## Last changed: 2014-02-18 19:22:14 ICT
version 10.4R4.5;
/* Dual-WAN SRX/EX-style branch configuration: two PPPoE uplinks (pp0.0 / pp0.1),
 * eleven routed VLANs split across the "trust" and "Zone1" security zones,
 * interface-based source NAT to the internet and one destination-NAT rule for a camera.
 * Section order follows the Junos display order; annotations (slash-star comments)
 * are placed before the statement they describe. */
system {
    host-name JUNIPER;
    time-zone Asia/Saigon;
    root-authentication {
        /* $2$ hash of the root password is stored here, so the configuration file itself is
         * sensitive; NOTE(review): rotate it if this file has been shared outside the operator. */
        encrypted-password "$2$eCcN2Xpy$P7Xv87MCRug.wYIQlqkN1.";
    }
    services {
        /* SSH is enabled device-wide; which zones may actually reach it is decided per zone
         * under security zones host-inbound-traffic (untrust allows ping only, trust and
         * Zone1 allow all system-services). */
        ssh;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* "messages" keeps critical events plus all authorization (login/commit) records at info;
         * nothing is shipped off-box, so logs survive only until the archive rotates (3 x 100k). */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* ge-0/0/0 and ge-0/0/15 are the physical PPPoE uplinks; the PPPoE sessions themselves are
     * pp0.0 and pp0.1 below, which are the only interfaces in the untrust zone. */
    ge-0/0/0 {
        unit 0 {
            description ISP1;
            encapsulation ppp-over-ether;
        }
    }
    /* Trunk carrying every VLAN (members all) to a downstream switch; untagged frames are
     * placed in VLAN 1. Because "all" includes VLAN 100, a device behind this trunk can
     * reach the Zone1 segment as well as the trust segments. */
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
                native-vlan-id 1;
            }
        }
    }
    /* ge-0/0/2 through ge-0/0/14 are plain access ports; their VLAN membership is assigned
     * under the vlans stanza at the end of the file. */
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            description ISP2;
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        /* PPPoE client session over ISP1 (ge-0/0/0.0). The "$9$" local-password values are
         * Junos's reversible obfuscation format, not a hash: the PAP credentials for both ISPs
         * are recoverable from this file, which is another reason to treat it as sensitive. */
        unit 0 {
            ppp-options {
                pap {
                    local-name username_abc1;
                    local-password "$9$DFHfTn/A0ORKMoJGDkr";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                /* idle-timeout 0 keeps the session up permanently; auto-reconnect retries every 60 s. */
                idle-timeout 0;
                auto-reconnect 60;
                client;
            }
            family inet {
                /* 1492 leaves room for the PPPoE/PPP headers on a 1500-byte Ethernet link; the
                 * TCP MSS clamp under security flow handles the rest of path-MTU issues. */
                mtu 1492;
                /* Address is learned from the ISP, so the public IP is not fixed by this file. */
                negotiate-address;
            }
        }
        /* PPPoE client session over ISP2 (ge-0/0/15.0); identical settings to unit 0. */
        unit 1 {
            ppp-options {
                pap {
                    local-name username_abc2;
                    local-password "$9$nsPW9tOhclKMX/CKMW87Nik.P3s";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/15.0;
                idle-timeout 0;
                auto-reconnect 60;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
    vlan {
        /* One routed (L3) interface per VLAN; these addresses are the LAN gateways and the
         * source addresses the DHCP relay below uses. vlan.10-vlan.90 and vlan.200 are in the
         * trust zone, vlan.100 is in Zone1. */
        unit 10 {
            family inet {
                address 192.168.10.1/24;
            }
        }
        unit 20 {
            family inet {
                address 192.168.20.1/24;
            }
        }
        unit 30 {
            family inet {
                address 192.168.30.1/24;
            }
        }
        unit 40 {
            family inet {
                address 192.168.40.1/24;
            }
        }
        unit 50 {
            family inet {
                address 192.168.50.1/24;
            }
        }
        unit 60 {
            family inet {
                address 192.168.60.1/24;
            }
        }
        unit 70 {
            family inet {
                address 192.168.70.1/24;
            }
        }
        unit 80 {
            family inet {
                address 192.168.80.1/24;
            }
        }
        unit 90 {
            family inet {
                address 192.168.90.1/24;
            }
        }
        /* VLAN 100 breaks the 192.168.<vlan>.0/24 pattern: it is 192.168.1.0/24, the segment
         * holding the DHCP server (192.168.1.254) and the camera (192.168.1.9) referenced below. */
        unit 100 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 200 {
            family inet {
                address 172.16.0.1/16;
            }
        }
    }
}
forwarding-options {
