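/*
 * Junos (SRX) configuration for host rica-rica, reformatted from the
 * single-line CLI dump.  Review findings are left as comments; those marked
 * REVIEW need an operator decision rather than a change made here.
 *
 * Changes made in this revision (everything else is byte-for-byte as dumped):
 *  - fe-0/0/0.0, the internet-facing interface (zone TRUST), no longer opens
 *    every control-plane service and routing protocol to the outside; the box
 *    runs no routing protocol (only a static default), so "protocols all"
 *    bought nothing.
 *  - Inbound policies from that zone into VLAN-10/VLAN-11 evaluate the
 *    specific rule first and deny+log everything else.  The old any/any/any
 *    permit was listed first, so the TEST-WEB-SERVER rule was never reached.
 *  - web-management moved from clear-text HTTP to HTTPS (same port).
 *  - The DHCP default gateway is set per pool instead of globally.
 */
system {
    host-name rica-rica;
    root-authentication {
        /* REVIEW: "$1$" is an MD5-crypt hash.  Re-set the password so it is
         * stored with a stronger format (sha512 / "$6$"); the hash cannot be
         * converted without the plaintext, so it is left as-is.  Treat this
         * dump as containing credentials. */
        encrypted-password "$1$RS24WzbM$cLAloG/XzmYVYx7XMH0Vc/"; ## SECRET-DATA
    }
    login {
        user marlon {
            uid 2006;
            class super-user;
            authentication {
                /* REVIEW: same MD5 ("$1$") hash format as root; re-set. */
                encrypted-password "$1$h4VulmbE$TQveDZNZwgXtwTMnTisYA0"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 3;
            rate-limit 3;
        }
        web-management {
            /* Was "http { port 5050; }": management logins would cross the
             * wire in clear text.  The non-default port is kept. */
            https {
                port 5050;
                system-generated-certificate;
            }
        }
        dhcp {
            default-lease-time 3600;
            domain-name rica-rica.net;
            name-server {
                8.8.8.8;
                8.8.4.4;
            }
            /* The gateway is now per pool.  The previous global
             * "router { 10.10.10.1; 10.10.11.1; }" handed both addresses to
             * every client, so hosts in 10.10.11.0/24 received 10.10.10.1
             * (off-subnet) as their first router. */
            pool 10.10.10.0/24 {
                address-range low 10.10.10.10 high 10.10.10.254;
                router {
                    10.10.10.1;
                }
            }
            pool 10.10.11.0/24 {
                address-range low 10.10.11.10 high 10.10.11.254;
                router {
                    10.10.11.1;
                }
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        description ***TO-INET**;
        unit 0 {
            family inet {
                /* REVIEW: 172.10.0.0/16 is not RFC 1918 space (that block is
                 * 172.16.0.0/12).  Confirm the prefix; if the link is really
                 * public, the RADIUS exchange with 172.10.11.104 (see
                 * [access]) crosses it. */
                address 172.10.11.2/24;
            }
        }
    }
    fe-0/0/1 {
        description ***TO-SEGMENT-10***;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SEGMENT-10;
                }
            }
        }
    }
    fe-0/0/2 {
        description ***T0-SEGMENT-11***;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SEGMENT-11;
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 10.10.10.1/24;
            }
        }
        unit 11 {
            family inet {
                address 10.10.11.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.10.11.1;
    }
}
protocols {
    dot1x {
        /* REVIEW: debug-level tracing with no size/files cap; remove or cap
         * (e.g. "file dot1x size 1m files 3;") once troubleshooting is done. */
        traceoptions {
            file dot1x;
            flag state;
            flag dot1x-debug;
            flag eapol;
        }
        authenticator {
            authentication-profile-name auth;
            interface {
                /* Only the SEGMENT-11 port is authenticated; fe-0/0/1.0
                 * (SEGMENT-10) has no authenticator and admits any host.
                 * "mac-radius restrict" means MAC-based RADIUS only, no EAP;
                 * "no-reauthentication" keeps a session open until link down. */
                fe-0/0/2.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                    no-reauthentication;
                }
            }
        }
    }
}
security {
    screen {
        ids-option ZONE-UNTRUST {
            tcp {
                port-scan threshold 1000;
                syn-flood {
                    alarm-threshold 500;
                    attack-threshold 500;
                    source-threshold 25;
                    timeout 20;
                }
            }
        }
    }
    zones {
        /* REVIEW: despite its name, TRUST holds the internet-facing interface
         * (fe-0/0/0.0, "TO-INET") and carries the ZONE-UNTRUST screen.  The
         * name is kept so policy references stay valid, but read it as
         * "outside" throughout. */
        security-zone TRUST {
            screen ZONE-UNTRUST;
            interfaces {
                fe-0/0/0.0 {
                    /* Was "system-services { http; all; } protocols { all; }".
                     * Nothing in this config needs a routing protocol here and
                     * RADIUS is device-initiated, so only remote management and
                     * ping are accepted.  Add https here (or, better, a
                     * source-restricted firewall filter) only if the web UI must
                     * be reachable from outside. */
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone VLAN-10 {
            address-book {
                /* REVIEW: 10.10.10.10 is the first address of the DHCP pool
                 * for this segment, so if the web server takes a lease its
                 * address (and this policy object) may drift; give it a static
                 * address outside the pool or a reservation.  KEEP-RDP is not
                 * referenced by any policy. */
                address vlan10 10.10.10.10/32;
                address-set TEST-WEB-SERVER {
                    address vlan10;
                }
                address-set KEEP-RDP {
                    address vlan10;
                }
            }
            interfaces {
                vlan.10 {
                    /* Was all/all; the box serves DHCP and management on the
                     * VLANs and nothing else visible in this config. */
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone VLAN-11 {
            interfaces {
                vlan.11 {
                    /* Was all/all; see vlan.10. */
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                            dhcp;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Zone TRUST is the outside, so TRUST -> VLAN-* is the inbound
         * direction.  Junos evaluates policies top-down and stops at the first
         * match.  Return traffic for sessions opened from the VLANs is matched
         * by the session table, not by these policies, so tightening the
         * inbound pairs does not affect outbound access.  Policy names are
         * scoped per zone pair, so the repeated "id_1" is legal, if unhelpful.
         * There are no VLAN-10 <-> VLAN-11 pairs, so inter-VLAN traffic is
         * denied by default. */
        from-zone TRUST to-zone VLAN-10 {
            policy id_1 {
                match {
                    source-address any;
                    destination-address TEST-WEB-SERVER;
                    application [ junos-http Remote-Desktop ];
                }
                then {
                    permit;
                }
            }
            policy TRUST-TO-VLAN-10 {
                /* Was "permit" and listed before id_1, shadowing it.  Logged
                 * denies only reach syslog if security logging is configured,
                 * which is not shown in this dump. */
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone VLAN-10 to-zone TRUST {
            policy TRUST-FROM-VLAN10 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VLAN-11 to-zone TRUST {
            policy id_1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone TRUST to-zone VLAN-11 {
            policy id_1 {
                /* Was "permit" any/any/any from the outside into VLAN-11. */
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    flow {
        syn-flood-protection-mode syn-cookie;
    }
}
access {
    radius-server {
        172.10.11.104 {
            port 1812;
            /* REVIEW: "$9$" is reversible obfuscation, not a hash; anyone with
             * this dump has the shared secret.  Rotate it after sharing the
             * config, and note that RADIUS itself only MD5-protects the
             * password attribute on the wire. */
            secret "$9$P5F/1RSeMX/Cu1EhvM7-Vb4Z"; ## SECRET-DATA
            retry 5;
        }
    }
    profile auth {
        authentication-order radius;
        radius {
            authentication-server 172.10.11.104;
        }
    }
}
applications {
    /* REVIEW: named Remote-Desktop but matches TCP/5555, not the usual 3389;
     * confirm the server really listens there, since this object is what the
     * inbound TEST-WEB-SERVER policy exposes. */
    application Remote-Desktop {
        protocol tcp;
        destination-port 5555;
    }
}
vlans {
    SEGMENT-10 {
        vlan-id 10;
        l3-interface vlan.10;
    }
    SEGMENT-11 {
        vlan-id 11;
        l3-interface vlan.11;
    }
}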