Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, 6.2F
Index

A

AAA

accounting 25-15

authentication

CLI access 16-25

network access 25-1

proxy limit 25-8

authorization

command 16-26

downloadable access lists 25-11

network access 25-9

disabling challenges 25-8

local database support 15-6

maximum rules 2-8

overview 15-1

performance 25-1

server

adding 15-7, 15-8

types 15-3

support summary 15-3

web clients 25-7

ABR

definition of 11-7

Access Group panel 12-2

description 12-2

fields 12-2

access lists

commitment 21-2

downloadable 25-11

expanded 21-3

implicit deny 21-2

inbound 21-3

IP address guidelines with NAT 21-5

maximum rules 21-3

memory limits 21-3

memory partitions 10-10

NAT addresses 21-5

outbound 21-3

overview 21-1

ACEs

expanded 21-3

maximum 21-3

Active/Active failover

about 14-2

command replication 14-2

configuration synchronization 14-2

Active/Standby failover 14-2

adaptive security algorithm 1-8

Add/Edit Access Group dialog box 12-3

description 12-3

fields 12-3

Add/Edit Filtering Entry dialog box 11-14

description 11-14

fields 11-14

Add/Edit IGMP Join Group dialog box 12-4

description 12-4

fields 12-4

Add/Edit IGMP Static Group dialog box 12-7

description 12-7

fields 12-7

Add/Edit Multicast Group dialog box 12-16

description 12-16

fields 12-16

Add/Edit Multicast Route dialog box

description 12-8

fields 12-8

Add/Edit OSPF Area dialog box 11-10

description 11-10

fields 11-11

Add/Edit OSPF Neighbor Entry dialog box 11-22

description 11-22

fields 11-23

restrictions 11-22

Add/Edit Periodic Time Range dialog box 20-15

Add/Edit Redistribution dialog box 11-21

description 11-21

fields 11-21

Add/Edit Rendezvous Point dialog box 12-14

description 12-14

fields 12-15

restrictions 12-15

Add/Edit Route Summarization dialog box 11-13

about 11-13

fields 11-13

Add/Edit Summary Address dialog box

description 11-24

fields 11-24

Add/Edit Time Range dialog box 20-14

Add/Edit Virtual Link dialog box 11-25

description 11-25

fields 11-25

Addresses tab 20-2

admin context

overview 10-2

administrative distance 11-44

Advanced DHCP Options dialog box 13-6

description 13-6

fields 13-7

Advanced OSPF Interface Properties dialog box 11-19

description 11-19

fields 11-19

Advanced OSPF Virtual Link Properties dialog box 11-26

description 11-26

fields 11-26

alternate address, ICMP message 16-8

APN, GTP application inspection 24-84

APPE command, denied request 24-79

application firewall 24-87

application inspection

about 24-2

applying 24-4

configuring 24-4

described 24-58

enabling for different protocols 24-27

Apply button 3-9

Area/Networks tab 11-10

description 11-10

fields 11-10

area border router 11-7

ARP inspection

configuring 28-1

ARP spoofing 28-2

ARP table

monitoring 31-1

static entry 28-3

ASBR

definition of 11-7

ASDM

maximum connections 2-5

version 3-13

authenticating a certificate 18-1

authentication

CLI access 16-25

FTP 25-3

HTTP 25-2

network access 25-1

overview 15-2

Telnet 25-2

web clients 25-7

Authentication tab 11-15

description 11-15

fields 11-15

authorization

