Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 3.1
Index

Symbols

/bits subnet masks D-3

?

command string C-4

help C-4

A

AAA

accounting 15-10

authentication

CLI access 21-11

network access 15-1

privileged EXEC mode 21-12

authorization

commands 21-13

downloadable access lists 15-7

network access 15-6

clearing settings 24-7

local database support 14-8

maximum rules A-5

overview 14-1

performance 15-1

server

adding 14-11

types 14-3

support summary 14-3

with web clients 15-4

abbreviating commands C-3

access lists

ACE logging, configuring 10-20

ACE order 10-2

comments 10-16

commitment 10-5

deny flows, managing 10-21

downloadable 15-8

EtherType, adding 10-9

EtherType, overview 10-8

expanded 10-5

extended, adding 10-5

extended, overview 10-6

implicit deny 10-3

inbound 11-1

interface, applying 11-4

IP address guidelines with NAT 10-3

logging 10-18

maximum rules 10-5

memory limits 10-5

memory partitions 4-16

NAT addresses 10-3

object grouping 10-10

outbound 11-1

overview 10-1

remarks 10-16

standard access lists, adding 10-10

accounting 15-10

ACEs

expanded 10-5

logging 10-18

maximum 10-5

order 10-2

Active/Active failover

about 13-12

actions 13-14

active state 13-12

command replication 13-13

configuration synchronization 13-12

configuring

failover 13-23

failover group preemption 13-26

HTTP replication 13-26

interface poll time 13-27

unit poll time 13-27

criteria for failover 13-27

device initialization 13-12

failover groups 13-12

primary status 13-12

saving the configuration 13-14

secondary status 13-12

standby state 13-12

status 13-32

synchronizing the configurations 13-13

triggers 13-14

Active/Standby failover

about 13-9

actions 13-11

active state 13-9

command replication 13-10

configuration synchronization 13-9

configuring

failover 13-19

HTTP replication 13-22

interface poll time 13-22

unit poll time 13-22

criteria for failover 13-22

device initialization 13-9

primary status 13-9

saving the configuration 13-10

secondary status 13-9

standby state 13-9

status 13-28

synchronizing the configurations 13-10

triggers 13-10

adaptive security algorithm 1-6

admin context

changing 4-23

overview 1-7, 4-2

alternate address, ICMP message D-15

application inspection

applying 20-6

configuring 20-1

map, using 20-7

overview 20-2

security level requirements 6-1

supported protocols 20-4

application partition passwords, clearing 24-7

ARP inspection

configuring 17-1

enabling 17-2

overview 17-1

static entry 17-2

ARP spoofing 17-2

ARP table, static entry 17-2

ASDM

allowing access 21-4

installation 22-8

maximum connections A-4

ASR 8-26

asymmetric routing support 8-26

AUS 22-17

authentication

CLI access 21-11

FTP 15-2

HTTP 15-2

network access 15-1

overview 14-2

privileged EXEC mode 21-12

Telnet 15-2

web clients 15-4

authorization

commands 21-13

downloadable access lists 15-7

network access 15-6

overview 14-2

Auto Update

configuring 22-17

status 22-18

B

bandwidth

limiting 4-11

maximum A-2

basic settings 7-1

BGP 10-6

bits subnet masks D-3

booting

from the FWSM 24-6

from the switch 2-13

boot partitions 2-13

BPDUs

access list, EtherType 10-9

forwarding on the switch 2-12

bridge groups

IP addresses, assigning 6-5

overview 1-5

bridge table

See MAC address table

bufferwraps

save to Flash 23-5

save to internal Flash 23-13

send to FTP server 23-13

bypassing the firewall 2-7

C

capturing packets 24-8

Catalyst 6500

See switch

Catalyst OS versions A-2

CEF A-2

changing between contexts 4-22

Cisco 7600

See switch

Cisco IOS versions A-2

Cisco IP Phones

application inspection 20-66

with DHCP 8-31

Cisco VPN Client 21-6

class

filtering messages by 23-15

message class variables 23-15

types 23-15

Class A, B, and C addresses D-2

