Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6
Index

Symbols

/bits subnet masks B-3

?

command string A-4

help A-4

Numerics

4GE SSM

connector types 6-12

fiber 6-12

SFP 6-12

802.1Q tagging 7-9

802.1Q trunk 6-30

A

AAA

about 35-1

accounting 38-18

addressing, configuring 68-2

authentication

CLI access 37-19

network access 38-2

privileged EXEC mode 37-19

authorization

command 37-22

downloadable access lists 38-14

network access 38-11

local database support 35-8

performance 38-1

server 77-4

adding 35-11

types 35-1

support summary 35-3

web clients 38-6

abbreviating commands A-3

ABR

definition of 24-2

Access Control Server 70-4, 70-13

Access Group pane

description 26-7

access hours, username attribute 67-81

accessing the security appliance using SSL 74-6

accessing the security appliance using TLS1 74-6

access list filter, username attribute 67-82

access lists

about 14-1

ACE logging, configuring 20-1

deny flows, managing 20-5

downloadable 38-14

exemptions from posture validation 70-11

global access rules 34-2

group policy WebVPN filter 67-74

implicit deny 14-3, 34-3

inbound 34-3

IP address guidelines 14-3

IPsec 64-27

IPv6

about 19-1

configuring 19-4

default settings 19-3

logging 20-1

NAT guidelines 14-3

Network Admission Control, default 70-10

object groups 13-2

outbound 34-3

phone proxy 48-7

remarks 15-5

scheduling activation 13-16

types 14-1

username for Clientless SSL VPN 67-88

access ports 7-7

ACEs

See access lists

activation key

entering 3-33

location 3-32

obtaining 3-33

Active/Active failover

about 63-1

actions 63-5

command replication 63-3

configuration synchronization 63-3

configuring

asymmetric routing support 63-18

failover criteria 63-16

failover group preemption 63-12

HTTP replication 63-14

interface monitoring 63-14

virtual MAC addresses 63-16

device initialization 63-3

duplicate MAC addresses, avoiding 63-2, 63-17

optional settings

about 63-6

configuring 63-12

primary status 63-2

secondary status 63-2

triggers 63-4

Active/Standby failover

about 62-1

actions 62-4

command replication 62-3

configuration synchronization 62-2

device initialization 62-2

primary unit 62-2

secondary unit 62-2

triggers 62-4

Active Directory, settings for password management 67-28

Active Directory procedures C-16 to ??