command 16-26

downloadable access lists 25-11

network access 25-9

overview 15-2

autostate messaging 5-15

B

bandwidth 3-14

limiting 10-17

maximum 2-4

BGP

monitoring 11-45

booting

from the switch 5-17

boot partitions 5-16

BPDUs

forwarding on the switch 5-14

bridge groups

overview 1-7

bridging

MAC address table

learning, disabling 28-6

overview 28-4

static entry 28-6

management IP address 8-1

building blocks 20-1

bypassing the firewall, in the switch 5-9

C

CA certificate 18-1

call agents

MGCP application inspection 24-101, 24-102

Cancel button 3-9

CDUP command, denied request 24-80

CEF 2-4

certificate

exporting 18-14

fingerprint 18-2

importing 18-15

installing 18-15

managing 18-5

certificate authentication 18-1

certificate enrollment 18-2

Cisco IOS versions 2-3

Cisco IP Phones, application inspection 24-21

classes

See resource management

command authorization

about 16-26

configuring 16-26

multiple contexts 16-28

Compact Flash 5-16

Configure IGMP Parameters dialog box 12-5

description 12-5

fields 12-5

connection

deleting 2-6

connection limits

TCP and UDP 27-1

connections per second 3-14

context mode

viewing 3-13

contexts

See security contexts

control plane path 1-8

conversion error, ICMP message 16-8

CPU usage 3-13

CRL

cache refresh time 18-13

checking 18-13

enforce next update 18-13

retrieval method 18-12

retrieval policy 18-11

CTIQBE

application inspection, enabling 24-27

cut-through proxy 25-1

D

default class 10-19

default policy 23-2

default routes

defining equal cost routes 11-42

definition of 11-42

device ID, including in messages 17-8

DHCP

configuring 13-4

monitoring

interface lease 31-2

IP addresses 31-2

server 31-2

statistics 31-3

services 13-1

statistics 31-3

transparent firewall 21-8

DHCP relay

overview 13-1

DHCP Relay - Add/Edit DHCP Server dialog box 13-3

description 13-3, 13-4

fields 13-4

restrictions 13-3

DHCP Relay panel

description 13-1

fields 13-2

prerequisites 13-1

restrictions 13-1

DHCP Server panel 13-4

description 13-4

fields 13-5

DHCP services 13-1, 14-1

digital certificates 18-1

DMZ, definition 1-1

DNS

application inspection, enabling 24-27

inspection

about 24-7

managing 24-6

rewrite, about 24-7

DNS and NAT 22-15

DNS client 13-8

downloadable access lists

configuring 25-11

converting netmask expressions 25-15

DSCP bits 1-9

dynamic NAT

See NAT

E

ECMP 11-42

Edit DHCP Relay Agent Settings dialog box 13-3

description 13-3

fields 13-3

prerequisites 13-3

restrictions 13-3

Edit DHCP Server dialog box 13-6

description 13-6

fields 13-6

Edit OSPF Interface Authentication dialog box 11-16

description 11-16

fields 11-16

Edit OSPF Interface Properties dialog box 11-18

fields 11-18

Edit OSPF Process Advanced Properties dialog box 11-8

description 11-8

fields 11-8

Edit PIM Protocol dialog box 12-10

description 12-10

fields 12-10

EIGRP 21-8

enrolling

certificate 18-2

ESMTP

application inspection, enabling 24-27

established command

maximum rules 2-8

security level requirements 9-1

EtherChannel, backplane

load-balancing 5-14

