[edit]
root@AltaBadia# show | except SECRET-DATA | no-more
## Last changed: 2011-04-27 22:54:51 CEST
/* Review notes (reformatted from a single-line capture; no statement changed).
   The output was filtered with "except SECRET-DATA", so root-authentication and the
   "user raven" authentication stanzas are empty because of the filter, not because
   they are unset; the blank wlan ssid values look hand-redacted (confirm).
   Junos evaluates security policies and NAT rules within a rule-set in order, first
   match wins; see the notes at rule NAS_FTP2 and at from-zone idmz to-zone edmz. */
version 10.4R3.4;
system {
    host-name AltaBadia;
    time-zone Europe/Zurich;
    /* Empty only because of "except SECRET-DATA". */
    root-authentication {
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
        8.8.8.8;
        62.2.24.162;
        62.2.17.61;
    }
    login {
        /* Login backoff after 3 failures, factor 5; complements the ssh rate-limit below. */
        retry-options {
            backoff-threshold 3;
            backoff-factor 5;
        }
        user raven {
            uid 2000;
            class super-user;
            /* Empty only because of "except SECRET-DATA". */
            authentication {
            }
        }
    }
    services {
        /* Plaintext FTP server on the firewall itself. It is reachable from every zone
           whose host-inbound-traffic allows "all" system-services (trust, idmz and edmz
           below). This is unrelated to the transit "alg ftp" stanza; remove unless the
           device really needs to serve FTP. */
        ftp;
        /* SSHv2 only, at most 2 concurrent sessions, 1 connection attempt per minute. */
        ssh {
            protocol-version v2;
            connection-limit 2;
            rate-limit 1;
        }
        dns;
        web-management {
            /* Plaintext HTTP management on the trust SVI; HTTPS is already enabled on the
               same interface, so the http stanza can be dropped. */
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
                10.10.10.10;
                172.24.24.172;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                exclude-address {
                    192.168.1.100;
                }
                router {
                    192.168.1.1;
                }
            }
            pool 10.10.10.0/24 {
                address-range low 10.10.10.1 high 10.10.10.254;
                exclude-address {
                    10.10.10.10;
                }
                router {
                    10.10.10.10;
                }
            }
            pool 172.24.24.0/24 {
                address-range low 172.24.24.1 high 172.24.24.254;
                /* .100 (HP8500) and .200 (NAS) are NAT pool targets below; .172 is vlan.1;
                   .150 is not referenced anywhere else in this capture — confirm it is
                   still in use. */
                exclude-address {
                    172.24.24.100;
                    172.24.24.172;
                    172.24.24.200;
                    172.24.24.150;
                }
                router {
                    172.24.24.172;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Only critical-and-above is kept locally, and none of the security policies
           below carries a "log" action, so permitted/denied sessions leave no trace.
           Consider session logging on the untrust policies and a lower severity or a
           remote syslog host for the security facility. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* Single, unauthenticated time source; log timestamps and the system-generated
       HTTPS certificate validity depend on it. */
    ntp {
        server 207.46.232.182;
    }
}
interfaces {
    /* WAN uplink, DHCP client; untrust zone host-inbound-traffic for it is narrowed below. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp {
                    update-server;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 3;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 5;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 4;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 4;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 4;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 4;
                }
            }
        }
    }
    /* Trunk (presumably the AP uplink, given "untagged-vlan 3" under wlan). Untagged
       frames on it land in vlan-trust (VLAN 3), i.e. the trusted network. */
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id 3;
            }
        }
    }
    /* Trunk without native-vlan-id; carries VLAN 3 and VLAN 5 per the vlans stanza. */
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
    vlan {
        /* 10.10.10.10 is also the GREEN_GW destination-NAT pool target below. */
        unit 0 {
            family inet {
                address 10.10.10.10/24;
            }
        }
        unit 1 {
            family inet {
                address 172.24.24.172/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    nat {
        /* Interface source NAT for each internal zone towards untrust. */
        source {
            rule-set GREEN_NAT {
                from zone trust;
                to zone untrust;
                rule GREEN_ACCESS {
                    match {
                        source-address 10.10.10.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set AMBER1_NAT {
                from zone idmz;
                to zone untrust;
                rule AMBER1_ACCESS {
                    match {
                        source-address 172.24.24.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set AMBER2_NAT {
                from zone edmz;
                to zone untrust;
                rule AMBER2_ACCESS {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool NAS {
                address 172.24.24.200/32;
            }
            pool HP8500 {
                address 172.24.24.100/32;
            }
            pool GREEN_GW {
                address 10.10.10.10/32;
            }
            /* Inbound port forwards from the WAN address. Rules are checked top to bottom,
               first match wins. */
            rule-set RED_NAT {
                from zone untrust;
                rule NAS_HTTP {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
                rule NAS_HTTPS {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
                rule NAS_ACCESS {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 5000;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
                rule NAS_ACCESS2 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 5001;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
                rule NAS_FILESTATION {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 7000;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
                rule NAS_FILESTATION2 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 7001;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
                /* Review: no destination-port, so this matches every port not handled by
                   the rules above and the GREEN_GW rule below can never match. Combined
                   with policy untrust-to-idmz (permit any), every remaining TCP/UDP port on
                   the WAN address is forwarded from the Internet to the NAS. If this was
                   meant for passive FTP, narrow it to the NAS's passive port range and
                   move GREEN_GW above it. */