ActiveX filtering 39-2

Adaptive Security Algorithm 1-25

Add/Edit Access Group dialog box

description 26-7

Add/Edit IGMP Join Group dialog box

description 26-6

Add/Edit OSPF Neighbor Entry dialog box 24-12

admin context

about 5-2

changing 5-24

administrative access

using ICMP for 37-11

administrative distance 22-3, 22-5

Advanced Encryption Standard (AES) 64-9, 64-10

AIP

See IPS module

AIP SSC

loading an image 58-21, 58-23, 60-14

AIP SSM

about 58-1

loading an image 58-21, 58-23, 60-14

port-forwarding

enabling 8-6, 9-8

alternate address, ICMP message B-15

analyzing syslog messages 77-2

Application Access Panel, WebVPN 74-88

application access using Clientless SSL VPN

group policy attribute for Clientless SSL VPN 67-75

username attribute for Clientless SSL VPN 67-89

application access using WebVPN

and hosts file errors 74-72

quitting properly 74-73

application inspection

about 42-1

applying 42-6

configuring 42-6

inspection class map 33-6

inspection policy map 33-2

security level requirements 8-2, 9-2

special actions 33-1

Application Profile Customization Framework 74-84

area border router 24-2

ARP

NAT 29-22

ARP inspection

about 4-10

enabling 4-12

static entry 4-11

ARP spoofing 4-10

ARP test, failover 61-15

ASA (Adaptive Security Algorithm) 1-25

ASA 5505

Base license 7-2

client

authentication 71-12

configuration restrictions, table 71-2

device pass-through 71-8

group policy attributes pushed to 71-10

mode 71-3

remote management 71-9

split tunneling 71-8

TCP 71-4

trustpoint 71-7

tunnel group 71-7

tunneling 71-5

Xauth 71-4

MAC addresses 7-4

maximum VLANs 7-2

native VLAN support 7-10

non-forwarding interface 7-7

power over Ethernet 7-4

protected switch ports 7-8, 7-10

Security Plus license 7-2

server (headend) 71-1

SPAN 7-4

Spanning Tree Protocol, unsupported 7-8

ASA 5550 throughput 8-6, 9-9

ASA CX module

about 59-1

ASA feature compatibility 59-4

authentication proxy

about 59-3

port 59-10

troubleshooting 59-20

basic settings 59-7

cabling 59-6

configuration 59-6

debugging 59-19

failover 59-5

licensing 59-4

management access 59-2

management defaults 59-5

management IP address 59-7

monitoring 59-12

password reset 59-17

PRSM 59-3

reload 59-18

security policy 59-9

sending traffic to 59-11

shutdown 59-19

traffic flow 59-2

VPN 59-4

ASBR

definition of 24-2

ASDM software

allowing access 37-6

installing 81-2

ASR 63-18

asymmetric routing

TCP state bypass 53-4

asymmetric routing support 63-18

attacks

DNS HINFO request 57-7

DNS request for all records 57-7

DNS zone transfer 57-7

DNS zone transfer from high port 57-7

fragmented ICMP traffic 57-6

IP fragment 57-4

IP impossible packet 57-4

large ICMP traffic 57-6

ping of death 57-6

proxied RPC request 57-7

statd buffer overflow 57-8

TCP FIN only flags 57-7

TCP NULL flags 57-6

TCP SYN+FIN flags 57-6

UDP bomb 57-7

UDP chargen DoS 57-7

UDP snork 57-7

attributes

RADIUS C-27

username 67-80

attribute-value pairs

TACACS+ C-38

attribute-value pairs (AVP) 67-36

authentication

about 35-2

ASA 5505 as Easy VPN client 71-12

CLI access 37-19

FTP 38-3

HTTP 38-3

network access 38-2

privileged EXEC mode 37-19

Telnet 38-3

web clients 38-6

WebVPN users with digital certificates 74-28, 74-29

authorization

about 35-2

command 37-22

downloadable access lists 38-14

network access 38-11

Auto-MDI/MDIX 6-2, 7-4

auto-signon

group policy attribute for Clientless SSL VPN 67-73

username attribute for Clientless SSL VPN 67-91

Auto-Update, configuring 81-16

B

backup server attributes, group policy 67-56

Baltimore Technologies, CA server support 41-4

banner message, group policy 67-48

basic threat detection

See threat detection

before configuring KCD 74-44

bits subnet masks B-3

Black Ice firewall 67-67

Botnet Traffic Filter

actions 55-2

address categories 55-2

blacklist

adding entries 55-9

description 55-2

blocking traffic manually 55-15

classifying traffic 55-12

configuring 55-6

databases 55-2

default settings 55-6

DNS Reverse Lookup Cache

information about 55-4

maximum entries 55-4

using with dynamic database 55-10

DNS snooping 55-10

dropping traffic 55-13

graylist 55-13

dynamic database

enabling use of 55-7

files 55-3

information about 55-2

searching 55-16

updates 55-7

examples 55-19

feature history 55-22

graylist

description 55-2

dropping traffic 55-13

guidelines and limitations 55-6

information about 55-1

licensing 55-6

monitoring 55-17

static database

adding entries 55-9

information about 55-3

syslog messages 55-17

task flow 55-7

threat level

dropping traffic 55-13

whitelist

adding entries 55-9

description 55-2

working overview 55-5

bridge

entry timeout 4-15

table, See MAC address table

broadcast Ping test 61-15

building blocks 13-1

bypass authentication 71-8

bypassing firewall checks 53-3

C

CA

certificate validation, not done in WebVPN 74-5

CRLs and 41-2

public key cryptography 41-2

revoked certificates 41-2

supported servers 41-4

cached Kerberos tickets

clearing 74-48

showing 74-47

caching 74-81

capturing packets 82-14

cascading access lists 64-23

CA server

Digicert 41-4

Geotrust 41-4

Godaddy 41-4

iPlanet 41-4

Netscape 41-4

RSA Keon 41-4

Thawte 41-4

certificate

authentication, e-mail proxy 74-79

Cisco Unified Mobility 50-5

Cisco Unified Presence 51-4

enrollment protocol 41-11

group matching

configuring 64-17

rule and policy, creating 64-17

Certificate Revocation Lists

See CRLs

certificates

phone proxy 48-15

required by phone proxy 48-16

change query interval 26-8

change query response time 26-8

change query timeout value 26-8

changing between contexts 5-23

changing the severity level 77-18

Cisco-AV-Pair LDAP attributes C-13

Cisco Integrated Firewall 67-66

Cisco IOS CS CA

server support 41-4

Cisco IP Communicator 48-10

Cisco IP Phones

DHCP 11-6

Cisco IP Phones, application inspection 44-25

Cisco Security Agent 67-66

Cisco Trust Agent 70-13

Cisco UMA. See Cisco Unified Mobility.

Cisco Unified Mobility

architecture 50-2

ASA role 47-2, 47-3

certificate 50-5

functionality 50-1

NAT and PAT requirements 50-3, 50-4

trust relationship 50-5

Cisco Unified Presence

ASA role 47-2, 47-3

configuring the TLS Proxy 51-8

debugging the TLS Proxy 51-14

NAT and PAT requirements 51-2

sample configuration 51-14

trust relationship 51-4

Cisco UP. See Cisco Unified Presence.

