AudioCodes Mediant 500L MSBR Скачать руководство пользователя страница 9

Страница: 9 / 74

Configuration Guide

2. Access Control List

Version 7.2

Security Setup

Access Control List

The device supports access control lists (ACL). The ACLs are tools to categorize traffic

based on source IP or/and destination IP, protocols or ports used by traffic. The

categorization is done by matching traffic to rules defined in the ACL. The ACLs usually work

in combination with other features such as QoS, Firewall, IPSec and NAT. The ACLs are

used to select which traffic to apply to which feature. The device supports two types of ACLs

– connectionless and connection-aware or stateful. Connection-aware access lists only

match first packets based on a rule, for example, traffic from source to destination.

Subsequent packets with the same rule are categorized without matching. This saves CPU

and memory resources. The ACLs can only be configured on Layer-3 interfaces.
To configure ACLs, use the following commands:

Table 2-1: Access Control List

Command

Description

# configure data

Enter the data configuration menu.

(config-data)# access-list

[number or word] [deny or

permit] <protocol> <source>

<source port> <destination>

<destination port> <mode> [log]



[number or word] – ACL can be addressed

using a number or a word.

Note:

access-list

names are case sensitive.



[deny or permit] – connection using this rule

is denied or permitted using this keyword.



<protocol> - connection is matched using

one of the protocols: tcp, udp, ah, esp, gre,

icmp, igmp, ip or manually selected using a

number, 0 to 255, that represents the

protocol field of the IP packet.



<source> - source can be selected as a

single host IP address, range of IP

addresses with mask or local address. It

also can be "any" address. Range of IP

addresses need to be selected using

wildcard.



<source port> - source can be matched

using TCP or UDP port. The <source port>

can be omitted.



<destination> - destination can be selected

as a single host IP address, range of IP

addresses with mask or local address. It

also can be "any" address. Range of IP

addresses needs to be selected using a

wildcard.



<destination port> - destination can be

matched using TCP or UDP port. The

<destination port> can be omitted.



<mode> - mode of the ACL. If the keyword

"established" is used, the ACL will be

connection aware. If the keyword "stateless"

is used, the ACL will be connectionless. The

keyword "dscp" can be used to match the

DSCP field of the IP packet. By default, the

ACL will be connection aware. The <mode>

can be omitted.



[LOG] – if the log keyword is used, if a

packet matches the rule, the event is logged

Содержание Mediant 500L MSBR

Страница 1: ...Configuration Guide AudioCodes Mediant Multi Service Business Routers MSBR Series Security Setup Version 7 2...

Страница 2: ......

Страница 3: ...Balancing using NAT 23 6 SPI Firewall 25 6 1 Configuration Example 26 7 IPSec Tunneling 29 7 1 Configuration Examples 31 7 1 1 Configuring IPSec 31 7 1 2 Configuring IPSec with GRE 35 7 1 3 Configurin...

Страница 4: ...Mediant MSBRs 4 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 5: ...is product Customer Support Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner For more information on how to buy technical support for A...

Страница 6: ...pdated with enabling NAT traversal 31821 Configuring IPSec with RSA added 31822 Typo in Section Configuring Port Forwarding 31823 New command config isakmp ike 31825 Typos incorrect IP addresses in Co...

Страница 7: ...on of the security functionality of AudioCodes Mediant Multi Service Business Routers MSBR hereafter referred to as device using the command line interface CLI The document describes the CLI commands...

Страница 8: ...Mediant MSBRs 8 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 9: ...r or word ACL can be addressed using a number or a word Note access list names are case sensitive deny or permit connection using this rule is denied or permitted using this keyword protocol connectio...

Страница 10: ...tes the ACL with the name Name From Version 6 8 ACL numbering is supported Every line in the ACL has a number Every next line number is incremented by 10 To add a line between line number 10 and 20 st...

Страница 11: ...192 168 120 0 0 0 0 255 log 0 matches DC Access deny ip any any log 0 matches The following example allows access from any IP to segment 192 168 199 0 24 only for SSH TCP port 22 Telnet TCP port 23 S...

