1. License Grant. This is a license, not a sales agreement, between you, the end user, and NetScreen Technologies, Inc.
Defects in the product will be reported to NetScreen in a form and with supporting information reasonably requested by NetScreen...
Page 3
to enable it to verify, diagnose, and correct the defect. For returned product, the customer shall notify NetScreen of any nonconforming product during the warranty period, obtain a...
Some jurisdictions do not allow the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you.
Page 7
The NetScreen-25 is a network security device which protects your local area network (LAN) when connected to the Internet. Using a NetScreen-25 as a firewall, you can configure access policies that control inbound and outbound network traffic. With IPSec VPN tunnels, you can access distant private networks over the public Internet safely and reliably.
Page 8
These pages generally contain links to dialog boxes through links such as New Policy, New Manual Key User, New Entry, Edit, and so forth. [Figure labels: Menu column categories, Links, The NetScreen-25 Central Display Area]...
These guidelines apply to all NetScreen commands.
• A parameter inside [ ] (square brackets) is optional.
• A parameter inside { } (braces) is required.
• Anything inside < > is a variable.
• If there is more than one choice for a parameter inside [ ] and { }, they are separated by a pipe ( | ).
Page 10
These technical publications ship with the NetScreen-25 device:
• NetScreen-25 Installer’s Guide
• NetScreen-25 Getting Started Guide
The following publications are included on the documentation CD:
• NetScreen CLI Reference Guide
• NetScreen WebUI Reference Guide
• NetScreen Concepts & Examples ScreenOS Reference Guide
• NetScreen Message Log Reference Guide
Note: To receive important news on product updates, please visit our Web site at www.netscreen.com and register your product.
Page 11
[Figure 1-1 Front Panel of the NetScreen-25; labels: Port, Status-1 LED, Power LED, Status-2 LED, Flash LED] A front view of the NetScreen-25 is shown above. The label on the left side indicates the model name: NetScreen-25....
Page 12
• Session LED: Glows orange when there is over 90% utilization of sessions, and is dark during normal operation. The NetScreen-25 supports 4,000 concurrent sessions.
• Compact Flash LED: Glows a steady green when a card is plugged in with no activity, and flashes green when there is activity.
Page 13
1-3. The left LED indicates network traffic activity and the right LED indicates if the link is up (connected to an active device). [Figure 1-3 Ethernet LEDs] The back panel of the NetScreen-25 is shown in Figure 1-4. [Figure 1-4 label: Power Switch]...
Page 14
Warnings”, before you begin installation. 1. To replace a failed fuse on the NetScreen-25 it is necessary to take the device off-line, turn the power switch off and disconnect the power cable. 2. Using a screwdriver, separate the lid of the external fuse cover from the...
Page 15
5. Replace the power cable and turn the device power switch on. The table below shows the RJ-45 to DB-9 adapter connection definitions. Both the console and the modem ports on the NetScreen-25 must use this configuration in order to employ a standard UART port.
Page 17
Follow the instructions in this chapter to connect the NetScreen-25 device to the network and to configure the software for the first time. For further configuration options, see the NetScreen Concepts & Examples ScreenOS Reference Guide on the product CD.
Page 18
Note: When configuring multiple NetScreen-25 devices, each NetScreen-25 may be in default mode and will have the default IP address 192.168.1.1. Putting two or more NetScreen-25 devices on the same subnet in default mode will cause IP address conflicts. To avoid this problem, install and configure each NetScreen-25 device separately before connecting them to the network.
Page 19
Figure 2-7 Sample Configuration with a Router Connected to the Untrusted Port, Local Area Network (LAN) Connected to the Trusted Port The NetScreen-25 has three operational ports and one port reserved for future applications. Table 2-2 Port and Interface Detail...
Page 20
To use the DMZ, connect a cable from the DMZ port on the NetScreen-25 to the switch linking the machines in the DMZ to the DMZ interface. See Figure 2-8 for an example of this configuration. [Figure 2-8 labels: Internet, Router, Crossover cable, Untrusted Port]...
Page 21
Included with the NetScreen-25 is an RJ-45 to DB-9 serial cable for command line access purposes. Connect the RJ-45 end to the console port located on the front of the NetScreen-25 chassis. Connect the DB-9 end to your PC. See Figure 1-1 on page 1-1.
Page 23
The NetScreen-25 device supports three operational modes: Transparent mode, NAT (Network Address Translation) mode, and Route mode. In Transparent mode, the NetScreen device inspects packets traversing the firewall without modifying any of the source or destination information in the IP packet header.
Page 24
Note: For instructions on configuring the NetScreen-25 for NAT or Route mode, see the NetScreen Concepts and Examples ScreenOS Reference Guide. There are two methods for configuring the NetScreen-25 for the first time: via the Web user interface (WebUI) and via the command line interface (CLI).
Page 25
IP address. You can then log on through a Web browser and reset the system IP address. The following sections detail the procedures for administration of the NetScreen-25 device from the administrator’s workstation. Note: The NetScreen-25 ships from the factory with the IP address set to 192.168.1.1. Refer to Table 3-4 for administration requirements.
Page 26
Figure 3-9 Enter Network Password Dialog Box 5. In the dialog box, type netscreen for both the Username and Password, and then click OK. Note: The Username and Password are case-sensitive. After configuring the NetScreen device for the first time, change the default Username and Password as described in “Changing the Administrator Login Name and Password”...
Page 27
NetScreen-25, and then click OK. Note: Check the Synchronize system clock with this client checkbox to synchronize the NetScreen-25 clock with the clock in the administrator’s workstation. The IP address must be a valid and available IP address on your local network and the subnet mask must be an appropriate value for your local network.
