Instruction/maintenance manual of the product SSG 20 Juniper Networks
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Part Number: 530-015646-01, Revision 03 Security Products SSG 20 Hardware Installation and .
2 Copyright Notice Copyright © 2006 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc.
Table of Contents 3 Table of Contents About This Guide ... 5 Organization ... 6 WebUI Conventions ...
4 Table of Contents SSG 20 Hardware Installation and Configuration Guide Using Telnet ... 30 Default Device Settings ...
5 About This Guide The Juniper Networks Secure Services Gateway (SSG) 20 device is an integrated router and firewall platform that provides Internet Protocol Security (IPSec) virtual private network (VPN) and firewall services for a branch office or a retail outlet.
SSG 20 Hardware Installation and Configuration Guide 6 Organization Organization This guide contains the following sections: Chapter 1, “Hardware Overview,” describes the chassis and components of an SSG 20 device.
CLI Conventions 7 About This Guide Figure 1: Navigational Path and Configuration Settings CLI Conventions The following conventions are used to present the syntax of CLI commands in examples and in text. In examples: Anything inside square brackets [ ] is optional.
SSG 20 Hardware Installation and Configuration Guide 8 Obtaining Documentation and Technical Support Obtaining Documentation and Technical Support To obtain technical documentation for any Juniper Networks product, visit www.juniper.net/techpubs/.
9 Chapter 1 Hardware Overview This chapter provides detailed descriptions of the SSG 20 chassis and its components. It contains the following sections: “Port and Power Connectors.
SSG 20 Hardware Installation and Configuration Guide 10 Port and Power Connectors Port and Power Connectors This section describes and displays the location of the built-in ports and power connectors. Refer to the following figure for built-in port locations and Table 1 for the power connector descriptions.
Front Panel 11 Front Panel This section describes the following elements on the front panel of an SSG 20 device: System Status LEDs, Port Descriptions, Mini Physical Interface Module Port Descriptions. System Status LEDs The system status LEDs display information about critical device functions.
SSG 20 Hardware Installation and Configuration Guide 12 Front Panel PIM 2, Green. On steadily: Indicates that the mini PIM is functioning. Blinking: Indicates that the mini PIM is passing traffic. Off: Indicates that the mini PIM is not operational.
Front Panel 13 Port Descriptions This section explains the purpose and function of the following: Ethernet Ports, Console Port, AUX Port. Ethernet Ports Five 10/100 Ethernet ports provide LAN connections to hubs, switches, local servers, and workstations.
SSG 20 Hardware Installation and Configuration Guide 14 Front Panel AUX Port The auxiliary (AUX) port is an RJ-45 serial port wired as data terminal equipment (DTE) that can be connected to a modem to allow remote administration. We do not recommend using this port for regular remote administration.
Front Panel 15 Table 4: Mini PIM LED States on the SSG 20 Type Name Color State Description ADSL 2/2+ (Annex A and B) SYNC Green On steadily Indicates that the ADSL interface is trained Blinkin.
SSG 20 Hardware Installation and Configuration Guide 16 Back Panel Back Panel This section describes the following elements on the back panel of an SSG 20 device: Power Adapter Rad.
Back Panel 17 Grounding Lug A one-hole grounding lug is provided on the rear of the chassis to connect the device to earth ground (see Figure 6). To ground the device before connecting power, connect a grounding cable to earth ground and then attach the cable to the lug on the rear of the chassis.
SSG 20 Hardware Installation and Configuration Guide 18 Back Panel Antennae Types The SSG 20-WLAN device supports three types of custom-built radio antennae: Diversity antennae — The di.
19 Chapter 2 Installing and Connecting the Device This chapter describes how to mount an SSG 20 device and connect cables and power to the device.
SSG 20 Hardware Installation and Configuration Guide 20 Before You Begin Before You Begin The location of the chassis, the layout of the mounting equipment, and the security of your wiring room are crucial for proper system operation.
Installing Equipment 21 To front-mount an SSG 20 device onto a standard 19-inch equipment rack, perform the following steps: Figure 7: SSG 20 Front-mount 1. Align the power supply rack-mount ear to the left-front edge of the device. 2. Place the screws in the holes and use a Phillips screwdriver to secure them.
SSG 20 Hardware Installation and Configuration Guide 22 Connecting Interface Cables to a Device To desk-mount an SSG 20 device, perform the following steps: Figure 9: SSG 20 Desk-mount 1. Attach the desktop stand to the side of the device.
Connecting a Device to a Network 23 Connecting a Device to a Network An SSG 20 device provides firewall and general security for networks when it is placed between internal networks and the untrusted network.
