AudioCodes Mediant MSBR Series Configuration Manual

Multi-service business routers

Configuration Guide
AudioCodes Mediant™ Multi-Service Business Routers (MSBR) Series
Security Setup
Version 7.2
Summary of Contents for AudioCodes Mediant MSBR Series

  • Page 3: Table Of Contents

    Configuration Guide Contents. Table of Contents: Introduction (page 7); Access Control List (9); Configuration Example (11); ACLv6 (13); Configuration Example (14); Management Access Lists (17); Configuration Example (17); NAT and NAPT (19); Configuration Examples (22); 5.1.1 Configuring TCP and ICMP NAT ...
  • Page 4 Security Setup This page is intentionally left blank. Mediant MSBRs Document #: LTRT-31828...
  • Page 5 Please contact your local recycling authority for disposal of this product. Customer Support Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner. For more information on how to buy technical support for AudioCodes products and for contact information, please visit our website at https://www.audiocodes.com/services-support/maintenance-and-support.
  • Page 6 Document revision record (partial): IPSec with VTI removed; 31828: IKEv2 added. Documentation Feedback AudioCodes continually strives to produce high quality documentation. If you have any comments (suggestions or errors) regarding this document, please fill out the Documentation Feedback form on our website at https://online.audiocodes.com/documentation-feedback. Mediant MSBRs...
  • Page 7: Introduction

    Configuration Guide 1. Introduction Introduction This document describes configuration of the security functionality of AudioCodes Mediant Multi-Service Business Routers (MSBR), hereafter referred to as device, using the command-line interface (CLI). The document describes the CLI commands required for configuring each aspect of security, providing typical configuration examples for some of the features.
  • Page 9: Access Control List

    Configuration Guide 2. Access Control List Access Control List The device supports access control lists (ACLs). An ACL is a tool for classifying traffic by source and/or destination IP address, protocol and port; classification is done by matching traffic against the rules defined in the ACL. ACLs usually work in combination with other features such as QoS, the firewall, IPSec and NAT.
  • Page 10 Security Setup (Table continued) Command Description: ... and a counter will increment in the show command. (config-data)# ip access-list [extended | standard] [name | number] An alternative method of configuring ACLs is the ip access-list command; it enters the configuration level of the ACL with the given name or number.
  • Page 11: Configuration Example

    Configuration Guide 2. Access Control List Configuration Example This example configures an ACL called "DC-Access" that allows traffic from any source to specific /24 (class C) subnets; the wildcard mask 0.0.0.255 selects the whole subnet, and the log keyword records each match: # configure data (config-data)# access-list DC-Access permit ip any 192.168.100.0 0.0.0.255 log (config-data)# access-list DC-Access permit ip any 192.168.110.0 0.0.0.255 log (config-data)# access-list DC-Access permit ip any 192.168.120.0...
  • Page 13: Aclv6

    Configuration Guide 3. ACLv6 ACLv6 The device supports ACLs for the IPv6 protocol. Configuration rules are the same as for IPv4. Table 3-1: ACLv6 Commands Command Description # configure data Configuration of ACLs is done at the data level. (config-data)# ipv6 access-list [extended | standard] [name | number] Enters the configuration level of the ACL with the given name or number.
  • Page 14: Configuration Example

    Security Setup Configuration Example This example configures an IPv6 ACL. The rules are entered with sequence numbers 10, 20 and then 15; the device orders the entries by sequence number, not by the order in which they were typed. # configure data (config-data)# ipv6 access-list extended 150 (config-ext6-nacl)# 10 permit ipv6 2000:100:1::0/64 2000:100:2::0/64 log (config-ext6-nacl)# 20 permit ipv6 2000:102:1::0/64 2000:100:2::0/64 log (config-ext6-nacl)# 15 permit ipv6 2000:101:1::0/64 2000:100:2::0/64 log...
  • Page 15: Show Data Access-Lists

    Configuration Guide 3. ACLv6 The result can be shown using the show data access-lists command. Note that the entry entered as 15 is listed in its sequence position between the other two and the list has been renumbered in steps of 10; the deny ipv6 any any at the end was not configured explicitly and is the implicit rule that drops traffic matching no explicit entry: (config-data)# exit # show data access-lists Extended IP access list 150 10 permit ipv6 2000:100:1::0/64 2000:100:2::0/64 log (... matches) 20 permit ipv6 2000:101:1::0/64 2000:100:2::0/64 log (... matches) 30 permit ipv6 2000:102:1::0/64 2000:100:2::0/64 log (... matches) 40 deny ipv6 any any...
  • Page 17: Management Access Lists

    Configuration Guide 4. Management Access Lists Management Access Lists When an access list is created for management using the protocols SNMP, Telnet, SSH or CWMP, DNS names can be used instead of IP or IPv6 addresses. The device resolves the name to an IP address and applies the ACL rules to the result. Note that such an ACL is only as trustworthy as the name resolution behind it: the device must use a trusted DNS server, since a spoofed or poisoned answer would change which addresses are granted management access (see also the DNS Query Randomization feature in Section 10).
  • Page 19: Nat And Napt

    Configuration Guide 5. NAT and NAPT NAT and NAPT The device supports NAT and PAT. PAT is referred to on the device as Network Address and Port Translation (NAPT). NAT replaces the inside (private) address of your network with an external address, one for one. NAPT maps many inside addresses onto a single external address, distinguishing the individual sessions by their translated port numbers.
  • Page 20 Security Setup Both NAT and NAPT can use a pool of addresses with which to reach (and be seen by) the outside world (the WAN). For NAT and NAPT, the inside addresses and ports to be translated are selected with ACLs; the range of external IP addresses they are translated to is called a NAT pool. To configure the NAT pool, use the following commands.
  • Page 21 Configuration Guide 5. NAT and NAPT To access a specific port on an IP address on the inside network while using NAT, configure port forwarding using the following configuration steps: Table 5-6: NAT Port Forwarding Configuration Command Description # configure data Enter the data configuration menu.
  • Page 22: Configuration Examples

    Security Setup Configuration Examples 5.1.1 Configuring TCP and ICMP NAT This example configures NAT for TCP and ICMP traffic only; UDP traffic is not matched by the ACL and is therefore not translated. # configure data (config-data)# access-list gen_nat permit tcp 192.168.0.0 0.0.0.255 any # gen_nat is short for general NAT (config-data)# access-list gen_nat permit icmp 192.168.0.0 0.0.0.255 any log (config-data)# ip nat pool nat_pool 180.1.100.50 180.1.100.50...
  • Page 23: Configuring Load Balancing Using Nat

    Configuration Guide 5. NAT and NAPT 5.1.3 Configuring Load Balancing using NAT This example includes two HTTP servers on the inside (NAT) side, one with IP address 192.168.0.3 and one with IP address 192.168.0.4. Both are identical HTTP servers serving the same main page. To reach these servers from the WAN, a secondary IP address is configured on the WAN interface GigabitEthernet 0/0, and connections arriving at that address are distributed between the two servers.
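The translation table behind the NAT, port-forwarding and load-balancing configurations in this section, as an added Python model (this is illustration written for this page, not AudioCodes code, and the addresses, ports and the round-robin choice of server are constructed assumptions, not device behaviour documented here). It shows the three things a practitioner should expect from the device's NAPT: several inside hosts share one WAN address and are told apart by port, an unsolicited inbound packet with no table entry and no forward is dropped, and a secondary WAN address can be spread over two inside servers.

```python
"""NAT, NAPT, port forwarding and NAT load balancing modelled in Python.

Added example, not AudioCodes code. Addresses and ports are constructed
for the example (documentation ranges); the round-robin server choice is an
assumption of this model.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Pkt = Tuple[str, str, int, str, int]        # proto, src ip, src port, dst ip, dst port
Endpoint = Tuple[str, int]


class Napt:
    """Many inside addresses behind one WAN address, distinguished by port."""

    def __init__(self, wan_ip: str, inside_net: str, first_port: int = 1024):
        self.wan_ip = wan_ip
        self.inside = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        self.out: Dict[Tuple[str, str, int], int] = {}       # (proto, in ip, in port) -> WAN port
        self.back: Dict[Tuple[str, int], Endpoint] = {}      # (proto, WAN port) -> inside endpoint
        self.static: Dict[Tuple[str, int], Endpoint] = {}    # port forwarding entries
        self.pools: Dict[Tuple[str, str, int], List[Endpoint]] = {}  # (proto, vip, port) -> servers
        self.sticky: Dict[Pkt, Endpoint] = {}                # client flow -> chosen server
        self.rr: Dict[Tuple[str, str, int], int] = {}        # round-robin position per pool

    def _alloc(self, proto: str, in_port: int) -> int:
        """Keep the inside source port if it is free on the WAN side, else take the next free one."""
        def taken(p: int) -> bool:
            return (proto, p) in self.back or (proto, p) in self.static
        if not taken(in_port):
            return in_port
        while taken(self.next_port):
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Pkt:
        """Inside -> WAN: rewrite the source to the WAN address and a WAN port; record the mapping."""
        if ipaddress.ip_address(src) not in self.inside:
            return (proto, src, sport, dst, dport)          # not an inside address: untouched
        key = (proto, src, sport)
        if key not in self.out:
            self.out[key] = self._alloc(proto, sport)
            self.back[(proto, self.out[key])] = (src, sport)
        return (proto, self.wan_ip, self.out[key], dst, dport)

    def forward(self, proto: str, wan_port: int, in_ip: str, in_port: int) -> None:
        """Static port forwarding: one WAN port -> one inside host and port."""
        self.static[(proto, wan_port)] = (in_ip, in_port)

    def load_balance(self, proto: str, vip: str, port: int, servers: List[Endpoint]) -> None:
        """A secondary WAN address whose connections are spread round-robin over servers."""
        self.pools[(proto, vip, port)] = list(servers)

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Pkt]:
        """WAN -> inside: the rewritten packet, or None when nothing maps it (dropped)."""
        pool = self.pools.get((proto, dst, dport))
        if pool:
            flow = (proto, src, sport, dst, dport)
            if flow not in self.sticky:                      # new connection: next server in turn
                n = self.rr.get((proto, dst, dport), 0)
                self.sticky[flow] = pool[n % len(pool)]
                self.rr[(proto, dst, dport)] = n + 1
            in_ip, in_port = self.sticky[flow]
            return (proto, src, sport, in_ip, in_port)
        if dst != self.wan_ip:
            return None
        target = self.static.get((proto, dport)) or self.back.get((proto, dport))
        if target is None:
            return None                                      # no session and no forward: drop
        return (proto, src, sport, target[0], target[1])


if __name__ == "__main__":
    nat = Napt("180.1.100.50", "192.168.0.0/24")
    print(nat.outbound("tcp", "192.168.0.10", 40000, "203.0.113.9", 443))
    print(nat.outbound("tcp", "192.168.0.11", 40000, "203.0.113.9", 443))  # same port, new WAN port
    nat.load_balance("tcp", "180.1.100.51", 80, [("192.168.0.3", 80), ("192.168.0.4", 80)])
    print(nat.inbound("tcp", "198.51.100.4", 50001, "180.1.100.51", 80))
    print(nat.inbound("tcp", "198.51.100.4", 50002, "180.1.100.51", 80))
```

The model keeps the inside source port on the WAN side when it is free, which is why two hosts that both use port 40000 end up distinguishable only by the second host's translated port; it also refuses to hand out a port that a static forward already owns, the collision a practitioner should check for when adding port forwarding to a NAPT interface.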
  • Page 25: Spi Firewall

    Configuration Guide 6. SPI Firewall SPI Firewall The device provides a built-in firewall feature. The firewall allows or denies traffic using a rule set. The firewall rules are set using ACLs. The firewall can be session-aware or stateless. There are two modes of firewall: manual and automatic. To configure the firewall in automatic mode, use the following commands: Table 6-1: Firewall - Automatic Mode Command...
  • Page 26: Configuration Example

    Security Setup Note that when the firewall is enabled, all inbound traffic is denied by default; inbound ICMP alone can still be explicitly permitted. Table 6-4: Firewall – Permit ICMP Inbound Traffic Command Description (config-data)# ip firewall allow-icmp Allow ICMP (ping) on interfaces without an access-list.
  • Page 27 Configuration Guide 6. SPI Firewall After simulating ICMP, UDP traffic on port 5000 and traffic on other ports that are not allowed by the firewall, the output of the show data access-lists command displays the following (the match counters show which rule each flow hit): # show data access-lists Extended IP access list FW_out FW_out permit tcp 192.168.0.0 0.0.0.255 any eq 20 log (... matches)
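The access-list matching that sections 2 and 3 configure and that the firewall in this section evaluates, as an added Python model (illustration written for this page, not AudioCodes code). It reproduces what the CLI examples and the show data access-lists output exhibit: entries are held in sequence-number order regardless of the order they were typed, evaluation is first match, a packet matching no entry hits the implicit deny, and each entry carries a match counter; the `log` keyword marks matches. The IPv4 wildcard-mask semantics and the `eq` port match follow the rules shown on this page. That the device renumbers the list in steps of 10 is inferred from the section 3 show output and is an assumption of this model.

```python
"""Access-list evaluation in the syntax used by this guide.

Added example, not AudioCodes code. Renumbering in steps of 10 is inferred
from the show output in section 3 and is an assumption here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AddrMatch:
    """Address operand: hit when (addr & care) == (base & care); care == 0 means 'any'."""
    text: str
    version: int = 0
    base: int = 0
    care: int = 0

    def hit(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return self.care == 0 or (ip.version == self.version
                                   and (int(ip) & self.care) == (self.base & self.care))


def parse_addr(t: List[str], i: int):
    """Parse 'any', 'prefix/len' or IPv4 'address wildcard' starting at t[i]."""
    if t[i] == "any":
        return AddrMatch("any"), i + 1
    if "/" in t[i]:
        net = ipaddress.ip_network(t[i], strict=False)
        return AddrMatch(t[i], net.version, int(net.network_address), int(net.netmask)), i + 1
    # Wildcard-mask semantics: a set wildcard bit is a don't-care bit, so 0.0.0.255 is a /24
    base = int(ipaddress.IPv4Address(t[i]))
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    return AddrMatch(f"{t[i]} {t[i + 1]}", 4, base, (~wildcard) & 0xFFFFFFFF), i + 2


@dataclass
class Rule:
    seq: int
    action: str              # permit | deny
    proto: str               # ip, ipv6, tcp, udp, icmp, gre, ...
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int] = None
    log: bool = False
    matches: int = 0

    def __str__(self) -> str:
        s = f"{self.seq} {self.action} {self.proto} {self.src.text} {self.dst.text}"
        s += f" eq {self.dport}" if self.dport is not None else ""
        s += " log" if self.log else ""
        return f"{s} ({self.matches} matches)"


class AccessList:
    def __init__(self, name: str, family: str = "ip"):
        self.name, self.family = name, family    # family only decides the implicit-deny line
        self.rules: List[Rule] = []
        self.implicit_denies = 0

    def add(self, line: str) -> None:
        """Add '[seq] permit|deny proto src dst [eq port] [log]' in the CLI syntax."""
        t = line.split()
        if t[0].isdigit():
            seq, t = int(t[0]), t[1:]
        else:                                    # no sequence given: append after the last one
            seq = max((r.seq for r in self.rules), default=0) + 10
        src, i = parse_addr(t, 2)
        dst, i = parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        self.rules.append(Rule(seq, t[0], t[1], src, dst, dport, i < len(t) and t[i] == "log"))
        self.rules.sort(key=lambda r: r.seq)     # order is by sequence number, not entry order

    @staticmethod
    def _proto_ok(rule: Rule, proto: str, version: int) -> bool:
        if rule.proto in ("ip", "ipv6"):         # 'ip'/'ipv6' match any protocol of that family
            return version == (4 if rule.proto == "ip" else 6)
        return rule.proto == proto

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
        """First-match evaluation; anything unmatched falls through to the implicit deny."""
        version = ipaddress.ip_address(src).version
        for r in self.rules:
            if (self._proto_ok(r, proto, version) and r.src.hit(src) and r.dst.hit(dst)
                    and (r.dport is None or r.dport == dport)):
                r.matches += 1
                if r.log:                        # 'log' makes the hit visible, as in the guide
                    print(f"ACL {self.name} seq {r.seq}: {r.action} {proto} {src} -> {dst}")
                return r.action
        self.implicit_denies += 1
        return "deny"

    def renumber(self) -> None:
        """Assumed device behaviour: entries re-sequenced 10, 20, 30 ... in sorted order."""
        for n, r in enumerate(self.rules, start=1):
            r.seq = n * 10

    def show(self) -> str:
        """Render in the style of 'show data access-lists', implicit deny last."""
        lines = [f"Extended IP access list {self.name}"] + [f"  {r}" for r in self.rules]
        lines.append(f"  {(len(self.rules) + 1) * 10} deny {self.family} any any "
                     f"({self.implicit_denies} matches)")
        return "\n".join(lines)


def demo_ipv6() -> AccessList:
    """The ACLv6 example from section 3: entries typed as 10, 20 and then 15."""
    acl = AccessList("150", family="ipv6")
    acl.add("10 permit ipv6 2000:100:1::0/64 2000:100:2::0/64 log")
    acl.add("20 permit ipv6 2000:102:1::0/64 2000:100:2::0/64 log")
    acl.add("15 permit ipv6 2000:101:1::0/64 2000:100:2::0/64 log")
    return acl


if __name__ == "__main__":
    acl = demo_ipv6()
    acl.evaluate("ipv6", "2000:101:1::5", "2000:100:2::1")   # permit, the entry typed as 15
    acl.evaluate("ipv6", "2000:103:1::5", "2000:100:2::1")   # deny, implicit
    acl.renumber()
    print(acl.show())
```

Feeding the firewall rule from this section (`permit tcp 192.168.0.0 0.0.0.255 any eq 20 log`) into the same evaluator shows why the UDP port 5000 traffic and the other ports in the test above end up on the implicit deny: only TCP to destination port 20 from the inside /24 matches the explicit entry.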
  • Page 29: Ipsec Tunneling

    Configuration Guide 7. IPSec Tunneling IPSec Tunneling The device supports the IPSec tunnel protocol. IPSec tunnels encrypt sessions between two points. These points can be single computers, network segments or selected hosts. The IPSec encryption uses the AES, 3DES or DES algorithms; where both peers support it, use AES, since single DES is broken and 3DES is deprecated (note that the GRE example in Section 7.1.2 still uses an esp-3des transform set). There are many practical uses for encrypting data.
  • Page 30 Security Setup Command Description (config-isakmp)# group 2 Configures the Diffie-Hellman group for the IKE exchange. Group 2 (1024-bit MODP) is considered weak today; use the strongest group that both peers support. (config-isakmp)# ike v1 Selects IKE version 1 (ike v1) or IKE version 2 (ike v2). (config-isakmp)# lifetime 3600 The lifetime is the period after which the IKE security association is re-authenticated; in this case, the tunnel is re-authenticated every hour.
  • Page 31: Configuration Examples

    Configuration Guide 7. IPSec Tunneling Configuration Examples This section provides configuration examples for IPSec. 7.1.1 Configuring IPSec This example includes two routers connected back to back using interface Gigabitethernet0/0, as shown in Figure 7-2: IPSec Example. All traffic captured in the access-list is encrypted.
  • Page 32 Security Setup crypto isakmp key P@ssw0rd address 180.1.100.21 interface GigabitEthernet 0/0 crypto map MAP1 IPSec configuration of the device on the Corporate HQ is as follows: access-list ipsec permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255 crypto isakmp policy 1 encryption aes 128 authentication pre-share hash sha group 2...
  • Page 33: Interface Gigabitethernet

    Configuration Guide 7. IPSec Tunneling Use the show data crypto status command to view the IPSec status. The following is the output from the command on the device on the branch site: # show data crypto status IKE peer [180.1.100.21] [MAP1-1] status [connected]...
  • Page 34: Crypto Isakmp Key P@Ssw0Rd Address 180.1.100.20

    Security Setup If two branch devices must connect to the Corporate HQ device, then instead of the previous addition, the following configuration (a second crypto map entry with its own ACL and peer) needs to be applied to the Corporate HQ device: access-list ipsec permit ip 10.0.2.0 0.0.0.255 192.168.2.0 0.0.0.255 crypto map MAP1 2 ipsec-isakmp set peer 180.1.100.40...
  • Page 35: Configuring Ipsec With Gre

    Configuration Guide 7. IPSec Tunneling 7.1.2 Configuring IPSec with GRE This example includes IPSec with GRE, where two devices are connected back to back via the GigabitEthernet 0/0 interface. Only the GRE traffic between the GigabitEthernet interfaces that is matched ("caught") by the access list permit gre any any is encrypted; the routed subnets travel inside the GRE tunnel and are therefore protected without having to be listed in the crypto ACL.
  • Page 36: Access-List

    Security Setup ip route 192.168.1.0 255.255.255.0 gre 1 ip route 192.168.2.0 255.255.255.0 gre 1 ip route 192.168.3.0 255.255.255.0 gre 1 access-list ipsec permit gre any any log crypto isakmp key Aa123456 address 180.1.1.2 crypto isakmp policy 10 encr aes 128 authentication pre-share hash sha group 2...
  • Page 37 Configuration Guide 7. IPSec Tunneling crypto isakmp policy 10 encryption aes 128 authentication pre-share hash sha group 2 lifetime 3600 crypto ipsec transform-set crypto_set1 esp-3des esp-sha-hmac mode tunnel exit crypto map MAP1 10 ipsec-isakmp set peer 180.1.1.1 set transform-set crypto_set1 set security-association lifetime seconds 28000 match address ipsec exit...
  • Page 38 Security Setup 192.168.11.0/24 [1/1] is directly connected, GRE 1 192.168.12.0/24 [1/1] is directly connected, GRE 1 192.168.13.0/24 [1/1] is directly connected, GRE 1 MSBR2# A debug capture is run while pinging from MSBR1 VLAN 1 to MSBR2 VLAN 1, using the command: debug capture data interface gigabitethernet 0/0 proto all host 180.1.1.1...
  • Page 39 Configuration Guide 7. IPSec Tunneling Note the output of the capture with the "ipsec" keyword, which allows viewing the IPSec-protected traffic. Note that the traffic shown is carried over the GRE tunnel: debug capture data interface gigabitethernet 0/0 ipsec proto all host 180.1.1.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode...
  • Page 40: Configuring Ipsec With Rsa

    Security Setup 7.1.3 Configuring IPSec with RSA It is possible to use certificates instead of a pre-shared key for authentication. The device provides its own Trusted Root Certificate store, which lets you manage the trusted CA certificates used to authenticate the remote side. You can import up to 20 certificates into the store (fewer if the certificate files are large).
  • Page 41 Configuration Guide 7. IPSec Tunneling 7.1.3.1.2 Root Certificate or Chain Certificates When importing a CA certificate or a CA certificate chain, you must import the root CA certificate first, then the child (intermediate) certificates. All certificate manipulations must be performed in the CLI under the PKI (public key infrastructure) configuration section. Enter the following commands: configure data crypto isakmp pki 0...
  • Page 42 Security Setup Command Sub-commands Description import Imports private key, in textual PEM format. 7.1.3.1.3 Import Root Certificates Procedure Go to the PKI CLI section: #configure data (config-data)#crypto isakmp Use the following command to import the Root certificate: (config-isakmp-pki)# trusted-root import The following message is displayed: Enter data below.
  • Page 43 MSBR(config-isakmp-pki)# Check that the imported certificate matches the private key with which it was generated: MSBR-31(config-isakmp-pki)# certificate status Certificate subject: /C=IL/CN=MSBR-31 Certificate issuer : /C=IL/ST=CENTER/L=LOD/O=Audiocodes/OU=R&D/CN=ca.local/emailAddress=timg@audiocodes.com Signature Algorithm: sha256WithRSAEncryption Time to expiration : 369 days Key size: 2048 bits Active sockets: 0 The currently-loaded private key matches this certificate.
  • Page 44 Security Setup If the imported certificate does not match the generated key, the output is as follows. Note that subject and issuer are identical here, which indicates that a self-signed CA certificate was loaded where the device's own certificate was expected, and that the 1024-bit key is below the 2048-bit minimum that should be used for RSA: MSBR-99(config-isakmp-pki)# certificate status Certificate subject: /C=IL/ST=Center/L=Lod/O=AC/OU=R&D/CN=ca.local/emailAddress=timg@audiocodes.com Certificate issuer : /C=IL/ST=Center/L=Lod/O=AC/OU=R&D/CN=ca.local/emailAddress=timg@audiocodes.com Signature Algorithm: sha256WithRSAEncryption Time to expiration : 3522 days Key size: 1024 bits...
  • Page 45 Configuration Guide 7. IPSec Tunneling 7.1.3.1.5 Device PKI Configuration Example The following is an example of the configuration of IPSec using PKI authentication between two routers using a GRE tunnel. Both devices have an NTP server configured, and certificates were imported as described in the previous sections. Figure 7-5: Device PKI Configuration Example Configuration of MSBR-31 is as follows: configure data...
  • Page 46: No Napt

    Security Setup mtu auto desc "WAN Copper" no ipv6 enable speed auto duplex auto no service dhcp ip dns server auto no napt crypto map MAP1 firewall enable no shutdown exit interface VLAN 1 ip address 192.168.0.1 255.255.255.0 mtu auto desc "LAN switch VLAN 1"...
  • Page 47 Configuration Guide 7. IPSec Tunneling Configuration of MSBR-86 is as follows: configure data access-list IPSEC permit gre any any access-list ALL_BUT_IPSEC deny gre any any access-list ALL_BUT_IPSEC permit ip any any crypto isakmp policy 1 encr aes 256 authentication rsa-sig hash sha group 5 lifetime 3600...
  • Page 48 Security Setup mtu 1400 desc "WAN GRE 2" no napt tunnel source GigabitEthernet 0/0 tunnel destination 10.31.2.31 keepalive 1 2 no firewall enable no shutdown exit ip nat inside source list ALL_BUT_IPSEC interface GigabitEthernet 0/0 ip route 10.31.2.0 255.255.255.0 10.4.2.1 GigabitEthernet 0/0 ip route 192.168.0.0 255.255.255.0 gre 2 To check that IPSec is up, use the show data crypto status command.
  • Page 49: Configuring Ipsec With Ikev2

    Configuration Guide 7. IPSec Tunneling 7.1.4 Configuring IPSec with IKEv2 The MSBR supports Internet Key Exchange (IKE) version 2. With IKEv2, the MSBR supports configuring the peer by IP address or FQDN. For the identity of the IKEv2 peer, the MSBR supports: IP address ...
  • Page 50 Security Setup ike v2 exit crypto ipsec transform-set crypto_set esp-aes 256 esp-sha-hmac mode tunnel exit crypto map MAP1 1 ipsec-isakmp set peer 82.80.170.113 set transform-set crypto_set set security-association lifetime seconds 3600 match address ipsec exit interface VLAN 1 no ip address bridge-group 1 mtu auto desc "LAN switch VLAN 1"...
  • Page 51 Configuration Guide 7. IPSec Tunneling no napt no firewall enable no shutdown exit interface pppoe 0 firewall enable napt mtu auto ppp user 0543150513@014 obscured-pass vu/atLSt8g== ppp authentication chap ppp authentication ms-chap ppp authentication ms-chap-v2 ppp authentication pap ppp lcp-echo 6 5 no ppp compression ip address auto ipv6 address autoconfig...
  • Page 52 Security Setup set security-association lifetime seconds 3600 match address ipsec set default-route exit interface dsl 0/2 #DSL configuration is automatic #Termination cpe no shutdown exit interface EFM 0/2 no ip address mtu auto desc "VDSL" no ipv6 enable no service dhcp ip dns server static no shutdown exit...
  • Page 53 Configuration Guide 7. IPSec Tunneling exit ip nat inside source list all_but_ipsec interface PPPOE 0 ip route 0.0.0.0 0.0.0.0 PPPOE 0 1 exit The MSBR HQ has an IKEv2 peer that is configured with an FQDN as home.timg.pro. This DNS resolves into the MSBR Branch's IP address and serves as the MSBR Branch identity. Version 7.2 Security Setup...
  • Page 55: L2Tp Vpn Server

    Configuration Guide 8. L2TP VPN Server L2TP VPN Server The device supports an L2TP VPN server. With this feature, clients can connect to the device from other locations using the built-in Windows VPN dialer (L2TP over IPSec). To configure the L2TP VPN server, use the following commands: Table 8-1: L2TP VPN Servers Command Description...
  • Page 56 "LinePass!1" is used as the IPSec pre-shared key between the client and server. Because this key is shared by every client, the per-user password below is the only secret that identifies an individual user, so choose it accordingly. The following is the user configuration for the clients: vpn-users user AudioCodes key P@ssw0rd exit Note that show running-config displays the passwords and keys in obscured format.
  • Page 57 Configuration Guide 8. L2TP VPN Server Click the Set up a virtual private network (VPN) connection link. Figure 8-2: Select Connection Type Select the Let me decide later option, and then click Next. Figure 8-3: VPN Server IP Address Version 7.2 Security Setup...
  • Page 58 Security Setup In the 'Internet address' field, enter the VPN IP address (typically, the device's WAN interface). In the 'Destination name' field, enter the destination name, which will later become the dialer's name in the Network Connection window. Click Next. Figure 8-4: L2TP Username and Password Enter the user name and password that was previously configured on the device, and then click Create.
  • Page 59 Configuration Guide 8. L2TP VPN Server Figure 8-6: Network Connections Window Right-click VPN Connection that you just created, and then choose Properties. Figure 8-7: VPN Connection Properties Security Tab Version 7.2 Security Setup...
  • Page 60 Security Setup Click the Security tab, and then click Advanced settings. Figure 8-8: VPN Connection Advanced Properties Select the Use preshared key for authentication option, and then enter the key previously configured on device, and then click OK. Click OK until you're back at the Network Connections window. Double-click VPN Connection.
  • Page 61 When the connection is successfully established, in the device use the show data l2tp-server command to view the connected users: MSBR-1# show data l2tp-server Conn# Username Rx/Tx Uptime ----- ----------------------------------- ----------------- -- --------- ------ AudioCodes 192.168.1.3 3832/1514 1220 Total 1 connections. MSBR-1# Version 7.2 Security Setup...
  • Page 63: 802.1X

    Configuration Guide 9. 802.1X 802.1X The device supports 802.1X (dot1x) from Version 6.8. 802.1X is a port-based network access control protocol that permits or denies a host access to the network based on the host's authentication. To configure 802.1X using an authentication server, perform the following configuration steps: Command Description # configure data...
  • Page 64: Activating Dot1X Authentication On Windows 7

    Security Setup Activating dot1x Authentication on Windows 7  To activate dot1x authentication on Windows 7: Press the Windows + R key combination to open the Run window. Figure 9-1: Run Window In the 'Open' field, type "services.msc", and then click OK. Figure 9-2: Services Window Navigate to the Standard tab, and locate the "Wired AutoConfig"...
  • Page 65 Configuration Guide 9. 802.1X Right-click Wired AutoConfig, and then from the shortcut menu, choose Start, as shown below: Figure 9-3: Wired AutoConfig Service The actions above should activate dot1x authentication for all interfaces on Windows 7. Version 7.2 Security Setup...
  • Page 66: Configuring Dot1X On Windows 7

    Security Setup Configuring dot1x on Windows 7  To configure dot1x on Windows 7: Press the Windows+R key combination to open the Run window. Figure 9-4: Run Window In the 'Open' field, type "ncpa.cpl", and then click OK; the Network Connections window appears: Figure 9-5: Local Area Connection Properties Mediant MSBRs...
  • Page 67 Configuration Guide 9. 802.1X Right-click an interface that dot1x needs to be configured on, and then choose Properties; the following dialog box appears: Figure 9-6: Local Area Connection Select the 'Enable IEEE 802.1X authentication' check box. Set the authentication method to Microsoft: Protected EAP (PEAP). Version 7.2 Security Setup...
  • Page 68 Security Setup Click Settings; the following dialog box appears: Figure 9-7: Protected EAP Properties Clear the 'Validate server certificate' check box, and make sure that Secured Password (EAP-MSCHAP v2) is selected. Note that clearing 'Validate server certificate' makes the supplicant accept any authenticator, so the MSCHAPv2 credentials could be captured by a rogue switch or access point; this is acceptable for a lab test against the device's internal server, but in production keep validation enabled and trust only the CA that issued the RADIUS server's certificate. Click Configure; the following dialog box appears: Figure 9-8: EAP MSCHAPv2 Properties
  • Page 69 Configuration Guide 9. 802.1X When the device's internal dot1x server is used, or whenever the Windows logon credentials are not to be used, clear the 'Automatically use my …' check box. If Windows authentication is used, select the check box. Click OK until you're back at the Authentication tab in the Local Area Connection Properties window: Figure 9-9: Authentication Tab Version 7.2...
  • Page 70 Security Setup Click Additional Settings; the following dialog box appears: Figure 9-10: Advanced Settings Make sure that the 'Specify authentication mode' check box is selected. Select User authentication for user authentication. You can also enter the credentials at this step by clicking Save credentials. Click OK until the interface settings close.
  • Page 71: Example Of Local Authentication Configuration

    This example describes how to use the device's internal dot1x RADIUS to authenticate users: # configure data (config-data)# dot1x radius-server local (config-data)# dot1x local-user AudioCodes password P@ssw0rd (config-data)# dot1x lan-authentication enable (config-data)# interface gigabitethernet 4/1 (conf-if-GE 4/1)# authentication dot1x single-host...
  • Page 73: Dns Query Randomization

    Configuration Guide 10. DNS Query Randomization DNS Query Randomization The device supports DNS query source port and Query ID randomization from Version 6.8. The purpose of this feature is to prevent DNS spoofing (cache poisoning) attacks: an off-path attacker who wants to inject a forged answer must guess both the 16-bit Query ID and the randomized UDP source port, instead of only the Query ID when the source port is fixed and predictable. There are two modes of operation for DNS Query Randomization: Forwarding Plan mode: An external DNS server on the device’s WAN side is ...
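Why randomizing the source port in addition to the Query ID matters, as an added Python model of a forwarder (illustration written for this page, not AudioCodes code; the names and addresses are constructed from documentation ranges, and the attacker model, which walks or guesses the ID and port fields, is an assumption of the example). The forwarder keys each outstanding query by (Query ID, source port) and accepts a reply only when both match and the question section echoes the name; with a fixed source port the attacker succeeds within 65536 forgeries, with a randomized port the same budget almost never succeeds.

```python
"""DNS query source-port and transaction-ID randomization, modelled in Python.

Added example, not AudioCodes code. Names and addresses are constructed for
the example (documentation ranges); the attacker model is an assumption.
"""
import ipaddress
import secrets
import struct
from typing import Dict, Optional, Tuple


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(data: bytes, off: int) -> str:
    labels = []
    while off < len(data) and data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode(errors="replace"))
        off += n + 1
    return ".".join(labels)


def build_query(name: str, txid: int) -> bytes:
    """Header: id, flags (RD set), qdcount=1; then one A/IN question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, ip: str) -> bytes:
    """A minimal answer as a server (or a spoofer) would send it: question echoed, one A record."""
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + encode_name(name)
            + struct.pack("!HH", 1, 1) + ans)


def query_txid(datagram: bytes) -> int:
    return struct.unpack("!H", datagram[:2])[0]


class Forwarder:
    """Outstanding queries are keyed by (txid, source port); both must match on the way back."""

    def __init__(self, randomize_port: bool = True, fixed_port: int = 53,
                 lo: int = 1024, hi: int = 65535):
        self.randomize_port, self.fixed_port, self.lo, self.hi = randomize_port, fixed_port, lo, hi
        self.pending: Dict[Tuple[int, int], str] = {}

    def send(self, name: str) -> Tuple[bytes, int]:
        """Return the query datagram and the UDP source port it leaves on."""
        while True:
            txid = secrets.randbelow(1 << 16)
            sport = (self.lo + secrets.randbelow(self.hi - self.lo + 1)
                     if self.randomize_port else self.fixed_port)
            if (txid, sport) not in self.pending:
                break
        self.pending[(txid, sport)] = name
        return build_query(name, txid), sport

    def receive(self, datagram: bytes, dst_port: int) -> Optional[str]:
        """Accept only a response whose txid and destination port match an outstanding query
        and whose question echoes the name; anything else is dropped (None)."""
        if len(datagram) < 12:
            return None
        txid, flags = struct.unpack("!HH", datagram[:4])
        if not flags & 0x8000:                     # QR bit clear: not a response
            return None
        name = self.pending.get((txid, dst_port))
        if name is None or decode_name(datagram, 12) != name:
            return None
        del self.pending[(txid, dst_port)]
        return name


def spoof(forwarder: Forwarder, name: str, known_port: Optional[int] = None,
          budget: int = 1 << 16) -> Optional[int]:
    """Off-path attacker: forge answers until one is accepted. With the port known the txids
    are walked 0..65535; otherwise both fields are guessed. Returns forgeries needed, or None."""
    for n in range(budget):
        txid = n if known_port is not None else secrets.randbelow(1 << 16)
        port = known_port if known_port is not None else 1024 + secrets.randbelow(64512)
        if forwarder.receive(build_response(txid, name, "198.51.100.66"), port) is not None:
            return n + 1
    return None


if __name__ == "__main__":
    fixed = Forwarder(randomize_port=False)
    fixed.send("example.com")
    print("fixed port, forgeries needed:", spoof(fixed, "example.com", known_port=53))
    rnd = Forwarder()
    rnd.send("example.com")
    print("randomized port, 65536 forgeries:", spoof(rnd, "example.com"))
```

The attacker's search space grows from 2^16 (Query ID only) to roughly 2^16 times the size of the ephemeral port range, which is the entire benefit of the feature; the check on the echoed question name is the additional sanity test a resolver applies before accepting any answer.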
  • Page 74 Website https://www.audiocodes.com/ ©2020 AudioCodes Ltd. All rights reserved. AudioCodes, AC, HD VoIP, HD VoIP Sounds Better, IPmedia, Mediant, MediaPack, What’s Inside Matters, OSN, SmartTAP, User Management Pack, VMAS, VoIPerfect, VoIPerfectHD, Your Gateway To VoIP, 3GX, VocaNom, AudioCodes One Voice, AudioCodes Meeting Insights, AudioCodes Room Experience and CloudBond are trademarks or registered trademarks of AudioCodes Limited.