classes

See resource management

clearing configuration settings 23-20

CLI

abbreviating commands C-3

adding comments C-5

authenticating access 21-11

command line editing C-3

command output paging C-5

displaying C-5

help C-4

paging C-5

syntax formatting C-3

command authorization

configuring 21-13

multiple contexts 21-14

overview 21-11

command prompts

configuring 7-4

overview C-2

comments

access lists 10-16

configuration C-5

Compact Flash 2-12

configuration 23-16

clearing 3-5

clearing settings 23-20

comments C-5

minimum 1-xxvii

saving 3-3

switch 2-1

text file 3-6

URL for a context 4-19

viewing 3-5

configuration mode

accessing 3-2

prompt C-2

configuration mode prompt C-2

connection

deleting A-4

connection limits

per context 4-15

console port, external 3-1

contexts

See security contexts

control plane path 1-6

conversion error, ICMP message D-15

crash dump 24-8

CTIQBE inspection

enabling 20-9

limitations and restrictions 20-8

monitoring 20-10

overview 20-8

cut-through proxy 15-1

D

data flow

routed firewall 5-3

transparent firewall 5-13

debug messages 24-8

failover 13-39

default class 4-12

deny flows, logging 10-21

device ID, including in messages 23-18

DHCP

Cisco IP Phones 8-31

configuring 8-28

relay 8-32

server 8-31

transparent firewall 10-6

disabling messages, specific message IDs 23-19

DMZ, definition 1-1

DNS and NAT 12-14

DNS inspection

configuring 20-20

managing 20-13

rewrite 20-14

domain name, setting 7-4

DoS attack, preventing 7-6, 12-24

dotted decimal subnet masks D-3

downloadable access lists 15-8

DSCP bits 1-7

dual IP stack 9-4

dynamic NAT

See NAT

E

echo reply, ICMP message D-15

editing command lines C-3

EIGRP 10-6

EMBLEM format, using in logs 23-19

ESMTP inspection

configuring 20-72

overview 20-71

established command

maximum rules A-6

security level requirements 6-1

EtherChannel, backplane

load-balancing 2-11

overview 2-11

EtherType access list

adding 10-9

overview 10-8

EtherType assigned numbers 10-9

F

facility

setting 23-8

failover

about 13-1

Active/Active

See Active/Active failover

Active/Standby

See Active/Standby failover

configuring

Active/Active 13-23

Active/Standby 13-18

debug messages 13-39

disabling 13-37

displaying the configuration 13-36

forcing 13-37

interface health monitoring 13-17

link

about 13-2

securing 13-27

module placement

inter-chassis 13-5

intra-chassis 13-3

requirements

license 13-2

software 13-2

restoring a failed unit 13-38

SNMP traps 13-39

Stateful

See Stateful Failover

switch configuration 2-11

system messages 13-39

testing 13-36

transparent firewall considerations 13-7

trunk 2-12

unit health monitoring 13-17

failover groups

assigning contexts to 13-24

creating 13-24

definition of 13-12

preempt command 13-26

restoring to an unfailed state 13-38

fast path 1-6

filtering

ActiveX 16-1

exempting 16-7

FTP 16-8

HTTP 16-6

HTTPS 16-7

Java applets 16-3

long HTTP URLs

setting the size 16-7

truncating 16-7

maximum rules A-6

overview 16-1

security level requirements 6-1

servers supported 16-4

show command output C-4

URLs 16-4

firewall mode

configuring 5-1

overview 5-1

Flash memory

overview 2-12

partitions 2-12

size A-2

format of messages 23-22

FTP filtering 16-8

FTP inspection

configuring 20-24

overview 20-22

FWSM

connecting to 3-1

resetting 2-13

G

global addresses

guidelines 12-13

specifying 12-25

GTP inspection

configuring 20-29

overview 20-27

H

H.225, configuring 20-34

H.245

monitoring 20-38

troubleshooting 20-38

H.323

transparent firewall guidelines 5-10

H.323 inspection

configuring 20-35

limitations 20-33

overview 20-32

troubleshooting 20-38

help, command line C-4

hostname, setting 7-3

hosts, subnet masks for D-3

HSRP 5-9

HTTP(S)