Страница 12: ...Mediant MSBRs 12 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 13: ...cted as a single host IP address range of IP addresses with mask or local address It also can be any address Range of IP addresses can be defined using a wildcard source port source can be matched usi...

Страница 14: ...2 0 64 log config ext6 nacl exit config data exit You can view the configured ACL using the following command config data show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100...

Страница 15: ...ists command config data exit show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100 1 0 64 2000 100 2 0 64 log 0 matches 150 20 permit ipv6 2000 101 1 0 64 2000 100 2 0 64 log...

Страница 16: ...Mediant MSBRs 16 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 17: ...e device configure data access list telnet_mgmt permit ip host mgmt_ws local log access list telnet_mgmt deny ip any any log Configure the ACL for the Telnet connection configure system cli terminal w...

Страница 18: ...Mediant MSBRs 18 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 19: ...on the Gigabitethernet0 0 interface To disable NAPT per interface use the following commands Table 5 1 NAT and NAPT Commands Command Description configure data Configuration of ACLs is in the data le...

Страница 20: ...that there is only one address in the NAT pool Table 5 3 NAT Rules Command Description config data ip nat inside source list tcp_nat interface gigabitethernet 0 0 pool tcp_pool Configure IP NAT trans...

Страница 21: ...e supports load balancing using NAT If there are more than two servers on the LAN side of the device a connection to the WAN address can be forwarded to one of the servers in a round robin fashion To...

Страница 22: ...Below is the output of the show data ip nat translations command show data ip nat translations Note static translations are not shown NAT summary 1 TCP 0 UDP 2 ICMP Total 3 NAT connections Pro Inside...

Страница 23: ...output of the show data ip nat translations command displays a source address 180 1 100 20 from port 4355 that accesses IP address 180 1 100 10 on port 80 The connection is then NATed to the inside ad...

Страница 24: ...Mediant MSBRs 24 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 25: ...f they do not belong to a known connection For example if a user initiates an HTTP request to a sever on the WAN anything connected to the WAN interface the device allows that server to respond to the...

Страница 26: ...fic configure data Create the ACL config data ip access list extended FW_out config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 20 log config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 21 l...

Страница 27: ..._out permit tcp 192 168 0 0 0 0 0 255 any eq 22 log 0 matches FW_out permit tcp 192 168 0 0 0 0 0 255 any eq 23 log 0 matches FW_out permit udp 192 168 0 0 0 0 0 255 any eq 5000 log 2 matches FW_out p...

Страница 28: ...Mediant MSBRs 28 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 29: ...nyone on the Internet are not able to read and understand the traffic between the segments This solution is also applicable to other applications that need to encrypt traffic such as protecting classi...

Страница 30: ...pto map config crypto map set peer 180 1 100 21 Configure the peer IP address config crypto map set transform set crypto_set1 Configure the transform set config crypto map set security association lif...

Страница 31: ...is encrypted Figure 7 2 IPSec Example IPSec configuration of the device on the right hand side Corporate Branch Users is as follows access list ipsec permit ip 192 168 0 0 0 0 0 255 10 0 0 0 0 0 0 25...

Страница 32: ...et transform set crypto_set1 set security association lifetime seconds 28000 match address ipsec exit crypto isakmp key P ssw0rd address 180 1 100 20 interface GigabitEthernet 0 0 crypto map MAP1 Note...

Страница 33: ...two subnets to be connected using two IPSec tunnels then in addition to the previous primary configuration the following configuration needs to be added to the device on the branch site access list i...

Страница 34: ...ess 180 1 100 21 The above configuration assumes that the third router s GigabitEthernet 0 0 address is 180 1 100 40 Configuration of the third device is as follows interface gig 0 0 ip address 180 1...

Страница 35: ...rnet interfaces is encrypted Figure 7 3 GRE over IPSec The following shows the MSBR1 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 1 255 255 255 0 no firewall enable exit int vla 1 i...

Страница 36: ...ipsec exit interface GigabitEthernet 0 0 crypto map MAP1 The following shows the MSBR2 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 2 255 255 255 0 no firewall enable exit int vla 1...

