AudioCodes Mediant 500L MSBR Configuration Manual Download Page 73

Page: 73 / 74

Configuration Guide

10. DNS Query Randomization

Version 7.2

Security Setup

10 DNS Query Randomization

The device supports DNS query source port and Query ID randomization from Version 6.8.

The purpose of this feature is to prevent DNS spoofing attacks.
There are two modes of operation for DNS Query Randomization:



Forwarding Plan mode:

An external DNS server on the device’s WAN side is

advertised); only the source port is randomized.



DNS proxy mode:

The device is configured as a DNS server on its LAN side.

Both the DNS Query ID and source port used on the device’s WAN side are

randomized. This option activates the randomization feature on all outgoing DNS

queries from the device to the WAN side.

10.1 Configuration Example

This example shows how to activate the DNS query randomization feature above:

# configure data

(config-data)# ip dns randomization

(config-data)# exit

Summary of Contents for Mediant 500L MSBR

Page 1: ...Configuration Guide AudioCodes Mediant Multi Service Business Routers MSBR Series Security Setup Version 7 2...

Page 2: ......

Page 3: ...Balancing using NAT 23 6 SPI Firewall 25 6 1 Configuration Example 26 7 IPSec Tunneling 29 7 1 Configuration Examples 31 7 1 1 Configuring IPSec 31 7 1 2 Configuring IPSec with GRE 35 7 1 3 Configurin...

Page 4: ...Mediant MSBRs 4 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 5: ...is product Customer Support Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner For more information on how to buy technical support for A...

Page 6: ...pdated with enabling NAT traversal 31821 Configuring IPSec with RSA added 31822 Typo in Section Configuring Port Forwarding 31823 New command config isakmp ike 31825 Typos incorrect IP addresses in Co...

Page 7: ...on of the security functionality of AudioCodes Mediant Multi Service Business Routers MSBR hereafter referred to as device using the command line interface CLI The document describes the CLI commands...

Page 8: ...Mediant MSBRs 8 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 9: ...r or word ACL can be addressed using a number or a word Note access list names are case sensitive deny or permit connection using this rule is denied or permitted using this keyword protocol connectio...

Page 10: ...tes the ACL with the name Name From Version 6 8 ACL numbering is supported Every line in the ACL has a number Every next line number is incremented by 10 To add a line between line number 10 and 20 st...

Page 11: ...192 168 120 0 0 0 0 255 log 0 matches DC Access deny ip any any log 0 matches The following example allows access from any IP to segment 192 168 199 0 24 only for SSH TCP port 22 Telnet TCP port 23 S...

Page 12: ...Mediant MSBRs 12 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 13: ...cted as a single host IP address range of IP addresses with mask or local address It also can be any address Range of IP addresses can be defined using a wildcard source port source can be matched usi...

Page 14: ...2 0 64 log config ext6 nacl exit config data exit You can view the configured ACL using the following command config data show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100...

Page 15: ...ists command config data exit show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100 1 0 64 2000 100 2 0 64 log 0 matches 150 20 permit ipv6 2000 101 1 0 64 2000 100 2 0 64 log...

Page 16: ...Mediant MSBRs 16 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 17: ...e device configure data access list telnet_mgmt permit ip host mgmt_ws local log access list telnet_mgmt deny ip any any log Configure the ACL for the Telnet connection configure system cli terminal w...

Page 18: ...Mediant MSBRs 18 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 19: ...on the Gigabitethernet0 0 interface To disable NAPT per interface use the following commands Table 5 1 NAT and NAPT Commands Command Description configure data Configuration of ACLs is in the data le...

Page 20: ...that there is only one address in the NAT pool Table 5 3 NAT Rules Command Description config data ip nat inside source list tcp_nat interface gigabitethernet 0 0 pool tcp_pool Configure IP NAT trans...

Page 21: ...e supports load balancing using NAT If there are more than two servers on the LAN side of the device a connection to the WAN address can be forwarded to one of the servers in a round robin fashion To...

Page 22: ...Below is the output of the show data ip nat translations command show data ip nat translations Note static translations are not shown NAT summary 1 TCP 0 UDP 2 ICMP Total 3 NAT connections Pro Inside...

Page 23: ...output of the show data ip nat translations command displays a source address 180 1 100 20 from port 4355 that accesses IP address 180 1 100 10 on port 80 The connection is then NATed to the inside ad...

Page 24: ...Mediant MSBRs 24 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 25: ...f they do not belong to a known connection For example if a user initiates an HTTP request to a sever on the WAN anything connected to the WAN interface the device allows that server to respond to the...

Page 26: ...fic configure data Create the ACL config data ip access list extended FW_out config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 20 log config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 21 l...

Page 27: ..._out permit tcp 192 168 0 0 0 0 0 255 any eq 22 log 0 matches FW_out permit tcp 192 168 0 0 0 0 0 255 any eq 23 log 0 matches FW_out permit udp 192 168 0 0 0 0 0 255 any eq 5000 log 2 matches FW_out p...

