Index
Symbols
/bits subnet masks B-3
?
command string A-4
help A-4
Numerics
4GE SSM
connector types 6-12
fiber 6-12
SFP 6-12
802.1Q tagging 7-9
802.1Q trunk 6-30
A
AAA
about 35-1
accounting 38-18
addressing, configuring 68-2
authentication
CLI access 37-19
network access 38-2
privileged EXEC mode 37-19
authorization
command 37-22
downloadable access lists 38-14
network access 38-11
local database support 35-8
performance 38-1
server 77-4
adding 35-11
types 35-1
support summary 35-3
web clients 38-6
abbreviating commands A-3
ABR
definition of 24-2
Access Control Server 70-4, 70-13
Access Group pane
description 26-7
access hours, username attribute 67-81
accessing the security appliance using SSL 74-6
accessing the security appliance using TLS1 74-6
access list filter, username attribute 67-82
access lists
about 14-1
ACE logging, configuring 20-1
deny flows, managing 20-5
downloadable 38-14
exemptions from posture validation 70-11
global access rules 34-2
group policy WebVPN filter 67-74
implicit deny 14-3, 34-3
inbound 34-3
IP address guidelines 14-3
IPsec 64-27
IPv6
about 19-1
configuring 19-4
default settings 19-3
logging 20-1
NAT guidelines 14-3
Network Admission Control, default 70-10
object groups 13-2
outbound 34-3
phone proxy 48-7
remarks 15-5
scheduling activation 13-16
types 14-1
username for Clientless SSL VPN 67-88
access ports 7-7
ACEs
See access lists
activation key
entering 3-33
location 3-32
obtaining 3-33
Active/Active failover
about 63-1
actions 63-5
command replication 63-3
configuration synchronization 63-3
configuring
asymmetric routing support 63-18
failover criteria 63-16
failover group preemption 63-12
HTTP replication 63-14
interface monitoring 63-14
virtual MAC addresses 63-16
device initialization 63-3
duplicate MAC addresses, avoiding 63-2, 63-17
optional settings
about 63-6
configuring 63-12
primary status 63-2
secondary status 63-2
triggers 63-4
Active/Standby failover
about 62-1
actions 62-4
command replication 62-3
configuration synchronization 62-2
device initialization 62-2
primary unit 62-2
secondary unit 62-2
triggers 62-4
Active Directory, settings for password management 67-28
Active Directory procedures C-16 to ??
ActiveX filtering 39-2
Adaptive Security Algorithm 1-25
Add/Edit Access Group dialog box
description 26-7
Add/Edit IGMP Join Group dialog box
description 26-6
Add/Edit OSPF Neighbor Entry dialog box 24-12
admin context
about 5-2
changing 5-24
administrative access
using ICMP for 37-11
administrative distance 22-3, 22-5
Advanced Encryption Standard (AES) 64-9, 64-10
AIP
See IPS module
AIP SSC
loading an image 58-21, 58-23, 60-14
AIP SSM
about 58-1
loading an image 58-21, 58-23, 60-14
port-forwarding
enabling 8-6, 9-8
alternate address, ICMP message B-15
analyzing syslog messages 77-2
Application Access Panel, WebVPN 74-88
application access using Clientless SSL VPN
group policy attribute for Clientless SSL VPN 67-75
username attribute for Clientless SSL VPN 67-89
application access using WebVPN
and hosts file errors 74-72
quitting properly 74-73
application inspection
about 42-1
applying 42-6
configuring 42-6
inspection class map 33-6
inspection policy map 33-2
security level requirements 8-2, 9-2
special actions 33-1
Application Profile Customization Framework 74-84
area border router 24-2
ARP
NAT 29-22
ARP inspection
about 4-10
enabling 4-12
static entry 4-11
ARP spoofing 4-10
ARP test, failover 61-15
ASA (Adaptive Security Algorithm) 1-25
ASA 5505
Base license 7-2
client
authentication 71-12
configuration restrictions, table 71-2
device pass-through 71-8
group policy attributes pushed to 71-10
mode 71-3
remote management 71-9
split tunneling 71-8
TCP 71-4
trustpoint 71-7
tunnel group 71-7
tunneling 71-5
Xauth 71-4
MAC addresses 7-4
maximum VLANs 7-2
native VLAN support 7-10
non-forwarding interface 7-7
power over Ethernet 7-4
protected switch ports 7-8, 7-10
Security Plus license 7-2
server (headend) 71-1
SPAN 7-4
Spanning Tree Protocol, unsupported 7-8
ASA 5550 throughput 8-6, 9-9
ASA CX module
about 59-1
ASA feature compatibility 59-4
authentication proxy
about 59-3
port 59-10
troubleshooting 59-20
basic settings 59-7
cabling 59-6
configuration 59-6
debugging 59-19
failover 59-5
licensing 59-4
management access 59-2
management defaults 59-5
management IP address 59-7
monitoring 59-12
password reset 59-17
PRSM 59-3
reload 59-18
security policy 59-9
sending traffic to 59-11
shutdown 59-19
traffic flow 59-2
VPN 59-4
ASBR
definition of 24-2
ASDM software
allowing access 37-6
installing 81-2
ASR 63-18
asymmetric routing
TCP state bypass 53-4
asymmetric routing support 63-18
attacks
DNS HINFO request 57-7
DNS request for all records 57-7
DNS zone transfer 57-7
DNS zone transfer from high port 57-7
fragmented ICMP traffic 57-6
IP fragment 57-4
IP impossible packet 57-4
large ICMP traffic 57-6
ping of death 57-6
proxied RPC request 57-7
statd buffer overflow 57-8
TCP FIN only flags 57-7
TCP NULL flags 57-6
TCP SYN+FIN flags 57-6
UDP bomb 57-7
UDP chargen DoS 57-7
UDP snork 57-7
attributes
RADIUS C-27
username 67-80
attribute-value pairs
TACACS+ C-38
attribute-value pairs (AVP) 67-36
authentication
about 35-2
ASA 5505 as Easy VPN client 71-12
CLI access 37-19
FTP 38-3
HTTP 38-3
network access 38-2
privileged EXEC mode 37-19
Telnet 38-3
web clients 38-6
WebVPN users with digital certificates 74-28, 74-29
authorization
about 35-2
command 37-22
downloadable access lists 38-14
network access 38-11
Auto-MDI/MDIX 6-2, 7-4
auto-signon
group policy attribute for Clientless SSL VPN 67-73
username attribute for Clientless SSL VPN 67-91
Auto-Update, configuring 81-16
B
backup server attributes, group policy 67-56
Baltimore Technologies, CA server support 41-4
banner message, group policy 67-48
basic threat detection
See threat detection
before configuring KCD 74-44
bits subnet masks B-3
Black Ice firewall 67-67
Botnet Traffic Filter
actions 55-2
address categories 55-2
blacklist
adding entries 55-9
description 55-2
blocking traffic manually 55-15
classifying traffic 55-12
configuring 55-6
databases 55-2
default settings 55-6
DNS Reverse Lookup Cache
information about 55-4
maximum entries 55-4
using with dynamic database 55-10
DNS snooping 55-10
dropping traffic 55-13
graylist 55-13
dynamic database
enabling use of 55-7
files 55-3
information about 55-2
searching 55-16
updates 55-7
examples 55-19
feature history 55-22
graylist
description 55-2
dropping traffic 55-13
guidelines and limitations 55-6
information about 55-1
licensing 55-6
monitoring 55-17
static database
adding entries 55-9
information about 55-3
syslog messages 55-17
task flow 55-7
threat level
dropping traffic 55-13
whitelist
adding entries 55-9
description 55-2
working overview 55-5
bridge
entry timeout 4-15
table, See MAC address table
broadcast Ping test 61-15
building blocks 13-1
bypass authentication 71-8
bypassing firewall checks 53-3
C
CA
certificate validation, not done in WebVPN 74-5
CRs and 41-2
public key cryptography 41-2
revoked certificates 41-2
supported servers 41-4
cached Kerberos tickets
clearing 74-48
showing 74-47
caching 74-81
capturing packets 82-14
cascading access lists 64-23
CA server
Digicert 41-4
Geotrust 41-4
Godaddy 41-4
iPlanet 41-4
Netscape 41-4
RSA Keon 41-4
Thawte 41-4
certificate
authentication, e-mail proxy 74-79
Cisco Unified Mobility 50-5
Cisco Unified Presence 51-4
enrollment protocol 41-11
group matching
configuring 64-17
rule and policy, creating 64-17
Certificate Revocation Lists
See CRLs
certificates
phone proxy 48-15
required by phone proxy 48-16
change query interval 26-8
change query response time 26-8
change query timeout value 26-8
changing between contexts 5-23
changing the severity level 77-18
Cisco-AV-Pair LDAP attributes C-13
Cisco Integrated Firewall 67-66
Cisco IOS CS CA
server support 41-4
Cisco IP Communicator 48-10
Cisco IP Phones
DHCP 11-6
Cisco IP Phones, application inspection 44-25
Cisco Security Agent 67-66
Cisco Trust Agent 70-13
Cisco UMA. See Cisco Unified Mobility.
Cisco Unified Mobility
architecture 50-2
ASA role 47-2, 47-3
certificate 50-5
functionality 50-1
NAT and PAT requirements 50-3, 50-4
trust relationship 50-5
Cisco Unified Presence
ASA role 47-2, 47-3
configuring the TLS Proxy 51-8
debugging the TLS Proxy 51-14
NAT and PAT requirements 51-2
sample configuration 51-14
trust relationship 51-4
Cisco UP. See Cisco Unified Presence.
Class A, B, and C addresses B-1
class-default class map 32-9
classes, logging
filtering messages by 77-16
message class variables 77-4
types 77-4
classes, resource
See resource management
class map
inspection 33-6
Layer 3/4
management traffic 32-14
match commands 32-12, 32-15
through traffic 32-12
regular expression 13-15
clearing cached Kerberos tickets 74-48
CLI
abbreviating commands A-3
adding comments A-5
command line editing A-3
command output paging A-5
displaying A-5
help A-4
paging A-5
syntax formatting A-3
client
VPN 3002 hardware, forcing client update 66-4
Windows, client update notification 66-4
client access rules, group policy 67-68
client firewall, group policy 67-63
clientless authentication 70-13
Clientless SSL VPN
configuring for specific users 67-85
client mode 71-3
client update, performing 66-4
cluster
IP address, load balancing 66-6
load balancing configurations 66-9
mixed scenarios 66-10
virtual 66-6
command authorization
about 37-14
configuring 37-22
multiple contexts 37-16
command prompts A-2
comments
configuration A-5
configuration
clearing 2-18
comments A-5
factory default
commands 2-10
restoring 2-11
saving 2-16
text file 2-19
URL for a context 5-21
viewing 2-18
configuration examples
CSC SSM 60-16
logging 77-20
configuration examples for SNMP 79-28
configuration mode
accessing 2-2
prompt A-2
connection blocking 57-2
connection limits
configuring 53-1
per context 5-17
connect time, maximum, username attribute 67-82
console port logging 77-11
content transformation, WebVPN 74-82
context mode 27-2
context modes 22-2, 23-3, 24-3, 25-3, 26-3, 60-6
contexts
See security contexts
conversion error, ICMP message B-15
cookies, enabling for WebVPN 74-10
copying files using copy smb
command 81-8
Coredump 82-14
CRACK protocol 64-35
crash dump 82-14
creating a custom event list 77-13
crypto map
access lists 64-27
applying to interfaces 64-26, 73-10
clearing configurations 64-35
creating an entry to use the dynamic crypto map 69-13
definition 64-20
dynamic 64-32
dynamic, creating 69-12
entries 64-20
examples 64-28
policy 64-21
crypto show commands table 64-34
CSC SSM
about 60-1
loading an image 58-21, 58-23, 60-14
sending traffic to 60-10
what to scan 60-3
CSC SSM feature history 60-18
custom firewall 67-67
customization, Clientless SSL VPN
group policy attribute 67-71
login windows for users 67-27
username attribute 67-87
username attribute for Clientless SSL VPN 67-24
custom messages list
logging output destination 77-4
cut-through proxy
AAA performance 38-1
CX module
about 59-1
ASA feature compatibility 59-4
authentication proxy
about 59-3
port 59-10
troubleshooting 59-20
basic settings 59-7
cabling 59-6
configuration 59-6
debugging 59-19
failover 59-5
licensing 59-4
management access 59-2
management defaults 59-5
management IP address 59-7
monitoring 59-12
password reset 59-17
PRSM 59-3
reload 59-18
security policy 59-9
sending traffic to 59-11
shutdown 59-19
traffic flow 59-2
VPN 59-4
D
data flow
routed firewall 4-17
transparent firewall 4-23
date and time in messages 77-18
DDNS 12-2
debug messages 82-13
default
class 5-9
DefaultL2Lgroup 67-1
DefaultRAgroup 67-1
domain name, group policy 67-51
group policy 67-1, 67-8, 67-36
LAN-to-LAN tunnel group 67-17
remote access tunnel group, configuring 67-7
routes, defining equal cost routes 22-4
tunnel group 64-19, 67-2
default configuration
commands 2-10
restoring 2-11
default policy 32-7
default routes
about 22-4
configuring 22-4
delay sending flow-create events
flow-create events
delay sending 78-9
deleting files from Flash 81-2
deny flows, logging 20-5
deny in a crypto map 64-23
deny-message
group policy attribute for Clientless SSL VPN 67-71
username attribute for Clientless SSL VPN 67-87
