Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1
Index

A

AAA

accounting 7-21

authentication

network access 7-2

authorization

downloadable access lists 7-17

network access 7-14

performance 7-1

web clients 7-10

access lists

downloadable 7-17

global access rules 6-2

implicit deny 6-3

inbound 6-3

outbound 6-3

phone proxy 16-7

ActiveX filtering 29-2

AIP

See IPS module

AIP SSC

loading an image 30-24, 31-21, 31-23, 32-14

AIP SSM

about 31-1

loading an image 30-24, 31-21, 31-23, 32-14

application inspection

about 9-1

applying 9-7

configuring 9-7

inspection class map 2-5

inspection policy map 2-4

special actions 2-1

ASA CX module

about 30-1

ASA feature compatibility 30-5

authentication proxy

about 30-5

port 30-17

troubleshooting 30-31

basic settings 30-15

cabling 30-9

configuration 30-8

debugging 30-30

failover 30-7

licensing 30-6

management access 30-4

management defaults 30-8

management IP address 30-14

monitoring 30-25

password reset 30-22

PRSM 30-5

reload 30-22

security policy 30-16

sending traffic to 30-18

shutdown 30-23

traffic flow 30-2

VPN 30-5

asymmetric routing

TCP state bypass 22-4

attacks

DNS request for all records 28-10

DNS zone transfer 28-10

DNS zone transfer from high port 28-10

fragmented ICMP traffic 28-6, 28-9

IP fragment 28-4, 28-7

IP impossible packet 28-4, 28-7

large ICMP traffic 28-6, 28-9

ping of death 28-6, 28-9

proxied RPC request 28-10

statd buffer overflow 28-11

TCP NULL flags 28-6, 28-9

TCP SYN+FIN flags 28-6, 28-9

authentication

FTP 7-4

HTTP 7-3

network access 7-2

Telnet 7-3

web clients 7-10

authorization

downloadable access lists 7-17

network access 7-14

B

basic threat detection

See threat detection

Botnet Traffic Filter

actions 26-2

address categories 26-2

blacklist

adding entries 26-9

description 26-2

blocking traffic manually 26-15

classifying traffic 26-12

configuring 26-7

databases 26-2

default settings 26-6

DNS Reverse Lookup Cache

information about 26-4

using with dynamic database 26-10

DNS snooping 26-10

dropping traffic 26-13

graylist 26-13

dynamic database

enabling use of 26-8

files 26-3

information about 26-2

searching 26-16

updates 26-8

examples 26-19

feature history 26-22

graylist

description 26-2

dropping traffic 26-13

guidelines and limitations 26-6

information about 26-1

licensing 26-6

monitoring 26-17

static database

adding entries 26-9

information about 26-3

syslog messages 26-17

task flow 26-7

threat level

dropping traffic 26-13

whitelist

adding entries 26-9

description 26-2

working overview 26-5

bypassing firewall checks 22-3

C

certificate

Cisco Unified Mobility 18-5

Cisco Unified Presence 19-4

certificates

phone proxy 16-15

required by phone proxy 16-16

Cisco IP Communicator 16-10

Cisco IP Phones, application inspection 11-25

Cisco UMA. See Cisco Unified Mobility.

Cisco Unified Mobility

architecture 18-2

ASA role 14-2, 14-3, 15-2

certificate 18-5

functionality 18-1

NAT and PAT requirements 18-3, 18-4

trust relationship 18-5

Cisco Unified Presence

ASA role 14-2, 14-3, 15-2

configuring the TLS Proxy 19-8

debugging the TLS Proxy 19-14

NAT and PAT requirements 19-2

sample configuration 19-15

trust relationship 19-4

Cisco UP. See Cisco Unified Presence.

