## Last changed: 2014-04-14 18:27:38 GMT
version 12.1X44.5;
system {
    host-name FS-JUNIPER-01;
    time-zone GMT;
    /* The "$1$" prefix marks an MD5-crypt hash. Every hash in this file has
       been published with the configuration, so the root and all four login
       accounts below should be treated as exposed and re-keyed; prefer a
       stronger password format where the platform supports one. */
    root-authentication {
        encrypted-password "$1$vLCvkZOR$dAz9ntSD6WZEd.H3dQhqV0";
    }
    name-server {
        172.16.1.106;
        172.16.1.129;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        /* All four accounts are class super-user; no reduced-privilege
           operator or read-only class is defined for day-to-day use. */
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$YjyyP9li$MoIEzJhAFqhEUefR3fV420";
            }
        }
        user msp {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$sNTYFEzo$83aBmpB0CtGnEYoIBMT6d/";
            }
        }
        user mkadmin {
            uid 2002;
            class super-user;
            authentication {
                encrypted-password "$1$NXOrDD1T$nHQ21Gr7p1Wgz7r1GDkpR1";
            }
        }
        user rhadmin {
            uid 2003;
            class super-user;
            authentication {
                encrypted-password "$1$nFe5e70B$.W2TSfje9zzEemcrE9weH1";
            }
        }
    }
    services {
        /* ssh is enabled with defaults only; consider "root-login deny"
           under ssh so root is reachable only via a named account. */
        ssh;
        /* telnet carries credentials in cleartext. ssh is already enabled,
           so this service can be removed (it is also listed per-zone under
           security zones trust host-inbound-traffic). */
        telnet;
        web-management {
            /* Plain HTTP management on the trust SVI; the https stanza below
               covers the same interface, so http is redundant cleartext. */
            http {
                interface vlan.1;
            }
            https {
                /* Self-signed device certificate; admins cannot distinguish
                   the real device from an interposed one without pinning. */
                system-generated-certificate;
                interface vlan.1;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            propagate-settings ge-0/0/0;
        }
    }
    /* Logging is local-only: no syslog "host" statement is configured, so
       authorization and interactive-command records live only on the device
       and are lost if it is wiped or rolled back. A remote collector is the
       usual fix. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* NOTE(review): the NTP Pool Project hostnames are of the form
           <region>.pool.ntp.org; "us.ntp.pool.org" looks transposed -- confirm
           this resolves to the intended servers. No NTP authentication is set. */
        server us.ntp.pool.org;
    }
}
interfaces {
    /* Internet-facing interface; the 1.2.3.64/28 block here also supplies
       the destination-NAT and proxy-arp addresses under security nat. */
    ge-0/0/0 {
        description untrust_Link;
        unit 0 {
            family inet {
                address 1.2.3.66/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    /* Layer-3 SVI for the internal /16; this is the management address
       used by web-management above. */
    vlan {
        unit 1 {
            family inet {
                address 172.16.1.228/16;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.2.3.65;
    }
}
protocols {
    stp;
}
security {
    /* IDS screen profile; it is bound only to the untrust zone (see
       security zones untrust "screen untrust-screen"). */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Interface-based source NAT for all trust-to-untrust traffic. */
        source {
            rule-set nsw_srcnat {
                from zone trust;
                to zone untrust;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Inbound port forwards. Each pool address matches an address-book
           entry under security zones trust; the untrust-to-trust policies
           below must permit the post-NAT destination. */
        destination {
            pool RDP-Access {
                address 172.16.1.120/32;
            }
            pool SSO-Access {
                address 172.16.1.161/32;
            }
            pool TMG-Access {
                address 172.16.1.215/32;
            }
            pool SMTP-Access {
                address 172.16.1.108/32;
            }
            rule-set NatRule {
                from zone untrust;
                /* Publishes RDP (3389) on a public address with no source
                   restriction; see policy FS-RD-01 for the matching permit. */
                rule RDPAccess-Rule {
                    match {
                        destination-address 1.2.3.67/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool RDP-Access;
                    }
                }
                rule SSOAccess80-Rule {
                    match {
                        destination-address 1.2.3.68/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool SSO-Access;
                    }
                }
                rule SSOAccess443-Rule {
                    match {
                        destination-address 1.2.3.68/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool SSO-Access;
                    }
                }
                rule TMGAccess80-Rule {
                    match {
                        destination-address 1.2.3.67/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool TMG-Access;
                    }
                }
                rule TMGAccess443-Rule {
                    match {
                        destination-address 1.2.3.67/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool TMG-Access;
                    }
                }
                /* SMTP is forwarded on the interface address itself (1.2.3.66),
                   unlike the other services which use 1.2.3.67/.68. */
                rule SMTPAccessUnt-Rule {
                    match {
                        destination-address 1.2.3.66/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool SMTP-Access;
                    }
                }
            }
        }
        /* Required so the SRX answers ARP for the NAT addresses that are not
           its own interface address. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    1.2.3.67/32;