DES, IKE policy keywords (table) 64-9, 64-10
device ID, including in messages 77-17
device ID in messages 77-17
device pass-through, ASA 5505 as Easy VPN client 71-8
DfltGrpPolicy 67-37
DHCP
addressing, configuring 68-3
Cisco IP Phones 11-6
options 11-4
relay 11-7
server 11-3
transparent firewall 34-5
DHCP Intercept, configuring 67-52
DHCP Relay panel 12-6
DHCP services 10-6
Diffie-Hellman
Group 5 64-10, 64-11
groups supported 64-10, 64-11
DiffServ preservation 54-5
digital certificates
authenticating WebVPN users 74-28, 74-29
SSL 74-11
directory hierarchy search C-3
disabling content rewrite 74-83
disabling messages 77-18
disabling messages, specific message IDs 77-18
DMZ, definition 1-22
DNS
dynamic 12-2
inspection
about 43-2
managing 43-1
rewrite, about 43-2
rewrite, configuring 43-3
NAT effect on 29-24
server, configuring 10-11, 67-40
DNS HINFO request attack 57-7
DNS request for all records attack 57-7
DNS zone transfer attack 57-7
DNS zone transfer from high port attack 57-7
domain attributes, group policy 67-51
domain name 10-3
dotted decimal subnet masks B-3
downloadable access lists
configuring 38-14
converting netmask expressions 38-18
DSCP preservation 54-5
dual IP stack, configuring 8-2
dual-ISP support 22-6
duplex, configuring 6-11, 7-5
dynamic crypto map 64-32
creating 69-12
See also crypto map
Dynamic DNS 12-2
dynamic NAT
about 29-8
network object NAT 30-4
twice NAT 31-4
dynamic PAT
network object NAT 30-6
See also NAT
twice NAT 31-8
E
Easy VPN
client
authentication 71-12
configuration restrictions, table 71-2
enabling and disabling 71-1
group policy attributes pushed to 71-10
mode 71-3
remote management 71-9
trustpoint 71-7
tunnels 71-9
Xauth 71-4
server (headend) 71-1
Easy VPN client
ASA 5505
device pass-through 71-8
split tunneling 71-8
TCP 71-4
tunnel group 71-7
tunneling 71-5
echo reply, ICMP message B-15
ECMP 22-3
editing command lines A-3
egress VLAN for VPN sessions 67-44
EIGRP 34-5
DUAL algorithm 27-2
hello interval 27-13
hello packets 27-1
hold time 27-2, 27-13
neighbor discovery 27-1
stub routing 27-3
stuck-in-active 27-2
e-mail
configuring for WebVPN 74-79
proxies, WebVPN 74-79
proxy, certificate authentication 74-79
WebVPN, configuring 74-79
enable command 2-1
enabling logging 77-6
enabling secure logging 77-16
end-user interface, WebVPN, defining 74-88
Enterprises 11-6
Entrust, CA server support 41-4
established command, security level requirements 8-2, 9-2
EtherChannel
adding interfaces 6-27
channel group 6-27
compatibility 6-5
converting existing interfaces 6-13
example 6-34
failover 6-10
guidelines 6-10
interface requirements 6-5
LACP 6-6
load balancing
configuring 6-29
overview 6-7
MAC address 6-7
management interface 6-27
maximum interfaces 6-29
minimum interfaces 6-29
mode
active 6-6
on 6-7
passive 6-6
monitoring 6-33
overview 6-5
port priority 6-27
system priority 6-29
Ethernet
Auto-MDI/MDIX 6-2, 7-4
duplex 6-11, 7-5
jumbo frames, ASA 5580 6-32
MTU 8-11, 9-14
speed 6-11, 7-5
EtherType access list
compatibility with extended access lists 34-2
implicit deny 34-3
evaluation license 3-21
exporting NetFlow records 78-5
extended ACLs
configuring
for management traffic 15-2
external group policy, configuring 67-39
F
facility, syslog 77-8
factory default configuration
commands 2-10
restoring 2-11
failover
about 61-1
Active/Active, See Active/Active failover
Active/Standby, See Active/Standby failover
configuration file
terminal messages, Active/Active 63-3
terminal messages, Active/Standby 62-2
contexts 62-2
debug messages 61-16
disabling 62-18, 63-24
Ethernet failover cable 61-3
failover link 61-3
forcing 62-17, 63-23
guidelines 60-6, 79-17
health monitoring 61-14
interface health 61-15
interface monitoring 61-15
interface tests 61-15
link communications 61-3
MAC addresses
about 62-2
automatically assigning 5-12
monitoring, health 61-14
network tests 61-15
primary unit 62-2
redundant interfaces 6-10
restoring a failed group 62-18, 63-24
restoring a failed unit 62-18, 63-24
secondary unit 62-2
SNMP syslog traps 61-17
Stateful Failover, See Stateful Failover
state link 61-4
system log messages 61-16
system requirements 61-2
testing 62-18, 63-24
Trusted Flow Acceleration 65-7
type selection 61-8
unit health 61-14
fast path 1-26
fiber interfaces 6-12
Fibre Channel interfaces
default settings 16-2, 17-2, 18-2, 34-7
filter (access list)
group policy attribute for Clientless SSL VPN 67-74
username attribute for Clientless SSL VPN 67-88
filtering
ActiveX 39-2
FTP 39-14
Java applet 39-4
Java applets 39-4
security level requirements 8-2, 9-2
servers supported 39-6
show command output A-4
URLs 39-1, 39-7
filtering messages 77-4
firewall
Black Ice 67-67
Cisco Integrated 67-66
Cisco Security Agent 67-66
custom 67-67
Network Ice 67-67
none 67-66
Sygate personal 67-67
Zone Labs 67-67
firewall mode
about 4-1
configuring 4-1
firewall policy, group policy 67-63
Flash memory
removing files 81-2
flash memory available for logs 77-15
flow control for 10 Gigabit Ethernet 6-22
flow-export actions 78-4
format of messages 77-3
fragmentation policy, IPsec 64-15
fragmented ICMP traffic attack 57-6
fragment protection 1-23
fragment size 57-2
FTP inspection
about 43-11
configuring 43-11
G
general attributes, tunnel group 67-3
general parameters, tunnel group 67-3
general tunnel-group connection parameters 67-3
generating RSA keys 41-9
global e-mail proxy attributes 74-79
global IPsec SA lifetimes, changing 64-29
group-lock, username attribute 67-84
group policy
address pools 67-62
attributes 67-40
backup server attributes 67-56
client access rules 67-68
configuring 67-39
default domain name for tunneled packets 67-51
definition 67-1, 67-36
domain attributes 67-51
Easy VPN client, attributes pushed to ASA 5505 71-10
external, configuring 67-39
firewall policy 67-63
hardware client user idle timeout 67-54
internal, configuring 67-40
IP phone bypass 67-54
IPSec over UDP attributes 67-49
LEAP Bypass 67-55
network extension mode 67-55
security attributes 67-46
split tunneling attributes 67-49
split-tunneling domains 67-52
user authentication 67-53
VPN attributes 67-42
VPN hardware client attributes 67-53
webvpn attributes 67-70
WINS and DNS servers 67-40
group policy, default 67-36
group policy, secure unit authentication 67-53
group policy attributes for Clientless SSL VPN
application access 67-75
auto-signon 67-73
customization 67-71
deny-message 67-71
filter 67-74
home page 67-73
html-content filter 67-72
keep-alive-ignore 67-76
port forward 67-75
port-forward-name 67-76
sso-server 67-77
url-list 67-74
groups
SNMP 79-16
GTP inspection
about 46-3
configuring 46-3
H
H.225 timeouts 44-9
H.245 troubleshooting 44-10
H.323
transparent firewall guidelines 4-4
H.323 inspection
about 44-4
configuring 44-3
limitations 44-5
troubleshooting 44-10
hairpinning 64-26
hardware client, group policy attributes 67-53
help, command line A-4
high availability
about 61-1
HMAC hashing method 64-2, 73-3
hold-period 70-17
homepage
group policy attribute for Clientless SSL VPN 67-73
username attribute for Clientless SSL VPN 67-86
host
SNMP 79-16
hostname
configuring 10-2
in banners 10-2
multiple context mode 10-2
hosts, subnet masks for B-3
hosts file
errors 74-72
reconfiguring 74-73
WebVPN 74-72
HSRP 4-4
html-content-filter
group policy attribute for Clientless SSL VPN 67-72
username attribute for Clientless SSL VPN 67-86
HTTP
filtering 39-1
HTTP(S)
authentication 37-19
filtering 39-7
HTTP/HTTPS Web VPN proxy, setting 74-11
HTTP compression, Clientless SSL VPN, enabling 67-76, 67-91
HTTP inspection
about 43-16
configuring 43-16
HTTP redirection for login, Easy VPN client on the ASA 5505 71-12
HTTPS/Telnet/SSH
allowing network or host access to ASDM 37-1
HTTPS for WebVPN sessions 74-7
hub-and-spoke VPN scenario 64-26
I
ICMP
rules for access to ASDM 37-11
testing connectivity 82-1
type numbers B-15
identity NAT
about 29-11
network object NAT 30-12
twice NAT 31-20
idle timeout
hardware client user, group policy 67-54
username attribute 67-82
ID method for ISAKMP peers, determining 64-13
IKE
benefits 64-2, 73-3
creating policies 64-11
keepalive setting, tunnel group 67-4
pre-shared key, Easy VPN client on the ASA 5505 71-7
See also ISAKMP
IKEv1 64-19
ILS inspection 45-1
IM 44-19
implementing SNMP 79-16
inbound access lists 34-3
Individual user authentication 71-12
information reply, ICMP message B-15
information request, ICMP message B-15
inheritance
tunnel group 67-1
username attribute 67-81
inside, definition 1-22
inspection_default class-map 32-9
inspection engines
See application inspection
Instant Messaging inspection 44-19
intercept DHCP, configuring 67-52
interface
MTU 8-11, 9-14
interfaces
ASA 5505
enabled status 7-7
MAC addresses 7-4
maximum VLANs 7-2
non-forwarding 7-7
protected switch ports 7-8, 7-10
switch port configuration 7-7
trunk ports 7-9
ASA 5550 throughput 8-6, 9-9
configuring for remote access 69-7
default settings 16-2, 17-2, 18-2, 34-7, 60-6
duplex 6-11, 7-5
enabling 6-24
failover monitoring 61-15
fiber 6-12
IDs 6-23
IP address 8-7, 9-12
MAC addresses
automatically assigning 5-22
manually assigning to interfaces 8-11, 9-14
mapped name 5-20
naming, physical and subinterface 8-7, 9-10, 9-11
redundant 6-25
SFP 6-12
speed 6-11, 7-5
subinterfaces 6-30
internal group policy, configuring 67-40
Internet Security Association and Key Management Protocol
See ISAKMP
IP addresses
classes B-1
configuring an assignment method for remote access clients 68-1
configuring for VPNs 68-1
configuring local IP address pools 68-2
interface 8-7, 9-12
management, transparent firewall 9-7
private B-2
subnet mask B-4
IP fragment attack 57-4
IP impossible packet attack 57-4
IP overlapping fragments attack 57-5
IP phone 71-8
phone proxy provisioning 48-12
IP phone bypass, group policy 67-54
IP phones
addressing requirements for phone proxy 48-9
supported for phone proxy 48-3
IPSec
anti-replay window 54-12
modes 65-2
over UDP, group policy, configuring attributes 67-49
remote-access tunnel group 67-8
setting maximum active VPN sessions 66-3
IPsec
access list 64-27
basic configuration with static crypto maps 64-29
Cisco VPN Client 64-2
configuring 64-1, 64-19
crypto map entries 64-20
fragmentation policy 64-15
over NAT-T, enabling 64-14
over TCP, enabling 64-15
SA lifetimes, changing 64-29
tunnel 64-19
view configuration commands table 64-34
IPSec parameters, tunnel group 67-4
ipsec-ra, creating an IPSec remote-access tunnel 67-8
IPS module
about 58-1
configuration 58-7
operating modes 58-2
sending traffic to 58-17
traffic flow 58-2
virtual sensors 58-15
IP spoofing, preventing 57-1
IP teardrop attack 57-5
IPv6
commands 21-10
configuring alongside IPv4 8-2
default route 22-5
dual IP stack 8-2
duplicate address detection 8-12, 9-15
neighbor discovery 28-1
router advertisement messages 28-3
static neighbors 28-4
static routes 22-5
IPv6 addresses
anycast B-9
command support for 21-10
format B-5
multicast B-8
prefixes B-10
required B-10
types of B-6
unicast B-6
IPv6 prefixes 28-11
ISAKMP
about 64-2
configuring 64-1
determining an ID method for peers 64-13
disabling in aggressive mode 64-13
enabling on the outside interface 69-8
keepalive setting, tunnel group 67-4
See also IKE
J
Java applet filtering 39-4
Java applets, filtering 39-2
Java object signing 74-82
Join Group pane
description 26-6
jumbo frames, ASA 5580 6-32
K
KCD 74-41, 74-42
before configuring 74-44
KCD status
showing 74-46
keep-alive-ignore
group policy attribute for Clientless SSL VPN 67-76
username attribute for Clientless SSL VPN 67-90
Kerberos
configuring 35-11
support 35-6
Kerberos tickets
clearing 74-48
showing 74-47
L
L2TP description 65-1
LACP 6-6
LAN-to-LAN tunnel group, configuring 67-17
large ICMP traffic attack 57-6
latency
about 54-1
configuring 54-2, 54-3
reducing 54-8
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
Layer 2 Tunneling Protocol 65-1
Layer 3/4
matching multiple policy maps 32-6
LCS Federation Scenario 51-2
LDAP
application inspection 45-1
attribute mapping 35-18
Cisco-AV-pair C-13
configuring 35-11
configuring a AAA server C-2 to ??
directory search C-3
example configuration procedures C-16 to ??
