Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 3.2
Index
Downloads: This chapterpdf (PDF - 812.0KB) The complete bookPDF (PDF - 16.1MB) | Feedback

Index

Table Of Contents

Symbols - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X -

Index

Symbols

/bits subnet masks E-3

?

command string C-4

help C-4

A

AAA

accounting 15-13

authentication

CLI access 21-11

CLI access, system 21-12

network access 15-1

privileged EXEC mode 21-13

authentication directly with the FWSM 15-3

authorization

commands 21-14

downloadable access lists 15-10

network access 15-9

clearing settings 24-6

local database support 14-6

maximum rules A-7

overview 14-1

password management 15-6

performance 15-1

prompts 15-6

server

adding 14-9

types 14-3

support summary 14-3

with web clients 15-6

abbreviating commands C-3

access lists

ACE logging, configuring 10-21

ACE order 10-2

comments 10-18

commitment 10-5

deny flows, managing 10-22

downloadable 15-10

EtherType, adding 10-10

expanded 10-6

extended, adding 10-6

extended, overview 10-6

implicit deny 10-3

inbound 11-1

interface, applying 11-4

IP address guidelines with NAT 10-3

logging 10-20

maximum rules 10-6

memory limits 10-6

memory partitions 4-17

NAT addresses 10-3

object grouping 10-11

outbound 11-1

overview 10-1

remarks 10-18

standard access lists, adding 10-11

accounting 15-13

ACEs

expanded 10-6

logging 10-20

maximum 10-6

order 10-2

Active/Active failover

about 13-13

actions 13-16

active state 13-13

command replication 13-14

configuration synchronization 13-13

configuring

failover 13-26

failover group preemption 13-29

HTTP replication 13-29

interface poll time 13-29

unit poll time 13-29

criteria for failover 13-30

device initialization 13-13

failover groups 13-13

primary status 13-13

saving the configuration 13-15

secondary status 13-13

standby state 13-13

status 13-34

synchronizing the configurations 13-15

triggers 13-15

Active/Standby failover

about 13-9

actions 13-11

active state 13-9

command replication 13-10

configuration synchronization 13-9

configuring

failover 13-21

HTTP replication 13-24

interface poll time 13-24

unit poll time 13-24

criteria for failover 13-25

device initializtion 13-9

primary status 13-9

saving the configuration 13-10

secondary status 13-9

standby state 13-9

status 13-31

synchronizing the configurations 13-10

triggers 13-11

Active Directory, password management 15-6

adaptive security algorithm 1-8

admin context

changing 4-24

overview 4-3

alternate-address (ICMP message) E-15

application inspection

applying 20-7

configuring 20-1

map, using 20-7

overview 20-2

security level requirements 6-1

supported protocols 20-4

application partition passwords, clearing 24-6

ARP inspection

configuring 17-1

enabling 17-2

overview 17-1

static entry 17-2

ARP spoofing 17-2

ARP table, static entry 17-2

ASDM

allowing access 21-4

installation 22-9

maximum connections A-4

ASR 8-29

asymmetric routing support 8-29

AUS 22-19

authentication

CLI access 21-11

CLI access, system 21-12

FTP 15-3

HTTP 15-2

network access 15-1

overview 14-2

privileged EXEC mode 21-13

Telnet 15-2

web clients 15-6

authorization

commands 21-14

downloadable access lists 15-10

network access 15-9

overview 14-2

autostate messaging 2-9

Auto Update

configuring 22-18

status 22-20

B

bandwidth

limiting 4-11

maximum A-3

basic settings 7-1

BGP

configuring 8-5

limitations 8-5

monitoring 8-6

restarting 8-7

support for 8-4

bits subnet masks E-3

booting

from the FWSM 24-6

from the switch 2-11

boot partitions 2-10

BPDUs

access list, EtherType 10-10

forwarding on the switch 2-9

bridge groups

IP addresses, assigning 6-5

overview 1-7

bridge table

See MAC address table

bufferwraps

save to interal Flash 23-10

send to FTP server 23-10

bypassing firewall checks 19-4

bypassing the firewall, in the switch 2-6

C

capturing packets 24-8

Catalyst 6500

See switch

Catalyst OS

upgrading 2-1

CEF A-3

changing between contexts 4-23

Cisco 7600

See switch

Cisco IOS versions A-2

Cisco IP Phones

application inspection 20-79

with DHCP 8-34

Cisco VPN Client 21-6

Class A, B, and C addresses E-2

