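version 21.2R1.10;
/* Sales-office branch gateway. ge-0/0/0 is the Internet uplink (VLAN INTERNET,
   L3 on irb.20, 2.2.2.210/29); ge-0/0/1..7 are LAN switch ports (VLAN OFFICE,
   L3 on irb.0, 192.168.11.254/24); st0.1 is the route-based IPsec tunnel to the
   main office (172.16.254.0/24). */
system {
    host-name gw-salesoffice;
    .....
    services {
        ssh;
        netconf {
            ssh;
        }
        /* Leases are served on irb.0 only; the matching pool is
           access address-assignment pool junosDHCPPool (192.168.11.0/24). */
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
    }
    domain-name somedomain.com;
    time-zone America/New_York;
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    /* Every commit ships the full configuration, including the IKE
       pre-shared key. $9$ is reversible obfuscation, not a hash, so the
       archive-sites and their transport must be treated as secret-bearing
       (authenticated transport, restricted storage). */
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                .....
            }
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NOTE(review): time sync is unauthenticated; add authentication-key /
       trusted-key if the upstream servers support it. */
    ntp {
        server 72.5.72.15;
        server 74.6.168.73;
    }
}
security {
    ike {
        /* NOTE(review): version v1-only with proposal-set standard pins this
           tunnel to IKEv1 and the Junos "standard" set, which per Juniper's
           documentation is DH group 2 with 3DES or AES-128 and SHA-1. Left
           unchanged because the main-office peer must match; plan a move to
           version v2-only plus an explicit proposal (AES-GCM, group19 or
           better) and a PSK rotation together with the peer. */
        policy GW-MAINOFFICE-POLICY {
            mode main;
            proposal-set standard;
            /* Placeholder value in this listing; the real key is stored
               $9$-encoded and is recoverable from any config archive. */
            pre-shared-key ascii-text "$9$SomePasswordHere";
        }
        gateway GW-MAINOFFICE {
            ike-policy GW-MAINOFFICE-POLICY;
            address 1.1.1.98;
            external-interface irb.20;
            version v1-only;
        }
    }
    ipsec {
        policy IPSEC-POLICY-STD {
            /* PFS with group19 (P-256) for the child SAs; the IPsec "standard"
               proposal set itself still carries SHA-1 integrity and 3DES. */
            perfect-forward-secrecy {
                keys group19;
            }
            proposal-set standard;
        }
        vpn IPSEC-VPN-MAINOFFICE {
            bind-interface st0.1;
            ike {
                gateway GW-MAINOFFICE;
                ipsec-policy IPSEC-POLICY-STD;
            }
            establish-tunnels on-traffic;
        }
    }
    screen {
        /* Applied to zone INTERNET only. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set OFFICE-to-INTERNET {
                from zone OFFICE;
                to zone INTERNET;
                rule NAT-OFFICE-INTERNET {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Port forwards to the two cameras. Every pool keeps the public
               port, so the post-NAT port the security policy sees equals the
               port matched by the rule below. The rules match on port only,
               i.e. TCP and UDP alike. */
            pool CAM200-8000 { address 192.168.11.200/32 port 8000; }
            pool CAM200-1001 { address 192.168.11.200/32 port 1001; }
            pool CAM200-8554 { address 192.168.11.200/32 port 8554; }
            pool CAM201-8080 { address 192.168.11.201/32 port 8080; }
            pool CAM201-1002 { address 192.168.11.201/32 port 1002; }
            pool CAM201-8555 { address 192.168.11.201/32 port 8555; }
            rule-set RULE-NAT {
                from zone INTERNET;
                rule R8000 { match { destination-address 2.2.2.210/32; destination-port { 8000; } } then { destination-nat { pool { CAM200-8000; } } } }
                rule R1001 { match { destination-address 2.2.2.210/32; destination-port { 1001; } } then { destination-nat { pool { CAM200-1001; } } } }
                rule R8554 { match { destination-address 2.2.2.210/32; destination-port { 8554; } } then { destination-nat { pool { CAM200-8554; } } } }
                rule R8080 { match { destination-address 2.2.2.210/32; destination-port { 8080; } } then { destination-nat { pool { CAM201-8080; } } } }
                rule R1002 { match { destination-address 2.2.2.210/32; destination-port { 1002; } } then { destination-nat { pool { CAM201-1002; } } } }
                rule R8555 { match { destination-address 2.2.2.210/32; destination-port { 8555; } } then { destination-nat { pool { CAM201-8555; } } } }
            }
        }
    }
    policies {
        from-zone OFFICE to-zone OFFICE {
            policy OFFICE-to-OFFICE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone OFFICE to-zone INTERNET {
            policy OFFICE-to-INTERNET {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone INTERNET to-zone OFFICE {
            /* Inbound from the Internet is limited to the camera port forwards.
               Policy is evaluated after destination NAT, so the application
               sets below restate exactly the dNAT'd ports instead of "any";
               192.168.11.0/24 is not Internet-routable, so nothing else can
               reach these hosts. NOTE(review): source-address any exposes the
               camera services to the whole Internet; restrict to known viewer
               prefixes if those are known. */
            policy CAM200-ACCESS {
                match {
                    source-address any;
                    destination-address CAMSERV200;
                    application CAM200-SVCS;
                }
                then {
                    permit;
                }
            }
            policy CAM201-ACCESS {
                match {
                    source-address any;
                    destination-address CAMSERV201;
                    application CAM201-SVCS;
                }
                then {
                    permit;
                }
            }
        }
        from-zone OFFICE to-zone VPN-MAINOFFICE {
            policy OFFICE-VPN-MAINOFFICE-VPN {
                match {
                    source-address SALES-NET;
                    destination-address MAINOFFICE-NET;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN-MAINOFFICE to-zone OFFICE {
            policy VPN-MAINOFFICE-OFFICE-VPN {
                match {
                    source-address MAINOFFICE-NET;
                    destination-address SALES-NET;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone OFFICE {
            address-book {
                address CAMSERV200 192.168.11.200/32;
                address CAMSERV201 192.168.11.201/32;
                address SALES-NET 192.168.11.0/24;
            }
            /* Trusted LAN: all host-bound services and protocols are accepted
               here, but management ports are still gated by ADMIN-FILTER on lo0. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone INTERNET {
            address-book {
                address MAINOFFICE-NET 172.16.254.0/24;
            }
            screen untrust-screen;
            /* Deliberately no zone-level host-inbound-traffic: a zone-level
               "system-services all" would apply to any interface later placed
               in this zone without its own list. irb.20 carries an explicit
               interface-level list, which takes precedence over the zone level.
               ssh/https here are reachable from the Internet and rely on
               ADMIN-FILTER (lo0) to restrict them to ADMIN-IPS. */
            interfaces {
                irb.20 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ssh;
                            ping;
                            https;
                            tcp-encap;
                        }
                    }
                }
            }
        }
        security-zone VPN-MAINOFFICE {
            address-book {
                address MAINOFFICE-NET 172.16.254.0/24;
            }
            interfaces {
                st0.1;
            }
        }
    }
}
interfaces {
    ge-0/0/0 { description INTERNET; unit 0 { family ethernet-switching { vlan { members INTERNET; } } } }
    ge-0/0/1 { enable; unit 0 { family ethernet-switching { vlan { members OFFICE; } } } }
    ge-0/0/2 { unit 0 { family ethernet-switching { vlan { members OFFICE; } } } }
    ge-0/0/3 { unit 0 { family ethernet-switching { vlan { members OFFICE; } } } }
    ge-0/0/4 { unit 0 { family ethernet-switching { vlan { members OFFICE; } } } }
    ge-0/0/5 { unit 0 { family ethernet-switching { vlan { members OFFICE; } } } }
    ge-0/0/6 { unit 0 { family ethernet-switching { vlan { members OFFICE; } } } }
    ge-0/0/7 { unit 0 { family ethernet-switching { vlan { members OFFICE; } } } }
    irb {
        unit 0 {
            family inet {
                address 192.168.11.254/24;
            }
        }
        unit 20 {
            description INTERNET;
            family inet {
                address 2.2.2.210/29;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* All traffic addressed to the device itself, from any zone,
                   passes this filter before reaching the routing engine. */
                filter {
                    input ADMIN-FILTER;
                }
            }
        }
    }
    st0 {
        unit 1 {
            description MAINOFFICE;
            family inet;
        }
    }
}
/* ADMIN-IPS are permitted ssh access */
policy-options {
    prefix-list ADMIN-IPS {
        /* Network form of the same /24; the previous 3.3.3.3/24 (host bits set)
           covered the identical range but read like a single host. */
        3.3.3.0/24;
    }
}
firewall {
    /* Management-plane ACL: drop TCP to the device's SSH, Telnet, HTTPS (J-Web)
       and NETCONF-over-SSH (830) ports unless the source is in ADMIN-IPS.
       HTTPS and 830 are included so the https service on irb.20 and the
       netconf service get the same gate as ssh; everything else (IKE, ICMP,
       DHCP, tunnel traffic) is accepted by the second term. */
    filter ADMIN-FILTER {
        term BLOCK-NON-ADMIN {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    ADMIN-IPS except;
                }
                protocol tcp;
                destination-port [ ssh telnet https 830 ];
            }
            then {
                count BLOCK-COUNT;
                discard;
            }
        }
        term accept_everything_else {
            then accept;
        }
    }
}
access {
    address-assignment {
        /* The DHCP server listens on irb.0 (192.168.11.254/24), so the pool
           has to be in that subnet; the previous 192.168.1.0/24 pool could not
           be matched and no lease would have been offered. The fixed hosts
           .200/.201 (cameras, see dNAT) and .254 (gateway) lie outside the range. */
        pool junosDHCPPool {
            family inet {
                network 192.168.11.0/24;
                range junosRange {
                    low 192.168.11.2;
                    high 192.168.11.199;
                }
                dhcp-attributes {
                    router {
                        192.168.11.254;
                    }
                    /* NOTE(review): ge-0/0/0.0 is an ethernet-switching port and
                       the uplink address on irb.20 is static, so there appear to
                       be no learned DHCP settings to propagate; confirm, or hand
                       out name-servers explicitly here instead. */
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
applications {
    application SSH-4022 {
        protocol tcp;
        destination-port 4022;
    }
    /* Camera services, one term per transport so the policy covers the same
       traffic the port-only dNAT rules translate (TCP and UDP). */
    application CAM200-SVCS {
        term tcp-8000 { protocol tcp; destination-port 8000; }
        term udp-8000 { protocol udp; destination-port 8000; }
        term tcp-1001 { protocol tcp; destination-port 1001; }
        term udp-1001 { protocol udp; destination-port 1001; }
        term tcp-8554 { protocol tcp; destination-port 8554; }
        term udp-8554 { protocol udp; destination-port 8554; }
    }
    application CAM201-SVCS {
        term tcp-8080 { protocol tcp; destination-port 8080; }
        term udp-8080 { protocol udp; destination-port 8080; }
        term tcp-1002 { protocol tcp; destination-port 1002; }
        term udp-1002 { protocol udp; destination-port 1002; }
        term tcp-8555 { protocol tcp; destination-port 8555; }
        term udp-8555 { protocol udp; destination-port 8555; }
    }
}
vlans {
    INTERNET {
        vlan-id 20;
        l3-interface irb.20;
    }
    OFFICE {
        vlan-id 3;
        l3-interface irb.0;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
routing-options {
    static {
        /* Provider gateway, first usable address of irb.20's 2.2.2.208/29.
           NOTE(review): the previous value 2.2.2.2.209 had five octets and
           cannot commit; confirm .209 against the provider hand-off. */
        route 0.0.0.0/0 next-hop 2.2.2.209;
        route 172.16.254.0/24 next-hop st0.1;
    }
}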