http://hizliresim.com/VvbRzq ------------------->flow session
SRX Config
## Last changed: 2016-02-08 11:55:27 GMT
version 12.1X46-D40.2;
system {
host-name Srx210;
time-zone GMT;
root-authentication {
encrypted-password "$1$MC07G1vL$dmgZvsso6mIR4nd1ACIIv/";
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
web-management {
http {
port 8888;
interface [ ge-0/0/0.0 ge-0/0/1.0 fe-0/0/7.0 ];
}
https {
port 4444;
system-generated-certificate;
interface [ ge-0/0/0.0 ge-0/0/1.0 fe-0/0/7.0 ];
}
session {
idle-timeout 60;
}
}
dhcp {
pool 192.168.100.0/24 {
address-range low 192.168.100.50 high 192.168.100.200;
maximum-lease-time 2419200;
default-lease-time 1209600;
name-server {
8.8.8.8;
208.67.222.222;
}
router {
192.168.100.1;
}
}
pool 192.168.120.0/24 {
address-range low 192.168.120.10 high 192.168.120.20;
router {
192.168.120.1;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.111.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.110.1/24;
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members VLAN20;
}
native-vlan-id default;
}
}
}
fe-0/0/6 {
unit 0 {
family inet {
address 212.154.102.29/29;
}
}
}
vlan {
unit 1 {
family inet {
address 192.168.100.1/24;
}
}
unit 20 {
family inet {
address 192.168.120.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 212.154.102.25;
}
}
protocols {
stp;
}
policy ike_pol_PetVPN {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$rFul87ws4JUHbsaUDi5T";
}
gateway gw_PetVPN {
ike-policy ike_pol_PetVPN;
address 85.99.109.181;
no-nat-traversal;
external-interface fe-0/0/6.0;
}
}
policy ipsec_pol_PetVPN {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
vpn PetVPN {
vpn-monitor;
ike {
gateway gw_PetVPN;
ipsec-policy ipsec_pol_PetVPN;
}
establish-tunnels immediately;
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set Nete_Cikis {
from zone [ Camera Hart Trust ];
to zone [ PetVpnZone Untrust ];
rule Source_Nat {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool ExchangeHTTPS {
address 192.168.110.212/32 port 443;
}
pool TermDMS {
routing-instance {
default;
}
address 192.168.110.210/32 port 4406;
}
pool DMS_15000 {
address 192.168.110.5/32 port 15000;
}
pool DMS_15001 {
address 192.168.110.5/32 port 15001;
}
pool DMS_15002 {
address 192.168.110.5/32 port 15002;
}
pool DMS_15003 {
address 192.168.110.5/32 port 15003;
}
pool DMS_15080 {
address 192.168.110.5/32 port 15080;
}
pool DMS_50000 {
address 192.168.110.5/32 port 50000;
}
pool Camera_1 {
address 192.168.111.3/32 port 37777;
}
pool Camera_2 {
address 192.168.111.4/32 port 37779;
}
pool PDC {
address 192.168.110.4/32 port 44060;
}
pool Node1 {
address 192.168.110.201/32 port 44061;
}
pool Node2 {
address 192.168.110.202/32 port 44062;
}
pool SDC {
address 192.168.110.5/32 port 44063;
}
pool Spark {
address 192.168.110.215/32 port 5222;
}
pool Isi_Control {
address 192.168.110.74/32 port 10001;
}
pool DCS_47200 {
address 192.168.110.5/32 port 47200;
}
rule-set VIP {
description "Disaridan Iceriye Yonlenen Portlar";
from interface fe-0/0/7.0;
rule ExchangeHttpS_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 443;
}
then {
destination-nat {
pool {
ExchangeHTTPS;
}
}
}
}
rule DCS_PORT_47200_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 47200;
}
then {
destination-nat {
pool {
DCS_47200;
}
}
}
}
rule DMS_PORT_15000_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 15000;
}
then {
destination-nat {
pool {
DMS_15000;
}
}
}
}
rule DMS_PORT_15001_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 15001;
}
then {
destination-nat {
pool {
DMS_15001;
}
}
}
}
rule DMS_PORT_15002_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 15002;
}
then {
destination-nat {
pool {
DMS_15002;
}
}
}
}
rule DMS_PORT_15003_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 15003;
}
then {
destination-nat {
pool {
DMS_15003;
}
}
}
}
rule DMS_PORT_15080_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 15080;
}
then {
destination-nat {
pool {
DMS_15080;
}
}
}
}
rule DMS_PORT_50000_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 50000;
}
then {
destination-nat {
pool {
DMS_50000;
}
}
}
}
rule PDC_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 44060;
}
then {
destination-nat {
pool {
PDC;
}
}
}
}
rule SDC_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 44063;
}
then {
destination-nat {
pool {
SDC;
}
}
}
}
rule NODE1_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 44061;
}
then {
destination-nat {
pool {
Node1;
}
}
}
}
rule NODE2_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 44062;
}
then {
destination-nat {
pool {
Node2;
}
}
}
}
rule SPARK_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 5222;