classes, logging

filtering messages by 23-12

message class variables 23-12

types 23-12

classes, resource

See resource management

clearing configuration settings 23-17

CLI

abbreviating commands C-3

adding comments C-5

authenticating access 21-11

command line editing C-3

command output paging C-5

displaying C-5

help C-4

paging C-5

syntax formatting C-3

command authorization

configuring 21-14

multiple contexts 21-15

overview 21-11

command prompts

configuring 7-4

overview C-2

comments

access lists 10-18

configuration C-5

Compact Flash 2-10

configuration

clearing 3-5

clearing settings 23-17

comments C-5

minimum 1-xxix

saving 3-3

switch 2-1

text file 3-6

URL for a context 4-21

viewing 3-5

configuration mode

accessing 3-2

prompt C-2

connection

blocking 19-8

deleting A-5

connection limits

per context 4-16

TCP and UDP 19-1

console port, external 3-1

contexts

See security contexts

control plane path 1-8

conversion-error (ICMP message) E-15

crash dump 24-10

CTIQBE inspection

enabling 20-9

limitations and restrictions 20-8

monitoring 20-10

overview 20-8

cut-through proxy 15-1

D

data flow

routed firewall 5-2

transparent firewall 5-12

debug messages

failover 13-41

viewing 24-8

default class 4-13

deny flows, logging 10-22

device ID, including in messages 23-15

DHCP

Cisco IP Phones 8-34

configuring 8-31

relay 8-35

server 8-34

transparent firewall 10-7

disabling messages, specific message IDs 23-16

DMZ, definition 1-1

DNS and NAT 12-15

DNS inspection

configuring 20-21

managing 20-15

rewrite 20-16

domain name, setting 7-4

DoS attack, preventing 12-26

dotted decimal subnet masks E-3

downloadable access lists 15-10

DSCP bits 1-9

dual IP stack 9-4

dynamic NAT

See NAT

E

eBGP 8-5

echo (ICMP message) E-15

echo-reply (ICMP message) E-15

editing command lines C-3

EIGRP 10-7

EMBLEM format, using in logs 23-16

embryonic connection limits 19-3

ESMTP inspection

configuring 20-85

overview 20-84

established command

maximum rules A-7

security level requirements 6-2

EtherChannel, backplane

load-balancing 2-8

overview 2-8

EtherType access list

adding 10-10

applying in both directions 10-9

compatibilty with extended access lists 10-10

implicit deny 10-9

MPLS, allowing 10-10

supported EtherTypes 10-9

EtherType assigned numbers 10-10

F

facility, logging 23-5

failover

about 13-1

Active/Active

See Active/Active failover

Active/Standby

See Active/Standby failover

configuring

Active/Active 13-25

Active/Standby 13-20

debug messages 13-41

disabling 13-40

displaying the configuration 13-38

forcing 13-39

interface health monitoring 13-19

link

about 13-2

securing 13-30

module placement

inter-chassis 13-4

intra-chassis 13-3

requirements

license 13-2

software 13-2

restoring a failed unit 13-40

SNMP traps 13-41

Stateful

See Stateful Failover

switch configuration 2-9

system log messages 13-41

testing 13-39

transparent firewall considerations 13-7

trunk 2-9

unit health monitoring 13-19

upgrading software 22-9

failover groups

assigning contexts to 13-27

creating 13-27

definition of 13-13

preempt command 13-29

restoring to an unfailed state 13-40

filtering

ActiveX 16-1

exempting 16-8

FTP 16-9

HTTP 16-6

HTTPS 16-8

Java applets 16-3

long HTTP URLs

setting the size 16-7

truncating 16-7

maximum rules A-7

overview 16-1

security level requirements 6-1

servers supported 16-4

show command output C-4

URLs 16-4

firewall mode

configuring 5-1

overview 5-1

Flash memory

overview 2-10

partitions 2-10

size A-3

format of messages 23-19

fragments

limitations A-3

fragment size, configuring 19-8

FTP filtering 16-9

FTP inspection

configuring 20-25

overview 20-23

G

global addresses

guidelines 12-15

specifying 12-27

GTP inspection

configuring 20-30

overview 20-28

H

H.225, configuring 20-43

H.245

monitoring 20-47

troubleshooting 20-47

H.323

transparent firewall guidelines 5-9

H.323 inspection

configuring 20-44

limitations 20-42

overview 20-41

troubleshooting 20-47

half-closed connection limits 19-3

help, command line C-4

hostname, setting 7-3

hosts, subnet masks for E-3

HSRP 5-8

HTTP(S)

