part 2 of juniper config:
/* Security policies (part 2). Within each from-zone/to-zone pair the policies
   are evaluated top-down and the first match wins, so ordering matters and a
   catch-all deny/reject policy must stay last in its pair. */
policies {
/* iScsi -> expo: fully open (any/any/any), logged at session close and counted. */
from-zone iScsi to-zone expo {
policy iScsi-replication {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
count;
}
}
}
/* expo -> iScsi: the reverse direction is equally open, logged but not counted. */
from-zone expo to-zone iScsi {
policy iScsi-inbound {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
/* internet -> DMZ: only HTTP/HTTPS from any source to the IVE (SSL VPN) host.
   NOTE(review): plain junos-http is permitted alongside https; confirm it is
   needed (e.g. for a redirect only). */
from-zone internet to-zone DMZ {
policy ive-inbound {
match {
source-address any;
destination-address JuniperIVE;
application [ junos-https junos-http ];
}
then {
permit;
log {
session-close;
}
}
}
}
/* expo -> DMZ: fully open (any/any/any), logged at session close. */
from-zone expo to-zone DMZ {
policy expo-inbound {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
/* DMZ -> trust: what the IVE and its Network Connect clients may reach inside. */
from-zone DMZ to-zone trust {
/* RDP from the IVE to the terminal server only. */
policy IVE-to-TS {
match {
source-address JuniperIVE;
destination-address EMS-TS;
application RDP-3389;
}
then {
permit;
log {
session-close;
}
}
}
/* IVE and Network Connect client ranges to the Citrix servers with application any.
   An application-set CITRIX-PORTS is defined under applications but is not used
   here; consider narrowing this policy to it. Logs init and close, and counts. */
policy IVE-to-CITRIX {
match {
source-address [ JuniperIVE NC-Client1 NC-NAT-IP ];
destination-address [ CITRIX CITRIX-1 CITRIX-2 ];
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
/* IVE to both domain controllers (address-set EMS-DCs) with application any. */
policy IVE-to-DCs {
match {
source-address JuniperIVE;
destination-address EMS-DCs;
application any;
}
then {
permit;
log {
session-close;
}
}
}
/* IVE to the mail server, HTTPS only (OWA); logs both session-init and session-close. */
policy OWA {
match {
source-address JuniperIVE;
destination-address EMS-MAIL;
application junos-https;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
/* trust -> DMZ: fully open (any/any/any) and carries no log statement at all. */
from-zone trust to-zone DMZ {
policy trust-to-DMZ {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* internet -> trust: inbound services published directly to internal hosts. */
from-zone internet to-zone trust {
/* SMTP only from the MAIL address-set of the internet-zone address-book. */
policy inbound-mail {
match {
source-address MAIL;
destination-address EMS-MAIL;
application junos-smtp;
}
then {
permit;
log {
session-close;
}
}
}
/* TCP/2001 from any internet source to 10.10.1.30. */
policy inbound-2001 {
match {
source-address any;
destination-address 10.10.1.30;
application TCP-2001;
}
then {
permit;
log {
session-close;
}
}
}
/* RDP-3389 from ANY internet source to the terminal server. This is the broadest
   exposure in this part: RDP is reachable from the whole internet while the same
   server is already reachable through the IVE (policy IVE-to-TS). Restrict
   source-address to the known peer(s) or remove it in favour of the IVE path. */