hierarchy example C-3
SASL 35-6
user authentication 35-6
user authorization 35-16
LEAP Bypass, group policy 67-55
licenses
activation key
entering 3-33
location 3-32
obtaining 3-33
ASA 5505 3-2
ASA 5510 3-3, 3-8
ASA 5520 3-4
ASA 5540 3-5
ASA 5550 3-6
ASA 5580 3-7
ASA 5585-X 3-12, 3-13, 3-14
Cisco Unified Communications Proxy features 47-4, 49-5, 50-6, 51-7, 52-8
default 3-21
evaluation 3-21
failover 3-31
guidelines 3-31
managing 3-1
preinstalled 3-21
Product Authorization Key 3-33
shared
backup server, configuring 3-37
backup server, information 3-25
client, configuring 3-37
communication issues 3-25
failover 3-25
maximum clients 3-27
monitoring 3-44
overview 3-23
server, configuring 3-35
SSL messages 3-25
temporary 3-21
viewing current 3-38
VPN Flex 3-21
licensing requirements
CSC SSM 60-5
logging 77-5
licensing requirements for SNMP 79-17
link up/down test 61-15
LLQ
See low-latency queue
load balancing
cluster configurations 66-9
concepts 66-6
eligible clients 66-8
eligible platforms 66-8
implementing 66-7
mixed cluster scenarios 66-10
platforms 66-8
prerequisites 66-8
local user database
adding a user 35-20
configuring 35-20
logging in 37-20
support 35-8
lockout recovery 37-31
logging
access lists 20-1
classes
filtering messages by 77-4
types 77-4, 77-16
device-id, including in system log messages 77-17
e-mail
source address 77-10
EMBLEM format 77-14
facility option 77-8
filtering
by message class 77-16
by message list 77-4
by severity level 77-1
logging queue, configuring 77-15
output destinations 77-8
console port 77-8, 77-10, 77-11
internal buffer 77-1, 77-6
Telnet or SSH session 77-6
queue
changing the size of 77-15
configuring 77-15
viewing queue statistics 77-19
severity level, changing 77-19
timestamp, including 77-18
logging feature history 77-20
logging queue
configuring 77-15
login
banner, configuring 37-7
console 2-1
enable 2-1
FTP 38-3
global configuration mode 2-2
local user 37-20
password 10-1
simultaneous, username attribute 67-81
SSH 37-5
Telnet 10-1
windows, customizing for users of Clientless SSL VPN sessions 67-27
low-latency queue
applying 54-2, 54-3
M
MAC address
redundant interfaces 6-4
MAC addresses
ASA 5505 7-4
ASA 5505 device pass-through 71-8
automatically assigning 5-22
failover 62-2
manually assigning to interfaces 8-11, 9-14
security context classification 5-3
MAC address table
about 4-23
built-in-switch 4-14
entry timeout 4-15
MAC learning, disabling 4-16
resource management 5-17
static entry 4-15
MAC learning, disabling 4-16
management interfaces
default settings 16-2, 17-2, 18-2, 34-7
management IP address, transparent firewall 9-7
man-in-the-middle attack 4-10
mapped addresses
guidelines 29-21
mapped interface name 5-20
mask
reply, ICMP message B-15
request, ICMP message B-15
Master Passphrase 10-6
match commands
inspection class map 33-4
Layer 3/4 class map 32-12, 32-15
matching, certificate group 64-17
maximum active IPSec VPN sessions, setting 66-3
maximum connect time, username attribute 67-82
maximum object size to ignore, username attribute for Clientless SSL VPN 67-90
MD5, IKE policy keywords (table) 64-9, 64-10, 64-11
media termination address, criteria 48-6
message filtering 77-4
message list
filtering by 77-4
message-of-the-day banner 37-8
messages, logging
classes
about 77-4
list of 77-4
component descriptions 77-3
filtering by message list 77-4
format of 77-3
message list, creating 77-13
severity levels 77-3
message classes 77-4
messages in EMBLEM format 77-14
metacharacters, regular expression 13-13
MGCP inspection
about 44-11
configuring 44-11
mgmt0 interfaces
default settings 16-2, 17-2, 18-2, 34-7
MIBs 79-2
MIBs for SNMP 79-29
Microsoft Access Proxy 51-1
Microsoft Active Directory, settings for password management 67-28
Microsoft Internet Explorer client parameters, configuring 67-57
Microsoft KCD 74-41, 74-42
Microsoft Windows CA, supported 41-4
mixed cluster scenarios, load balancing 66-10
mixed-mode Cisco UCM cluster, configuring for phone proxy 48-17
MMP inspection 50-1
mobile redirection, ICMP message B-15
mode
context 5-15
firewall 4-1
modular policy framework
configuring flow-export actions for NetFlow 78-5
monitoring
CSC SSM 60-13
failover 61-14
OSPF 24-16
resource management 5-29
SNMP 79-1
monitoring logging 77-19
monitoring NSEL 78-10
monitoring switch traffic, ASA 5505 7-4
More prompt A-5
MPF
default policy 32-7
examples 32-18
feature directionality 32-3
features 32-2
flows 32-6
matching multiple policy maps 32-6
service policy, applying 32-17
See also class map
See also policy map
MPLS
LDP 34-6
router-id 34-6
TDP 34-6
MRoute pane
description 26-4
MSIE client parameters, configuring 67-57
MTU 8-11, 9-14
MTU size, Easy VPN client, ASA 5505 71-5
multicast traffic 4-4
multiple context mode
logging 77-2
See security contexts
N
NAC
See Network Admission Control
naming an interface
other models 8-7, 9-10, 9-11
NAT
about 29-1
bidirectional initiation 29-2
disabling proxy ARP for global addresses 21-11
DNS 29-24
dynamic
about 29-8
dynamic NAT
network object NAT 30-4
twice NAT 31-4
dynamic PAT
about 29-10
network object NAT 30-6
twice NAT 31-8
identity
about 29-11
identity NAT
network object NAT 30-12
twice NAT 31-20
implementation 29-16
interfaces 29-21
mapped address guidelines 29-21
network object
comparison with twice NAT 29-16
network object NAT
about 29-17
configuring 30-1
dynamic NAT 30-4
dynamic PAT 30-6
examples 30-15
guidelines 30-2
identity NAT 30-12
monitoring 30-14
prerequisites 30-2
static NAT 30-10
no proxy ARP 30-13, 31-19
object
extended PAT 30-6
flat range for PAT 30-6
routed mode 29-13
route lookup 30-13, 31-24
RPC not supported with 45-3
rule order 29-20
static
about 29-3
few-to-many mapping 29-7
many-to-few mapping 29-6, 29-7
one-to-many 29-6
static NAT
network object NAT 30-10
twice NAT 31-15
static with port translation
about 29-4
terminology 29-2
transparent mode 29-13
twice
extended PAT 31-8
flat range for PAT 31-8
twice NAT
about 29-17
comparison with network object NAT 29-16
configuring 31-1
dynamic NAT 31-4
dynamic PAT 31-8
examples 31-24
guidelines 31-2
identity NAT 31-20
monitoring 31-24
prerequisites 31-2
static NAT 31-15
types 29-3
VPN 29-14
VPN client rules 29-20
native VLAN support 7-10
NAT-T
enabling IPsec over NAT-T 64-14
using 64-15
neighbor reachable time 28-3
neighbor solicitation messages 28-2
neighbor advertisement messages 28-2
NetFlow
overview 78-1
NetFlow collector
configuring 78-5
NetFlow event
matching to configured collectors 78-5
NetFlow event logging
disabling 78-9
Network Activity test 61-15
Network Admission Control
ACL, default 70-10
clientless authentication 70-13
configuring 67-59
exemptions 70-11
revalidation timer 70-10
uses, requirements, and limitations 70-1
network extension mode 71-3
network extension mode, group policy 67-55
Network Ice firewall 67-67
network object NAT
about 29-17
comparison with twice NAT 29-16
configuring 30-1
dynamic NAT 30-4
dynamic PAT 30-6
examples 30-15
guidelines 30-2
identity NAT 30-12
monitoring 30-14
prerequisites 30-2
static NAT 30-10
Nokia VPN Client 64-35
non-secure Cisco UCM cluster, configuring phone proxy 48-15
No Payload Encryption 3-30
no proxy ARP 31-19
NSEL and syslog messages
redundant messages 78-2
NSEL configuration examples 78-12
NSEL feature history 78-14
NSEL licensing requirements 78-3
NSEL runtime counters
clearing 78-10
NTLM support 35-6
NT server
configuring 35-11
support 35-6
O
object groups
about 13-1
configuring 13-6
removing 13-11
object NAT
See network object NAT
open ports B-14
operating systems, posture validation exemptions 70-11
OSPF
area authentication 24-11
area MD5 authentication 24-11
area parameters 24-10
authentication key 24-9
authentication support 24-2
cost 24-9
dead interval 24-9
defining a static neighbor 24-12
interaction with NAT 24-2
interface parameters 24-8
link-state advertisement 24-2
logging neighbor states 24-13
LSAs 24-2
MD5 authentication 24-9
monitoring 24-16
NSSA 24-11
packet pacing 24-16
processes 24-2
redistributing routes 24-4
route calculation timers 24-13
route summarization 24-7
outbound access lists 34-3
output destination 77-5
output destinations 77-1, 77-6
e-mail address 77-1, 77-6
SNMP management station 77-1, 77-6
Telnet or SSH session 77-1, 77-6
outside, definition 1-22
oversubscribing resources 5-8
P
packet
capture 82-14
classifier 5-3
packet flow
routed firewall 4-17
transparent firewall 4-23
packet trace, enabling 82-7
paging screen displays A-5
parameter problem, ICMP message B-15
password
resetting on SSM hardware module 82-11
password management, Active Directory settings 67-28
passwords
changing 10-2
recovery 82-8
security appliance 10-1
username, setting 67-80
WebVPN 74-109
password-storage, username attribute 67-84
PAT
Easy VPN client mode 71-3
See dynamic PAT
pause frames for flow control 6-22
PDA support for WebVPN 74-78
peers
alerting before disconnecting 64-16
ISAKMP, determining ID method 64-13
performance, optimizing for WebVPN 74-81
permit in a crypto map 64-23
phone proxy
access lists 48-7
ASA role 47-3
certificates 48-15
Cisco IP Communicator 48-10
Cisco UCM supported versions 48-3
configuring mixed-mode Cisco UCM cluster 48-17
configuring non-secure Cisco UCM cluster 48-15
event recovery 48-41
IP phone addressing 48-9
IP phone provisioning 48-12
IP phones supported 48-3
Linksys routers, configuring 48-26
NAT and PAT requirements 48-8
ports 48-7
rate limiting 48-11
required certificates 48-16
sample configurations 48-43
SAST keys 48-41
TLS Proxy on ASA, described 47-3
troubleshooting 48-27
ping
See ICMP
ping of death attack 57-6
PKI protocol 41-11
PoE 7-4
policing
flow within a tunnel 54-11
policy, QoS 54-1
policy map
inspection 33-2
Layer 3/4
about 32-1
feature directionality 32-3
flows 32-6
pools, address
DHCP 11-3
port-forward
group policy attribute for Clientless SSL VPN 67-75
username attribute for Clientless SSL VPN 67-89
port-forwarding
enabling 8-6, 9-8
port-forward-name
group policy attribute for Clientless SSL VPN 67-76
username attribute for Clientless SSL VPN 67-90
ports
open on device B-14
phone proxy 48-7
TCP and UDP B-11
port translation
about 29-4
posture validation
exemptions 70-11
revalidation timer 70-10
uses, requirements, and limitations 70-1
power over Ethernet 7-4
PPPoE, configuring 72-1 to 72-5
prerequisites for use
CSC SSM 60-5
pre-shared key, Easy VPN client on the ASA 5505 71-7
primary unit, failover 62-2
printers 71-8
private networks B-2
privileged EXEC mode, accessing 2-1
privileged mode
accessing 2-1
prompt A-2
privilege level, username, setting 67-80
Product Authorization Key 3-33
prompts
command A-2
more A-5
protocol numbers and literal values B-11
Protocol pane (PIM)
description 26-10
proxied RPC request attack 57-7
proxy
See e-mail proxy
proxy ARP
NAT 29-22
proxy ARP, disabling 21-11
proxy bypass 74-83
proxy servers
SIP and 44-19
PRSM 59-3
public key cryptography 41-2
Q
QoS
about 54-1, 54-3
DiffServ preservation 54-5
DSCP preservation 54-5
feature interaction 54-4
policies 54-1
priority queueing
IPSec anti-replay window 54-12
statistics 54-15
token bucket 54-2
traffic shaping
overview 54-4
viewing statistics 54-15
Quality of Service
See QoS
question mark
command string A-4
help A-4
queue, logging
changing the size of 77-15
viewing statistics 77-19
queue, QoS
latency, reducing 54-8
limit 54-2, 54-3
R
RADIUS
attributes C-27
Cisco AV pair C-13
configuring a AAA server C-27
configuring a server 35-11
downloadable access lists 38-14
network access authentication 38-4
network access authorization 38-14
support 35-4
RAS, H.323 troubleshooting 44-10
rate limit 77-19
rate limiting 54-3
rate limiting, phone proxy 48-11
RealPlayer 44-15
reboot, waiting until active sessions end 64-16
redirect, ICMP message B-15
redundancy, in site-to-site VPNs, using crypto maps 64-34
redundant interface
EtherChannel
converting existing interfaces 6-13
redundant interfaces
configuring 6-25
failover 6-10
MAC address 6-4
setting the active interface 6-27
Registration Authority description 41-2
regular expression 13-12
reloading
context 5-26
security appliance 82-8
remote access
IPSec tunnel group, configuring 67-8
restricting 67-84
tunnel group, configuring default 67-7
VPN, configuring 69-1, 69-15
remote management, ASA 5505 71-9
Request Filter pane
description 26-11
resetting the SSM hardware module password 82-11
resource management
about 5-8
assigning a context 5-21
class 5-16
configuring 5-8
default class 5-9
monitoring 5-29
oversubscribing 5-8
resource types 5-17
unlimited 5-9
resource usage 5-32
revalidation timer, Network Admission Control 70-10
revoked certificates 41-2
rewrite, disabling 74-83
RFCs for SNMP 79-29
RIP
authentication 25-2
definition of 25-1
enabling 25-4
support for 25-2
RIP panel
limitations 25-3
RIP Version 2 Notes 25-3
routed mode
about 4-1
NAT 29-13
setting 4-1
route map
definition 23-1
route maps
defining 23-4
uses 23-1
router
advertisement, ICMP message B-15
solicitation, ICMP message B-15
router advertisement messages 28-3
router advertisement transmission interval 28-8
router lifetime value 28-8
routes
about default 22-4
configuring default routes 22-4
configuring IPv6 default 22-5
configuring IPv6 static 22-5
configuring static routes 22-3
routing
other protocols 34-5
RSA
keys, generating 37-4, 41-9
RTSP inspection
about 44-15
configuring 44-15
rules
ICMP 37-10
running configuration
copying 81-8
saving 2-16
S
same security level communication
enabling 8-15, 9-18
SAs, lifetimes 64-29
SAST keys 48-41
SCCP (Skinny) inspection
about 44-25
configuration 44-25
configuring 44-25
SDI
configuring 35-11
support 35-5
secondary unit, failover 62-2
