P/N 093-0624-000 Rev.

A 1 September 2002
NetScreen-5XP
NetScreen-5XT
1
2
3
Internet
Hub/Switch
Straight-Through
Cross-Over
Router, DSL modem or
cable modem
NetScreen 5XP/5XT
Your LAN
4a 4b 4c
Power
Before using the NetScreen-5XP or NetScreen-5XT, you
must first connect it to a network and perform an initial
configuration. This Getting Started guide provides instructions
to do these two tasks.
This guide is divided into two sections:
Typical Connection to Network
Initial Configuration
For more configuration examples and detail, see the NetScreen-5XP Installers Guide or the NetScreen-5XT Installers Guide and
the NetScreen Concepts & Examples ScreenOS Reference Guide.
Sfep 1
Using the WHITE straight-through cable, connect the
UNTRUSTED interface to the external router, cable modem, or
DSL modem.
Sfep 2
If the computer is in a LAN (see diagram above), connect the
COLORED cross-over cable
1
from the NetScreen devices
TRUSTED
2
interface to the internal switch or hub.
If the computer is a single workstation, get another straight-
through cable
1
and connect it from the TRUSTED
2
interface
directly to the Ethernet port on the workstation. (Diagram not
shown.)
Sfep 3
Connect the power cable between the NetScreen device and a
power source. NetScreen also recommends a surge protector.
Sfep 4
a. Check to see if the Power LED glows.
b. After startup, check that the Status LED blinks green.
c. To assure network connectivity, check to see if the Link Status
LEDs glow.
Sfep 5
a. Ensure that your PC is properly connected to your LAN (refer
to the diagram above).
b. If necessary, change the TCP/IP settings of your PC so that it
can obtain its IP address automatically from the NetScreen
device via DHCP. For instructions, consult your PC operating
system documentation.
Note: Make sure that a DHCP server is not already on the
internal network.
c. If necessary, restart the PC to enable the changes to take
effect.
1. NetScreen-5XT ports are auto-sensing/auto-polarity, so they can
use either a cross-over cable or a straight-through cable.
2. On the the NetScreen-5XT, use the Trusted1 port.
Geff|nQ Sforfeo
7\SLFDO&RQQHFWLRQWR1HWZRUN
P/N 093-0624-000 Rev. A 2 September 2002
NetScreen-5XP
NetScreen-5XT
,QLWLDO&RQILJXUDWLRQ
Sfep 1
a. Launch a Web browser and, in the URL address field, enter
http://192.168.1.1. The Enter Network Password dialog box
appears.
b. Both the user name and password are case-sensitive. In the
dialog box, enter the following information and click OK:
User Name netscreen
Password netscreen
Sfep 2
The Initial Configuration Wizard appears:
Select either NAT Mode or Route Mode and click Next.
Sfep 3

Enter a new administrator login and password and click Next.
If you selected NAT Mode, follow the steps that are marked
If you selected Route Mode, follow the steps that are marked
The Initial Configuration Wizard allows you to configure the
NetScreen-5XP or NetScreen-5XT device to operate in one of
two ways: in Route mode without NAT enabled, or in Route
mode with NAT enabled on the Trust zone interface. By default,
the device is shipped in Route mode with NAT enabled on the
Trust zone interface.
Route Mode without NAT
In Route mode, the NetScreen device operates at Layer 3. All
interfaces must be in different subnets. In Route mode, you can
configure individual interfaces to perform NAT.
An interface that does not perform NAT routes traffic without
changing the source address and port number in the IP packet
header as the packet traverses the interface. Hosts connected
to an interface that does not perform NAT must have public IP
addresses, and no Mapped and Virtual IP addresses can be
established.
Route Mode with NAT Enabled
When a Route mode interface performs NAT, the NetScreen
device replaces the source IP address of the host that sent the
packet with the IP address of the Untrusted port of the
NetScreen device. Also, it replaces the source port number with
a random port number generated by the NetScreen device.
The NetScreen-5XP and NetScreen-5XT devices also support Transparent mode operation. In Transparent mode, the NetScreen
device operates as a Layer-2 bridge. Any hosts in your local network must have IP addresses that are public, routable, and
accessible from external networks. To configure your device in Transparent mode, see the NetScreen Concepts & Examples
ScreenOS Reference Guide.
NAT
Route
Sfep 4