class-default class map 1-9

class map

inspection 2-5

Layer 3/4

management traffic 1-15

match commands 1-12, 1-15

through traffic 1-12

configuration examples

CSC SSM 32-17

connection blocking 28-2

connection limits

configuring 22-1

context modes 32-6

CSC SSM

about 32-1

loading an image 30-24, 31-21, 31-23, 32-14

sending traffic to 32-10

what to scan 32-3

CSC SSM feature history 32-19

cut-through proxy

AAA performance 7-1

CX module

about 30-1

ASA feature compatibility 30-5

authentication proxy

about 30-5

port 30-17

troubleshooting 30-31

basic settings 30-15

cabling 30-9

configuration 30-8

debugging 30-30

failover 30-7

licensing 30-6

management access 30-4

management defaults 30-8

management IP address 30-14

monitoring 30-25

password reset 30-22

PRSM 30-5

reload 30-22

security policy 30-16

sending traffic to 30-18

shutdown 30-23

traffic flow 30-2

VPN 30-5

D

default policy 1-8

DHCP

transparent firewall 6-6

DiffServ preservation 23-5

DNS

inspection

about 10-2

managing 10-1

NAT effect on 3-28

DNS request for all records attack 28-10

DNS zone transfer attack 28-10

DNS zone transfer from high port attack 28-10

downloadable access lists

configuring 7-17

converting netmask expressions 7-21

DSCP preservation 23-5

dynamic NAT

about 3-7

network object NAT 4-5

twice NAT 5-7

dynamic PAT

network object NAT 4-7

See also NAT

twice NAT 5-11

E

EIGRP 6-6

EtherType access list

compatibility with extended access lists 6-2

implicit deny 6-3

F

failover

guidelines 32-6

Fibre Channel interfaces

default settings 6-8

filtering

ActiveX 29-2

FTP 29-14

Java applet 29-4

Java applets 29-4

servers supported 29-6

URLs 29-1, 29-7

fragmented ICMP traffic attack 28-6, 28-9

fragment size 28-2

FTP inspection

about 10-10

configuring 10-10

G

GTP inspection

about 13-3

configuring 13-3

H

H.225 timeouts 11-9

H.245 troubleshooting 11-10

H.323 inspection

about 11-4

configuring 11-3

limitations 11-5

troubleshooting 11-11

HTTP

filtering 29-1

HTTP(S)