Page 28: ...Mediant MSBRs 28 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 29: ...nyone on the Internet are not able to read and understand the traffic between the segments This solution is also applicable to other applications that need to encrypt traffic such as protecting classi...

Page 30: ...pto map config crypto map set peer 180 1 100 21 Configure the peer IP address config crypto map set transform set crypto_set1 Configure the transform set config crypto map set security association lif...

Page 31: ...is encrypted Figure 7 2 IPSec Example IPSec configuration of the device on the right hand side Corporate Branch Users is as follows access list ipsec permit ip 192 168 0 0 0 0 0 255 10 0 0 0 0 0 0 25...

Page 32: ...et transform set crypto_set1 set security association lifetime seconds 28000 match address ipsec exit crypto isakmp key P ssw0rd address 180 1 100 20 interface GigabitEthernet 0 0 crypto map MAP1 Note...

Page 33: ...two subnets to be connected using two IPSec tunnels then in addition to the previous primary configuration the following configuration needs to be added to the device on the branch site access list i...

Page 34: ...ess 180 1 100 21 The above configuration assumes that the third router s GigabitEthernet 0 0 address is 180 1 100 40 Configuration of the third device is as follows interface gig 0 0 ip address 180 1...

Page 35: ...rnet interfaces is encrypted Figure 7 3 GRE over IPSec The following shows the MSBR1 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 1 255 255 255 0 no firewall enable exit int vla 1 i...

Page 36: ...ipsec exit interface GigabitEthernet 0 0 crypto map MAP1 The following shows the MSBR2 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 2 255 255 255 0 no firewall enable exit int vla 1...

Page 37: ...0 0 S 180 1 1 2 32 1 0 is directly connected GigabitEthernet 0 0 IPSec S 192 168 1 0 24 1 1 is directly connected GRE 1 S 192 168 2 0 24 1 1 is directly connected GRE 1 S 192 168 3 0 24 1 1 is directl...

Page 38: ...h 11 10 17 24 936858 00 90 8f 89 35 a9 00 90 8f 59 4b 56 ethertype IPv4 0x0800 length 150 180 1 1 2 180 1 1 1 ESP spi 0x3647ff5a seq 0xc length 11 10 17 25 933155 00 90 8f 59 4b 56 00 90 8f 89 35 a9 e...

Page 39: ...1 ICMP echo reply id 27378 seq 1 length 40 10 21 07 702933 00 90 8f 59 4b 56 00 90 8f 89 35 a9 ethertype IPv4 0x0800 length 98 180 1 1 1 180 1 1 2 GREv0 proto IPv4 0x0800 length 64 192 168 11 1 192 16...

Page 40: ...ng RSA Each certificate in the file must be Base64 encoded PEM When copying and pasting the certificates to the device each Base64 ASCII encoded certificate string must be enclosed between BEGIN CERTI...

Page 41: ...ates a self signed certificate delete Deletes certificate detail Displays certificates export Exports certificates import Imports certificates signing request Generates signing requests status Display...

Page 42: ...wing message is displayed Enter data below Type a period on an empty line to finish 3 Paste a root certificate BEGIN CERTIFICATE MIIFxz output omitted tjkjeqG END CERTIFICATE 4 Enter dot to end root c...

Page 43: ...IFICATE REQUEST Send this request to your security administrator for signing then upload the new signed certificate to the device 4 Using the signing request obtain the device certificate and then imp...

Page 44: ...tatus Certificate subject C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes com Certificate issuer C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes c...

Page 45: ...Configuration of MSBR 31 is as follows configure data access list IPSEC permit gre any any access list ALL_BUT_IPSEC deny gre any any access list ALL_BUT_IPSEC permit ip any any crypto isakmp policy 1...

Page 46: ...server provide host name ip dhcp server ntp server 0 0 0 0 ip dhcp server tftp server 0 0 0 0 ip dhcp server override router address 0 0 0 0 ip dhcp server next server 0 0 0 0 service dhcp ip dns ser...

Page 47: ...p set peer 10 31 2 31 set transform set crypto_set set security association lifetime seconds 3600 match address IPSEC set default route exit interface GigabitEthernet 0 0 ip address 10 4 2 86 255 255...

Page 48: ...rface GigabitEthernet 0 0 ip route 10 31 2 0 255 255 255 0 10 4 2 1 GigabitEthernet 0 0 ip route 192 168 0 0 255 255 255 0 gre 2 To check that IPSec is up use the show data crypto status command The e...

Page 49: ...ranch may be dynamic and change every time the interface PPPoE 0 reconnects In this scenario the identity of the MSBR Branch should therefore not be by IP address because it changes instead it should...