secure unit authentication 71-12
secure unit authentication, group policy 67-53
security, WebVPN 74-5, 74-13
Security Agent, Cisco 67-66
security appliance
CLI A-1
connecting to 2-1
managing licenses 3-1
managing the configuration 2-15
reloading 82-8
upgrading software 81-2
viewing files in Flash memory 81-1
security association
clearing 64-34
See also SAs
security attributes, group policy 67-46
security contexts
about 5-1
adding 5-18
admin context
about 5-2
changing 5-24
assigning to a resource class 5-21
cascading 5-6
changing between 5-23
classifier 5-3
command authorization 37-16
configuration
URL, changing 5-25
URL, setting 5-21
logging in 5-7
MAC addresses
automatically assigning 5-22
classifying using 5-3
managing 5-1, 5-23
mapped interface name 5-20
monitoring 5-27
multiple mode, enabling 5-15
nesting or cascading 5-7
prompt A-2
reloading 5-26
removing 5-24
resource management 5-8
resource usage 5-32
saving all configurations 2-17
unsupported features 5-14
VLAN allocation 5-20
security level
about 8-1
interface 8-8, 9-10, 9-12
security models for SNMP 79-16
sending messages to an e-mail address 77-10
sending messages to an SNMP server 77-11
sending messages to ASDM 77-11
sending messages to a specified output destination 77-16
sending messages to a syslog server 77-8
sending messages to a Telnet or SSH session 77-12
sending messages to the console port 77-11
sending messages to the internal log buffer 77-9
service policy
applying 32-17
default 32-17
interface 32-18
session management path 1-26
severity levels, of system log messages
changing 77-1
filtering by 77-1
list of 77-3
severity levels, of system messages
definition 77-3
SHA, IKE policy keywords (table) 64-9, 64-10, 64-11
shared license
backup server, configuring 3-37
backup server, information 3-25
client, configuring 3-37
communication issues 3-25
failover 3-25
maximum clients 3-27
monitoring 3-44
server, configuring 3-35
SSL messages 3-25
show command, filtering output A-4
showing cached Kerberos tickets 74-47
showing KCD status 74-46
simultaneous logins, username attribute 67-81
single mode
backing up configuration 5-15
configuration 5-15
enabling 5-15
restoring 5-16
single sign-on
See SSO
single-signon
group policy attribute for Clientless SSL VPN 67-77
username attribute for Clientless SSL VPN 67-92
SIP inspection
about 44-19
configuring 44-19
instant messaging 44-19
timeouts 44-24
troubleshooting 44-24
site-to-site VPNs, redundancy 64-34
Smart Call Home monitoring 80-19
smart tunnels 74-48
SMTP inspection 43-31
SNMP
about 79-1
failover 79-17
management station 77-1, 77-6
prerequisites 79-17
SNMP configuration 79-18
SNMP groups 79-16
SNMP hosts 79-16
SNMP monitoring 79-26, 79-27
SNMP terminology 79-2
SNMP traps 79-2
SNMP users 79-16
SNMP Version 3 79-15, 79-23
SNMP Versions 1 and 2c 79-22
source quench, ICMP message B-15
SPAN 7-4
Spanning Tree Protocol, unsupported 7-8
speed, configuring 6-11, 7-5
split tunneling
ASA 5505 as Easy VPN client 71-8
group policy 67-49
group policy, domains 67-52
SSCs
management access 58-4
management defaults 58-6
management interface 58-11
password reset 58-23, 60-15
reload 58-24, 60-16
reset 58-24, 60-16
routing 58-8
sessioning to 58-10
shutdown 58-24, 60-16
SSH
authentication 37-19
concurrent connections 37-2
login 37-5
password 10-1
RSA key 37-4
username 37-5
SSL
certificate 74-11
used to access the security appliance 74-6
SSL/TLS encryption protocols
configuring 74-10
WebVPN 74-10
SSL VPN Client
compression 75-16
DPD 75-15
enabling
permanent installation 75-7
installing
order 75-6
keepalive messages 75-16
viewing sessions 75-19
SSMs
loading an image 58-21, 58-23, 60-14
management access 58-4
management defaults 58-6
password reset 58-23, 60-15
reload 58-24, 60-16
reset 58-24, 60-16
routing 58-8
sessioning to 58-10
shutdown 58-24, 60-16
sso-server
group policy attribute for Clientless SSL VPN 67-77
username attribute for Clientless SSL VPN 67-92
SSO with WebVPN 74-13 to ??
configuring HTTP Basic and NTLM authentication 74-14
configuring HTTP form protocol 74-20
configuring SiteMinder 74-15, 74-17
startup configuration
copying 81-8
saving 2-16
statd buffer overflow attack 57-8
Stateful Failover
about 61-10
state information 61-10
state link 61-4
stateful inspection 1-25
bypassing 53-3
state information 61-10
state link 61-4
static ARP entry 4-11
static bridge entry 4-15
Static Group pane
description 26-6
static NAT
about 29-3
few-to-many mapping 29-7
many-to-few mapping 29-6, 29-7
network object NAT 30-10
twice NAT 31-15
static NAT with port translation
about 29-4
static routes
configuring 22-3
statistics, QoS 54-15
stealth firewall
See transparent firewall
stuck-in-active 27-2
subcommand mode prompt A-2
subinterfaces, adding 6-30
subnet masks
/bits B-3
about B-2
address range B-4
determining B-3
dotted decimal B-3
number of hosts B-3
Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 74-66
Sun RPC inspection
about 45-3
configuring 45-3
SVC
See SSL VPN Client
switch MAC address table 4-14
switch ports
access ports 7-7
protected 7-8, 7-10
SPAN 7-4
trunk ports 7-9
Sygate Personal Firewall 67-67
SYN attacks, monitoring 5-33
SYN cookies 5-33
syntax formatting A-3
syslogd server program 77-5
syslog messages
analyzing 77-2
syslog messaging for SNMP 79-27
syslog server
designating more than one as output destination 77-5
EMBLEM format
configuring 77-14
enabling 77-8, 77-14
system configuration 5-2
system log messages
classes 77-4
classes of 77-4
configuring in groups
by message list 77-4
by severity level 77-1
device ID, including 77-17
disabling logging of 77-1
filtering by message class 77-4
managing in groups
by message class 77-16
output destinations 77-1, 77-6
syslog message server 77-6
Telnet or SSH session 77-6
severity levels
about 77-3
changing the severity level of a message 77-1
timestamp, including 77-18
T
TACACS+
command authorization, configuring 37-29
configuring a server 35-11
network access authorization 38-11
support 35-5
tail drop 54-3
TCP
ASA 5505 as Easy VPN client 71-4
connection limits per context 5-17
ports and literal values B-11
sequence number randomization
disabling using Modular Policy Framework 53-12, 53-14
TCP FIN only flags attack 57-7
TCP Intercept
enabling using Modular Policy Framework 53-12, 53-14
monitoring 5-33
TCP normalization 53-3
TCP NULL flags attack 57-6
TCP state bypass
AAA 53-5
configuring 53-10
failover 53-5
firewall mode 53-5
inspection 53-5
multiple context mode 53-5
NAT 53-5
SSMs and SSCs 53-5
TCP Intercept 53-5
TCP normalization 53-5
unsupported features 53-5
TCP SYN+FIN flags attack 57-6
Telnet
allowing management access 37-1
authentication 37-19
concurrent connections 37-2
login 37-4
password 10-1
template timeout intervals
configuring for flow-export actions 78-7
temporary license 3-21
testing configuration 82-1
threat detection
basic
drop types 56-2
enabling 56-4
overview 56-2
rate intervals 56-2
rate intervals, setting 56-4
statistics, viewing 56-5
system performance 56-3
scanning
attackers, viewing 56-18
default limits, changing 56-17
enabling 56-17
host database 56-15
overview 56-15
shunned hosts, releasing 56-18
shunned hosts, viewing 56-17
shunning attackers 56-17
system performance 56-15
targets, viewing 56-18
scanning statistics
enabling 56-7
system performance 56-6
viewing 56-9
time exceeded, ICMP message B-15
time ranges, access lists 13-16
timestamp, including in system log messages 77-18
timestamp reply, ICMP message B-15
timestamp request, ICMP message B-15
TLS1, used to access the security appliance 74-6
TLS Proxy
applications supported by ASA 47-3
Cisco Unified Presence architecture 51-1
configuring for Cisco Unified Presence 51-8
licenses 47-4, 49-5, 50-6, 51-7, 52-8
token bucket 54-2
toolbar, floating, WebVPN 74-89
traffic flow
routed firewall 4-17
transparent firewall 4-23
traffic shaping
overview 54-4
transform set
creating 69-1, 69-10
definition 64-19
transmit queue ring limit 54-2, 54-3
transparent firewall
about 4-2
ARP inspection
about 4-10
enabling 4-12
static entry 4-11
data flow 4-23
DHCP packets, allowing 34-5
guidelines 4-7
H.323 guidelines 4-4
HSRP 4-4
MAC address timeout 4-15
MAC learning, disabling 4-16
management IP address 9-7
multicast traffic 4-4
packet handling 34-5
static bridge entry 4-15
unsupported features 4-7
VRRP 4-4
transparent mode
NAT 29-13
troubleshooting
H.323 44-9
H.323 RAS 44-10
phone proxy 48-27
SIP 44-24
troubleshooting SNMP 79-24
trunk, 802.1Q 6-30
trunk ports 7-9
Trusted Flow Acceleration
failover 65-7
modes 4-6, 4-10, 4-14, 15-1, 34-7, 63-7, 65-7
trustpoint 41-3
trustpoint, ASA 5505 client 71-7
trust relationship
Cisco Unified Mobility 50-5
Cisco Unified Presence 51-4
tunnel
ASA 5505 as Easy VPN client 71-5
IPsec 64-19
security appliance as a tunnel endpoint 64-2
tunnel group
ASA 5505 as Easy VPN client 71-7
configuring 67-6
creating 67-8
default 64-19, 67-1, 67-2
default, remote access, configuring 67-7
default LAN-to-LAN, configuring 67-17
definition 67-1, 67-2
general parameters 67-3
inheritance 67-1
IPSec parameters 67-4
LAN-to-LAN, configuring 67-17
name and type 67-8
remote access, configuring 69-11
remote-access, configuring 67-8
tunnel-group
general attributes 67-3
tunnel-group ISAKMP/IKE keepalive settings 67-4
tunneling, about 64-1
tunnel mode 65-2
twice NAT
about 29-17
comparison with network object NAT 29-16
configuring 31-1
dynamic NAT 31-4
dynamic PAT 31-8
examples 31-24
guidelines 31-2
identity NAT 31-20
monitoring 31-24
prerequisites 31-2
static NAT 31-15
tx-ring-limit 54-2, 54-3
U
UDP
bomb attack 57-7
chargen DoS attack 57-7
connection limits per context 5-17
connection state information 1-26
ports and literal values B-11
snork attack 57-7
unreachable, ICMP message B-15
unreachable messages
required for MTU discovery 37-10
url-list
group policy attribute for Clientless SSL VPN 67-74
username attribute for Clientless SSL VPN 67-89
URLs
context configuration, changing 5-25
context configuration, setting 5-21
filtering 39-1
filtering, about 39-7
filtering, configuration 39-11
user, VPN
definition 67-1
user access, restricting remote 67-84
user authentication, group policy 67-53
user EXEC mode
accessing 2-1
prompt A-2
username
adding 35-20
clientless authentication 70-14
encrypted 35-23
management tunnels 71-9
password 35-23
WebVPN 74-109
Xauth for Easy VPN client 71-4
username attributes
access hours 67-81
configuring 67-79, 67-80
group-lock 67-84
inheritance 67-81
password, setting 67-80
password-storage 67-84
privilege level, setting 67-80
simultaneous logins 67-81
vpn-filter 67-82
vpn-framed-ip-address 67-83
vpn-idle timeout 67-82
vpn-session-timeout 67-82
vpn-tunnel-protocol 67-83
username attributes for Clientless SSL VPN
auto-signon 67-91
customization 67-87
deny message 67-87
filter (access list) 67-88
homepage 67-86
html-content-filter 67-86
keep-alive ignore 67-90
port-forward 67-89
port-forward-name 67-90
sso-server 67-92
url-list 67-89
username configuration, viewing 67-79
username webvpn mode 67-85
users
SNMP 79-16
U-turn 64-26
V
VeriSign, configuring CAs example 41-4
viewing QoS statistics 54-15
viewing RMS 81-19
virtual cluster 66-6
IP address 66-6
master 66-6
virtual firewalls
See security contexts
virtual HTTP 38-3
virtual reassembly 1-23
virtual sensors 58-15
VLAN mapping 67-44
VLANs 6-30
802.1Q trunk 6-30
allocating to a context 5-20
ASA 5505
MAC addresses 7-4
maximum 7-2
mapped interface name 5-20
subinterfaces 6-30
VoIP
proxy servers 44-19
troubleshooting 44-9
VPN
address pool, configuring (group-policy) 67-62
address range, subnets B-4
parameters, general, setting 66-1
setting maximum number of IPSec sessions 66-3
VPN attributes, group policy 67-42
VPN client
NAT rules 29-20
VPN Client, IPsec attributes 64-2
vpn-filter username attribute 67-82
VPN flex license 3-21
vpn-framed-ip-address username attribute 67-83
VPN hardware client, group policy attributes 67-53
vpn-idle-timeout username attribute 67-82
vpn load balancing
See load balancing 66-6
vpn-session-timeout username attribute 67-82
vpn-tunnel-protocol username attribute 67-83
VRRP 4-4
W
WCCP 40-1
web caching 40-1
web clients, secure authentication 38-6
web e-mail (Outlook Web Access) 74-80
WebVPN
assigning users to group policies 74-31, 74-32
authenticating with digital certificates 74-28, 74-29
CA certificate validation not done 74-5
client application requirements 74-110
client requirements 74-110
configuring
e-mail 74-79
configuring WebVPN and ASDM on the same interface 74-7
cookies 74-10
defining the end-user interface 74-88
definition 74-2
e-mail 74-79
e-mail proxies 74-79
end user set-up 74-87
floating toolbar 74-89
group policy attributes, configuring 74-33
hosts file 74-72
hosts files, reconfiguring 74-73
HTTP/HTTPS proxy, setting 74-11
Java object signing 74-82
PDA support 74-78
security precautions 74-5, 74-13
security tips 74-109
setting HTTP/HTTPS proxy 74-8
SSL/TLS encryption protocols 74-10
supported applications 74-110
troubleshooting 74-72
unsupported features 74-4
use of HTTPS 74-7
usernames and passwords 74-109
use suggestions 74-87, 74-110
WebVPN, Application Access Panel 74-88
webvpn attributes
group policy 67-70
welcome message, group policy 67-48
WINS server, configuring 67-40
X
Xauth, Easy VPN client 71-4
XOFF frames 6-22
Z
Zone Labs firewalls 67-67
Zone Labs Integrity Server 67-64
Active/Standby failover
about 62-1
actions 62-4
command replication 62-3
configuration synchronization 62-2
device initialization 62-2
primary unit 62-2
secondary unit 62-2
triggers 62-4
Active Directory, settings for password management 67-28
Active Directory procedures C-16 to ??
