/* Junos 12.1 SRX configuration: dual-ISP (ge-0/0/0 = ISP1, fe-0/0/2 = ISP2) with
   per-ISP virtual routers, an RPM probe that drives toggle-interface.slax, and
   destination NAT publishing SMTP/SSH/management services from the ISP sides.
   Review annotations below are marked NOTE(review). */
version 12.1R6.5;
system {
    host-name Juniper-2;
    time-zone Europe/Paris;
    root-authentication {
        encrypted-password "xxxxx"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    scripts {
        op {
            file toggle-interface.slax;
        }
    }
    services {
        ssh {
            /* NOTE(review): root SSH login is allowed while the ISP1/ISP2 zones below accept
               all system-services and the management-ssh DNAT rules forward port 22 from both
               ISP addresses to lo0 (172.16.172.172). Root is therefore reachable over SSH from
               either ISP side. Prefer a named admin user with root-login deny (or deny-password). */
            root-login allow;
            protocol-version v2;
        }
        /* NOTE(review): J-Web is enabled as plain HTTP only (no https stanza) on every
           interface, and the management-http DNAT rules publish port 80 from both ISP
           addresses to lo0. Management credentials would cross the ISP links in clear text. */
        web-management {
            http {
                interface all;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.5 high 192.168.1.120;
                maximum-lease-time 21600;
                default-lease-time 21600;
                name-server {
                    81.253.149.10;
                    212.27.40.240;
                }
                router {
                    192.168.1.1;
                }
                propagate-settings ge-0/0/1.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* NOTE(review): the security policies below request session-init/session-close logs,
           but this file only keeps 'any critical' plus authorization info. No destination for
           session logs is visible in this configuration - confirm where they are meant to land. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* NOTE(review): no interface carries 'filter input FILTER1'; the filter defined under
       [edit firewall] is not applied anywhere in this configuration. */
    ge-0/0/0 {
        unit 0 {
            description ISP1;
            family inet {
                address 192.168.3.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description LAN;
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            description ISP2;
            family inet {
                address 192.168.5.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* lo0 address is the target of the management-ssh / management-http DNAT pools
                   and the source of the def-gw RPM probe. */
                address 172.16.172.172/32;
            }
        }
    }
}
event-options {
    /* gw-down disables ge-0/0/0.0 when the def-gw/def-gw-ping probe fails; gw-up re-enables
       it on every completed test. Both run the op script with silent 0 (verbose). */
    policy gw-down {
        events ping_probe_failed;
        within 15 {
            trigger on 1;
        }
        attributes-match {
            ping_probe_failed.test-owner matches "^def-gw$";
            ping_probe_failed.test-name matches "^def-gw-ping$";
        }
        then {
            event-script toggle-interface.slax {
                arguments {
                    silent 0;
                    interface ge-0/0/0.0;
                    new_intf_state disable;
                }
            }
        }
    }
    policy gw-up {
        /* NOTE(review): event ID is written upper-case here and lower-case in gw-down
           (ping_probe_failed) - presumably both forms are accepted; worth making consistent. */
        events PING_TEST_COMPLETED;
        within 15 {
            trigger on 1;
        }
        attributes-match {
            ping_test_completed.test-owner matches "^def-gw$";
            ping_test_completed.test-name matches "^def-gw-ping$";
        }
        then {
            event-script toggle-interface.slax {
                arguments {
                    silent 0;
                    interface ge-0/0/0.0;
                    new_intf_state enable;
                }
            }
        }
    }
    event-script {
        file toggle-interface.slax;
    }
}
routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        /* Default route in inet.0 is resolved through the ISP1 virtual router. */
        route 0.0.0.0/0 next-table routing-table-ISP1.inet.0;
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}
security {
    utm {
        feature-profile {
            anti-virus {
                kaspersky-lab-engine {
                    profile junos-av-defaults {
                        notification-options {
                            virus-detection {
                                notify-mail-sender;
                            }
                            fallback-block {
                                administrator-email "xxxxxxxx";
                                notify-mail-sender;
                            }
                        }
                    }
                }
            }
            anti-spam {
                sbl {
                    profile junos-as-defaults {
                        spam-action tag-subject;
                    }
                }
            }
        }
    }
    nat {
        source {
            rule-set interface_nat_out {
                from zone LAN;
                to zone [ ISP1 ISP2 ];
                rule interface_nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool server_mail {
                address 192.168.1.2/32 port 25;
            }
            pool server_mail_ssh {
                address 192.168.1.2/32 port 2222;
            }
            /* Both management pools point at lo0.0, which accepts all host-inbound services
               (see security-zone LAN below). */
            pool management-ssh {
                address 172.16.172.172/32 port 22;
            }
            pool management-http {
                address 172.16.172.172/32 port 80;
            }
            /* NOTE(review): because the ISP->LAN policies below are any/any/any permit, these
               DNAT rule-sets are effectively the only control over what is reachable from the
               ISP sides; anything not matched here still reaches LAN hosts directly if routable. */
            rule-set nat-ssh_yann {
                from routing-instance routing-table-ISP2;