policy inbound-ts {
match {
source-address any;
destination-address EMS-TS;
application RDP-3389;
}
then {
permit;
log {
session-close;
}
}
}
/* RDP-3389 from ANY internet source to EMS-DC2, which is a domain controller
   (member of address-set EMS-DCs). Same concern as inbound-ts with a higher-value
   target. */
policy inbound-ts2 {
match {
source-address any;
destination-address EMS-DC2;
application RDP-3389;
}
then {
permit;
log {
session-close;
}
}
}
/* Monitoring agent port (application NIMSOFT, TCP/48003) from ACORA only. */
policy inbound-nimsoft {
match {
source-address ACORA;
destination-address NIMSOFT;
application NIMSOFT;
}
then {
permit;
log {
session-close;
}
}
}
/* CCTV-PORTS from the internet-zone address-set CCTV to the trust-zone address
   CCTV (10.10.0.50). Address-books are zone-scoped, so the two CCTV names are
   different objects. */
policy inbound-cctv {
match {
source-address CCTV;
destination-address CCTV;
application CCTV-PORTS;
}
then {
permit;
log {
session-close;
}
}
}
/* TCP/5000 from a single external host to 10.10.6.1. */
policy inbound-5000 {
match {
source-address 88.xx.xx.xx;
destination-address 10.10.6.1;
application TCP-5000;
}
then {
permit;
log {
session-close;
}
}
}
/* OWA over HTTPS from any source. */
policy inbound-owa {
match {
source-address any;
destination-address EMS-MAIL;
application junos-https;
}
then {
permit;
log {
session-close;
}
}
}
/* CRM over HTTPS from any source to the EMS-CRM address-set. */
policy inbound-crm {
match {
source-address any;
destination-address EMS-CRM;
application junos-https;
}
then {
permit;
log {
session-close;
}
}
}
/* TCP/444 from any source to EMS-DC2 (domain controller). Only session-init is
   logged, so no session-close records are produced for this service. */
policy SSLVPN {
match {
source-address any;
destination-address EMS-DC2;
application TCP-444;
}
then {
permit;
log {
session-init;
}
}
}
/* Inbound half of the ATLAS site-to-site VPN; paired with vpnpolicy-trust-internet-cfgr. */
policy vpnpolicy-internet-trust-cfgr {
match {
source-address net-cfgr_10-128-0-128--26;
destination-address net-cfgr_10-10-0-0--16;
application any;
}
then {
permit {
tunnel {
ipsec-vpn ATLAS;
pair-policy vpnpolicy-trust-internet-cfgr;
}
}
}
}
/* Explicit catch-all for this pair: silent deny, logged at session-init. Must stay last. */
policy Deny_Internet_Trust {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-init;
}
}
}
}
/* internet -> expo: the catch-all uses reject rather than deny (the sender is
   notified) and, unlike Deny_Internet_Trust, is not logged. */
from-zone internet to-zone expo {
policy Deny_Internet_Expo {
match {
source-address any;
destination-address any;
application any;
}
then {
reject;
}
}
}
/* trust -> internet: egress from the internal LAN. */
from-zone trust to-zone internet {
/* DNS from INTERNAL, logged. Since outbound-internet below permits everything
   from INTERNAL anyway, this policy only adds per-flow logging for DNS. */
policy outbound-dns {
match {
source-address INTERNAL;
destination-address any;
application [ junos-dns-udp junos-dns-tcp ];
}
then {
permit;
log {
session-close;
}
}
}
/* HTTP/HTTPS to the FACEBOOK address-set, logged separately for the same reason. */
policy outbound-facebook {
match {
source-address INTERNAL;
destination-address FACEBOOK;
application [ junos-http junos-https ];
}
then {
permit;
log {
session-close;
}
}
}
/* Blocks the MSN-PORTS application-set from INTERNAL to anywhere, logged at init.
