manualshive.com logo in svg

AudioCodes Mediant 500L MSBR, Configuration Manual

The AudioCodes Mediant 500L MSBR is a versatile and reliable device for all your communication needs. Easily configure your device with the free Configuration Manual available for download from our website. Ensure seamless operation with easy-to-follow instructions. Download the manual today for hassle-free setup.

Share
Download
background image

Configuration Guide 

6. SPI Firewall 

Version 7.2 

25 

Security Setup 

SPI Firewall 

The device provides a built-in firewall feature. The firewall allows or denies traffic using a 

rule set. The firewall  rules are set using ACLs. The firewall can be session-aware or 

stateless. There are two modes of firewall: manual and automatic. To configure the firewall 

in automatic mode, use the following commands: 

Table 6-1: Firewall - Automatic Mode 

Command 

Description 

# configure data 

Enter the data configuration menu. 

(config-data)# interface 

gigabitethernet 0/0 

Enter the interface. 

(conf-if-GE 0/0)# firewall enable 

Enables the firewall. 

(conf-if-GE 0/0)# no firewall 

enable 

Disables firewall. 

 

An automatic firewall performs a stateful packet inspection and keeps track of the state of 

each connection and is able to drop inbound protocol data units if they do not belong to a 

known connection. For example, if a user initiates an HTTP request to a sever on the WAN 

(anything connected to the WAN interface), the device allows that server to respond to the 

user. 
To configure a manual firewall, use ACLs and apply the ACL rules on an interface IN or OUT 

direction. The firewall can only be configured on Layer-3 interfaces. 

Table 6-2: Firewall – Manual Configuration 

Command 

Description 

# configure data 

Enter the data configuration menu. 

(config-data)# interface 

gigabitethernet 0/0 

Enter the interface. 

(conf-if-GE 0/0)# ip access-group 

name {in|out} 

Apply an access-list to the interface (inbound or 

outbound). 

(conf-if-GE 0/0)# no ip access-

group name {in|out} 

Remove an access-list to the interface (inbound 

or outbound). 

 
To view whether the firewall "caught" packets, use the following command: 

Table 6-3: Firewall –Verification 

Command 

Description 

# show data access-lists 

Displays all access lists and packets that have 

been caught. 

# show data ip access-list FW_out 

Displays specific ACL and packets caught. 

 

 

 

Summary of Contents for Mediant 500L MSBR

Page 1: ...Configuration Guide AudioCodes Mediant Multi Service Business Routers MSBR Series Security Setup Version 7 2...

Page 2: ......

Page 3: ...Balancing using NAT 23 6 SPI Firewall 25 6 1 Configuration Example 26 7 IPSec Tunneling 29 7 1 Configuration Examples 31 7 1 1 Configuring IPSec 31 7 1 2 Configuring IPSec with GRE 35 7 1 3 Configurin...

Page 4: ...Mediant MSBRs 4 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 5: ...is product Customer Support Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner For more information on how to buy technical support for A...

Page 6: ...pdated with enabling NAT traversal 31821 Configuring IPSec with RSA added 31822 Typo in Section Configuring Port Forwarding 31823 New command config isakmp ike 31825 Typos incorrect IP addresses in Co...

Page 7: ...on of the security functionality of AudioCodes Mediant Multi Service Business Routers MSBR hereafter referred to as device using the command line interface CLI The document describes the CLI commands...

Page 8: ...Mediant MSBRs 8 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 9: ...r or word ACL can be addressed using a number or a word Note access list names are case sensitive deny or permit connection using this rule is denied or permitted using this keyword protocol connectio...

Page 10: ...tes the ACL with the name Name From Version 6 8 ACL numbering is supported Every line in the ACL has a number Every next line number is incremented by 10 To add a line between line number 10 and 20 st...

Page 11: ...192 168 120 0 0 0 0 255 log 0 matches DC Access deny ip any any log 0 matches The following example allows access from any IP to segment 192 168 199 0 24 only for SSH TCP port 22 Telnet TCP port 23 S...

Page 12: ...Mediant MSBRs 12 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 13: ...cted as a single host IP address range of IP addresses with mask or local address It also can be any address Range of IP addresses can be defined using a wildcard source port source can be matched usi...

Page 14: ...2 0 64 log config ext6 nacl exit config data exit You can view the configured ACL using the following command config data show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100...

Page 15: ...ists command config data exit show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100 1 0 64 2000 100 2 0 64 log 0 matches 150 20 permit ipv6 2000 101 1 0 64 2000 100 2 0 64 log...