}
then {
destination-nat {
pool {
Spark;
}
}
}
}
rule ISI_Control_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 10001;
}
then {
destination-nat {
pool {
Isi_Control;
}
}
}
}
rule CAMERA1_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 37777;
}
then {
destination-nat {
pool {
Camera_1;
}
}
}
}
rule CAMERA2_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 37779;
}
then {
destination-nat {
pool {
Camera_2;
}
}
}
}
rule TERMDMS_NAT {
match {
destination-address 212.154.102.26/32;
destination-port 4406;
}
then {
destination-nat {
pool {
TermDMS;
}
}
}
}
}
}
static {
rule-set Exchange {
from zone Untrust;
rule r1 {
match {
source-address [ 216.104.0.0/19 216.99.128.0/20 150.26.0.0/9 54.219.191.0/25 54.86.63.64/26 150.70.0.0/16 ];
destination-address 212.154.102.26/32;
}
then {
static-nat {
prefix {
192.168.110.212/32;
}
}
}
}
}
}
}
policies {
from-zone Untrust to-zone Trust {
policy Exch-Mip {
description "Trend to Exchange MIP";
match {
source-address trend_micro_mail;
destination-address Exchange;
application junos-smtp;
}
then {
permit;
}
}
policy DMS_Remote {
description "DMS sunucuya remote gelen Honda";
match {
source-address HONDAINTERNETPCLER;
destination-address DMSVR;
application DMS_Remote;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy ExcHTTPS_IsiControl {
description "Exchange Https OWA ve Isi Kontrol Nat";
match {
source-address any;
destination-address [ Exchange ISI_TAKIP ];
application [ Isi_Control SSL_Exchange ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy Spark {
description "Spark Baglantilari Nat";
match {
source-address any;
destination-address Spark_Server;
application Spark;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy Terminal_Servers {
description "Radmin ile Sunuculara Nat";
match {
source-address any;
destination-address Terminal_Servers;
application Terminal_Servers;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
inactive: policy DMS_VIP {
description "DMS PORTLARI NAT";
match {
source-address HONDAINTERNETPCLER;
destination-address DMSVR;
application DMS_PORTS;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone Untrust to-zone Camera {
policy Cameralar {
description "Disaridan Kameralara Nat";
match {
source-address any;
destination-address Camera_IP;
application Camera;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone Trust to-zone Camera {
policy Trust_Camera {
description "Ic Kamera Izleme Portlar";
match {
source-address [ Huseyin Tanju Ugur ];
destination-address Camera_IP;
application any;
}
then {
permit;
}
}
}
from-zone Hart to-zone Untrust {
policy Hart_Untrust {
description "Ubiquitilere Bagli Kullanicilar Nete";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone Hart to-zone Camera {
policy Hart_to_Camera {
description "Ubiquit Cameralar Erissin";
match {
source-address any;
destination-address Camera_IP;
application Camera;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone Trust to-zone Untrust {
policy Serverlar {
description "Komple Izinli PCler";
match {
source-address Serverlar;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy Terakki_Net {
description "Terakkinin Disari Cikisi";
match {
source-address Terakki_Lan;
destination-address any;
application Terakki_Trust_Portlar;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone Ipad to-zone Trust {
policy Ipad_Trust {
description "Ipadler Dms Sunucuya Ulassin";
match {
source-address Ipad_Ipler;
destination-address DMSVR;
application junos-http;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
from-zone Camera to-zone PetVpnZone {
policy CamNet {
match {
source-address Camera_IP;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy OUT {
match {
source-address Camera_IP;
destination-address Petrolyag_LAN;
application any;
}
then {
permit {
tunnel {
ipsec-vpn PetVPN;
pair-policy IN;
}
}
}
}
}
from-zone PetVpnZone to-zone Camera {
policy IN {
match {
source-address Petrolyag_LAN;
destination-address Camera_IP;
application any;
}
then {
permit {
tunnel {
ipsec-vpn PetVPN;
pair-policy OUT;
}
}
}
}
}
default-policy {
deny-all;
}
}
zones {
security-zone Camera {
address-book {
address Camera_IP 192.168.111.0/24;
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
http;
https;
ssh;
}
}
}
}
}
security-zone Trust {
address-book {
address Terakki_Lan 192.168.110.0/24;
address Cisil 192.168.110.29/32;
address DMSVR 192.168.110.210/32;
address Eimza 192.168.110.31/32;
address Exchange 192.168.110.212/32;
address Hasar_Yazici_Utax 192.168.110.73/32;
address Huseyin 192.168.110.40/32;
address ISI_TAKIP 192.168.110.74/32;
address Kiwi_Syslog 192.168.110.72/32;
