


Chapter 7
Interfaces and Operational Modes
This chapter describes the various physical, logical, and virtual interfaces and the three operational modes supported by NetScreen devices. The chapter is organized into the following sections:
· "Interfaces" on page 760
· "Transparent Mode" on page 762
· "Network Address Translation Mode" on page 771
· "Route Mode" on page 783
Interfaces
All NetScreen devices have a Trusted interface and an Untrusted interface. The NetScreen-10 and -100 also have a DMZ interface. These are physical interfaces used for channeling network user traffic. Additionally, on each of the Virtual Systems supported by the NetScreen-1000 there can be one or more Sub interfaces linking a particular Virtual System to one or more virtual LANs (VLANs).
Other interfaces (some physical, some logical, and some virtual) provide exclusive channels for administrative traffic, or for communication among members in a redundant group.
Trusted Interface
The Trusted interface is a physical interface that leads to the network (usually the intranet or corporate network) protected by the NetScreen device.
Untrusted Interface
The Untrusted interface is a physical interface that leads to the network (usually the Internet) against which the NetScreen device defends. If the NetScreen device is in either NAT or Route mode (see "Interface Settings and Operational Modes" on page 762), the address for the Untrusted interface can be fixed (all NetScreen devices) or dynamically assigned (NetScreen-5 and -10) via Dynamic Host Configuration Protocol (DHCP). For the NetScreen-5, the address can also be provided by an ISP using Point-to-Point Protocol over Ethernet (PPPoE).
DMZ Interface
The DMZ interface is a physical interface that leads to a protected network to which access from the Untrusted side is typically granted. The DMZ, which stands for "demilitarized zone," offers a separate and secure area on your network for receiving incoming traffic from unknown Untrusted sources, unlike the Trusted side, to which access from the Untrusted side is tightly restricted.
Web Management Interface
The Web Management interface is a logical interface that allows network administrators to manage the NetScreen device through an IP address and port number via a Web browser, such as Internet Explorer or Netscape Navigator.
Management Interface
On the NetScreen-1000, you can also manage the device through a separate physical interface, the Management (MGT) interface, moving administrative traffic outside the regular network user traffic. Separating administrative traffic from network user traffic greatly increases security and assures constant management bandwidth.
Sub Interface
On the NetScreen-1000, a Sub interface leads to a VLAN of a particular Virtual System. Each Virtual System can have its own Untrusted interface [1] and one or more Sub interfaces, each Sub interface leading to a different VLAN. In essence, a Sub interface leading to a VLAN is similar to the Trusted interface leading to a protected LAN, except that you can have more than one Sub interface.
HA Interface
You can link two or more NetScreen-1000 devices together to form a redundant group, or cluster, through the High Availability (HA) interface. In a redundant group, one unit acts as the Master, performing the network firewall functions, while the other units act as Slaves, basically waiting to take over the firewall functions should the Master unit fail. The HA interface is a physical port used exclusively for HA functions.
Virtual HA Interface
On the NetScreen-100, a Virtual High Availability (HA) interface provides the same functionality as the HA interface on the NetScreen-1000. However, because the NetScreen-100 does not have a separate physical port exclusively used for HA traffic, the Virtual HA interface must be bound to one of the physical ports: Trusted, Untrusted, or DMZ.
Interface Settings and Operational Modes
The three operational modes are Transparent, Network Address Translation (NAT), and Route. The configuration of the Trusted, Untrusted, and (on the NetScreen-10 and -100) DMZ interfaces of a NetScreen device defines which mode is in operation. Each mode offers distinct advantages.
Transparent Mode
In Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a layer-2 switch or bridge. Because it does not translate addresses, the IP addresses on the protected network must be valid, routable addresses on the Untrusted network [2], which might be the Internet. In Transparent mode, the IP addresses for the Trusted and Untrusted interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or "transparent," to users.

Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from Untrusted sources. Using Transparent mode offers the following benefits:
· No need to reconfigure the IP settings of routers or protected servers
· No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers
· (NetScreen-100) Because port numbers are not translated when the NetScreen-100 is operating in Transparent mode, there can be twice as many concurrent outgoing sessions (~128,000 instead of ~64,000) as when it is operating in NAT mode. The maximum number of sessions, outgoing and incoming combined, remains the same (~128,000) in either mode, but the maximum number of outgoing sessions is not limited to 64,000 in Transparent mode because the limit imposed by port translation does not apply.
Packet Flow Sequence
The packet flow initiating a session from a host on the Trusted side of a NetScreen device in Transparent mode to a host on the Untrusted side progresses as follows:
1. Host A, on the Trusted side of the NetScreen device, sends an IP packet to Host B, which is located on the Untrusted side.
2. The NetScreen device receives the IP packet and checks if there is an Access Policy allowing outbound TCP/IP traffic from Host A to Host B of the specified service.
3. If there is an Access Policy, the NetScreen device creates a new session in its session table.
4. The NetScreen device forwards the IP packet.

5. When the NetScreen device receives a responding IP packet from Host B, it inspects the address information in the packet header. If it matches the addressing information stored in the session table, it forwards the packet to Host A.
The connection is established. Host B knows Host A's actual IP address and port number.
Note: The flow sequence for any session requiring a packet to traverse the NetScreen firewall proceeds similarly; that is, when the NetScreen device receives a packet originating from any interface (Trusted, Untrusted, DMZ) and destined for any other interface, it performs the following three actions:
1. Checks the Access Policies list
2. Finding permission for the passage granted, creates an entry in the session table
3. Forwards the packet

6. When Hosts A and B close their connection, the NetScreen device removes the entry from its session table. Host B can no longer send traffic to Host A.
Interface Settings
For Transparent mode, define the following interface settings, where <a.b.c.d> and <e.f.g.h> represent numbers in an IP address, <A.B.C.D> represents the numbers in a subnet mask, and <number> represents the bandwidth size in kbps:
Trusted
IP: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: 0.0.0.0
Manage IP: <a.b.c.d>
Traffic Bandwidth [1]: <number>
Untrusted
IP: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: 0.0.0.0
Manage IP: <a.b.c.d>
Traffic Bandwidth [1]: <number>
DMZ (NetScreen-10 and -100)
IP: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: 0.0.0.0
Manage IP: <a.b.c.d>
Traffic Bandwidth [1]: <number>
Web Management
System IP: <a.b.c.d>
Port: <port_number> [2]
MGT (NetScreen-1000)
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
[1] Optional setting for traffic shaping.
[2] The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access and modifications to the configuration.

Note: For managing the devices, you can use the System IP address, the Manage IP addresses, or the MGT IP address (NetScreen-1000).

Example: Transparent Mode
The following example illustrates a basic configuration for a single LAN protected by a NetScreen-100 in Transparent mode. Access Policies permit outgoing traffic for all four Trusted hosts, incoming mail for the mail server, and incoming FTP for the FTP server. The device is managed through its System IP address.

WebUI
1. Admin >> Settings: Enter the following, and then click Apply:
System IP Address: 209.122.17.252
2. Admin >> Web: Enter the following, and then click Apply:
Port: 5555 [3]
3. Interface >> Trusted >> Edit: Enter the following, and then click Save:
Inside IP: 0.0.0.0
Netmask: 0.0.0.0
Default Gateway: 0.0.0.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
4. Interface >> Untrusted >> Edit: Enter the following, and then click Save and Reset [4]:
IP Address: 0.0.0.0
Netmask: 0.0.0.0
Default Gateway: 209.122.17.253
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
5. (NetScreen-10 and -100) Interface >> DMZ >> Edit: Enter the following, and then click Save:
Inside IP: 0.0.0.0
Netmask: 0.0.0.0
Default Gateway: 0.0.0.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
6. (NetScreen-1000) Interface >> MGT >> Edit: Enter the following, and then click OK:
MGT IP (NetScreen-1000): 0.0.0.0
Netmask: 0.0.0.0
Traffic Bandwidth: 0
7. Address >> Trusted >> New Address: Enter the following and then click OK:
Address Name: Mail Server
IP Address/Domain Name: 209.122.17.249
Netmask: 255.255.255.255
8. Address >> Trusted >> New Address: Enter the following and then click OK:
Address Name: FTP Server
IP Address/Domain Name: 209.122.17.250
Netmask: 255.255.255.255
9. Policy >> Outgoing >> New Policy: Enter the following and then click OK:
Source Address: Inside Any
Destination Address: Outside Any
Service: Any
Action: Permit
10. Policy >> Incoming >> New Policy: Enter the following and then click OK:
Source Address: Outside Any
Destination Address: Mail Server
Service: Mail
Action: Permit
11. Policy >> Incoming >> New Policy: Enter the following and then click OK:
Source Address: Outside Any
Destination Address: FTP Server
Service: FTP
Action: Permit
Note: Because PC #1 and PC #2 are not specified in an Access Policy, they do not need to be added to the Trusted Address Book. The term "Inside Any" applies to any device connected to the Trusted interface.

CLI
1. set admin sys-ip 209.122.17.252
2. set admin port 5555 [5]
3. set interface trust ip 0.0.0.0 0.0.0.0
4. set interface trust gateway 0.0.0.0
5. set interface untrust ip 0.0.0.0 0.0.0.0
6. set interface untrust gateway 209.122.17.253
7. (NetScreen-1000) set interface mgt ip 0.0.0.0 0.0.0.0
8. set address trust Mail_Server 209.122.17.249 255.255.255.255
9. set address trust FTP_Server 209.122.17.250 255.255.255.255
10. set policy outgoing "inside any" "outside any" any permit
11. set policy incoming "outside any" 209.122.17.249 255.255.255.255 mail permit
12. set policy incoming "outside any" 209.122.17.250 255.255.255.255 ftp permit
13. save
Network Address Translation Mode
When in Network Address Translation (NAT) mode, the NetScreen device, acting like a layer-3 switch (or router), translates two components in the header of an outgoing IP packet traversing the firewall from the Trusted side: its source IP address and source port number. The NetScreen device replaces the source IP address of the host that sent the packet with the IP address of the Untrusted port [6] of the NetScreen device. Also, it replaces the source port number with a random port number generated by the NetScreen device.

When the reply packet arrives at the NetScreen device, the device translates two components in the IP header of the incoming packet: the destination address and port number, which are translated back to the original numbers. The packet is then forwarded to its destination.
NAT adds a level of security not provided in Transparent mode: The addresses of hosts connected to the Trusted port are never exposed to the Untrusted or DMZ network.
Also, NAT preserves the use of Internet-routable IP addresses. With only one public, Internet-routable IP address (that of the Untrusted interface), the Trusted LAN can have a vast number of hosts with private IP addresses. The following IP address ranges are reserved for private IP networks and must not get routed on the Internet:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
A host on the Trusted LAN can initiate traffic to the Internet, if an Access Policy allows it Internet access, but it cannot receive traffic initiated outside the firewall unless a Mapped IP or Virtual IP is set up for it.
Packet Flow Sequence: Trusted >> Untrusted
The packet flow initiating a session from a host on the Trusted side of a NetScreen device in NAT mode to a host on the Untrusted side progresses as follows:
1. Host A, on the Trusted side of the NetScreen device, sends an IP packet to Host B, which is located on the Untrusted side.
2. The NetScreen device receives the IP packet and checks if there is an Access Policy allowing outbound TCP/IP traffic from Host A to Host B with the specified service.
3. If there is such an Access Policy, the NetScreen device creates a new session in its session table and changes the source IP address and source port number on the outbound IP packet.
4. The NetScreen device forwards the modified IP packet, its true source IP address and port number unexposed.

5. When the NetScreen device receives a responding IP packet from Host B, it inspects the address information in the packet header. If it matches the information stored in the session table, it forwards the packet to Host A, converting the translated IP address and port number back to the originals. (This packet filtering method is called "stateful inspection.")
Note: The source port number of an outbound packet is the key to successfully directing an inbound packet to its destination. Because the source IP address for an outbound IP packet is translated to the IP address of the Untrusted interface, the distinguishing factor in the header of an inbound IP packet is its destination port number, which is unique to each inbound IP packet.

The connection is established. Host B does not know Host A's actual IP address or port number.
Note: The NetScreen-10 and -100 can also perform NAT on traffic going from the Trusted interface to the DMZ.

Packet Flow Sequence: Untrusted >> Trusted
For traffic initiated on the Untrusted side of a NetScreen device in NAT mode to reach the Trusted side, you must first create one of the following:
· A Mapped IP (MIP), mapping inbound traffic from a public IP address to a private IP address
· A Virtual IP (VIP), mapping inbound traffic from a public IP address via the port number of the incoming service to one of several possible private IP addresses
· A VPN tunnel
Mapped IP
The packet flow for a session initiating on the Untrusted side of a NetScreen device in NAT mode to a host on the Trusted side using an MIP progresses as follows:
1. Host B, on the Untrusted side of the NetScreen device, sends an IP packet to the public IP address that is mapped to the private IP address for Host A, which is located on the Trusted side.
2. The NetScreen device receives the inbound packet and checks if there is an Access Policy allowing inbound TCP/IP traffic to the MIP.
3. If there is an Access Policy, the NetScreen device creates a new session in its session table and changes the destination IP address on the inbound packet, mapping it to the private address.
4. The NetScreen device forwards the packet to Host A.
The connection is established. Host B does not know Host A's actual IP address.

Virtual IP
The packet flow for a session initiating on the Untrusted side of a NetScreen device in NAT mode to a host on the Trusted side using a VIP progresses as follows:
1. Host B, on the Untrusted side of the NetScreen device, sends an IP packet to a public IP address in the same subnet as the Untrusted interface. (That address has been configured to route traffic to any one of several IP addresses on the Trusted side, depending on the port number carried by the incoming packet.)
2. The NetScreen device receives the inbound packet and checks if there is an Access Policy allowing inbound traffic to the VIP.
3. If there is an Access Policy, the NetScreen device creates a new session in its session table and, referring to its VIP translation table, changes the destination IP address and destination port number on the inbound packet to map it to the private IP address and port number.
4. The NetScreen device forwards the packet to Host A.
The connection is established. Host B does not know Host A's actual IP address or port number.
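The following Python model is an added illustration, not part of the NetScreen documentation; it walks through both NAT-mode flows described above: the Trusted >> Untrusted source translation with its session table, and the Untrusted >> Trusted reply matching and VIP mapping. The Untrusted address 200.2.2.2, the VIP 200.2.2.3 and the mail server 172.16.10.253 are taken from the NAT mode example later in this chapter; the peer addresses in 198.51.100.0/24 and the policy callables are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port number)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    service: str  # service name as it appears in an Access Policy, e.g. "mail"


class NatFirewall:
    """Toy model of a NAT-mode device (constructed for this example).
    Outbound: source IP/port become the Untrusted address plus a device-chosen port.
    Inbound: replies are matched on that port and translated back; anything else
    reaches the Trusted side only through a VIP mapping."""

    # Ports available for translation: roughly 64,000 usable ports behind one
    # address is what bounds outgoing sessions in NAT mode.
    FIRST_PORT, LAST_PORT = 1024, 65535

    def __init__(self, untrust_ip: str,
                 outgoing_policy: Callable[[Packet], bool],
                 incoming_policy: Callable[[Packet], bool]) -> None:
        self.untrust_ip = untrust_ip
        self.outgoing_policy = outgoing_policy
        self.incoming_policy = incoming_policy
        # Session table: translated source port -> (original source, original destination).
        self.sessions: Dict[int, Tuple[Addr, Addr]] = {}
        # VIP translation table: (public IP, port) -> (private IP, port).
        self.vip: Dict[Addr, Addr] = {}
        self._next_port = self.FIRST_PORT

    def _alloc_port(self) -> int:
        # Sequential allocation keeps the example deterministic; the device picks randomly.
        if self._next_port > self.LAST_PORT:
            raise RuntimeError("port space exhausted: outgoing session limit reached")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Trusted >> Untrusted: policy check, session entry, source translation."""
        if not self.outgoing_policy(pkt):
            return None  # no Access Policy permits it: dropped
        port = self._alloc_port()
        self.sessions[port] = (pkt.src, pkt.dst)
        return Packet(src=(self.untrust_ip, port), dst=pkt.dst, service=pkt.service)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untrusted >> Trusted: reply to a live session, or a VIP-mapped service."""
        ip, port = pkt.dst
        if ip == self.untrust_ip and port in self.sessions:
            orig_src, orig_dst = self.sessions[port]
            if pkt.src != orig_dst:
                return None  # right port, wrong peer: does not match the session
            return Packet(src=pkt.src, dst=orig_src, service=pkt.service)
        if pkt.dst in self.vip:
            if not self.incoming_policy(pkt):
                return None  # VIP exists but no incoming Access Policy permits it
            return Packet(src=pkt.src, dst=self.vip[pkt.dst], service=pkt.service)
        return None  # no session and no MIP/VIP: Trusted hosts are unreachable

    def close(self, translated_port: int) -> None:
        """Hosts closed the connection: remove the entry so later packets are refused."""
        self.sessions.pop(translated_port, None)


def demo() -> dict:
    """Walk both flows with constructed peers (198.51.100.0/24 is documentation space)."""
    fw = NatFirewall("200.2.2.2",
                     outgoing_policy=lambda p: True,                 # inside any -> outside any, any, permit
                     incoming_policy=lambda p: p.service == "mail")  # outside any -> VIP, mail, permit
    fw.vip[("200.2.2.3", 25)] = ("172.16.10.253", 25)               # set vip 200.2.2.3 25 mail 172.16.10.253
    out = fw.outbound(Packet(("172.16.10.5", 40000), ("198.51.100.7", 80), "http"))
    reply = fw.inbound(Packet(("198.51.100.7", 80), out.src, "http"))
    spoof = fw.inbound(Packet(("198.51.100.9", 80), out.src, "http"))
    direct = fw.inbound(Packet(("198.51.100.7", 5000), ("172.16.10.5", 22), "ssh"))
    vip_ok = fw.inbound(Packet(("198.51.100.7", 5000), ("200.2.2.3", 25), "mail"))
    fw.close(out.src[1])
    late = fw.inbound(Packet(("198.51.100.7", 80), out.src, "http"))
    return {"out": out, "reply": reply, "spoof": spoof, "direct": direct,
            "vip_ok": vip_ok, "late": late}
```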

Interface Settings
For NAT mode, define the following interface settings, where <a.b.c.d>, <e.f.g.h>, and <i.j.k.l> represent numbers in an IP address, <A.B.C.D> represents the numbers in a subnet mask, and <number> represents the bandwidth size in kbps:
Trusted
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Manage IP: <i.j.k.l>
Traffic Bandwidth [1]: <number>
NAT: (select) [2]
Untrusted
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Manage IP: <i.j.k.l>
Traffic Bandwidth [1]: <number>
DMZ (NetScreen-10 and -100)
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Manage IP: <i.j.k.l>
Traffic Bandwidth [1]: <number>
Web Management
System IP: <a.b.c.d>
Port: <port_number> [3]
MGT (NetScreen-1000)
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Traffic Bandwidth [1]: <number>
[1] Optional setting for traffic shaping.
[2] Selecting NAT for the Trusted interface defines the mode as NAT. Selecting Route defines the mode as Route.
[3] The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access and modifications to the configuration.

Note: In NAT mode, you can manage a NetScreen device from any interface, and from multiple interfaces, using the System IP address, interface IP addresses, Manage IP addresses, or the MGT IP address (NetScreen-1000).

Example: NAT Mode
The following example illustrates a simple configuration for a LAN with a single Trusted subnet. The LAN is protected by a NetScreen-1000 in NAT mode. Access Policies permit outgoing traffic for all three Trusted hosts and incoming mail for the mail server. The incoming mail is routed to the mail server through a Virtual IP address. The device is managed through its MGT IP address.
Note: Compare this example with that for Route mode on page 785.


WebUI
1. Interface >> Trusted >> Edit: Enter the following, and then click Save:
IP Address: 172.16.10.1
Netmask: 255.255.255.0
Default Gateway: 0.0.0.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
NAT [7]: (select)
2. Interface >> Untrusted >> Edit: Enter the following, and then click Save:
IP Address [8]: 200.2.2.2
Netmask: 255.255.255.0
Default Gateway: 200.2.2.1
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
3. (NetScreen-10/100) Interface >> DMZ >> Edit: Enter the following, and then click Save and Reset [9]:
DMZ IP (NetScreen-10/100): 0.0.0.0
Netmask: 0.0.0.0
Default Gateway: 0.0.0.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
4. (NetScreen-1000) Interface >> MGT >> Edit: Enter the following, and then click OK:
IP Address: 172.16.40.1
Netmask: 255.255.255.0
Traffic Bandwidth: 0
5. Admin >> Admin >> New Management Client IP: Enter the following, and then click OK:
IP Address: 172.16.40.2
Netmask: 255.255.255.255
6. Virtual IP >> Virtual IP 1 >> Click here to configure: Enter the following, and then click OK:
Virtual IP Address: 200.2.2.3
7. Virtual IP >> New Services: Enter the following, and then click OK:
Virtual Port: 25
Service: Mail
Map to IP: 172.16.10.253
8. Policy >> Outgoing >> New Policy: Enter the following, and then click OK:
Source Address: Inside Any
Destination Address: Outside Any
Service: Any
Action: Permit
9. Policy >> Incoming >> New Policy: Enter the following and then click OK:
Source Address: Outside Any
Destination Address: VIP(200.2.2.3)
Service: Mail
Action: Permit
CLI
1. set admin sys-ip 0.0.0.0
2. set interface trust ip 172.16.10.1 255.255.255.0
3. set interface trust NAT
4. set interface trust gateway 0.0.0.0
5. set interface untrust ip 200.2.2.2 255.255.255.0
6. set interface untrust gateway 200.2.2.1
DHCP Note: For the NetScreen-5 and -10, if the ISP dynamically assigns the Untrusted IP address, use the following command: set interface untrust dhcp
PPPoE Note: For the NetScreen-5, if the ISP uses PPPoE, use the set pppoe and exec pppoe commands. For more information, see the NetScreen CLI Reference Guide.

7. (NetScreen-10/100) set interface dmz ip 0.0.0.0 0.0.0.0
8. (NetScreen-1000) set interface mgt ip 172.16.40.1 255.255.255.0
9. set admin mng-ip 172.16.40.2 255.255.255.255
10. set vip 200.2.2.3 25 mail 172.16.10.253
11. set policy outgoing "inside any" "outside any" any permit
12. set policy incoming "outside any" "vip 200.2.2.3" mail permit
13. save
Route Mode
In Route mode, the NetScreen device routes traffic between different interfaces without performing NAT; that is, the source address and port number in the IP packet header remain unchanged as the packet traverses the NetScreen device. Unlike in NAT mode, the hosts on the Trusted side must have public IP addresses, and you do not need to establish Mapped and Virtual IP addresses to allow sessions initiated on the Untrusted side to reach hosts on the Trusted side. Unlike in Transparent mode, the Trusted and Untrusted interfaces are on different subnets.

With the NetScreen-10 or -100 operating in Route mode (or Transparent mode), you do not need to set up Virtual or Mapped IPs for servers in the DMZ; the servers only require Internet-routable IP addresses. Using Route mode for the Trusted side likewise eliminates the need to create Virtual or Mapped IPs.
Interface Settings
For Route mode, define the following interface settings, where <a.b.c.d>, <e.f.g.h>, and <i.j.k.l> represent numbers in an IP address, <A.B.C.D> represents the numbers in a subnet mask, and <number> represents the bandwidth size in kbps:
Trusted
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Manage IP: <i.j.k.l>
Traffic Bandwidth [1]: <number>
Route: (select) [2]
Untrusted
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Manage IP: <i.j.k.l>
Traffic Bandwidth [1]: <number>
DMZ (NetScreen-10 and -100)
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Manage IP: <i.j.k.l>
Traffic Bandwidth [1]: <number>
Web Management
System IP: <a.b.c.d>
Port: <port_number> [3]
MGT (NetScreen-1000)
IP: <a.b.c.d>
Subnet Mask: <A.B.C.D>
Default Gateway: <e.f.g.h>
Traffic Bandwidth [1]: <number>
[1] Optional setting for traffic shaping.
[2] Selecting Route for the Trusted interface defines the mode as Route. Selecting NAT defines the mode as NAT.
[3] The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access and modifications to the configuration.

Note: In Route mode, you can manage a NetScreen device from any interface, and from multiple interfaces, using the System IP address, Manage IP addresses, or interface IP addresses.

Example: Route Mode
In the previous example for NAT mode on page 779, the hosts on the protected LAN have private IP addresses and a Mapped IP for the mail server. In the following example of the same network protected by a NetScreen-1000 operating in Route mode, note that the hosts have public IP addresses and that a MIP is unnecessary for the mail server. The device is managed through its MGT IP address.

WebUI
1. Interface >> Trusted >> Edit: Enter the following, and then click Save:
IP Address: 240.9.10.10
Netmask: 255.255.255.0
Default Gateway: 0.0.0.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
Route [10]: (select)
2. Interface >> Untrusted >> Edit: Enter the following, and then click Save:
IP Address [11]: 200.2.2.2
Netmask: 255.255.255.0
Default Gateway: 200.2.2.1
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
3. Interface >> DMZ (NetScreen-10/100) >> Edit: Enter the following, and then click Save:
DMZ IP: 0.0.0.0
Netmask: 0.0.0.0
Default Gateway: 0.0.0.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
4. (NetScreen-1000) Interface >> MGT >> Edit: Enter the following, and then click Save and Reset:
MGT IP: 172.16.40.1
Netmask: 255.255.255.0
5. Admin >> Admin: Enter the following, and then click Apply:
Management Client IP: 172.16.40.2
Netmask: 255.255.255.255
6. Address >> Trusted >> New Address: Enter the following and then click OK:
Address Name: Mail Server
IP Address/Domain Name: 240.9.10.45
Netmask: 255.255.255.255
7. Policy >> Outgoing >> New Policy: Enter the following and then click OK:
Source Address: Inside Any
Destination Address: Outside Any
Service: Any
Action: Permit
8. Policy >> Incoming >> New Policy: Enter the following and then click OK:
Source Address: Outside Any
Destination Address: Mail Server
Service: Mail
Action: Permit
CLI
1. set admin sys-ip 0.0.0.0
2. set interface trust ip 240.9.10.10 255.255.255.0
3. unset interface trust NAT [12]
4. set interface trust gateway 0.0.0.0
5. set interface untrust ip 200.2.2.2 255.255.255.0
6. set interface untrust gateway 200.2.2.1
7. (NetScreen-10/100) set interface dmz ip 0.0.0.0 0.0.0.0
8. (NetScreen-1000) set interface mgt ip 172.16.40.1 255.255.255.0
9. set admin mng-ip 172.16.40.2 255.255.255.255
10. set address trust mail_server 240.9.10.45 255.255.255.255
11. set policy outgoing "inside any" "outside any" any permit
12. set policy incoming "outside any" mail_server mail permit
Footnotes
[1] A Virtual System can have an Untrusted interface if one is defined for it. If an Untrusted interface is not defined for a Virtual System, the Virtual System uses the Untrusted interface at the root level of the NetScreen-1000.
[2] If the router on the Untrusted side performs NAT, then the addresses on the Trusted side can be private IP addresses.
[3] When logging in to manage the device later, enter the following in the URL field of your Web browser: http://172.16.10.40:5555.
[4] Through the CLI, you can schedule the NetScreen-5, -10, and -100 to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.
[5] When logging in to manage the device later, enter the following in the URL field of your Web browser: http://172.16.10.40:5555.
[6] If the outbound traffic is destined for the DMZ (on the NetScreen-10 and -100), then the source IP address is translated to that of the DMZ port.
[7] Selecting NAT determines that the NetScreen device performs NAT on traffic to and from the Trusted side.
[8] If the Untrusted IP address on the NetScreen-5 and -10 is dynamically assigned by an ISP, leave the IP address and subnet mask fields empty and select DHCP. For the NetScreen-5, if the ISP is using Point-to-Point Protocol over Ethernet, select PPPoE and enter the name and password.
[9] Through the CLI, you can schedule the NetScreen-5, -10, and -100 to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.
[10] Selecting Route determines that the NetScreen device operates in Route mode, without performing NAT on traffic to or from the Trusted side.
[11] If the Untrusted IP address on the NetScreen-5 and -10 is dynamically assigned by an ISP, leave the IP address and subnet mask fields empty and select DHCP. For the NetScreen-5, if the ISP is using Point-to-Point Protocol over Ethernet, select PPPoE and enter the name and password.
[12] The unset interface trust NAT command determines that the NetScreen device operates in Route mode.



NetScreen Technologies Inc.
http://www.netscreen.com
Voice: (408) 730-6000
Fax: (408) 730-6100
sales@netscreen.com