Страница 37: ...0 0 S 180 1 1 2 32 1 0 is directly connected GigabitEthernet 0 0 IPSec S 192 168 1 0 24 1 1 is directly connected GRE 1 S 192 168 2 0 24 1 1 is directly connected GRE 1 S 192 168 3 0 24 1 1 is directl...

Страница 38: ...h 11 10 17 24 936858 00 90 8f 89 35 a9 00 90 8f 59 4b 56 ethertype IPv4 0x0800 length 150 180 1 1 2 180 1 1 1 ESP spi 0x3647ff5a seq 0xc length 11 10 17 25 933155 00 90 8f 59 4b 56 00 90 8f 89 35 a9 e...

Страница 39: ...1 ICMP echo reply id 27378 seq 1 length 40 10 21 07 702933 00 90 8f 59 4b 56 00 90 8f 89 35 a9 ethertype IPv4 0x0800 length 98 180 1 1 1 180 1 1 2 GREv0 proto IPv4 0x0800 length 64 192 168 11 1 192 16...

Страница 40: ...ng RSA Each certificate in the file must be Base64 encoded PEM When copying and pasting the certificates to the device each Base64 ASCII encoded certificate string must be enclosed between BEGIN CERTI...

Страница 41: ...ates a self signed certificate delete Deletes certificate detail Displays certificates export Exports certificates import Imports certificates signing request Generates signing requests status Display...

Страница 42: ...wing message is displayed Enter data below Type a period on an empty line to finish 3 Paste a root certificate BEGIN CERTIFICATE MIIFxz output omitted tjkjeqG END CERTIFICATE 4 Enter dot to end root c...

Страница 43: ...IFICATE REQUEST Send this request to your security administrator for signing then upload the new signed certificate to the device 4 Using the signing request obtain the device certificate and then imp...

Страница 44: ...tatus Certificate subject C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes com Certificate issuer C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes c...

Страница 45: ...Configuration of MSBR 31 is as follows configure data access list IPSEC permit gre any any access list ALL_BUT_IPSEC deny gre any any access list ALL_BUT_IPSEC permit ip any any crypto isakmp policy 1...

Страница 46: ...server provide host name ip dhcp server ntp server 0 0 0 0 ip dhcp server tftp server 0 0 0 0 ip dhcp server override router address 0 0 0 0 ip dhcp server next server 0 0 0 0 service dhcp ip dns ser...

Страница 47: ...p set peer 10 31 2 31 set transform set crypto_set set security association lifetime seconds 3600 match address IPSEC set default route exit interface GigabitEthernet 0 0 ip address 10 4 2 86 255 255...

Страница 48: ...rface GigabitEthernet 0 0 ip route 10 31 2 0 255 255 255 0 10 4 2 1 GigabitEthernet 0 0 ip route 192 168 0 0 255 255 255 0 gre 2 To check that IPSec is up use the show data crypto status command The e...

Страница 49: ...ranch may be dynamic and change every time the interface PPPoE 0 reconnects In this scenario the identity of the MSBR Branch should therefore not be by IP address because it changes instead it should...

Страница 50: ...2 DSL configuration is automatic Termination cpe no shutdown exit interface EFM 0 2 no ip address mtu auto desc VDSL no ipv6 enable no service dhcp ip dns server static no shutdown exit interface BVI...

Страница 51: ...0 0 0 0 0 PPPOE 0 1 exit The MSBR Branch configuration defines the IKEv2 peer as an IP address It s important to note that the identity of the MSBR Branch is set to home timg pro Configuration of MSBR...

Страница 52: ...rewall enable no link state monitor no ipv6 nd ra suppress ipv6 address autoconfig no shutdown exit interface BVI 100 ip address 192 168 100 1 255 255 255 0 mtu auto desc Bridge ip dhcp server network...

Страница 53: ...it ip nat inside source list all_but_ipsec interface PPPOE 0 ip route 0 0 0 0 0 0 0 0 PPPOE 0 1 exit The MSBR HQ has an IKEv2 peer that is configured with an FQDN as home timg pro This DNS resolves in...