Page 16: ...Mediant MSBRs 16 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 17: ...e device configure data access list telnet_mgmt permit ip host mgmt_ws local log access list telnet_mgmt deny ip any any log Configure the ACL for the Telnet connection configure system cli terminal w...

Page 18: ...Mediant MSBRs 18 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 19: ...on the Gigabitethernet0 0 interface To disable NAPT per interface use the following commands Table 5 1 NAT and NAPT Commands Command Description configure data Configuration of ACLs is in the data le...

Page 20: ...that there is only one address in the NAT pool Table 5 3 NAT Rules Command Description config data ip nat inside source list tcp_nat interface gigabitethernet 0 0 pool tcp_pool Configure IP NAT trans...

Page 21: ...e supports load balancing using NAT If there are more than two servers on the LAN side of the device a connection to the WAN address can be forwarded to one of the servers in a round robin fashion To...

Page 22: ...Below is the output of the show data ip nat translations command show data ip nat translations Note static translations are not shown NAT summary 1 TCP 0 UDP 2 ICMP Total 3 NAT connections Pro Inside...

Page 23: ...output of the show data ip nat translations command displays a source address 180 1 100 20 from port 4355 that accesses IP address 180 1 100 10 on port 80 The connection is then NATed to the inside ad...

Page 24: ...Mediant MSBRs 24 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 25: ...f they do not belong to a known connection For example if a user initiates an HTTP request to a sever on the WAN anything connected to the WAN interface the device allows that server to respond to the...

Page 26: ...fic configure data Create the ACL config data ip access list extended FW_out config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 20 log config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 21 l...

Page 27: ..._out permit tcp 192 168 0 0 0 0 0 255 any eq 22 log 0 matches FW_out permit tcp 192 168 0 0 0 0 0 255 any eq 23 log 0 matches FW_out permit udp 192 168 0 0 0 0 0 255 any eq 5000 log 2 matches FW_out p...

Page 28: ...Mediant MSBRs 28 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 29: ...nyone on the Internet are not able to read and understand the traffic between the segments This solution is also applicable to other applications that need to encrypt traffic such as protecting classi...

Page 30: ...pto map config crypto map set peer 180 1 100 21 Configure the peer IP address config crypto map set transform set crypto_set1 Configure the transform set config crypto map set security association lif...

Page 31: ...is encrypted Figure 7 2 IPSec Example IPSec configuration of the device on the right hand side Corporate Branch Users is as follows access list ipsec permit ip 192 168 0 0 0 0 0 255 10 0 0 0 0 0 0 25...

Page 32: ...et transform set crypto_set1 set security association lifetime seconds 28000 match address ipsec exit crypto isakmp key P ssw0rd address 180 1 100 20 interface GigabitEthernet 0 0 crypto map MAP1 Note...

Page 33: ...two subnets to be connected using two IPSec tunnels then in addition to the previous primary configuration the following configuration needs to be added to the device on the branch site access list i...

Page 34: ...ess 180 1 100 21 The above configuration assumes that the third router s GigabitEthernet 0 0 address is 180 1 100 40 Configuration of the third device is as follows interface gig 0 0 ip address 180 1...

Page 35: ...rnet interfaces is encrypted Figure 7 3 GRE over IPSec The following shows the MSBR1 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 1 255 255 255 0 no firewall enable exit int vla 1 i...

Page 36: ...ipsec exit interface GigabitEthernet 0 0 crypto map MAP1 The following shows the MSBR2 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 2 255 255 255 0 no firewall enable exit int vla 1...

Page 37: ...0 0 S 180 1 1 2 32 1 0 is directly connected GigabitEthernet 0 0 IPSec S 192 168 1 0 24 1 1 is directly connected GRE 1 S 192 168 2 0 24 1 1 is directly connected GRE 1 S 192 168 3 0 24 1 1 is directl...

Page 38: ...h 11 10 17 24 936858 00 90 8f 89 35 a9 00 90 8f 59 4b 56 ethertype IPv4 0x0800 length 150 180 1 1 2 180 1 1 1 ESP spi 0x3647ff5a seq 0xc length 11 10 17 25 933155 00 90 8f 59 4b 56 00 90 8f 89 35 a9 e...

Page 39: ...1 ICMP echo reply id 27378 seq 1 length 40 10 21 07 702933 00 90 8f 59 4b 56 00 90 8f 89 35 a9 ethertype IPv4 0x0800 length 98 180 1 1 1 180 1 1 2 GREv0 proto IPv4 0x0800 length 64 192 168 11 1 192 16...