authentication 21-11

filtering 16-4

maximum connections A-4

maximum rules A-6

HTTP inspection

configuring 20-43

overview 20-42

HTTP replication

configuring in Active/Active failover 13-26

configuring in Active/Standby failover 13-22

I

ICMP

management access 21-10

maximum rules A-6

testing connectivity 24-1

type numbers D-15

IGMP 8-20

IKE 21-5

ILS application inspection 20-45

IM 20-58

inbound access lists 11-1

information

reply, ICMP message D-15

request, ICMP message D-15

inside, definition 1-1

inspection

See application inspection

installation

module verification 2-2

software to any partition 22-5

software to current partition 22-3, 22-8

Instant Messaging 20-58

interfaces

configuring poll times 13-22, 13-27

global addresses 12-25

health monitoring 13-17

maximum A-3

naming 6-2, 6-4

shared 4-6

turning off 6-6

turning on 6-6

viewing monitored interface status 13-36

IOS versions A-2

IP addresses

classes D-2

interface 6-3

overlapping between contexts 4-4

private D-2

routed mode 6-3

subnet mask D-4

transparent mode 6-3

VPN client 21-8

IPSec

basic settings 21-5

client 21-6

management access 21-4

transforms 21-6

IPv6

access lists 9-5

default and static routes 9-5

dual IP stack, configuring 9-4

duplicate address detection 9-4

enabled commands 9-1

neighbor discovery 9-6

router advertisement messages 9-8

static neighbor 9-10

verifying configuration 9-10

viewing routes 9-11

IPX 2-7

ISAKMP 21-5

ISNs, randomizing

transparent firewall 7-6

J

Java applet filtering 16-2

K

Kerberos

configuring 14-11

support 14-7

L

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

LDAP

application inspection 20-45

configuring 14-11

support 14-7

licenses 22-1

load-balancing, backplane EtherChannel 2-11

local user database

adding a user 14-9

configuring 14-9

logging in 21-12

support 14-8

lockout recovery 21-22

log bufferwraps

save to internal Flash 23-13

send to FTP server 23-13

logging

access lists 10-18

class

filtering messages by 23-15

types 23-15

device-id, including in system messages 23-18

email

configuring as output destination 23-8

destination address 23-9

source address 23-9

EMBLEM format 23-19

facility option 23-8

filtering

by message list 23-16

by severity level 23-5

filtering messages

by message class 23-15

logging queue, configuring 23-18

output destinations

ASDM 23-9

email address 23-8, 23-9

internal buffer 23-5

syslog server 23-7

Telnet or SSH session 23-5

queue

changing the size of 23-18

configuring 23-18

viewing queue statistics 23-18

severity level

changing 23-20

timestamp, including 23-18

logging queue

configuring 23-18

login

FTP 15-2

local user 21-12

session 3-2

SSH 3-2

Telnet 3-2

login banner 7-5

log output destinations

ASDM 23-9

email address 23-8

internal buffer 23-5

syslog server 23-5

Telnet or SSH session 23-5

loops, avoiding 2-12

M

MAC address table

adding an address 17-3

entry timeout 17-3

MAC learning, disabling 17-4

overview 5-13, 17-3

resource management 4-14

static entry 17-3

viewing 17-4

MAC learning, disabling 17-4

maintenance partition

installing application software 22-5

installing maintenance software 22-5

password

clearing 24-7

