0/0.826). */
- ge-0/0/0 {
- vlan-tagging;
- gigether-options {
- auto-negotiation;
- }
- /* NOTE(review): the proxy-arp stanza under security nat names ge-0/0/0.0, which is not defined here — verify which unit the public range should sit on. */
- unit 826 {
- vlan-id 826;
- family inet {
- address 8x.xx.76.1xx/28;
- }
- }
- }
- /* SETUP zone: out-of-band style management network. */
- ge-0/0/2 {
- unit 0 {
- family inet {
- address 192.168.1.1/24;
- }
- }
- }
- /* VPN_DMZ zone; VPN_Server 10.3.0.192 lives on this subnet. */
- ge-0/0/4 {
- gigether-options {
- no-auto-negotiation;
- }
- unit 0 {
- family inet {
- address 10.3.0.125/24;
- }
- }
- }
- /* Tagged trunk to another switch/router; unit 55 is placed in the LAN zone. */
- ge-0/0/5 {
- description trunkport;
- vlan-tagging;
- gigether-options {
- no-auto-negotiation;
- }
- unit 55 {
- description "Link to Cisc0";
- vlan-id 55;
- family inet {
- address 172.16.2.1/24;
- }
- }
- }
- /* LAN zone; 10.41.0.254 on this subnet is the next-hop for all internal static routes. */
- ge-0/0/6 {
- unit 0 {
- family inet {
- address 10.41.0.125/24;
- }
- }
- }
- /* DMZ zone; the web, mail and DNS servers (10.1.0.x) sit behind this unit. */
- ge-0/0/8 {
- vlan-tagging;
- gigether-options {
- auto-negotiation;
- }
- unit 10 {
- vlan-id 10;
- family inet {
- address 10.1.0.125/24;
- }
- }
- }
- /* LAN zone. NOTE(review): 10.0.0.0/24 is directly connected here yet also appears as a static route via 10.41.0.254; the direct route wins, so that static entry is dead — confirm which is intended. */
- ge-0/0/15 {
- unit 0 {
- family inet {
- address 10.0.0.146/24;
- }
- }
- }
- }
- /* Static routing only: a default route to the (redacted) upstream gateway and four internal prefixes via the LAN router at 10.41.0.254. */
- routing-options {
- static {
- /* Presumably the provider gateway on the ge-0/0/0.826 /28 — address is redacted in the paste. */
- route 0.0.0.0/0 next-hop 82.xx.xx.x30;
- route 10.22.0.0/24 next-hop 10.41.0.254;
- /* NOTE(review): 10.0.0.0/24 is also directly connected on ge-0/0/15.0, which takes precedence over this static route. */
- route 10.0.0.0/24 next-hop 10.41.0.254;
- route 10.2.0.0/24 next-hop 10.41.0.254;
- route 10.20.0.0/24 next-hop 10.41.0.254;
- }
- }
- /* Flow/security configuration: session logging, screen profile, NAT, zone-pair policies and zone definitions. */
- security {
- /* Session logs are emitted through the routing engine's event log (the RT_FLOW_SESSION syslog file) rather than streamed off-box. */
- log {
- mode event;
- }
- application-tracking {
- first-update;
- }
- /* Screen (IDS) profile; bound to the internet-facing zone via "screen UNTRUST" in the zones stanza. */
- screen {
- ids-option UNTRUST {
- icmp {
- ip-sweep threshold 2000;
- fragment;
- large;
- flood threshold 2000;
- ping-death;
- }
- ip {
- spoofing;
- block-frag;
- tear-drop;
- }
- tcp {
- syn-fin;
- fin-no-ack;
- tcp-no-flag;
- syn-frag;
- port-scan threshold 2000;
- syn-ack-ack-proxy threshold 512;
- syn-flood {
- alarm-threshold 512;
- attack-threshold 500;
- source-threshold 4000;
- destination-threshold 4000;
- timeout 20;
- }
- land;
- winnuke;
- }
- udp {
- flood threshold 2000;
- }
- }
- }
- nat {
- /* Outbound source NAT: internal zones toward the internet, translated to the egress interface address. */
- source {
- rule-set Outbound_NAT {
- from zone [ DMZ LAN SETUP VPN_DMZ ];
- to zone UNTRUST;
- rule Outbound_NAT {
- /* NOTE(review): this is the only source-NAT rule in the paste and it matches only 10.55.0.1/24 — no interface address or static route above covers that prefix. */
