andrew@MIA-SRX220# show |no-more ## Last changed: 2012-04-13 15:15:49 UTC version 11.4R1.6; } } interfaces { ge-0/0/0 { speed 100m; link-mode full-duplex; unit 0 { description "LINK TO THE INTERNET"; family inet { filter { input packet-mode; output packet-mode; } address 196.x.x.x/30; } } } ge-0/0/1 { unit 0 { description "LINK TO PUBLIC NETWORK"; family ethernet-switching { port-mode trunk; vlan { members [ public-10 management-5 ]; } } } } ge-0/0/2 { unit 0 { family inet { address 172.200.0.253/30; } } } ge-0/0/3 { unit 0 { description "LINK TO DMZ NETWORK"; family inet { filter { input packet-mode; output packet-mode; } address 196.x.x.x/30; } } } vlan { unit 5 { description "SWITCH MANAGEMENT"; family inet { address 10.10.10.1/29; } } unit 10 { description "PUBLIC ACCESS"; family inet { address 196.x.x.x/29; } } unit 20 { family inet { address 172.200.0.253/30; } } } } routing-options { static { route 0.0.0.0/0 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 196.v/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 66.x.x.x/29 next-hop 196.x.x.x; route 66.8x.x.x/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.vx.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196.x.x.x; route 196.3x.x.x/29 next-hop 196.x.x.x; route 196.x.x.x/29 next-hop 196x.x.x; route 196.x.x.x/28 next-hop 196.x.x.x; route 196.x.x.x/28 next-hop 196.x.x.x; route 172.200.0.0/25 next-hop 172.200.0.254; } } protocols { ospf { export export-ospf; area 0.0.0.0 { interface ge-0/0/3.0 { interface-type p2p; } } } lldp { interface all; } stp; } policy-options { prefix-list MIA { 66.x.x.x/29; 66.x.x.x/29; 196.3x.x.x/28; 196.x.x.x/29; 196.x.x.x/29; 196.x.x.x/29; 196.x.x.x/29; 196.3x.x.x/29; 196.x.x.x/29; 196.3x.x.x/29; 196.x.x.x2/29; 196.x.x.x/29; 196.x.x.x/29; 196.x.x.x/29; } policy-statement export-ospf { term 1 { from protocol [ static direct ]; then accept; } term 2 { then reject; } } } security { address-book { private { attach { zone private; } } public { attach { zone public; } } untrust { attach { zone untrust; } } dmz { attach { zone dmz; } } } nat { source { rule-set allow-private { from zone private; to zone untrust; rule source-nat { match { source-address 172.200.0.0/25; destination-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } policies { from-zone public to-zone untrust { policy allow-all { match { source-address any; destination-address any; application any; } then { permit; count; } } } from-zone untrust to-zone public { policy allow-all { match { source-address any; destination-address any; application any; } then { permit; count; } } } from-zone untrust to-zone dmz { policy allow-all { match { source-address any; destination-address any; application any; } then { permit; count; } } } from-zone dmz to-zone untrust { policy allow-all { match { source-address any; destination-address any; application any; } then { permit; count; } } } from-zone private to-zone untrust { policy allow-private-out { match { source-address any; destination-address any; application any; } then { permit; log { session-init; session-close; } count; } } } } zones { security-zone private { interfaces { ge-0/0/2.0 { host-inbound-traffic { system-services { ping; traceroute; } } } } } security-zone public { interfaces { vlan.10 { host-inbound-traffic { system-services { ping; traceroute; } } } vlan.5 { host-inbound-traffic { system-services { ping; traceroute; } } } } } security-zone untrust { interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ping; traceroute; ssh; } } } } } security-zone dmz { interfaces { ge-0/0/3.0 { host-inbound-traffic { system-services { ping; traceroute; ssh; } protocols { ospf; } } } } } } } firewall { family inet { filter packet-mode { term main { from { source-address { 0.0.0.0/0; } destination-prefix-list { MIA; } } then { count pctks; packet-mode; accept; } } term 2 { then accept; } } } } vlans { management-5 { vlan-id 5; l3-interface vlan.5; } private-20 { description "VLAN FOR PRIVATE ACCESS"; vlan-id 20; l3-interface vlan.20; } public-10 { description "VLAN FOR PUBLIC ACCESS"; vlan-id 10; l3-interface vlan.10; } } [edit] andrew@MIA-SRX220#