setting 7-2

software installation 22-10

management IP address, transparent firewall 6-3

man-in-the-middle attack 17-2

mapped interface name 4-19

mask

reply, ICMP message D-15

request, ICMP message D-15

memory

access lists 10-5

Flash A-2

partitions 4-16

RAM A-2

rules 10-5

message classes

about 23-15

list of 23-15

message list

creating 23-16

filtering by 23-16

message severity levels, list of 23-22

MGCP inspection

configuring 20-48

overview 20-46

MIBs 23-1

minimum configuration 1-xxvii

mobile redirection, ICMP message D-15

mode

context 4-10

firewall 5-1

monitoring

OSPF 8-17

resource management 4-27

SNMP 23-1

more prompt C-5

MPLS

LDP 10-9

router-id 10-9

TDP 10-9

MSFC

definition A-1

overview 1-4

SVIs 2-7

multicast routing 8-19

multicast traffic 5-9

Multilayer Switch Feature Card

See MSFC

multiple context mode

See security contexts

multiple SVIs 2-6

N

N2H2 filtering server

supported 16-4

URL for website 16-4

naming an interface 6-2, 6-4

NAT

bypassing NAT

configuration 12-31

overview 12-9

DNS 12-14

dynamic NAT

configuring 12-23

implementation 12-17

overview 12-5

examples 12-34

exemption from NAT

configuration 12-33

overview 12-9

identity NAT

configuration 12-31

overview 12-9

NAT ID 12-17

order of statements 12-13

overlapping addresses 12-35

overview 12-1

PAT

configuring 12-23

implementation 12-17

overview 12-7

policy NAT

maximum rules A-6

overview 12-9

port redirection 12-36

RPC not supported with 20-76

same security level 12-12

security level requirements 6-1

static identity, configuring 12-32

static NAT

configuring 12-26

overview 12-7

static PAT

configuring 12-28

overview 12-7

transparent firewall 5-12

types 12-5

Network Address Translation

See NAT

network processors 1-6

networks, overlapping 12-35

NPs 1-6

NTLM support 14-7

NT server

configuring 14-11

support 14-7

O

object groups

expanded 10-5

nesting 10-14

removing 10-16

open ports D-14

OSPF

area authentication 8-11

area MD5 authentication 8-11

area parameters 8-11

authentication key 8-9

cost 8-9

dead interval 8-9

default route 8-15

displaying update packet pacing 8-16

enabling 8-6

hello interval 8-9

interface parameters 8-9

link-state advertisement 8-5

logging neighbor states 8-16

MD5 authentication 8-9

monitoring 8-17

NSSA 8-12

overview 8-5

packet pacing 8-16

processes 8-5

redistributing routes 8-6

route calculation timers 8-15

route map 8-7

route summarization 8-14

stub area 8-11

summary route cost 8-11

outbound access lists 11-1

output destinations 23-5

e-mail address 23-5, 23-8

internal buffer 23-5

SNMP management station 23-5

specifying 23-8

syslog server 23-5, 23-7

Telnet or SSH session 23-5

viewing logs 23-6

outside, definition 1-1

oversubscribing resources 4-11

P

packet

capture 24-8

classifier 4-3

flow

routed firewall 5-3

transparent firewall 5-13

paging screen displays C-5

parameter problem, ICMP message D-15

partitions

application 2-12

boot 2-13

crash dump 2-12

Flash memory 2-12

maintenance 2-12

network configuration 2-12

passwords

changing 7-1

clearing

application 24-7

maintenance 24-7

recovery 24-6

troubleshooting 24-7

PAT (Port Address Translation)

