Configuring the NetScreen 10 & 100 for the First Time
This chapter shows you how to configure your NetScreen-10/100 in Transparent mode and allow internal users to access the Internet while denying internal access from the Internet. You do this by setting the System IP address and creating an Access Policy that permits outgoing traffic.
There are two methods for configuring the NetScreen-10/100 for the first time.
Table 6-1 "Administration Requirements" lists the workstation requirements for each method.
Table 6-1 Administration Requirements

| Method | Requirements |
|---|---|
| Web browser (WebUI) | Netscape® Communicator® V4.5 or greater, or Microsoft® Internet Explorer V5.0 or greater; TCP/IP network connection to the NetScreen-10/100 |
| Command line interface (CLI) | Via the console port, using Hilgraeve® Hyperterminal® or a VT100 terminal emulator on the administrator's workstation and an RS-232 console cable; or via Telnet, using a TCP/IP network connection to the NetScreen device |
The installation procedure using a Web browser is explained first, followed by the CLI procedures using the console port and Telnet.
To perform the initial configuration through the WebUI, you need to change the IP address of the management workstation to the same subnet as the NetScreen-10/100 default system IP address. You can then log on through a Web browser and set the system IP address. The following sections detail the procedures for administering the NetScreen-10/100 device from the administrator's workstation.
Before you begin, be sure you have connected the NetScreen-10/100 hardware to the network.
Setting the System IP Address
For remote administration of the NetScreen device over a network connection, you must change the system IP address. The NetScreen-10/100 ships from the factory with a default IP address of 192.168.1.1. To change this to an address on the same subnet as the other network devices to which the NetScreen-10/100 is connected, follow these steps:
1. Record the IP address and subnet mask of your workstation; you must re-enter them later in this process.
2. Change the IP address of the workstation to 192.168.1.2 and the subnet mask to 255.255.255.0. You might have to restart the workstation to enable the changes to take effect. The workstation is now part of the same subnet as the default IP address of the NetScreen-10/100, which is 192.168.1.1.
3. Start your Web browser.
4. In the URL field of the browser, enter the IP address of the NetScreen-10/100: http://192.168.1.1.
5. The Enter Network Password dialog box appears, as shown in Figure 6-1.
Figure 6-1 Enter Network Password Dialog Box
6. In the dialog box, type netscreen for both the user name and password, and then click OK.
7. For the first-time configuration, you are directed to a special setup page as shown in Figure 6-2.
Figure 6-2 Initial IP Address Configuration
8. Enter the IP address and subnet mask for administration of the NetScreen-10/100, and then click OK.
|
Note: Select the Synchronize system clock with this client checkbox to synchronize the NetScreen-10/100 clock with the clock in the administrator's workstation.
|
The IP address must be a valid and available IP address on your local network and the subnet mask must be an appropriate value for your local network.
The Configuring in Progress screen displays as shown in Figure 6-3.
Figure 6-3 Configuring in Progress Screen
9. Reconfigure your administration workstation IP address and subnet mask back to values you recorded in step 1. Depending on the operating system, you might have to restart your workstation.
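The procedure above requires the new system IP to be a valid and available address on your local network with an appropriate subnet mask, but gives no way to check that before committing it and losing the management session. The following helper is an added example, not part of the NetScreen manual: it uses Python's standard ipaddress module to check the parts of that requirement that can be verified offline (the mask is contiguous, the candidate is a host address rather than the network or broadcast address, every neighbouring device you intend to manage it from shares the subnet, and none of them already holds the address). The addresses in the usage section are constructed sample values; "available" in the sense of "nobody else answers ARP for it" still has to be checked on the wire.

```python
"""Sanity-check a planned NetScreen system IP and mask before committing them.

Added example, not from the NetScreen manual.  All sample addresses are
constructed; substitute your own router, workstation and server addresses.
"""
import ipaddress


def validate_system_ip(candidate, mask, neighbours):
    """Return a list of problems; an empty list means the plan is consistent.

    candidate  - the system IP you intend to give the device, e.g. "10.1.1.1"
    mask       - dotted-quad subnet mask, e.g. "255.255.255.0"
    neighbours - addresses of the other devices on the same wire (router, admin
                 workstation, servers).  Each must fall inside the candidate's
                 subnet or it will not be able to reach the device, and none may
                 already hold the candidate address.
    """
    problems = []
    try:
        # ipaddress accepts "addr/dotted-mask"; a non-contiguous mask such as
        # 255.255.0.255 raises ValueError (NetmaskValueError) here.
        iface = ipaddress.ip_interface(f"{candidate}/{mask}")
    except ValueError as err:
        return [f"invalid address or mask: {err}"]

    net = iface.network
    # The all-zeros and all-ones host parts are not usable as a device address.
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{candidate} is the network or broadcast address of {net}")

    for n in neighbours:
        try:
            addr = ipaddress.ip_address(n)
        except ValueError:
            problems.append(f"neighbour {n!r} is not a valid IP address")
            continue
        if addr == iface.ip:
            problems.append(f"{candidate} is already in use by a neighbour")
        elif addr not in net:
            problems.append(
                f"neighbour {n} is not on {net}; it could not reach the device"
            )
    return problems


if __name__ == "__main__":
    # Factory state from the manual: device 192.168.1.1/24, workstation 192.168.1.2.
    print(validate_system_ip("192.168.1.1", "255.255.255.0", ["192.168.1.2"]))
    # Constructed production plan: router .254 and admin workstation .20 on 10.1.1.0/24.
    print(validate_system_ip("10.1.1.1", "255.255.255.0", ["10.1.1.254", "10.1.1.20"]))
    # Typical mistakes: picking the broadcast address, or a neighbour on another subnet.
    print(validate_system_ip("10.1.1.255", "255.255.255.0", ["10.1.1.254"]))
    print(validate_system_ip("10.1.1.1", "255.255.255.0", ["10.1.2.254"]))
```

Run it before step 8 with the address you plan to type into the setup page; if it reports that the administrator's workstation is not on the new subnet, step 9 (restoring the workstation's original address) will leave you unable to log on again.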
Once the IP configuration is complete, you must log on again.
1. In the URL field of the browser, enter the new IP address for the NetScreen device.
The Enter Network Password dialog box re-appears, as shown in Figure 6-4.
Figure 6-4 Enter Network Password Dialog Box
2. In the dialog box, type netscreen for both the user name and password, and then click OK. Remember that the user name and password are case-sensitive.
The Access Policies pages appear, with the Outgoing Access Policies page displayed, as shown in Figure 6-5. You are now logged on to the NetScreen-10/100.
Figure 6-5 Access Policies Pages
Figure 6-5 Access Policies Pages
Allowing Outbound Traffic
1. Click the New Policy option in the lower left corner of the Access Policies page. The Policy Configuration dialog box appears.
Figure 6-6 New Policy Page
2. Set an Access Policy that allows all inside hosts to access the Internet. Set the options as follows:
- Name: This is optional.
- Source Address: Inside Any (Inside Any is a predefined address for any host on the Trusted network)
- Destination Address: Outside Any (Outside Any is a predefined address for any location on the Untrusted network, i.e. the Internet)
- Service: Any (Any is a predefined value for any IP service)
- Action: Permit (Allows the traffic defined by the Access Policy)
- Leave the rest of the options at their default values, and click the OK button.
The Outgoing Access Policies page now has one Access Policy that permits any inside traffic to pass through the firewall and access the Internet, as shown in Figure 6-7. Note that Service: Any permits every IP service outbound; once basic connectivity is confirmed, tighten this to the services your users actually need.
Figure 6-7 Access Policies Page
Because there is no need to configure other interface IP settings, your NetScreen-10/100 configuration for Transparent mode is now complete.
Changing the Administrator Login Name and Password
Because all NetScreen units come with the same default name and password, it is highly recommended that you change the default Admin Login name and Password.
|
Note: The information in this guide has been widely published, and failure to change the defaults might expose your system to attack.
|
1. Admin >> Admin >> Edit: Enter the following and then click OK:
New Password: <new password>
Confirm Password: <new password>
The Enter Network Password dialog box appears.
|
Note: The login name and password are case-sensitive.
|
2. Enter your new user name and password, and then click OK.
The next time you log on, you must supply the new login name and password.
3. Record the new Administration name and Password in a secure manner.
|
Make sure that you remember your password! If you forget it, you will have to return the unit to the factory for initialization. This feature has been implemented in this manner as an extra security measure.
|
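The note above is the security-relevant point of this chapter: the factory login is published in this very guide, so the change should be verified, not assumed. The following check is an added example and is not NetScreen's own code or procedure. It assumes the browser's "Enter Network Password" prompt is HTTP Basic authentication and that the device answers 200 to a valid login and 401 to an invalid one; the small HTTP server embedded in the block is a constructed stand-in for an unconfigured device so the check runs offline. Point still_has_default_credentials() at a real device's new system IP to audit it after completing the steps above. It tries exactly one credential pair, so it is a configuration check, not a brute-force tool.

```python
"""Check whether a NetScreen-style WebUI still accepts the factory default login.

Added example, not from the NetScreen manual.  Assumptions: the WebUI login
prompt is HTTP Basic authentication, 200 means accepted and 401/403 means
rejected.  _FakeDevice below is a constructed stand-in for the real device.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Factory defaults documented in the manual.
DEFAULT_USER = "netscreen"
DEFAULT_PASSWORD = "netscreen"


def accepts_login(host, port, user, password, timeout=5.0):
    """Return True if http://host:port/ accepts user:password via Basic auth.

    Returns False on 401/403.  Any other failure (no route, connection refused,
    unexpected status) is re-raised so that a network problem is never reported
    as 'credentials rejected'.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(f"http://{host}:{port}/",
                  headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def still_has_default_credentials(host, port=80):
    """True if the factory default netscreen/netscreen login is still accepted."""
    return accepts_login(host, port, DEFAULT_USER, DEFAULT_PASSWORD)


class _FakeDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for an unconfigured device: only the default login works."""
    EXPECTED = "Basic " + base64.b64encode(
        f"{DEFAULT_USER}:{DEFAULT_PASSWORD}".encode()).decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.EXPECTED:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Access Policies</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="NetScreen"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def demo():
    """Run the check against the local stand-in; returns (default_ok, changed_ok)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeDevice)  # port 0 = pick a free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        default_ok = still_has_default_credentials("127.0.0.1", port)
        changed_ok = accepts_login("127.0.0.1", port, "admin", "S0me-Strong-Passw0rd")
    finally:
        server.shutdown()
        server.server_close()
    return default_ok, changed_ok


if __name__ == "__main__":
    default_ok, changed_ok = demo()
    print("factory default netscreen/netscreen accepted:", default_ok)  # True on the stand-in
    print("non-default login accepted:", changed_ok)                    # False on the stand-in
```

Against a properly configured unit, still_has_default_credentials() must return False; a True result means the step above did not take effect and the device is reachable with published credentials.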
Testing the Configuration
Use your Web browser to access an external Web site (for example, www.netscreen.com). You should be able to locate the site and access the available Web pages.
If you cannot access the Web site, check the following:
· The power, status and link lights on the NetScreen-10/100 are illuminated.
· The LEDs on the host, hubs and router are illuminated.
· The administrator's workstation IP address and subnet mask are correct.
· The workstation gateway points to the external router.
· The workstation has a valid Domain Name Service (DNS) entry.
|
Note: For more information and examples on other configuration options, please refer to the NetScreen Concepts & Examples ScreenOS Reference Guide.
|
The following section provides information on how to configure the device using the command line interface (CLI).
You can access the CLI either directly, via a console (serial) cable, or over the network via Telnet. Connection instructions are given for both methods.
Connecting via the Console Port
You need direct access to the NetScreen device you want to configure and the following items before you start:
· An RS-232 male-to-female serial cable
· Microsoft Hyperterminal software on the management workstation (or, if you are using a different operating system, a VT100 terminal emulator)
Follow these steps to connect the NetScreen device to the workstation:
1. Connect the serial cable from the management workstation to the serial port on the NetScreen-10/100.
2. Start the terminal emulator on the workstation.
3. To create a new connection, type a name, select an icon, and then click OK.
The Connect To dialog box appears.
4. Select the serial port on the workstation to which the serial cable is connected, and click OK. The COM1 Properties dialog box appears.
5. Configure the port settings as follows, and then click OK.
- Serial communications: 9600 bps
6. Press ENTER to see the login prompt.
Connecting via Telnet
Telnet operates over TCP/IP networks and lets you configure the device using the command line interface (CLI). Telnet carries the login name and password in cleartext, so use it only from a trusted management network.
Before you begin, be sure you have connected the NetScreen device hardware to the network as outlined in Chapter 2.
1. Establish a Telnet connection to the NetScreen device.
2. For Host name, type: 192.168.1.1.
|
Note: Select vt100 for Terminal type.
|
To log on, enter the default administrator login name and password.
1. At the login prompt, enter netscreen.
2. At the password prompt, enter netscreen.
Setting the System IP Address
To administer the NetScreen device over a network connection, you must change the system IP address. The NetScreen-10/100 ships from the factory with a default IP address of 192.168.1.1. To change this to an address on the same subnet as the other network devices to which the NetScreen-10/100 is connected, enter the following command at the command line, substituting your system IP address for a.b.c.d:
1. set admin sys-ip <a.b.c.d>
If you are connected via Telnet, your session to 192.168.1.1 is lost when the address changes; reconnect to the new system IP address.
Changing the Administrator Login Name and Password
Because all NetScreen units come with the same default name and password, it is highly recommended that you change the default Admin Login name and Password.
|
Note: The information in this guide has been widely published, and failure to change the defaults might expose your system to attack.
|
At the command line enter:
2. set admin password <password>
Record the new Administration name and Password in a secure manner.
|
Make sure that you remember your password! If you forget it, you will have to return the unit to the factory for initialization. This feature has been implemented in this manner as an extra security measure.
|
Testing the Configuration
Use a Web browser to access an external Web site (for example, www.netscreen.com). You should be able to locate the site and access the available Web pages.
If you cannot access the Web site, check the following:
· The power, status and link lights on the NetScreen-10/100 are illuminated.
· The LEDs on the host, hubs and router are illuminated.
· The administrator's workstation IP address and subnet mask are correct.
· The workstation gateway points to the external router.
· The workstation has a valid Domain Name Service (DNS) entry.