authentication 21-12

filtering 16-4

maximum connections A-4

maximum rules A-7

HTTP inspection

configuring 20-54

overview 20-53

HTTP replication

configuring in Active/Active failover 13-29

configuring in Active/Standby failover 13-24

I

iBGP 8-5

ICMP

management access 21-10

maximum rules A-7

testing connectivity 24-1

type numbers E-15

IGMP 8-23

IKE 21-5

ILS application inspection 20-56

IM 20-68

inbound access lists 11-1

information-reply (ICMP message) E-15

information-request (ICMP message) E-15

inside, definition 1-1

inspection

See application inspection

installation

ASDM 22-9

maintenance software 22-12

module verification 2-2

software, using the CLI 22-4

software, using the maintenance partition 22-5

Instant Messaging 20-68

interfaces

configuring poll times 13-24, 13-29

global addresses 12-27

health monitoring 13-19

maximum A-4

naming 6-2, 6-4

shared 4-7

turning off 6-6

turning on 6-6

viewing monitored interface status 13-38

IOS

upgrading 2-1

IOS versions A-2

IP addresses

classes E-2

interface 6-3

overlapping between contexts 4-5

private E-2

routed mode 6-3

subnet mask E-4

translating 12-1

transparent mode 6-3

VPN client 21-8

IPSec

basic settings 21-5

client 21-6

management access 21-4

transforms 21-6

IP spoofing, preventing 19-7

IPv6

access lists 9-5

default and static routes 9-5

dual IP stack, configuring 9-4

duplicate address detection 9-4

enabled commands 9-1

neighbor discovery 9-6

router advertisement messages 9-8

static neighbor 9-10

verifying configuration 9-10

viewing routes 9-11

IPX 2-6

ISAKMP 21-5

ISNs, randomizing

using Modular Policy Framework 19-1

J

Java applet filtering 16-2

K

Kerberos

configuring 14-9

support 14-6

L

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

LDAP

application inspection 20-56

configuring 14-9

support 14-6

licenses 22-1

load-balancing, backplane EtherChannel 2-8

local user database

adding a user 14-7

configuring 14-7

logging in 21-14

support 14-6

system execution space 21-14

lockout recovery 21-24

log bufferwraps

save to internal Flash 23-10

send to FTP server 23-10

logging

access lists 10-20

class

filtering messages by 23-12

types 23-12

device-id, including in system log messages 23-15

email

configuring as output destination 23-5

destination address 23-6

source address 23-6

EMBLEM format 23-16

facility option 23-5

filtering messages

by message class 23-12

by message list 23-13

logging queue, configuring 23-15

multiple context mode 23-2

output destinations

ASDM 23-6

email address 23-5

internal buffer 23-8

SNMP 23-24

SSH 23-7

switch session 23-7

syslog server 23-4

Telnet 23-7

queue

changing the size of 23-15

configuring 23-15

viewing queue statistics 23-15

severity level

changing 23-17

severity level, changing 23-17

timestamp, including 23-15

logging queue

configuring 23-15

login

banner 7-5

command 21-14

FTP 15-3

local user 21-14

session 3-2

SSH 3-2

system execution space 21-14

Telnet 3-2

loops, avoiding 2-9

M

MAC address table

adding an address 17-3

entry timeout 17-3

MAC learning, disabling 17-4

overview 5-12, 17-3

resource management 4-16

static entry 17-3

viewing 17-4

MAC learning, disabling 17-4

maintenance partition

installing application software from 22-5

IP address 22-7

password

clearing 24-7

setting 7-2

software installation 22-12

management IP address, transparent firewall 6-3

man-in-the-middle attack 17-2

mapped interface name 4-20

mapping

MIBs to CLIs D-1

mask-reply (ICMP message) E-15

mask-request (ICMP message) E-15

memory

access list use of 10-6

Flash A-3

partitions 4-17

RAM A-3

rules use of 10-6

message classes

about 23-12

list of 23-12

message list

creating 23-13

filtering by 23-13

message severity levels, list of 23-19

