Cisco Security Appliance Command Line Configuration Guide, Version 7.2
Index

Symbols

/bits subnet masks D-3

?

command string C-4

help C-4

Numerics

4GE SSM

connector types 5-1

fiber 5-3

SFP 5-3

support A-9

802.1Q tagging 4-11

802.1Q trunk 5-3

A

AAA

about 13-1

accounting 19-13

addressing, configuring 31-2

authentication

CLI access 40-5

network access 19-1

privileged EXEC mode 40-6

authorization

command 40-7

downloadable access lists 19-8

network access 19-6

local database support 13-9

performance 19-1

server

adding 13-12

types 13-2

support summary 13-3

web clients 19-5

abbreviating commands C-3

Access Control Server 33-1, 33-2, 33-5

access hours, username attribute 30-74

accessing the security appliance using SSL 37-3

accessing the security appliance using TLS1 37-3

access list filter, username attribute 30-76

access lists

about 16-1

ACE logging, configuring 16-20

comments 16-18

deny flows, managing 16-22

downloadable 19-9

EtherType, adding 16-8

exemptions from posture validation 33-4

extended

about 16-5

adding 16-6

group policy WebVPN filter 30-66

implicit deny 16-3

inbound 18-1

interface, applying 18-2

IP address guidelines 16-3

IPsec 27-20

logging 16-20

NAT guidelines 16-3

Network Admission Control, default 33-3

object groups 16-18

outbound 18-1

remarks 16-18

scheduling activation 16-18

standard, adding 16-11

types 16-2

WebVPN username connections 30-83

access ports 4-9

ACEs

See access lists

Active/Active failover

about 14-10

actions 14-14

command replication 14-12

configuration synchronization 14-12

configuring

asymmetric routing support 14-36

cable-based failover 14-28

failover criteria 14-35

failover group preemption 14-34

HTTP replication 14-35

interface monitoring 14-35

LAN-based failover 14-30

prerequisites 14-28

virtual MAC addresses 14-36

device initialization 14-12

duplicate MAC addresses, avoiding 14-11, 14-36

primary status 14-11

secondary status 14-11

triggers 14-14

Active/Standby failover

about 14-7

actions 14-9

command replication 14-8

configuration synchronization 14-7

configuring

cable-based 14-21

failover criteria 14-27

HTTP replication 14-26

interface monitoring 14-26

interface poll times 14-40

LAN-based 14-22

prerequisites 14-21

unit poll times 14-40

virtual MAC addresses 14-27

device initialization 14-7

primary unit 14-7

secondary unit 14-7

triggers 14-9

Active Directory, settings for password management 30-24

Active Directory procedures E-19 to E-22

Adaptive Security Algorithm 1-4

admin context

about 3-2

changing 6-13

administrative distance 9-3

Advanced Encryption Standard (AES) 27-3

AIP SSM

about 22-1

checking status 22-13

configuration 22-2

initial setup 22-4

loading an image 22-14

sending traffic to 22-2

support A-9

alternate address, ICMP message D-15

Application Access Panel, WebVPN 37-34

application access using WebVPN

and e-mail proxy 37-51

and hosts file errors 37-18

and Web Access 37-51

configuring client applications 37-50

enabling cookies on browser 37-50

group policy WebVPN attribute 30-67

privileges 37-50

quitting properly 37-19

re-enabling 37-20

setting up on client 37-50

username WebVPN attribute 30-84

using e-mail 37-51

with IMAP client 37-51

application inspection

about 25-2

applying 25-5

configuring 25-5

inspection class map 21-11

inspection policy map 21-8

security level requirements 7-1

special actions 21-7

Application Profile Customization Framework 37-30

ARP inspection

about 26-1

enabling 26-2

static entry 26-2

ARP spoofing 26-2

ARP test, failover 14-18

ASA (Adaptive Security Algorithm) 1-4

ASA 5505

Base license 4-2

client

authentication 34-12

configuration restrictions, table 34-2

device pass-through 34-8

group policy attributes pushed to 34-10

mode 34-3

remote management 34-9

split tunneling 34-8

TCP 34-4

trustpoint 34-7

tunnel group 34-7

tunneling 34-5

Xauth 34-4

interfaces, about 4-1

MAC addresses 4-4

maximum VLANs 4-2

native VLAN support 4-11

non-forwarding interface 4-6

power over Ethernet 4-4

protected switch ports 4-9

Security Plus license 4-2

server (headend) 34-1

SPAN 4-4

Spanning Tree Protocol, unsupported 4-9

VLAN interface configuration 4-5

ASDM software

allowing access 40-4

configuring ASDM and WebVPN on the same interface 40-4

installing 41-3

ASR 14-36

asymmetric routing support 14-36

attributes

LDAP E-5

policy E-2

RADIUS E-25

username 30-74

attribute-value pairs

TACACS+ E-32

attribute-value pairs (AVP) 30-31

authentication

about 13-1

ASA 5505 as Easy VPN client 34-12

CLI access 40-5

FTP 19-3

HTTP 19-2

network access 19-1

privileged EXEC mode 40-6

restrictions, WebVPN 37-5

Telnet 19-2

web clients 19-5

WebVPN users with digital certificates 37-15

authorization

about 13-2

command 40-7

downloadable access lists 19-8

network access 19-6

Auto-MDI/MDIX 5-1

auto-signon

group policy WebVPN attribute 30-66

username WebVPN attribute 30-85

Auto-Update, configuring 41-10

B

backup device, load balancing 29-6

backup server attributes, group policy 30-48

Baltimore Technologies, CA server support 39-5