Page 40: ...ng RSA Each certificate in the file must be Base64 encoded PEM When copying and pasting the certificates to the device each Base64 ASCII encoded certificate string must be enclosed between BEGIN CERTI...

Page 41: ...ates a self signed certificate delete Deletes certificate detail Displays certificates export Exports certificates import Imports certificates signing request Generates signing requests status Display...

Page 42: ...wing message is displayed Enter data below Type a period on an empty line to finish 3 Paste a root certificate BEGIN CERTIFICATE MIIFxz output omitted tjkjeqG END CERTIFICATE 4 Enter dot to end root c...

Page 43: ...IFICATE REQUEST Send this request to your security administrator for signing then upload the new signed certificate to the device 4 Using the signing request obtain the device certificate and then imp...

Page 44: ...tatus Certificate subject C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes com Certificate issuer C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes c...

Page 45: ...Configuration of MSBR 31 is as follows configure data access list IPSEC permit gre any any access list ALL_BUT_IPSEC deny gre any any access list ALL_BUT_IPSEC permit ip any any crypto isakmp policy 1...

Page 46: ...server provide host name ip dhcp server ntp server 0 0 0 0 ip dhcp server tftp server 0 0 0 0 ip dhcp server override router address 0 0 0 0 ip dhcp server next server 0 0 0 0 service dhcp ip dns ser...

Page 47: ...p set peer 10 31 2 31 set transform set crypto_set set security association lifetime seconds 3600 match address IPSEC set default route exit interface GigabitEthernet 0 0 ip address 10 4 2 86 255 255...

Page 48: ...rface GigabitEthernet 0 0 ip route 10 31 2 0 255 255 255 0 10 4 2 1 GigabitEthernet 0 0 ip route 192 168 0 0 255 255 255 0 gre 2 To check that IPSec is up use the show data crypto status command The e...

Page 49: ...ranch may be dynamic and change every time the interface PPPoE 0 reconnects In this scenario the identity of the MSBR Branch should therefore not be by IP address because it changes instead it should...

Page 50: ...2 DSL configuration is automatic Termination cpe no shutdown exit interface EFM 0 2 no ip address mtu auto desc VDSL no ipv6 enable no service dhcp ip dns server static no shutdown exit interface BVI...

Page 51: ...0 0 0 0 0 PPPOE 0 1 exit The MSBR Branch configuration defines the IKEv2 peer as an IP address It s important to note that the identity of the MSBR Branch is set to home timg pro Configuration of MSBR...

Page 52: ...rewall enable no link state monitor no ipv6 nd ra suppress ipv6 address autoconfig no shutdown exit interface BVI 100 ip address 192 168 100 1 255 255 255 0 mtu auto desc Bridge ip dhcp server network...

Page 53: ...it ip nat inside source list all_but_ipsec interface PPPOE 0 ip route 0 0 0 0 0 0 0 0 PPPOE 0 1 exit The MSBR HQ has an IKEv2 peer that is configured with an FQDN as home timg pro This DNS resolves in...

Page 54: ...Mediant MSBRs 54 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 55: ...ure data Enter the data configuration menu config data user user name password password Configure a user with a name user name and password password Some operating systems don t have NAT traversal NAT...

Page 56: ...version two protocols are selected for the authentication The key LinePass 1 is used for the IPSec encryption between the client and server The following is the user configuration for the clients vpn...

Page 57: ...Server Version 7 2 57 Security Setup 2 Click the Set up a virtual private network VPN connection link Figure 8 2 Select Connection Type 3 Select the Let me decide later option and then click Next Fig...

Page 58: ...e which will later become the dialer s name in the Network Connection window 6 Click Next Figure 8 4 L2TP Username and Password 7 Enter the user name and password that was previously configured on the...

Page 59: ...de 8 L2TP VPN Server Version 7 2 59 Security Setup Figure 8 6 Network Connections Window 9 Right click VPN Connection that you just created and then choose Properties Figure 8 7 VPN Connection Propert...

Page 60: ...Advanced Properties 11 Select the Use preshared key for authentication option and then enter the key previously configured on device and then click OK 12 Click OK until you re back at the Network Conn...

Page 61: ...etup 15 When the connection is successfully established in the device use the show data l2tp server command to view the connected users MSBR 1 show data l2tp server Conn Username IP Rx Tx Uptime 300 A...

