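## Last changed: 2011-04-06 07:57:51 UTC
version 11.1R1.10;
system {
    root-authentication {
        /* NOTE(review): "$1$" is an MD5-crypt hash; rotate the credential and use a stronger hash format if this release supports one. */
        encrypted-password "$1$ix.oL0lr$w9piTOZLQQIuLLafEW0Ql0"; ## SECRET-DATA
    }
    services {
        ssh {
            /* NOTE(review): root SSH is reachable on the ISP1/ISP2 interfaces (ssh is in their host-inbound-traffic below). No named login user exists in this config, so switching to 'deny' here would remove all SSH access; add a non-root user first. */
            root-login allow;
            protocol-version v2;
        }
        web-management {
            http {
                /* NOTE(review): cleartext HTTP management is bound to every interface, and http is also host-inbound on the ISP zones; restrict to ge-0/0/0.0 (LAN) or use https only. */
                interface all;
            }
        }
        dhcp {
            pool 3.3.3.0/24 {
                address-range low 3.3.3.100 high 3.3.3.120;
                maximum-lease-time 21600;
                default-lease-time 21600;
                name-server {
                    192.168.0.4;
                    8.8.8.8;
                }
                router {
                    3.3.3.3;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
    }
    syslog {
        /* Session logs from the permit policies below (session-init / session-close) land here. */
        file traffic {
            any any;
            match RT_FLOW_SESSION;
            archive size 5m files 5;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description LAN;
            family inet {
                address 3.3.3.3/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description DMZ;
            family inet {
                address 4.4.4.4/24;
            }
        }
    }
    /* NOTE(review): the firewall filters isp1-in / isp2-in defined below are not applied here (no 'filter input' on fe-0/0/6 or fe-0/0/7), so they currently have no effect. */
    fe-0/0/6 {
        unit 0 {
            description ISP1;
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            description ISP2;
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        /* Default traffic from the main instance is handed to ISP1's table, which carries its own default route with ISP2 as a backup next hop. */
        route 0.0.0.0/0 next-table ISP1.inet.0;
    }
    rib-groups {
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 ISP1.inet.0 ISP2.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            /* Hide LAN sources behind the egress interface address when leaving toward either ISP. */
            rule-set interface_nat_out {
                from routing-instance default;
                to routing-instance [ ISP1 ISP2 ];
                rule interface_nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* FIX(review): pool was 3.3.3.3/24, i.e. the whole LAN subnet. Both rules below match a single /32 and target the firewall's own LAN address, so a single-host pool is what is intended. */
            pool management-ssh {
                address 3.3.3.3/32 port 22;
            }
            /* NOTE(review): not referenced by any destination-nat rule in this config. Same /24 -> /32 correction applied as for management-ssh. */
            pool management-http {
                address 3.3.3.3/32 port 80;
            }
            rule-set management-ISP1 {
                from routing-instance ISP1;
                rule management-ISP1-ssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.1/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool management-ssh;
                    }
                }
            }
            rule-set management-ISP2 {
                from routing-instance ISP2;
                rule management-ISP2-ssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.2/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool management-ssh;
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone ISP1 {
            policy allow_all_isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone LAN to-zone ISP2 {
            policy allow_all_isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* NOTE(review): any source on ISP1 may reach any LAN host on any application (same for ISP2 below) -- this leaves the LAN zone with no inbound filtering. Scope these policies to the services actually published and rely on the default deny for the rest. */
        from-zone ISP1 to-zone LAN {
            policy allow_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone ISP2 to-zone LAN {
            policy allow_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* NOTE(review): no policies reference the DMZ zone, so DMZ traffic in either direction is dropped by the default policy. */
    }
    zones {
        security-zone LAN {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            https;
                            traceroute;
                            ike;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone DMZ {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            traceroute;
                            ping;
                        }
                    }
                }
            }
        }
        /* NOTE(review): ssh and http are accepted directly on the ISP-facing interfaces; with root-login allow this exposes root SSH and cleartext management to the ISP side. */
        security-zone ISP1 {
            interfaces {
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            traceroute;
                            ping;
                            ssh;
                            https;
                            http;
                        }
                    }
                }
            }
        }
        security-zone ISP2 {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ike;
                            traceroute;
                            ssh;
                            http;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    /* NOTE(review): neither filter is applied to an interface in this config; see the interfaces stanza. */
    filter isp1-in {
        term 1 {
            from {
                destination-address {
                    1.1.1.0/24;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then accept;
        }
    }
    filter isp2-in {
        term 1 {
            from {
                destination-address {
                    2.2.2.0/24;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then accept;
        }
    }
}
routing-instances {
    ISP1 {
        instance-type virtual-router;
        interface fe-0/0/6.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                /* Primary default via ISP1; ISP2's gateway is the higher-preference (less preferred) backup. */
                route 0.0.0.0/0 {
                    next-hop 1.1.1.254;
                    qualified-next-hop 2.2.2.254 {
                        preference 10;
                    }
                }
            }
        }
    }
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                /* Mirror of ISP1: primary default via ISP2, ISP1's gateway as backup. */
                route 0.0.0.0/0 {
                    next-hop 2.2.2.254;
                    qualified-next-hop 1.1.1.254 {
                        preference 10;
                    }
                }
            }
        }
    }
    /* NOTE(review): no interface belongs to this instance; it is only populated via the 'inside' rib-group and referenced by the (unapplied) filters above. */
    TRUST-VRF {
        instance-type forwarding;
    }
}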