   Must stay above outbound-internet to take effect. */
policy outbound-msn-deny {
match {
source-address INTERNAL;
destination-address any;
application MSN-PORTS;
}
then {
deny;
log {
session-init;
}
}
}
/* Outbound half of the ATLAS VPN; paired with vpnpolicy-internet-trust-cfgr. */
policy vpnpolicy-trust-internet-cfgr {
match {
source-address net-cfgr_10-10-0-0--16;
destination-address net-cfgr_10-128-0-128--26;
application any;
}
then {
permit {
tunnel {
ipsec-vpn ATLAS;
pair-policy vpnpolicy-internet-trust-cfgr;
}
}
}
}
/* Everything else from INTERNAL is permitted, without logging. */
policy outbound-internet {
match {
source-address INTERNAL;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* iScsi -> internet: HHCL replication over the HHCL IPsec VPN. Unlike the ATLAS
   policies, no pair-policy is declared for this tunnel in either direction. */
from-zone iScsi to-zone internet {
policy HHCL-Replication {
match {
source-address hhcl_local;
destination-address hhcl_remote;
application any;
}
then {
permit {
tunnel {
ipsec-vpn HHCL;
}
}
}
}
}
/* internet -> iScsi: the inbound half of the HHCL replication tunnel. */
from-zone internet to-zone iScsi {
policy HHCL-Replication-In {
match {
source-address hhcl_remote;
destination-address hhcl_local;
application any;
}
then {
permit {
tunnel {
ipsec-vpn HHCL;
}
}
}
}
}
/* trust -> internet2: unrestricted, unlogged egress from INTERNAL. */
from-zone trust to-zone internet2 {
policy outbound-internet2 {
match {
source-address INTERNAL;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* internet2 -> trust: HTTPS to mail and to EMS-DC2. There is no explicit
   catch-all deny in this pair (compare Deny_Internet_Trust); unmatched traffic
   falls through to the default-policy, which is not shown in this part. */
from-zone internet2 to-zone trust {
policy inbound-exchange {
match {
source-address any;
destination-address EMS-MAIL;
application junos-https;
}
then {
permit;
log {
session-close;
}
}
}
/* HTTPS from any source to EMS-DC2 (domain controller), session-init logging only. */
policy inbound-sslvpn {
match {
source-address any;
destination-address EMS-DC2;
application junos-https;
}
then {
permit;
log {
session-init;
}
}
}
}
}
/* Security zones. Address-books are zone-scoped, so a name such as CCTV can
   exist in more than one zone and refers to a different object in each. */
zones {
/* trust: the internal LAN (10.10.0.0/16). */
security-zone trust {
address-book {
address EMS-TS 10.10.1.50/32;
address CITRIX-1 10.10.1.110/32;
address CITRIX-2 10.10.1.111/32;
address EMS-DC1 10.10.1.105/32;
address EMS-DC2 10.10.1.106/32;
address EMS-MAIL 10.10.1.109/32;
/* Named by its IP; used by policy inbound-2001. */
address 10.10.1.30 10.10.1.30/32;
address NIMSOFT 10.10.1.117/32;
/* Named by its IP; used by policy inbound-5000. */
address 10.10.6.1 10.10.6.1/32;
address CCTV 10.10.0.50/32;
address INTERNAL 10.10.0.0/16;
address EMS-CRM01 10.10.1.126/32;
address EMS-CRM02 10.10.1.127/32;
/* Same prefix as INTERNAL, kept under a second name for the ATLAS VPN policy pair. */
address net-cfgr_10-10-0-0--16 10.10.0.0/16;
address-set CITRIX {
address CITRIX-1;
address CITRIX-2;
}
address-set EMS-DCs {
address EMS-DC1;
address EMS-DC2;
}
address-set EMS-CRM {
address EMS-CRM01;
address EMS-CRM02;
}
}
/* The device itself accepts every system service and routing protocol from this
   zone, at both zone and interface level. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* untrust: carries the only screen (IDS options) profile in this part but lists