overview 5-14

Ethernet

MTU 9-3, 9-7

EtherType access list

applying in both directions 21-8

compatibility with extended access lists 21-2

implicit deny 21-2

MPLS, allowing 21-9

supported EtherTypes 21-8

exporting a certificate 18-14

external filtering server 26-7

F

failover

criteria 14-16, 14-22

defining standby IP addresses 14-14, 14-15

enable 14-20

enabling Active/Standby 14-12

enabling Stateful Failover 14-12

graphs 30-4

in multiple context mode 14-20

key 14-12, 14-20

make active 30-4

make standby 30-4

monitoring 30-1

PISA 27-7

reload standby 30-4

reset 30-4, 30-8

stateful 14-3

Stateful Failover 14-21

stateless 14-3

status 30-1

switch configuration 5-14

trunk 5-14

failover groups

about 14-23

adding 14-24

editing 14-24

monitoring 30-8

reset 30-10

filtering

benefits of 26-7

maximum rules 2-8

overview 26-1

rules 26-8

security level requirements 9-1

servers supported 26-2

URLs 26-2

Filtering panel 11-13

benefits 11-13

description 11-13

fields 11-14

restrictions 11-13

fingerprint

certificate 18-2

firewall mode

configuring 19-1

overview 19-1

viewing 3-13

Flash memory

overview 5-16

partitions 5-16

size 2-4

fragments 1-4

FTP

application inspection

enabling 24-27

viewing 24-60, 24-62, 24-69, 24-70, 24-76, 24-77, 24-85, 24-88, 24-95, 24-98, 24-101, 24-105, 24-107, 24-108, 24-112

filtering option 26-10

FTP inspection

about 24-8

configuring 24-8

G

gateways

MGCP application inspection 24-103

global addresses

guidelines 22-15

GRE tagging with PISA 27-6

GTP

application inspection

enabling 24-27

viewing 24-80

GTP inspection

configuring 24-10

H

H.323

transparent firewall guidelines 19-4

H.323 inspection

about 24-12

configuring 24-11

limitations 24-13

H225

application inspection, enabling 24-27

H323 RAS

application inspection, enabling 24-28

Help button 3-9

HELP command, denied request 24-80

Help menu 3-6

history metrics 8-2

HSRP 19-3

HTTP

application inspection

enabling 24-28

viewing 24-87

filtering

configuring 26-9

HTTP(S)

filtering 26-2

maximum connections 2-5

maximum rules 2-8

HTTP inspection

configuring 24-13

HTTPS

filtering option 26-10

HTTPS/Telnet/SSH

allowing network or host access to ASDM 16-1

I

ICMP

application inspection, enabling 24-28

maximum rules 2-8

ICMP Error

application inspection, enabling 24-28

IGMP

access groups 12-2

configuring interface parameters 12-5

group membership 12-3

interface parameters 12-5

static group assignment 12-6

IGMP panel

IGMP

overview 12-2

ILS

application inspection, enabling 24-28

ILS inspection 24-14

IM 24-20

import certificate panel 18-3

importing a certificate 18-15

inbound access lists 21-3

information reply, ICMP message 16-8

information request, ICMP message 16-8

inside, definition 1-1

inspection engines

security level requirements 9-1

See application inspection

installation

module verification 5-3

installing a certificate 18-15

Instant Messaging inspection 24-20

interface

MTU 9-3, 9-7

status 3-13

throughput 3-14

Interface panel 11-15

interfaces

maximum 2-5

monitoring 31-5

See also switch ports.