    helpers {
        /* DHCP (BOOTP) relay from every VLAN, including the Zone1 one, to a single server in
         * 192.168.1.0/24. NOTE(review): the trust-to-Zone1 policy lists no DHCP application;
         * presumably relayed requests count as device-originated traffic and bypass it -- confirm. */
        bootp {
            description "Global DHCP relay service";
            server 192.168.1.254;
            maximum-hop-count 4;
            interface {
                vlan.10;
                vlan.20;
                vlan.30;
                vlan.40;
                vlan.50;
                vlan.60;
                vlan.70;
                vlan.80;
                vlan.90;
                vlan.100;
                vlan.200;
            }
        }
    }
}
routing-options {
    /* Interface (connected) routes are copied into inet.0 and into both per-ISP forwarding
     * instances so that each instance can still reach the LAN. */
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        /* Default route with both PPPoE sessions as next hops. */
        route 0.0.0.0/0 next-hop [ pp0.0 pp0.1 ];
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            /* Everything from trust or Zone1 towards the internet is hidden behind the egress
             * PPPoE interface address (interface NAT). */
            rule-set local-to-internet {
                from zone [ Zone1 trust ];
                to zone untrust;
                rule MASQUERADE {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* NOTE(review): the pool is written as 192.168.1.9/24 although a single camera host
             * appears to be intended; confirm whether /32 was meant. The translated port stays
             * 12345, which does not match the CAMERA application (tcp/26060) defined below. */
            pool CAMERA {
                address 192.168.1.9/24 port 12345;
            }
            /* Inbound port-forward. The matched public address is hard-coded even though pp0
             * negotiates its address, so this rule silently stops matching if the ISP assigns a
             * different one -- presumably 115.78.162.2 is the ISP1-side address; verify. */
            rule-set NAT-IN-SIDE {
                from zone untrust;
                rule NAT-CAMERA1 {
                    match {
                        destination-address 115.78.162.2/32;
                        destination-port 12345;
                    }
                    then {
                        destination-nat pool CAMERA;
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            /* Two address entries and the "Facebook" address-set are defined here but no policy
             * in this file references them; they are currently dead configuration. */
            address-book {
                address 173.252.110.27/32 173.252.110.27/32;
                address 69.171.247.29/32 69.171.247.29/32;
                address-set Facebook {
                    address 173.252.110.27/32;
                    address 69.171.247.29/32;
                }
            }
            /* Only ICMP echo is accepted by the device itself on the internet-facing side. */
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                pp0.0;
                pp0.1;
            }
        }
        security-zone trust {
            /* All device services (including ssh) are reachable from every trust VLAN. */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                vlan.10;
                vlan.20;
                vlan.30;
                vlan.40;
                vlan.50;
                vlan.60;
                vlan.70;
                vlan.80;
                vlan.90;
                vlan.200;
            }
        }
        /* Zone1 holds only VLAN 100 (192.168.1.0/24): the DHCP server and camera segment. */
        security-zone Zone1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                vlan.100;
            }
        }
    }
    policies {
        /* Internet -> Zone1 is permit-any, so anything destination-NATed (or otherwise routed)
         * into Zone1 is allowed, not just the camera port the NAT rule forwards. */
        from-zone untrust to-zone Zone1 {
            policy Untrust-to-Zone1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): Internet -> trust is also permit-any. No destination-NAT rule targets
         * trust, so in practice protection rests only on the trust VLANs using private addresses;
         * the policy itself filters nothing. Confirm a deny (or a specific allow) was not intended. */
        from-zone untrust to-zone trust {
            policy Untrust-to-Trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Outbound from the trust VLANs is restricted to an explicit application list; the
         * application definitions (ports) are under applications below. */
        from-zone trust to-zone untrust {
            policy Trust-to-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application [ HTTP HTTPS POP3 POP3S IMAP IMAPS SMTP SMTPS FTP FTP-DATA DNS LIBRARY LIBRARY1 NET-TIME GAME1 GAME2 SSH PROXY ];
                }
                then {
                    permit;
                }
            }
        }
        /* trust -> Zone1 is limited to syslog, DNS, the camera port and HTTP, whereas
         * Zone1 -> trust (below) is permit-any: the two directions are deliberately asymmetric. */
        from-zone trust to-zone Zone1 {
            policy Trust-to-Zone1 {