- /* NOTE(review): the destination-port match also excludes the common outbound services (53, 80, 443, 25), so traffic permitted by Outbound_Allow/LAN_Allow would leave untranslated unless NAT rules outside this paste exist — confirm. */
- match {
- source-address 10.55.0.1/24;
- destination-port 1024 to 65535;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- /* NOTE(review): these destination pools are never referenced by a destination rule-set in this paste; inbound mapping is done by the static NAT rules below, so the pools look like leftovers. */
- /* NOTE(review): pool names do not line up with the DMZ address book either (Inbound_Web_2 -> 10.1.0.138, which the address book calls Web_3; Inbound_Web_3 -> 10.1.0.134, which it calls Web_4). */
- destination {
- pool Inbound_VPN {
- address 10.3.0.192/32 port 1723;
- }
- pool Inbound_DNS {
- address 10.1.0.191/32 port 53;
- }
- pool Inbound_Mail {
- address 10.1.0.163/32 port 25;
- }
- pool Inbound_TLS {
- address 10.1.0.163/32 port 587;
- }
- pool Inbound_Web_1 {
- address 10.1.0.202/32 port 80;
- }
- pool Inbound_SWEB_1 {
- address 10.1.0.202/32 port 443;
- }
- pool Inbound_Web_2 {
- address 10.1.0.138/32 port 80;
- }
- pool Inbound_SWEB_2 {
- address 10.1.0.138/32 port 443;
- }
- pool Inbound_Web_3 {
- address 10.1.0.134/32 port 80;
- }
- pool Inbound_SWEB_3 {
- address 10.1.0.134/32 port 443;
- }
- }
- /* One-to-one static NAT from redacted public addresses to the DMZ/VPN_DMZ hosts. Static NAT covers every port, so the zone policies below are what limit exposure. */
- static {
- rule-set Inbound_NAT {
- from zone UNTRUST;
- rule VPN {
- match {
- destination-address 8x.xx.xx.xxx/32;
- }
- then {
- static-nat prefix 10.3.0.192/32;
- }
- }
- rule DNS {
- match {
- destination-address 8xx.xx.7.1xxx/32;
- }
- then {
- static-nat prefix 10.1.0.191/32;
- }
- }
- rule MAIL {
- match {
- destination-address 8xx.xx.xxx.xx/32;
- }
- then {
- static-nat prefix 10.1.0.163/32;
- }
- }
- /* WEB1..WEB4 map to Web_1..Web_4 in the DMZ address book (10.1.0.202, .198, .138, .134). */
- rule WEB1 {
- match {
- destination-address 8xx.xx.xxx.xx/32;
- }
- then {
- static-nat prefix 10.1.0.202/32;
- }
- }
- rule WEB2 {
- match {
- destination-address 8xx.xx.xxx.xx/32;
- }
- then {
- static-nat prefix 10.1.0.198/32;
- }
- }
- rule WEB3 {
- /* NOTE(review): "/32/32" is not valid prefix syntax; most likely a redaction artifact, but the line as pasted would not commit. Same on WEB4. */
- match {
- destination-address 8xx.xx.xxx.xx/32/32;
- }
- then {
- static-nat prefix 10.1.0.138/32;
- }
- }
- rule WEB4 {
- match {
- destination-address 8xx.xx.xxx.xx/32/32;
- }
- then {
- static-nat prefix 10.1.0.134/32;
- }
- }
- }
- }
- /* Answers ARP for the public addresses used by static NAT. NOTE(review): this names unit 0, but the only unit configured on ge-0/0/0 (and the UNTRUST zone interface) is 826 — verify. */
- proxy-arp {
- interface ge-0/0/0.0 {
- address {
- 8xx.xx.xxx.xx/32 to 8xx.xx.xxx.xx/32;
- 8xx.xx.xxx.xx/32 to 8xx.xx.xxx.xx/32;
- 8xx.xx.xxx.xx/32 to 8xx.xx.xxx.xx/32;
- }
- }
- }
- }
- /* Zone-pair policies, evaluated top-down per pair. No default-policy is set in this paste, so unlisted zone pairs (e.g. LAN<->DMZ, DMZ<->VPN_DMZ) fall to the implicit deny unless policies exist elsewhere. */
- policies {
- from-zone UNTRUST to-zone DMZ {
- /* Every inbound policy in this pair also permits junos-ping, so the published servers answer ICMP echo from the internet; drop it if that is not intended. */
- policy Inbound_Web {
- description "HTTP and HTTPS inbound to Web Servers";
- match {
- source-address any;
- destination-address [ Web_1 Web_2 Web_3 Web_4 ];
- application [ junos-http junos-https junos-ping ];
- }
- then {
- permit;
- log {
- session-init;
- session-close;
- }
- }
- }