limitations 20-55

static 12-28

See also NAT

PIM features, configuring 8-24

ping

See ICMP

policy NAT

dynamic, configuring 12-24

maximum rules A-6

overview 12-9

static, configuring 12-27

static PAT, configuring 12-28

pools, addresses

DHCP 8-29

global NAT 12-25

VPN 21-8

PORT command, FTP 20-23

ports

open on device D-14

redirection, NAT 12-36

private networks D-2

privileged EXEC mode

accessing 3-2

authentication 21-12

prompt C-2

prompts

command C-2

more C-5

setting 7-4

protocol numbers and literal values D-11

proxy servers, SIP 20-57

Q

QoS compatibility 1-7

question mark

command string C-4

help C-4

queue, logging

changing the size of 23-18

viewing statistics 23-18

quick start 1-xxvii

R

RADIUS

configuring a server 14-11

downloadable access lists 15-8

network access authentication 15-2

network access authorization 15-7

support 14-4

RAS H.323 troubleshooting 20-39

RealPlayer 20-54

rebooting

from the FWSM CLI 24-6

from the switch 2-13

redirect, ICMP message D-15

Related Documentation 1-xxvi

reloading

contexts 4-24

from the FWSM CLI 24-6

from the switch 2-13

remarks

access lists 10-16

configuration C-5

remote management

ASDM 21-4

SSH 21-2

Telnet 21-1

VPN 21-4

requirements A-1

resetting

from the FWSM CLI 24-6

from the switch 2-13

resource management

assigning a context 4-21

class 4-14

configuring 4-11

default class 4-12

monitoring 4-27

oversubscribing 4-11

overview 4-11

resource types 4-14

unlimited 4-12

resource usage 4-29

RIP

default route updates 8-18

enabling 8-18

overview 8-18

passive 8-18

routed firewall

data flow 5-3

interfaces, configuring 6-2

setting 5-16

router

advertisement, ICMP message D-15

solicitation, ICMP message D-15

routes

configuring 8-2

generating a default 8-15

logging neighbors 8-16

monitoring OSPF 8-17

summarization 8-14

routing

OSPF 8-18

other protocols 10-6

RIP 8-19

RSA keys, generating 21-3

RSH connections A-4

RTSP inspection

configuring 20-55

overview 20-54

rules

maximum 10-5

running configuration

backing up 22-15

clearing 3-5

downloading 22-14

saving 3-3

viewing 3-5

S

same security level communication

configuring 6-5

NAT 12-12

SCCP (Skinny) inspection

Cisco IP Phones, supporting 20-66

configuration 20-66

SDI

configuring 14-11

support 14-6

security contexts

adding 4-18

admin context

changing 4-23

overview 1-7, 4-2

assigning to a resource class 4-21

changing between 4-22

classifier 4-3

command authorization 21-14

configuration

URL, changing 4-24

URL, setting 4-19

logging in 4-9

managing 4-22

mapped interface name 4-19

monitoring 4-25

MSFC compatibility 1-5

multiple mode, enabling 4-10

overview 4-1

prompt C-2

reloading 4-24

removing 4-23

resource management 4-11

resource usage 4-29

saving all configurations 3-4

unsupported features 4-2

VLAN allocation 4-18

security level

configuring 6-2

overview 6-1

sessioning from the switch 3-1

session management path 1-6

severity levels, of system messages

changing 23-5

definition 23-22

filtering by 23-5

list of 23-22

shared interfaces 4-6

shared VLANs 4-6

show command, filtering output C-4

single mode

backing up configuration 4-10

configuration 4-10

enabling 4-10

restoring 4-10

SIP inspection

configuring 20-59

instant messaging 20-58

overview 20-58

timeout values, configuring 20-61

troubleshooting 20-61

site-to-site tunnel 21-9

SMTP inspection

configuring 20-72

overview 20-71

SNMP

management station 23-5

MIBs 23-1

overview 23-1

traps 23-2

software installation

any partition 22-5

current partition 22-3

maintenance 22-10

source quench, ICMP message D-15

SPAN session 2-1

specifications A-1

SSH

authentication 21-11

concurrent connections 21-2

login 21-3

maximum rules A-6

RSA key 21-3

username 21-4

startup configuration

backing up 22-15

copying to the running configuration 3-5

downloading 22-14

saving 3-3

viewing 3-5

Stateful Failover

overview 13-16

state information passed 13-16