Page 62: ...Mediant MSBRs 62 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 63: ...entication globally config data interface gigabitethernet 4 3 Configure the interface gigabitethernet 4 3 conf if GE 4 3 authentication dot1x single host multi host Configure dot1x on the interface us...

Page 64: ...Windows 7 To activate dot1x authentication on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 1 Run Window 2 In the Open field type services msc and then click OK Figur...

Page 65: ...7 2 65 Security Setup 4 Right click Wired AutoConfig and then from the shortcut menu choose Start as shown below Figure 9 3 Wired AutoConfig Service The actions above should activate dot1x authentica...

Page 66: ...dot1x on Windows 7 To configure dot1x on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 4 Run Window 2 In the Open field type ncpa cpl and then click OK the Network Co...

Page 67: ...lick an interface that dot1x needs to be configured on and then choose Properties the following dialog box appears Figure 9 6 Local Area Connection 4 Select the Enable IEEE 802 1X authentication check...

Page 68: ...the following dialog box appears Figure 9 7 Protected EAP Properties 7 Clear the Validate server certificate check box and make sure that Secured Password EAP MSCHAP v2 is selected 8 Click Configure...

Page 69: ...dot1x server is used or anytime that windows logon is not used clear the Automatically use my check box If Windows authentication is used select the check box 10 Click OK until you re back at the Auth...

Page 70: ...alog box appears Figure 9 10 Advanced Settings 12 Make sure that the Specify Authentication mode check box is selected 13 Select User authentication for user authentication You can also enter the cred...

Page 71: ...ta config data dot1x radius server local config data dot1x local user AudioCodes password P ssw0rd config data dot1x lan authentication enable config data interface gigabitethernet 4 1 conf if GE 4 1...

Page 72: ...Mediant MSBRs 72 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 73: ...de An external DNS server on the device s WAN side is advertised only the source port is randomized DNS proxy mode The device is configured as a DNS server on its LAN side Both the DNS Query ID and so...

Page 74: ...oCodes Ltd All rights reserved AudioCodes AC HD VoIP HD VoIP Sounds Better IPmedia Mediant MediaPack What s Inside Matters OSN SmartTAP User Management Pack VMAS VoIPerfect VoIPerfectHD Your Gateway T...

Reviews:

No comments

Related manuals for Mediant 500L MSBR

AudioCodes MediaPack MP-262 Quick Manual preview
MediaPack MP-262
Brand: AudioCodes Pages: 2
ZyXEL Communications P-324 User Manual preview
P-324
Brand: ZyXEL Communications Pages: 352
Valcom IP Solutions PagePro VIP-204 User Manual preview
IP Solutions PagePro VIP-204
Brand: Valcom Pages: 4
Adman Technologies DH-1 User Manual preview
DH-1
Brand: Adman Technologies Pages: 26
Asus Aaeon AIOT-QM User Manual preview
Aaeon AIOT-QM
Brand: Asus Pages: 39
2N OfficeRoute User Manual preview
OfficeRoute
Brand: 2N Pages: 113
Vantron VT-M2M-C335 User Manual preview
VT-M2M-C335
Brand: Vantron Pages: 15
daviteq STHC-B-ISG02DB-03 User Manual preview
STHC-B-ISG02DB-03
Brand: daviteq Pages: 25
Technicolor TG650S Setup And User Manual preview
TG650S
Brand: Technicolor Pages: 114
ActionTec GT704-WG User Manual preview
GT704-WG
Brand: ActionTec Pages: 127
Arris DCX3600 User Manual preview
DCX3600
Brand: Arris Pages: 42
Z-Wave Z-Box User Manual preview
Z-Box
Brand: Z-Wave Pages: 28
Avaya 700457013 Job Aid preview
700457013
Brand: Avaya Pages: 14
Avaya 9110 Instruction Manual preview
9110
Brand: Avaya Pages: 22
3Com 3CRWE51196 - OfficeConnect Wireless Cable/DSL... User Manual preview
3CRWE51196 - OfficeConnect Wireless Cable/DSL...
Brand: 3Com Pages: 88
Agilent Technologies 829-0027 User Manual preview
829-0027
Brand: Agilent Technologies Pages: 58
Eagle Fusion Quick Reference Manual preview
Fusion
Brand: Eagle Pages: 6
iiNet TG-789 Quick Setup Manual preview
TG-789
Brand: iiNet Pages: 24

Brands by name

Popular brands

Load more brands