## Last changed: 2018-12-03 18:56:47 EST
## SRX210 edge configuration: PPPoE uplink on pp0.0 (zone Internet), LAN on
## ge-0/0/1.0 (zone Internal), interface-based source NAT outbound, and one
## currently inactive inbound SSH forward. Review remarks are marked
## NOTE(review); the original `## SECRET-DATA` markers are Junos export output.
version 12.3X48-D75.4;
groups {
    ## NOTE(review): this group duplicates the `file srx_logging` stanza that
    ## also appears directly under [system syslog]. No `apply-groups` statement
    ## is visible in this view, so confirm whether the group is applied at all.
    jweb-security-logging {
        system {
            syslog {
                file srx_logging {
                    any any;
                    archive size 20m files 5;
                    structured-data;
                }
            }
        }
    }
}
system {
    host-name srx210;
    time-zone EST5EDT;
    root-authentication {
        ## NOTE(review): the `$1$` prefix marks an MD5-crypt hash, which is weak
        ## against offline guessing. Re-set the root password so a stronger hash
        ## format is stored if this release supports one, and treat any copy of
        ## this export that carries the hash as sensitive.
        encrypted-password "$1$ywkPUvP6$WdPlO9s6bewcL4Sf1XxZG1"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ## NOTE(review): `ssh` is enabled with defaults only -- no `root-login`,
        ## `protocol-version` or connection rate-limit options are set here;
        ## confirm the release defaults (root login policy in particular) match
        ## intent. Reachability is limited by the zone host-inbound lists below.
        ssh;
        web-management {
            ## NOTE(review): plaintext HTTP management is enabled on the LAN
            ## interface alongside HTTPS, so credentials entered over HTTP cross
            ## the LAN unencrypted. HTTPS is bound to the same interface, so this
            ## `http` stanza (and the matching `http` entry in zone Internal's
            ## host-inbound system-services) could be removed.
            http {
                interface ge-0/0/1.0;
            }
            https {
                ## Self-signed device certificate: browsers cannot tell it from a
                ## substituted one unless the fingerprint is checked or pinned.
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        ## DHCP server fragment: only the name-server option is set here; no
        ## pool or interface binding is visible in this view.
        dhcp {
            name-server {
                8.8.8.8;
            }
        }
    }
    syslog {
        archive size 20m files 5;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        ## Denied-session records only (RT_FLOW_SESSION_DENY), structured format.
        ## NOTE(review): `world-readable` lets any local account read the rotated
        ## traffic-log archives, which contain the addresses of denied sessions;
        ## drop it unless a non-privileged collector needs the files.
        file traffic-log {
            any any;
            match RT_FLOW_SESSION_DENY;
            archive world-readable;
            structured-data;
        }
        file srx_logging {
            any any;
            archive size 20m files 5;
            structured-data;
        }
    }
    max-configurations-on-flash 6;
    max-configuration-rollbacks 6;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        ## NOTE(review): `us.ntp.pool.org` looks like a transposition of the
        ## public pool name `us.pool.ntp.org` -- confirm it resolves. Without
        ## time sync the session-init/close timestamps written above drift and
        ## lose forensic value. No NTP authentication is configured.
        server us.ntp.pool.org;
    }
}
services {
    application-identification;
}
security {
    log {
        ## `event` mode: security logs are sent through the routing engine's
        ## syslog path, i.e. into the files configured under [system syslog].
        mode event;
    }
    ## All ALGs disabled: shrinks the protocol-parsing surface of the flow
    ## daemon. Protocols that rely on ALG pinholes through NAT (FTP active
    ## mode, SIP, ...) will not work unless explicitly allowed by policy.
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        rtsp disable;
        sccp disable;
        sip disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    ## NOTE(review): application tracking is disabled globally here, yet
    ## `application-tracking;` is set on security-zone Internal below. The two
    ## are inconsistent: either remove the zone-level knob or drop this
    ## `disable` if per-zone AppTrack records are actually wanted.
    application-tracking {
        disable;
    }
    screen {
        ## NOTE(review): `untrust-screen` is defined but never referenced --
        ## neither security-zone below carries a `screen untrust-screen;`
        ## statement, so none of these checks (ping-of-death, source-route,
        ## teardrop, SYN flood, LAND) are enforced on the PPPoE uplink. Adding
        ## `screen untrust-screen;` under security-zone Internet activates it.
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        ## Interface-based source NAT for everything Internal -> Internet.