banner message, group policy 30-41

bits subnet masks D-3

Black Ice firewall 30-58

BPDUs

ACL, EtherType 16-10

BPDUs, EtherType access list 16-10

bridge

entry timeout 26-4

table, See MAC address table

broadcast Ping test 14-19

bypass authentication 34-8

C

CA

certificate validation, not done in WebVPN 37-2

CRs and 39-2

public key cryptography 39-1

revoked certificates 39-2

server support 39-5

supported servers 39-5

caching 37-28

capturing packets 43-11

cascading access lists 27-15

certificate

authentication, e-mail proxy 37-27

enrollment protocol 39-7

group matching

configuring 27-9

rule and policy, creating 27-10

Certificate Revocation Lists

See CRLs

certification authority

See CA

changing between contexts 6-11

Cisco-AV-Pair LDAP attributes E-14

Cisco Integrated Firewall 30-58

Cisco IP Phones

DHCP 10-4

Cisco IP Phones, application inspection 25-74

Cisco LDAP attributes E-5

Cisco Security Agent 30-58

Cisco Trust Agent 33-5

Class A, B, and C addresses D-1

class-default class map 21-4

classes, logging

filtering messages by 42-16

message class variables 42-16

types 42-16

classes, MPF

See class map

classes, resource

See resource management

class map

inspection 21-11

Layer 3/4

management traffic 21-7

match commands 21-5

through traffic 21-5

regular expression 21-14

CLI

abbreviating commands C-3

adding comments C-6

command line editing C-3

command output paging C-5

displaying C-5

help C-4

paging C-5

syntax formatting C-3

client

VPN 3002 hardware, forcing client update 29-4

Windows, client update notification 29-4

client access rules, group policy 30-59

client firewall, group policy 30-55

clientless authentication 33-5

client mode 34-3

client update, performing 29-4

cluster

IP address, load balancing 29-6

load balancing configurations 29-8

mixed scenarios 29-8

virtual 29-6

command authorization

about 40-7

configuring 40-7

command prompts C-2

comments

access lists 16-18

configuration C-6

configuration

clearing 2-9

comments C-6

factory default

commands 2-1

restoring 2-2

saving 2-6

text file 2-9

URL for a context 6-9

viewing 2-8

configuration mode

accessing 2-5

prompt C-2

connection blocking 23-11

connection limits

configuring 23-6

per context 6-6

connect time, maximum, username attribute 30-76

console port logging 42-8

content transformation, WebVPN 37-28

contexts

See security contexts

conversion error, ICMP message D-16

cookies, enabling for WebVPN 37-5

CRACK protocol 27-28

crash dump 43-11

crypto map

access lists 27-20

applying to interfaces 27-20, 36-7

clearing configurations 27-27

creating an entry to use the dynamic crypto map 32-7

definition 27-12

dynamic 27-24

dynamic, creating 32-6

entries 27-12

examples 27-21

policy 27-13

crypto show commands 27-26

CSC SSM

about 22-5

checking status 22-13

failover 22-7

getting started 22-7

loading an image 22-14

sending traffic to 22-11

support A-9

what to scan 22-9

CSD support A-11

custom firewall 30-58

customization, WebVPN

group policy WebVPN attribute 30-63

login windows for WebVPN users 30-23

username WebVPN attribute 30-21, 30-82

cut-through proxy 19-1

D

data flow

routed firewall 15-3

transparent firewall 15-13

DDNS 10-6

debugging IPSec 28-7

debug messages 43-11

default

class 6-3

DefaultL2Lgroup 30-1

DefaultRAgroup 30-1

domain name, group policy 30-43

group policy 30-1, 30-31

LAN-to-LAN tunnel group 30-13

remote access tunnel group, configuring 30-5

routes, defining equal cost routes 9-4

tunnel group 27-11, 30-2

default configuration

commands 2-1

restoring 2-2

default policy 21-3

default routes

about 9-4

configuring 9-4

deny flows, logging 16-22

deny in a crypto map 27-15

deny-message

group policy WebVPN attribute 30-64

username WebVPN attribute 30-83

DES, IKE policy keywords (table) 27-3

device ID, including in messages 42-19

device pass-through, ASA 5505 as Easy VPN client 34-8

DfltGrpPolicy 30-32

DHCP

addressing, configuring 31-3

Cisco IP Phones 10-4

options 10-3

relay 10-5

server 10-1, 10-2

transparent firewall 16-6

DHCP Intercept, configuring 30-44

Diffie-Hellman

Group 5 27-4

groups supported 27-4

DiffServ preservation 24-5

digital certificates

authenticating WebVPN users 37-15

SSL 37-5

WebVPN authentication restrictions 37-5

directory hierarchy search E-4

disabling content rewrite 37-29

disabling messages, specific message IDs 42-20

DMZ, definition 1-1

DNS

configuring for WebVPN 37-16

dynamic 10-6

inspection

about 25-14

managing 25-13

rewrite, about 25-14

rewrite, configuring 25-15

NAT effect on 17-15

server, configuring 30-35

domain attributes, group policy 30-43

domain name 8-2

dotted decimal subnet masks D-3

downloadable access lists

configuring 19-9

converting netmask expressions 19-12

DSCP preservation 24-5

dual IP stack, configuring 12-4

dual-ISP support 9-5

duplex, configuring 5-1

dynamic crypto map 27-24

creating 32-6

See also crypto map

Dynamic DNS 10-6

dynamic NAT

See NAT

E

Easy VPN

client

authentication 34-12

configuration restrictions, table 34-2

enabling and disabling 34-1

group policy attributes pushed to 34-10