                rule rule1 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool server_mail;
                    }
                }
                rule management-ISP2-ssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.5.2/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool management-ssh;
                    }
                }
                rule management-ISP2-http {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.5.2/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool management-http;
                    }
                }
            }
            rule-set management-ISP1 {
                from routing-instance routing-table-ISP1;
                rule management-ISP1-ssh {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.3.2/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool management-ssh;
                    }
                }
                rule management-ISP1-http {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.3.2/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool management-http;
                    }
                }
                rule ssh_yann {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 2222;
                    }
                    then {
                        destination-nat pool server_mail_ssh;
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone ISP1 {
            policy allow_all_isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone LAN to-zone ISP2 {
            policy allow_all_isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone ISP1 to-zone LAN {
            /* NOTE(review): any/any/any permit from the ISP1-facing zone into LAN. Policies are
               evaluated in order, so ISP1_ssh_yann below is shadowed and never reached. If only
               the published services are intended, this policy should be removed or narrowed
               to the DNAT'd destinations; the same applies to allow_all under ISP2 to LAN. */
            policy allow_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* NOTE(review): application ssh_yann requires source-port 2222 as well as
               destination-port 2222; clients normally use an ephemeral source port, so this
               match presumably never hits - confirm, or drop source-port from the application. */
            policy ISP1_ssh_yann {
                match {
                    source-address any;
                    destination-address server_mail;
                    application ssh_yann;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ISP2 to-zone LAN {
            policy allow_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* Shadowed by allow_all above (see note under from-zone ISP1 to-zone LAN). */
            policy server_mail__yann {
                match {
                    source-address any;
                    destination-address server_mail;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone LAN {
            policy intrazone {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone LAN {
            address-book {
                address server_mail 192.168.1.2/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* Interface-level list narrows the zone-level 'all' for the LAN port. */
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            https;
                            traceroute;
                            ike;
                            dhcp;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                /* NOTE(review): lo0.0 is where the management DNAT pools land; with 'all'
                   here every host service on the device becomes reachable through those
                   rules. Consider listing only ssh (and https if J-Web is moved to https). */
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        /* NOTE(review): both ISP-facing zones and their interfaces accept all system-services
           and all protocols directly on the ISP addresses, independently of the DNAT rules.
           Restrict to what must be reachable from the ISP side (the configuration shows no
           inbound requirement beyond the DNAT'd ports). */
        security-zone ISP1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ISP2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    /* NOTE(review): FILTER1 (forward port-25 traffic via the ISP2 virtual router) is not
       applied to any interface in this configuration, and TERM1 matches destination-port
       without a protocol match - confirm both are intended. */
    filter FILTER1 {
        term TERM1 {
            from {
                destination-port 25;
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            then accept;
        }
    }
}
routing-instances {
    /* Each virtual router prefers its own ISP gateway and falls back to the other one at
       preference 100. */
    routing-table-ISP1 {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            interface-routes {
                rib-group inet IMPORT-PHY;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 192.168.3.1;
                    qualified-next-hop 192.168.5.1 {
                        preference 100;
                    }
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type virtual-router;
        interface fe-0/0/2.0;
        routing-options {
            interface-routes {
                rib-group inet IMPORT-PHY;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 192.168.5.1;
                    qualified-next-hop 192.168.3.1 {
                        preference 100;
                    }
                }
            }
        }
    }
}
services {
    rpm {
        probe def-gw {
            /* NOTE(review): the probe targets 192.168.3.254 while the ISP1 default route uses
               next-hop 192.168.3.1 - confirm the target is the address whose loss should
               disable ge-0/0/0.0. Five ICMP probes 15 s apart, test every 60 s. */
            test def-gw-ping {
                probe-type icmp-ping;
                target address 192.168.3.254;
                probe-count 5;
                probe-interval 15;
                test-interval 60;
                source-address 172.16.172.172;
                traps test-completion;
            }
        }
    }
}
applications {
    application ssh_yann {
        protocol tcp;
        source-port 2222;
        destination-port 2222;
    }
    /* NOTE(review): this appears to reuse the name of the predefined junos-cifs application
       set for a custom SSH application - confirm it is intended; a distinct name avoids
       confusion with the built-in set. */
    application-set junos-cifs {
        application ssh_yann;
    }
}