ActiveX filtering 39-2
Adaptive Security Algorithm 1-25
Add/Edit Access Group dialog box
description 26-7
Add/Edit IGMP Join Group dialog box
description 26-6
Add/Edit OSPF Neighbor Entry dialog box 24-12
admin context
about 5-2
changing 5-24
administrative access
using ICMP for 37-11
administrative distance 22-3, 22-5
Advanced Encryption Standard (AES) 64-9, 64-10
AIP
See IPS module
AIP SSC
loading an image 58-21, 58-23, 60-14
AIP SSM
about 58-1
loading an image 58-21, 58-23, 60-14
port-forwarding
enabling 8-6, 9-8
alternate address, ICMP message B-15
analyzing syslog messages 77-2
Application Access Panel, WebVPN 74-88
application access using Clientless SSL VPN
group policy attribute for Clientless SSL VPN 67-75
username attribute for Clientless SSL VPN 67-89
application access using WebVPN
and hosts file errors 74-72
quitting properly 74-73
application inspection
about 42-1
applying 42-6
configuring 42-6
inspection class map 33-6
inspection policy map 33-2
security level requirements 8-2, 9-2
special actions 33-1
Application Profile Customization Framework 74-84
area border router 24-2
ARP
NAT 29-22
ARP inspection
about 4-10
enabling 4-12
static entry 4-11
ARP spoofing 4-10
ARP test, failover 61-15
ASA (Adaptive Security Algorithm) 1-25
ASA 5505
Base license 7-2
client
authentication 71-12
configuration restrictions, table 71-2
device pass-through 71-8
group policy attributes pushed to 71-10
mode 71-3
remote management 71-9
split tunneling 71-8
TCP 71-4
trustpoint 71-7
tunnel group 71-7
tunneling 71-5
Xauth 71-4
MAC addresses 7-4
maximum VLANs 7-2
native VLAN support 7-10
non-forwarding interface 7-7
power over Ethernet 7-4
protected switch ports 7-8, 7-10
Security Plus license 7-2
server (headend) 71-1
SPAN 7-4
Spanning Tree Protocol, unsupported 7-8
ASA 5550 throughput 8-6, 9-9
ASA CX module
about 59-1
ASA feature compatibility 59-4
authentication proxy
about 59-3
port 59-10
troubleshooting 59-20
basic settings 59-7
cabling 59-6
configuration 59-6
debugging 59-19
failover 59-5
licensing 59-4
management access 59-2
management defaults 59-5
management IP address 59-7
monitoring 59-12
password reset 59-17
PRSM 59-3
reload 59-18
security policy 59-9
sending traffic to 59-11
shutdown 59-19
traffic flow 59-2
VPN 59-4
ASBR
definition of 24-2
ASDM software
allowing access 37-6
installing 81-2
ASR 63-18
asymmetric routing
TCP state bypass 53-4
asymmetric routing support 63-18
attacks
DNS HINFO request 57-7
DNS request for all records 57-7
DNS zone transfer 57-7
DNS zone transfer from high port 57-7
fragmented ICMP traffic 57-6
IP fragment 57-4
IP impossible packet 57-4
large ICMP traffic 57-6
ping of death 57-6
proxied RPC request 57-7
statd buffer overflow 57-8
TCP FIN only flags 57-7
TCP NULL flags 57-6
TCP SYN+FIN flags 57-6
UDP bomb 57-7
UDP chargen DoS 57-7
UDP snork 57-7
attributes
RADIUS C-27
username 67-80
attribute-value pairs
TACACS+ C-38
attribute-value pairs (AVP) 67-36
authentication
about 35-2
ASA 5505 as Easy VPN client 71-12
CLI access 37-19
FTP 38-3
HTTP 38-3
network access 38-2
privileged EXEC mode 37-19
Telnet 38-3
web clients 38-6
WebVPN users with digital certificates 74-28, 74-29
authorization
about 35-2
command 37-22
downloadable access lists 38-14
network access 38-11
Auto-MDI/MDIX 6-2, 7-4
auto-signon
group policy attribute for Clientless SSL VPN 67-73
username attribute for Clientless SSL VPN 67-91
Auto-Update, configuring 81-16
B
backup server attributes, group policy 67-56
Baltimore Technologies, CA server support 41-4
banner message, group policy 67-48
basic threat detection
See threat detection
before configuring KCD 74-44
bits subnet masks B-3
Black Ice firewall 67-67
Botnet Traffic Filter
actions 55-2
address categories 55-2
blacklist
adding entries 55-9
description 55-2
blocking traffic manually 55-15
classifying traffic 55-12
configuring 55-6
databases 55-2
default settings 55-6
DNS Reverse Lookup Cache
information about 55-4
maximum entries 55-4
using with dynamic database 55-10
DNS snooping 55-10
dropping traffic 55-13
graylist 55-13
dynamic database
enabling use of 55-7
files 55-3
information about 55-2
searching 55-16
updates 55-7
examples 55-19
feature history 55-22
graylist
description 55-2
dropping traffic 55-13
guidelines and limitations 55-6
information about 55-1
licensing 55-6
monitoring 55-17
static database
adding entries 55-9
information about 55-3
syslog messages 55-17
task flow 55-7
threat level
dropping traffic 55-13
whitelist
adding entries 55-9
description 55-2
working overview 55-5
bridge
entry timeout 4-15
table, See MAC address table
broadcast Ping test 61-15
building blocks 13-1
bypass authentication 71-8
bypassing firewall checks 53-3
C
CA
certificate validation, not done in WebVPN 74-5
CRs and 41-2
public key cryptography 41-2
revoked certificates 41-2
supported servers 41-4
cached Kerberos tickets
clearing 74-48
showing 74-47
caching 74-81
capturing packets 82-14
cascading access lists 64-23
CA server
Digicert 41-4
Geotrust 41-4
Godaddy 41-4
iPlanet 41-4
Netscape 41-4
RSA Keon 41-4
Thawte 41-4
certificate
authentication, e-mail proxy 74-79
Cisco Unified Mobility 50-5
Cisco Unified Presence 51-4
enrollment protocol 41-11
group matching
configuring 64-17
rule and policy, creating 64-17
Certificate Revocation Lists
See CRLs
certificates
phone proxy 48-15
required by phone proxy 48-16
change query interval 26-8
change query response time 26-8
change query timeout value 26-8
changing between contexts 5-23
changing the severity level 77-18
Cisco-AV-Pair LDAP attributes C-13
Cisco Integrated Firewall 67-66
Cisco IOS CS CA
server support 41-4
Cisco IP Communicator 48-10
Cisco IP Phones
DHCP 11-6
Cisco IP Phones, application inspection 44-25
Cisco Security Agent 67-66
Cisco Trust Agent 70-13
Cisco UMA. See Cisco Unified Mobility.
Cisco Unified Mobility
architecture 50-2
ASA role 47-2, 47-3
certificate 50-5
functionality 50-1
NAT and PAT requirements 50-3, 50-4
trust relationship 50-5
Cisco Unified Presence
ASA role 47-2, 47-3
configuring the TLS Proxy 51-8
debugging the TLS Proxy 51-14
NAT and PAT requirements 51-2
sample configuration 51-14
trust relationship 51-4
Cisco UP. See Cisco Unified Presence.
Class A, B, and C addresses B-1
class-default class map 32-9
classes, logging
filtering messages by 77-16
message class variables 77-4
types 77-4
classes, resource
See resource management
class map
inspection 33-6
Layer 3/4
management traffic 32-14
match commands 32-12, 32-15
through traffic 32-12
regular expression 13-15
clearing cached Kerberos tickets 74-48
CLI
abbreviating commands A-3
adding comments A-5
command line editing A-3
command output paging A-5
displaying A-5
help A-4
paging A-5
syntax formatting A-3
client
VPN 3002 hardware, forcing client update 66-4
Windows, client update notification 66-4
client access rules, group policy 67-68
client firewall, group policy 67-63
clientless authentication 70-13
Clientless SSL VPN
configuring for specific users 67-85
client mode 71-3
client update, performing 66-4
cluster
IP address, load balancing 66-6
load balancing configurations 66-9
mixed scenarios 66-10
virtual 66-6
command authorization
about 37-14
configuring 37-22
multiple contexts 37-16
command prompts A-2
comments
configuration A-5
configuration
clearing 2-18
comments A-5
factory default
commands 2-10
restoring 2-11
saving 2-16
text file 2-19
URL for a context 5-21
viewing 2-18
configuration examples
CSC SSM 60-16
logging 77-20
configuration examples for SNMP 79-28
configuration mode
accessing 2-2
prompt A-2
connection blocking 57-2
connection limits
configuring 53-1
per context 5-17
connect time, maximum, username attribute 67-82
console port logging 77-11
content transformation, WebVPN 74-82
context mode 27-2
context modes 22-2, 23-3, 24-3, 25-3, 26-3, 60-6
contexts
See security contexts
conversion error, ICMP message B-15
cookies, enabling for WebVPN 74-10
copying files using copy smb
command 81-8
Coredump 82-14
CRACK protocol 64-35
crash dump 82-14
creating a custom event list 77-13
crypto map
access lists 64-27
applying to interfaces 64-26, 73-10
clearing configurations 64-35
creating an entry to use the dynamic crypto map 69-13
definition 64-20
dynamic 64-32
dynamic, creating 69-12
entries 64-20
examples 64-28
policy 64-21
crypto show commands table 64-34
CSC SSM
about 60-1
loading an image 58-21, 58-23, 60-14
sending traffic to 60-10
what to scan 60-3
CSC SSM feature history 60-18
custom firewall 67-67
customization, Clientless SSL VPN
group policy attribute 67-71
login windows for users 67-27
username attribute 67-87
username attribute for Clientless SSL VPN 67-24
custom messages list
logging output destination 77-4
cut-through proxy
AAA performance 38-1
CX module
about 59-1
ASA feature compatibility 59-4
authentication proxy
about 59-3
port 59-10
troubleshooting 59-20
basic settings 59-7
cabling 59-6
configuration 59-6
debugging 59-19
failover 59-5
licensing 59-4
management access 59-2
management defaults 59-5
management IP address 59-7
monitoring 59-12
password reset 59-17
PRSM 59-3
reload 59-18
security policy 59-9
sending traffic to 59-11
shutdown 59-19
traffic flow 59-2
VPN 59-4
D
data flow
routed firewall 4-17
transparent firewall 4-23
date and time in messages 77-18
DDNS 12-2
debug messages 82-13
default
class 5-9
DefaultL2Lgroup 67-1
DefaultRAgroup 67-1
domain name, group policy 67-51
group policy 67-1, 67-8, 67-36
LAN-to-LAN tunnel group 67-17
remote access tunnel group, configuring 67-7
routes, defining equal cost routes 22-4
tunnel group 64-19, 67-2
default configuration
commands 2-10
restoring 2-11
default policy 32-7
default routes
about 22-4
configuring 22-4
delay sending flow-create events 78-9
deleting files from Flash 81-2
deny flows, logging 20-5
deny in a crypto map 64-23
deny-message
group policy attribute for Clientless SSL VPN 67-71
username attribute for Clientless SSL VPN 67-87
DES, IKE policy keywords (table) 64-9, 64-10
device ID, including in messages 77-17
device ID in messages 77-17
device pass-through, ASA 5505 as Easy VPN client 71-8
DfltGrpPolicy 67-37
DHCP
addressing, configuring 68-3
Cisco IP Phones 11-6
options 11-4
relay 11-7
server 11-3
transparent firewall 34-5
DHCP Intercept, configuring 67-52
DHCP Relay panel 12-6
DHCP services 10-6
Diffie-Hellman
Group 5 64-10, 64-11
groups supported 64-10, 64-11
DiffServ preservation 54-5
digital certificates
authenticating WebVPN users 74-28, 74-29
SSL 74-11
directory hierarchy search C-3
disabling content rewrite 74-83
disabling messages 77-18
disabling messages, specific message IDs 77-18
DMZ, definition 1-22
DNS
dynamic 12-2
inspection
about 43-2
managing 43-1
rewrite, about 43-2
rewrite, configuring 43-3
NAT effect on 29-24
server, configuring 10-11, 67-40
DNS HINFO request attack 57-7
DNS request for all records attack 57-7
DNS zone transfer attack 57-7
DNS zone transfer from high port attack 57-7
domain attributes, group policy 67-51
domain name 10-3
dotted decimal subnet masks B-3
downloadable access lists