MGCP inspection

configuring 20-59

overview 20-57

MIBs

supported 23-20

minimum configuration 1-xxix

mobile-redirect (ICMP message) E-15

mode

CLI C-2

context 4-10

firewall 5-1

monitoring

OSPF 8-19

resource management 4-28

SNMP 23-20

more prompt

disabling 21-1

overview C-5

MPLS

LDP 10-10

router-id 10-10

TDP 10-10

MSFC

definition A-1

overview 1-6

SVIs 2-6

multicast routing 8-21

multicast traffic 5-8

Multilayer Switch Feature Card

See MSFC

multiple context mode

See security contexts

multiple SVIs 2-5

N

naming an interface 6-2, 6-4

NAT

bypassing NAT

configuration 12-33

overview 12-10

DNS 12-15

dynamic NAT

configuring 12-25

implementation 12-19

overview 12-6

examples 12-36

exemption from NAT

configuration 12-35

overview 12-10

identity NAT

configuration 12-33

overview 12-10

NAT ID 12-19

order of statements 12-14

overlapping addresses 12-37

overview 12-1

PAT

configuring 12-25

implementation 12-19

overview 12-8

static 12-30

policy NAT

dynamic, configuring 12-25

maximum rules A-7

overview 12-10

static, configuring 12-29

static PAT, configuring 12-31

port redirection 12-38

RPC not supported with 20-89

same security level 12-14

security level requirements 6-1

static identity, configuring 12-33

static NAT

configuring 12-28

overview 12-8

static PAT

configuring 12-30

overview 12-9

transparent mode 12-4

types 12-6

xlate bypass

configuring 12-18

overview 12-13

network processors 1-8

networks, overlapping 12-37

NPs 1-8

NTLM support 14-5

NT server

configuring 14-9

support 14-5

O

object groups

expanded 10-6

nesting 10-15

removing 10-17

open ports E-14

OSPF

area authentication 8-13

area MD5 authentication 8-14

area parameters 8-13

authentication key 8-11

cost 8-11

dead interval 8-12

default route 8-17

displaying update packet pacing 8-19

enabling 8-8

hello interval 8-12

interface parameters 8-11

link-state advertisement 8-8

logging neighbor states 8-18

MD5 authentication 8-12

monitoring 8-19

NSSA 8-14

overview 8-7

packet pacing 8-19

processes 8-8

redistributing routes 8-9

route calculation timers 8-18

route map 8-9

route summarization 8-16

stub area 8-14

summary route cost 8-14

outbound access lists 11-1

outside, definition 1-1

oversubscribing resources 4-12

P

packet

capture 24-8

classifier 4-3

flow

routed firewall 5-2

transparent firewall 5-12

paging screen displays C-5

parameter-problem (ICMP message) E-15

parameter problem, ICMP message E-15

partitions

application 2-10

boot 2-10

crash dump 2-10

Flash memory 2-10

maintenance 2-10

network configuration 2-10

password management, AAA 15-6

passwords

changing 7-1

clearing

application 24-6

maintenance 24-7

recovery 24-6

troubleshooting 24-6

PAT

See NAT

PIM features, configuring 8-26

ping

See ICMP

policy NAT

about 12-10

See NAT

pools, addresses

DHCP 8-32

global NAT 12-27

VPN 21-8

PORT command, FTP 20-24

ports

open on device E-14

redirection, NAT 12-38

private networks E-2

privileged EXEC mode

accessing 3-2

authentication 21-13

prompt C-2

prompts

command C-2

more C-5

setting 7-4

protocol numbers and literal values E-11

proxy servers, SIP 20-67

Q

QoS compatibility 1-9

question mark

command string C-4

help C-4

queue, logging

changing the size of 23-15

viewing statistics 23-15

quick start 1-xxix

R

RADIUS

configuring a server 14-9

downloadable access lists 15-10

network access authentication 15-3

network access authorization 15-10

password management 15-6

support 14-4

rapid link failure detection 2-9

RAS H.323 troubleshooting 20-48

RealPlayer 20-64

rebooting

from the FWSM CLI 24-6

from the switch 2-11

redirect (ICMP message) E-15

redirect, ICMP message E-15

Related Documentation 1-xxviii

reloading

contexts 4-25

