
P/N 093-0620-000 Rev. A, September 2002
NetScreen-204/-208
[Figure: NetScreen-204/-208 connection diagram showing the Internet, the router, Ethernet port 3, the LAN, Ethernet port 1, the power supply, and the Condition LEDs. The numbers on the diagram are paired with the steps below.]
Link Status LEDs:
A: Blinking = Link activity
B: Illuminated = Link is up; Dark = Link is down
Before using the NetScreen-200 series, you must first connect
the device to a network and perform an initial configuration.
This Getting Started guide provides instructions to do these two
tasks, and how to log in and make basic security modifications.
This guide is divided into three sections:
Typical Connection to Network
Initial Configuration
Basic Security and Policy Administration
For more configuration examples and detail, see the NetScreen-200 Series Installers Guide and
the NetScreen Concepts & Examples ScreenOS Reference Guide.
Typical Connection to Network
Step 1
Connect Ethernet port 3 to the external router.
NOTE: Depending on your service, the router might also be called
a cable modem or DSL modem.
Step 2
Connect Ethernet port 1 to the internal switch or hub.
NOTE: Your administration workstation must be connected to the
same network as Ethernet port 1 on the NetScreen-204/-208.
Step 3
a. To turn on the unit, connect the power cable from the back
of the unit to the power source. (For DC wiring instructions,
see the NetScreen-200 Series Installers Guide.)
b. Turn the power switch to the ON position. The Status and
Power lights glow.
Step 4
a. Check that the Power LED glows.
b. After startup, check that the Status LED blinks green.
c. Check the Link Status LEDs to assure network
connectivity.
Initial Configuration
Step 1
a. Record the IP address and netmask of your workstation. You
need to re-enter them later in this process.
b. Change the IP address and netmask of your workstation to
192.168.1.2 255.255.255.0.
c. If needed, restart the workstation to enable the changes to
take effect. The workstation is now part of the same subnet as
the NetScreen-204/-208 default IP address, which is
192.168.1.1.
Step 2
a. Launch a Web browser and, in the URL address field, enter
http://192.168.1.1.
The Enter Network Password dialog box appears.
b. Both the user name and password are case-sensitive. In the
dialog box, enter the following information:
User Name netscreen
Password netscreen
c. Click OK.
Transparent mode: To take some basic security precautions
and create an outgoing access policy, see the "Basic Security
and Policy Administration" section on page 3.
Route mode: Proceed to Step 3.
Step 3
To configure and bind the ethernet1 physical interface to the
Trust security zone:
a. In the NetScreen WebUI, select Network > Interfaces. The
Network > Interfaces page appears.
b. On the ethernet1 interface, click Edit to open the Network >
Interfaces(Edit) dialog box.
The NetScreen-204/-208 device supports two operational
modes: Transparent mode and Route mode. By default, the
device is shipped in Transparent mode.
Transparent Mode
In Transparent mode, the NetScreen device operates as a
Layer-2 bridge. The device inspects packets traversing the
firewall without modifying any of the source or destination
information in the IP packet header. Because it does not
translate addresses, the IP addresses on the protected network
must be valid, routable addresses on the Untrusted side of the
network.
In Transparent mode, the IP addresses for the V1-Trust security
zone and V1-Untrust security zone are set at 0.0.0.0, making
the presence of the NetScreen device invisible to the network,
but firewall, VPN and traffic management are still enforced
based on the policy set and configuration of the device.
Route Mode
In Route mode, the NetScreen device operates at Layer 3.
Unlike Transparent mode, all interfaces must be in different
subnets. In Route mode, you can configure individual interfaces
to perform NAT.
An interface that does not perform NAT routes traffic without
changing the source address and port number in the IP packet
header as the packet traverses the interface. Hosts connected
to an interface that does not perform NAT must have public IP
addresses, and no Mapped and Virtual IP addresses can be
established.
When a Route mode interface performs NAT, the NetScreen
device replaces the source IP address of the host that sent the
packet with the IP address of the Untrusted port of the
NetScreen device. Also, it replaces the source port number with
a random port number generated by the NetScreen device.
Transparent Mode: Steps 1 - 2
Route Mode: Steps 1 - 5
For more configuration examples and detail, see the NetScreen Concepts & Examples ScreenOS Reference Guide.
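Added example (not part of the original guide): a small Python model of the header rewriting described above for a Route mode interface with and without NAT. The class and function names, the 1024-65535 port range, the sample addresses, and the reply handling (which goes beyond what the guide states) are assumptions for illustration.

```python
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Interface:
    """Models one Route mode interface, with or without NAT (illustrative only)."""
    def __init__(self, untrust_ip, nat, rng=None):
        self.untrust_ip = untrust_ip      # address of the Untrusted port
        self.nat = nat                    # True = NAT, False = plain routing
        self.rng = rng or random.Random()
        self.out = {}                     # (host ip, host port) -> translated port
        self.back = {}                    # translated port -> (host ip, host port)

    def outbound(self, pkt):
        if not self.nat:
            return pkt                    # source address and port left unchanged
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            port = self.rng.randint(1024, 65535)   # assumed port range
            while port in self.back:      # never reuse a port that is in use
                port = self.rng.randint(1024, 65535)
            self.out[key] = port
            self.back[port] = key
        return replace(pkt, src_ip=self.untrust_ip, src_port=self.out[key])

    def inbound(self, pkt):
        """Reply handling in this model: restore the host, or None if no entry."""
        if not self.nat:
            return pkt
        if pkt.dst_ip != self.untrust_ip or pkt.dst_port not in self.back:
            return None                   # no translation entry for this packet
        ip, port = self.back[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)

def demo():
    # Constructed addresses: 192.168.1.0/24 inside, 203.0.113.10 on the Untrusted port.
    fw = Interface("203.0.113.10", nat=True, rng=random.Random(7))
    sent = fw.outbound(Packet("192.168.1.2", 40000, "198.51.100.5", 80))
    reply = fw.inbound(Packet("198.51.100.5", 80, sent.src_ip, sent.src_port))
    stray = fw.inbound(Packet("198.51.100.9", 80, "203.0.113.10", 1))
    return sent, reply, stray
```
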
c. Under Zone Name, select Trust as the layer 3 zone to bind
the interface, and click Apply.
d. Enter an IP address and network mask within the same
subnet as the internal network and click Apply.
e. Select either NAT Mode or Route Mode, and then click OK.
Step 4
Binding and configuring the ethernet1 physical interface to the
Trust zone binds the ethernet3 physical interface to the Untrust
security zone. To configure the ethernet3 interface:
a. On the ethernet3 interface, click Edit to open the Network >
Interfaces(Edit) dialog box.
b. If your ISP is using PPPoE, select Obtain IP using PPPoE,
enter the name and password provided by your ISP, and click
OK.
c. If your ISP is using DHCP, select Obtain IP using DHCP,
enter the name and password, and click OK.
d. If your ISP has assigned a static IP address, enter the
following, and click OK:
Static IP: (Select)
IP Address: Type the assigned untrusted IP address.
Netmask: Type an appropriate netmask.
Default Gateway: Type the IP address of the external router.
Step 5
Binding and configuring the ethernet1 physical interface to the
Trust zone binds the ethernet2 physical interface to the DMZ
security zone. To configure the ethernet2 interface:
a. On the ethernet2 interface, click Edit for the interface to open
the Network > Interfaces(Edit) dialog box.
b. Enter an IP address and network mask within the same
subnet as the DMZ network. Click OK.
Congratulations! Your NetScreen-204/-208 configuration for
NAT or Route mode is complete. To take some basic security
precautions and create an outgoing access policy, see the
"Basic Security and Policy Administration" section.
Basic Security and Policy Administration
Step 1
Because all NetScreen devices ship with the same login name
and password, you should change these immediately.
a. In the WebUI, select Admin under Configuration. Click
Administrators.
b. In the Local Admin User Database list, click Edit in the entry
for the Administrator Name "netscreen".
c. Enter the following, and then click OK:
Name: (Type your new login name.)
Old Password: netscreen
New Password: (Type your new password.)
Confirm Password: (Type your new password again.)
NOTE: The login name and password are case-sensitive
and must be alphanumeric without symbols.
Be sure to remember your login name and password!
If you forget them, you must reset the unit to its factory
settings, erasing any configuration changes and restoring the
default login name and password. For more information,
please refer to Resetting the Device to Factory Default
Settings in the NetScreen-200 Series Installers Guide.
Step 2
Changing the HTTP port number on which you conduct
administrative traffic improves security. To change and use the
new port number, do the following:
a. In the WebUI, select Admin under Configuration, and then
select Management.
b. Change the HTTP port number from 80 to any number
between 1024 and 32,767. Then click Apply.
When you next contact the NetScreen device, you must add the
new port number to the IP address in the URL field of your web
browser. For example, if the System IP address is 192.168.1.1
and your new port number is 1080, type: http://192.168.1.1:1080.
Step 3
The firewall attack protection (Screen) menu allows you to tailor
detection and threshold levels for a range of potential intruder
attacks.
a. In the WebUI, select Zones under Network.
b. At the Network > Zones page, select Edit for the zone for
which you want to configure firewall attack protection.
c. At the top of the Network > Zones(Edit) page, select SCREEN.
d. Select the appropriate protection options and click Apply.
Remember these features must be configured on each zone
where they are required.
Step 4
By default, the NetScreen-204/-208 denies all network traffic
passing to or from the Internet.
To set up an access policy that allows all traffic initiated from
inside your network to go out to the Internet, follow these
instructions:
a. In the WebUI, select Wizards > Outgoing Policy.
b. Select Permit unrestricted access to the untrusted zone,
and click Next.
c. Click Next to enter the configuration and then click Finish to
close the Wizard.
To receive important news on product updates and to gain access to online product support,
please visit our website at www.netscreen.com and register your product.