SSG 20 Hardware Installation and Configuration Guide 24 Connecting a Device to a Network Ethernet Ports To establish a high-speed connection, connect the provided Ethernet cable from the Ethernet port marked 0/0 on an SSG 20 device to the external router.
Connecting a Device to a Network 25 Figure 11: Microfilter and Splitter on Your Network Connection ISDN, T1, E1, and V.92 Mini PIMs To connect the mini PIMs to a device, perform the following steps: 1. Have ready a length of the type of cable used by the interface.
SSG 20 Hardware Installation and Configuration Guide 26 Connecting a Device to a Network Wireless Antennae If you are using the wireless interface, you need to connect the provided antennae on the device.
27 Chapter 3 Configuring the Device ScreenOS software is preinstalled on an SSG 20 device. When the device is powered on, it is ready to be configured.
SSG 20 Hardware Installation and Configuration Guide 28 Accessing a Device Accessing a Device You can configure and manage a device in several ways: Console: The Console port on the device allows you to access the device through a serial cable connected to your workstation or terminal.
Accessing a Device 29 3. Launch a serial terminal-emulation program on your workstation. The required settings to launch a console session are as follows: Baud rate: 9600; Parity: None; Data bits: 8; Stop bit: 1; Flow Control: None 4.
SSG 20 Hardware Installation and Configuration Guide 30 Accessing a Device Figure 14: WebUI Login Prompt 4. If you have not yet changed the default login for the admin name and password, enter netscreen at both the admin name and password prompts.
Default Device Settings 31 Default Device Settings This section describes the default settings and operation of an SSG 20 device. Table 5 shows the default zone bindings for ports on the devices.
SSG 20 Hardware Installation and Configuration Guide 32 Default Device Settings To unset ethernet0/3 from bgroup0 and assign it to the Trust zone with a static IP address of 192.
Basic Device Configuration 33 Basic Device Configuration This section describes the following basic configuration settings: Root Admin Name and Password, Date and Time, Bridge Group .
SSG 20 Hardware Installation and Configuration Guide 34 Basic Device Configuration Date and Time The time set on an SSG 20 device affects events such as the setup of VPN tunnels. The easiest way to set the date and time on the device is to use the WebUI to synchronize the device system clock with the workstation clock.
Basic Device Configuration 35 CLI
unset interface bgroup0 port ethernet0/3
unset interface bgroup0 port ethernet0/4
set interface bgroup1 port ethernet0/3
set interface bgroup1 port ethernet0/4
set interface bgroup1 port wireless0/2
set interface bgroup1 zone DMZ
set interface bgroup1 ip 10.
SSG 20 Hardware Installation and Configuration Guide 36 Basic Device Configuration Hostname and Domain Name The domain name defines the network or subnetwork that the device belongs to, while the hostname refers to a specific device. The hostname and domain name together uniquely identify the device in the network.
Basic Wireless Configuration 37 Backup Untrust Interface Configuration The SSG 20 device allows you to configure a backup interface for untrust failover.
SSG 20 Hardware Installation and Configuration Guide 38 Basic Wireless Configuration Once you have set an SSID to the wireless0/0 interface, you can access the device using the default wireless0/0 interface IP address in the steps described in “Accessing a Device” on page 28.
Basic Wireless Configuration 39 Table 7: Wireless Authentication and Encryption Options Refer to the Concepts & Examples ScreenOS Reference Guide for configuration examples, SSID attributes, and CLI commands relating to wireless security configurations.
SSG 20 Hardware Installation and Configuration Guide 40 Basic Wireless Configuration 5. Activate wireless changes. Wireless > General Settings > Click Activate Changes. CLI 1. Set the WLAN country code and IP address.
set wlan country-code { code_id }
set interface wireless_interface ip ip_addr/netmask
2.
Mini PIM Configuration 41 Mini PIM Configuration This section explains how to configure the mini physical interface modules (PIMs): ADSL2/2+ Interface, ISDN Interface, T1 Interface, E1 Interface, V.
SSG 20 Hardware Installation and Configuration Guide 42 Mini PIM Configuration Virtual Circuits To add virtual circuits, you create subinterfaces to the ADSL2/2+ interface. You can create up to 10 ADSL2/2+ subinterfaces. For example, to create a new subinterface named adsl1/0.
Mini PIM Configuration 43 WebUI Network > Interfaces > List > Edit (for the adsl1/0 interface): Enter the following, then click Apply: VPI/VCI: 1 / 32 Multiplexing Method: LLC (s .
SSG 20 Hardware Installation and Configuration Guide 44 Mini PIM Configuration Static IP Address and Netmask If your service gave you a specific, fixed IP address and netmask for your network, then configure the IP address and netmask for the network and the IP address of the router port connected to the device.