mode 34-3

remote management 34-9

trustpoint 34-7

tunnels 34-9

Xauth 34-4

server (headend) 34-1

Easy VPN client

ASA 5505

device pass-through 34-8

split tunneling 34-8

TCP 34-4

tunnel group 34-7

tunneling 34-5

echo reply, ICMP message D-15

ECMP 9-3

editing command lines C-3

EIGRP 16-6

e-mail

closing the Outlook connection 37-27

configuring for WebVPN 37-26

proxies, WebVPN 37-26

proxy, certificate authentication 37-27

WebVPN, configuring 37-26

EMBLEM format, using in logs 42-20

enable command 2-5

end-user interface, WebVPN, defining 37-33

Enterprises 10-4

Entrust, CA server support 39-5

established command, security level requirements 7-2

Ethernet

Auto-MDI/MDIX 5-1

duplex 5-1

speed 5-1

EtherType

assigned numbers 16-10

See also access lists

external group policy, configuring 30-34

F

facility, syslog 42-8

factory default configuration

commands 2-1

restoring 2-2

failover

about 14-1

Active/Active, configuring 14-28

Active/Active, See Active/Active failover

Active/Standby, configuring 14-20

Active/Standby, See Active/Standby failover

configuration file

terminal messages, Active/Active 14-12

terminal messages, Active/Standby 14-8

configuring 14-20

contexts 14-7

controlling 14-50

debug messages 14-52

disabling 14-51

displaying commands 14-49

encrypting failover communication 14-40

Ethernet failover cable 14-4

examples

Active/Active LAN-based failover B-22, B-28

Active/Standby cable-based failover B-20, B-26

Active/Standby LAN-based failover B-21, B-27

failover link 14-3

forcing 14-50

health monitoring 14-17

interface health 14-18

interface monitoring 14-18

interface tests 14-18

licenses 14-3

link communications 14-3

MAC addresses

about 14-7

automatically assigning 6-11

monitoring, configuration 14-50

monitoring, health 14-17

network tests 14-18

primary unit 14-7

restoring a failed group 14-51

restoring a failed unit 14-51

secondary unit 14-7

serial cable 14-4

SNMP syslog traps 14-52

software versions 14-3

Stateful Failover, See Stateful Failover

state link 14-5

subsecond 14-40

system log messages 14-52

system requirements 14-2

testing 14-50

type selection 14-15

understanding 14-1

unit health 14-18

verifying the configuration 14-41

fast path 1-4

fiber interfaces 5-3

filter (access list)

group policy WebVPN attribute 30-66

username WebVPN attribute 30-83

filtering

about 20-1

ActiveX 20-2

FTP 20-9

Java applets 20-3

security level requirements 7-2

servers supported 20-4

show command output C-4

URLs 20-4

firewall

Black Ice 30-58

Cisco Integrated 30-58

Cisco Security Agent 30-58

custom 30-58

Network Ice 30-58

none 30-58

Sygate personal 30-58

Zone Labs 30-58

firewall mode

about 15-1

configuring 2-5

firewall policy, group policy 30-55

FO (failover) license 14-3

FO_AA license 14-3

format of messages 42-23

fragmentation policy, IPsec 27-8

fragment size 23-11

FTP inspection

about 25-27

configuring 25-27

functions, WebVPN

username WebVPN attribute 30-79

WebVPN group policy attribute 30-62

G

general attributes, tunnel group 30-2

general parameters, tunnel group 30-2

general tunnel-group connection parameters 30-2

generating RSA keys 39-6

global addresses

recommendations 17-14

specifying 17-24

global e-mail proxy attributes 37-26

global IPsec SA lifetimes, changing 27-22

group-lock, username attribute 30-77

group policy

address pools 30-54

attributes 30-35

backup server attributes 30-48

client access rules 30-59

configuring 30-34

default domain name for tunneled packets 30-43

definition 30-1, 30-31

domain attributes 30-43

Easy VPN client, attributes pushed to ASA 5505 34-10

external, configuring 30-34

firewall policy 30-55

hardware client user idle timeout 30-46

internal, configuring 30-35

IP phone bypass 30-46

IPSec over UDP attributes 30-41

LEAP Bypass 30-47

network extension mode 30-47

security attributes 30-39

split tunneling attributes 30-42

split-tunneling domains 30-44

user authentication 30-45

VPN attributes 30-36

VPN hardware client attributes 30-45

webvpn attributes 30-61

WINS and DNS servers 30-35

group policy, default 30-31

group policy, secure unit authentication 30-45

group policy WebVPN attributes

application access 30-67

auto-signon 30-66

customization 30-63

deny-message 30-64

filter 30-66

home page 30-65

html-content filter 30-64

keep-alive-ignore 30-68

port forward 30-67

port-forward-name 30-68

sso-server 30-69

svc 30-70

url-list 30-67

GTP inspection

about 25-35

configuring 25-34

H

H.225 timeouts 25-45

H.245 troubleshooting 25-46

H.323 inspection

about 25-41

configuring 25-40

limitations 25-42

troubleshooting 25-47

hairpinning 27-20

hardware client, group policy attributes 30-45

help, command line C-4

HMAC hashing method 27-3

hold-period 33-8

homepage

group policy WebVPN attribute 30-65

username WebVPN attribute 30-82

hostname

configuring 8-2

in banners 8-2

multiple context mode 8-2

hosts, subnet masks for D-3

hosts file

errors 37-18

reconfiguring 37-20

WebVPN 37-19

HSRP 15-9

html-content-filter

group policy WebVPN attribute 30-64

username WebVPN attribute 30-81

HTTP(S)