filtering 29-7

HTTP inspection

about 10-15

configuring 10-15

I

ICMP

testing connectivity 24-1

identity NAT

about 3-10

network object NAT 4-14

twice NAT 5-21

ILS inspection 12-1

IM 11-19

inbound access lists 6-3

inspection_default class-map 1-9

inspection engines

See application inspection

Instant Messaging inspection 11-19

interfaces

default settings 6-8, 32-6

IP fragment attack 28-4, 28-7

IP impossible packet attack 28-4, 28-7

IP overlapping fragments attack 28-5

IP phone

phone proxy provisioning 16-12

IP phones

addressing requirements for phone proxy 16-9

supported for phone proxy 16-3, 17-2

IPSec

anti-replay window 23-13

IPS module

about 31-1

configuration 31-7

operating modes 31-3

sending traffic to 31-18

traffic flow 31-2

virtual sensors 31-16

IP spoofing, preventing 28-1

IP teardrop attack 28-5

J

Java applet filtering 29-4

Java applets, filtering 29-2

L

large ICMP traffic attack 28-6, 28-9

latency

about 23-1

configuring 23-2, 23-3

reducing 23-9

Layer 3/4

matching multiple policy maps 1-6

LCS Federation Scenario 19-2

LDAP

application inspection 12-1

licenses

Cisco Unified Communications Proxy features 14-4, 17-5, 18-6, 19-7, 20-7

licensing requirements

CSC SSM 32-5

LLQ

See low-latency queue

login

FTP 7-4

low-latency queue

applying 23-2, 23-3

M

management interfaces

default settings 6-8

mapped addresses

guidelines 3-19

match commands

inspection class map 2-4

Layer 3/4 class map 1-12, 1-15

media termination address, criteria 16-6

MGCP inspection

about 11-11

configuring 11-11

mgmt0 interfaces

default settings 6-8

Microsoft Access Proxy 19-1

mixed-mode Cisco UCM cluster, configuring for phone proxy 16-17

MMP inspection 18-1

monitoring

CSC SSM 32-13

MPF

default policy 1-8

examples 1-18

feature directionality 1-3

features 1-2

flows 1-6

matching multiple policy maps 1-6

service policy, applying 1-17

See also class map

See also policy map

MPLS

LDP 6-7

router-id 6-7

TDP 6-7

multi-session PAT 4-16

N

NAT

about 3-1

bidirectional initiation 3-2

DNS 3-28

dynamic

about 3-7

dynamic NAT

network object NAT 4-5

twice NAT 5-7

dynamic PAT

about 3-8

network object NAT 4-7

twice NAT 5-11

identity

about 3-10

identity NAT

network object NAT 4-14

twice NAT 5-21

implementation 3-13

interfaces 3-19

mapped address guidelines 3-19

network object

comparison with twice NAT 3-13

network object NAT

about 3-14

configuring 4-1

dynamic NAT 4-5

dynamic PAT 4-7

examples 4-18

guidelines 4-2

identity NAT 4-14

monitoring 4-17

prerequisites 4-2

static NAT 4-11

no proxy ARP 4-15, 5-20

object

extended PAT 4-7

flat range for PAT 4-7

routed mode 3-11

route lookup 4-15, 5-24

RPC not supported with 12-3

rule order 3-18

static

about 3-3

few-to-many mapping 3-6

many-to-few mapping 3-5, 3-6

one-to-many 3-5

static NAT

network object NAT 4-11

twice NAT 5-18

static with port translation

about 3-4

terminology 3-2

transparent mode 3-11

twice

extended PAT 5-12

flat range for PAT 5-12

twice NAT

about 3-14

comparison with network object NAT 3-13

configuring 5-1

dynamic NAT 5-7

dynamic PAT 5-11

examples 5-25

guidelines 5-2

identity NAT 5-21

monitoring 5-24

prerequisites 5-2

static NAT 5-18

types 3-3

VPN 3-22

VPN client rules 3-18

network object NAT

about 3-14

comparison with twice NAT 3-13

configuring 4-1

dynamic NAT 4-5

dynamic PAT 4-7

examples 4-18

guidelines 4-2

identity NAT 4-14

monitoring 4-17

prerequisites 4-2

static NAT 4-11

non-secure Cisco UCM cluster, configuring phone proxy 16-15

no proxy ARP 5-20

O

object NAT

See network object NAT

outbound access lists 6-3

P

packet trace, enabling 24-7

PAT

per-session and multi-session 4-16

See dynamic PAT

per-session PAT 4-16

phone proxy

access lists 16-7

ASA role 14-3

certificates 16-15

Cisco IP Communicator 16-10

Cisco UCM supported versions 16-3, 17-2

configuring mixed-mode Cisco UCM cluster 16-17

configuring non-secure Cisco UCM cluster 16-15

event recovery 16-42

IP phone addressing 16-9

IP phone provisioning 16-12

IP phones supported 16-3, 17-2

Linksys routers, configuring 16-27

NAT and PAT requirements 16-8

ports 16-7

rate limiting 16-11

required certificates 16-16

sample configurations 16-44

SAST keys 16-42

TLS Proxy on ASA, described 14-3