address Mahmut 192.168.110.19/32;
address Nalan 192.168.110.15/32;
address Netsis 192.168.110.211/32;
address Nihal 192.168.110.24/32;
address NODE1 192.168.110.201/32;
address NODE2 192.168.110.202/32;
address Ozge_Petrolyag 192.168.110.69/32;
address PDC 192.168.110.4/32;
address Rifat 192.168.110.33/32;
address Roberto 192.168.110.9/32;
address SDC 192.168.110.5/32;
address Selen 192.168.110.30/32;
address Spark_Server 192.168.110.215/32;
address Tanju 192.168.110.71/32;
address Ter_Nas 192.168.110.250/32;
address Ter_San 192.168.110.240/32;
address Ugur 192.168.110.39/32;
address Wsus 192.168.110.213/32;
address-set Serverlar {
address Eimza;
address Huseyin;
address ISI_TAKIP;
address Exchange;
address Hasar_Yazici_Utax;
address Mahmut;
address Nalan;
address Netsis;
address Nihal;
address Ozge_Petrolyag;
address Rifat;
address Roberto;
address Spark_Server;
address Tanju;
address Ter_Nas;
address Ter_San;
address Ugur;
address Wsus;
address DMSVR;
}
address-set Terminal_Servers {
address NODE1;
address NODE2;
address PDC;
address SDC;
}
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
http;
https;
ssh;
}
}
}
}
}
security-zone Untrust {
address-book {
address HondaB-NW 192.168.55.0/24;
address HONDAINTERNETPC11 195.174.160.152/32;
address HONDAINTERNETPC13 176.41.7.38/32;
address HONDAINTERNETPC6 212.175.221.10/32;
address HONDAINTERNETPC7 212.175.221.9/32;
address HONDAINTERNETPC99 92.44.76.179/32;
address HondaLAN 207.129.40.0/23;
address trend_micro_1 216.104.0.0/19;
address trend_micro_2 216.99.128.0/20;
address trend_micro_4 150.70.0.0/16;
address trend_micro_5 54.219.191.0/25;
address trend_micro_6 54.86.63.64/26;
address HondaVPN_NW 212.175.221.64/26;
address-set HONDAINTERNETPCLER {
address HONDAINTERNETPC13;
address HONDAINTERNETPC6;
address HONDAINTERNETPC7;
address HONDAINTERNETPC99;
}
address-set trend_micro_mail {
address trend_micro_1;
address trend_micro_2;
address trend_micro_4;
address trend_micro_5;
address trend_micro_6;
}
}
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
https;
}
}
}
}
}
security-zone Hart {
address-book {
address Hart_Ipler 192.168.100.0/24;
}
interfaces {
vlan.1 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
}
}
security-zone Ipad {
address-book {
address Ipad_Ipler 192.168.120.0/24;
}
interfaces {
vlan.20 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
}
}
security-zone PetVpnZone {
address-book {
address Petrolyag_LAN 192.168.1.0/24;
}
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
fe-0/0/6.0;
}
}
}
}
applications {
application DMS_PORTS {
term DMS15000 protocol tcp source-port 0-65535 destination-port 15000;
term DMS15001 protocol tcp source-port 0-65535 destination-port 15001;
term DMS15002 protocol tcp source-port 0-65535 destination-port 15002;
term DMS15003 protocol tcp source-port 0-65535 destination-port 15003;
term DMS15080 protocol tcp source-port 0-65535 destination-port 15080;
term DMS50000 protocol tcp source-port 0-65535 destination-port 50000;
term DCS47200 protocol tcp source-port 0-65535 destination-port 47200;
}
application Camera {
term Cam1 protocol tcp source-port 0-65535 destination-port 37777;
term Cam2 protocol tcp source-port 0-65535 destination-port 37779;
}
application Biotekno_SMS {
protocol tcp;
destination-port 8090;
}
application SSL_Exchange {
protocol tcp;
destination-port 443;
}
application Terminal_Servers {
term Node1 protocol tcp destination-port 44061;
term Node2 protocol tcp destination-port 44062;
term PDC protocol tcp destination-port 44060;
term SDC protocol tcp destination-port 44063;
}
application Spark {
protocol tcp;
destination-port 5222;
}
application Isi_Control {
protocol udp;
destination-port 10001;
}
application Radmin {
protocol tcp;
destination-port 44064;
}
application Remote_Desktop {
protocol tcp;
destination-port 3389;
}
application Radmi1 {
protocol tcp;
destination-port 44063;
}
application Skype {
term Udp protocol udp destination-port 7001;
term Tcp protocol tcp destination-port 1863;
}
application DMS_Remote {
protocol tcp;
destination-port 4406;
}
application-set Sparks {
application Radmin;
application Radmi1;
application Remote_Desktop;
application Spark;
application junos-ping;
}
application-set Terakki_Trust_Portlar {
application Biotekno_SMS;
application junos-dns-udp;
application junos-dns-tcp;
application junos-http;
application junos-https;
application junos-http-ext;
application junos-smtp;
application DMS_PORTS;
application Skype;
}
}
ethernet-switching-options {
voip;
}
vlans {
VLAN20 {
vlan-id 20;
l3-interface vlan.20;
}
default {
vlan-id 1;
l3-interface vlan.1;
}
}