Security Guide vA1(7), Cisco ACE 4700 Series Application Control Engine Appliance

Index

A

AAA

accounting configuration, displaying 2-52

accounting log information, displaying 2-52

accounting method, defining default 2-47

authentication configuration, displaying 2-53

groups, displaying 2-48

LDAP server, configuring for 2-35

LDAP server configuration, displaying 2-51

local and remote support 2-4

login authentication method, defining 2-45

overview 2-2

quick start 2-8

RADIUS server, configuring for 2-25

RADIUS server configuration, displaying 2-49

server, adding 2-24

server groups, configuring 2-38

status and statistics 2-48

TACACS+ server, configuring for 2-31

TACACS+ server configuration, displaying 2-50

user accounts, creating 2-23

accounting

configuration, displaying 2-52

default method, defining 2-47

log information, displaying 2-52

RADIUS server accounting settings, configuring 2-17

TACACS+ server accounting settings, configuring 2-12

ACLs

alternate address, ICMP message 1-14

BPDU 1-16

clearing statistics 1-31

comments in extended ACLs 1-15

configuration information, displaying 1-30

dynamic NAT 5-10

EtherType, configuring 1-16

EtherType examples 1-29

extended, configuring 1-6

extended examples 1-21

guidelines 1-3

implicit deny 1-3

inbound 1-22

IP extended ACL 1-7

IPs with NAT 1-25

maximum entries 1-4

merged 1-2

order of entries 1-3

outbound 1-22

overview 1-1

quick start 1-4

resequencing entries 1-18

static NAT 5-20

statistics, displaying 1-30

TCP 1-7

types 1-2

UDP 1-7

application protocol inspection

class map overview 3-6

configuration examples 3-78, 3-79, 3-81

DNS 3-9, 3-71

FTP 3-10, 3-71

HTTP 3-8, 3-71

ICMP 3-11, 3-72

Layer 3 and 4 HTTP parameter map 3-73

Layer 3 and 4 quick start 3-22

Layer 3 and 4 traffic policy configuration 3-61

Layer 7 FTP command inspection class map 3-54

Layer 7 FTP command inspection configuration 3-53

Layer 7 FTP command inspection quick start 3-19

Layer 7 HTTP deep packet inspection class map 3-25

Layer 7 HTTP deep packet inspection configuration 3-24

Layer 7 HTTP deep packet inspection policy map 3-46

Layer 7 HTTP deep packet inspection quick start 3-15

limitations 3-3

NAT and PAT support 3-3

overview 3-2

policy map overview 3-6

process flow diagram 3-7

protocol inspection overview 3-2

RTSP 3-13, 3-72

service policy, defining 3-76

service policy, displaying 3-82

standards 3-3

statistics 3-82

supported protocols 3-3

authentication

configuration, displaying 2-53

local and remote support 2-4

local database 2-5

login method, defining 2-45

overview 2-7

RADIUS server authentication settings, configuring 2-16

TACACS+ server accounting settings, configuring 2-11

B

BPDU, in ACL 1-16

buffer

size, for connection parameter map 4-7

C

class map

associating with Layer 7 policy map 3-59

associating with policy map 3-50, 3-68

dynamic NAT 5-13

Layer 3 and 4 access list match criteria 3-63

Layer 3 and 4 class map, associating with policy map 4-27

Layer 3 and 4 class map, creating 3-61

Layer 3 and 4 description 3-63

Layer 3 and 4 port range criteria 3-64

Layer 4, creating 4-23

Layer 4 description 4-24

Layer 4 IP address criteria 4-24

Layer 4 port number criteria 4-25

Layer 7 FTP command inspection, configuring 3-54

Layer 7 FTP command inspection description 3-55

Layer 7 FTP request methods 3-55

Layer 7 HTTP deep packet inspection, configuring 3-25

Layer 7 HTTP deep packet inspection description 3-27

overview in application protocol inspection process 3-6

static NAT 5-20

configuration examples

application protocol inspection 3-81

FTP 3-79

HTTP 3-78

IP fragment reassembly parameters 4-39

TCP/IP normalization 4-39

connection

clearing 4-53

embryonic, handling timeout of 4-13

half-closed, handling timeout of 4-14

inactive, handling timeout of 4-14

statistics, clearing 4-56

connection parameter map

action for segment overrun 4-10

associating with policy map 4-28

buffer size setting 4-7

configuring for TCP/IP normalization 4-6

creating for TCP/IP, UDP, and ICMP 4-7

embryonic connection timeout 4-13

