Example: Configuring NetScreen5GT Devices to Permit Internal Hosts (NSM Procedure)

In this example, you configure a NetScreen-5GT ADSL security device to permit internal hosts to access the Internet through the ADSL interface and permit Internet users to access a local Web server while protecting other internal hosts. To segregate traffic flow to the Web server from the rest of the internal network, configure the Web server in the DMZ, and then create a firewall rule that permits HTTP traffic only to the DMZ zone.

To configure a NetScreen-5GT device to permit internal hosts:

  1. Add the NetScreen-5GT ADSL security device as ADSL 1 (device name). To enable the DMZ zone, select the Trust/Untrust/DMZ port mode.
  2. Configure the adsl1 interface in the Untrust zone:
    • Double-click the device icon to open the device configuration. In the device navigation tree, select Network > Interface.
  3. Right-click the adsl1 interface and select the Edit icon. The General Properties screen appears. Using the information you previously obtained from the service provider, configure the following options:
    • For VPI, enter 0; for VCI, enter 35.
    • For Multiplexing Mode, select VC Multiplexing.
    • For IP address/netmask, enter 1.1.1.1/24.
    • Ensure that Manageable is enabled.
    • Ensure that the Management IP is 1.1.1.1.
    • Ensure that the Mode is NAT.
  4. In the interface navigation tree, select NAT > MIP. Configure the following options:
    • For Mapped IP, enter 1.1.1.5.
    • For Netmask, enter 32.
    • For Host IP, enter 10.1.1.5.
    • Ensure that the Host Virtual Router is set to trust-vr.
  5. Click OK to add the MIP, and then click OK again to save your changes to the ADSL interface.
  6. Configure the Trust interface (ethernet1 in the Trust zone).
  7. Right-click ethernet1 and select the Edit icon. The General Properties screen appears. Configure the interface to use an IP address and netmask of 192.168.1.1/24. For Interface Mode, select NAT.
  8. Select the DHCP Server IP Pools tab, and then configure the following options:
    • For starting IP, enter 192.168.1.3.
    • For Value, select End IP.
    • For ending IP, enter 192.168.1.33.
  9. In the interface navigation tree, select DHCP. For DHCP Mode, select DHCP Server.
  10. Click OK to add the new IP pool, and then click OK again to save your changes to the Trust interface.
  11. Configure the DMZ interface (ethernet2 in the DMZ zone).
  12. Double-click ethernet2. The General Properties screen appears. Configure the interface to use an IP address and netmask of 10.1.1.1/24. For Interface Mode, select NAT.
  13. Click OK to save your changes to the DMZ interface, and then click OK to save and apply your changes to the device configuration.
  14. Create a Global MIP to reference the MIP you created for the adsl1 interface. You use a Global MIP when configuring NAT in a Security Policy rule; the Global MIP references the MIP for an individual device, enabling you to use one object (the Global MIP object) to represent multiple MIPs in a single rule.
  15. In the navigation tree, select Object Manager > NAT Objects > MIP.
  16. Click the Add icon to display the new Global MIP dialog box.
  17. Configure the Global MIP.
  18. Create a firewall rule that routes inbound HTTP traffic from any address in the Untrust zone to the MIP host (the Web server) in the DMZ zone. Configure the rule.
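As an added check that is not part of the NSM documentation or any Juniper tool, the following Python model replays inbound flows against the zones, MIP and single policy rule configured above, to confirm that only HTTP to the MIP reaches the Web server in the DMZ and that nothing inbound reaches the Trust network. The Trust and DMZ subnets are assumed from the interface addresses in steps 7 and 12; source addresses are constructed.

```python
import ipaddress

# Interfaces from the procedure: name -> (zone, directly connected subnet).
INTERFACES = {
    "adsl1": ("Untrust", ipaddress.ip_network("1.1.1.0/24")),
    "ethernet1": ("Trust", ipaddress.ip_network("192.168.1.0/24")),
    "ethernet2": ("DMZ", ipaddress.ip_network("10.1.1.0/24")),
}

# MIP on adsl1 (step 4): public 1.1.1.5/32 maps to the Web server 10.1.1.5.
MIPS = {ipaddress.ip_address("1.1.1.5"): ipaddress.ip_address("10.1.1.5")}

# The one inbound rule from step 18; unmatched traffic hits the default deny.
# Fields: (from_zone, to_zone, destination object, service, action)
POLICIES = [("Untrust", "DMZ", "MIP(1.1.1.5)", "HTTP", "permit")]

# Minimal service table for the flows exercised below (constructed).
SERVICES = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 22): "SSH"}


def zone_of(addr):
    """Destination zone is the zone of the interface whose subnet holds addr."""
    for zone, net in INTERFACES.values():
        if addr in net:
            return zone
    return None


def evaluate(ingress_if, src, dst, proto, port):
    """Return (action, translated destination) for a flow entering ingress_if.

    Mirrors the ScreenOS order of operations: the MIP translates the public
    address first, then the policy lookup runs on the zone pair and service.
    """
    from_zone = INTERFACES[ingress_if][0]
    dst = ipaddress.ip_address(dst)
    dst_object = None
    if dst in MIPS:
        dst_object = f"MIP({dst})"
        dst = MIPS[dst]
    to_zone = zone_of(dst)
    service = SERVICES.get((proto, port))
    for f, t, d, s, action in POLICIES:
        if (f, t, d, s) == (from_zone, to_zone, dst_object, service):
            return action, str(dst)
    return "deny", str(dst)
```

Any flow that is not HTTP to the MIP, including traffic aimed directly at the private DMZ or Trust addresses, falls through to the default deny.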