from the FWSM CLI 24-6

from the switch 2-11

remarks

access lists 10-18

configuration C-5

remote management

ASDM 21-4

SSH 21-2

Telnet 21-1

VPN 21-4

requirements A-1

resetting

from the FWSM CLI 24-6

from the switch 2-11

resource management

assigning a context to a class 4-22

class 4-14

configuring 4-11

default class 4-13

monitoring 4-28

oversubscribing 4-12

overview 4-12

resource types 4-16

unlimited 4-12

resource usage 4-30

RIP

default route updates 8-20

enabling 8-21

overview 8-20

passive 8-20

routed firewall

data flow 5-2

interfaces, configuring 6-2

setting 5-17

router

advertisement, ICMP message E-15

solicitation, ICMP message E-15

router-advertisement (ICMP message) E-15

router-solicitation (ICMP message) E-15

routes

configuring 8-2

generating a default 8-17

logging neighbors 8-18

monitoring OSPF 8-19

summarization 8-17

routing

BGP stub 8-4

OSPF 8-20

other protocols 10-7

RIP 8-21

RSA keys, generating 21-3

RSH connections A-5

RTSP inspection

configuring 20-66

overview 20-64

rules

maximum 10-6

pools for contexts A-7

running configuration

backing up 22-17

clearing 3-5

downloading 22-16

saving 3-3

viewing 3-5

S

same security level communication

configuring 6-5

NAT 12-14

SCCP (Skinny) inspection

Cisco IP Phones, supporting 20-79

configuration 20-79

SDI

configuring 14-9

support 14-5

secure computing smartfilter 16-4

security contexts

adding 4-19

admin context

changing 4-24

overview 4-3

assigning to a resource class 4-22

changing between 4-23

classifier 4-3

command authorization 21-15

configuration

URL, changing 4-25

URL, setting 4-21

logging 23-2

logging in 4-9

managing 4-24

mapped interface name 4-20

monitoring 4-26

MSFC compatibility 1-7

multiple mode, enabling 4-10

overview 4-1

prompt C-2

reloading 4-25

removing 4-24

resource management 4-12

resource usage 4-30

saving all configurations 3-4

unsupported features 4-2

VLAN allocation 4-20

security level

configuring 6-3

overview 6-1

sessioning from the switch 3-1

session management path 1-8

severity levels of system log messages

definition 23-19

list of 23-19

shared interfaces 4-7

shared VLANs 4-7

show command, filtering output C-4

shunning 19-8

single mode

backing up configuration 4-10

configuration 4-11

enabling 4-10

restoring 4-11

SIP inspection

configuring 20-69

instant messaging 20-68

overview 20-68

timeout values, configuring 20-71

troubleshooting 20-74

site-to-site tunnel 21-9

SMTP inspection

configuring 20-85

overview 20-84

SNMP

MIBs 23-20

overview 23-20

traps 23-22

software installation

any partition 22-5

current partition 22-4

maintenance 22-12

source-quench (ICMP message) E-15

source quench, ICMP message E-15

SPAN session 2-2

specifications A-1

SSH

authentication 21-12

concurrent connections 21-2

login 21-3

maximum rules A-7

RSA key 21-3

username 21-4

startup configuration

backing up 22-17

copying to the running configuration 3-5

downloading 22-16

saving 3-3

viewing 3-5

Stateful Failover

overview 13-17

state information passed 13-17

state link 13-3

stateful inspection

bypassing 19-4

overview 1-8

state link

See Stateful Failover

static ARP entry 17-2

static MAC address entry 17-3

static NAT

See NAT

static PAT

See NAT

stealth firewall

See transparent firewall

Stub Multicast Routing 8-26

subnet masks

/bits E-3

address range E-4

dotted decimal E-3

number of hosts E-3

overview E-2

Sun RPC inspection

configuring 20-89

overview 20-89

supervisor engine versions A-2

supervisor IOS A-1

SVIs

configuring 2-7

multiple 2-5

overview 2-5

switch

assigning VLANs to module 2-2

autostate messaging 2-9

BPDU forwarding 2-9

configuration 2-1

failover compatibility with transparent firewall 2-9

failover configuration 2-9