Class A, B, and C addresses B-1

class-default class map 32-9

classes, logging

filtering messages by 77-16

message class variables 77-4

types 77-4

classes, resource

See resource management

class map

inspection 33-6

Layer 3/4

management traffic 32-14

match commands 32-12, 32-15

through traffic 32-12

regular expression 13-15

clearing cached Kerberos tickets 74-48

CLI

abbreviating commands A-3

adding comments A-5

command line editing A-3

command output paging A-5

displaying A-5

help A-4

paging A-5

syntax formatting A-3

client

VPN 3002 hardware, forcing client update 66-4

Windows, client update notification 66-4

client access rules, group policy 67-68

client firewall, group policy 67-63

clientless authentication 70-13

Clientless SSL VPN

configuring for specific users 67-85

client mode 71-3

client update, performing 66-4

cluster

IP address, load balancing 66-6

load balancing configurations 66-9

mixed scenarios 66-10

virtual 66-6

command authorization

about 37-14

configuring 37-22

multiple contexts 37-16

command prompts A-2

comments

configuration A-5

configuration

clearing 2-18

comments A-5

factory default

commands 2-10

restoring 2-11

saving 2-16

text file 2-19

URL for a context 5-21

viewing 2-18

configuration examples

CSC SSM 60-16

logging 77-20

configuration examples for SNMP 79-28

configuration mode

accessing 2-2

prompt A-2

connection blocking 57-2

connection limits

configuring 53-1

per context 5-17

connect time, maximum, username attribute 67-82

console port logging 77-11

content transformation, WebVPN 74-82

context mode 27-2

context modes 22-2, 23-3, 24-3, 25-3, 26-3, 60-6

contexts

See security contexts

conversion error, ICMP message B-15

cookies, enabling for WebVPN 74-10

copying files using copy smb command 81-8

Coredump 82-14

CRACK protocol 64-35

crash dump 82-14

creating a custom event list 77-13

crypto map

access lists 64-27

applying to interfaces 64-26, 73-10

clearing configurations 64-35

creating an entry to use the dynamic crypto map 69-13

definition 64-20

dynamic 64-32

dynamic, creating 69-12

entries 64-20

examples 64-28

policy 64-21

crypto show commands table 64-34

CSC SSM

about 60-1

loading an image 58-21, 58-23, 60-14

sending traffic to 60-10

what to scan 60-3

CSC SSM feature history 60-18

custom firewall 67-67

customization, Clientless SSL VPN

group policy attribute 67-71

login windows for users 67-27

username attribute 67-87

username attribute for Clientless SSL VPN 67-24

custom messages list

logging output destination 77-4

cut-through proxy

AAA performance 38-1

CX module

about 59-1

ASA feature compatibility 59-4

authentication proxy

about 59-3

port 59-10

troubleshooting 59-20

basic settings 59-7

cabling 59-6

configuration 59-6

debugging 59-19

failover 59-5

licensing 59-4

management access 59-2

management defaults 59-5

management IP address 59-7

monitoring 59-12

password reset 59-17

PRSM 59-3

reload 59-18

security policy 59-9

sending traffic to 59-11

shutdown 59-19

traffic flow 59-2

VPN 59-4

D

data flow

routed firewall 4-17

transparent firewall 4-23

date and time in messages 77-18

DDNS 12-2

debug messages 82-13

default

class 5-9

DefaultL2Lgroup 67-1

DefaultRAgroup 67-1

domain name, group policy 67-51

group policy 67-1, 67-8, 67-36

LAN-to-LAN tunnel group 67-17

remote access tunnel group, configuring 67-7

routes, defining equal cost routes 22-4

tunnel group 64-19, 67-2

default configuration

commands 2-10

restoring 2-11

default policy 32-7

default routes

about 22-4

configuring 22-4

delay sending flow-create events

flow-create events

delay sending 78-9

deleting files from Flash 81-2

deny flows, logging 20-5

deny in a crypto map 64-23

deny-message

group policy attribute for Clientless SSL VPN 67-71

username attribute for Clientless SSL VPN 67-87

DES, IKE policy keywords (table) 64-9, 64-10

device ID, including in messages 77-17

device ID in messages 77-17

device pass-through, ASA 5505 as Easy VPN client 71-8

DfltGrpPolicy 67-37

DHCP

addressing, configuring 68-3

Cisco IP Phones 11-6

options 11-4

relay 11-7

server 11-3

transparent firewall 34-5

DHCP Intercept, configuring 67-52

DHCP Relay panel 12-6

DHCP services 10-6

Diffie-Hellman

Group 5 64-10, 64-11

groups supported 64-10, 64-11

DiffServ preservation 54-5

digital certificates

authenticating WebVPN users 74-28, 74-29

SSL 74-11

directory hierarchy search C-3

disabling content rewrite 74-83

disabling messages 77-18

disabling messages, specific message IDs 77-18

DMZ, definition 1-22

DNS

dynamic 12-2

inspection

about 43-2

managing 43-1

rewrite, about 43-2

rewrite, configuring 43-3

NAT effect on 29-24

server, configuring 10-11, 67-40

DNS HINFO request attack 57-7

DNS request for all records attack 57-7

DNS zone transfer attack 57-7

DNS zone transfer from high port attack 57-7

domain attributes, group policy 67-51

domain name 10-3

dotted decimal subnet masks B-3

downloadable access lists

configuring 38-14

converting netmask expressions 38-18

DSCP preservation 54-5

dual IP stack, configuring 8-2

dual-ISP support 22-6

duplex, configuring 6-11, 7-5

dynamic crypto map 64-32

creating 69-12

See also crypto map

Dynamic DNS 12-2

dynamic NAT

about 29-8

network object NAT 30-4

twice NAT 31-4

dynamic PAT

network object NAT 30-6

See also NAT

twice NAT 31-8

E

Easy VPN

client

authentication 71-12

configuration restrictions, table 71-2

enabling and disabling 71-1

group policy attributes pushed to 71-10

mode 71-3

remote management 71-9

trustpoint 71-7

tunnels 71-9

Xauth 71-4

server (headend) 71-1

Easy VPN client

ASA 5505

device pass-through 71-8

split tunneling 71-8

TCP 71-4

tunnel group 71-7