half-closed connection timeout 4-14

inactive connection timeout 4-14

Nagle's algorithm 4-11

out-of-order segments, limiting 4-10

random TCP sequence numbers 4-12

reserved bit handling 4-12

segment size setting 4-8

slow start algorithm 4-16

TCP options, handling 4-17

TCP SYN retries, limiting 4-11

TCP SYN segments with data, handling 4-17

type of service 4-22

urgent pointer policy 4-21

content type verification

HTTP message 3-49

D

dead-time

RADIUS server group setting 2-41

RADIUS server setting 2-29

TACACS+ server group setting 2-40

TACACS+ server setting 2-34

destination NAT 5-2, 5-5, 5-17, 5-24, 5-31

DNS 3-71

application protocol inspection, configuring 3-71

application protocol support 3-3

configuration example 3-81

inspection overview 3-9

Don't Fragment bit, handling 4-31

dynamic NAT

See NAT

E

embryonic connection, handling timeout of 4-13

EtherType ACL

configuring 1-16

examples 1-29

extended ACL

comments in 1-15

configuring 1-6

examples 1-21

F

fixups

See application protocol inspection

fragment reassembly parameters

See IP fragment reassembly parameters

FTP

application protocol support 3-3, 3-4

associating class map with policy map 3-59

class map 3-54

configuration examples 3-79

inline match commands in policy map 3-58

inspection overview 3-10

Layer 3 and 4 FTP application protocol inspection, configuring 3-71

Layer 7 FTP command inspection, configuring 3-53

policy actions 3-60

policy map 3-56, 3-57

request methods, defining for command inspection 3-55

strict 3-10, 3-71

G

global addresses, guidelines for NAT 5-6

H

header value string expressions 3-33

HTTP

application protocol support 3-4

associating class map with policy map 3-50

class map 3-25

configuration examples 3-78

content length, defining 3-29

content match criteria, defining 3-28

content type verification match criteria, defining 3-49

header for inspection 3-30

header value string expressions 3-33

HTTP/1.1 header fields, supported 3-31

inline match commands in policy map 3-48

inspection overview 3-8

internal compliance checks 3-50

Layer 3 and 4 HTTP application protocol inspection, configuring 3-71

Layer 7 HTTP deep packet inspection, configuring 3-24

Layer 7 HTTP deep packet inspection policy map 3-46

maximum header length for inspection 3-35

MIME type for inspection 3-37

parameter map 3-73

policy actions 3-51

policy map 3-46

request method for inspection 3-41

restricted category, defining (port misuse) 3-39

statistics from inspection 3-82

strict HTTP match criteria, defining 3-50

transfer encoding type for inspection 3-42

URL for inspection 3-43

URL length for inspection 3-45

HTTP/1.1 header fields, supported 3-31

I

ICMP

application protocol inspection, configuring 3-72

application protocol support 3-4, 3-5

conversion-error, ICMP message 1-14

echo, ICMP message 1-14

echo reply, ICMP message 1-14

information reply, ICMP message 1-14

information request, ICMP message 1-14

inspection overview 3-11

mask reply, ICMP message 1-14

mask request, ICMP message 1-14

mobile redirect, ICMP message 1-14

NAT of ICMP error messages 3-72

parameter-problem, ICMP message 1-14

redirect, ICMP message 1-14

router-advertisement, ICMP message 1-14

router-solicitation, ICMP message 1-14

security, disabling 4-31

source quench, ICMP message 1-14

time-exceeded, ICMP message 1-14

timestamp-reply, ICMP message 1-14

timestamp-request, ICMP message 1-14

traceroute, ICMP message 1-14

types 1-14

unreachable, ICMP message 1-14

inbound ACLs 1-22

inline match commands

content type verification for HTTP inspection 3-49

in Layer 7 FTP command inspection policy map 3-58

in Layer 7 HTTP deep packet inspection policy map 3-48

strict HTTP for HTTP inspection 3-50

inspection engines

See application protocol inspection

IP

ACL 1-7

address pool, for dynamic NAT 5-10

for ACL with NAT 1-25

normalization, overview 4-3

options, handling 4-32

IP fragment reassembly parameters

configuration example 4-39

configuring 4-35

maximum fragment size setting 4-37

maximum fragments setting 4-37