state link 13-3

stateful inspection 1-6

state link

See Stateful Failover

static ARP entry 17-2

static MAC address entry 17-3

static NAT

See NAT

static PAT

See NAT

stealth firewall

See transparent firewall

Stub Multicast Routing 8-23

subnet masks

/bits D-3

address range D-4

dotted decimal D-3

number of hosts D-3

overview D-2

Sun RPC inspection

configuring 20-76

overview 20-76

supervisor engine versions A-2

supervisor IOS A-1

SVIs

configuring 2-8

multiple 2-6

overview 2-6

switch

assigning VLANs to module 2-2

BPDU forwarding 2-12

configuration 2-1

failover compatibility with transparent firewall 2-12

failover configuration 2-11

maximum modules A-2

resetting the module 2-13

sessioning to the module 3-1

system requirements A-1

trunk for failover 2-12

verifying module installation 2-2

switched virtual interfaces

See SVIs

Switch Fabric Module A-2

SYN attacks, monitoring 4-31

SYN cookies 4-31

syntax formatting C-3

syslog server

as output destination 23-7

designating 23-7

designating more than one 23-7

EMBLEM format

configuring 23-19

enabling 23-7

system configuration

overview 4-2

system messages

classes of 23-15

list of classes 23-15

configuring in groups

by message list 23-16

by severity level 23-5

creating lists of 23-14

device ID, including 23-18

disabling logging of 23-5

failover 13-39

filtering

by message class 23-14

format of 23-22

managing in groups

by message class 23-15

creating a message list 23-14

output destinations 23-5

email address 23-8

internal buffer 23-5

syslog message server 23-5

Telnet or SSH session 23-5

severity levels 23-22

changing the severity level of a message 23-5

list of 23-22

timestamp, including 23-18

system requirements A-1

T

TACACS+

command authorization 21-17

configuring a server 14-11

network access authorization 15-6

support 14-5

TCP

back-to-back connections A-4

connection, deleting A-4

connection limits per context 4-15

ports and literal values D-11

TCP Intercept

configuring for transparent mode 7-6, 12-24

monitoring 4-31

Telnet

authentication 21-11

concurrent connections 21-1

maximum rules A-6

testing configuration 24-1

time exceeded, ICMP message D-15

time ranges, access lists 10-17

timestamp

reply, ICMP message D-15

request, ICMP message D-15

timestamp, including in system messages 23-18

traffic flow

routed firewall 5-3

transparent firewall 5-13

transparent firewall

ARP inspection

enabling 17-2

overview 17-1

static entry 17-2

data flow 5-13

DHCP packets, allowing 10-6

failover considerations 13-7

guidelines 5-11

H.323 guidelines 5-10

HSRP 5-9

interfaces, configuring 6-3

MAC address timeout 17-3

MAC learning, disabling 17-4

management IP address 6-3

multicast traffic 5-9

NAT 5-12

overview 5-8

packet handling 10-6

setting 5-16

static MAC address entry 17-3

unsupported features 5-12

VRRP 5-9

traps, SNMP 23-2

troubleshooting

capturing packets 24-8

common problems 24-8

configuration 24-1

crash dump 24-8

debug messages 24-8

H.323 20-38

H.323 RAS 20-39

password recovery 24-6

SIP 20-61

tunnels

basic settings, configuring 21-5

site-to-site, configuring 21-9

VPN client access, configuring 21-6

U

UDP

connection limits per context 4-15

connection state information 1-6

ports and literal values D-11

unit health monitoring 13-17

unit poll time, configuring 13-22, 13-27

unprivileged mode

accessing 3-2

prompt C-2

unreachable, ICMP message D-15

URLs

context configuration, changing 4-24

context configuration, setting 4-19

filtering 16-4

V

viewing logs 23-6

virtual firewalls

See security contexts

VLANs

allocating to a context 4-18

assigning to FWSM 2-2

interfaces 2-2

mapped interface name 4-19

maximum A-3

shared 4-6

VoIP

proxy servers 20-57

troubleshooting 20-38

VPN

basic settings 21-5

client tunnel 21-6

management access 21-4

site-to-site tunnel 21-9

transforms 21-6

VRRP 5-9

W

WAN ports A-1

web clients, secure authentication 15-4