NETSCREEN-200 SERIES User’s Guide Version 5.0 P/N 093-1253-000 Rev.
Copyright Notice Copyright © 2005 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc.
Contents
Preface v
Guide Organization v
Command Line Interface (CLI) Conventions vi
Juniper Networks NetScreen Publications
Establishing a Terminal Emulator Connection 22
Changing Your Admin Name and Password 23
Setting Port and Interface IP Addresses 23
Viewing Current Interface Settings 23
Setting the IP Address of the Management Interface
Preface The Juniper Networks NetScreen-200 Series consists of versatile, purpose-built, high-performance security systems that provide IPSec VPN and firewall services for medium and large enterprise offices, e-business sites, data centers, and carrier infrastructures.
COMMAND LINE INTERFACE (CLI) CONVENTIONS
The following conventions are used when presenting the syntax of a command line interface (CLI) command:
• Anything inside square brackets [ ] is optional.
• Anything inside braces { } is required.
• If there is more than one choice, each choice is separated by a pipe ( | ).
For example, set interface { ethernet1 | ethernet2 | ethernet3 } manage means “set the management options for the ethernet1, ethernet2, or ethernet3 interface”.
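As an added illustration (not from the guide), the following Python expander reads a command written in the notation above and enumerates every concrete command it stands for, rejecting unbalanced groups. The first sample is the guide's own example; the second, with the bracketed suffix, is constructed to exercise the optional form.

```python
import re

# A token is a single bracket, brace or pipe, or a run of anything else.
_TOKEN_RE = re.compile(r"[\[\]{}|]|[^\s\[\]{}|]+")


def _parse_seq(tokens, i):
    """Parse tokens[i:] up to '|', ']', '}' or the end.
    Returns (expansions, stop_index); each expansion is a list of words."""
    expansions = [[]]
    while i < len(tokens) and tokens[i] not in ("|", "]", "}"):
        tok = tokens[i]
        if tok in ("[", "{"):
            closer = "]" if tok == "[" else "}"
            alts, i = _parse_alts(tokens, i + 1, closer)
            if tok == "[":
                alts = alts + [[]]  # optional group: may be omitted entirely
            expansions = [e + a for e in expansions for a in alts]
        else:
            expansions = [e + [tok] for e in expansions]
            i += 1
    return expansions, i


def _parse_alts(tokens, i, closer):
    """Parse pipe-separated alternatives inside a group and consume its closer."""
    alts = []
    while True:
        seq, i = _parse_seq(tokens, i)
        alts.extend(seq)
        if i >= len(tokens):
            raise ValueError(f"missing closing {closer!r}")
        if tokens[i] == "|":
            i += 1
        elif tokens[i] == closer:
            return alts, i + 1
        else:
            raise ValueError(f"unexpected {tokens[i]!r}, expected {closer!r}")


def expand(syntax):
    """Return every concrete command a CLI syntax line stands for."""
    tokens = _TOKEN_RE.findall(syntax)
    expansions, i = _parse_seq(tokens, 0)
    if i != len(tokens):
        raise ValueError(f"unbalanced {tokens[i]!r} at token {i}")
    return [" ".join(words) for words in expansions]


if __name__ == "__main__":
    print(expand("set interface { ethernet1 | ethernet2 | ethernet3 } manage"))
    print(expand("set interface { ethernet1 | ethernet2 } manage [ ping | ssh ]"))
```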
Chapter 1 Overview This chapter provides detailed descriptions of the NetScreen-200 Series system devices and their components.
NETSCREEN-200 SYSTEMS The NetScreen-200 Series currently includes the NetScreen-204 device and the NetScreen-208 device. NetScreen-204 Device The NetScreen-204 is a chassis-based, rack-mountable network security device with four Ethernet 10/100Base-T interface ports. The figure below shows a NetScreen-204 device.
THE FRONT PANEL The features shared in common by NetScreen-204 and NetScreen-208 devices include:
• A System Status LED display
• An Asset Recovery Pinhole
• A Console port
• A Modem port
• A Compact Flash Card Slot
• Ethernet interfaces
System Status LED Display The front panel of each NetScreen-200 Series device has a System Status display, which contains six LEDs.
Alarm LED (System Alarm):
red: Critical alarm:
• Failure of hardware component or software module (such as a cryptographic algorithm).
• Firewall attacks detected.
amber: Major alarm:
• Low memory (less than 10% remaining).
• High CPU utilization (more than 90% in use).
• Session full.
• Maximum number of VPN tunnels reached.
• HA status changed or redundant group member not found.
off: No alarms.
Session LED (Session Utilization) and Flash LED (Memory Card Status): state descriptions not recovered from the table.
Console and Modem Ports The Console port is an RJ-45 serial console port connector, for vt100 terminal emulator programs to perform local configuration and administration. The Modem port is an RJ-45 serial console port connector, for establishing remote console sessions using dialup connections through a 9600 bps modem connected via an RS-232 cable. Dialing into the modem establishes the dialup console connection. The table below lists the RJ-45 to DB-9 adapter connection definitions.
Ethernet Interfaces Each Ethernet port is a 10/100 auto-sensing interface with two link LEDs. The left LED indicates network traffic, and the right LED indicates an active network link.
Network Traffic: Blinking = link activity
Network Link: On = link is up; Off = link is down
THE REAR PANEL The figure below shows the rear panel of a NetScreen-200 Series device (with an AC power supply).
Power Fuse Each NetScreen-200 Series device uses a 2.5 Amp, slow-blow power fuse rated for 250 Volts. To replace a fuse on a NetScreen-200 Series device:
1. Take the device off-line by turning the power switch OFF and disconnecting the power cable.
2. Using a screwdriver, separate the lid of the external fuse cover from the surface of the power outlet.
3. Gently remove the fuse assembly.
4. Slide the new fuse into the opening until the fuse clicks into place.
5.
Chapter 2 Installing the Device This chapter describes how to install a device in an equipment rack or on a desktop, and how to connect the device to other devices.
GENERAL INSTALLATION GUIDELINES Observing the following precautions can prevent injuries, equipment failures and shutdowns.
• Never assume that the power supply is disconnected from a power source. Always check first.
• Room temperature might not be sufficient to keep equipment at acceptable temperatures without an additional circulation system. Ensure that the room in which you operate the device has adequate air circulation.
There are two ways to rack-mount the NetScreen-200 Series:
• Front mount
• Mid-mount
Front Mount To front mount the NetScreen-200 Series device on your equipment rack:
1. Screw the front mount bracket to the side of the chassis.
2. Screw the front mount bracket to the rack, as shown below.
Mid-Mount To mid-mount the NetScreen-200 Series device on your equipment rack:
1. Screw the mid-mount bracket to the side of the chassis.
2.
WIRING A DC POWER SUPPLY The DC power supply, ON/OFF switch, grounding screw, and terminal blocks are located in the back of the chassis of the power supply unit. [Figure labels: Power Switch, Grounding Screw, DC Power Terminal Blocks] Warning: You must shut off the current to the DC feed wires before connecting the wires to the power supplies. Also, make sure that the ON/OFF switch is in the OFF position. To connect the DC power supply to a grounding point at your site:
1.
CONNECTING THE NETSCREEN-200 DEVICE TO OTHER DEVICES To connect the device, use the ethernet interfaces (ethernet1 through ethernet4 on the NetScreen-204, or ethernet1 through ethernet8 on the NetScreen-208). The purpose of each interface depends upon the security zone to which it is bound. By default, the zone and interface bindings are as follows:
• ethernet1 is bound to the Trust security zone by default.
Chapter 3 Configuring the Device This chapter describes how to perform initial configuration on a NetScreen-200 Series device once you have mounted it in a rack or on a desktop, plugged in the necessary cables, and turned the power ON.
OPERATIONAL MODES The NetScreen-200 Series device supports two device modes: Transparent mode and Route mode. The default mode is Route. Transparent Mode In Transparent mode, the NetScreen-200 device operates as a Layer-2 bridge. Because the device cannot translate packet IP addresses, it cannot perform Network Address Translation (NAT).
THE NETSCREEN-200 SERIES DEVICE INTERFACES Each NetScreen-200 device provides ethernet interfaces for access and connectivity. In addition, there are logical (non-physical) interfaces that perform special Layer-2 or management functions.
CONNECTING THE DEVICE AS A SINGLE SECURITY GATEWAY There are many ways to connect a NetScreen-200 Series device to your network system. In most cases, the device serves as a single security gateway that protects at least one LAN (usually connected to the device from a switch or a hub). Connectivity Examples In the following example, a NetScreen-208 device connects to the protected LAN through ethernet1 (bound to the Trust security zone).
In the following example, a NetScreen-208 device connects to a protected LAN through ethernet1 (bound to the Trust security zone) and to a protected DMZ through ethernet2 (bound to the DMZ security zone). The device connects externally to a router through ethernet3 (bound to the Untrust security zone).
ESTABLISHING AN HA CONNECTION BETWEEN DEVICES To ensure continuous traffic flow in the event of a system failure, you can cable and configure two NetScreen devices in a redundant cluster. The devices propagate all network, configuration and session information to each other. Should one device fail, the other takes over the traffic processing. Note: For the NetScreen-204, the default HA interface is ethernet4. For the NetScreen-208, the default HA interface is ethernet8.
Note: The cabling instructions given below reproduce the configuration shown previously. However, this is not the only possible HA configuration. In addition, the instructions assume that all physical ports and interfaces are set at their default settings. If you have changed the port and interface configurations, the instructions below might not work properly. To cable two NetScreen-200 Series devices together for HA and connect them to the network:
1.
Switches
11. Cable together the switches labeled “Switch 3” and “Switch 4.”
12. Cable together the switches labeled “Layer 3 switch 1” and “Layer 3 switch 2.”
13. Cable the switches labeled “Layer 3 switch 1” and “Layer 3 switch 2” to routers.
Note: The switch ports must be defined as 802.1Q trunk ports, and the external routers must be able to use either Hot Standby Router Protocol (HSRP) or Virtual Router Redundancy Protocol (VRRP).
Performing Initial Connection and Configuration
6. At the password prompt, type netscreen. Note: Use lowercase letters only. Both login and password are case-sensitive.
7. (Optional) By default, the console times out and terminates automatically after 10 minutes of idle time. To change this timeout interval, execute the following command:
set console timeout number
where number is the length of idle time in minutes before session termination. To prevent any automatic termination, specify a value of 0.
Setting the IP Address of the Management Interface To make an interface work as the management interface, you must set the IP address and subnet mask to the same address range as your computer (or LAN). Use the CLI save command to save your configuration changes. To configure the ethernet1 interface to serve as a management interface:
1. Determine the IP address and subnet mask for your computer (or LAN).
2.
Allowing Outbound Traffic By default, the NetScreen-200 Series device does not allow inbound or outbound traffic, nor does it allow traffic to or from the DMZ. To permit (or deny) traffic, you must create access policies. The following CLI command creates an access policy that permits all kinds of outbound traffic, from any host in your trusted LAN to any device on the untrusted network.
5. (Optional) By default, the console times out and terminates automatically after 10 minutes of idle time. To change this timeout interval, execute the following command:
set console timeout number
where number is the length of idle time in minutes before session termination. To prevent any automatic termination, specify a value of 0.
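The idle-timeout step above (and the identical step in the initial-connection procedure) is worth checking in saved configurations, since a value of 0 leaves an unattended console session open indefinitely. The following Python is an added example, not from the guide: it reads `set console timeout` lines from a configuration dump (the sample lines are constructed), applies the guide's 10-minute default when the setting is absent, treats the last occurrence as authoritative, and grades the result against a site maximum that is assumed for this example.

```python
import re

DEFAULT_TIMEOUT_MIN = 10   # the guide's stated default for an idle console session
MAX_ALLOWED_MIN = 10       # site policy assumed for this example

# Matches the command form given in the guide: "set console timeout <number>".
_TIMEOUT_RE = re.compile(r"^\s*set\s+console\s+timeout\s+(\d+)\s*$")


def console_timeout(config_lines):
    """Return the effective console idle timeout in minutes (last setting wins)."""
    value = DEFAULT_TIMEOUT_MIN
    for line in config_lines:
        m = _TIMEOUT_RE.match(line)
        if m:
            value = int(m.group(1))
    return value


def audit_console_timeout(config_lines):
    """Classify the effective timeout as 'disabled', 'too-long' or 'ok'."""
    minutes = console_timeout(config_lines)
    if minutes == 0:
        return "disabled", minutes   # idle sessions never terminate automatically
    if minutes > MAX_ALLOWED_MIN:
        return "too-long", minutes
    return "ok", minutes


# Constructed configuration excerpt: the later line overrides the earlier one.
SAMPLE_CONFIG = """\
set console timeout 30
set interface ethernet1 manage
set console timeout 0
""".splitlines()

if __name__ == "__main__":
    print(audit_console_timeout(SAMPLE_CONFIG))
```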
The NetScreen WebUI application window appears. Note: NetScreen-Security Manager 2004 (NSM) and NetScreen Rapid Deployment (RD): If you are using NSM, you can optionally configure NetScreen appliances with RD. Refer to the Rapid Deployment Getting Started Guide for more information.
ASSET RECOVERY If you lose the admin password, you can use one of the following procedures to reset the NetScreen device to its default settings. This destroys any existing configurations, but restores access to the device. Warning: Resetting the device will delete all existing configuration settings, and the firewall and VPN service will be rendered inoperative.
Using the Asset Recovery Pinhole to Reset the Device You can also reset the device and restore the factory default settings by pressing the asset recovery pinhole. To perform this operation, you need to make a console connection, as described in “Establishing a Terminal Emulator Connection” on page 22.
1. Locate the asset recovery pinhole on the front panel (see “The Front Panel” on page 3).
Appendix A Specifications This appendix provides general system specifications for the NetScreen-200 Series devices.
NETSCREEN-200 ATTRIBUTES
Height: 1.73 inches (4.4 cm)
Depth: 10.8 inches (27.4 cm)
Width: 17.5 inches (44.5 cm)
Weight: 8 pounds (36 hg)
ELECTRICAL SPECIFICATION
AC voltage: 100-240 VAC +/- 10%
DC voltage: -36 to -60 VDC
AC Watts: 45 Watts
DC Watts: 50 Watts
Fuse Rating: 2.