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool 192_168_1_2_22 {
                address 192.168.1.2/32 port 22;
            }
            ## NOTE(review): this DNAT rule is always active and matches any
            ## source: port 2222 arriving from zone Internet is rewritten to
            ## 192.168.1.2:22. Today the translated flow is then dropped by
            ## `deny-internet` because the permitting policy is `inactive:`, so
            ## probes to 2222 should appear in traffic-log as denies. NAT alone is
            ## not an access control; the policy is what gates this path.
            rule-set nsw_destnat {
                from zone Internet;
                rule 0_File_Transfer--Internal_22 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port {
                            2222;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                192_168_1_2_22;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internet to-zone Internal {
            ## Deactivated inbound SSH forward (pairs with the DNAT rule above).
            ## NOTE(review): if this is reactivated, `source-address any` exposes
            ## the forwarded SSH service to every uplink source; restrict the
            ## source here (and on the NAT rule) to the known client ranges, and
            ## consider adding `session-close` to the log action so the record
            ## set matches the deny policies.
            inactive: policy File_Transfer_Internet_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application [ nsw-File_Transfer_Internet_Internal_1_ssh junos-ssh ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy deny-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone Internal to-zone Internet {
            ## NOTE(review): all outbound traffic is permitted with no logging, so
            ## egress visibility is limited to the denied sessions recorded
            ## elsewhere. Adding `log { session-init; session-close; }` here gives
            ## a record of outbound connections if the syslog budget allows it.
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone junos-host {
            ## Explicit deny of management-plane access from the uplink. This is
            ## the only thing narrowing the `any-service` host-inbound setting on
            ## security-zone Internet below, so keep it first and logged.
            policy deny-junos {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        global {
            ## Logged catch-all deny for any zone pair not matched above.
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                ge-0/0/1.0 {
                    ## Management reachability from the LAN; matches the
                    ## web-management and ssh services configured above.
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                        }
                    }
                }
            }
            ## NOTE(review): no effect while [security application-tracking
            ## disable] is set above -- see the remark there.
            application-tracking;
        }
        security-zone Internet {
            ## NOTE(review): `any-service` opens every host-inbound system
            ## service on the uplink at the zone level; only the `deny-junos`
            ## policy above keeps them unreachable. Listing just the services
            ## genuinely needed on pp0.0 (if any) gives defense in depth should
            ## that policy ever be edited.
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                pp0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 35;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    pp0 {
        unit 0 {
            apply-macro pppoe;
            ppp-options {
                ## NOTE(review): PAP sends the ISP password in the clear during
                ## PPP negotiation; prefer CHAP if the provider supports it.
                ## Credentials are redacted as HIDDEN in this export.
                pap {
                    local-name HIDDEN;
                    local-password "HIDDEN"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                auto-reconnect 10;
                client;
                ## 0 = never tear the session down for inactivity.
                idle-timeout 0;
            }
            family inet {
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        ## Default route out the PPPoE session.
        route 0.0.0.0/0 {
            qualified-next-hop pp0.0 {
                metric 1;
            }
        }
    }
}
protocols {
    stp;
}
applications {
    ## Custom TCP/22 application, listed next to junos-ssh in the inactive
    ## File_Transfer_Internet_Internal policy.
    application nsw-File_Transfer_Internet_Internal_1_ssh {
        term 22-term protocol tcp destination-port 22;
    }
}
poe {
    interface all;
}