configuring 38-14
converting netmask expressions 38-18
DSCP preservation 54-5
dual IP stack, configuring 8-2
dual-ISP support 22-6
duplex, configuring 6-11, 7-5
dynamic crypto map 64-32
creating 69-12
See also crypto map
Dynamic DNS 12-2
dynamic NAT
about 29-8
network object NAT 30-4
twice NAT 31-4
dynamic PAT
network object NAT 30-6
See also NAT
twice NAT 31-8
E
Easy VPN
client
authentication 71-12
configuration restrictions, table 71-2
enabling and disabling 71-1
group policy attributes pushed to 71-10
mode 71-3
remote management 71-9
trustpoint 71-7
tunnels 71-9
Xauth 71-4
server (headend) 71-1
Easy VPN client
ASA 5505
device pass-through 71-8
split tunneling 71-8
TCP 71-4
tunnel group 71-7
tunneling 71-5
echo reply, ICMP message B-15
ECMP 22-3
editing command lines A-3
egress VLAN for VPN sessions 67-44
EIGRP 34-5
DUAL algorithm 27-2
hello interval 27-13
hello packets 27-1
hold time 27-2, 27-13
neighbor discovery 27-1
stub routing 27-3
stuck-in-active 27-2
e-mail
configuring for WebVPN 74-79
proxies, WebVPN 74-79
proxy, certificate authentication 74-79
WebVPN, configuring 74-79
enable command 2-1
enabling logging 77-6
enabling secure logging 77-16
end-user interface, WebVPN, defining 74-88
Enterprises 11-6
Entrust, CA server support 41-4
established command, security level requirements 8-2, 9-2
EtherChannel
adding interfaces 6-27
channel group 6-27
compatibility 6-5
converting existing interfaces 6-13
example 6-34
failover 6-10
guidelines 6-10
interface requirements 6-5
LACP 6-6
load balancing
configuring 6-29
overview 6-7
MAC address 6-7
management interface 6-27
maximum interfaces 6-29
minimum interfaces 6-29
mode
active 6-6
on 6-7
passive 6-6
monitoring 6-33
overview 6-5
port priority 6-27
system priority 6-29
Ethernet
Auto-MDI/MDIX 6-2, 7-4
duplex 6-11, 7-5
jumbo frames, ASA 5580 6-32
MTU 8-11, 9-14
speed 6-11, 7-5
EtherType access list
compatibility with extended access lists 34-2
implicit deny 34-3
evaluation license 3-21
exporting NetFlow records 78-5
extended ACLs
configuring
for management traffic 15-2
external group policy, configuring 67-39
F
facility, syslog 77-8
factory default configuration
commands 2-10
restoring 2-11
failover
about 61-1
Active/Active, See Active/Active failover
Active/Standby, See Active/Standby failover
configuration file
terminal messages, Active/Active 63-3
terminal messages, Active/Standby 62-2
contexts 62-2
debug messages 61-16
disabling 62-18, 63-24
Ethernet failover cable 61-3
failover link 61-3
forcing 62-17, 63-23
guidelines 60-6, 79-17
health monitoring 61-14
interface health 61-15
interface monitoring 61-15
interface tests 61-15
link communications 61-3
MAC addresses
about 62-2
automatically assigning 5-12
monitoring, health 61-14
network tests 61-15
primary unit 62-2
redundant interfaces 6-10
restoring a failed group 62-18, 63-24
restoring a failed unit 62-18, 63-24
secondary unit 62-2
SNMP syslog traps 61-17
Stateful Failover, See Stateful Failover
state link 61-4
system log messages 61-16
system requirements 61-2
testing 62-18, 63-24
Trusted Flow Acceleration 65-7
type selection 61-8
unit health 61-14
fast path 1-26
fiber interfaces 6-12
Fibre Channel interfaces
default settings 16-2, 17-2, 18-2, 34-7
filter (access list)
group policy attribute for Clientless SSL VPN 67-74
username attribute for Clientless SSL VPN 67-88
filtering
ActiveX 39-2
FTP 39-14
Java applet 39-4
Java applets 39-4
security level requirements 8-2, 9-2
servers supported 39-6
show command output A-4
URLs 39-1, 39-7
filtering messages 77-4
firewall
Black Ice 67-67
Cisco Integrated 67-66
Cisco Security Agent 67-66
custom 67-67
Network Ice 67-67
none 67-66
Sygate personal 67-67
Zone Labs 67-67
firewall mode
about 4-1
configuring 4-1
firewall policy, group policy 67-63
Flash memory
removing files 81-2
flash memory available for logs 77-15
flow control for 10 Gigabit Ethernet 6-22
flow-export actions 78-4
format of messages 77-3
fragmentation policy, IPsec 64-15
fragmented ICMP traffic attack 57-6
fragment protection 1-23
fragment size 57-2
FTP inspection
about 43-11
configuring 43-11
G
general attributes, tunnel group 67-3
general parameters, tunnel group 67-3
general tunnel-group connection parameters 67-3
generating RSA keys 41-9
global e-mail proxy attributes 74-79
global IPsec SA lifetimes, changing 64-29
group-lock, username attribute 67-84
group policy
address pools 67-62
attributes 67-40
backup server attributes 67-56
client access rules 67-68
configuring 67-39
default domain name for tunneled packets 67-51
definition 67-1, 67-36
domain attributes 67-51
Easy VPN client, attributes pushed to ASA 5505 71-10
external, configuring 67-39
firewall policy 67-63
hardware client user idle timeout 67-54
internal, configuring 67-40
IP phone bypass 67-54
IPSec over UDP attributes 67-49
LEAP Bypass 67-55
network extension mode 67-55
security attributes 67-46
split tunneling attributes 67-49
split-tunneling domains 67-52
user authentication 67-53
VPN attributes 67-42
VPN hardware client attributes 67-53
webvpn attributes 67-70
WINS and DNS servers 67-40
group policy, default 67-36
group policy, secure unit authentication 67-53
group policy attributes for Clientless SSL VPN
application access 67-75
auto-signon 67-73
customization 67-71
deny-message 67-71
filter 67-74
home page 67-73
html-content filter 67-72
keep-alive-ignore 67-76
port forward 67-75
port-forward-name 67-76
sso-server 67-77
url-list 67-74
groups
SNMP 79-16
GTP inspection
about 46-3
configuring 46-3
H
H.225 timeouts 44-9
H.245 troubleshooting 44-10
H.323
transparent firewall guidelines 4-4
H.323 inspection
about 44-4
configuring 44-3
limitations 44-5
troubleshooting 44-10
hairpinning 64-26
hardware client, group policy attributes 67-53
help, command line A-4
high availability
about 61-1
HMAC hashing method 64-2, 73-3
hold-period 70-17
homepage
group policy attribute for Clientless SSL VPN 67-73
username attribute for Clientless SSL VPN 67-86
host
SNMP 79-16
hostname
configuring 10-2
in banners 10-2
multiple context mode 10-2
hosts, subnet masks for B-3
hosts file
errors 74-72
reconfiguring 74-73
WebVPN 74-72
HSRP 4-4
html-content-filter
group policy attribute for Clientless SSL VPN 67-72
username attribute for Clientless SSL VPN 67-86
HTTP
filtering 39-1
HTTP(S)
authentication 37-19
filtering 39-7
HTTP/HTTPS Web VPN proxy, setting 74-11
HTTP compression, Clientless SSL VPN, enabling 67-76, 67-91
HTTP inspection
about 43-16
configuring 43-16
HTTP redirection for login, Easy VPN client on the ASA 5505 71-12
HTTPS/Telnet/SSH
allowing network or host access to ASDM 37-1
HTTPS for WebVPN sessions 74-7
hub-and-spoke VPN scenario 64-26
I
ICMP
rules for access to ASDM 37-11
testing connectivity 82-1
type numbers B-15
identity NAT
about 29-11
network object NAT 30-12
twice NAT 31-20
idle timeout
hardware client user, group policy 67-54
username attribute 67-82
ID method for ISAKMP peers, determining 64-13
IKE
benefits 64-2, 73-3
creating policies 64-11
keepalive setting, tunnel group 67-4
pre-shared key, Easy VPN client on the ASA 5505 71-7
See also ISAKMP
IKEv1 64-19
ILS inspection 45-1
IM 44-19
implementing SNMP 79-16
inbound access lists 34-3
Individual user authentication 71-12
information reply, ICMP message B-15
information request, ICMP message B-15
inheritance
tunnel group 67-1
username attribute 67-81
inside, definition 1-22
inspection_default class-map 32-9
inspection engines
See application inspection
Instant Messaging inspection 44-19
intercept DHCP, configuring 67-52
interface
MTU 8-11, 9-14
interfaces
ASA 5505
enabled status 7-7
MAC addresses 7-4
maximum VLANs 7-2
non-forwarding 7-7
protected switch ports 7-8, 7-10
switch port configuration 7-7
trunk ports 7-9
ASA 5550 throughput 8-6, 9-9
configuring for remote access 69-7
default settings 16-2, 17-2, 18-2, 34-7, 60-6
duplex 6-11, 7-5
enabling 6-24
failover monitoring 61-15
fiber 6-12
IDs 6-23
IP address 8-7, 9-12
MAC addresses
automatically assigning 5-22
manually assigning to interfaces 8-11, 9-14
mapped name 5-20
naming, physical and subinterface 8-7, 9-10, 9-11
redundant 6-25
SFP 6-12
speed 6-11, 7-5
subinterfaces 6-30
internal group policy, configuring 67-40
Internet Security Association and Key Management Protocol
See ISAKMP
IP addresses
classes B-1
configuring an assignment method for remote access clients 68-1
configuring for VPNs 68-1
configuring local IP address pools 68-2
interface 8-7, 9-12
management, transparent firewall 9-7
private B-2
subnet mask B-4
IP fragment attack 57-4
IP impossible packet attack 57-4
IP overlapping fragments attack 57-5
IP phone 71-8
phone proxy provisioning 48-12
IP phone bypass, group policy 67-54
IP phones
addressing requirements for phone proxy 48-9
supported for phone proxy 48-3
IPSec
anti-replay window 54-12
modes 65-2
over UDP, group policy, configuring attributes 67-49
remote-access tunnel group 67-8
setting maximum active VPN sessions 66-3
IPsec
access list 64-27
basic configuration with static crypto maps 64-29
Cisco VPN Client 64-2
configuring 64-1, 64-19
crypto map entries 64-20
fragmentation policy 64-15
over NAT-T, enabling 64-14
over TCP, enabling 64-15
SA lifetimes, changing 64-29
tunnel 64-19
view configuration commands table 64-34
IPSec parameters, tunnel group 67-4
ipsec-ra, creating an IPSec remote-access tunnel 67-8
IPS module
about 58-1
configuration 58-7
operating modes 58-2
sending traffic to 58-17
traffic flow 58-2
virtual sensors 58-15
IP spoofing, preventing 57-1
IP teardrop attack 57-5
IPv6
commands 21-10
configuring alongside IPv4 8-2
default route 22-5
dual IP stack 8-2
duplicate address detection 8-12, 9-15
neighbor discovery 28-1
router advertisement messages 28-3
static neighbors 28-4
static routes 22-5
IPv6 addresses
anycast B-9
command support for 21-10
format B-5
multicast B-8
prefixes B-10
required B-10
types of B-6
unicast B-6
IPv6 prefixes 28-11
ISAKMP
about 64-2
configuring 64-1
determining an ID method for peers 64-13
disabling in aggressive mode 64-13
enabling on the outside interface 69-8
keepalive setting, tunnel group 67-4
See also IKE
J
Java applet filtering 39-4
Java applets, filtering 39-2
Java object signing 74-82
Join Group pane
description 26-6
jumbo frames, ASA 5580 6-32
K
KCD 74-41, 74-42
before configuring 74-44
KCD status
showing 74-46
keep-alive-ignore
group policy attribute for Clientless SSL VPN 67-76
username attribute for Clientless SSL VPN 67-90
Kerberos
configuring 35-11
support 35-6
Kerberos tickets
clearing 74-48
showing 74-47
L
L2TP description 65-1
LACP 6-6
LAN-to-LAN tunnel group, configuring 67-17
large ICMP traffic attack 57-6
latency
about 54-1
configuring 54-2, 54-3
reducing 54-8
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
Layer 2 Tunneling Protocol 65-1
Layer 3/4
matching multiple policy maps 32-6
LCS Federation Scenario 51-2
LDAP
application inspection 45-1
attribute mapping 35-18
Cisco-AV-pair C-13
configuring 35-11
configuring a AAA server C-2 to ??
directory search C-3
example configuration procedures C-16 to ??