   no interfaces, while the internet and internet2 zones below have no screen
   statement. NOTE(review): confirm where untrust-screen is actually in effect. */
security-zone untrust {
screen untrust-screen;
}
/* expo: no address-book; the device accepts all services and protocols on ge-0/0/0.0. */
security-zone expo {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* internet: external peers. MAIL-* and FACEBOOK-* are large aggregates (/19 to /22). */
security-zone internet {
address-book {
/* Not referenced by a policy in this part (ive-inbound uses the DMZ-zone JuniperIVE). */
address Juniper-ive 62.xx.xx.xx/32;
address MAIL-1 217.xx.xx.xx/32;
address MAIL-2 86.xx.xx.xx/21;
address MAIL-3 116.xx.xx.xx/21;
address MAIL-4 208.xx.xx.xx/21;
address FACEBOOK-1 204.xx.xx.xx/22;
address FACEBOOK-2 69.xx.xx.xx/20;
address FACEBOOK-3 66.xx.xx.xx/20;
address ACORA 211.xx.xx.xx/32;
/* Named by its IP; the single source allowed by policy inbound-5000. */
address 88.xx.xx.xx 88.xx.xx.xx/32;
address CCTV-1 81.xx.xx.xx/32;
address CCTV-2 81.xx.xx.xx/32;
address CCTV-3 81.xx.xx.xx/29;
address MAIL-5 85.xx.xx.xx/19;
address MAIL-6 103.xx.xx.xx/22;
address MAIL-7 177.xx.xx.xx/22;
address CCTV-MONITORSTATION-1 194.xx.xx.xx/32;
address CCTV-MONITORSTATION-2 82.xx.xx.xx/32;
address CCTV-4 81.xx.xx.xx/32;
/* Only referenced from address-set CCTV in this part; the HHCL VPN policies use
   hhcl_remote instead. Confirm its membership in the CCTV set is intended. */
address HHCL 195.xx.xx.xx/27;
/* Not referenced by a policy in this part. */
address net-cfgr_10-129-2-0--25 10.129.2.0/25;
/* Remote end of the ATLAS VPN (policy pair vpnpolicy-*-cfgr). */
address net-cfgr_10-128-0-128--26 10.128.0.128/26;
/* Remote end of the HHCL replication tunnel. */
address hhcl_remote 172.17.203.0/24;
address-set MAIL {
address MAIL-1;
address MAIL-2;
address MAIL-3;
address MAIL-4;
address MAIL-5;
address MAIL-6;
address MAIL-7;
}
address-set FACEBOOK {
address FACEBOOK-1;
address FACEBOOK-2;
address FACEBOOK-3;
}
address-set CCTV {
address CCTV-1;
address CCTV-2;
address CCTV-3;
address CCTV-MONITORSTATION-1;
address CCTV-MONITORSTATION-2;
address CCTV-4;
address HHCL;
}
}
/* Zone level: only IKE and ping reach the device. The per-interface entries below
   widen this: at-1/0/0.0 accepts https and fe-0/0/7.0 accepts ssh, i.e. device
   management is reachable on internet-zone interfaces unless a loopback filter
   (not shown in this part) restricts the sources. Prefer limiting management to an
   internal/management zone or the VPN. */
host-inbound-traffic {
system-services {
ike;
ping;
}
}
interfaces {
/* IKE and ping only. */
ge-0/0/0.1 {
host-inbound-traffic {
system-services {
ping;
ike;
}
}
}
/* HTTPS to the device (web management) on the ATM uplink. */
at-1/0/0.0 {
host-inbound-traffic {
system-services {
https;
ping;
}
}
}
/* VPN tunnel interface: all routing protocols accepted, no system services. */
st0.1 {
host-inbound-traffic {
protocols {
all;
}
}
}
/* SSH to the device on an internet-zone interface. */
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
ping;
ike;
ssh;
}
}
}
}
}
/* iScsi: storage replication LAN (hhcl_local); the device accepts everything on fe-0/0/3.0. */
security-zone iScsi {
address-book {
address hhcl_local 172.16.1.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/3.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* DMZ: the IVE (SSL VPN appliance) and its Network Connect client pool/NAT address.