authentication 40-5

filtering 20-4

HTTP/HTTPS Web VPN proxy, setting 37-5

HTTP compression, WebVPN, enabling 30-69, 30-86

HTTP inspection

about 25-47

configuring 25-47

HTTP redirection for login, Easy VPN client on the ASA 5505 34-12

HTTPS for WebVPN sessions 37-3

hub-and-spoke VPN scenario 27-20

I

ICMP

testing connectivity 43-1

type numbers D-15

idle timeout

hardware client user, group policy 30-46

username attribute 30-75

ID method for ISAKMP peers, determining 27-6

IKE

benefits 27-2

creating policies 27-4

keepalive setting, tunnel group 30-3

pre-shared key, Easy VPN client on the ASA 5505 34-7

See also ISAKMP

ILS inspection 25-56

IM 25-69

inbound access lists 18-1

Individual user authentication 34-12

information reply, ICMP message D-15

information request, ICMP message D-15

inheritance

tunnel group 30-1

username attribute 30-74

inside, definition 1-1

inspection_default class-map 21-4

inspection engines

See application inspection

Instant Messaging inspection 25-69

intercept DHCP, configuring 30-44

interfaces

ASA 5505

about 4-1

enabled status 4-9

IP address 4-7

MAC addresses 4-4

maximum VLANs 4-2

non-forwarding 4-6

protected switch ports 4-9

switch port configuration 4-9

trunk ports 4-11

VLAN interface configuration 4-5

configuring for remote access 32-2

configuring IPv6 on 12-3

duplex 5-1

enabled status 5-1

enabling 5-2

failover monitoring 14-18

fiber 5-3

global addresses 17-24

IDs 5-2

IP address 7-4

MAC addresses

automatically assigning 6-11

manually assigning to interfaces 7-4

mapped name 6-8

naming, physical and subinterface 7-3

naming, VLAN 4-6

SFP 5-3

speed 5-1

subinterfaces 5-3

viewing monitored interface status 14-49

internal group policy, configuring 30-35

Internet Security Association and Key Management Protocol

See ISAKMP

intrusion prevention configuration 22-2

IP addresses

ASA 5505 4-7

classes D-1

configuring an assignment method for remote access clients 31-1

configuring for VPNs 31-1

configuring local IP address pools 31-2

interface 7-4

management, transparent firewall 8-5

private D-2

subnet mask D-4

IP phone 34-8

IP phone bypass, group policy 30-46

IPS configuration 22-2

IPSec

anti-replay window 24-12

enabling debug 28-7

modes 28-2

over UDP, group policy, configuring attributes 30-41

remote-access tunnel group 30-6

setting maximum active VPN sessions 29-3

IPsec

access list 27-20

basic configuration with static crypto maps 27-22

Cisco VPN Client 27-2

configuring 27-1, 27-11

crypto map entries 27-12

fragmentation policy 27-8

over NAT-T, enabling 27-7

over TCP, enabling 27-8

SA lifetimes, changing 27-22

tunnel 27-11

viewing configuration 27-26

IPSec parameters, tunnel group 30-3

ipsec-ra, creating an IPSec remote-access tunnel 30-6

IP spoofing, preventing 23-10

IPv6

access lists 12-6

commands 12-1

configuring alongside IPv4 12-4

default route 12-5

dual IP stack 12-4

duplicate address detection 12-4

enabling 12-3

neighbor discovery 12-7

router advertisement messages 12-9

static neighbor 12-11

static routes 12-5

verifying 12-11

IPv6 addresses

anycast D-9

command support for 12-1

format D-5

multicast D-8

prefixes D-10

required D-10

types of D-6

unicast D-6

ISAKMP

about 27-2

configuring 27-1, 27-2

determining an ID method for peers 27-6

disabling in aggressive mode 27-6

enabling on the outside interface 27-6, 32-3

keepalive setting, tunnel group 30-3

policies, configuring 27-5

See also IKE

J

Java applets, filtering 20-2

Java object signing 37-29

java-trustpoint 37-29

K

keep-alive-ignore

group policy WebVPN attribute 30-68

username WebVPN attribute 30-85

Kerberos

configuring 13-12

support 13-5

L

L2TP description 28-1

LAN-to-LAN tunnel group, configuring 30-13

latency

about 24-1

configuring 24-2, 24-3

reducing 24-8

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

Layer 2 Tunneling Protocol 28-1

Layer 3/4

matching multiple policy maps 21-18

LDAP

AAA support 13-6

application inspection 25-56

attribute mapping 13-8

Cisco attributes E-5

Cisco-AV-pair E-14

configuring 13-12

configuring a AAA server E-2 to E-18

directory about E-3

directory search E-4

example configuration procedures E-19 to E-22

hierarchy example E-3

permissions policy E-2

SASL 13-6

schema example E-15

schema loading E-18

schema planning E-3 to E-5

server configuration about E-3

server type 13-7

user authentication 13-6

user authorization 13-7

user permissions E-18

LEAP Bypass, group policy 30-47

licenses

FO 14-3

FO_AA 14-3

managing 41-1

per model A-1

UR 14-3

link up/down test 14-18

LLQ

See low-latency queue

load balancing

cluster configurations 29-8

concepts 29-6

eligible clients 29-7

eligible platforms 29-7

implementing 29-6

mixed cluster scenarios 29-8

platforms 29-7

prerequisites 29-7

local user database

adding a user 13-11

configuring 13-10

logging in 40-6

support 13-9

lockout recovery 40-16

log buffer

save to internal Flash 42-13

send to FTP server 42-14

logging

access lists 16-20

classes

filtering messages by 42-15

types 42-16

device-id, including in system log messages 42-19

e-mail

configuring as output destination 42-9

destination address 42-10

source address 42-9

EMBLEM format 42-20

facility option 42-8

filtering

by message class 42-16

by message list 42-17

by severity level 42-5

logging queue, configuring 42-19