tunneling 71-5

echo reply, ICMP message B-15

ECMP 22-3

editing command lines A-3

egress VLAN for VPN sessions 67-44

EIGRP 34-5

DUAL algorithm 27-2

hello interval 27-13

hello packets 27-1

hold time 27-2, 27-13

neighbor discovery 27-1

stub routing 27-3

stuck-in-active 27-2

e-mail

configuring for WebVPN 74-79

proxies, WebVPN 74-79

proxy, certificate authentication 74-79

WebVPN, configuring 74-79

enable command 2-1

enabling logging 77-6

enabling secure logging 77-16

end-user interface, WebVPN, defining 74-88

Enterprises 11-6

Entrust, CA server support 41-4

established command, security level requirements 8-2, 9-2

EtherChannel

adding interfaces 6-27

channel group 6-27

compatibility 6-5

converting existing interfaces 6-13

example 6-34

failover 6-10

guidelines 6-10

interface requirements 6-5

LACP 6-6

load balancing

configuring 6-29

overview 6-7

MAC address 6-7

management interface 6-27

maximum interfaces 6-29

minimum interfaces 6-29

mode

active 6-6

on 6-7

passive 6-6

monitoring 6-33

overview 6-5

port priority 6-27

system priority 6-29

Ethernet

Auto-MDI/MDIX 6-2, 7-4

duplex 6-11, 7-5

jumbo frames, ASA 5580 6-32

MTU 8-11, 9-14

speed 6-11, 7-5

EtherType access list

compatibility with extended access lists 34-2

implicit deny 34-3

evaluation license 3-21

exporting NetFlow records 78-5

extended ACLs

configuring

for management traffic 15-2

external group policy, configuring 67-39

F

facility, syslog 77-8

factory default configuration

commands 2-10

restoring 2-11

failover

about 61-1

Active/Active, See Active/Active failover

Active/Standby, See Active/Standby failover

configuration file

terminal messages, Active/Active 63-3

terminal messages, Active/Standby 62-2

contexts 62-2

debug messages 61-16

disabling 62-18, 63-24

Ethernet failover cable 61-3

failover link 61-3

forcing 62-17, 63-23

guidelines 60-6, 79-17

health monitoring 61-14

interface health 61-15

interface monitoring 61-15

interface tests 61-15

link communications 61-3

MAC addresses

about 62-2

automatically assigning 5-12

monitoring, health 61-14

network tests 61-15

primary unit 62-2

redundant interfaces 6-10

restoring a failed group 62-18, 63-24

restoring a failed unit 62-18, 63-24

secondary unit 62-2

SNMP syslog traps 61-17

Stateful Failover, See Stateful Failover

state link 61-4

system log messages 61-16

system requirements 61-2

testing 62-18, 63-24

Trusted Flow Acceleration 65-7

type selection 61-8

unit health 61-14

fast path 1-26

fiber interfaces 6-12

Fibre Channel interfaces

default settings 16-2, 17-2, 18-2, 34-7

filter (access list)

group policy attribute for Clientless SSL VPN 67-74

username attribute for Clientless SSL VPN 67-88

filtering

ActiveX 39-2

FTP 39-14

Java applet 39-4

Java applets 39-4

security level requirements 8-2, 9-2

servers supported 39-6

show command output A-4

URLs 39-1, 39-7

filtering messages 77-4

firewall

Black Ice 67-67

Cisco Integrated 67-66

Cisco Security Agent 67-66

custom 67-67

Network Ice 67-67

none 67-66

Sygate personal 67-67

Zone Labs 67-67

firewall mode

about 4-1

configuring 4-1

firewall policy, group policy 67-63

Flash memory

removing files 81-2

flash memory available for logs 77-15

flow control for 10 Gigabit Ethernet 6-22

flow-export actions 78-4

format of messages 77-3

fragmentation policy, IPsec 64-15

fragmented ICMP traffic attack 57-6

fragment protection 1-23

fragment size 57-2

FTP inspection

about 43-11

configuring 43-11

G

general attributes, tunnel group 67-3

general parameters, tunnel group 67-3

general tunnel-group connection parameters 67-3

generating RSA keys 41-9

global e-mail proxy attributes 74-79

global IPsec SA lifetimes, changing 64-29

group-lock, username attribute 67-84

group policy

address pools 67-62

attributes 67-40

backup server attributes 67-56

client access rules 67-68

configuring 67-39

default domain name for tunneled packets 67-51

definition 67-1, 67-36

domain attributes 67-51

Easy VPN client, attributes pushed to ASA 5505 71-10

external, configuring 67-39

firewall policy 67-63

hardware client user idle timeout 67-54

internal, configuring 67-40

IP phone bypass 67-54

IPSec over UDP attributes 67-49

LEAP Bypass 67-55

network extension mode 67-55

security attributes 67-46

split tunneling attributes 67-49

split-tunneling domains 67-52

user authentication 67-53

VPN attributes 67-42

VPN hardware client attributes 67-53

webvpn attributes 67-70

WINS and DNS servers 67-40

group policy, default 67-36

group policy, secure unit authentication 67-53

group policy attributes for Clientless SSL VPN

application access 67-75

auto-signon 67-73

customization 67-71

deny-message 67-71

filter 67-74

home page 67-73

html-content filter 67-72

keep-alive-ignore 67-76

port forward 67-75

port-forward-name 67-76

sso-server 67-77

url-list 67-74

groups

SNMP 79-16

GTP inspection

about 46-3

configuring 46-3

H

H.225 timeouts 44-9

H.245 troubleshooting 44-10

H.323

transparent firewall guidelines 4-4

H.323 inspection

about 44-4

configuring 44-3

limitations 44-5

troubleshooting 44-10

hairpinning 64-26

hardware client, group policy attributes 67-53

help, command line A-4

high availability

about 61-1

HMAC hashing method 64-2, 73-3

hold-period 70-17

homepage

group policy attribute for Clientless SSL VPN 67-73

username attribute for Clientless SSL VPN 67-86

host

SNMP 79-16

hostname

configuring 10-2

in banners 10-2

multiple context mode 10-2

hosts, subnet masks for B-3

hosts file

errors 74-72

reconfiguring 74-73

WebVPN 74-72

HSRP 4-4

html-content-filter

group policy attribute for Clientless SSL VPN 67-72

username attribute for Clientless SSL VPN 67-86

HTTP

filtering 39-1

HTTP(S)

