Example: Updating DNS Servers (NSM Procedure)
When you initiate a PPPoE connection, your ISP automatically provides the IP addresses for the Untrust zone interface and the IP addresses for the Domain Name System (DNS) servers. When the device receives DNS addresses through PPPoE, the new DNS settings overwrite the local settings by default.
If you do not want the new DNS settings to replace the local settings, enable the Manual IP Configuration setting when configuring a PPPoE instance. If you use a static IP address for the Untrust zone interface, you must obtain the IP addresses of the DNS servers and manually enter them on the security device and on the hosts in the Trust zone.
In this example, the security device receives a dynamically assigned IP address for its Untrust zone interface (ethernet3) from the ISP. Because the device also dynamically assigns IP addresses for the three hosts in its Trust zone, the device acts both as a PPPoE client and a DHCP server. The Trust zone interface must be in either NAT mode or Route mode. In this example, it is in NAT mode.
Before setting up the site in this example for PPPoE service, you must have the following: a digital subscriber line (DSL) modem and line, an account with an ISP, and a username and password (obtained from the ISP).
To update a DNS server:
1. Add a NetScreen-5GT device running ScreenOS 5.0 named “Device A.”
2. Configure the ethernet1 interface (Trust Interface):
   a. In the device navigation tree, select Network > Interface.
   b. Double-click the ethernet1 interface. The General Properties screen appears.
   c. Configure the General Properties options:
      - For Zone, select Trust (default setting).
      - For IP Address, enter 172.16.30.10.
      - For Netmask, enter 24.
      - Ensure that Manageable is enabled and that the Management IP is 172.16.30.10.
      - For Interface Mode, select NAT (default setting).
   d. In the interface navigation tree, select DHCP. Set the DHCP mode to DHCP Server and configure as follows:
      - For DNS #1, DNS #2, and Client Gateway, enter 0.0.0.0.
      - For Lease Time, enter 60 (60 minutes).
      - Leave all other defaults.
   e. Select the IP Pools tab, and then click the Add icon. The New DHCP IP Pool dialog box appears. Configure the following:
      - For IP Address, enter 172.16.30.2.
      - For Value, select End IP.
      - For End of Dynamic IP Range, enter 172.16.30.5.
   f. Click OK to save the new IP Pool, and then click OK to save your changes to the interface.
3. Configure the ethernet3 interface (Untrust Interface):
   a. In the device navigation tree, select Network > PPPoE.
   b. Click the Add icon. The New PPPoE Instance dialog box appears. Configure the following options:
      - For PPPoE Instance, enter eth3-pppoe.
      - For Interface, select ethernet3.
      - For username, enter user1.
      - For password, enter 123456.
      - For Concentrator-Name, enter ac-11.
      - Leave all other defaults.
   c. Click OK to add the instance, and then click OK again to save your changes to the device.
4. Activate PPPoE and DHCP on the network:
   a. Turn off the power to the DSL modem, the security device, and any connected workstations.
   b. Turn on the DSL modem.
   c. Turn on the security device. The device makes a PPPoE connection to the ISP and, through the ISP, gets the IP addresses for the DNS servers.
   d. Activate DHCP on the internal network by turning on the workstations. The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection. Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.
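A pre-deployment sanity check for the Trust-side addressing used in this example, added here and not part of the original procedure or of NSM: it confirms that the DHCP pool lies inside the ethernet1 subnet, does not hand out the interface's own address, and is large enough for the three Trust zone hosts. The function and parameter names are hypothetical; the addresses are the ones entered in the procedure.

```python
import ipaddress


def check_dhcp_plan(interface_ip, prefix_len, pool_start, pool_end, host_count):
    """Return a list of problems found in a DHCP server plan (empty list = OK)."""
    problems = []
    iface = ipaddress.ip_interface(f"{interface_ip}/{prefix_len}")
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # A reversed range makes every later check meaningless, so stop here.
    if start > end:
        return [f"pool start {start} is above pool end {end}"]

    # Both ends of the pool must sit in the subnet of the serving interface.
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside {net}")

    # The pool must not hand out reserved addresses or the gateway itself.
    if start <= net.network_address <= end or start <= net.broadcast_address <= end:
        problems.append("pool includes the network or broadcast address")
    if start <= iface.ip <= end:
        problems.append(f"pool includes the interface address {iface.ip}")

    # Every host in the Trust zone needs its own lease.
    size = int(end) - int(start) + 1
    if size < host_count:
        problems.append(f"pool has {size} addresses for {host_count} hosts")
    return problems


# Values taken from the procedure above (ethernet1 and its IP pool).
PAGE_PLAN = dict(interface_ip="172.16.30.10", prefix_len=24,
                 pool_start="172.16.30.2", pool_end="172.16.30.5", host_count=3)

if __name__ == "__main__":
    for line in check_dhcp_plan(**PAGE_PLAN) or ["plan OK"]:
        print(line)
```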