Enter the IP address for the interface that is connected to the
external router, cable modem, or DSL modem. Enter a gateway
address (the gateway address is the IP address of the router port
connected to the NetScreen device). Click Next.
Select Dynamic IP using PPPoE to enable the NetScreen device
to act as a PPPoE client, receiving an IP address for the Untrust
zone interface from an ISP; enter the username and password
assigned by the ISP. Select Static IP to assign a unique and fixed
IP address to the Untrust zone interface; enter the IP address and
netmask and gateway address (the gateway address is the IP
address of the router port connected to the NetScreen device).
Click Next.
Sfep 5
If you want to change the IP address of the Trust zone interface,
enter a new IP address and netmask .
Note: If you change the IP address and netmask of the Trust
zone interface, your PC and the Trust interface of the
NetScreen device may then be on different subnetworks. To
manage the NetScreen device through the WebUI, make sure
that both your PC and the NetScreen device are in the same
IP network and use the same netmask.
Click Next.
Sfep
Select No if you do not want to manage the NetScreen device via
WebUI or telnet, or ping the device. Or, you can deselect the
management services you want to enable. Click Next.
Sfep 7
Select Yes if you want to manage the NetScreen device from a
specific host on your network; enter the IP address of the host.
Click Next.
Sfep 8
Select No if you do not want the NetScreen device to assign IP
addresses to hosts in the Trust interface zone. Otherwise, the
NetScreen device will act as a DHCP server and assign dynamic
IP addresses to hosts in the Trust interface zone. You can enter a
different range for the IP addresses to be assigned. You can also
optionally enter the addresses of the DNS server(s).
Note: If you specify a different IP address range, your PC and
the Trust interface of the NetScreen device may then be on
Route
NAT
Route NAT
Route NAT
Route NAT
NAT
P/N 093-0624-000 Rev. A 4 September 2002
NetScreen-5XP
NetScreen-5XT
different subnetworks. To manage the NetScreen device
through the WebUI, make sure that both your PC and the
NetScreen device are in the same IP network and use the
same netmask.
Click Next.
Sfep
A confirmation screen like the following appears:
Click Previous to re-enter configuration information. Click Next to
enter the configuration. You can select to start the WebUI to
manage the NetScreen device through the URL
http://192.168.1.1. (Make sure that both your PC and the
NetScreen device are in the same IP network and use the same
netmask.)
Congratulations! Your NetScreen configuration is complete. To
take some basic security precautions, see the Basic Security and
Policy Administration Section.
%DVLF6HFXULW\DQG3ROLF\$GPLQLVWUDWLRQ
Sfep 1
By default, the NetScreen-5XP and NetScreen-5XT devices allow
PCs in your network to start any kind of session with outside
computers, while outside computers are not allowed to start
sessions with your PCs. You can set up access policies that tell
NetScreen device what kinds of sessions to restrict or permit.
Do you want to prevent PCs in your network from using certain
kinds of services?
To set up an access policy to restrict the kinds of traffic that can be
initiated from inside your network to go out to the Internet, use the
WebUI Outgoing Policy wizard. In the WebUI, select Wizards >
Outgoing Policy.
Do you have a computer in your network, such as a Web server,
that provides services?
To set up an access policy to permit certain kinds of traffic that can
be initiated from outside computers to your network, use the
WebUI Incoming Policy wizard. In the WebUI, select Wizards >
Incoming Policy.
Sfep 2
The firewall attack protection (Screen) menu allows you to tailor
detection and threshold levels for a range of potential intruder
attacks.
a. In the WebUI, select Zones under Network.
b. At the Network > Zones page, select Edit for the zone for
which you want to configure firewall attack protection.
c. At the top of the Network > Zones(Edit) page, select SCREEN.
d. Select the appropriate protection options and click Apply.
Remember these features must be configured on each zone
where they are required.
Route NAT
To receive important news on product updates and to gain access to online product support,
please visit our website at www.netscreen.com and register your product.