authentication 37-19

filtering 39-7

HTTP/HTTPS Web VPN proxy, setting 74-11

HTTP compression, Clientless SSL VPN, enabling 67-76, 67-91

HTTP inspection

about 43-16

configuring 43-16

HTTP redirection for login, Easy VPN client on the ASA 5505 71-12

HTTPS/Telnet/SSH

allowing network or host access to ASDM 37-1

HTTPS for WebVPN sessions 74-7

hub-and-spoke VPN scenario 64-26

I

ICMP

rules for access to ASDM 37-11

testing connectivity 82-1

type numbers B-15

identity NAT

about 29-11

network object NAT 30-12

twice NAT 31-20

idle timeout

hardware client user, group policy 67-54

username attribute 67-82

ID method for ISAKMP peers, determining 64-13

IKE

benefits 64-2, 73-3

creating policies 64-11

keepalive setting, tunnel group 67-4

pre-shared key, Easy VPN client on the ASA 5505 71-7

See also ISAKMP

IKEv1 64-19

ILS inspection 45-1

IM 44-19

implementing SNMP 79-16

inbound access lists 34-3

Individual user authentication 71-12

information reply, ICMP message B-15

information request, ICMP message B-15

inheritance

tunnel group 67-1

username attribute 67-81

inside, definition 1-22

inspection_default class-map 32-9

inspection engines

See application inspection

Instant Messaging inspection 44-19

intercept DHCP, configuring 67-52

interface

MTU 8-11, 9-14

interfaces

ASA 5505

enabled status 7-7

MAC addresses 7-4

maximum VLANs 7-2

non-forwarding 7-7

protected switch ports 7-8, 7-10

switch port configuration 7-7

trunk ports 7-9

ASA 5550 throughput 8-6, 9-9

configuring for remote access 69-7

default settings 16-2, 17-2, 18-2, 34-7, 60-6

duplex 6-11, 7-5

enabling 6-24

failover monitoring 61-15

fiber 6-12

IDs 6-23

IP address 8-7, 9-12

MAC addresses

automatically assigning 5-22

manually assigning to interfaces 8-11, 9-14

mapped name 5-20

naming, physical and subinterface 8-7, 9-10, 9-11

redundant 6-25

SFP 6-12

speed 6-11, 7-5

subinterfaces 6-30

internal group policy, configuring 67-40

Internet Security Association and Key Management Protocol

See ISAKMP

IP addresses

classes B-1

configuring an assignment method for remote access clients 68-1

configuring for VPNs 68-1

configuring local IP address pools 68-2

interface 8-7, 9-12

management, transparent firewall 9-7

private B-2

subnet mask B-4

IP fragment attack 57-4

IP impossible packet attack 57-4

IP overlapping fragments attack 57-5

IP phone 71-8

phone proxy provisioning 48-12

IP phone bypass, group policy 67-54

IP phones

addressing requirements for phone proxy 48-9

supported for phone proxy 48-3

IPSec

anti-replay window 54-12

modes 65-2

over UDP, group policy, configuring attributes 67-49

remote-access tunnel group 67-8

setting maximum active VPN sessions 66-3

IPsec

access list 64-27

basic configuration with static crypto maps 64-29

Cisco VPN Client 64-2

configuring 64-1, 64-19

crypto map entries 64-20

fragmentation policy 64-15

over NAT-T, enabling 64-14

over TCP, enabling 64-15

SA lifetimes, changing 64-29

tunnel 64-19

view configuration commands table 64-34

IPSec parameters, tunnel group 67-4

ipsec-ra, creating an IPSec remote-access tunnel 67-8

IPS module

about 58-1

configuration 58-7

operating modes 58-2

sending traffic to 58-17

traffic flow 58-2

virtual sensors 58-15

IP spoofing, preventing 57-1

IP teardrop attack 57-5

IPv6

commands 21-10

configuring alongside IPv4 8-2

default route 22-5

dual IP stack 8-2

duplicate address detection 8-12, 9-15

neighbor discovery 28-1

router advertisement messages 28-3

static neighbors 28-4

static routes 22-5

IPv6 addresses

anycast B-9

command support for 21-10

format B-5

multicast B-8

prefixes B-10

required B-10

types of B-6

unicast B-6

IPv6 prefixes 28-11

ISAKMP

about 64-2

configuring 64-1

determining an ID method for peers 64-13

disabling in aggressive mode 64-13

enabling on the outside interface 69-8

keepalive setting, tunnel group 67-4

See also IKE

J

Java applet filtering 39-4

Java applets, filtering 39-2

Java object signing 74-82

Join Group pane

description 26-6

jumbo frames, ASA 5580 6-32

K

KCD 74-41, 74-42

before configuring 74-44

KCD status

showing 74-46

keep-alive-ignore

group policy attribute for Clientless SSL VPN 67-76

username attribute for Clientless SSL VPN 67-90

Kerberos

configuring 35-11

support 35-6

Kerberos tickets

clearing 74-48

showing 74-47

L

L2TP description 65-1

LACP 6-6

LAN-to-LAN tunnel group, configuring 67-17

large ICMP traffic attack 57-6

latency

about 54-1

configuring 54-2, 54-3

reducing 54-8

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

Layer 2 Tunneling Protocol 65-1

Layer 3/4

matching multiple policy maps 32-6

LCS Federation Scenario 51-2

LDAP

application inspection 45-1

attribute mapping 35-18

Cisco-AV-pair C-13

configuring 35-11

configuring a AAA server C-2 to ??

directory search C-3

example configuration procedures C-16 to ??