output destinations

ASDM 42-10

console port 42-8

email address 42-9

internal buffer 42-5

SNMP 42-4

syslog server 42-7

Telnet or SSH session 42-5

queue

changing the size of 42-19

configuring 42-19

viewing queue statistics 42-19

severity level

changing 42-21

severity level, changing 42-21

timestamp, including 42-19

login

banner, configuring 40-17

console 2-5

enable 2-5

FTP 19-3

global configuration mode 2-5

local user 40-6

password 8-1

simultaneous, username attribute 30-75

SSH 40-3

Telnet 8-1

windows, customizing for WebVPN users 30-23

low-latency queue

applying 24-2, 24-3

M

MAC addresses

ASA 5505 4-4

ASA 5505 device pass-through 34-8

automatically assigning 6-11

failover 14-7

manually assigning to interfaces 7-4

security context classification 3-3

MAC address table

about 15-13

built-in-switch 26-3

entry timeout 26-4

MAC learning, disabling 26-4

resource management 6-6

static entry 26-3

MAC learning, disabling 26-4

management IP address, transparent firewall 8-5

man-in-the-middle attack 26-2

MAPI, configuring 37-27

mapped interface name 6-8

mask

reply, ICMP message D-16

request, ICMP message D-15

match commands

inspection class map 21-9

Layer 3/4 class map 21-5

matching, certificate group 27-9

maximum active IPSec VPN sessions, setting 29-3

maximum connect time, username attribute 30-76

maximum object size to ignore, username WebVPN attribute 30-85

maximum sessions, IPSec 29-12

MD5, IKE policy keywords (table) 27-3

message list

filtering by 42-17

message-of-the-day banner 40-17

messages, logging

classes

about 42-15

list of 42-16

component descriptions 42-23

filtering by message list 42-17

format of 42-23

message list, creating 42-17

severity levels 42-23

metacharacters, regular expression 21-12

MGCP inspection

about 25-59

configuring 25-58

MIBs 42-1

Microsoft Active Directory, settings for password management 30-24

Microsoft Internet Explorer client parameters, configuring 30-49

Microsoft Windows 2000 CA, supported 39-5

mixed cluster scenarios, load balancing 29-8

mobile redirection, ICMP message D-16

mode

context 3-10

firewall 2-5

Modular Policy Framework

See MPF

monitoring

failover 14-17

OSPF 9-19

resource management 6-16

SNMP 42-1

monitoring switch traffic, ASA 5505 4-4

More prompt C-5

MPF

about 21-1

default policy 21-3

examples 21-21

feature directionality 21-17

features 21-1

flows 21-18

matching multiple policy maps 21-18

service policy, applying 21-21

See also class map

See also policy map

MPLS

LDP 16-9

router-id 16-9

TDP 16-9

MSIE client parameters, configuring 30-49

MTU size, Easy VPN client, ASA 5505 34-5

multicast traffic 15-10

multiple context mode

See security contexts

N

NAC

See Network Admission Control

naming an interface

ASA 5505 4-6

other models 7-3

NAT

about 17-1, 17-2

bypassing NAT

about 17-9

configuration 17-30

DNS 17-15

dynamic NAT

about 17-5

configuring 17-23

implementation 17-17

examples 17-33

exemption from NAT

about 17-9

configuration 17-32

identity NAT

about 17-9

configuration 17-30

NAT ID 17-17

order of statements 17-14

overlapping addresses 17-34

PAT

about 17-7

configuring 17-23

implementation 17-17

policy NAT

about 17-9

port redirection 17-35

RPC not supported with 25-81

same security level 17-13

security level requirements 7-2

static identity, configuring 17-31

static NAT

about 17-7

configuring 17-26

static PAT

about 17-8

configuring 17-27

transparent firewall 15-12

types 17-5

native VLAN support 4-11

NAT-T

enabling IPsec over NAT-T 27-7

using 27-7

Netscape CMS, CA server support 39-5

Network Activity test 14-18

Network Address Translation

See NAT

Network Admission Control

Access Control Server 33-2

ACL, default 33-3

clientless authentication 33-5

configuring 30-51

enabling and disabling 33-2

exemptions 33-4

port 33-7

retransmission retries 33-7

retransmission retry timer 33-7

revalidation timer 33-9

session reinitialization timer 33-8

uses, requirements, and limitations 33-1

network extension mode 34-3

network extension mode, group policy 30-47

Network Ice firewall 30-58

networks, overlapping 17-34

Nokia VPN Client 27-28

NTLM support 13-5

NT server

configuring 13-12

support 13-5

O

object groups

nesting 16-15

removing 16-17

open ports D-14

operating systems, posture validation exemptions 33-4

OSPF

about 9-9

area authentication 9-14

area MD5 authentication 9-14

area parameters 9-13

authentication key 9-11

cost 9-12

dead interval 9-12

default route 9-17

displaying update packet pacing 9-19

enabling 9-10

hello interval 9-12

interface parameters 9-11

link-state advertisement 9-9

logging neighbor states 9-18

MD5 authentication 9-12

monitoring 9-19

NSSA 9-14

packet pacing 9-19

processes 9-9

redistributing routes 9-10

route calculation timers 9-17

route map 9-7

route summarization 9-15

stub area 9-14

summary route cost 9-14

outbound access lists 18-1

Outlook connection, closing 37-27

Outlook Exchange proxy, configuring 37-27

Outlook Web Access (OWA) and WebVPN 37-51

output destinations 42-5

e-mail address 42-5, 42-9

SNMP management station 42-5

specifying 42-9

syslog server 42-5, 42-7

Telnet or SSH session 42-5

viewing logs 42-7

outside, definition 1-1

oversubscribing resources 6-2

P

packet

capture 43-11

classifier 3-3

packet flow

routed firewall 15-3