- /* "tls" is the custom application defined at the end of the file (tcp/587, SMTP submission). */
- policy Inbound_Mail {
- description "SMTP and TLS inbound to Mail Server";
- match {
- source-address any;
- destination-address MAIL;
- application [ junos-mail tls junos-ping ];
- }
- then {
- permit;
- log {
- session-init;
- session-close;
- }
- }
- }
- policy Inbound_DNS {
- description "DNS inbound to Name Server";
- match {
- source-address any;
- destination-address Name_Server;
- application [ junos-dns-udp junos-dns-tcp junos-ping ];
- }
- then {
- permit;
- log {
- session-init;
- session-close;
- }
- }
- }
- }
- from-zone UNTRUST to-zone VPN_DMZ {
- /* NOTE(review): PPTP/GRE exposed to the internet; PPTP's MS-CHAPv2 authentication is considered broken, an IPsec or TLS-based VPN is the usual replacement. */
- policy Inbound_VPN {
- description "Inbound to VPN Server";
- match {
- source-address any;
- destination-address VPN_Server;
- application [ junos-pptp junos-gre ];
- }
- then {
- permit;
- log {
- session-init;
- session-close;
- }
- }
- }
- }
- from-zone DMZ to-zone UNTRUST {
- /* NOTE(review): unrestricted egress from the DMZ; a compromised published server can reach any internet destination. Limit this to what the servers need (DNS, NTP, updates, outbound SMTP for MAIL) and keep the logging. */
- policy Outbound_Allow {
- description "Allowing all traffic outbound from DMZ to the internet";
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- log {
- session-init;
- session-close;
- }
- }
- }
- }
- from-zone LAN to-zone UNTRUST {
- policy LAN_Allow {
- description "Allowing all traffic outbound from LAN to the internet";
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- log {
- session-init;
- session-close;
- }
- }
- }
- }
- }
- /* Zone definitions. host-inbound-traffic controls which management services the firewall itself accepts from each zone; address books are zone-scoped (older style). */
- zones {
- /* Internet-facing zone: screen profile applied, only ping accepted toward the firewall. */
- security-zone UNTRUST {
- screen UNTRUST;
- host-inbound-traffic {
- system-services {
- ping;
- }
- }
- interfaces {
- ge-0/0/0.826;
- }
- application-tracking;
- }
- security-zone SETUP {
- host-inbound-traffic {
- system-services {
- telnet;
- ssh;
- http;
- ping;
- }
- }
- interfaces {
- ge-0/0/2.0;
- }
- }
- /* NOTE(review): telnet/ssh/http management of the firewall is open from the VPN server's segment and (below) from the DMZ servers' segment; restrict management to SETUP/LAN and to ssh (https if needed). */
- security-zone VPN_DMZ {
- address-book {
- address VPN_Server 10.3.0.192/32;
- }
- host-inbound-traffic {
- system-services {
- telnet;
- ssh;
- http;
- ping;
- }
- }
- interfaces {
- ge-0/0/4.0;
- }
- application-tracking;
- }
- security-zone LAN {
- host-inbound-traffic {
- system-services {
- telnet;
- ssh;
- http;
- ping;
- }
- }
- interfaces {
- ge-0/0/6.0;
- ge-0/0/15.0;
- ge-0/0/5.55;
- }
- application-tracking;
- }
- security-zone DMZ {
- /* Published hosts referenced by the UNTRUST->DMZ policies; these are the static-NAT targets above. */
- address-book {
- address Web_1 10.1.0.202/32;
- address Web_2 10.1.0.198/32;
- address Web_3 10.1.0.138/32;
- address MAIL 10.1.0.163/32;
- address Name_Server 10.1.0.191/32;
- address Web_4 10.1.0.134/32;
- }
- host-inbound-traffic {
- system-services {
- telnet;
- ssh;
- http;
- ping;
- https;
- }
- }
- interfaces {
- ge-0/0/8.10;
- }
- application-tracking;
- }
- }
- }
- /* Custom application used by policy Inbound_Mail: tcp/587 is SMTP submission; the name "tls" is misleading since the port, not the protocol, is matched. */
- applications {
- application tls {
- protocol tcp;
- destination-port 587;
- }
- }