hierarchy example C-3

SASL 35-6

user authentication 35-6

user authorization 35-16

LEAP Bypass, group policy 67-55

licenses

activation key

entering 3-33

location 3-32

obtaining 3-33

ASA 5505 3-2

ASA 5510 3-3, 3-8

ASA 5520 3-4

ASA 5540 3-5

ASA 5550 3-6

ASA 5580 3-7

ASA 5585-X 3-12, 3-13, 3-14

Cisco Unified Communications Proxy features 47-4, 49-5, 50-6, 51-7, 52-8

default 3-21

evaluation 3-21

failover 3-31

guidelines 3-31

managing 3-1

preinstalled 3-21

Product Authorization Key 3-33

shared

backup server, configuring 3-37

backup server, information 3-25

client, configuring 3-37

communication issues 3-25

failover 3-25

maximum clients 3-27

monitoring 3-44

overview 3-23

server, configuring 3-35

SSL messages 3-25

temporary 3-21

viewing current 3-38

VPN Flex 3-21

licensing requirements

CSC SSM 60-5

logging 77-5

licensing requirements for SNMP 79-17

link up/down test 61-15

LLQ

See low-latency queue

load balancing

cluster configurations 66-9

concepts 66-6

eligible clients 66-8

eligible platforms 66-8

implementing 66-7

mixed cluster scenarios 66-10

platforms 66-8

prerequisites 66-8

local user database

adding a user 35-20

configuring 35-20

logging in 37-20

support 35-8

lockout recovery 37-31

logging

access lists 20-1

classes

filtering messages by 77-4

types 77-4, 77-16

device-id, including in system log messages 77-17

e-mail

source address 77-10

EMBLEM format 77-14

facility option 77-8

filtering

by message class 77-16

by message list 77-4

by severity level 77-1

logging queue, configuring 77-15

output destinations 77-8

console port 77-8, 77-10, 77-11

internal buffer 77-1, 77-6

Telnet or SSH session 77-6

queue

changing the size of 77-15

configuring 77-15

viewing queue statistics 77-19

severity level, changing 77-19

timestamp, including 77-18

logging feature history 77-20

logging queue

configuring 77-15

login

banner, configuring 37-7

console 2-1

enable 2-1

FTP 38-3

global configuration mode 2-2

local user 37-20

password 10-1

simultaneous, username attribute 67-81

SSH 37-5

Telnet 10-1

windows, customizing for users of Clientless SSL VPN sessions 67-27

low-latency queue

applying 54-2, 54-3

M

MAC address

redundant interfaces 6-4

MAC addresses

ASA 5505 7-4

ASA 5505 device pass-through 71-8

automatically assigning 5-22

failover 62-2

manually assigning to interfaces 8-11, 9-14

security context classification 5-3

MAC address table

about 4-23

built-in-switch 4-14

entry timeout 4-15

MAC learning, disabling 4-16

resource management 5-17

static entry 4-15

MAC learning, disabling 4-16

management interfaces

default settings 16-2, 17-2, 18-2, 34-7

management IP address, transparent firewall 9-7

man-in-the-middle attack 4-10

mapped addresses

guidelines 29-21

mapped interface name 5-20

mask

reply, ICMP message B-15

request, ICMP message B-15

Master Passphrase 10-6

match commands

inspection class map 33-4

Layer 3/4 class map 32-12, 32-15

matching, certificate group 64-17

maximum active IPSec VPN sessions, setting 66-3

maximum connect time, username attribute 67-82

maximum object size to ignore, username attribute for Clientless SSL VPN 67-90

MD5, IKE policy keywords (table) 64-9, 64-10, 64-11

media termination address, criteria 48-6

message filtering 77-4

message list

filtering by 77-4

message-of-the-day banner 37-8

messages, logging

classes

about 77-4

list of 77-4

component descriptions 77-3

filtering by message list 77-4

format of 77-3

message list, creating 77-13

severity levels 77-3

messages classes 77-4

messages in EMBLEM format 77-14

metacharacters, regular expression 13-13

MGCP inspection

about 44-11

configuring 44-11

mgmt0 interfaces

default settings 16-2, 17-2, 18-2, 34-7

MIBs 79-2

MIBs for SNMP 79-29

Microsoft Access Proxy 51-1

Microsoft Active Directory, settings for password management 67-28

Microsoft Internet Explorer client parameters, configuring 67-57

Microsoft KCD 74-41, 74-42

Microsoft Windows CA, supported 41-4

mixed cluster scenarios, load balancing 66-10

mixed-mode Cisco UCM cluster, configuring for phone proxy 48-17

MMP inspection 50-1

mobile redirection, ICMP message B-15

mode

context 5-15

firewall 4-1

modular policy framework

configuring flow-export actions for NetFlow 78-5

monitoring

CSC SSM 60-13

failover 61-14

OSPF 24-16

resource management 5-29

SNMP 79-1

monitoring logging 77-19

monitoring NSEL 78-10

monitoring switch traffic, ASA 5505 7-4

More prompt A-5

MPF

default policy 32-7

examples 32-18

feature directionality 32-3

features 32-2

flows 32-6

matching multiple policy maps 32-6

service policy, applying 32-17

See also class map

See also policy map

MPLS

LDP 34-6

router-id 34-6

TDP 34-6

MRoute pane

description 26-4

MSIE client parameters, configuring 67-57

MTU 8-11, 9-14

MTU size, Easy VPN client, ASA 5505 71-5

multicast traffic 4-4

multiple context mode

logging 77-2

See security contexts

N

NAC

See Network Admission Control

naming an interface

other models 8-7, 9-10, 9-11

NAT

about 29-1

bidirectional initiation 29-2

disabling proxy ARP for global addresses 21-11

DNS 29-24

dynamic

about 29-8

dynamic NAT

network object NAT 30-4

twice NAT 31-4

dynamic PAT

about 29-10

network object NAT 30-6

twice NAT 31-8

identity

about 29-11

identity NAT

network object NAT 30-12

twice NAT 31-20

implementation 29-16

interfaces 29-21

mapped address guidelines 29-21

network object

comparison with twice NAT 29-16

network object NAT

about 29-17

configuring 30-1

dynamic NAT 30-4

dynamic PAT 30-6

examples 30-15

guidelines 30-2

identity NAT 30-12

monitoring 30-14

prerequisites 30-2

static NAT 30-10

no proxy ARP 30-13, 31-19

object

extended PAT 30-6

flat range for PAT 30-6

routed mode 29-13

route lookup 30-13, 31-24

RPC not supported with 45-3

rule order 29-20

static

about 29-3

few-to-many mapping 29-7

many-to-few mapping 29-6, 29-7

one-to-many 29-6

static NAT

network object NAT 30-10

twice NAT 31-15

static with port translation

about 29-4

terminology 29-2

transparent mode 29-13

twice

extended PAT 31-8

flat range for PAT 31-8

twice NAT

about 29-17

comparison with network object NAT 29-16

configuring 31-1

dynamic NAT 31-4

dynamic PAT 31-8

examples 31-24

guidelines 31-2

identity NAT 31-20

monitoring 31-24

prerequisites 31-2

static NAT 31-15

types 29-3

VPN 29-14

VPN client rules 29-20

native VLAN support 7-10

NAT-T

enabling IPsec over NAT-T 64-14

using 64-15

neighbor reachable time 28-3

neighbor solicitation messages 28-2

neighbor advertisement messages 28-2

NetFlow

overview 78-1

NetFlow collector

configuring 78-5

NetFlow event

matching to configured collectors 78-5

NetFlow event logging

disabling 78-9

Network Activity test 61-15

Network Admission Control

ACL, default 70-10

clientless authentication 70-13

configuring 67-59

exemptions 70-11

revalidation timer 70-10

uses, requirements, and limitations 70-1

network extension mode 71-3

network extension mode, group policy 67-55

Network Ice firewall 67-67

network object NAT

about 29-17

comparison with twice NAT 29-16

configuring 30-1

dynamic NAT 30-4

dynamic PAT 30-6

examples 30-15

guidelines 30-2

identity NAT 30-12

monitoring 30-14

prerequisites 30-2

static NAT 30-10

Nokia VPN Client 64-35

non-secure Cisco UCM cluster, configuring phone proxy 48-15

No Payload Encryption 3-30

no proxy ARP 31-19

NSEL and syslog messages

redundant messages 78-2

NSEL configuration examples 78-12

NSEL feature history 78-14

NSEL licensing requirements 78-3

NSEL runtime counters

clearing 78-10

NTLM support 35-6

NT server

configuring 35-11

support 35-6

O

object groups

about 13-1

configuring 13-6

removing 13-11

object NAT

See network object NAT

open ports B-14

operating systems, posture validation exemptions 70-11

OSPF

area authentication 24-11

area MD5 authentication 24-11

area parameters 24-10

authentication key 24-9

authentication support 24-2

cost 24-9

dead interval 24-9

defining a static neighbor 24-12

interaction with NAT 24-2

interface parameters 24-8

link-state advertisement 24-2

logging neighbor states 24-13

LSAs 24-2

MD5 authentication 24-9

monitoring 24-16

NSSA 24-11

packet pacing 24-16

processes 24-2

redistributing routes 24-4

route calculation timers 24-13

route summarization 24-7

outbound access lists 34-3

output destination 77-5

output destinations 77-1, 77-6

e-mail address 77-1, 77-6

SNMP management station 77-1, 77-6

Telnet or SSH session 77-1, 77-6

outside, definition 1-22

oversubscribing resources 5-8

P

packet

capture 82-14

classifier 5-3

packet flow

routed firewall 4-17

transparent firewall 4-23

packet trace, enabling 82-7

paging screen displays A-5

parameter problem, ICMP message B-15

password

resetting on SSM hardware module 82-11

password management, Active Directory settings 67-28

passwords

changing 10-2

recovery 82-8

security appliance 10-1

username, setting 67-80

WebVPN 74-109

password-storage, username attribute 67-84

PAT

Easy VPN client mode 71-3

See dynamic PAT

pause frames for flow control 6-22

PDA support for WebVPN 74-78

peers

alerting before disconnecting 64-16

ISAKMP, determining ID method 64-13

performance, optimizing for WebVPN 74-81

permit in a crypto map 64-23

phone proxy

access lists 48-7

ASA role 47-3

certificates 48-15

Cisco IP Communicator 48-10

Cisco UCM supported versions 48-3

configuring mixed-mode Cisco UCM cluster 48-17

configuring non-secure Cisco UCM cluster 48-15

event recovery 48-41

IP phone addressing 48-9

IP phone provisioning 48-12

IP phones supported 48-3

Linksys routers, configuring 48-26

NAT and PAT requirements 48-8

ports 48-7

rate limiting 48-11

required certificates 48-16

sample configurations 48-43

SAST keys 48-41

TLS Proxy on ASA, described 47-3

troubleshooting 48-27

ping

See ICMP

ping of death attack 57-6

PKI protocol 41-11

PoE 7-4

policing

flow within a tunnel 54-11

policy, QoS 54-1

policy map

inspection 33-2

Layer 3/4

about 32-1

feature directionality 32-3

flows 32-6

pools, address

DHCP 11-3

port-forward

group policy attribute for Clientless SSL VPN 67-75

username attribute for Clientless SSL VPN 67-89

port-forwarding

enabling 8-6, 9-8

port-forward-name

group policy attribute for Clientless SSL VPN 67-76

username attribute for Clientless SSL VPN 67-90

ports

open on device B-14

phone proxy 48-7

TCP and UDP B-11

port translation

about 29-4

posture validation

exemptions 70-11

revalidation timer 70-10

uses, requirements, and limitations 70-1

power over Ethernet 7-4

PPPoE, configuring 72-1 to 72-5

prerequisites for use

CSC SSM 60-5

pre-shared key, Easy VPN client on the ASA 5505 71-7

primary unit, failover 62-2

printers 71-8

private networks B-2

privileged EXEC mode, accessing 2-1

privileged mode

accessing 2-1

prompt A-2

privilege level, username, setting 67-80

Product Authorization Key 3-33

prompts

command A-2

more A-5

protocol numbers and literal values B-11

Protocol pane (PIM)