transparent firewall 15-13

paging screen displays C-5

parameter problem, ICMP message D-15

password

resetting on SSM hardware module 43-10

password management, Active Directory settings 30-24

passwords

changing 8-1

clientless authentication 33-6

recovery 43-7

security appliance 8-1

username, setting 30-73

WebVPN 37-44

password-storage, username attribute 30-78

PAT

Easy VPN client mode 34-3

See also NAT

static 17-27

PDA support for WebVPN 37-25

peers

alerting before disconnecting 27-9

ISAKMP, determining ID method 27-6

performance, optimizing for WebVPN 37-28

permit in a crypto map 27-15

ping

See ICMP

PKI protocol 39-7

PoE 4-4

policing

flow within a tunnel 24-11

policy, QoS 24-1

policy map

inspection 21-8

Layer 3/4

about 21-15

adding 21-19

default policy 21-18

feature directionality 21-17

flows 21-18

policy NAT

about 17-9

dynamic, configuring 17-24

static, configuring 17-26

static PAT, configuring 17-28

pools, address

DHCP 10-2

global NAT 17-24

port-forward

group policy WebVPN attribute 30-67

username WebVPN attribute 30-84

port forwarding

automatic applet download 37-18

configuring client applications 37-50

port-forward-name

group policy WebVPN attribute 30-68

username WebVPN attribute 30-85

ports

open on device D-14

redirection, NAT 17-35

TCP and UDP D-11

posture validation

exemptions 33-4

port 33-7

revalidation timer 33-9

uses, requirements, and limitations 33-1

power over Ethernet 4-4

PPPoE, configuring 35-1 to 35-5

pre-shared key, Easy VPN client on the ASA 5505 34-7

primary unit, failover 14-7

printers 34-8

private networks D-2

privileged EXEC mode, accessing 2-5

privileged mode

accessing 2-5

prompt C-2

privilege level, username, setting 30-73

prompts

command C-2

more C-5

protocol numbers and literal values D-11

proxy

See e-mail proxy

proxy bypass 37-29

proxy servers

SIP and 25-68

public key cryptography 39-1

Q

QoS

about 24-1, 24-3

DiffServ preservation 24-5

DSCP preservation 24-5

feature interaction 24-4

policies 24-1

priority queueing

IPSec anti-replay window 24-12

statistics 24-15

token bucket 24-2

traffic shaping

overview 24-4

viewing statistics 24-15

Quality of Service

See QoS

question mark

command string C-4

help C-4

queue, logging

changing the size of 42-19

viewing statistics 42-19

queue, QoS

latency, reducing 24-8

limit 24-2, 24-3

R

RADIUS

attribute policy E-2

attributes E-25

Cisco AV pair E-14

configuring a AAA server E-24

configuring a server 13-12

downloadable access lists 19-9

network access authentication 19-3

network access authorization 19-8

permissions policy E-2

support 13-3

RAS, H.323 troubleshooting 25-47

rate limiting 24-3

RealPlayer 25-67

reboot, waiting until active sessions end 27-9

redirect, ICMP message D-15

redundancy, in site-to-site VPNs, using crypto maps 27-26

Registration Authority description 39-2

regular expression 21-12

reloading

context 6-14

security appliance 43-6

remarks 16-18

remote access

configuration summary 32-1

IPSec tunnel group, configuring 30-6

restricting 30-77

tunnel group, configuring default 30-5

user, adding 32-4

VPN, configuring 32-1

remote management, ASA 5505 34-9

resetting the SSM hardware module password 43-10

resource management

about 6-2

assigning a context 6-10

class 6-4

configuring 6-1

default class 6-3

monitoring 6-16

oversubscribing 6-2

resource types 6-6

unlimited 6-2

resource usage 6-19

retransmission retries, Network Admission Control 33-7

retransmission retry timer, Network Admission Control 33-7

revalidation timer, Network Admission Control 33-9

revoked certificates 39-2

rewrite, disabling 37-29

RIP

about 9-20

enabling 9-20

routed mode

about 15-1

setting 2-5

route maps

defining 9-7

uses 9-7

router

advertisement, ICMP message D-15

solicitation, ICMP message D-15

routes

about default 9-4

about static 9-2

configuring default routes 9-4

configuring IPv6 default 12-5

configuring IPv6 static 12-5

configuring static routes 9-3

routing

OSPF 9-20

other protocols 16-6

RS-232 cable

See failover 14-4

RSA

KEON, CA server support 39-5

keys, generating 39-6, 40-2

signatures, IKE authentication method 39-2

RTSP inspection

about 25-67

configuring 25-66

running configuration

copying 41-8

saving 2-6

S

same security level communication

enabling 7-6

NAT 17-13

SAs, lifetimes 27-22

SCCP (Skinny) inspection

about 25-74

configuration 25-74

configuring 25-74

SDI

configuring 13-12

support 13-4

secondary device, virtual cluster 29-6

secondary unit, failover 14-7

secure unit authentication 34-12

secure unit authentication, group policy 30-45

security, WebVPN 37-2, 37-6

Security Agent, Cisco 30-58

security appliance

CLI C-1

connecting to 2-4

managing licenses 41-1

managing the configuration 2-6

reloading 43-6

upgrading software 41-3

viewing files in Flash memory 41-2

security association

clearing 27-27

See also SAs

security attributes, group policy 30-39

security contexts

about 3-1

adding 6-7

admin context

about 3-2

changing 6-13

assigning to a resource class 6-10

cascading 3-8

changing between 6-11

classifier 3-3

configuration

URL, changing 6-13

URL, setting 6-9

logging in 3-9

MAC addresses

automatically assigning 6-11

classifying using 3-3

managing 6-1, 6-12

mapped interface name 6-8

monitoring 6-15

multiple mode, enabling 3-10

nesting or cascading 3-9