                rule NAS_FTP2 {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        destination-nat pool NAS;
                    }
                }
                /* Shadowed by NAS_FTP2 (see note there). Once reachable, this forwards SSH
                   from any Internet source to the firewall's trust address; see the
                   source restriction suggested at untrust-to-trust_ssh. */
                rule GREEN_GW {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool GREEN_GW;
                    }
                }
            }
            /* Printer reachable from trust via a virtual address 10.10.10.100 (proxy-arp below). */
            rule-set GREEN_NAT {
                from zone trust;
                rule GREEN_HP8500 {
                    match {
                        destination-address 10.10.10.100/32;
                        destination-port 9100;
                    }
                    then {
                        destination-nat pool HP8500;
                    }
                }
                rule GREEN_HP8500_HTTP {
                    match {
                        destination-address 10.10.10.100/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool HP8500;
                    }
                }
            }
            /* Printer reachable from edmz via virtual address 192.168.1.100 (port 9100 only). */
            rule-set AMBER2_NAT {
                from zone edmz;
                rule AMBER2_HP8500 {
                    match {
                        destination-address 192.168.1.100/32;
                        destination-port 9100;
                    }
                    then {
                        destination-nat pool HP8500;
                    }
                }
            }
        }
        proxy-arp {
            interface vlan.0 {
                address {
                    10.10.10.100/32;
                }
            }
            interface vlan.2 {
                address {
                    192.168.1.100/32;
                }
            }
        }
    }
    screen {
        /* Applied to the untrust zone only. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address GREEN_RANGE 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* Zone-wide "all"/"all"; only the per-interface stanza for ge-0/0/0.0 narrows
               it. Any interface added to untrust later would inherit the open setting —
               safer to keep the zone level closed and list services per interface. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    /* Interface-level setting takes precedence for this interface. dhcp is
                       needed for the DHCP client on ge-0/0/0; confirm tftp is required on
                       the WAN side. */
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
        security-zone idmz {
            address-book {
                address AMBER1_RANGE 172.24.24.0/24;
                address HP8500 172.24.24.100/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1;
            }
        }
        security-zone edmz {
            address-book {
                address AMBER2_RANGE 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.2;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address GREEN_RANGE;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone edmz {
            policy trust-to-edmz {
                match {
                    source-address GREEN_RANGE;
                    destination-address AMBER2_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone idmz {
            policy trust-to-idmz {
                match {
                    source-address GREEN_RANGE;
                    destination-address AMBER1_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address GREEN_RANGE;
                    destination-address GREEN_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone idmz to-zone untrust {
            policy idmz-to-untrust {
                match {
                    source-address AMBER1_RANGE;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone idmz to-zone edmz {
            /* Review: policies are evaluated in order and this deny matches AMBER1_RANGE,
               which contains HP8500 (172.24.24.100), so idmz_prt-to-edmz below is never
               reached. Compare from-zone idmz to-zone trust, where the printer permit is
               listed first. Reorder if the printer must initiate connections to edmz. */
            policy idmz-to-edmz {
                match {
                    source-address AMBER1_RANGE;
                    destination-address AMBER2_RANGE;
                    application any;
                }
                then {
                    deny;
                }
            }
            policy idmz_prt-to-edmz {
                match {
                    source-address HP8500;
                    destination-address AMBER2_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone idmz to-zone idmz {
            policy idmz-to-idmz {
                match {
                    source-address AMBER1_RANGE;
                    destination-address AMBER1_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone idmz to-zone trust {
            /* Printer exception correctly placed before the range-wide deny. */
            policy idmz_prt-to-trust {
                match {
                    source-address HP8500;
                    destination-address GREEN_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy idmz-to-trust {
                match {
                    source-address AMBER1_RANGE;
                    destination-address GREEN_RANGE;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone edmz to-zone untrust {
            policy edmz-to-untrust {
                match {
                    source-address AMBER2_RANGE;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone edmz to-zone edmz {
            policy edmz-to-edmz {
                match {
                    source-address AMBER2_RANGE;
                    destination-address AMBER2_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone edmz to-zone idmz {
            /* edmz is VLAN 5, the visitor SSIDs under wlan. This lets guests reach the
               whole idmz (NAS and printer) on any application. The AMBER2_HP8500 NAT
               rule already maps 192.168.1.100:9100 to the printer, so this could be
               narrowed to that. */
            policy edmz-to-idmz {
                match {
                    source-address AMBER2_RANGE;
                    destination-address AMBER1_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone edmz to-zone trust {
            policy edmz-to-trust {
                match {
                    source-address AMBER2_RANGE;
                    destination-address GREEN_RANGE;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone untrust {
            /* Intra-zone permit-any on the WAN zone; with a single untrust interface this
               appears to cover hairpinned traffic only, but it is broader than needed. */
            policy untrust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone edmz {
            policy untrust-to-edmz {
                match {
                    source-address any;
                    destination-address AMBER2_RANGE;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone idmz {
            /* Any Internet source, any application, to the entire idmz. Together with the
               RED_NAT catch-all (rule NAS_FTP2) this exposes every port of the NAS.