hierarchy example C-3
SASL 35-6
user authentication 35-6
user authorization 35-16
LEAP Bypass, group policy 67-55
licenses
activation key
entering 3-33
location 3-32
obtaining 3-33
ASA 5505 3-2
ASA 5510 3-3, 3-8
ASA 5520 3-4
ASA 5540 3-5
ASA 5550 3-6
ASA 5580 3-7
ASA 5585-X 3-12, 3-13, 3-14
Cisco Unified Communications Proxy features 47-4, 49-5, 50-6, 51-7, 52-8
default 3-21
evaluation 3-21
failover 3-31
guidelines 3-31
managing 3-1
preinstalled 3-21
Product Authorization Key 3-33
shared
backup server, configuring 3-37
backup server, information 3-25
client, configuring 3-37
communication issues 3-25
failover 3-25
maximum clients 3-27
monitoring 3-44
overview 3-23
server, configuring 3-35
SSL messages 3-25
temporary 3-21
viewing current 3-38
VPN Flex 3-21
licensing requirements
CSC SSM 60-5
logging 77-5
licensing requirements for SNMP 79-17
link up/down test 61-15
LLQ
See low-latency queue
load balancing
cluster configurations 66-9
concepts 66-6
eligible clients 66-8
eligible platforms 66-8
implementing 66-7
mixed cluster scenarios 66-10
platforms 66-8
prerequisites 66-8
local user database
adding a user 35-20
configuring 35-20
logging in 37-20
support 35-8
lockout recovery 37-31
logging
access lists 20-1
classes
filtering messages by 77-4
types 77-4, 77-16
device-id, including in system log messages 77-17
e-mail
source address 77-10
EMBLEM format 77-14
facility option 77-8
filtering
by message class 77-16
by message list 77-4
by severity level 77-1
logging queue, configuring 77-15
output destinations 77-8
console port 77-8, 77-10, 77-11
internal buffer 77-1, 77-6
Telnet or SSH session 77-6
queue
changing the size of 77-15
configuring 77-15
viewing queue statistics 77-19
severity level, changing 77-19
timestamp, including 77-18
logging feature history 77-20
logging queue
configuring 77-15
login
banner, configuring 37-7
console 2-1
enable 2-1
FTP 38-3
global configuration mode 2-2
local user 37-20
password 10-1
simultaneous, username attribute 67-81
SSH 37-5
Telnet 10-1
windows, customizing for users of Clientless SSL VPN sessions 67-27
low-latency queue
applying 54-2, 54-3
M
MAC address
redundant interfaces 6-4
MAC addresses
ASA 5505 7-4
ASA 5505 device pass-through 71-8
automatically assigning 5-22
failover 62-2
manually assigning to interfaces 8-11, 9-14
security context classification 5-3
MAC address table
about 4-23
built-in-switch 4-14
entry timeout 4-15
MAC learning, disabling 4-16
resource management 5-17
static entry 4-15
MAC learning, disabling 4-16
management interfaces
default settings 16-2, 17-2, 18-2, 34-7
management IP address, transparent firewall 9-7
man-in-the-middle attack 4-10
mapped addresses
guidelines 29-21
mapped interface name 5-20
mask
reply, ICMP message B-15
request, ICMP message B-15
Master Passphrase 10-6
match commands
inspection class map 33-4
Layer 3/4 class map 32-12, 32-15
matching, certificate group 64-17
maximum active IPSec VPN sessions, setting 66-3
maximum connect time, username attribute 67-82
maximum object size to ignore, username attribute for Clientless SSL VPN 67-90
MD5, IKE policy keywords (table) 64-9, 64-10, 64-11
media termination address, criteria 48-6
message filtering 77-4
message list
filtering by 77-4
message-of-the-day banner 37-8
messages, logging
classes
about 77-4
list of 77-4
component descriptions 77-3
filtering by message list 77-4
format of 77-3
message list, creating 77-13
severity levels 77-3
messages classes 77-4
messages in EMBLEM format 77-14
metacharacters, regular expression 13-13
MGCP inspection
about 44-11
configuring 44-11
mgmt0 interfaces
default settings 16-2, 17-2, 18-2, 34-7
MIBs 79-2
MIBs for SNMP 79-29
Microsoft Access Proxy 51-1
Microsoft Active Directory, settings for password management 67-28
Microsoft Internet Explorer client parameters, configuring 67-57
Microsoft KCD 74-41, 74-42
Microsoft Windows CA, supported 41-4
mixed cluster scenarios, load balancing 66-10
mixed-mode Cisco UCM cluster, configuring for phone proxy 48-17
MMP inspection 50-1
mobile redirection, ICMP message B-15
mode
context 5-15
firewall 4-1
modular policy framework
configuring flow-export actions for NetFlow 78-5
monitoring
CSC SSM 60-13
failover 61-14
OSPF 24-16
resource management 5-29
SNMP 79-1
monitoring logging 77-19
monitoring NSEL 78-10
monitoring switch traffic, ASA 5505 7-4
More prompt A-5
MPF
default policy 32-7
examples 32-18
feature directionality 32-3
features 32-2
flows 32-6
matching multiple policy maps 32-6
service policy, applying 32-17
See also class map
See also policy map
MPLS
LDP 34-6
router-id 34-6
TDP 34-6
MRoute pane
description 26-4
MSIE client parameters, configuring 67-57
MTU 8-11, 9-14
MTU size, Easy VPN client, ASA 5505 71-5
multicast traffic 4-4
multiple context mode
logging 77-2
See security contexts
N
NAC
See Network Admission Control
naming an interface
other models 8-7, 9-10, 9-11
NAT
about 29-1
bidirectional initiation 29-2
disabling proxy ARP for global addresses 21-11
DNS 29-24
dynamic
about 29-8
dynamic NAT
network object NAT 30-4
twice NAT 31-4
dynamic PAT
about 29-10
network object NAT 30-6
twice NAT 31-8
identity
about 29-11
identity NAT
network object NAT 30-12
twice NAT 31-20
implementation 29-16
interfaces 29-21
mapped address guidelines 29-21
network object
comparison with twice NAT 29-16
network object NAT
about 29-17
configuring 30-1
dynamic NAT 30-4
dynamic PAT 30-6
examples 30-15
guidelines 30-2
identity NAT 30-12
monitoring 30-14
prerequisites 30-2
static NAT 30-10
no proxy ARP 30-13, 31-19
object
extended PAT 30-6
flat range for PAT 30-6
routed mode 29-13
route lookup 30-13, 31-24
RPC not supported with 45-3
rule order 29-20
static
about 29-3
few-to-many mapping 29-7
many-to-few mapping 29-6, 29-7
one-to-many 29-6
static NAT
network object NAT 30-10
twice NAT 31-15
static with port translation
about 29-4
terminology 29-2
transparent mode 29-13
twice
extended PAT 31-8
flat range for PAT 31-8
twice NAT
about 29-17
comparison with network object NAT 29-16
configuring 31-1
dynamic NAT 31-4
dynamic PAT 31-8
examples 31-24
guidelines 31-2
identity NAT 31-20
monitoring 31-24
prerequisites 31-2
static NAT 31-15
types 29-3
VPN 29-14
VPN client rules 29-20
native VLAN support 7-10
NAT-T
enabling IPsec over NAT-T 64-14
using 64-15
neighbor reachable time 28-3
neighbor solicitation messages 28-2
neighbor advertisement messages 28-2
NetFlow
overview 78-1
NetFlow collector
configuring 78-5
NetFlow event
matching to configured collectors 78-5
NetFlow event logging
disabling 78-9
Network Activity test 61-15
Network Admission Control
ACL, default 70-10
clientless authentication 70-13
configuring 67-59
exemptions 70-11
revalidation timer 70-10
uses, requirements, and limitations 70-1
network extension mode 71-3
network extension mode, group policy 67-55
Network Ice firewall 67-67
network object NAT
about 29-17
comparison with twice NAT 29-16
configuring 30-1
dynamic NAT 30-4
dynamic PAT 30-6
examples 30-15
guidelines 30-2
identity NAT 30-12
monitoring 30-14
prerequisites 30-2
static NAT 30-10
Nokia VPN Client 64-35
non-secure Cisco UCM cluster, configuring phone proxy 48-15
No Payload Encryption 3-30
no proxy ARP 31-19
NSEL and syslog messages
redundant messages 78-2
NSEL configuration examples 78-12
NSEL feature history 78-14
NSEL licensing requirements 78-3
NSEL runtime counters
clearing 78-10
NTLM support 35-6
NT server
configuring 35-11
support 35-6
O
object groups
about 13-1
configuring 13-6
removing 13-11
object NAT
See network object NAT
open ports B-14
operating systems, posture validation exemptions 70-11
OSPF
area authentication 24-11
area MD5 authentication 24-11
area parameters 24-10
authentication key 24-9
authentication support 24-2
cost 24-9
dead interval 24-9
defining a static neighbor 24-12
interaction with NAT 24-2
interface parameters 24-8
link-state advertisement 24-2
logging neighbor states 24-13
LSAs 24-2
MD5 authentication 24-9
monitoring 24-16
NSSA 24-11
packet pacing 24-16
processes 24-2
redistributing routes 24-4
route calculation timers 24-13
route summarization 24-7
outbound access lists 34-3
output destination 77-5
output destinations 77-1, 77-6
e-mail address 77-1, 77-6
SNMP management station 77-1, 77-6
Telnet or SSH session 77-1, 77-6
outside, definition 1-22
oversubscribing resources 5-8
P
packet
capture 82-14
classifier 5-3
packet flow
routed firewall 4-17
transparent firewall 4-23
packet trace, enabling 82-7
paging screen displays A-5
parameter problem, ICMP message B-15
password
resetting on SSM hardware module 82-11
password management, Active Directory settings 67-28
passwords
changing 10-2
recovery 82-8
security appliance 10-1
username, setting 67-80
WebVPN 74-109
password-storage, username attribute 67-84
PAT
Easy VPN client mode 71-3
See dynamic PAT
pause frames for flow control 6-22
PDA support for WebVPN 74-78
peers
alerting before disconnecting 64-16
ISAKMP, determining ID method 64-13
performance, optimizing for WebVPN 74-81
permit in a crypto map 64-23
phone proxy
access lists 48-7
ASA role 47-3
certificates 48-15
Cisco IP Communicator 48-10
Cisco UCM supported versions 48-3
configuring mixed-mode Cisco UCM cluster 48-17
configuring non-secure Cisco UCM cluster 48-15
event recovery 48-41
IP phone addressing 48-9
IP phone provisioning 48-12
IP phones supported 48-3
Linksys routers, configuring 48-26
NAT and PAT requirements 48-8
ports 48-7
rate limiting 48-11
required certificates 48-16
sample configurations 48-43
SAST keys 48-41
TLS Proxy on ASA, described 47-3
troubleshooting 48-27
ping
See ICMP
ping of death attack 57-6
PKI protocol 41-11
PoE 7-4
policing
flow within a tunnel 54-11
policy, QoS 54-1
policy map
inspection 33-2
Layer 3/4
about 32-1
feature directionality 32-3
flows 32-6
pools, address
DHCP 11-3
port-forward
group policy attribute for Clientless SSL VPN 67-75
username attribute for Clientless SSL VPN 67-89
port-forwarding
enabling 8-6, 9-8
port-forward-name
group policy attribute for Clientless SSL VPN 67-76
username attribute for Clientless SSL VPN 67-90
ports
open on device B-14
phone proxy 48-7
TCP and UDP B-11
port translation
about 29-4
posture validation
exemptions 70-11
revalidation timer 70-10
uses, requirements, and limitations 70-1
power over Ethernet 7-4
PPPoE, configuring 72-1 to 72-5
prerequisites for use
CSC SSM 60-5
pre-shared key, Easy VPN client on the ASA 5505 71-7
primary unit, failover 62-2
printers 71-8
private networks B-2
privileged EXEC mode, accessing 2-1
privileged mode
accessing 2-1
prompt A-2
privilege level, username, setting 67-80
Product Authorization Key 3-33
prompts
command A-2
more A-5
protocol numbers and literal values B-11
Protocol pane (PIM)
description 26-10
proxied RPC request attack 57-7
proxy
See e-mail proxy
proxy ARP
NAT
NAT
proxy ARP 29-22
proxy ARP, disabling 21-11
proxy bypass 74-83
proxy servers
SIP and 44-19
PRSM 59-3
public key cryptography 41-2
Q
QoS
about 54-1, 54-3
DiffServ preservation 54-5
DSCP preservation 54-5
feature interaction 54-4
policies 54-1
priority queueing
IPSec anti-replay window 54-12
statistics 54-15
token bucket 54-2
traffic shaping
overview 54-4
viewing statistics 54-15
Quality of Service
See QoS
question mark
command string A-4
help A-4
queue, logging
changing the size of 77-15
viewing statistics 77-19
queue, QoS
latency, reducing 54-8
limit 54-2, 54-3
R
RADIUS
attributes C-27
Cisco AV pair C-13
configuring a AAA server C-27
configuring a server 35-11
downloadable access lists 38-14
network access authentication 38-4
network access authorization 38-14
support 35-4
RAS, H.323 troubleshooting 44-10
rate limit 77-19
rate limiting 54-3
rate limiting, phone proxy 48-11
RealPlayer 44-15
reboot, waiting until active sessions end 64-16
redirect, ICMP message B-15
redundancy, in site-to-site VPNs, using crypto maps 64-34
redundant interface
EtherChannel
converting existing interfaces 6-13
redundant interfaces
configuring 6-25
failover 6-10
MAC address 6-4
setting the active interface 6-27
Registration Authority description 41-2
regular expression 13-12
reloading
context 5-26
security appliance 82-8
remote access
IPSec tunnel group, configuring 67-8
restricting 67-84
tunnel group, configuring default 67-7
VPN, configuring 69-1, 69-15
remote management, ASA 5505 71-9
Request Filter pane
description 26-11
resetting the SSM hardware module password 82-11
resource management
about 5-8
assigning a context 5-21
class 5-16
configuring 5-8
default class 5-9
monitoring 5-29
oversubscribing 5-8
resource types 5-17
unlimited 5-9
resource usage 5-32
revalidation timer, Network Admission Control 70-10
revoked certificates 41-2
rewrite, disabling 74-83
RFCs for SNMP 79-29
RIP
authentication 25-2
definition of 25-1
enabling 25-4
support for 25-2
RIP panel
limitations 25-3
RIP Version 2 Notes 25-3
routed mode
about 4-1
NAT 29-13
setting 4-1
route map
definition 23-1
route maps
defining 23-4
uses 23-1
router
advertisement, ICMP message B-15
solicitation, ICMP message B-15
router advertisement messages 28-3
router advertisement transmission interval 28-8
router lifetime value 28-8
routes
about default 22-4
configuring default routes 22-4
configuring IPv6 default 22-5
configuring IPv6 static 22-5
configuring static routes 22-3
routing
other protocols 34-5
RSA
keys, generating 37-4, 41-9
RTSP inspection
about 44-15
configuring 44-15
rules
ICMP 37-10
running configuration
copying 81-8
saving 2-16
S
same security level communication
enabling 8-15, 9-18
SAs, lifetimes 64-29
SAST keys 48-41
SCCP (Skinny) inspection
about 44-25
configuration 44-25
configuring 44-25
SDI
configuring 35-11
support 35-5
secondary unit, failover 62-2
secure unit authentication 71-12
secure unit authentication, group policy 67-53
security, WebVPN 74-5, 74-13
Security Agent, Cisco 67-66
security appliance
CLI A-1
connecting to 2-1
managing licenses 3-1
managing the configuration 2-15
reloading 82-8
upgrading software 81-2
viewing files in Flash memory 81-1
security association
clearing 64-34
See also SAs
security attributes, group policy 67-46
security contexts
about 5-1
adding 5-18
admin context
about 5-2
changing 5-24
assigning to a resource class 5-21
cascading 5-6
changing between 5-23
classifier 5-3
command authorization 37-16
configuration
URL, changing 5-25
URL, setting 5-21
logging in 5-7
MAC addresses
automatically assigning 5-22
classifying using 5-3
managing 5-1, 5-23
mapped interface name 5-20
monitoring 5-27
multiple mode, enabling 5-15
nesting or cascading 5-7
prompt A-2
reloading 5-26
removing 5-24
resource management 5-8
resource usage 5-32
saving all configurations 2-17
unsupported features 5-14
VLAN allocation 5-20
security level
about 8-1
interface 8-8, 9-10, 9-12
security models for SNMP 79-16
sending messages to an e-mail address 77-10
sending messages to an SNMP server 77-11
sending messages to ASDM 77-11
sending messages to a specified output destination 77-16
sending messages to a syslog server 77-8
sending messages to a Telnet or SSH session 77-12
sending messages to the console port 77-11
sending messages to the internal log buffer 77-9
service policy
applying 32-17
default 32-17
interface 32-18
session management path 1-26
severity levels, of system log messages
changing 77-1
filtering by 77-1
list of 77-3
severity levels, of system messages
definition 77-3
SHA, IKE policy keywords (table) 64-9, 64-10, 64-11
shared license
backup server, configuring 3-37
backup server, information 3-25
client, configuring 3-37
communication issues 3-25
failover 3-25
maximum clients 3-27
monitoring 3-44
server, configuring 3-35
SSL messages 3-25
show command, filtering output A-4
showing cached Kerberos tickets 74-47
showing KCD status 74-46
simultaneous logins, username attribute 67-81
single mode
backing up configuration 5-15
configuration 5-15
enabling 5-15
restoring 5-16
single sign-on
See SSO
single-signon
group policy attribute for Clientless SSL VPN 67-77
username attribute for Clientless SSL VPN 67-92
SIP inspection
about 44-19
configuring 44-19
instant messaging 44-19
timeouts 44-24
troubleshooting 44-24
site-to-site VPNs, redundancy 64-34
Smart Call Home monitoring 80-19
smart tunnels 74-48
SMTP inspection 43-31
SNMP
about 79-1
failover 79-17
management station 77-1, 77-6
prerequisites 79-17
SNMP configuration 79-18
SNMP groups 79-16
SNMP hosts 79-16
SNMP monitoring 79-26, 79-27
SNMP terminology 79-2
SNMP traps 79-2
SNMP users 79-16
SNMP Version 3 79-15, 79-23
SNMP Versions 1 and 2c 79-22
source quench, ICMP message B-15
SPAN 7-4
Spanning Tree Protocol, unsupported 7-8
speed, configuring 6-11, 7-5
split tunneling
ASA 5505 as Easy VPN client 71-8
group policy 67-49
group policy, domains 67-52
SSCs
management access 58-4
management defaults 58-6
management interface 58-11
password reset 58-23, 60-15
reload 58-24, 60-16
reset 58-24, 60-16
routing 58-8
sessioning to 58-10
shutdown 58-24, 60-16
SSH
authentication 37-19
concurrent connections 37-2
login 37-5
password 10-1
RSA key 37-4
username 37-5
SSL
certificate 74-11
used to access the security appliance 74-6
SSL/TLS encryption protocols
configuring 74-10
WebVPN 74-10
SSL VPN Client
compression 75-16
DPD 75-15
enabling
permanent installation 75-7
installing
order 75-6
keepalive messages 75-16
viewing sessions 75-19
SSMs
loading an image 58-21, 58-23, 60-14
management access 58-4
management defaults 58-6
password reset 58-23, 60-15
reload 58-24, 60-16
reset 58-24, 60-16
routing 58-8
sessioning to 58-10
shutdown 58-24, 60-16
sso-server
group policy attribute for Clientless SSL VPN 67-77
username attribute for Clientless SSL VPN 67-92
SSO with WebVPN 74-13 to ??