prompt C-2

reloading 6-14

removing 6-12

resource management 6-2

resource usage 6-19

saving all configurations 2-7

unsupported features 3-2

VLAN allocation 6-7

security level

about 7-1

interface 7-3

interface, ASA 5505 4-6

serial cable

See failover

server group 33-2

service policy

applying 21-21

default 21-21

global 21-21

interface 21-21

session management path 1-4

session reinitialization timer, Network Admission Control 33-8

severity levels, of system log messages

changing 42-5

filtering by 42-5

list of 42-23

severity levels, of system messages

definition 42-23

SHA, IKE policy keywords (table) 27-3

show command, filtering output C-4

simultaneous logins, username attribute 30-75

single mode

backing up configuration 3-10

configuration 3-10

enabling 3-10

restoring 3-11

single sign-on

See SSO

single-signon

group policy WebVPN attribute 30-69

username WebVPN attribute 30-87

SIP inspection

about 25-68

configuring 25-68

instant messaging 25-69

timeouts 25-73

troubleshooting 25-73

site-to-site VPNs, redundancy 27-26

SMTP inspection 25-78

SNMP

about 42-1

management station 42-5

MIBs 42-1

traps 42-2

source quench, ICMP message D-15

SPAN 4-4

Spanning Tree Protocol, unsupported 4-9

speed, configuring 5-1

split tunneling

ASA 5505 as Easy VPN client 34-8

group policy 30-42

group policy, domains 30-44

SSH

authentication 40-5

concurrent connections 40-2

login 40-1, 40-2, 40-3

password 8-1

RSA key 40-2

username 40-3

SSL

certificate 37-5

used to access the security appliance 37-3

SSL/TLS encryption protocols

configuring 37-4

WebVPN 37-4

SSL VPN Client

benefits 38-1

compression 38-6

DPD 38-5

enabling 38-3

address assignment 38-3

groups and users 38-4

permanent installation 38-4

tunnel group 38-3

group policy WebVPN attribute 30-70

installing 38-2

images 38-2

order 38-2

keepalive messages 38-6

logging out sessions 38-8

username WebVPN attribute 30-87

viewing sessions 38-7

SSM

checking status 22-13

configuration

AIP SSM 22-2

CSC SSM 22-7

loading an image 22-14

See also AIP SSM

See also CSC SSM

sso-server

group policy WebVPN attribute 30-69

username WebVPN attribute 30-87

SSO with WebVPN 37-6 to 37-15

configuring HTTP Basic and NTLM authentication 37-6

configuring HTTP form protocol 37-9

configuring SiteMinder 37-7

startup configuration

copying 41-8

saving 2-6

Stateful Failover

about 14-16

state information 14-16

state link 14-5

statistics 14-44, 14-48

stateful inspection 1-4

state information 14-16

state link 14-5

static ARP entry 26-2

static bridge entry 26-3

static NAT

See NAT

static PAT

See PAT

static routes

about 9-2

configuring 9-3

tracking 9-5

statistics, QoS 24-15

stealth firewall

See transparent firewall

subcommand mode prompt C-2

subinterfaces, adding 5-3

subnet masks

/bits D-3

about D-2

address range D-4

determining D-3

dotted decimal D-3

number of hosts D-3

Sun Microsystems Java Runtime Environment and WebVPN 37-50

Sun RPC inspection

about 25-80

configuring 25-80

SVC

See SSL VPN Client

svc

group policy WebVPN attribute 30-70

username WebVPN attribute 30-87

switch MAC address table 26-3

switch ports

access ports 4-9

default configuration 4-4

protected 4-9

SPAN 4-4

trunk ports 4-11

Sygate Personal Firewall 30-58

SYN attacks, monitoring 6-20

SYN cookies 6-20

syntax formatting C-3

syslog server

as output destination 42-7

designating 42-7

designating more than one 42-8

EMBLEM format

configuring 42-20

enabling 42-7

system configuration 3-2

system log messages

classes 42-16

classes of 42-15

configuring in groups

by message list 42-17

by severity level 42-5

creating lists of 42-15

device ID, including 42-19

disabling logging of 42-5

filtering by message class 42-15

managing in groups

by message class 42-16

creating a message list 42-15

output destinations 42-5

email address 42-9

SNMP 42-4

syslog message server 42-5

Telnet or SSH session 42-5

severity levels

about 42-23

changing the severity level of a message 42-5

timestamp, including 42-19

T

TACACS+

command authorization, configuring 40-11

configuring a server 13-12

network access authorization 19-7

support 13-4

tail drop 24-3

TCP

ASA 5505 as Easy VPN client 34-4

connection limits per context 6-6

ports and literal values D-11

sequence number randomization

disabling in NAT configuration 17-24

disabling using Modular Policy Framework 23-8

TCP Intercept

enabling using Modular Policy Framework 23-8

enabling using NAT 17-24

monitoring 6-20

TCP normalization 23-1

Telnet

allowing management access 40-1

authentication 40-5

concurrent connections 40-1

password 8-1

testing configuration 43-1

time exceeded, ICMP message D-15

time ranges, access lists 16-18

timestamp, including in system log messages 42-19

timestamp reply, ICMP message D-15

timestamp request, ICMP message D-15

TLS1, used to access the security appliance 37-3

token bucket 24-2

toolbar, floating, WebVPN 37-35

traffic flow

routed firewall 15-3

transparent firewall 15-13

traffic shaping

overview 24-4

Transform 27-12

transform set

creating 32-4

definition 27-12

transmit queue ring limit 24-2, 24-3

transparent firewall

about 15-8

ARP inspection

about 26-1

enabling 26-2

static entry 26-2

data flow 15-13

DHCP packets, allowing 16-6

guidelines 15-10

HSRP 15-9

MAC address timeout 26-4

MAC learning, disabling 26-4

