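## Last commit: 2011-05-26 11:52:14 MST by
version 10.3R1.9;
/* Stray closing brace: it ends a hierarchy (apparently "system") that this
 * page does not show. Keep it only if that hierarchy is restored above it. */
}
interfaces {
    ge-0/0/0 {
        /* Uplink that appears to hold the default route's next-hop subnet and
         * the public addresses used by NAT and proxy-arp below (x.x.x.169 and
         * 1.2.3.170/29 look like one /29 under two redaction styles). */
        description "INET Connection 2";
        unit 0 {
            family inet {
                filter {
                    /* Firewall filter "pptp" is referenced but not shown on this
                     * page; confirm it limits management access to the device. */
                    input pptp;
                }
                address 1.2.3.170/29;
            }
        }
    }
    ge-0/0/1 {
        /* Carries the same description as ge-0/0/0 (copy-paste); rename one
         * so the two uplinks can be told apart in logs and show output. */
        description "INET Connection 2";
        unit 0 {
            family inet {
                address x.x.x.138/29;
            }
        }
    }
    ge-0/0/2 {
        description "DMZ - Guest_Network";
        unit 0 {
            family inet {
                address 192.168.11.1/24;
            }
        }
    }
    ge-0/0/7 {
        description OfficeNet;
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* Single default route via the ge-0/0/0 uplink; ge-0/0/1 has no route
         * on this page, so it is not an active failover path as shown. */
        route 0.0.0.0/0 next-hop x.x.x.169;
    }
}
security {
    nat {
        source {
            pool asterisk-pub {
                address {
                    /* x.x.x.172 here and 1.2.3.172 in destination NAT / proxy-arp
                     * look like the same public host under two redaction styles;
                     * they must refer to one address for the PBX's static NAT to
                     * be symmetric. */
                    x.x.x.172/32;
                }
            }
            rule-set trust-nat {
                from zone trust;
                to zone untrust;
                /* Static source NAT for the PBX; it must stay ahead of the
                 * catch-all rule nat-trust, which would otherwise match first. */
                rule astrisk-out {
                    match {
                        source-address 192.168.10.175/32;
                    }
                    then {
                        source-nat {
                            pool {
                                asterisk-pub;
                            }
                        }
                    }
                }
                /* Catch-all: everything else from trust is hidden behind the
                 * egress interface address. */
                rule nat-trust {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dmz-nat {
                from zone dmz;
                to zone untrust;
                rule nat-dmz {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set untrust-nat {
                from zone untrust;
                to zone trust;
                /* "source-nat off" is a no-op here: there is no other
                 * untrust->trust source NAT rule it would exempt traffic from.
                 * Looks like a leftover of an earlier setup; safe to drop. */
                rule VPN {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.10.0/24;
                        destination-port 1723;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
            }
        }
        destination {
            pool win-vpn {
                address 192.168.10.20/32;
            }
            pool asterisk-server {
                address 192.168.10.175/32;
            }
            rule-set old-nat-wan {
                from zone untrust;
                /* PPTP control channel (TCP/1723) to the Windows VPN host; GRE
                 * for the data channel is permitted by policy WinVPN below. */
                rule old-PPTP {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.2.3.171/32;
                        destination-port 1723;
                    }
                    then {
                        destination-nat pool win-vpn;
                    }
                }
                /* Translates every port on 1.2.3.172 to the PBX, but no
                 * untrust->trust policy permits traffic to voip-pbx, so
                 * unsolicited inbound packets are still dropped; only sessions
                 * the PBX opens itself (e.g. provider registration) get replies.
                 * Add a policy for voip-pbx only if inbound SIP/RTP is actually
                 * required, and scope it to the provider's addresses. */
                rule voip {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.2.3.172/32;
                    }
                    then {
                        destination-nat pool asterisk-server;
                    }
                }
            }
        }
        proxy-arp {
            /* The SRX answers ARP for the two extra public addresses that are
             * not configured on the interface itself. */
            interface ge-0/0/0.0 {
                address {
                    1.2.3.172/32;
                    1.2.3.171/32;
                }
            }
        }
    }
    screen {
        /* Applied to the untrust zone below; a screen profile that is not
         * bound to a zone does nothing. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address winvpn-server 192.168.10.20/32;
                /* Defined but not referenced by any policy on this page. */
                address voip-pbx 192.168.10.175/32;
            }
            /* Every service and routing protocol on the SRX is reachable from
             * the office LAN; usual for a trust zone, but note that it includes
             * telnet and any web UI if those are enabled under "system". */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0;
            }
        }
        security-zone untrust {
            /* Bind the screen profile: the original defined untrust-screen but
             * attached it to no zone, so none of its checks were active. */
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* telnet removed: cleartext management on an
                             * Internet-facing interface. ssh is still open to
                             * any source; restrict it to management addresses
                             * with a loopback or interface filter (the "pptp"
                             * filter's contents are not shown on this page). */
                            ssh;
                            ping;
                            traceroute;
                            ike;
                        }
                    }
                }
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            /* Same hardening as ge-0/0/0.0: telnet removed. */
                            ssh;
                            ping;
                            traceroute;
                            ike;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            /* Guest network: "all" lets guests reach every service the SRX
             * itself runs (ssh, any web UI, etc.). Trim this to what guests
             * need from the box, e.g. dhcp/dns/ping, once that is confirmed. */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        /* No trust<->dmz or untrust->dmz policies exist, so inter-zone
         * traffic not listed here falls to the default policy (deny unless
         * changed under "security policies default-policy", not shown). */
        from-zone trust to-zone untrust {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone untrust {
            policy dmz_out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Only inbound policy: PPTP control + GRE to the VPN host. The
             * destination-address matches the post-destination-NAT address,
             * which is why the private address-book entry is used here. */
            policy WinVPN {
                match {
                    source-address any;
                    destination-address winvpn-server;
                    application [ junos-gre junos-pptp ];
                }
                then {
                    permit {
                        /* Rendered here as a bare keyword; in this release the
                         * option normally carries drop-translated or
                         * drop-untranslated — confirm against the live config. */
                        destination-address;
                    }
                }
            }
        }
    }
    alg {
        /* Commonly disabled when the PBX handles NAT traversal itself (it has
         * a static 1:1 source NAT above); keep unless the PBX depends on the
         * ALG rewriting SIP/SDP. */
        sip disable;
    }
}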