

Chapter 3

Basic NetScreen-5 Network Connection
Follow the instructions in this chapter to set up the NetScreen-5 hardware and to configure the software initially for Transparent or Network Address Translation (NAT) mode. See the NetScreen Concepts and Examples ScreenOS Reference Guide for more configuration options.
Connecting the NetScreen-5 to Networks and Devices
This section explains how to set up the NetScreen-5 hardware connections.
Note: Check your router, hub, or computer documentation to determine if you should reconfigure the device or if you should switch off the power supply when connecting new equipment to the LAN.

1. Install the NetScreen-5 on a level surface.
2. Connect the universal power supply's DC side to the power outlet on the NetScreen-5 device, and the AC side to an AC outlet.
The NetScreen-5 takes up to one minute to start up. There is no ON/OFF switch. If you need to reboot at any point, unplug the NetScreen device for 30 seconds and then plug it back in again.
3. Connect the NetScreen-5 to the network as shown in one of the following illustrations:
- Figure 3-1 "Typical Multiple-Workstation Configuration-Router Connected to the Untrusted Port, LAN Connected to the Trusted Port" on page 314
- Figure 3-2 "Typical Single-Workstation Configuration-Router Connected to the Untrusted Port, Workstation Connected to the Trusted Port" on page 314

Figure 3-1 Typical Multiple-Workstation Configuration-Router Connected to the Untrusted Port, LAN Connected to the Trusted Port

Figure 3-2 Typical Single-Workstation Configuration-Router Connected to the Untrusted Port, Workstation Connected to the Trusted Port


Note: You may have to supply additional cables, depending on your particular configuration. A straight-through cable is a 10/BaseT unshielded twisted pair (UTP) and is usually white. A crossover cable is a 10/BaseT UTP and is usually orange.
A DTE (Data Terminal Equipment) device cannot connect to a DTE port without
a crossover cable. Conversely, a DCE (Data Communications Equipment) device
cannot connect to a DCE port without a crossover cable.


Table 3-1 Typical NetScreen-5 Cable Connections
For a Device Connected to:   Untrusted Port (DTE)*   Trusted Port (DCE)
Workstation (DTE)            crossover               straight-through
Switch/Hub (DCE)             straight-through        crossover
Router§ (DTE)                crossover               straight-through
*An Untrusted Ethernet port is not technically a DTE but, for cabling purposes, should be treated as such.
§ Routers with uplink ports may behave in reverse.
4. If you have not already done so, turn on the power supply to the devices you have connected to the NetScreen-5.
If all cables are connected correctly, the link light for each connection illuminates.

Configuring the NetScreen-5
There are three ways to configure the NetScreen-5 for the first time:
· Using the Quick Start Program.
· Using a Web browser running on a workstation connected via a network to the Trusted port.
· Using CLI via either Telnet or the serial port.
Table 3-2 Administration Configuration Requirements
Configuration Method      Requirements
Quick Start               Netscape® Communicator® v4.5 or greater, or Microsoft® Internet Explorer v5.0 or greater
                          TCP/IP network connection to the NetScreen-5
WebUI via a Web Browser   Netscape Communicator v4.5 or greater, or Microsoft Internet Explorer v5.0 or greater
                          TCP/IP network connection to the NetScreen-5
CLI                       Via the console port, using Hilgraeve® Hyperterminal® or a VT100 terminal emulator on the administrator's workstation and an RS-232 Console cable
                          Via Telnet, using a TCP/IP network connection to the NetScreen device


Table 3-3 Important Default Configuration Settings
Default System IP Address:                192.168.1.1
Default Trusted/Untrusted IP Addresses:   0.0.0.0 (transparent mode)
Default User Name:                        netscreen
Default Password:                         netscreen


Configuring Via the Quick Start Program
The NetScreen-5 comes with the Quick Start disk for easy configuration.
1. Insert the Quick Start disk into the a: drive of the Windows® 95/98 or Windows NT® v4.0 computer on the LAN from which you will configure the unit.
2. On the Windows task bar, click the Start button, and then select Run.
3. At the Command Line, type a:\nsqstart.exe, then select OK.
The NetScreen Quick Start Welcome window appears as in Figure 3-3 on page 17.

Figure 3-3 NetScreen Quick Start Welcome
4. Read the information on the NetScreen Quick Start Welcome screen, then click the Next button.
If there is more than one network card on the computer, the Quick Start program displays their IP addresses and prompts you to select the one for the network on which you are installing the NetScreen-5, as shown in Figure 3-4.

Figure 3-4 Network Card IP Address List
Select the appropriate network card, and then click OK.
Note: The Quick Start program can only find the NetScreen-5 devices on your network that still have the factory default configuration.

5. When the NetScreen Quick Start Select Device dialog box displays, select the NetScreen-5 you want to configure, as shown in Figure 3-5, then click the Next button.

Figure 3-5 NetScreen Quick Start-Select Device
6. Enter the new System IP address for the NetScreen device you are configuring, as shown in Figure 3-6.
This value must be an available address on the Trusted subnet. This is the address that you will use to further manage the NetScreen-5.

Figure 3-6 NetScreen Quick Start-Configuration Dialog Box.
Selecting Transparent Mode
1. To launch your NetScreen-5 in Transparent mode, select Transparent Mode as shown in Figure 3-6.
2. Click Finish.
If you leave the Launch web browser for further configuration check box selected (the default), Quick Start opens your Web browser and displays the User name and Password dialog box as shown in Figure 3-11 on page 325.
If you clear the Launch web browser for further configuration check box, you must start your Web browser manually when Quick Start exits.
Selecting Network Address Translation
1. To launch your NetScreen-5 in NAT mode, select Network Address Translation Mode (NAT).
2. Click Next.
The NAT Configuration screen shown in Figure 3-7 appears.

Figure 3-7 NetScreen Quick Start-Configuring NAT
3. Enter the IP address and subnet mask of the NetScreen-5 Trusted interface.
4. To configure the Untrusted interface, use one of the following three methods:
a. To use Dynamic Host Configuration Protocol, select DHCP.
b. To use Point-to-Point Protocol over Ethernet, select PPPoE and enter the User name and Password for the login prompt.
c. To assign an IP address, subnet mask, and gateway IP address manually, select Manually Assign and then enter the settings in the appropriate fields.
5. Select Finish.
If you leave the Launch web browser for further configuration check box selected (the default), Quick Start opens your Web browser and displays the Username and Password dialog box, as shown in Figure 3-11 on page 325.
If you clear the Launch web browser for further configuration check box, you must start your Web browser manually when Quick Start exits. For more information on logging in manually, see "Logging On" on page 325.
Configuring Via the WebUI
You can also perform the initial configuration through a Web browser without the NetScreen-5 Quick Start disk. To do this, you need to
· Change the IP address of the management workstation to the same subnet as the NetScreen-5 default System IP address.
Then after making an Ethernet connection to the NetScreen-5, you can log on through a Web browser. The following section details this procedure.
Refer back to Table 3-2 on page 316 for administration requirements.
Making a Connection
Before you begin, be sure you connected the NetScreen-5 hardware to the network as outlined on page 313.
Setting the System IP Address
For remote administration of the NetScreen device over a network connection, you must change the system IP address. The NetScreen-5 ships from the factory with a default IP address of 192.168.1.1. To change this to an address on the same subnet as the other network devices to which the NetScreen-5 is connected, follow these steps:
1. Record your workstation's IP address and subnet mask. You must re-enter them later in this process.
Note: To find your workstation IP address: Start > Settings > Control Panel > Network > Configuration, select TCP/IP, and then click Properties.

2. Change the workstation's IP address to 192.168.1.2 and its subnet mask to 255.255.255.0. You might have to restart the workstation for these changes to take effect.
Note: For Windows NT users, ensure that you are logged on to the workstation as an administrator.
3. Start your Web browser.
4. In the URL field of the browser, enter the IP address of the NetScreen-5: http://192.168.1.1.
The Enter Network Password dialog box appears, as shown in Figure 3-8 on page 322.
Note: The NetScreen-5 ships from the factory with the IP address set to 192.168.1.1.


Figure 3-8 Enter Network Password Dialog Box
5. In the dialog box, type netscreen for both the user name and password, and then click OK.
Note: The user name and password are case-sensitive. After configuring the NetScreen device for the first time, change the default user name and password as described later in "Changing the Administrator Login Name and Password" on page 330.

6. An IP Address Configuration dialog box, as shown in Figure 3-9 on page 323, is displayed for first-time configuration.

Figure 3-9 Initial IP Address Configuration
7. Enter a new System IP address and subnet mask for the NetScreen-5, and then click OK to save your settings.
Note: The IP address must be a valid and available IP address on your local network, and the subnet mask must be an appropriate value for your local network.

The Configuring in Progress screen appears, as shown in Figure 3-10.

Figure 3-10 Configuring in Progress Screen
The NetScreen-5 is in Transparent mode. To change it to NAT mode, you must configure the Trusted and Untrusted interfaces. To do that, refer to chapter 2, "System Parameters" in the NetScreen Concepts and Examples ScreenOS Reference Guide.
8. Reconfigure your administration workstation IP address to the original settings that you recorded in the first step. Depending on the operating system, you might have to restart your workstation.
Logging On
Once the IP configuration is complete, you must log on again.
1. When the Web browser is activated, enter the newly created IP address of the NetScreen-5.
The User name and Password dialog box displays.
2. In the User name and Password dialog box, type netscreen for both the user name and password, and then click OK.

Figure 3-11 Username and Password Dialog Box
Note: The login name and password are case-sensitive.

After configuring the NetScreen-5 for the first time, change the user name and password. See "Changing the Administrator Login Name and Password" on page 330 for instructions.
Allowing Outbound Traffic
The NetScreen-5 ships with a default Access Policy allowing all traffic inside the network to access the Internet. The Access Policies pages appear with the Default Outgoing page displayed, as shown in Figure 3-12 on page 326.
Note: For more information on Access Policies, please refer to the NetScreen Concepts and Examples ScreenOS Reference Guide.


Figure 3-12 Default Outgoing Access Policy
Testing the Configuration
Use a Web browser to access an external Web site (for example, www.netscreen.com). You should be able to locate the site and access the available Web pages.
If you cannot access the Web site, check the following:
· Link lights on the NetScreen-5, workstations, hubs, and the router are illuminated.
· The workstation IP and Netmask have the correct settings.
· The workstation gateway points to the router.
· The workstation has a valid DNS entry.
Note: See the NetScreen Command Line Reference Guide.

Configuring Via the CLI
The following section provides information on how to configure the device using the command line interface (CLI).
Making a Connection
You can access the CLI either by connecting directly via a console (serial) cable or over the network via Telnet. Connection instructions are offered for both methods.
Refer to Table 3-2 on page 316 for administration requirements.
Connecting via the Console Port
You need direct access to the NetScreen device you want to configure and the following items before you start:
· An RS-232 male-to-female serial cable
· Microsoft Hyperterminal software on the management workstation (or, if you are using a different operating system, a VT100 terminal emulator)
Follow these steps to connect the NetScreen device to the workstation:
1. Connect the serial cable from the management workstation to the serial port on the NetScreen-5.
2. Start the terminal emulator on the workstation.
3. To create a new connection, type a name, select an icon, and then click OK.
The Connect To dialog box appears.
4. Select the workstation serial port to which the serial cable is connected, and click OK. The COM1 Properties dialog box appears.
5. Configure the port settings as follows, and then click OK.
- Serial communications 9600 bps
- 8 bit, no parity
- 1 stop bit
- no flow control
6. Press ENTER to see the login prompt.
Connecting via Telnet
Telnet operates over TCP/IP networks. It allows you to configure the device using the command line interface (CLI).
Before you begin, be sure you connected the NetScreen-5 hardware to the network as outlined on page 313.
1. Establish a Telnet connection to the NetScreen device.
2. For Host name, type: 192.168.1.1.
Note: Select vt100 for Terminal type.

Logging On
To log on, enter the default administrator name and password.
1. At the login prompt, enter netscreen.
2. At the password prompt, enter netscreen.
Note: The user name and password are case-sensitive.

After configuring the NetScreen-5 for the first time, change the user name and password. See "Changing the Administrator Login Name and Password" on page 330 for instructions.
Setting the System IP Address
You can configure your NetScreen device for either Transparent mode or Network Address Translation (NAT) mode.
Transparent Mode
At the command line enter:
1. set admin sys-ip <a.b.c.d>
2. save
Note: Substitute your actual system IP address for <a.b.c.d>.

Network Address Translation (NAT) Mode
At the command line enter:
1. set admin sys-ip <a.b.c.d>
2. set interface trust ip <a.b.c.d>
3. set interface untrust ip <a.b.c.d>
4. save
Allowing Outbound Traffic
To create an outgoing Access Policy that permits any inside traffic to pass through the firewall and access the Internet, enter the following commands:
1. set policy outgoing "inside any" "outside any" any permit
2. save
Note: Making system-level changes through the CLI does not require restarting the NetScreen-5, whereas making similar changes through the WebUI does.

Testing the Configuration
Use a Web browser to access an external Web site (for example, www.netscreen.com). You should be able to locate the site and access the available Web pages.
See "Testing the Configuration" on page 326 for instructions.
Note: See the NetScreen Command Line Reference Guide.

Changing the Administrator Login Name and Password
Because all NetScreen-5 devices come with the same default login name and password, you should change this information immediately after you install the device. You can change the default administrator login and password either through the WebUI or the CLI.
The information in this guide has been widely published, and failure to change the defaults might expose your system to attack.

Using the WebUI
To change the default administrator login and password via the WebUI:
1. Select the Admin button in the menu column to view the Admin page, as shown in Figure 3-13.

Figure 3-13 The Administration Page
2. Type a new Admin Login Name.
Note: The login name and password must be alphanumeric. The login name and password are case-sensitive.

3. Type the old password (initially netscreen) in the Old Password field. You must enter the old password to change to the new password.
4. Type the new password in the New Password field and the Confirm New Password field.
5. Record the new Administrator Login Name and Password in a secure manner.
Warning
Make sure that you remember your password! If you forget it, you will have to return the unit to the factory for initialization. This feature has been implemented in this manner as an extra security measure.

6. Leave the other fields at their default entries, and select the Apply button.
The changes require the NetScreen-5 to reset, which it automatically does at this point. Figure 3-14 on page 32 shows the system message that appears.

Figure 3-14 The System Message Display
7. Click the Yes button to confirm your command to reset the system.
The next time you log in, use the new login name and password.
Note: To receive important news on product updates, please visit our web site at www.netscreen.com and register your product.

Using the CLI
At the command line enter:
1. set admin name <name>
2. set admin password <password>
Record the new Administrator Login Name and Password in a secure manner.
Make sure that you remember your password! If you forget it, you will have to return the unit to the factory for initialization. This feature has been implemented in this manner as an extra security measure.
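The following is an added example, not part of the original manual or of NetScreen's software: a small review script that reads a planned CLI session built from the commands shown in this chapter and reports factory defaults that would remain in place. The function name audit_cli_script, the sample session, and the addresses in it are constructed for illustration.

```python
import shlex

# Factory defaults listed in this chapter (Table 3-3).
DEFAULT_SYS_IP = "192.168.1.1"
DEFAULT_ADMIN = "netscreen"
ANY_ANY = ["inside any", "outside any", "any", "permit"]

# Constructed sample session: initial setup with no credential change.
SAMPLE = '''set admin sys-ip 10.1.1.5
save
set policy outgoing "inside any" "outside any" any permit
save
'''


def audit_cli_script(text):
    """Return findings for a planned NetScreen-5 CLI session (one command per line).

    Hypothetical review helper: it recognizes only the commands shown in this chapter.
    """
    state = {"sys-ip": DEFAULT_SYS_IP, "name": DEFAULT_ADMIN, "password": DEFAULT_ADMIN}
    findings = []
    unsaved = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw)  # keeps "inside any" as a single token
        if not words:
            continue
        if words == ["save"]:
            unsaved = False
        elif words[0] == "set":
            unsaved = True
            if words[1:2] == ["admin"] and len(words) == 4 and words[2] in state:
                state[words[2]] = words[3]
            elif words[1:3] == ["policy", "outgoing"] and words[3:] == ANY_ANY:
                findings.append(f"line {lineno}: outgoing policy permits any inside "
                                "host to reach any outside host on any service")
    if state["sys-ip"] == DEFAULT_SYS_IP:
        findings.append("system IP is still the factory default 192.168.1.1")
    if state["name"] == DEFAULT_ADMIN:
        findings.append("administrator login name is still the default")
    if state["password"] == DEFAULT_ADMIN:
        findings.append("administrator password is still the default")
    if unsaved:
        # Assumption: the session should end with 'save', as the chapter's sequences do.
        findings.append("'set' commands after the last 'save'")
    return findings


if __name__ == "__main__":
    for finding in audit_cli_script(SAMPLE):
        print(finding)
```

For the sample session, the script reports the permit-all outgoing policy on line 3 and the unchanged administrator name and password.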



NetScreen Technologies Inc.
http://www.netscreen.com
Voice: (408) 730-6000
Fax: (408) 730-6100
sales@netscreen.com