shared 10-6

IOS

upgrading 5-2

IOS versions 2-3

IP address 8-1

management, transparent firewall 8-1

IP addresses

overlapping between contexts 10-4

IP fragment database, editing 27-12

IPv6

duplicate address detection 9-8

ipv6

access rules 21-9

ipv6 addresses

about 9-8

configuring 9-7

link-local 9-11

IPX 5-9

ISNs, randomizing

using Modular Policy Framework 27-1

J

Java applet filtering 26-2

Java console 4-8

Join Group panel 12-3

description 12-3

fields 12-4

K

Kerberos

configuring 15-7

support 15-6

key pair panel

key-pair name 18-4

size 18-4

usage 18-4

key pairs 18-4

adding 18-4

showing details 18-5

L

Layer 2 firewall

See transparent firewall

Layer 3/4

matching multiple policy maps 23-4

LDAP

application inspection 24-14

attribute mapping 15-16

configuring 15-7

support 15-6

load-balancing, backplane EtherChannel 5-14

local user database

support 15-6

lockout recovery 16-35

logging

viewing last 10 messages 3-14

login

FTP 25-3

loops, avoiding 5-14

LSA

about Type 1 32-3

about Type 2 32-4

about Type 3 32-4

about Type 4 32-5

about Type 5 32-6

about Type 7 32-6

M

MAC address table 28-4

built-in switch 28-5

learning, disabling 28-6

monitoring 31-4

overview 28-4

static entry 28-6

managing

certificates 18-5

man-in-the-middle attack 28-2

mask reply, ICMP message 16-8

mask request, ICMP message 16-8

memory

access list use of 21-3

Flash 2-4

RAM 2-4

rules use of 21-3

memory partitions 10-10

reallocating rules 10-15

setting the total number 10-11

sizes 10-12

memory usage 3-13

menus 3-4

MGCP

application inspection

configuring 24-103

enabling 24-28

viewing 24-101

MGCP inspection

configuring 24-15

MIBs

supported 16-10

mobile redirection, ICMP message 16-8

mode

context 10-9

Modular Policy Framework

See MPF

monitoring

ARP table 31-1

DHCP

interface lease 31-2

IP addresses 31-2

server 31-2

statistics 31-3

failover 30-1, 30-5

failover groups 30-8

history metrics 8-2

interfaces 31-5

MAC address table 31-4

routes 32-9

SNMP 16-10

MPF

about 23-1

default policy 23-2

features 23-1

flows 23-4

matching multiple policy maps 23-4

MPLS

LDP 21-9

router-id 21-9

TDP 21-9

MRoute panel 12-9

description 12-7

fields 12-7

MSFC

definition 2-2

overview 1-6

SVIs 5-9

MTU 9-3, 9-7

Multicast panel

description 12-1

fields 12-1

Multicast Route panel 12-9

multicast traffic 19-3

Multilayer Switch Feature Card

See MSFC

multiple mode, enabling 10-9

multiple SVIs 5-8

N

N2H2 filtering server 26-7

name resolution 13-8

NAT

application inspection 24-58

bypassing NAT

overview 22-10

DNS 22-15

dynamic NAT

configuring 22-24

implementation 22-18

overview 22-6

exemption from NAT

overview 22-10

identity NAT

overview 22-10

order of statements 22-14

overview 22-1

PAT

configuring 22-24

implementation 22-18

overview 22-8

policy NAT

maximum rules 2-8

overview 22-10

RPC not supported with 24-24

same security level 22-14

security level requirements 9-1

static NAT

configuring 22-28

overview 22-8

static PAT

overview 22-9

transparent mode 22-4

types 22-6

xlate bypass

overview 22-13

NETBIOS

application inspection, enabling 24-28

network objects 20-1

network processors 1-8

NPs 1-8

NTLM support 15-5

NT server

configuring 15-7

support 15-5

O

object groups

expanded 21-3

Options menu 3-5

OSPF

about 11-6

adding an LSA filter 11-14

authentication settings 11-15

authentication support 11-7

configuring authentication 11-16

defining a static neighbor 11-22

defining interface properties 11-18

interaction with NAT 11-7

interface properties 11-15, 11-17

LSA filtering 11-13

LSAs 11-7

LSA types 32-3

monitoring LSAs 32-3

neighbor states 32-7

route map 11-1

route redistribution 11-19

static neighbor 11-22

summary address 11-23

virtual links 11-24

OSPF area

defining 11-10

OSPF Neighbors panel 32-7

description 32-7

fields 32-7

OSPF parameters

dead interval 11-19

hello interval 11-19