                    1.2.3.68/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Policies are evaluated top-down, first match wins. This
               any/any/any permit is first, so the more specific SMTP, DNS,
               NTP, WebAccess, RDP_Internal_Access and Lightspeed policies
               below it are shadowed and never evaluated. Either move this
               policy last (as an explicit catch-all) or remove it so the
               specific policies take effect. */
            policy All_trust_untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy SMTP {
                description "Allow SMTP to Exchange";
                match {
                    source-address Exchange;
                    destination-address any;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy DNS {
                description "DNS Outgoing";
                match {
                    source-address [ FS-DC-01 FS-DC-02 ];
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
            policy NTP {
                description "NTP access";
                match {
                    source-address [ FS-DC-01 FS-DC-02 ];
                    destination-address any;
                    application junos-ntp;
                }
                then {
                    permit;
                }
            }
            policy WebAccess {
                description "HTTP and HTTPS access for the whole subnet";
                match {
                    source-address School_Int;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            policy RDP_Internal_Access {
                match {
                    source-address School_Int;
                    destination-address any;
                    application RDP;
                }
                then {
                    permit;
                }
            }
            policy Lightspeed {
                match {
                    source-address Lightspeed;
                    destination-address any;
                    application [ Lightspeed Lightspeed-TCP ];
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound policies. Every one of these uses source-address any; none
           has "log session-close" or session-init logging, so inbound
           connections to the published hosts leave no record. */
        from-zone untrust to-zone trust {
            /* POP3 from the internet is cleartext (junos-pop3 is TCP/110). */
            policy POP3 {
                description "Allow POP3 to Exchange";
                match {
                    source-address any;
                    destination-address Exchange;
                    application junos-pop3;
                }
                then {
                    permit;
                }
            }
            policy sso {
                description SSO.School.kent.sch.uk;
                match {
                    source-address any;
                    destination-address FS-MAIL-01;
                    application [ junos-https junos-http ];
                }
                then {
                    permit;
                }
            }
            policy Publishing {
                description "HTTP and HTTPS Rule for Publishing";
                match {
                    source-address any;
                    destination-address FS-TMG-01;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            /* RDP exposed directly to any internet source. The usual
               mitigations are a source-address restriction here, or moving
               remote desktop behind the existing TMG/VPN publishing path. */
            policy FS-RD-01 {
                description remote.School.kent.sch.uk;
                match {
                    source-address any;
                    destination-address FS-RD-01;
                    application RDP;
                }
                then {
                    permit;
                }
            }
            /* Shares the name SMTP with the trust-to-untrust policy; a
               description ("Inbound SMTP to Exchange") would disambiguate. */
            policy SMTP {
                match {
                    source-address any;
                    destination-address Exchange;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            /* Description names a single peer (ExcellGroup) but the match
               is source-address any; a dedicated address-book entry for
               the SIP trunk provider would narrow this. */
            policy IncomingSIP {
                description "Incoming SIP from ExcellGroup";
                match {
                    source-address any;
                    destination-address AvayaPBX;
                    application junos-sip;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address Exchange 172.16.1.108/32;
                address FS-MAIL-01 172.16.1.161/32;
                address FS-TMG-01 172.16.1.215/32;
                address FS-RD-01 172.16.1.120/32;
                address FS-DC-01 172.16.1.106/32;
                address FS-DC-02 172.16.1.129/32;
                address School_Int 172.16.0.0/16;
                address AvayaPBX 172.16.1.130/32;
                address Lightspeed 172.16.1.224/32;
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        /* "all" already admits every system service, so the
                           http/https/ssh/telnet lines are redundant. Listing
                           only the services actually used (https, ssh) and
                           dropping "all" is the least-privilege form. */
                        system-services {
                            all;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        /* tftp and dhcp are accepted from the internet-facing
                           interface, yet ge-0/0/0 has a static address and
                           static default route above; confirm these are
                           needed, otherwise remove them. */
                        system-services {
                            tftp;
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application RDP {
        protocol tcp;
        destination-port 3389;
    }
    application Lightspeed {
        protocol udp;
        source-port 0-65535;
        destination-port 1311-1311;
    }
    application Lightspeed-TCP {
        protocol tcp;
        source-port 0-65535;
        destination-port 1311-1311;
    }
}
vlans {
    vlan1 {
        vlan-id 3;
        l3-interface vlan.1;
    }
}