configuring HTTP Basic and NTLM authentication 74-14
configuring HTTP form protocol 74-20
configuring SiteMinder 74-15, 74-17
startup configuration
copying 81-8
saving 2-16
statd buffer overflow attack 57-8
Stateful Failover
about 61-10
state information 61-10
state link 61-4
stateful inspection 1-25
bypassing 53-3
state information 61-10
state link 61-4
static ARP entry 4-11
static bridge entry 4-15
Static Group pane
description 26-6
static NAT
about 29-3
few-to-many mapping 29-7
many-to-few mapping 29-6, 29-7
network object NAT 30-10
twice NAT 31-15
static NAT with port translation
about 29-4
static routes
configuring 22-3
statistics, QoS 54-15
stealth firewall
See transparent firewall
stuck-in-active 27-2
subcommand mode prompt A-2
subinterfaces, adding 6-30
subnet masks
/bits B-3
about B-2
address range B-4
determining B-3
dotted decimal B-3
number of hosts B-3
Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 74-66
Sun RPC inspection
about 45-3
configuring 45-3
SVC
See SSL VPN Client
switch MAC address table 4-14
switch ports
access ports 7-7
protected 7-8, 7-10
SPAN 7-4
trunk ports 7-9
Sygate Personal Firewall 67-67
SYN attacks, monitoring 5-33
SYN cookies 5-33
syntax formatting A-3
syslogd server program 77-5
syslog messages
analyzing 77-2
syslog messaging for SNMP 79-27
syslog server
designating more than one as output destination 77-5
EMBLEM format
configuring 77-14
enabling 77-8, 77-14
system configuration 5-2
system log messages
classes 77-4
classes of 77-4
configuring in groups
by message list 77-4
by severity level 77-1
device ID, including 77-17
disabling logging of 77-1
filtering by message class 77-4
managing in groups
by message class 77-16
output destinations 77-1, 77-6
syslog message server 77-6
Telnet or SSH session 77-6
severity levels
about 77-3
changing the severity level of a message 77-1
timestamp, including 77-18
T
TACACS+
command authorization, configuring 37-29
configuring a server 35-11
network access authorization 38-11
support 35-5
tail drop 54-3
TCP
ASA 5505 as Easy VPN client 71-4
connection limits per context 5-17
ports and literal values B-11
sequence number randomization
disabling using Modular Policy Framework 53-12, 53-14
TCP FIN only flags attack 57-7
TCP Intercept
enabling using Modular Policy Framework 53-12, 53-14
monitoring 5-33
TCP normalization 53-3
TCP NULL flags attack 57-6
TCP state bypass
AAA 53-5
configuring 53-10
failover 53-5
firewall mode 53-5
inspection 53-5
multiple context mode 53-5
NAT 53-5
SSMs and SSCs 53-5
TCP Intercept 53-5
TCP normalization 53-5
unsupported features 53-5
TCP SYN+FIN flags attack 57-6
Telnet
allowing management access 37-1
authentication 37-19
concurrent connections 37-2
login 37-4
password 10-1
template timeout intervals
configuring for flow-export actions 78-7
temporary license 3-21
testing configuration 82-1
threat detection
basic
drop types 56-2
enabling 56-4
overview 56-2
rate intervals 56-2
rate intervals, setting 56-4
statistics, viewing 56-5
system performance 56-3
scanning
attackers, viewing 56-18
default limits, changing 56-17
enabling 56-17
host database 56-15
overview 56-15
shunned hosts, releasing 56-18
shunned hosts, viewing 56-17
shunning attackers 56-17
system performance 56-15
targets, viewing 56-18
scanning statistics
enabling 56-7
system performance 56-6
viewing 56-9
time exceeded, ICMP message B-15
time ranges, access lists 13-16
timestamp, including in system log messages 77-18
timestamp reply, ICMP message B-15
timestamp request, ICMP message B-15
TLS1, used to access the security appliance 74-6
TLS Proxy
applications supported by ASA 47-3
Cisco Unified Presence architecture 51-1
configuring for Cisco Unified Presence 51-8
licenses 47-4, 49-5, 50-6, 51-7, 52-8
token bucket 54-2
toolbar, floating, WebVPN 74-89
traffic flow
routed firewall 4-17
transparent firewall 4-23
traffic shaping
overview 54-4
transform set
creating 69-1, 69-10
definition 64-19
transmit queue ring limit 54-2, 54-3
transparent firewall
about 4-2
ARP inspection
about 4-10
enabling 4-12
static entry 4-11
data flow 4-23
DHCP packets, allowing 34-5
guidelines 4-7
H.323 guidelines 4-4
HSRP 4-4
MAC address timeout 4-15
MAC learning, disabling 4-16
management IP address 9-7
multicast traffic 4-4
packet handling 34-5
static bridge entry 4-15
unsupported features 4-7
VRRP 4-4
transparent mode
NAT 29-13
troubleshooting
H.323 44-9
H.323 RAS 44-10
phone proxy 48-27
SIP 44-24
troubleshooting SNMP 79-24
trunk, 802.1Q 6-30
trunk ports 7-9
Trusted Flow Acceleration
failover 65-7
modes 4-6, 4-10, 4-14, 15-1, 34-7, 63-7, 65-7
trustpoint 41-3
trustpoint, ASA 5505 client 71-7
trust relationship
Cisco Unified Mobility 50-5
Cisco Unified Presence 51-4
tunnel
ASA 5505 as Easy VPN client 71-5
IPsec 64-19
security appliance as a tunnel endpoint 64-2
tunnel group
ASA 5505 as Easy VPN client 71-7
configuring 67-6
creating 67-8
default 64-19, 67-1, 67-2
default, remote access, configuring 67-7
default LAN-to-LAN, configuring 67-17
definition 67-1, 67-2
general parameters 67-3
inheritance 67-1
IPSec parameters 67-4
LAN-to-LAN, configuring 67-17
name and type 67-8
remote access, configuring 69-11
remote-access, configuring 67-8
tunnel-group
general attributes 67-3
tunnel-group ISAKMP/IKE keepalive settings 67-4
tunneling, about 64-1
tunnel mode 65-2
twice NAT
about 29-17
comparison with network object NAT 29-16
configuring 31-1
dynamic NAT 31-4
dynamic PAT 31-8
examples 31-24
guidelines 31-2
identity NAT 31-20
monitoring 31-24
prerequisites 31-2
static NAT 31-15
tx-ring-limit 54-2, 54-3
U
UDP
bomb attack 57-7
chargen DoS attack 57-7
connection limits per context 5-17
connection state information 1-26
ports and literal values B-11
snork attack 57-7
unreachable, ICMP message B-15
unreachable messages
required for MTU discovery 37-10
url-list
group policy attribute for Clientless SSL VPN 67-74
username attribute for Clientless SSL VPN 67-89
URLs
context configuration, changing 5-25
context configuration, setting 5-21
filtering 39-1
filtering, about 39-7
filtering, configuration 39-11
user, VPN
definition 67-1
user access, restricting remote 67-84
user authentication, group policy 67-53
user EXEC mode
accessing 2-1
prompt A-2
username
adding 35-20
clientless authentication 70-14
encrypted 35-23
management tunnels 71-9
password 35-23
WebVPN 74-109
Xauth for Easy VPN client 71-4
username attributes
access hours 67-81
configuring 67-79, 67-80
group-lock 67-84
inheritance 67-81
password, setting 67-80
password-storage 67-84
privilege level, setting 67-80
simultaneous logins 67-81
vpn-filter 67-82
vpn-framed-ip-address 67-83
vpn-idle timeout 67-82
vpn-session-timeout 67-82
vpn-tunnel-protocol 67-83
username attributes for Clientless SSL VPN
auto-signon 67-91
customization 67-87
deny message 67-87
filter (access list) 67-88
homepage 67-86
html-content-filter 67-86
keep-alive ignore 67-90
port-forward 67-89
port-forward-name 67-90
sso-server 67-92
url-list 67-89
username configuration, viewing 67-79
username webvpn mode 67-85
users
SNMP 79-16
U-turn 64-26
V
VeriSign, configuring CAs example 41-4
viewing QoS statistics 54-15
viewing RMS 81-19
virtual cluster 66-6
IP address 66-6
master 66-6
virtual firewalls
See security contexts
virtual HTTP 38-3
virtual reassembly 1-23
virtual sensors 58-15
VLAN mapping 67-44
VLANs 6-30
802.1Q trunk 6-30
allocating to a context 5-20
ASA 5505
MAC addresses 7-4
maximum 7-2
mapped interface name 5-20
subinterfaces 6-30
VoIP
proxy servers 44-19
troubleshooting 44-9
VPN
address pool, configuring (group-policy) 67-62
address range, subnets B-4
parameters, general, setting 66-1
setting maximum number of IPSec sessions 66-3
VPN attributes, group policy 67-42
VPN client
NAT rules 29-20
VPN Client, IPsec attributes 64-2
vpn-filter username attribute 67-82
VPN flex license 3-21
vpn-framed-ip-address username attribute 67-83
VPN hardware client, group policy attributes 67-53
vpn-idle-timeout username attribute 67-82
vpn load balancing
See load balancing 66-6
vpn-session-timeout username attribute 67-82
vpn-tunnel-protocol username attribute 67-83
VRRP 4-4
W
WCCP 40-1
web caching 40-1
web clients, secure authentication 38-6
web e-Mail (Outlook Web Access), Outlook Web Access 74-80
WebVPN
assigning users to group policies 74-31, 74-32
authenticating with digital certificates 74-28, 74-29
CA certificate validation not done 74-5
client application requirements 74-110
client requirements 74-110
configuring
e-mail 74-79
configuring WebVPN and ASDM on the same interface 74-7
cookies 74-10
defining the end-user interface 74-88
definition 74-2
e-mail 74-79
e-mail proxies 74-79
end user set-up 74-87
floating toolbar 74-89
group policy attributes, configuring 74-33
hosts file 74-72
hosts files, reconfiguring 74-73
HTTP/HTTPS proxy, setting 74-11
Java object signing 74-82
PDA support 74-78
security precautions 74-5, 74-13
security tips 74-109
setting HTTP/HTTPS proxy 74-8
SSL/TLS encryption protocols 74-10
supported applications 74-110
troubleshooting 74-72
unsupported features 74-4
use of HTTPS 74-7
usernames and passwords 74-109
use suggestions 74-87, 74-110
WebVPN, Application Access Panel 74-88
webvpn attributes
group policy 67-70
welcome message, group policy 67-48
WINS server, configuring 67-40
X
Xauth, Easy VPN client 71-4
XOFF frames 6-22
Z
Zone Labs firewalls 67-67
Zone Labs Integrity Server 67-64