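# Junos SRX "security" stanza, reformatted from one collapsed line into the
# canonical hierarchical form (the brace/semicolon structure is unchanged in
# meaning). The ike and ipsec bodies were already stripped from this excerpt.
#
# Review changes are marked "CHANGED:" inline. Summary:
#   1. policies default-policy: permit-all -> deny-all. permit-all silently
#      allowed every zone pair that has no explicit policy (GUEST-ZONE ->
#      SCADA-ZONE, GUEST-ZONE -> COMPANY-ZONE, INTERNET -> DMZ-ZONE /
#      GUEST-ZONE, ...). The implicit flows that are evidenced by NAT rules or
#      DNAT pools get explicit policies below; any other flow that relied on
#      permit-all (e.g. COMPANY-ZONE -> SCADA-ZONE, DMZ-ZONE -> COMPANY-ZONE)
#      now needs a deliberate policy. Roll out with "commit confirmed" and
#      watch "show security flow session" and the policy logs.
#   2. Three source-NAT rule-sets had a /32 rule placed after a catch-all rule
#      that also matched it; rules are evaluated in order, so the /32 rules
#      never fired. Reordered: COMPANY-NAT-INTERNET, DMZ-NAT-INTERNET,
#      GUEST-NAT-INTERNET.
#   3. GUEST-NAT-RULE now uses the previously unused NAT-GUEST pool instead of
#      sharing the weather server's public address; 9.9.9.104 is added to
#      proxy-arp so replies to it are answered.
#   4. LAN-NAT-GUEST no longer also claims DMZ-ZONE, which LAN-NAT-DMZ already
#      covers with an identical rule.
#   5. Session logging added on Internet-facing and SCADA-facing policies.
security {
    ike {
        # removed for brevity
    }
    ipsec {
        # removed for brevity
    }
    dynamic-vpn {
        access-profile JSC-AUTH-LDAP;
        clients {
            all {
                # Only the protected prefixes are sent into the tunnel; the
                # exceptions (everything else, including the 9.9.9.0/24 public
                # range) go straight out of the client's local Internet link,
                # i.e. this is a split-tunnel configuration.
                # NOTE(review): 172.18.0.0/23 is only half of the 172.18.0.0/22
                # that the COMPANY-ZONE NAT rules use - confirm whether VPN
                # clients are meant to be unable to reach the upper /23.
                remote-protected-resources {
                    10.0.0.0/8;
                    172.18.0.0/23;
                }
                remote-exceptions {
                    0.0.0.0/0;
                    9.9.9.0/24;
                }
                ipsec-vpn JSC-IPSEC-VPN;
                user {
                    client2;
                    client3;
                }
            }
        }
    }
    remote-access {
        profile COMPANY-REMOTE1 {
            ipsec-vpn JSC-IPSEC-VPN;
            access-profile JSC-AUTH-LDAP;
            client-config JSC-RA-CLIENT;
        }
        client-config JSC-RA-CLIENT {
            connection-mode manual;
            # Peer declared dead after 5 missed probes at 60 s => ~5 minutes.
            dead-peer-detection {
                interval 60;
                threshold 5;
            }
        }
        default-profile COMPANY-REMOTE1;
    }
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        ids-option INTERNET-SCREEN {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
        # NOTE(review): much thinner than INTERNET-SCREEN. Zone-to-screen
        # bindings live under "security zones" (not in this excerpt); if this
        # profile is the one bound to the Internet-facing zone, bring it up to
        # the INTERNET-SCREEN level.
        ids-option untrust-screen {
            tcp {
                syn-flood;
            }
        }
    }
    nat {
        source {
            # One public /32 per pool. 9.9.9.4 (OFFICEIP) doubles as the DNAT
            # target for the port-2022 forward in rule-set DNAT-JIM below.
            pool OFFICEIP {
                address {
                    9.9.9.4/32;
                }
            }
            pool NAT-WEATHER-LINUX {
                address {
                    9.9.9.105/32;
                }
            }
            pool NAT-OUTAGES {
                address {
                    9.9.9.40/32;
                }
            }
            pool NAT-METERS {
                address {
                    9.9.9.26/32;
                }
            }
            pool NAT-GUEST {
                address {
                    9.9.9.104/32;
                }
            }
            interface {
                port-overloading off;
            }
            rule-set COMPANY-NAT-INTERNET {
                from zone COMPANY-ZONE;
                to zone INTERNET;
                # CHANGED: the /32 meter rule now precedes the /22 catch-all.
                # With the original order the meter servers were translated to
                # OFFICEIP and never to NAT-METERS.
                rule COMPANY-NAT-METER {
                    match {
                        source-address [ 172.18.0.162/32 172.18.0.161/32 ];
                    }
                    then {
                        source-nat {
                            pool {
                                NAT-METERS;
                            }
                        }
                    }
                }
                rule COMPANY-NAT-RULE {
                    match {
                        source-address 172.18.0.0/22;
                    }
                    then {
                        source-nat {
                            pool {
                                OFFICEIP;
                                # target-host: only the external host the
                                # client talked to may initiate back through
                                # the mapping, for 30 min after last traffic.
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
            # NOTE(review): SCADA hosts are given general Internet egress
            # here (see policy SCADA-to-INTERNET). Typically only a few
            # update/NTP/vendor endpoints are needed; see the policy note.
            rule-set SCADA-NAT-INTERNET {
                from zone SCADA-ZONE;
                to zone INTERNET;
                rule SCADA-NAT-RULE {
                    match {
                        source-address 192.168.0.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                OFFICEIP;
                            }
                        }
                    }
                }
            }
            rule-set REPLICATION-NAT-INTERNET {
                from zone REPLICATION-ZONE;
                to zone INTERNET;
                rule REPLICATION-NAT-RULE {
                    match {
                        source-address 10.254.253.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                OFFICEIP;
                            }
                        }
                    }
                }
            }
            rule-set COMPANY-NAT-REPLICATION {
                from zone COMPANY-ZONE;
                to zone REPLICATION-ZONE;
                rule COMPANY-NAT-REPL-RULE {
                    match {
                        source-address 172.18.0.0/22;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
            rule-set DMZ-NAT-INTERNET {
                from zone DMZ-ZONE;
                to zone INTERNET;
                # CHANGED: /32 rule moved ahead of the /24 rule that shadowed
                # it, so the outages host really egresses as 9.9.9.40.
                rule DMZ-NAT-OUTAGES {
                    match {
                        source-address 192.168.254.4/32;
                    }
                    then {
                        source-nat {
                            pool {
                                NAT-OUTAGES;
                            }
                        }
                    }
                }
                rule DMZ-NAT-RULE {
                    match {
                        source-address 192.168.254.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                OFFICEIP;
                            }
                        }
                    }
                }
            }
            rule-set COMPANY-NAT-DMZ {
                from zone COMPANY-ZONE;
                to zone DMZ-ZONE;
                rule COMPANY-NAT-DMZ-RULE {
                    match {
                        source-address 172.18.0.0/22;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
            rule-set GUEST-NAT-INTERNET {
                from zone GUEST-ZONE;
                to zone INTERNET;
                # CHANGED: the weather host's /32 rule was shadowed by the /24
                # rule and both pointed at NAT-WEATHER-LINUX, so every guest
                # client shared the weather server's public address while the
                # NAT-GUEST pool sat unused. Order swapped and guests moved to
                # NAT-GUEST (intent inferred from the names - confirm, and
                # confirm 9.9.9.104 is routed to this firewall).
                rule GUEST-NAT-WEATHERLINUX {
                    match {
                        source-address 192.168.104.246/32;
                    }
                    then {
                        source-nat {
                            pool {
                                NAT-WEATHER-LINUX;
                            }
                        }
                    }
                }
                rule GUEST-NAT-RULE {
                    match {
                        source-address 192.168.104.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                NAT-GUEST;
                            }
                        }
                    }
                }
            }
            rule-set LAN-NAT-DMZ {
                from zone SEEI-21-ZONE;
                to zone DMZ-ZONE;
                rule LAN-NAT-DMZ {
                    match {
                        source-address 10.9.21.0/24;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
            # CHANGED: dropped DMZ-ZONE from the "to" list; LAN-NAT-DMZ above
            # already applies the identical interface NAT for that pair, so
            # the two rule-sets overlapped.
            rule-set LAN-NAT-GUEST {
                from zone SEEI-21-ZONE;
                to zone GUEST-ZONE;
                rule LAN-NAT-GUEST {
                    match {
                        source-address 10.9.21.0/24;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
            # VPN users (JSC-ZONE) are hidden behind the egress interface
            # address towards each internal zone, so internal hosts never see
            # the VPN pool addresses.
            rule-set JSC-NAT-COMPANY {
                from zone JSC-ZONE;
                to zone COMPANY-ZONE;
                rule JSC-NAT-COMPANY-RULE {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
            rule-set JSC-NAT-REPL {
                from zone JSC-ZONE;
                to zone REPLICATION-ZONE;
                rule JSC-NAT-REPL-RULE {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
            rule-set JSC-NAT-SCADA {
                from zone JSC-ZONE;
                to zone SCADA-ZONE;
                rule JSC-NAT-SCADA-RULE {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 1800;
                                }
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool TEST_2022 {
                address 172.18.0.99/32 port 2022;
            }
            pool CUSTOMERPORTAL_HTTPS {
                address 192.168.254.10/32 port 443;
            }
            pool CUSTOMERPORTAL_WWW {
                address 192.168.254.10/32 port 80;
            }
            pool WEATHER_LINUX {
                address 192.168.104.246/32 port 80;
            }
            pool OUTAGES_HTTPS {
                address 192.168.254.4/32 port 443;
            }
            pool OUTAGES_WWW {
                address 192.168.254.4/32 port 80;
            }
            # No port in these two pools: the original destination port is
            # kept after translation.
            pool METER_162 {
                address 172.18.0.162/32;
            }
            pool METER_161 {
                address 172.18.0.161/32;
            }
            rule-set DNAT-JIM {
                from zone INTERNET;
                # Forwards 9.9.9.4:2022 to an internal desktop; gated by policy
                # TEST_ACCESS below.
                rule DNAT-JIM-2022-R {
                    match {
                        destination-address 9.9.9.4/32;
                        destination-port {
                            2022;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                TEST_2022;
                            }
                        }
                    }
                }
                rule DNAT-CUSTOMERPORTAL_HTTPS-R {
                    match {
                        destination-address 9.9.9.58/32;
                        destination-port {
                            443;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                CUSTOMERPORTAL_HTTPS;
                            }
                        }
                    }
                }
                rule DNAT-CUSTOMERPORTAL_WWW-R {
                    match {
                        destination-address 9.9.9.58/32;
                        destination-port {
                            80;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                CUSTOMERPORTAL_WWW;
                            }
                        }
                    }
                }
                rule DNAT-WEATHER-LINUX-WWW {
                    match {
                        destination-address 9.9.9.105/32;
                        destination-port {
                            80;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                WEATHER_LINUX;
                            }
                        }
                    }
                }
                rule DNAT-OUTAGES-HTTPS {
                    match {
                        destination-address 9.9.9.40/32;
                        destination-port {
                            443;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                OUTAGES_HTTPS;
                            }
                        }
                    }
                }
                rule DNAT-OUTAGES-WWW {
                    match {
                        destination-address 9.9.9.40/32;
                        destination-port {
                            80;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                OUTAGES_WWW;
                            }
                        }
                    }
                }
                # NOTE(review): this rule forwards port 2449, but policy
                # METER_SERVER_162 permits application TCP-2249. Unless
                # TCP-2249 is defined as port 2449 under "applications" (not in
                # this excerpt), one of the two is a typo and the translated
                # flow falls through to COMPANY_DENY_ACCESS.
                rule DNAT-METER-162-2449 {
                    match {
                        destination-address 9.9.9.26/32;
                        destination-port {
                            2449;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                METER_162;
                            }
                        }
                    }
                }
                rule DNAT-METER-162-12345 {
                    match {
                        destination-address 9.9.9.26/32;
                        destination-port {
                            12345;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                METER_162;
                            }
                        }
                    }
                }
                rule DNAT-METER-162-NTP {
                    match {
                        destination-address 9.9.9.26/32;
                        destination-port {
                            123;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                METER_162;
                            }
                        }
                    }
                }
                rule DNAT-METER-161-8443 {
                    match {
                        destination-address 9.9.9.26/32;
                        destination-port {
                            8443;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                METER_161;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    9.9.9.116/32;
                    9.9.9.4/32;
                    9.9.9.58/32;
                    9.9.9.40/32;
                    9.9.9.105/32;
                    9.9.9.26/32;
                    # CHANGED: added so the NAT-GUEST pool address is answered
                    # on the wire; without it guest traffic would leave but
                    # replies to 9.9.9.104 would never be picked up.
                    9.9.9.104/32;
                }
            }
        }
    }
    policies {
        # Site-to-site VPN pairs: SEEI-21 LAN <-> HO / PTFS / LED, both
        # directions, restricted by address-book objects (defined outside this
        # excerpt) but not by application.
        from-zone SEEI-21-ZONE to-zone VPN-HO {
            policy SEEI-21-ZONE-to-VPN-HO-cfgr {
                match {
                    source-address SEEI-21-NET;
                    destination-address HO-NET;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN-HO to-zone SEEI-21-ZONE {
            policy VPN-HO-to-SEEI-21-ZONE-cfgr {
                match {
                    source-address HO-NET;
                    destination-address SEEI-21-NET;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SEEI-21-ZONE to-zone VPN-PTFS {
            policy SEEI-21-ZONE-to-VPN-PTFS-cfgr {
                match {
                    source-address SEEI-21-NET;
                    destination-address PTFS-NETWORK;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN-PTFS to-zone SEEI-21-ZONE {
            policy VPN-PTFS-to-SEEI-21-ZONE-cfgr {
                match {
                    source-address PTFS-NETWORK;
                    destination-address SEEI-21-NET;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SEEI-21-ZONE to-zone VPN-LED {
            policy SEEI-21-ZONE-to-VPN-LED-cfgr {
                match {
                    source-address SEEI-21-NET;
                    destination-address LED-NETWORK;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN-LED to-zone SEEI-21-ZONE {
            policy VPN-LED-to-SEEI-21-ZONE-cfgr {
                match {
                    source-address LED-NETWORK;
                    destination-address SEEI-21-NET;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SEEI-21-ZONE to-zone INTERNET {
            policy LAN-TO-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SEEI-21-ZONE to-zone SEEI-21-ZONE {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # CHANGED: rule-set LAN-NAT-DMZ shows this pair is in use; it
        # previously worked only through default-policy permit-all.
        from-zone SEEI-21-ZONE to-zone DMZ-ZONE {
            policy SEEI-TO-DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone COMPANY-ZONE to-zone COMPANY-ZONE {
            policy COMPANY-ZONE-to-COMPANY-ZONE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone COMPANY-ZONE to-zone INTERNET {
            policy COMPANY-to-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SCADA-ZONE to-zone SCADA-ZONE {
            policy SCADA-ZONE-to-SCADA-ZONE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # NOTE(review): unrestricted Internet egress from the SCADA zone is an
        # exfiltration / command-and-control path. Replace "any/any/any" with
        # the specific hosts and applications (vendor update, NTP, ...) that
        # actually need it. Session logging added meanwhile.
        from-zone SCADA-ZONE to-zone INTERNET {
            policy SCADA-to-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone REPLICATION-ZONE to-zone REPLICATION-ZONE {
            policy REPLICATION-ZONE-to-REPLICATION-ZONE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone REPLICATION-ZONE to-zone INTERNET {
            policy REPLICATION-to-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone COMPANY-ZONE to-zone REPLICATION-ZONE {
            policy COMPANY-TO-REPLICATION {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Inbound from the Internet into COMPANY-ZONE: only the DNAT'd
        # services, everything else explicitly denied (and now logged).
        from-zone INTERNET to-zone COMPANY-ZONE {
            # NOTE(review): any Internet source, any application, to an
            # internal desktop. Only port 2022 is DNAT'd today, but the policy
            # itself does not enforce that. Recommended: define
            #   applications { application TCP-2022 { protocol tcp; destination-port 2022; } }
            # and change this policy to "application TCP-2022;" (not done here
            # because the applications stanza is not in this excerpt).
            policy TEST_ACCESS {
                match {
                    source-address any;
                    destination-address TEST_DESK;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy METER_SERVER_161 {
                match {
                    source-address [ TT1 TT3 TT4 TT2 TT5 TT6 SERVER_NET ];
                    destination-address METER-SERVER-161;
                    application TCP-8443;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            # See the note on DNAT rule DNAT-METER-162-2449 about TCP-2249.
            policy METER_SERVER_162 {
                match {
                    source-address [ CABLE_METERS_5 CABLE_METERS_8 ];
                    destination-address METER-SERVER-162;
                    application [ junos-ntp TCP-2249 UDP-12345 ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy COMPANY_DENY_ACCESS {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        # CHANGED: previously reachable only via default-policy permit-all.
        # From the Internet the DMZ is reachable solely through the
        # CUSTOMERPORTAL_* / OUTAGES_* DNAT pools (80/443), so the application
        # match is the effective restriction; tighten destination-address to
        # address-book objects for the two servers once they exist.
        from-zone INTERNET to-zone DMZ-ZONE {
            policy INTERNET-TO-DMZ-WEB {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        # CHANGED: same reasoning for the WEATHER_LINUX DNAT pool (port 80).
        from-zone INTERNET to-zone GUEST-ZONE {
            policy INTERNET-TO-WEATHER-WWW {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone DMZ-ZONE to-zone DMZ-ZONE {
            policy DMZ-ZONE-to-DMZ-ZONE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ-ZONE to-zone INTERNET {
            policy DMZ-to-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone COMPANY-ZONE to-zone DMZ-ZONE {
            policy COMPANY-TO-DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone GUEST-ZONE to-zone GUEST-ZONE {
            policy GUEST-ZONE-to-GUEST-ZONE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone GUEST-ZONE to-zone INTERNET {
            policy GUEST-to-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone SEEI-21-ZONE to-zone GUEST-ZONE {
            policy SEEI-TO-GUEST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Remote-access VPN users (JSC-ZONE) <-> internal zones. All of these
        # are any/any/any in both directions.
        from-zone COMPANY-ZONE to-zone JSC-ZONE {
            policy COMPANY-JSC-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone JSC-ZONE to-zone COMPANY-ZONE {
            policy JSC-COMPANY-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone REPLICATION-ZONE to-zone JSC-ZONE {
            policy REPL-JSC-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone JSC-ZONE to-zone REPLICATION-ZONE {
            policy JSC-REPL-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # NOTE(review): every VPN user (LDAP-authenticated, no group or
        # per-user restriction visible here) gets full access to the SCADA
        # zone and SCADA hosts may initiate to VPN clients. Restrict to the
        # engineering hosts/protocols that actually need it; logging added.
        from-zone SCADA-ZONE to-zone JSC-ZONE {
            policy SCADA-JSC-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone JSC-ZONE to-zone SCADA-ZONE {
            policy JSC-SCADA-POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        # CHANGED: was permit-all, which made every zone pair without a policy
        # above wide open (GUEST -> SCADA, GUEST -> COMPANY, INTERNET -> any
        # zone, ...). Anything legitimate that was riding on it must now be
        # listed explicitly.
        default-policy {
            deny-all;
        }
    }
}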