Page 50: ...2 DSL configuration is automatic Termination cpe no shutdown exit interface EFM 0 2 no ip address mtu auto desc VDSL no ipv6 enable no service dhcp ip dns server static no shutdown exit interface BVI...

Page 51: ...0 0 0 0 0 PPPOE 0 1 exit The MSBR Branch configuration defines the IKEv2 peer as an IP address It s important to note that the identity of the MSBR Branch is set to home timg pro Configuration of MSBR...

Page 52: ...rewall enable no link state monitor no ipv6 nd ra suppress ipv6 address autoconfig no shutdown exit interface BVI 100 ip address 192 168 100 1 255 255 255 0 mtu auto desc Bridge ip dhcp server network...

Page 53: ...it ip nat inside source list all_but_ipsec interface PPPOE 0 ip route 0 0 0 0 0 0 0 0 PPPOE 0 1 exit The MSBR HQ has an IKEv2 peer that is configured with an FQDN as home timg pro This DNS resolves in...

Page 54: ...Mediant MSBRs 54 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 55: ...ure data Enter the data configuration menu config data user user name password password Configure a user with a name user name and password password Some operating systems don t have NAT traversal NAT...

Page 56: ...version two protocols are selected for the authentication The key LinePass 1 is used for the IPSec encryption between the client and server The following is the user configuration for the clients vpn...

Page 57: ...Server Version 7 2 57 Security Setup 2 Click the Set up a virtual private network VPN connection link Figure 8 2 Select Connection Type 3 Select the Let me decide later option and then click Next Fig...

Page 58: ...e which will later become the dialer s name in the Network Connection window 6 Click Next Figure 8 4 L2TP Username and Password 7 Enter the user name and password that was previously configured on the...

Page 59: ...de 8 L2TP VPN Server Version 7 2 59 Security Setup Figure 8 6 Network Connections Window 9 Right click VPN Connection that you just created and then choose Properties Figure 8 7 VPN Connection Propert...

Page 60: ...Advanced Properties 11 Select the Use preshared key for authentication option and then enter the key previously configured on device and then click OK 12 Click OK until you re back at the Network Conn...

Page 61: ...etup 15 When the connection is successfully established in the device use the show data l2tp server command to view the connected users MSBR 1 show data l2tp server Conn Username IP Rx Tx Uptime 300 A...

Page 62: ...Mediant MSBRs 62 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 63: ...entication globally config data interface gigabitethernet 4 3 Configure the interface gigabitethernet 4 3 conf if GE 4 3 authentication dot1x single host multi host Configure dot1x on the interface us...

Page 64: ...Windows 7 To activate dot1x authentication on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 1 Run Window 2 In the Open field type services msc and then click OK Figur...

Page 65: ...7 2 65 Security Setup 4 Right click Wired AutoConfig and then from the shortcut menu choose Start as shown below Figure 9 3 Wired AutoConfig Service The actions above should activate dot1x authentica...

Page 66: ...dot1x on Windows 7 To configure dot1x on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 4 Run Window 2 In the Open field type ncpa cpl and then click OK the Network Co...

Page 67: ...lick an interface that dot1x needs to be configured on and then choose Properties the following dialog box appears Figure 9 6 Local Area Connection 4 Select the Enable IEEE 802 1X authentication check...

Page 68: ...the following dialog box appears Figure 9 7 Protected EAP Properties 7 Clear the Validate server certificate check box and make sure that Secured Password EAP MSCHAP v2 is selected 8 Click Configure...

Page 69: ...dot1x server is used or anytime that windows logon is not used clear the Automatically use my check box If Windows authentication is used select the check box 10 Click OK until you re back at the Auth...

Page 70: ...alog box appears Figure 9 10 Advanced Settings 12 Make sure that the Specify Authentication mode check box is selected 13 Select User authentication for user authentication You can also enter the cred...

Page 71: ...ta config data dot1x radius server local config data dot1x local user AudioCodes password P ssw0rd config data dot1x lan authentication enable config data interface gigabitethernet 4 1 conf if GE 4 1...

Page 72: ...Mediant MSBRs 72 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 73: ...de An external DNS server on the device s WAN side is advertised only the source port is randomized DNS proxy mode The device is configured as a DNS server on its LAN side Both the DNS Query ID and so...

Page 74: ...oCodes Ltd All rights reserved AudioCodes AC HD VoIP HD VoIP Sounds Better IPmedia Mediant MediaPack What s Inside Matters OSN SmartTAP User Management Pack VMAS VoIPerfect VoIPerfectHD Your Gateway T...

Search results

Summary of Contents for Mediant 500L MSBR

Reviews:

Related manuals for Mediant 500L MSBR

Brands by name

Popular brands

AudioCodes Mediant 500L MSBR, Configuration Manual

Search results

Summary of Contents for Mediant 500L MSBR

Reviews:

Related manuals for Mediant 500L MSBR

Brands by name

Popular brands