# SRX configuration excerpt: a tunnel interface (st0) terminating a VPN toward
# remote peer 216.3.3.7, with static NAT hiding the local 10.2.2.x hosts behind
# 10.252.253.x toward the tunnel and the remote host 10.12.7.2 behind 10.33.33.2
# locally. Each "# show ..." line names the hierarchy the following stanza
# belongs to; the stanzas are reproduced token for token, only re-indented.

# show interfaces
fe-0/0/0 {
    unit 0 {
        family inet {
            # Public side (zone untrust below); same host as local-vpn-external-address.
            address 65.12.11.30/27;
        }
    }
}
fe-0/0/1 {
    unit 0 {
        family inet {
            # Inside LAN (zone trust below).
            address 10.2.2.1/24;
        }
    }
}
st0 {
    unit 0 {
        family inet {
            # Tunnel interface (zone vpn below).
            address 10.252.253.200/32;
        }
    }
}

# show security address-book global
# Naming convention used by the policies: "-prenat" is the address as seen
# before translation, "-postnat" the real address after translation.
address local-unit-prenat 10.252.253.1/32;
address local-sys-prod-prenat 10.252.253.5/32;
address local-sys-test-prenat 10.252.253.6/32;
address local-unit-postnat 10.2.2.1/32;
address local-sys-prod-postnat 10.2.2.5/32;
address local-sys-test-postnat 10.2.2.6/32;
address local-vpn-external-address 65.12.11.30/32;
address remote-vpn-external-address 216.3.3.7/32;
address remote-private-subnet 10.33.33.2/32;
address remote-sys-prenat 10.12.7.2/32;

# show security nat
static {
    # Traffic arriving from the tunnel: 10.252.253.x -> 10.2.2.x (one-to-one).
    rule-set from-vpn-static-nat {
        from zone vpn;
        rule from-vpn-snat-unit {
            match {
                destination-address 10.252.253.1/32;
            }
            then {
                static-nat {
                    prefix {
                        # 10.2.2.1 is the firewall's own fe-0/0/1 address.
                        10.2.2.1/32;
                    }
                }
            }
        }
        rule from-vpn-snat-sys-prod {
            match {
                destination-address 10.252.253.5/32;
            }
            then {
                static-nat {
                    prefix {
                        10.2.2.5/32;
                    }
                }
            }
        }
        rule from-vpn-snat-sys-test {
            match {
                destination-address 10.252.253.6/32;
            }
            then {
                static-nat {
                    prefix {
                        10.2.2.6/32;
                    }
                }
            }
        }
    }
    # Traffic from the LAN toward the tunnel: 10.33.33.2 -> 10.12.7.2.
    rule-set to-vpn-static-nat {
        from zone trust;
        rule from-trust-snat {
            match {
                destination-address 10.33.33.2/32;
            }
            then {
                static-nat {
                    prefix {
                        10.12.7.2/32;
                    }
                }
            }
        }
    }
}
proxy-arp {
    # Answer for the three pre-NAT addresses on the tunnel interface.
    interface st0.0 {
        address {
            10.252.253.1/32;
            10.252.253.5/32;
            10.252.253.6/32;
        }
    }
}

# show security policies
# NOTE(review): on SRX, static/destination NAT is applied before policy lookup
# and source NAT after it, so a policy is matched against the ORIGINAL source
# but the TRANSLATED destination. The vpn-to-trust policies below match
# destination on the "-prenat" objects (10.252.253.x) and the trust-to-vpn
# policies on remote-private-subnet (10.33.33.2); if sessions in either
# direction land on default-deny, compare the logged destination against the
# "-postnat" objects / remote-sys-prenat instead — confirm on the box before
# changing anything.
from-zone trust to-zone vpn {
    policy trust-to-sys-prod-icmp {
        match {
            source-address local-sys-prod-postnat;
            destination-address remote-private-subnet;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
    policy trust-to-vpn-icmp {
        match {
            source-address local-sys-test-postnat;
            destination-address remote-private-subnet;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
}
from-zone vpn to-zone trust {
    # NOTE(review): none of these permits log; the only session visibility is
    # the session-init log on the global deny. Consider "log { session-close; }"
    # on the permits if inbound tunnel traffic needs to be auditable.
    # Policy names say amqps / amqp-http but test-abc and test-xyz (defined at
    # the bottom) are TCP 671 and 1672 — confirm those ports are intended.
    policy vpn-to-sys-prod-amqps {
        match {
            source-address remote-sys-prenat;
            destination-address local-sys-prod-prenat;
            application test-abc;
        }
        then {
            permit;
        }
    }
    policy vpn-to-sys-test-amqps {
        match {
            source-address remote-sys-prenat;
            destination-address local-sys-test-prenat;
            application test-abc;
        }
        then {
            permit;
        }
    }
    policy vpn-to-sys-prod-amqp-http {
        match {
            source-address remote-sys-prenat;
            destination-address local-sys-prod-prenat;
            application test-xyz;
        }
        then {
            permit;
        }
    }
    policy vpn-to-sys-test-amqp-http {
        match {
            source-address remote-sys-prenat;
            destination-address local-sys-test-prenat;
            application test-xyz;
        }
        then {
            permit;
        }
    }
    policy vpn-to-unit-icmp {
        match {
            source-address remote-sys-prenat;
            destination-address local-unit-prenat;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
    policy vpn-to-sys-prod-icmp {
        match {
            source-address remote-sys-prenat;
            destination-address local-sys-prod-prenat;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
    policy vpn-to-sys-test-icmp {
        match {
            source-address remote-sys-prenat;
            destination-address local-sys-test-prenat;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
}
global {
    # Explicit catch-all deny with logging, so dropped sessions are visible;
    # default-policy deny-all below covers anything the global policy misses.
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
default-policy {
    deny-all;
}

# show security zones
security-zone trust {
    interfaces {
        fe-0/0/1.0 {
            host-inbound-traffic {
                # Device management (ssh) and ping accepted from the LAN.
                system-services {
                    ssh;
                    ping;
                }
            }
        }
    }
}
security-zone untrust {
    screen untrust-screen;
    interfaces {
        fe-0/0/0.0 {
            host-inbound-traffic {
                # Only IKE is accepted on the public interface.
                system-services {
                    ike;
                }
            }
        }
    }
}
security-zone vpn {
    interfaces {
        st0.0 {
            host-inbound-traffic {
                # NOTE(review): ssh to the firewall itself is reachable from the
                # remote site through the tunnel — confirm this is intended
                # rather than only ping.
                system-services {
                    ssh;
                    ping;
                }
            }
        }
    }
}

# security applications referenced by the vpn-to-trust policies
application test-abc {
    protocol tcp;
    destination-port 671;
}
application test-xyz {
    protocol tcp;
    destination-port 1672;
}