retransmit interval 11-19

transmit delay 11-19

OSPF route summarization

about 11-12

defining 11-13

outbound access lists 21-3

outside, definition 1-1

oversubscribing resources 10-18

P

packet

classifier 10-3

parameter problem, ICMP message 16-8

partitions

application 5-16

boot 5-16

crash dump 5-16

Flash memory 5-16

maintenance 5-16

network configuration 5-16

PAT

See NAT

PDP context, GTP application inspection 24-83

PIM

interface parameters 12-9

overview 12-9

register message filter 12-16

rendezvous points 12-14

shortest path tree settings 12-18

PISA integration 27-5

policy map

Layer 3/4

flows 23-4

policy NAT

about 22-10

PortFast 5-5

PPTP

application inspection, enabling 24-28

Process Instances tab 11-8

description 11-8

fields 11-8

Properties tab 11-17

description 11-17

fields 11-17

Protocol panel (IGMP) 12-5

description 12-5

fields 12-5

Protocol panel (PIM) 12-9

description 12-9

fields 12-10

proxy ARP, disabling 11-48

proxy servers

SIP and 24-19

Q

QoS compatibility 1-9

R

RADIUS

configuring a server 15-7

downloadable access lists 25-11

network access authentication 25-3

network access authorization 25-11

support 15-4

RAM, amount

memory, amount

RAM 3-13

rapid link failure detection 5-15

RealPlayer 24-18

rebooting

from the switch 5-17

redirect, ICMP message 16-8

Redistribution panel 11-19

description 11-19

fields 11-20

Related Documentation 1-xxviii

reloading

from the switch 5-17

Rendezvous Points panel 12-14

description 12-14

fields 12-14

Request Filter panel 12-16

description 12-16

fields 12-16

requirements 2-2

Reset button 3-9

resetting

from the switch 5-17

resource management

default class 10-19

oversubscribing 10-18

overview 10-18

unlimited 10-18

RIP

authentication 11-27

definition of 11-27

support for 11-27

RIP panel 11-27

fields 11-28

limitations 11-27

RIP Version 2 Notes 11-27

RNFR command, denied request 24-80

RNTO command, denied request 24-80

route maps

uses 11-1

router advertisement, ICMP message 16-8

router solicitation, ICMP message 16-8

Routes panel 32-9

description 32-9

fields 32-9

Route Summarization tab 11-12

about 11-12

fields 11-12

Route Tree panel 12-18

description 12-18

fields 12-18

routing

other protocols 21-7

RPC

application inspection, enabling 24-28

RSH

application inspection, enabling 24-28

RSH connections 2-6

RTSP

application inspection, enabling 24-28

RTSP inspection

about 24-18

configuring 24-18

rules

default allocation 2-8

filtering 26-7

ICMP 16-7

maximum 21-3

memory partitions 10-10

pools for contexts 2-8

reallocating memory 2-8

reallocating memory per partition 10-15

S

same security level communication

configuring 9-12

NAT 22-14

SCCP (Skinny) inspection

about 24-21

configuration 24-21

configuring 24-21

SDI

configuring 15-7

support 15-5

Secure Computing SmartFilter 26-2

security contexts

admin context

overview 10-2

classifier 10-3

command authorization 16-28

memory partitions 10-10

MSFC compatibility 1-7

multiple mode, enabling 10-9

overview 10-1

resource management 10-18

unsupported features 10-2

segment size

maximum and minimum 27-12

session management path 1-8

Setup panel 11-7

about 11-7

shared interfaces 10-6

shared VLANs 10-6

single mode

backing up configuration 10-9

configuration 10-9

enabling 10-9

restoring 10-9

SIP

application inspection, enabling 24-28

SIP inspection

about 24-19

configuring 24-19

instant messaging 24-20

SITE command, denied request 24-80

Skinny

application inspection, enabling 24-28

SMTP inspection 24-22

SNMP

application inspection

enabling 24-28

viewing 24-118

MIBs 16-10

overview 16-10

traps 16-22

software

version 3-13

source quench, ICMP message 16-8

SPAN session 5-2

specifications 2-1

spoofing, preventing 27-12

SQLNET

application inspection, enabling 24-28

SSH

maximum rules 2-8

stateful application inspection 24-58

Stateful Failover 14-3

enabling 14-12