Страница 54: ...Mediant MSBRs 54 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 55: ...ure data Enter the data configuration menu config data user user name password password Configure a user with a name user name and password password Some operating systems don t have NAT traversal NAT...

Страница 56: ...version two protocols are selected for the authentication The key LinePass 1 is used for the IPSec encryption between the client and server The following is the user configuration for the clients vpn...

Страница 57: ...Server Version 7 2 57 Security Setup 2 Click the Set up a virtual private network VPN connection link Figure 8 2 Select Connection Type 3 Select the Let me decide later option and then click Next Fig...

Страница 58: ...e which will later become the dialer s name in the Network Connection window 6 Click Next Figure 8 4 L2TP Username and Password 7 Enter the user name and password that was previously configured on the...

Страница 59: ...de 8 L2TP VPN Server Version 7 2 59 Security Setup Figure 8 6 Network Connections Window 9 Right click VPN Connection that you just created and then choose Properties Figure 8 7 VPN Connection Propert...

Страница 60: ...Advanced Properties 11 Select the Use preshared key for authentication option and then enter the key previously configured on device and then click OK 12 Click OK until you re back at the Network Conn...

Страница 61: ...etup 15 When the connection is successfully established in the device use the show data l2tp server command to view the connected users MSBR 1 show data l2tp server Conn Username IP Rx Tx Uptime 300 A...

Страница 62: ...Mediant MSBRs 62 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 63: ...entication globally config data interface gigabitethernet 4 3 Configure the interface gigabitethernet 4 3 conf if GE 4 3 authentication dot1x single host multi host Configure dot1x on the interface us...

Страница 64: ...Windows 7 To activate dot1x authentication on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 1 Run Window 2 In the Open field type services msc and then click OK Figur...

Страница 65: ...7 2 65 Security Setup 4 Right click Wired AutoConfig and then from the shortcut menu choose Start as shown below Figure 9 3 Wired AutoConfig Service The actions above should activate dot1x authentica...

Страница 66: ...dot1x on Windows 7 To configure dot1x on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 4 Run Window 2 In the Open field type ncpa cpl and then click OK the Network Co...

Страница 67: ...lick an interface that dot1x needs to be configured on and then choose Properties the following dialog box appears Figure 9 6 Local Area Connection 4 Select the Enable IEEE 802 1X authentication check...

Страница 68: ...the following dialog box appears Figure 9 7 Protected EAP Properties 7 Clear the Validate server certificate check box and make sure that Secured Password EAP MSCHAP v2 is selected 8 Click Configure...

Страница 69: ...dot1x server is used or anytime that windows logon is not used clear the Automatically use my check box If Windows authentication is used select the check box 10 Click OK until you re back at the Auth...

Страница 70: ...alog box appears Figure 9 10 Advanced Settings 12 Make sure that the Specify Authentication mode check box is selected 13 Select User authentication for user authentication You can also enter the cred...

Страница 71: ...ta config data dot1x radius server local config data dot1x local user AudioCodes password P ssw0rd config data dot1x lan authentication enable config data interface gigabitethernet 4 1 conf if GE 4 1...

Страница 72: ...Mediant MSBRs 72 Document LTRT 31828 Security Setup This page is intentionally left blank...

Страница 73: ...de An external DNS server on the device s WAN side is advertised only the source port is randomized DNS proxy mode The device is configured as a DNS server on its LAN side Both the DNS Query ID and so...

Страница 74: ...oCodes Ltd All rights reserved AudioCodes AC HD VoIP HD VoIP Sounds Better IPmedia Mediant MediaPack What s Inside Matters OSN SmartTAP User Management Pack VMAS VoIPerfect VoIPerfectHD Your Gateway T...

Результаты поиска

Содержание Mediant 500L MSBR

Отзывы:

Похожие инструкции для Mediant 500L MSBR

Бренды по названию

Популярные бренды

AudioCodes Mediant 500L MSBR, Руководство по настройке

Результаты поиска

Содержание Mediant 500L MSBR

Отзывы:

Похожие инструкции для Mediant 500L MSBR

Бренды по названию

Популярные бренды