               Restrict application to what RED_NAT actually publishes (e.g. junos-http,
               junos-https plus custom applications for the listed NAS ports). */
            policy untrust-to-idmz {
                match {
                    source-address any;
                    destination-address AMBER1_RANGE;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* SSH from any Internet source into the trust range (currently unreachable
               because NAS_FTP2 shadows the GREEN_GW NAT rule). Restrict source-address to
               known management addresses before fixing the NAT order. */
            policy untrust-to-trust_ssh {
                match {
                    source-address any;
                    destination-address GREEN_RANGE;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address GREEN_RANGE;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    /* Transit FTP ALG; unrelated to "system services ftp" above. */
    alg {
        ftp ftps-extension;
    }
}
wlan {
    access-point raven-ap1 {
        mac-address 50:c5:8d:29:23:80;
        location Zurich;
        external {
            system {
                ports {
                    ethernet {
                        /* AP management is untagged on VLAN 3, i.e. in the trust network. */
                        management-vlan 3;
                        untagged-vlan 3;
                        name-server 8.8.8.8;
                    }
                }
            }
        }
        access-point-options {
            country {
                CH;
            }
        }
        radio 2 {
            radio-options {
                mode bgn;
                channel {
                    number auto;
                }
                transmit-power 50;
            }
            virtual-access-point 0 {
                /* ssid is blank in this capture — presumably redacted by hand; confirm. */
                ssid ;
                vlan 3;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        /* WPA2 with TKIP as the only cipher; TKIP is deprecated and weak.
                           Use CCMP (AES) here and on the other three virtual access points. */
                        cipher-suites {
                            tkip;
                        }
                    }
                }
            }
            virtual-access-point 1 {
                description Visitors-VLAN-24GHz;
                ssid ;
                vlan 5;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            tkip;
                        }
                    }
                }
            }
        }
        radio 1 {
            radio-options {
                mode a;
                channel {
                    number auto;
                }
                transmit-power 50;
            }
            virtual-access-point 0 {
                ssid ;
                vlan 3;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            tkip;
                        }
                    }
                }
            }
            virtual-access-point 1 {
                description Visitors_VLAN_50GHz;
                ssid ;
                vlan 5;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            tkip;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    /* Visitor/guest VLAN (edmz zone). */
    vlan-edmz {
        description AMBER2;
        vlan-id 5;
        interface {
            ge-0/0/2.0;
            ge-0/0/3.0;
            ge-0/0/4.0;
            ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
            ge-0/0/8.0;
            ge-0/0/9.0;
            ge-0/0/14.0;
            ge-0/0/15.0;
        }
        l3-interface vlan.2;
    }
    /* Internal DMZ (NAS, printer); not carried on either trunk. */
    vlan-idmz {
        description AMBER1;
        vlan-id 4;
        interface {
            ge-0/0/11.0;
            ge-0/0/12.0;
            ge-0/0/13.0;
            ge-0/0/10.0;
        }
        l3-interface vlan.1;
    }
    /* Trusted VLAN. Trunks ge-0/0/14.0 and ge-0/0/15.0 carry both VLAN 3 and VLAN 5, so
       trust/guest separation on those links relies on the far-end devices honouring tags. */
    vlan-trust {
        description GREEN;
        vlan-id 3;
        interface {
            ge-0/0/1.0;
            ge-0/0/14.0;
            ge-0/0/15.0;
        }
        l3-interface vlan.0;
    }
}