Mini PIM Configuration 45 CLI
set interface bgroup0 dhcp server option dns1 1.1.1.152
save
For more information about configuring the ADSL and ADSL2/2+ interfaces, refer to the Concepts & Examples ScreenOS Reference Guide.
SSG 20 Hardware Installation and Configuration Guide 46 Mini PIM Configuration AT&T Pub 54014 ITU G.751, G.703 To configure the T1 mini PIM, use the WebUI or CLI as follows: We.
Mini PIM Configuration 47
set ppp profile "juniper test" auth local-name "juniper"
set ppp profile "juniper test" auth secret "password"
set interface serial1/0 ppp profile "juniper test"
set interface serial1/0 ip 172.18.1.
SSG 20 Hardware Installation and Configuration Guide 48 Basic Firewall Protections Basic Firewall Protections The devices are configured with a default policy that permits workstations in the T .
Resetting a Device to Factory Defaults 49 Resetting a Device to Factory Defaults If you lose the admin password, you can reset the device to its default settings. This action destroys any existing configurations but restores access to the device.
SSG 20 Hardware Installation and Configuration Guide 50 Resetting a Device to Factory Defaults.
Required Tools and Parts 51 Chapter 4 Servicing the Device This chapter describes service and maintenance procedures for an SSG 20 device. It contains the following sections: “Requir .
SSG 20 Hardware Installation and Configuration Guide 52 Replacing a Mini-Physical Interface Module Removing a Blank Faceplate To maintain proper airflow through the SSG 20 device, blank faceplates should remain over slots that do not contain mini PIMs.
Replacing a Mini-Physical Interface Module 53 8. Grasp the screws on each side of the mini PIM faceplate and slide the mini PIM out of the device. Place the mini PIM in the electrostatic bag or on the antistatic mat. Figure 16: Removing a Mini PIM 9.
SSG 20 Hardware Installation and Configuration Guide 54 Upgrading Memory 6. If necessary, arrange the cables to prevent them from dislodging or developing stress points: a. Secure the cables so that they are not supporting their own weight as they hang to the floor.
Upgrading Memory 55 6. Release the 128 MB DIMM DRAM by pressing your thumbs outward on the locking tabs on each side of the module so that the tabs move away from the module. Figure 19: Unlocking the Memory Module 7. Grip the long edge of the memory module and slide it out.
SSG 20 Hardware Installation and Configuration Guide 56 Upgrading Memory 9. Place the memory-card cover over the slot. 10. Use the Phillips screwdriver to tighten the screws, securing the cover to the device.
57 Appendix A Specifications This appendix provides general system specifications for an SSG 20 device. It contains the following sections: “Physical” on page 58 “Electrical” .
SSG 20 Hardware Installation and Configuration Guide 58 Physical Physical Table 8: SSG 20 Physical Specifications Electrical Table 9: SSG 20 Electrical Specifications Environmental Tolerance Table 10: SSG 20 Environmental Tolerance Description Value Chassis dimensions 294 mm x 194.
Certifications 59 Certifications Safety CAN/CSA-C22.2 No. 60950-1-03/UL 60950-1 Safety of Information Technology Equipment EN 60950-1 (2000) Third Edition Safety of Information T.
SSG 20 Hardware Installation and Configuration Guide 60 Connectors T1 Interface FCC Part 68 - TIA 968 Industry Canada CS-03 UL 60950-1 Applicable requirements for TNV circuit with outside plant lead connection Connectors Figure 22 shows the location of the pins on the RJ-45 connector.
Connectors 61 Figure 23 shows the location of the pins on the DB-9 female connector. Figure 23: DB-9 Female Connector Table 12 provides the DB-9 connector pinouts.
SSG 20 Hardware Installation and Configuration Guide 62 Connectors.
63 Appendix B Initial Configuration Wizard This appendix provides detailed information about the Initial Configuration Wizard (ICW) for an SSG 20 device. After you have physically connected your device to the network, you can use the ICW to configure the interfaces that are installed on your device.
SSG 20 Hardware Installation and Configuration Guide 64 1. Rapid Deployment Window Figure 24: Rapid Deployment Window If your network uses NetScreen-Security Manager (NSM), you can use a Rapid Deployment configlet to automatically configure the device.
65 3. WLAN Access Point Window If you are using the device in the WORLD or ETSI regulatory domain, you must choose a country code. Select the appropriate options, then click Next.
SSG 20 Hardware Installation and Configuration Guide 66 5. ADSL2/2+ Interface Window If you have the ADSL2/2+ mini PIM installed in your device, you can configure the adslx/0 interface using the following window.