description 26-10

proxied RPC request attack 57-7

proxy

See e-mail proxy

proxy ARP

NAT

proxy ARP, disabling 21-11

proxy bypass 74-83

proxy servers

SIP and 44-19

PRSM 59-3

public key cryptography 41-2

Q

QoS

about 54-1, 54-3

DiffServ preservation 54-5

DSCP preservation 54-5

feature interaction 54-4

policies 54-1

priority queueing

IPSec anti-replay window 54-12

statistics 54-15

token bucket 54-2

traffic shaping

overview 54-4

viewing statistics 54-15

Quality of Service

See QoS

question mark

command string A-4

help A-4

queue, logging

changing the size of 77-15

viewing statistics 77-19

queue, QoS

latency, reducing 54-8

limit 54-2, 54-3

R

RADIUS

attributes C-27

Cisco AV pair C-13

configuring a AAA server C-27

configuring a server 35-11

downloadable access lists 38-14

network access authentication 38-4

network access authorization 38-14

support 35-4

RAS, H.323 troubleshooting 44-10

rate limit 77-19

rate limiting 54-3

rate limiting, phone proxy 48-11

RealPlayer 44-15

reboot, waiting until active sessions end 64-16

redirect, ICMP message B-15

redundancy, in site-to-site VPNs, using crypto maps 64-34

redundant interface

EtherChannel

converting existing interfaces 6-13

redundant interfaces

configuring 6-25

failover 6-10

MAC address 6-4

setting the active interface 6-27

Registration Authority description 41-2

regular expression 13-12

reloading

context 5-26

security appliance 82-8

remote access

IPSec tunnel group, configuring 67-8

restricting 67-84

tunnel group, configuring default 67-7

VPN, configuring 69-1, 69-15

remote management, ASA 5505 71-9

Request Filter pane

description 26-11

resetting the SSM hardware module password 82-11

resource management

about 5-8

assigning a context 5-21

class 5-16

configuring 5-8

default class 5-9

monitoring 5-29

oversubscribing 5-8

resource types 5-17

unlimited 5-9

resource usage 5-32

revalidation timer, Network Admission Control 70-10

revoked certificates 41-2

rewrite, disabling 74-83

RFCs for SNMP 79-29

RIP

authentication 25-2

definition of 25-1

enabling 25-4

support for 25-2

RIP panel

limitations 25-3

RIP Version 2 Notes 25-3

routed mode

about 4-1

NAT 29-13

setting 4-1

route map

definition 23-1

route maps

defining 23-4

uses 23-1

router

advertisement, ICMP message B-15

solicitation, ICMP message B-15

router advertisement messages 28-3

router advertisement transmission interval 28-8

router lifetime value 28-8

routes

about default 22-4

configuring default routes 22-4

configuring IPv6 default 22-5

configuring IPv6 static 22-5

configuring static routes 22-3

routing

other protocols 34-5

RSA

keys, generating 37-4, 41-9

RTSP inspection

about 44-15

configuring 44-15

rules

ICMP 37-10

running configuration

copying 81-8

saving 2-16

S

same security level communication

enabling 8-15, 9-18

SAs, lifetimes 64-29

SAST keys 48-41

SCCP (Skinny) inspection

about 44-25

configuration 44-25

configuring 44-25

SDI

configuring 35-11

support 35-5

secondary unit, failover 62-2

secure unit authentication 71-12

secure unit authentication, group policy 67-53

security, WebVPN 74-5, 74-13

Security Agent, Cisco 67-66

security appliance

CLI A-1

connecting to 2-1

managing licenses 3-1

managing the configuration 2-15

reloading 82-8

upgrading software 81-2

viewing files in Flash memory 81-1

security association

clearing 64-34

See also SAs

security attributes, group policy 67-46

security contexts

about 5-1

adding 5-18

admin context

about 5-2

changing 5-24

assigning to a resource class 5-21

cascading 5-6

changing between 5-23

classifier 5-3

command authorization 37-16

configuration

URL, changing 5-25

URL, setting 5-21

logging in 5-7

MAC addresses

automatically assigning 5-22

classifying using 5-3

managing 5-1, 5-23

mapped interface name 5-20

monitoring 5-27

multiple mode, enabling 5-15

nesting or cascading 5-7

prompt A-2

reloading 5-26

removing 5-24

resource management 5-8

resource usage 5-32

saving all configurations 2-17

unsupported features 5-14

VLAN allocation 5-20

security level

about 8-1

interface 8-8, 9-10, 9-12

security models for SNMP 79-16

sending messages to an e-mail address 77-10

sending messages to an SNMP server 77-11

sending messages to ASDM 77-11

sending messages to a specified output destination 77-16

sending messages to a syslog server 77-8

sending messages to a Telnet or SSH session 77-12

sending messages to the console port 77-11

sending messages to the internal log buffer 77-9

service policy

applying 32-17

default 32-17

interface 32-18

session management path 1-26

severity levels, of system log messages

changing 77-1

filtering by 77-1

list of 77-3

severity levels, of system messages

definition 77-3

SHA, IKE policy keywords (table) 64-9, 64-10, 64-11

shared license

backup server, configuring 3-37

backup server, information 3-25

client, configuring 3-37

communication issues 3-25

failover 3-25

maximum clients 3-27

monitoring 3-44

server, configuring 3-35

SSL messages 3-25

show command, filtering output A-4

showing cached Kerberos tickets 74-47

showing KCD status 74-46

simultaneous logins, username attribute 67-81

single mode

backing up configuration 5-15

configuration 5-15

enabling 5-15

restoring 5-16

single sign-on

See SSO

single-signon

group policy attribute for Clientless SSL VPN 67-77

username attribute for Clientless SSL VPN 67-92

SIP inspection

about 44-19

configuring 44-19

instant messaging 44-19

timeouts 44-24

troubleshooting 44-24

site-to-site VPNs, redundancy 64-34

Smart Call Home monitoring 80-19

smart tunnels 74-48

SMTP inspection 43-31

SNMP

about 79-1

failover 79-17

management station 77-1, 77-6

prerequisites 79-17

SNMP configuration 79-18

SNMP groups 79-16

SNMP hosts 79-16

SNMP monitoring 79-26, 79-27

SNMP terminology 79-2

SNMP traps 79-2

SNMP users 79-16

SNMP Version 3 79-15, 79-23

SNMP Versions 1 and 2c 79-22

source quench, ICMP message B-15

SPAN 7-4

Spanning Tree Protocol, unsupported 7-8

speed, configuring 6-11, 7-5

split tunneling

ASA 5505 as Easy VPN client 71-8

group policy 67-49

group policy, domains 67-52

SSCs

management access 58-4

management defaults 58-6

management interface 58-11

password reset 58-23, 60-15

reload 58-24, 60-16

reset 58-24, 60-16

routing 58-8

sessioning to 58-10

shutdown 58-24, 60-16

SSH

authentication 37-19

concurrent connections 37-2

login 37-5

password 10-1

RSA key 37-4

username 37-5

SSL

certificate 74-11

used to access the security appliance 74-6

SSL/TLS encryption protocols

configuring 74-10

WebVPN 74-10

SSL VPN Client

compression 75-16

DPD 75-15

enabling

permanent installation 75-7

installing

order 75-6

keepalive messages 75-16

viewing sessions 75-19

SSMs

loading an image 58-21, 58-23, 60-14

management access 58-4

management defaults 58-6

password reset 58-23, 60-15

reload 58-24, 60-16

reset 58-24, 60-16

routing 58-8

sessioning to 58-10

shutdown 58-24, 60-16

sso-server

group policy attribute for Clientless SSL VPN 67-77

username attribute for Clientless SSL VPN 67-92

SSO with WebVPN 74-13 to ??

