Shulou(Shulou.com)06/01 Report--

Password recovery:

Use the console port of the laptop to connect to the firewall, and the user name and password are entered into the serial number behind the body, which will warn you to reset configure. After pressing "y" twice, the firewall restores the factory settings and restarts. Unplug the console line when the firewall is started, otherwise you will enter a tftp mode of transferring images. )

The default user name and password of the factory is netscreen,ether1 ip is 192.168.1.1, set the ip address of the notebook to a 192.168.1.0 IP of the 24 network segment, connect to the ether1 with a network cable, and you can access it with a browser.

"the interface of NetScreen can operate in three different modes: network address Translation (NAT), routing (Route), and Transparency. If an interface bound to a layer 3 (model of OSI) section has an IP address, you can define a NAT or routing mode of operation for that interface. Interfaces bound to layer 2 sections, such as predefined v1-trust, v1-untrust, and v1-dmz, or user-defined layer 2 sections, must be in transparent mode. Select the mode of operation when configuring the interface. Vsys cannot be in transparent mode. "

I must be a little at a loss to see the interface mode of netscreen for the first time (at least I am stupid and react in this way). In fact, it is easy to understand if I understand these modes. Since the transparent bridge is working at the second layer, it must be layer2, that is, v1MytrustGravity v1Myuntrust and v1-dmz (because after selecting the mode, you can see that the type attribute of ineteface says "Layer2",: -) in the interface of netscreen).

After understanding, it is easy to configure. I chose ether7 to connect to wan and ether8 to connect to lan (there are already nat devices inside lan, so I use netscreen as a bridge). Ether7 connects to the public network, which, of course, is an untrusted zone. Ether7- > v1 Mustang untrustworthy ether8 connects to the intranet, ether8- > v1-trust. You don't have to set ip.

In order to log in to the firewall in the intranet, go to "network"-> "zones"-> "v1-trust" and check "web ui", "telnet" and "ping" (just check it according to your needs). One of the more peculiar things about netscreen is vlan1 (something strange to me, of course I don't think I'm used to it). I thought it was a virtual network built by 802.1q protocol like vlan in extreme, but I didn't see the tag setting of 802.1q or the real port. Later, we found out that it was only a virtual thing (it is not very clear in understanding). After we set IP on vlan1, we checked permissions such as "web ui", so we can log in to the firewall with this IP (not corresponding to a physical port).

Finally, to allow communication between ports, the firewall rule is-- what is not explicitly allowed is prohibited-- so we need to set up rules so that v1-trust and v1-untrust data can be released. "Polices"-> "from v1-trust to v1-untrust", select permit (default is any), "from v1-untrust to v1-trust", select permit.

Finish work, connect ether7 and ether8 network cable to test the effect.

Of course, direct access rules like firewall are useless, so in "screening"-> "screen", I checked some options to prevent * * for v1-untrust, and now I have intercepted some data, which can be regarded as playing a role). If you really want to play a role, the key is to make selective release rules, otherwise the firewall is just a hub, without any effect.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.