Page 28
Figure 3-12 Access Policies Page The NetScreen-25 has a Trusted interface, an Untrusted interface, a DMZ interface and a fourth interface reserved for future use. These are physical interfaces used for channeling network user traffic. To configure the NetScreen-25 device for Network Address Translation (NAT) mode or Route mode, you must configure the Trusted, Untrusted, and DMZ (if used) interfaces.
Page 29
3. Enter the following, and then click Save:
• IP Address: Type an IP address for the Trusted interface.
• Netmask: Type an appropriate netmask.
• Default Gateway: Type the IP address of the router (if there is one) that exists between the Trusted network and the NetScreen-25.
...
Page 30
Interface Configuration dialog box. Figure 3-14 Untrusted Interface Configuration If the untrusted IP address on the NetScreen-25 is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select DHCP. If the ISP is using Point-to-Point Protocol over Ethernet, select PPPoE and enter the name and password.
Page 31
• IP Address: Type an IP address within the same subnet as the DMZ network.
• Netmask: Type an appropriate netmask.
• Default Gateway: Type the IP address of the router (if there is one) that exists between the DMZ network and the NetScreen-25.
...
Page 32
The NetScreen-25 ships with no configured Access Policies. You need to create access policies to permit specified kinds of traffic in the direction(s) you want. (You can also create access policies to deny and tunnel traffic.) 1. On the Outgoing Access Policies page, click the New Policy link in the lower left corner of the page.
Page 33
– Destination Address: Outside Any (Outside Any is a predefined address for all locations on the Untrusted network, usually the Internet.)
– Service: Any (Any is a predefined value for any IP service.)
– Action: Permit (Allows the traffic defined by the access policy to traverse the firewall.)
– ...
Page 34
Recovery” on page 3-19.) 7. Leave the other fields at their default entries, and select the Apply button. The changes require the NetScreen-25 to reset, which it automatically does at this point. Figure 3-18 shows the system message that appears.
Page 35
If the browser cannot access the Web site, check the following:
• Link lights on the NetScreen-25, workstations, hubs, and the router are glowing.
• The workstation IP and Netmask have the correct settings.
• The workstation gateway points to the router.
Page 36
The Download File dialog box appears, as shown in Figure 3-20 on page 3-14. Figure 3-20 File Download Dialog Box 3. Click Save and browse to the location where you want to keep the configuration file. Note: For further information regarding uploading and downloading of configuration settings, see the NetScreen Concepts &...
Page 37
“Command Line Interface (CLI) Syntax” on page ix. You can access the NetScreen-25 either by connecting directly via a console (or serial) cable to the NetScreen-25 console port, or you can create a network connection via Telnet. Connection instructions are offered for both methods.
Page 38
2-2. 1. Establish a Telnet connection to the NetScreen device. 2. For Host name, type: 192.168.1.1, the NetScreen-25 default IP address. If the NetScreen-25’s IP address has been changed, use the new IP address. Note: The Terminal type for Telnet sessions must be vt100. Click on Connect, and on the drop-down menu select Remote System.
Page 39
2. At the Password prompt, enter netscreen. Note: The Username and Password are case-sensitive. The NetScreen-25 ships from the factory with a default IP address of 192.168.1.1. To administer the NetScreen device over a network connection, you must change this IP address. To change this to an address on the same subnet as the other network devices to which the NetScreen-25 is connected, enter the following command, substituting your system IP address for <a.b.c.d>:...
Page 40
Route mode, see the NetScreen Concepts & Examples ScreenOS Reference Guide. From a workstation on the Trusted side of the NetScreen-25, use a Web browser to access an external Web site (for example, www.netscreen.com). The browser should be able to locate the site and access the available Web pages.
Page 41
To restore the NetScreen-25’s original factory default configuration, the user resets the device by pressing the configuration reset pinhole. Warning Resetting the device will delete all existing configuration settings, and the firewall and VPN service will be rendered inoperative. Configuration...
Page 42
Process aborted”. The status LED returns to blinking green. If the unit did not reset, an SNMP Alert will be sent, confirming the failure. Note: After successfully resetting and reconfiguring the NetScreen-25, it is strongly advised to back up the new configuration settings, as shown in “Backup...
Page 43
Before working on a device that has an On/Off switch, turn OFF the power and unplug the power cord. Warning The NetScreen-25 contains no user-serviceable parts and is housed in a tamper-proof enclosure. Therefore, the chassis should never be opened under any circumstances. Doing so will also void the warranty.
Page 44
Warning The Ethernet 10BaseT, 100BaseT, serial, console, and auxiliary ports contain safety extra-low voltage (SELV) circuits. Do not connect the NetScreen-25 to a telephone line or any Telco line (e.g., T-1, T-3, RJ-48 lines). Danger Do not work on the device, specifically, connecting or disconnecting cables during periods of lightning activity, as the unit can function as a conduit.
Page 45
Altitude: 0-12,000 feet (0-3,660 meters). You can place the NetScreen-25 on a desktop or mount it in a rack. The location of the chassis and the layout of your equipment rack or wiring room are extremely important for proper system operation. Equipment placed too close together will cause inadequate ventilation, and will also render areas of the device inaccessible for system maintenance during system malfunctions and shutdowns.
Page 46
When planning your site layout and equipment locations, follow the precautions described below to help avoid equipment failures and reduce the possibility of environmentally caused shutdowns. If you are experiencing shutdowns or unusually high errors with your existing equipment, these precautions may help you isolate the cause of the failures and prevent future problems.
Page 47
The Bureau of Standards Metrology and Inspection (BSMI) is an agency of the government of China (Taiwan), which requires the following label on technological equipment:...