67 Table 13: Fields in ADSL Interface Configuration Window If you do not know these settings, refer to the Common Settings for Service Providers document that came with the service provider device. Field Description Information from Service Provider: VPI/VCI VPI/VCI values to identify the permanent virtual circuit.
SSG 20 Hardware Installation and Configuration Guide 68 6. T1 Interface Windows If you have the T1 mini-PIM installed in your device and you selected the Frame Relay option, the following win.
69 Table 14: Fields in T1 Physical Layer Tab Window Field Description Clocking Sets the transmit clock on the interface. Line Buildout Sets the distance at which an interface drives a line.
SSG 20 Hardware Installation and Configuration Guide 70 Figure 30: T1 Frame Relay Tab Window Table 15: Fields in T1 Frame Relay Tab Window Field Description No-Keepalive checkbox Enables no-keepalives.
71 If you have the T1 mini-PIM installed in your device and you selected the PPP option, the following additional windows are displayed: PPP Option with PPP Tab Window PPP Option.
SSG 20 Hardware Installation and Configuration Guide 72 Figure 32: PPP Option with Peer User Tab Window Table 17: Fields in PPP Option with Peer User Tab Window If you have the T1 mini-PIM .
73 Table 18: Fields in Cisco HDLC Option with Cisco HDLC Tab Window 7. E1 Interface Windows If you have the E1 mini-PIM installed in your device and you selected the Frame Relay option, the .
SSG 20 Hardware Installation and Configuration Guide 74 Table 19: Fields in E1 Physical Layer Tab Window Figure 35: E1 Frame Relay Tab Window Table 20: Fields in E1 Frame Relay Tab Window Field Description Clocking Sets the transmit clock on the interface.
75 To configure the E1 interface with PPP options, see “PPP Option with PPP Tab Window” on page 71. To configure the E1 interface with the Cisco HDLC, see “Cisco HDLC Option with Cisco HDLC Tab Window” on page 72.
SSG 20 Hardware Installation and Configuration Guide 76 Table 21: Fields in ISDN Physical Layer Tab Window You can select the bri1/0 interface to connect using dialer, multi-link dialer, leased line, or dial with BRI. Selecting neither, one, or both options displays a window similar to the following.
77 Figure 37: ISDN Connection Tab Window Table 22: Fields in ISDN Connection Tab Window Field Description PPP Profile Name Sets a PPP profile name to the ISDN interface.
SSG 20 Hardware Installation and Configuration Guide 78 9. V.92 Modem Interface Window If you have the V.92 mini-PIM installed in your device, you can configure the serialx/0 (Modem) interface using the following window: Figure 38: Modem Interface Window Table 23: Fields in Modem Interface Window 10.
79 Figure 39: Eth0/0 Interface Window Table 24: Fields in Eth0/0 Interface Window 11. Eth0/1 Interface (DMZ Zone) Window The eth0/1 interface can have a static or a dynamic IP address assigned via DHCP.
SSG 20 Hardware Installation and Configuration Guide 80 Figure 40: Eth0/1 Interface Window Table 25: Fields in Eth0/1 Interface Window 12. Bgroup0 Interface (Trust Zone) Window The bgroup0 interface can have a static or a dynamic IP address assigned via DHCP.
81 Table 26: Fields in Bgroup0 Interface Window 13. Wireless0/0 Interface (Trust Zone) Window If you are configuring the SSG 20-WLAN device, you must set a Service Set Identifier (SSID) before the wireless0/0 interface can be activated.
SSG 20 Hardware Installation and Configuration Guide 82 Table 27: Fields in Wireless0/0 Interface Window 14. Interface Summary Window After you have configured the WAN interfaces, you will see the Interface Summary window. Figure 43: Interface Summary Window Field Description Wlan Mode Sets the WLAN radio mode: 5G (802.
83 Check your interface configuration, then click Next when ready to proceed. The Physical Ethernet DHCP Interface window appears. 15. Physical Ethernet DHCP Interface Window Select Yes to enable your device to assign IP addresses to your wired network via DHCP.
SSG 20 Hardware Installation and Configuration Guide 84 17. Confirmation Window Confirm your device configuration and change as needed. Click Next to save, reboot the device, and run the configuration. Figure 46: Confirmation Window After the device reboots with the saved system configuration, the WebUI login prompt appears.
Index 85 Index A AAL5 multiplexing ... 41 ADSL configuring interface ... 41 connecting the cable ...
86 Index SSG 20 Hardware Installation and Configuration Guide S static IP address ... 41 U Untrust zone, configuring backup interface ... 37 V Virtual Path Identifier/Virtual Channel Identifier See VPI/VCI VPI/VCI configuring .