configuring HTTP Basic and NTLM authentication 74-14

configuring HTTP form protocol 74-20

configuring SiteMinder 74-15, 74-17

startup configuration

copying 81-8

saving 2-16

statd buffer overflow attack 57-8

Stateful Failover

about 61-10

state information 61-10

state link 61-4

stateful inspection 1-25

bypassing 53-3

state information 61-10

state link 61-4

static ARP entry 4-11

static bridge entry 4-15

Static Group pane

description 26-6

static NAT

about 29-3

few-to-many mapping 29-7

many-to-few mapping 29-6, 29-7

network object NAT 30-10

twice NAT 31-15

static NAT with port translation

about 29-4

static routes

configuring 22-3

statistics, QoS 54-15

stealth firewall

See transparent firewall

stuck-in-active 27-2

subcommand mode prompt A-2

subinterfaces, adding 6-30

subnet masks

/bits B-3

about B-2

address range B-4

determining B-3

dotted decimal B-3

number of hosts B-3

Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 74-66

Sun RPC inspection

about 45-3

configuring 45-3

SVC

See SSL VPN Client

switch MAC address table 4-14

switch ports

access ports 7-7

protected 7-8, 7-10

SPAN 7-4

trunk ports 7-9

Sygate Personal Firewall 67-67

SYN attacks, monitoring 5-33

SYN cookies 5-33

syntax formatting A-3

syslogd server program 77-5

syslog messages

analyzing 77-2

syslog messaging for SNMP 79-27

syslog server

designating more than one as output destination 77-5

EMBLEM format

configuring 77-14

enabling 77-8, 77-14

system configuration 5-2

system log messages

classes 77-4

classes of 77-4

configuring in groups

by message list 77-4

by severity level 77-1

device ID, including 77-17

disabling logging of 77-1

filtering by message class 77-4

managing in groups

by message class 77-16

output destinations 77-1, 77-6

syslog message server 77-6

Telnet or SSH session 77-6

severity levels

about 77-3

changing the severity level of a message 77-1

timestamp, including 77-18

T

TACACS+

command authorization, configuring 37-29

configuring a server 35-11

network access authorization 38-11

support 35-5

tail drop 54-3

TCP

ASA 5505 as Easy VPN client 71-4

connection limits per context 5-17

ports and literal values B-11

sequence number randomization

disabling using Modular Policy Framework 53-12, 53-14

TCP FIN only flags attack 57-7

TCP Intercept

enabling using Modular Policy Framework 53-12, 53-14

monitoring 5-33

TCP normalization 53-3

TCP NULL flags attack 57-6

TCP state bypass

AAA 53-5

configuring 53-10

failover 53-5

firewall mode 53-5

inspection 53-5

multiple context mode 53-5

NAT 53-5

SSMs and SSCs 53-5

TCP Intercept 53-5

TCP normalization 53-5

unsupported features 53-5

TCP SYN+FIN flags attack 57-6

Telnet

allowing management access 37-1

authentication 37-19

concurrent connections 37-2

login 37-4

password 10-1

template timeout intervals

configuring for flow-export actions 78-7

temporary license 3-21

testing configuration 82-1

threat detection

basic

drop types 56-2

enabling 56-4

overview 56-2

rate intervals 56-2

rate intervals, setting 56-4

statistics, viewing 56-5

system performance 56-3

scanning

attackers, viewing 56-18

default limits, changing 56-17

enabling 56-17

host database 56-15

overview 56-15

shunned hosts, releasing 56-18

shunned hosts, viewing 56-17

shunning attackers 56-17

system performance 56-15

targets, viewing 56-18

scanning statistics

enabling 56-7

system performance 56-6

viewing 56-9

time exceeded, ICMP message B-15

time ranges, access lists 13-16

timestamp, including in system log messages 77-18

timestamp reply, ICMP message B-15

timestamp request, ICMP message B-15

TLS1, used to access the security appliance 74-6

TLS Proxy

applications supported by ASA 47-3

Cisco Unified Presence architecture 51-1

configuring for Cisco Unified Presence 51-8

licenses 47-4, 49-5, 50-6, 51-7, 52-8

token bucket 54-2

toolbar, floating, WebVPN 74-89

traffic flow

routed firewall 4-17

transparent firewall 4-23

traffic shaping

overview 54-4

transform set

creating 69-1, 69-10

definition 64-19

transmit queue ring limit 54-2, 54-3

transparent firewall

about 4-2

ARP inspection

about 4-10

enabling 4-12

static entry 4-11

data flow 4-23

DHCP packets, allowing 34-5

guidelines 4-7

H.323 guidelines 4-4

HSRP 4-4

MAC address timeout 4-15

MAC learning, disabling 4-16

management IP address 9-7

multicast traffic 4-4

packet handling 34-5

static bridge entry 4-15

unsupported features 4-7

VRRP 4-4

transparent mode

NAT 29-13

troubleshooting

H.323 44-9

H.323 RAS 44-10

phone proxy 48-27

SIP 44-24

troubleshooting SNMP 79-24

trunk, 802.1Q 6-30

trunk ports 7-9

Trusted Flow Acceleration

failover 65-7

modes 4-6, 4-10, 4-14, 15-1, 34-7, 63-7, 65-7

trustpoint 41-3

trustpoint, ASA 5505 client 71-7

trust relationship

Cisco Unified Mobility 50-5

Cisco Unified Presence 51-4

tunnel

ASA 5505 as Easy VPN client 71-5

IPsec 64-19

security appliance as a tunnel endpoint 64-2

tunnel group

ASA 5505 as Easy VPN client 71-7

configuring 67-6

creating 67-8

default 64-19, 67-1, 67-2

default, remote access, configuring 67-7

default LAN-to-LAN, configuring 67-17

definition 67-1, 67-2

general parameters 67-3

inheritance 67-1

IPSec parameters 67-4

LAN-to-LAN, configuring 67-17

name and type 67-8

remote access, configuring 69-11

remote-access, configuring 67-8

tunnel-group

general attributes 67-3

tunnel-group ISAKMP/IKE keepalive settings 67-4

tunneling, about 64-1

tunnel mode 65-2

twice NAT

about 29-17

comparison with network object NAT 29-16

configuring 31-1

dynamic NAT 31-4

dynamic PAT 31-8

examples 31-24

guidelines 31-2

identity NAT 31-20

monitoring 31-24

prerequisites 31-2

static NAT 31-15

tx-ring-limit 54-2, 54-3

U

UDP

bomb attack 57-7

chargen DoS attack 57-7

connection limits per context 5-17

connection state information 1-26

ports and literal values B-11

snork attack 57-7

unreachable, ICMP message B-15

unreachable messages

required for MTU discovery 37-10

url-list

group policy attribute for Clientless SSL VPN 67-74

username attribute for Clientless SSL VPN 67-89

URLs

context configuration, changing 5-25

context configuration, setting 5-21

filtering 39-1

filtering, about 39-7

filtering, configuration 39-11

user, VPN

definition 67-1

user access, restricting remote 67-84

user authentication, group policy 67-53

user EXEC mode

accessing 2-1

prompt A-2

username

adding 35-20

clientless authentication 70-14

encrypted 35-23

management tunnels 71-9

password 35-23

WebVPN 74-109

Xauth for Easy VPN client 71-4

username attributes

access hours 67-81

configuring 67-79, 67-80

group-lock 67-84

inheritance 67-81

password, setting 67-80

password-storage 67-84

privilege level, setting 67-80

simultaneous logins 67-81

vpn-filter 67-82

vpn-framed-ip-address 67-83

vpn-idle timeout 67-82

vpn-session-timeout 67-82

vpn-tunnel-protocol 67-83

username attributes for Clientless SSL VPN

auto-signon 67-91

customization 67-87

deny message 67-87

filter (access list) 67-88

homepage 67-86

html-content-filter 67-86

keep-alive ignore 67-90

port-forward 67-89

port-forward-name 67-90

sso-server 67-92

url-list 67-89

username configuration, viewing 67-79

username webvpn mode 67-85

users

SNMP 79-16

U-turn 64-26

V

VeriSign, configuring CAs example 41-4

viewing QoS statistics 54-15

viewing RMS 81-19

virtual cluster 66-6

IP address 66-6

master 66-6

virtual firewalls

See security contexts

virtual HTTP 38-3

virtual reassembly 1-23

virtual sensors 58-15

VLAN mapping 67-44

VLANs 6-30

802.1Q trunk 6-30

allocating to a context 5-20

ASA 5505

MAC addresses 7-4

maximum 7-2

mapped interface name 5-20

subinterfaces 6-30

VoIP

proxy servers 44-19

troubleshooting 44-9

VPN

address pool, configuring (group-policy) 67-62

address range, subnets B-4

parameters, general, setting 66-1

setting maximum number of IPSec sessions 66-3

VPN attributes, group policy 67-42

VPN client

NAT rules 29-20

VPN Client, IPsec attributes 64-2

vpn-filter username attribute 67-82

VPN flex license 3-21

vpn-framed-ip-address username attribute 67-83

VPN hardware client, group policy attributes 67-53

vpn-idle-timeout username attribute 67-82

vpn load balancing

See load balancing 66-6

vpn-session-timeout username attribute 67-82

vpn-tunnel-protocol username attribute 67-83

VRRP 4-4

W

WCCP 40-1

web caching 40-1

web clients, secure authentication 38-6

web e-Mail (Outlook Web Access), Outlook Web Access 74-80

WebVPN

assigning users to group policies 74-31, 74-32

authenticating with digital certificates 74-28, 74-29

CA certificate validation not done 74-5

client application requirements 74-110

client requirements 74-110

configuring

e-mail 74-79

configuring WebVPN and ASDM on the same interface 74-7

cookies 74-10

defining the end-user interface 74-88

definition 74-2

e-mail 74-79

e-mail proxies 74-79

end user set-up 74-87

floating toolbar 74-89

group policy attributes, configuring 74-33

hosts file 74-72

hosts files, reconfiguring 74-73

HTTP/HTTPS proxy, setting 74-11

Java object signing 74-82

PDA support 74-78

security precautions 74-5, 74-13

security tips 74-109

setting HTTP/HTTPS proxy 74-8

SSL/TLS encryption protocols 74-10

supported applications 74-110

troubleshooting 74-72

unsupported features 74-4

use of HTTPS 74-7

usernames and passwords 74-109

use suggestions 74-87, 74-110

WebVPN, Application Access Panel 74-88

webvpn attributes

group policy 67-70

welcome message, group policy 67-48

WINS server, configuring 67-40

X

Xauth, Easy VPN client 71-4

XOFF frames 6-22

Z

Zone Labs firewalls 67-67

Zone Labs Integrity Server 67-64