MTU setting 4-36

quick start 4-35

reassembly timeout setting 4-38

L

Layer 3 and 4 application protocol inspection, configuring

associating class map with policy map 3-68

class map 3-61

policy actions 3-70

policy map 3-67

LDAP server

ACE configuration 2-35

configuration, displaying 2-51

configuration overview 2-19

directory server overview 2-6

parameters, setting 2-36

port, setting 2-37

search filter configuration 2-44

server group, creating 2-38

timeout, setting 2-37

user profile attribute type configuration 2-42

virtualization attributes, defining 2-13, 2-18, 2-20

local database authentication 2-5

login authentication method, defining 2-45

M

merged ACLs 1-2

MIME type, supported for HTTP inspection 3-37

MPLS, in ACL 1-16, 1-18

MTU

in IP fragment reassembly configuration 4-36

N

Nagle's algorithm 4-11

NAT

ACL configuration, dynamic 5-10

ACL configuration, static 5-20

application protocol inspection support 3-3

as policy map action, dynamic 5-15

as policy map action, static 5-22

class map configuration, dynamic 5-13

class map configuration, static 5-20

destination 5-2, 5-5, 5-17, 5-24, 5-31

dynamic NAT, overview 5-3

dynamic NAT and PAT, configuring 5-7

dynamic PAT, overview 5-4

global address guidelines 5-6

global IP address pool 5-10

idle timeout, configuring 5-7

IPs in ACLs 1-25

maximum number of statements 5-5

overview 5-1

policy map configuration, dynamic 5-14

policy map configuration, static 5-21

quick start, dynamic NAT and PAT 5-8

quick start, static NAT 5-18

service policy, global dynamic 5-17

service policy, local dynamic 5-16

service policy, static 5-24

source 5-2, 5-3, 5-4, 5-7

static NAT, overview 5-5

static NAT and port redirection, configuring 5-17

static port redirection 5-5

network address translation

See NAT

normalization parameters

configuring 4-29

Don't Fragment bit, handling 4-31

ICMP security, disabling 4-31

IP options, handling 4-32

packet TTL setting 4-33

TCP normalization, disabling 4-30

unicast reverse-path forwarding, configuring 4-34

O

order of ACL entries 1-3

outbound ACLs 1-22

P

packet TTL setting 4-33

parameter map

associating with Layer 3 and 4 policy map 3-75

case sensitivity, disabling 3-74

configuring for Layer 3 and 4 HTTP inspection 3-73

maximum content bytes setting 3-75

maximum header bytes setting 3-74

PAT

configuring 5-7

overview 5-4

policy map

actions, defining 3-51, 3-60, 3-70

associating with connection parameter map 4-28

dynamic NAT 5-14

dynamic NAT as policy map action 5-15

Layer 3 and 4, associating with class map 3-68

Layer 3 and 4, associating with parameter map 3-75

Layer 3 and 4, associating with service policy 4-29

Layer 3 and 4, configuring HTTP parameter map 3-73

Layer 3 and 4, creating 3-67, 4-27

Layer 3 and 4, defining 3-67

Layer 3 and 4, description 3-68

Layer 3 and 4 policy map, associating with class map 4-27

Layer 7 FTP command inspection, adding description 3-57

Layer 7 FTP command inspection, associating with class map 3-59

Layer 7 FTP command inspection, creating 3-57

Layer 7 FTP command inspection, defining 3-56

Layer 7 FTP command inspection, inline match commands 3-58

Layer 7 HTTP deep packet inspection, adding description 3-47

Layer 7 HTTP deep packet inspection, associating with class map 3-50

Layer 7 HTTP deep packet inspection, creating 3-46

Layer 7 HTTP deep packet inspection, inline match commands 3-48

overview in application protocol inspection process 3-6

static NAT 5-21

static NAT as policy map action 5-22

port

for LDAP server 2-37

number or range for Layer 3 and 4 application protocol inspection 3-64

port redirection, configuring 5-17

port redirection

configuring 5-17

overview 5-5

preshared key

RADIUS, setting for 2-28

TACACS+, setting for 2-33

Q

quick start

AAA configuration 2-8

ACL configuration 1-4

dynamic NAT and PAT configuration 5-8

IP fragment reassembly configuration 4-35

Layer 3 and 4 application protocol inspection 3-22

Layer 7 FTP command inspection 3-19

Layer 7 HTTP deep packet inspection 3-15

static NAT configuration 5-18

