## Last changed: 2017-03-14 11:31:33 GMT-6
/* Junos zone-based security configuration: one WAN uplink (ge-0/0/0, DHCP client,
   zone Internet) and three routed VLANs (Home, VPN, Work) that are source-NATed
   toward the Internet and denied to each other. Values marked SCRUBBED were
   redacted before publication. */
version SCRUBBED;
system {
    host-name SCRUBBED;
    time-zone GMT-6;
    root-authentication {
        encrypted-password "SCRUBBED";
    }
    /* Resolvers used by the device itself. The DHCP pools below set no
       name-server, so pool clients receive whatever propagate-settings learns
       from ge-0/0/0 — presumably intended; only the static bindings pin these. */
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        /* ssh is enabled with no options, so root-login, protocol-version,
           rate-limit and connection-limit all take the release defaults —
           NOTE(review): confirm the effective root-login value for this release. */
        ssh;
        /* HTTPS UI on a self-signed certificate, bound to vlan.3 (Work) only;
           clients can only trust it on first use unless they pin it. */
        web-management {
            https {
                system-generated-certificate;
                interface vlan.3;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            /* Pools map 1:1 onto the routed units: 192.168.1.0/24 -> vlan.1 (Home),
               192.168.2.0/24 -> vlan.3 (Work), 192.168.3.0/24 -> vlan.2 (VPN). */
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                router {
                    192.168.1.1;
                }
            }
            pool 192.168.2.0/24 {
                address-range low 192.168.2.2 high 192.168.2.254;
                router {
                    192.168.2.1;
                }
            }
            /* Single-address pool: exactly one VPN-side client can lease .11. */
            pool 192.168.3.0/24 {
                address-range low 192.168.3.11 high 192.168.3.11;
                router {
                    192.168.3.1;
                }
            }
            /* Two Work-zone hosts with fixed addresses and explicit resolvers.
               Both bindings carry the same redacted name here; in the original
               they were presumably distinct. */
            static-binding SCRUBBED {
                fixed-address {
                    192.168.2.33;
                }
                name-server {
                    208.67.222.222;
                    208.67.220.220;
                }
                router {
                    192.168.2.1;
                }
            }
            static-binding SCRUBBED {
                fixed-address {
                    192.168.2.34;
                }
                name-server {
                    208.67.222.222;
                    208.67.220.220;
                }
                router {
                    192.168.2.1;
                }
            }
            /* DHCP options received on the uplink (e.g. upstream DNS) are
               passed on to pool clients. */
            propagate-settings ge-0/0/0;
        }
    }
    /* Logging is local only: three rotated 100k files and no host target.
       No policy below logs sessions, so denied cross-zone traffic leaves no record. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            /* authorization info records authentication/authorization events
               (logins, failures) in the messages file. */
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    /* Vendor license key-retrieval endpoint. */
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NOTE(review): NTP Pool zone names have the form us.pool.ntp.org;
       "us.ntp.pool.org" looks transposed — confirm it resolves, otherwise the
       clock never syncs and log timestamps and certificate validity suffer. */
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    /* untrust-screen is attached to zone Internet below. */
    screen {
        ids-option untrust-screen {
            /* Screen matches only raise alarms; nothing in this ids-option is
               dropped. Remove this statement if the screens should enforce. */
            alarm-without-drop;
            icmp {
                ip-sweep;
                fragment;
                large;
                flood;
                ping-death;
                icmpv6-malformed;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
                ipv6-malformed-header;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan;
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
                winnuke;
            }
            udp {
                flood;
            }
        }
    }
    /* Interface-based source NAT for all three LAN zones toward the Internet. */
    nat {
        source {
            rule-set nsw_srcnat {
                from zone [ Home VPN Work ];
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    /* Policy summary: each LAN zone -> Internet permits any; every other pair
       (Internet inbound and all LAN-to-LAN) denies any. None of the deny policies
       logs; `then { deny; log { session-init; } }` would make them visible. */
    policies {
        from-zone Home to-zone Internet {
            policy home-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Home {
            policy internet-home {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone Work to-zone Internet {
            policy work-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Work {
            policy internet-work {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone VPN to-zone Internet {
            policy vpn-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone VPN {
            policy internet-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone Work to-zone Home {
            policy work-home {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone Home to-zone Work {
            policy home-work {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone Work to-zone VPN {
            policy work-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone VPN to-zone Work {
            policy vpn-work {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone VPN to-zone Home {
            policy vpn-home {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone Home to-zone VPN {
            policy home-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    /* Home, VPN and Work accept every system service and routing protocol on
       their vlan.x interfaces, so any management daemon the device runs (ssh,
       https, ...) is reachable from every host in those zones. Restricting
       system-services to the ones actually used would narrow that. The
       Internet zone accepts only the DHCP client exchange. */
    zones {
        security-zone Home {
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone VPN {
            interfaces {
                vlan.2 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Work {
            interfaces {
                vlan.3 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
/* Port map: ge-0/0/1-7 -> vlan1 (Home), ge-0/0/8-14 -> vlan3 (Work),
   ge-0/0/15 -> vlan2 (VPN). ge-0/0/0 is the DHCP-client uplink. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan3;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan3;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan3;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan3;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan3;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan3;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan3;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan2;
                }
            }
        }
    }
    /* Routed VLAN units: vlan.1 = 192.168.1.1 (Home), vlan.2 = 192.168.3.1 (VPN),
       vlan.3 = 192.168.2.1 (Work). Unit numbers do not follow subnet order. */
    vlan {
        unit 1 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.3.1/24;
            }
        }
        unit 3 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
}
/* Spanning tree is disabled: a looped cable between switch ports is not contained. */
protocols {
    stp {
        disable;
    }
}
wlan {
    admin-authentication {
        encrypted-password "SCRUBBED";
    }
}
/* Easy to misread: VLAN name, 802.1Q tag and l3 unit number do not line up
   (vlan1 = tag 3 = vlan.1, vlan2 = tag 2 = vlan.2, vlan3 = tag 4 = vlan.3).
   Port membership is mostly declared on the interface side above; one port per
   VLAN is also listed here — both forms are valid Junos. */
vlans {
    vlan1 {
        description Home;
        vlan-id 3;
        interface {
            ge-0/0/2.0;
        }
        l3-interface vlan.1;
    }
    vlan2 {
        description VPN;
        vlan-id 2;
        interface {
            ge-0/0/15.0;
        }
        l3-interface vlan.2;
    }
    vlan3 {
        description Work;
        vlan-id 4;
        interface {
            ge-0/0/8.0;
        }
        l3-interface vlan.3;
    }
}