Logical Updates Statistics 30-7, 30-9

settings 14-21

stateful inspection

overview 1-8

stateless failover 14-3

Static Group panel 12-6

description 12-6

fields 12-6

static NAT

See NAT

Static Neighbor panel 11-22

description 11-22

fields 11-22

static PAT

See NAT

static routes

about 11-41

floating 11-41

status bar 3-8

stealth firewall

See transparent firewall

STOU command, denied request 24-80

subordinate certificate 18-1

Summary Address panel 11-23

description 11-23

fields 11-23

Sun RPC inspection

about 24-24

configuring 24-24

supervisor engine versions 2-3

supervisor IOS 2-2

SVIs

configuring 5-10

dummy 5-15

multiple 5-8

overview 5-8

switch

ASDM

prerequisite configuration 5-3

supported features 5-1

assigning VLANs to FWSM 5-11

autostate messaging 5-15

BPDU forwarding 5-14

connecting to 5-4

failover compatibility with transparent firewall 5-14

failover configuration 5-14

maximum modules 2-4

resetting the module 5-17

SNMP 5-3

SSH 5-3

supported hardware and software 5-2

system requirements 2-2

trunk for failover 5-14

verifying module installation 5-3

VLAN addition 5-10

switched virtual interfaces

See SVIs

Switch Fabric Module 2-4

switch MAC address table 28-5

switch port

secured 5-6

switch ports

administrative state 5-5

mode 5-5

overview 5-5

PortFast 5-5

speed 5-5

VLAN assignment 5-6

system configuration

overview 10-2

system messages

device ID, including 17-8

viewing last 10 3-14

system requirements 2-2

T

TACACS+

command authorization, configuring 16-30

configuring a server 15-7

network access authorization 25-9

support 15-4

TCP

application inspection 24-58

back-to-back connections 2-6

connection, deleting 2-6

maximum segment size 27-12

sequence randomization 27-4

Telnet

maximum rules 2-8

TFTP

application inspection, enabling 24-28

time exceeded, ICMP message 16-8

timestamp reply, ICMP message 16-8

timestamp request, ICMP message 16-8

Tools menu 3-5

traffic usage 3-14

transparent firewall

DHCP packets, allowing 21-8

guidelines 19-5

H.323 guidelines 19-4

HSRP 19-3

MAC address table

learning, disabling 28-6

overview 28-4

static entry 28-6

management IP address 8-1

multicast traffic 19-3

overview 19-1

packet handling 21-7

unsupported features 19-6

VRRP 19-3

transparent mode

NAT 22-4

traps, SNMP 16-22

trustpoint

definition 18-7

trustpoint configuration panel 18-7

advanced options 18-13

CA certificate subject 18-8

certificate parameters 18-9

CRL retrieval method 18-12

CRL retrieval policy 18-11

device certificate subject 18-8

editing DN 18-10

enrollment settings 18-8

request CRL 18-8

trustpoint name 18-7

trustpoint export panel 18-14

trustpoint import panel 18-15

Type 1 panel 32-3

description 32-3

fields 32-3

Type 2 panel 32-4

description 32-4

fields 32-4

Type 3 panel 32-4

description 32-4

fields 32-5

Type 4 panel 32-5

description 32-5

fields 32-5

Type 5 panel 32-6

description 32-6

fields 32-6

Type 7 panel 32-6

description 32-6

fields 32-6

U

UDP

application inspection 24-58

connection state information 1-9

Unicast Reverse Path Forwarding 27-12

unreachable messages

ICMP type 16-7

required for MTU discovery 16-7

upgrading

IOS 5-2

uptime 3-13

URL

filtering

configuring 26-9

URLs

filtering 26-2

filtering, configuration 26-6

V

version

ASDM 3-13

platform software 3-13

virtual firewalls

See security contexts

Virtual Link panel 11-24

description 11-24

fields 11-24

virtual reassembly 1-4

VLAN groups

adding 5-12

assign to FWSM 5-12

guidelines 5-11

maximum 5-12

VLANs

adding to the switch 5-10

assigning to FWSM 5-11

firewall groups 5-11

guidelines 5-7

maximum 2-5

shared 10-6

switch port assignment 5-6

VoIP

proxy servers 24-19

VPN management connection 16-5

VRRP 19-3

W

WAN ports 2-2

web clients, secure authentication 25-7

Websense filtering server 26-7

Window menu 3-6

Wizards menu 3-6

X

XDMCP

application inspection, enabling 24-28

xlate bypass

overview 22-13