troubleshooting 16-28

ping

See ICMP

ping of death attack 28-6, 28-9

policing

flow within a tunnel 23-12

policy, QoS 23-1

policy map

inspection 2-4

Layer 3/4

about 1-1

feature directionality 1-3

flows 1-6

ports

phone proxy 16-7

port translation

about 3-4

prerequisites for use

CSC SSM 32-5

presence_proxy_remotecert 15-15

proxied RPC request attack 28-10

proxy servers

SIP and 11-18

PRSM 30-5

Q

QoS

about 23-1, 23-3

DiffServ preservation 23-5

DSCP preservation 23-5

feature interaction 23-4

policies 23-1

priority queueing

IPSec anti-replay window 23-13

statistics 23-16

token bucket 23-2

traffic shaping

overview 23-4

viewing statistics 23-16

Quality of Service

See QoS

queue, QoS

latency, reducing 23-9

limit 23-2, 23-3

R

RADIUS

downloadable access lists 7-17

network access authentication 7-7

network access authorization 7-17

RAS, H.323 troubleshooting 11-11

rate limiting 23-3

rate limiting, phone proxy 16-11

RealPlayer 11-15

routed mode

NAT 3-11

routing

other protocols 6-5

RTSP inspection

about 11-15

configuring 11-14

S

SAST keys 16-42

SCCP (Skinny) inspection

about 11-25

configuration 11-25

configuring 11-24

service policy

applying 1-17

default 1-17

interface 1-18

SIP inspection

about 11-18

configuring 11-18

instant messaging 11-19

timeouts 11-24

troubleshooting 11-24

SMTP inspection 10-32

SSCs

management access 31-4

management defaults 31-6

management interface 31-13

password reset 31-24, 32-15

reload 31-25, 32-16

reset 31-25, 32-16

routing 31-10

sessioning to 31-13

shutdown 31-23, 32-17

SSMs

loading an image 30-24, 31-21, 31-23, 32-14

management access 31-4

management defaults 31-6

password reset 31-24, 32-15

reload 31-25, 32-16

reset 31-25, 32-16

routing 31-10

sessioning to 31-13

shutdown 31-23, 32-17

Startup Wizard

licensing requirements 15-3

statd buffer overflow attack 28-11

stateful inspection

bypassing 22-3

static NAT

about 3-3

few-to-many mapping 3-6

many-to-few mapping 3-5, 3-6

network object NAT 4-11

twice NAT 5-18

static NAT with port translation

about 3-4

statistics, QoS 23-16

Sun RPC inspection

about 12-3

configuring 12-3

T

TACACS+

network access authorization 7-14

tail drop 23-3

TCP

sequence number randomization

disabling using Modular Policy Framework 22-13

TCP Intercept

enabling using Modular Policy Framework 22-13

TCP normalization 22-3

TCP NULL flags attack 28-6, 28-9

TCP state bypass

AAA 22-5

configuring 22-11

failover 22-5

firewall mode 22-5

inspection 22-5

multiple context mode 22-5

NAT 22-5

SSMs and SSCs 22-5

TCP Intercept 22-5

TCP normalization 22-5

unsupported features 22-5

TCP SYN+FIN flags attack 28-6, 28-9

testing configuration 24-1

threat detection

basic

drop types 27-2

enabling 27-4

overview 27-2

rate intervals 27-2

rate intervals, setting 27-4

statistics, viewing 27-5

system performance 27-3

scanning

attackers, viewing 27-18

default limits, changing 27-17

enabling 27-17

host database 27-15

overview 27-15

shunned hosts, releasing 27-18

shunned hosts, viewing 27-17

shunning attackers 27-17

system performance 27-15

targets, viewing 27-18

scanning statistics

enabling 27-7

system performance 27-6

viewing 27-9

TLS Proxy

applications supported by ASA 14-3

Cisco Unified Presence architecture 19-1

configuring for Cisco Unified Presence 19-8

licenses 14-4, 17-5, 18-6, 19-7, 20-7

token bucket 23-2

traffic shaping

overview 23-4

transmit queue ring limit 23-2, 23-3

transparent firewall

DHCP packets, allowing 6-6

packet handling 6-5

transparent mode

NAT 3-11

troubleshooting

H.323 11-9

H.323 RAS 11-11

phone proxy 16-28

SIP 11-24

Trusted Flow Acceleration

modes 6-7

trust relationship

Cisco Unified Mobility 18-5

Cisco Unified Presence 19-4

twice NAT

about 3-14

comparison with network object NAT 3-13

configuring 5-1

dynamic NAT 5-7

dynamic PAT 5-11

examples 5-25

guidelines 5-2

identity NAT 5-21

monitoring 5-24

prerequisites 5-2

static NAT 5-18

tx-ring-limit 23-2, 23-3

U

URLs

filtering 29-1

filtering, about 29-7

filtering, configuration 29-11

V

viewing QoS statistics 23-16

virtual HTTP 7-3

virtual sensors 31-16

VoIP

proxy servers 11-18

troubleshooting 11-9

VPN client

NAT rules 3-18

W

web clients, secure authentication 7-10