Basic NetScreen-5 Network Connection
Follow the instructions in this chapter to set up the NetScreen-5 hardware and to configure the software initially for Transparent or Network Address Translation (NAT) mode. See the NetScreen Concepts and Examples ScreenOS Reference Guide for more configuration options.
Connecting the NetScreen-5 to Networks and Devices
This section explains how to set up the NetScreen-5 hardware connections.
Note: Check your router, hub, or computer documentation to determine if you should reconfigure the device or if you should switch off the power supply when connecting new equipment to the LAN.
1. Install the NetScreen-5 on a level surface.
2. Connect the universal power supply's DC side to the power outlet on the NetScreen-5 device, and the AC side to an AC outlet.
The NetScreen-5 takes up to one minute to start up. There is no ON/OFF switch. If you need to reboot at any point, unplug the NetScreen device for 30 seconds and then plug it back in again.
3. Connect the NetScreen-5 to the network as shown in one of the following illustrations:
Figure 3-1 Typical Multiple-Workstation Configuration-Router Connected to the Untrusted Port, LAN Connected to the Trusted Port
Figure 3-2 Typical Single-Workstation Configuration-Router Connected to the Untrusted Port, Workstation Connected to the Trusted Port
Note: You may have to supply additional cables, depending on your particular configuration. A straight-through cable is a 10/BaseT unshielded twisted pair (UTP) and is usually white. A crossover cable is a 10/BaseT UTP and is usually orange.
A DTE (Data Terminal Equipment) device cannot connect to a DTE port without a crossover cable. Conversely, a DCE (Data Communications Equipment) device cannot connect to a DCE port without a crossover cable.
Table 3-1 Typical NetScreen-5 Cable Connections
For a Device Connected to:
* An Untrusted Ethernet port is not technically a DTE, but for cabling purposes it should be treated as such.
§ Routers with uplink ports may behave in reverse.
4. If you have not already done so, turn on the power supply to the devices you have connected to the NetScreen-5.
If all cables are connected correctly, the link light for each connection illuminates.
Configuring the NetScreen-5
There are three ways to configure the NetScreen-5 for the first time:
· Using the Quick Start Program.
· Using a Web browser running on a workstation connected via a network to the Trusted port.
· Using CLI via either Telnet or the serial port.
Table 3-2 Administration Configuration Requirements
Netscape® Communicator® v4.5 or greater, or Microsoft® Internet Explorer v5.0 or greater
TCP/IP network connection to the NetScreen-5

Netscape Communicator v4.5 or greater, or Microsoft Internet Explorer v5.0 or greater
TCP/IP network connection to the NetScreen-5

Via the console port, using Hilgraeve® Hyperterminal® or a VT100 terminal emulator on the administrator's workstation and an RS-232 Console cable
Via Telnet, using TCP/IP network connection to the NetScreen device.
Table 3-3 Important Default Configuration Settings
Default System IP Address:
Default Trusted/Untrusted IP Addresses: 0.0.0.0 (transparent mode)
Configuring Via the Quick Start Program
The NetScreen-5 comes with the Quick Start disk for easy configuration.
1. Insert the Quick Start disk into the a: drive of the Windows® 95/98 or Windows NT® v4.0 computer from which you will configure the unit on the LAN.
2. On the Windows task bar, click the Start button, and then select Run.
3. At the Command Line, type a:\nsqstart.exe, then select OK.
Figure 3-3 NetScreen Quick Start Welcome
4. Read the information on the NetScreen Quick Start Welcome screen, then click the Next button.
If there is more than one network card on the computer, the Quick Start program displays their IP addresses and prompts you to select the one for the network on which you are installing the NetScreen-5, as shown in Figure 3-4.
Figure 3-4 Network Card IP Address List
Select the appropriate network card, and then click OK.
Note: The Quick Start program can only find the NetScreen-5 devices on your network that still have the factory default configuration.
5. When the NetScreen Quick Start Select Device dialog box displays, select the NetScreen-5 you want to configure, as shown in Figure 3-5, then click the Next button.
Figure 3-5 NetScreen Quick Start-Select Device
6. Enter the new System IP address for the NetScreen device you are configuring, as shown in Figure 3-6.
This value must be an available address on the Trusted subnet. This is the address that you will use to further manage the NetScreen-5.
Figure 3-6 NetScreen Quick Start-Configuration Dialog Box.
Selecting Transparent Mode
1. To launch your NetScreen-5 in Transparent mode, select Transparent Mode as shown in Figure 3-6.
If you leave the Launch web browser for further configuration check box selected (the default), Quick Start opens your Web browser and displays the User name and Password dialog box as shown in Figure 3-11 on page 325.
If you clear the Launch web browser for further configuration check box, you must start your Web browser manually when Quick Start exits.
Selecting Network Address Translation
1. To launch your NetScreen-5 in NAT mode, select Network Address Translation Mode (NAT).
The NAT Configuration screen shown in Figure 3-7 appears.
Figure 3-7 NetScreen Quick Start-Configuring NAT
3. Enter the IP address and subnet mask of the NetScreen-5 Trusted interface.
4. To configure the Untrusted interface, use one of the following three methods:
a. To use Dynamic Host Configuration Protocol, select DHCP.
b. To use Point-to-Point Protocol over Ethernet, select PPPoE and enter the User name and Password for the login prompt.
c. To assign an IP address, subnet mask, and gateway IP address manually, select Manually Assign and then enter the settings in the appropriate fields.
If you leave the Launch web browser for further configuration check box selected (the default), Quick Start opens your Web browser and displays the Username and Password dialog box, as shown in Figure 3-11 on page 325.
If you clear the Launch web browser for further configuration check box, you must start your Web browser manually when Quick Start exits. For more information on logging in manually, see "Logging On" on page 325.
Configuring Via the WebUI
You can also perform the initial configuration through a Web browser without the NetScreen-5 Quick Start disk. To do this, you need to change the IP address of the management workstation to the same subnet as the NetScreen-5 default System IP address. Then, after making an Ethernet connection to the NetScreen-5, you can log on through a Web browser. The following section details this procedure.
Before you begin, be sure you connected the NetScreen-5 hardware to the network as outlined on page 313.
Setting the System IP Address
For remote administration of the NetScreen device over a network connection, you must change the system IP address. The NetScreen-5 ships from the factory with a default IP address of 192.168.1.1. To change this to an address on the same subnet as the other network devices to which the NetScreen-5 is connected, follow these steps:
1. Record your workstation's IP address and subnet mask. You must re-enter them later in this process.
Note: To find your workstation IP address: Start > Settings > Control Panel > Network > Configuration, select TCP/IP, and then click Properties.
2. Change the IP address of the workstation to 192.168.1.2 and the subnet mask to 255.255.255.0. You might have to restart the workstation for these changes to take effect.
Note: For Windows NT users, ensure that you are logged on to the workstation as an administrator.
3. Start your Web browser.
4. In the URL field of the browser, enter the IP address of the NetScreen-5: http://192.168.1.1.
Note: The NetScreen-5 ships from the factory with the IP address set to 192.168.1.1.
Figure 3-8 Enter Network Password Dialog Box
5. In the dialog box, type netscreen for both the user name and password, and then click OK.
6. An IP Address Configuration dialog box, as shown in Figure 3-9 on page 323, is displayed for first-time configuration.
Figure 3-9 Initial IP Address Configuration
7. Enter a new System IP address and subnet mask for the NetScreen-5, and then click OK to save your settings.
Note: The IP address must be a valid and available IP address on your local network, and the subnet mask must be an appropriate value for your local network.
The Configuring in Progress screen appears, as shown in Figure 3-10.
Figure 3-10 Configuring in Progress Screen
The NetScreen-5 is in Transparent mode. To change it to NAT mode, you must configure the Trusted and Untrusted interfaces. To do that, refer to chapter 2, "System Parameters," in the NetScreen Concepts and Examples ScreenOS Reference Guide.
8. Reconfigure your administration workstation IP address to the original settings that you recorded in the first step. Depending on the operating system, you might have to restart your workstation.
Once the IP configuration is complete, you must log on again.
1. When the Web browser is activated, enter the newly created IP address of the NetScreen-5.
The User name and Password dialog box displays.
2. In the User name and Password dialog box, type netscreen for both the user name and password, and then click OK.
Figure 3-11 Username and Password Dialog Box
Note: The login name and password are case-sensitive.
Allowing Outbound Traffic
The NetScreen-5 ships with a default Access Policy allowing all traffic inside the network to access the Internet. The Access Policies pages appear with the Default Outgoing page displayed, as shown in Figure 3-12 on page 326.
Note: For more information on Access Policies, please refer to the NetScreen Concepts and Examples ScreenOS Reference Guide.
Figure 3-12 Default Outgoing Access Policy
Testing the Configuration
Use a Web browser to access an external Web site (for example, www.netscreen.com). You should be able to locate the site and access the available Web pages.
If you cannot access the Web site, check the following:
· Link lights on the NetScreen-5, workstations, hubs, and the router are illuminated.
· The workstation IP and Netmask have the correct settings.
· The workstation gateway points to the router.
· The workstation has a valid DNS entry.
Note: See the NetScreen Command Line Reference Guide.
The following section provides information on how to configure the device using the command line interface (CLI).
You can access the CLI either by connecting directly via a console (or serial) cable or by connecting over the network via Telnet. Connection instructions are offered for both methods.
Connecting via the Console Port
You need direct access to the NetScreen device you want to configure and the following items before you start:
· An RS-232 male-to-female serial cable
· Microsoft Hyperterminal software on the management workstation (or, if you are using a different operating system, a VT100 terminal emulator)
Follow these steps to connect the NetScreen device to the workstation:
1. Connect the serial cable from the management workstation to the serial port on the NetScreen-5.
2. Start the terminal emulator on the workstation.
3. To create a new connection, type a name, select an icon, and then click OK.
The Connect To dialog box appears.
4. Select the workstation serial port to which the serial cable is connected, and click OK. The COM1 Properties dialog box appears.
5. Configure the port settings as follows, and then click OK.
- Serial communications 9600 bps
6. Press ENTER to see the login prompt.
Telnet operates over TCP/IP networks. It allows you to configure the device using the command line interface (CLI).
Before you begin, be sure you connected the NetScreen-5 hardware to the network as outlined on page 313.
1. Establish a Telnet connection to the NetScreen device.
2. For Host name, type: 192.168.1.1.
Note: Select vt100 for Terminal type.
To log on, enter the default administrator name and password.
1. At the login prompt, enter netscreen.
2. At the password prompt, enter netscreen.
Note: The user name and password are case-sensitive.
Setting the System IP Address
You can configure your NetScreen device for either Transparent mode or Network Address Translation (NAT) mode.
At the command line enter:
1. set admin sys-ip <a.b.c.d>
2. save
Note: Substitute your actual system IP address for <a.b.c.d>.
Network Address Translation (NAT) Mode
At the command line enter:
1. set admin sys-ip <a.b.c.d>
2. set interface trust ip <a.b.c.d>
3. set interface untrust ip <a.b.c.d>
Allowing Outbound Traffic
To create an outgoing Access Policy that permits any inside traffic to pass through the firewall and access the Internet, enter the following commands:
1. set policy outgoing "inside any" "outside any" any permit
Note: Making system-level changes through the CLI does not require restarting the NetScreen-5, whereas making similar changes through the WebUI does.
Testing the Configuration
Use a Web browser to access an external Web site (for example, www.netscreen.com). You should be able to locate the site and access the available Web pages.
Changing the Administrator Login Name and Password
Because all NetScreen-5 devices come with the same default login name and password, you should change this information immediately after you install the device. You can change the default administrator login and password either through the WebUI or the CLI.
The information in this guide has been widely published, and failure to change the defaults might expose your system to attack.
To change the default administrator login and password via the WebUI:
1. Select the Admin button in the menu column to view the Admin page, as shown in Figure 3-13.
Figure 3-13 The Administration Page
2. Type a new Admin Login Name.
Note: The login name and password must be alphanumeric. The login username and password are case-sensitive.
3. Type the old password (initially netscreen) in the Old Password field. You must enter the old password to change to the new password.
4. Type the new password in the New Password field and the Confirm New Password field.
5. Record the new Administrator Login Name and Password in a secure manner.
Make sure that you remember your password! If you forget it, you will have to return the unit to the factory for initialization. This feature has been implemented in this manner as an extra security measure.
6. Leave the other fields at their default entries, and select the Apply button.
The changes require the NetScreen-5 to reset, which it automatically does at this point.
Figure 3-14 on page 32 shows the system message that appears.
Figure 3-14 The System Message Display
7. Click the Yes button to confirm your command to reset the system.
The next time you log in, use the new login name and password.
Note: To receive important news on product updates, please visit our web site at www.netscreen.com and register your product.
At the command line enter:
2. set admin password <password>
Record the new Administrator Login Name and Password in a secure manner.
Make sure that you remember your password! If you forget it, you will have to return the unit to the factory for initialization. This feature has been implemented in this manner as an extra security measure.
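A post-setup check for the CLI procedure in this chapter, as an added example that is not part of the original guide or NetScreen software: it reads the list of commands an administrator entered and reports which factory defaults named in this chapter are still in place. The function name audit_session, the finding strings and both sample sessions are constructed for illustration; it assumes the session starts from a factory-default unit and recognizes only the command forms shown in this chapter.

```python
import ipaddress
import shlex

FACTORY_SYS_IP = ipaddress.ip_address("192.168.1.1")  # default stated in this guide
FACTORY_PASSWORD = "netscreen"                        # default stated in this guide
ANY_ANY_PERMIT = ["policy", "outgoing", "inside any", "outside any", "any", "permit"]

# Constructed sample sessions (not captured from a real device).
DEFAULT_SESSION = [
    "set admin sys-ip 192.168.1.1",
    'set policy outgoing "inside any" "outside any" any permit',
]
HARDENED_SESSION = [
    "set admin sys-ip 10.1.1.5",
    "set admin password Xk29mQ7pLr",
    "save",
]


def audit_session(commands):
    """Return findings for a list of CLI commands (hypothetical helper)."""
    sys_ip, password_changed, unsaved, findings = None, False, False, []
    for line in commands:
        tokens = shlex.split(line)  # keeps quoted names such as "inside any" whole
        if tokens == ["save"]:
            unsaved = False         # assumption: save is what persists the settings
        if len(tokens) < 4 or tokens[0] != "set":
            continue
        unsaved = True
        if tokens[1:3] == ["admin", "sys-ip"]:
            try:
                sys_ip = ipaddress.ip_address(tokens[3])
            except ValueError:
                findings.append(f"invalid system IP: {tokens[3]}")
        elif tokens[1:3] == ["admin", "password"]:
            password_changed = tokens[3] != FACTORY_PASSWORD
        elif tokens[1:] == ANY_ANY_PERMIT:
            findings.append("outgoing policy permits any service to any destination")
    if sys_ip is None or sys_ip == FACTORY_SYS_IP:
        findings.append("system IP is still the factory default")
    if not password_changed:
        findings.append("administrator password is still the factory default")
    if unsaved:
        findings.append("settings changed after the last save")
    return findings


if __name__ == "__main__":
    for finding in audit_session(DEFAULT_SESSION):
        print("FINDING:", finding)
```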