Management 0/0 IP address 7-4

management IP address 8-5

multicast traffic 15-10

NAT 15-12

packet handling 16-6

static bridge entry 26-3

unsupported features 15-11

VRRP 15-9

traps, SNMP 42-2

troubleshooting

H.323 25-46

H.323 RAS 25-47

SIP 25-73

trunk, 802.1Q 5-3

trunk ports 4-11

trustpoint 39-3

trustpoint, ASA 5505 client 34-7

tunnel

ASA 5505 as Easy VPN client 34-5

IPsec 27-11

security appliance as a tunnel endpoint 27-1

tunnel group

ASA 5505 as Easy VPN client 34-7

configuring 30-5

creating 30-6

default 27-11, 30-1, 30-2

default, remote access, configuring 30-5

default LAN-to-LAN, configuring 30-13

definition 30-1, 30-2

general parameters 30-2

inheritance 30-1

IPSec parameters 30-3

LAN-to-LAN, configuring 30-13

name and type 30-6

remote access, configuring 32-5

remote-access, configuring 30-6

tunnel-group

general attributes 30-2

webvpn attributes 30-4

tunnel-group ISAKMP/IKE keepalive settings 30-3

tunneling, about 27-1

tunnel mode 28-2

tx-ring-limit 24-2, 24-3

U

UDP

connection limits per context 6-6

connection state information 1-5

ports and literal values D-11

unreachable, ICMP message D-15

UR (unrestricted) license 14-3

url-list

group policy WebVPN attribute 30-67

username WebVPN attribute 30-84

URLs

context configuration, changing 6-13

context configuration, setting 6-9

filtering, about 20-4

filtering, configuration 20-6

user, VPN

definition 30-1

remote access, adding 32-4

user access, restricting remote 30-77

user authentication, group policy 30-45

user EXEC mode

accessing 2-5

prompt C-2

username

adding 13-10

clientless authentication 33-6

encrypted 13-11

management tunnels 34-9

password 13-11

WebVPN 37-44

Xauth for Easy VPN client 34-4

username attributes

access hours 30-74

configuring 30-72, 30-74

group-lock 30-77

inheritance 30-74

password, setting 30-73

password-storage 30-78

privilege level, setting 30-73

simultaneous logins 30-75

vpn-filter 30-76

vpn-framed-ip-address 30-76

vpn-idle timeout 30-75

vpn-session-timeout 30-76

vpn-tunnel-protocol 30-77

username configuration, viewing 30-73

username WebVPN attributes

auto-signon 30-85

customization 30-21, 30-82

deny message 30-83

filter (access list) 30-83

functions 30-79

homepage 30-82

html-content-filter 30-81

keep-alive ignore 30-85

port-forward 30-84

port-forward-name 30-85

sso-server 30-87

svc 30-87

url-list 30-84

username WebVPN mode 30-78

U-turn 27-20

V

VeriSign, configuring CAs example 39-5

viewing logs 42-7

viewing QoS statistics 24-15

viewing RMS 41-13

virtual cluster 29-6

IP address 29-6

master 29-6

virtual firewalls

See security contexts

virtual HTTP 19-3

VLANs 5-4

802.1Q trunk 5-3

allocating to a context 6-7

ASA 5505

configuring 4-5

MAC addresses 4-4

maximum 4-2

mapped interface name 6-8

subinterfaces 5-3

VoIP

proxy servers 25-68

troubleshooting 25-46

VPN

address pool, configuring 32-4

address pool, configuring (group-policy) 30-54

address range, subnets D-4

parameters, general, setting 29-1

setting maximum number of IPSec sessions 29-3

VPN attributes, group policy 30-36

VPN Client, IPsec attributes 27-2

vpn-filter username attribute 30-76

vpn-framed-ip-address username attribute 30-76

VPN hardware client, group policy attributes 30-45

vpn-idle-timeout username attribute 30-75

vpn load balancing

See load balancing 29-6

vpn-session-timeout username attribute 30-76

vpn-tunnel-protocol username attribute 30-77

VRRP 15-9

W

WCCP 10-9

web browsing with WebVPN 37-48

web caching 10-9

web clients, secure authentication 19-5

web e-mail (Outlook Web Access) 37-27

WebVPN

assigning users to group policies 37-16

authenticating with digital certificates 37-15

CA certificate validation not done 37-2

client application requirements 37-45

client requirements 37-45

for file management 37-49

for network browsing 37-49

for port forwarding 37-50

for using applications 37-50

for web browsing 37-48

start-up 37-47

configuring

DNS globally 37-16

e-mail 37-26

configuring for specific users 30-78

configuring WebVPN and ASDM on the same interface 37-3

cookies 37-5

defining the end-user interface 37-33

definition 37-1

digital certificate authentication restrictions 37-5

e-mail 37-26

e-mail proxies 37-26

enable cookies for 37-50

end user set-up 37-33

establishing a session 37-3

floating toolbar 37-35

group policy attributes, configuring 37-17

hosts file 37-19

hosts files, reconfiguring 37-20

HTTP/HTTPS proxy, setting 37-5

Java object signing 37-29

PDA support 37-25

printing and 37-47

remote system configuration and end-user requirements 37-47

security precautions 37-2, 37-6

security tips 37-45

setting HTTP/HTTPS proxy 37-4

SSL/TLS encryption protocols 37-4

supported applications 37-45

supported browsers 37-47

supported types of Internet connections 37-47

troubleshooting 37-18

unsupported features 37-2

URL 37-47

use of HTTPS 37-3

username and password required 37-47

usernames and passwords 37-44

use suggestions 37-33, 37-45

WebVPN, Application Access Panel 37-34

webvpn attributes

group policy 30-61

tunnel-group 30-4

WebVPN group policy attributes functions 30-62

WebVPN tunnel-group connection parameters 30-4

welcome message, group policy 30-41

WINS server, configuring 30-35

X

Xauth, Easy VPN client 34-4

Z

Zone Labs firewalls 30-58

Zone Labs Integrity Server 30-56