                match {
                    source-address any;
                    destination-address any;
                    application [ RSYSLOG DNS CAMERA HTTP ];
                }
                then {
                    permit;
                }
            }
        }
        /* Routed traffic between the trust VLANs is explicitly denied (the default-policy
         * below would deny it as well). */
        from-zone trust to-zone trust {
            policy Trust-to-Trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone Zone1 to-zone untrust {
            policy Zone1-to-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Zone1 to-zone trust {
            policy Zone1-to-Trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    flow {
        /* Clamp TCP MSS on every session to fit the 1492-byte PPPoE MTU. */
        tcp-mss {
            all-tcp {
                mss 1350;
            }
        }
    }
}
routing-instances {
    /* Per-ISP forwarding instances, each preferring one ISP gateway with the other as a
     * higher-preference backup. No firewall filter appears in this file to steer traffic into
     * them, so they have no visible consumer here. The gateway addresses are hard-coded even
     * though pp0 negotiates its address -- presumably the ISP-side peers; verify. */
    routing-table-ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 115.78.128.1;
                    qualified-next-hop 113.172.0.1 {
                        preference 100;
                    }
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 113.172.0.1;
                    qualified-next-hop 115.78.128.1 {
                        preference 100;
                    }
                }
            }
        }
    }
}
applications {
    /* Custom application objects used by the policies above. ASTERISK is defined but not
     * referenced by any policy in this file. */
    application ASTERISK {
        protocol udp;
        destination-port 5060;
    }
    application RSYSLOG {
        protocol tcp;
        destination-port 514;
    }
    /* UDP only: DNS over TCP is therefore not permitted by Trust-to-Untrust or Trust-to-Zone1. */
    application DNS {
        protocol udp;
        destination-port 53;
    }
    application HTTP {
        protocol tcp;
        destination-port 80;
    }
    application HTTPS {
        protocol tcp;
        destination-port 443;
    }
    application POP3 {
        protocol tcp;
        destination-port 110;
    }
    application POP3S {
        protocol tcp;
        destination-port 995;
    }
    application IMAP {
        protocol tcp;
        destination-port 143;
    }
    application IMAPS {
        protocol tcp;
        destination-port 993;
    }
    application SMTP {
        protocol tcp;
        destination-port 25;
    }
    application SMTPS {
        protocol tcp;
        destination-port 465;
    }
    application FTP {
        protocol tcp;
        destination-port ftp;
    }
    application FTP-DATA {
        protocol tcp;
        destination-port ftp-data;
    }
    /* tcp/26060 for the camera; note the inbound destination-NAT rule forwards port 12345 instead. */
    application CAMERA {
        protocol tcp;
        destination-port 26060;
    }
    application LIBRARY {
        protocol tcp;
        destination-port 2000-3000;
    }
    application LIBRARY1 {
        protocol tcp;
        destination-port 9000;
    }
    application NET-TIME {
        protocol udp;
        destination-port 123;
    }
    application GAME1 {
        protocol udp;
        destination-port 9339;
    }
    application GAME2 {
        protocol tcp;
        destination-port 9339;
    }
    /* Named SSH but defined as tcp/25000, not the standard port 22. */
    application SSH {
        protocol tcp;
        destination-port 25000;
    }
    application PROXY {
        protocol tcp;
        destination-port 8080;
    }
}
vlans {
    /* VLAN010 and VLAN200 have no access ports of their own; they are reachable only via
     * the ge-0/0/1 trunk. VLAN100 (Zone1) owns ge-0/0/12 through ge-0/0/14. */
    VLAN010 {
        vlan-id 10;
        l3-interface vlan.10;
    }
    VLAN020 {
        vlan-id 20;
        interface {
            ge-0/0/2.0;
        }
        l3-interface vlan.20;
    }
    VLAN030 {
        vlan-id 30;
        interface {
            ge-0/0/3.0;
        }
        l3-interface vlan.30;
    }
    VLAN040 {
        vlan-id 40;
        interface {
            ge-0/0/4.0;
        }
        l3-interface vlan.40;
    }
    VLAN050 {
        vlan-id 50;
        interface {
            ge-0/0/5.0;
            ge-0/0/10.0;
            ge-0/0/11.0;
        }
        l3-interface vlan.50;
    }
    VLAN060 {
        vlan-id 60;
        interface {
            ge-0/0/6.0;
        }
        l3-interface vlan.60;
    }
    VLAN070 {
        vlan-id 70;
        interface {
            ge-0/0/7.0;
        }
        l3-interface vlan.70;
    }
    VLAN080 {
        vlan-id 80;
        interface {
            ge-0/0/8.0;
        }
        l3-interface vlan.80;
    }
    VLAN090 {
        vlan-id 90;
        interface {
            ge-0/0/9.0;
        }
        l3-interface vlan.90;
    }
    VLAN100 {
        vlan-id 100;
        interface {
            ge-0/0/12.0;
            ge-0/0/13.0;
            ge-0/0/14.0;
        }
        l3-interface vlan.100;
    }
    VLAN200 {
        vlan-id 200;
        l3-interface vlan.200;
    }
}