maximum modules A-3

resetting the module 2-11

sessioning to the module 3-1

system requirements A-1

trunk for failover 2-9

verifying module installation 2-2

switched virtual interfaces

See SVIs

Switch Fabric Module A-3

SYN attacks, monitoring 4-32

SYN cookies 4-32

syntax formatting C-3

syslog server

as output destination 23-4

designating 23-4

designating more than one 23-4

EMBLEM format

configuring 23-16

enabling 23-4

system execution space

configuration 4-2

local user database 14-7

login command 21-14

session authentication 21-12

username command 14-7

system log messages

classes 23-13

classes of

list of classes 23-12

configuring in groups

by message list 23-13

creating lists of 23-11

device ID, including 23-15

failover 13-41

filtering

by list 23-13

by message class 23-11

format of 23-19

managing in groups

by message class 23-12

creating a message list 23-11

multiple context mode 23-2

severity levels 23-19

timestamp, including 23-15

variables used in 23-19

system requirements A-1

T

TACACS+

command authorization 21-19

configuring a server 14-9

network access authorization 15-9

support 14-4

TCP

back-to-back connections A-5

connection, deleting A-5

connection limits 19-3

connection limits per context 4-16

ports and literal values E-11

sequence number randomization

disabling using Modular Policy Framework 19-2

sequence randomization 19-1

TCP Intercept

configuring for transparent mode 12-26

monitoring 4-32

TCP state bypass 19-4

Telnet

authentication

enabling 21-12

session from switch 21-12

system execution space 21-12

concurrent connections 21-1

maximum rules A-7

testing configuration 24-1

time-exceeded (ICMP message) E-15

time exceeded, ICMP message E-15

time ranges, access lists 10-18

timestamp

reply, ICMP message E-15

timestamp, including in system log messages 23-15

timestamp-reply (ICMP message) E-15

traffic flow

routed firewall 5-2

transparent firewall 5-12

transparent firewall

ARP inspection

enabling 17-2

overview 17-1

static entry 17-2

data flow 5-12

DHCP packets, allowing 10-7

failover considerations 13-7

guidelines 5-10

H.323 guidelines 5-9

HSRP 5-8

interfaces, configuring 6-3

MAC address timeout 17-3

MAC learning, disabling 17-4

management IP address 6-3

multicast traffic 5-8

overview 5-7

packet handling 10-7

setting 5-17

static MAC address entry 17-3

unsupported features 5-11

VRRP 5-8

transparent mode

NAT 12-4

traps, SNMP 23-22

troubleshooting

capturing packets 24-8

common problems 24-10

configuration 24-1

crash dump 24-10

debug messages 24-8

H.323 20-47

H.323 RAS 20-48

password recovery 24-6

SIP 20-74

tunnels

basic settings, configuring 21-5

site-to-site, configuring 21-9

VPN client access, configuring 21-6

U

UDP

connection limits 19-3

connection limits per context 4-16

connection state information 1-8

ports and literal values E-11

Unicast Reverse Path Forwarding 19-7

unit health monitoring 13-19

unit poll time, configuring

Active/Active 13-29

Active/Standby 13-24

unprivileged mode

accessing 3-2

prompt C-2

unreachable (ICMP message) E-15

upgrading

Catalyst OS 2-1

IOS 2-1

URLs

context configuration, changing 4-25

context configuration, setting 4-21

filtering 16-4

V

viewing logs 23-3

virtual firewalls

See security contexts

virtual HTTP 15-3

virtual SSH 15-3

virtual Telnet 15-3

VLANs

allocating to a context 4-20

assigning to FWSM 2-2

interfaces 2-2

mapped interface name 4-20

maximum A-4

shared 4-7

VoIP

proxy servers 20-67

troubleshooting 20-47

VPN

basic settings 21-5

client tunnel 21-6

management access 21-4

site-to-site tunnel 21-9

transforms 21-6

VRRP 5-8

W

WAN ports A-1

web clients, secure authentication 15-6

X

xlate bypass

configuring 12-18

overview 12-13