   address-set Juniper-NC is not referenced by a policy in this part; IVE-to-CITRIX
   lists the members individually. */
security-zone DMZ {
address-book {
address JuniperIVE 172.30.2.130/32;
address NC-Client1 192.168.200.0/24;
address NC-NAT-IP 10.200.200.200/32;
address-set Juniper-NC {
address JuniperIVE;
address NC-Client1;
address NC-NAT-IP;
}
}
/* The device accepts all services and protocols from the DMZ, at both levels. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* internet2: second uplink; IKE and ping only, no interfaces listed in this part. */
security-zone internet2 {
host-inbound-traffic {
system-services {
ike;
ping;
}
}
}
}
}
/* Policy-based routing: traffic sourced from the listed hosts is steered into the
   daisy-route forwarding instance (term 0); everything else is accepted and routed
   normally (term 1). 10.10.1.106 is EMS-DC2 and 10.10.0.50 is CCTV in the trust
   address-book; 10.10.10.0/24 already covers the two 10.10.10.x /32s. The interface
   this filter is applied to is not shown in this part. */
firewall {
family inet {
filter daisy-internet {
term 0 {
from {
source-address {
10.10.1.107/32;
10.10.1.106/32;
10.10.10.44/32;
10.10.10.59/32;
10.10.10.0/24;
10.10.0.50/32;
}
}
then {
routing-instance daisy-route;
}
}
term 1 {
then accept;
}
}
}
}
/* Forwarding-only instance selected by filter daisy-internet: a single default
   route to an alternate upstream next-hop. */
routing-instances {
daisy-route {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 62.xx.xx.xx;
}
}
}
}
/* Custom applications (TCP/UDP destination ports) and the sets grouping them.
   Referenced by policies in this part: RDP-3389, TCP-2001, TCP-444, NIMSOFT,
   TCP-5000, CCTV-PORTS, MSN-PORTS. Not referenced in this part: XML-8080,
   XML-1494, XML-2598, CITRIX-PORTS, RDP-3390, NEWSMTP. */
applications {
/* Used by IVE-to-TS, inbound-ts and inbound-ts2. */
application RDP-3389 {
protocol tcp;
destination-port 3389;
}
/* Citrix ports, grouped in application-set CITRIX-PORTS below. */
application XML-8080 {
protocol tcp;
destination-port 8080;
}
application XML-1494 {
protocol tcp;
destination-port 1494;
}
application XML-2598 {
protocol tcp;
destination-port 2598;
}
/* MSN ports, grouped in application-set MSN-PORTS below. */
application UDP-1863 {
protocol udp;
destination-port 1863;
}
application UDP-5190 {
protocol udp;
destination-port 5190;
}
/* Name says 6891-6900 but the range is 6800-6900. As a member of MSN-PORTS (used
   by a deny policy) the wider range blocks more than the name suggests; align the
   name with the range or the range with the name. */
application TCP-6891-6900 {
protocol tcp;
destination-port 6800-6900;
}
application UDP-6901 {
protocol udp;
destination-port 6901;
}
application TCP-1863 {
protocol tcp;
destination-port 1863;
}
/* Used by inbound-2001. */
application TCP-2001 {
protocol tcp;
destination-port 2001;
}
/* Used by policy SSLVPN. */
application TCP-444 {
protocol tcp;
destination-port 444;
}
/* Not referenced by a policy in this part. */
application RDP-3390 {
protocol tcp;
destination-port 3390;
}
/* Used by inbound-nimsoft. */
application NIMSOFT {
protocol tcp;
destination-port 48003;
}
/* Used by inbound-5000. */
application TCP-5000 {
protocol tcp;
destination-port 5000;
}
/* CCTV ports, grouped in application-set CCTV-PORTS below. */
application TCP-15000-15007 {
protocol tcp;
destination-port 15000-15007;
}
application UDP-15000-15200 {
protocol udp;
destination-port 15000-15200;
}
/* TCP/587; not referenced by a policy in this part. */
application NEWSMTP {
protocol tcp;
destination-port 587;
}
/* Defined but unused: IVE-to-CITRIX uses application any instead of this set. */
application-set CITRIX-PORTS {
application XML-8080;
application XML-1494;
application XML-2598;
}
/* Denied by outbound-msn-deny. */
application-set MSN-PORTS {
application UDP-1863;
application UDP-5190;
application TCP-6891-6900;
application UDP-6901;
application TCP-1863;
}
/* Used by inbound-cctv. */
application-set CCTV-PORTS {
application TCP-15000-15007;
application UDP-15000-15200;
}
}