TCP/IP normalization 4-3

R

RADIUS server

ACE configuration 2-25

adding 2-24

authentication settings, configuring 2-16

configuration, displaying 2-49

dead-time setting 2-29

global preshared key setting 2-28

NAS-IP-Address attribute setting 2-28

number of retransmissions, setting 2-30

parameters, setting 2-25

server accounting settings, configuring 2-17

server group, creating 2-38

server group dead-time setting 2-41

server overview 2-6

timeout setting 2-31

remarks in extended ACLs 1-15

reordering ACL entries 1-18

request methods

FTP command inspection, defining for 3-55

HTTP inspection, defining for 3-41

resequencing ACL entries 1-18

reserved bits, handling in connection parameter map 4-12

restricted category, defining for HTTP inspection (port misuse) 3-39

reverse-path forwarding, configuring 4-34

RTSP

application protocol inspection, configuring 3-72

application protocol support 3-5

inspection overview 3-13

restrictions 3-14

rules, maximum in ACL 1-4

S

segments, limiting out-of-order 4-10

segment size

action for overrun 4-10

for connection parameter map 4-8

server groups

configuring 2-38

creating 2-38

LDAP 2-38

RADIUS 2-38

TACACS+ 2-38

service policy

applying to VLAN interfaces 3-76

associating with Layer 3 and 4 policy map 4-29

configuration information 3-83

dynamic NAT, global 5-17

dynamic NAT, local 5-16

static NAT, local 5-24

slow start algorithm, enabling in connection parameter map 4-16

source NAT 5-2, 5-3, 5-4, 5-7

static NAT

See NAT

statistics

AAA 2-48

ACL, clearing 1-31

ACL, displaying 1-30

connection, clearing 4-56

HTTP inspection 3-82

IP, clearing 4-54

IP fragmentation and reassembly, clearing 4-55

IP fragmentation and reassembly, displaying 4-49

IP traffic 4-46

service policy 4-52

TCP, clearing 4-54

TCP, displaying 4-50

TCP/IP and UDP connections 4-44

TCP/IP connections and IP reassembly, clearing 4-53

TCP/IP connections and IP reassembly, displaying 4-41

UDP, clearing 4-55

UDP, displaying 4-51

T

TACACS+ server

accounting settings, configuring 2-12

ACE configuration 2-31

adding 2-24

Cisco Secure Access Control Server (ACS) 2-11, 2-12

configuration, displaying 2-50

dead-time setting 2-34

global preshared key setting 2-33

parameters, setting 2-32

server authentication settings, configuring 2-11

server group, creating 2-38

server group dead-time setting 2-40

server overview 2-5

timeout setting 2-35

TCP

ACL 1-7

normalization, disabling 4-30

normalization, overview 4-2

options, handling in connection parameter map 4-17

port numbers and key words 1-9

sequence numbers, randomizing 4-12

slow start algorithm, enabling in connection parameter map 4-16

SYN retries, limiting in connection parameter map 4-11

SYN segments with data, handling in connection parameter map 4-17

TCP/IP and UDP configurations, displaying 4-41

TCP/IP normalization

clearing connections 4-53

configuration example 4-39

connection parameter map, configuring 4-6

IP fragment reassembly parameters, configuring 4-35

Layer 3 and 4 policy map, configuring 4-27

Layer 4 class map, configuring 4-23

normalization parameters, configuring 4-29

overview 4-2

quick start 4-3

statistics, clearing 4-53, 4-55

statistics, displaying 4-41

statistics, IP fragmentation and reassembly 4-49

statistics, IP traffic 4-46

statistics, service policy 4-52

statistics, TCP 4-50

statistics, TCP/IP connections 4-44

statistics, UDP 4-51

TCP/IP and UDP configurations, displaying 4-41

traffic policy, configuring 4-22

traffic class

See class map

traffic policies

TCP/IP normalization 4-22

transfer encoding, defining for HTTP inspection 3-42

TTL setting 4-33

type of service, setting in connection parameter map 4-22

U

UDP

ACL 1-7

port numbers and key words 1-11

UDP and TCP/IP configurations, displaying 4-41

unicast reverse-path forwarding, configuring 4-34

urgent pointer policy, setting in connection parameter map 4-21

URL

defining for HTTP deep packet inspection 3-43

length, defining for HTTP deep packet inspection 3-45

regular expressions 3-44

URL request logging 3-72
