Cisco PIX Firewall and VPN Configuration Guide, Version 6.3
Index

A

AAA
  configuring 3-8
  exemption for MAC addresses 3-13
  support for 1-6
  with web clients 3-10
abbreviating commands 1-27
access control
  example 3-14
  features 1-6
  services 3-16
access control lists
  See ACLs
access modes 1-25
ACLs
  applying to object groups 3-27
  comments 3-18
  conversion tool 1-7
  downloading 3-20
  ICMP 2-22
  instead of conduits and outbounds 1-7
  IPSec 6-17
  named 3-21
  TurboACL
    configuring 3-18
    description 1-7
active state, failover 10-3
ActiveX controls
  blocking 1-10
ACT light 10-21
Adaptive Security Algorithm
  See ASA
addresses
  global 2-11
  IP 2-5
  IP classes 2-5
Address Resolution Protocol
  See ARP
address translation
  See NAT
  See PAT
AES 1-16, 6-3
AH
  configuring 6-27
  standard E-1
application inspection
  configuring 5-1 to 5-31
  feature 1-11
ARP
  clearing 2-4
  packet capture, example 9-30
ARP test 10-8
ASA 1-3, 5-1
attacks
  protection from 1-8
authenticating web clients 3-10
authentication, accounting, and authorization
  See AAA
Authentication Header
  See AH
Auto-Update
  configuring 9-25 to 9-27
  description 1-22

B

backing up configurations 1-27
Baltimore Technologies
  CA server support 6-9
blocking
  ActiveX controls 1-10
  Java applets 1-10
boot diskette
  creating 11-12
Broadcast Ping test 10-8
broadcasts
  See multicasts
buffer usage
  SNMP 9-42

C

CA
  configuring in-house 7-13
  configuring VeriSign 7-7
  CRLs and 6-9
  defined 1-16
  public key cryptography 6-8
  revoked certificates 6-9
  supported servers 6-9
  validating signature 6-8
cable-based failover
  See failover
capturing packets
  feature 1-22
  procedure 9-27
CBC E-2
certificate enrollment protocol 6-9
Certificate Revocation Lists
  See CRLs
certification authority
  See CA
CHAP 8-20
Cipher Block Chaining
  See CBC
Cisco Catalyst 6500 VPN Service Module 7-25
Cisco Intrusion Detection System
  See IDS
Cisco IOS CLI 1-25
Cisco IP Phones
  AAA exemption 3-13
  application inspection 5-20
  with DHCP 4-19
Cisco Secure Intrusion Detection System
  See IDS
Cisco Secure VPN Client
  configuring B-16 to B-20
  using with Telnet 9-19
Cisco VPN 3000 Client
  configuring 8-19
  downloading network parameters to 8-8
Cisco Works for Windows 9-45
CLI
  abbreviating commands 1-27
  configuration mode 1-26
  editing with 1-27
  paging 1-29
  using PIX Firewall 1-25
client mode
  configuring 4-4
  description 4-3
clients
  Cisco Secure VPN Client B-19
  Cisco VPN 3000 Client 8-19
  Easy VPN Remote device 4-1
  Windows 2000 B-11
clock, system 9-15
Command Authorization 9-5 to 9-7
  caution when using 9-6
  description 1-21
  recovering from lockout 9-9
command line interface
  See CLI
commands
  command line editing 1-28
  command output paging 1-29
  configuring privilege levels 9-2 to 9-3
  creating comments 1-29
  displaying 1-29
commenting
  ACLs 3-18
compiling MIBs 9-45
Computer Telephony Interface Quick Buffer Encoding
  See CTIQBE
conduits
  converting to ACLs 1-8
  defined 1-8
  using ACLs instead 1-8
Configurable Proxy Pinging
  description 1-11
configuration examples
  See examples
configuration file, failover
  See failover
configuration mode 1-26
configurations 1-29
  backing up 1-27
  comments 1-29
  copying with HTTP 11-5
  maximum size 1-29
  saving 2-3, 2-24
connection states 1-4
connectivity
  inbound 3-2
  outbound 3-4
  testing 2-22
conversion tool
  conduits to ACLs 1-7
copying
  configurations 11-5
  software 11-5
CPU utilization
  SNMP 9-42
CRLs
  time restrictions 6-9
crypto maps
  applying to interfaces 6-17
  entries 6-15
  load sharing 6-28
  See also dynamic crypto maps
CTIQBE 1-12, 5-14
CU-SeeMe application inspection 5-15
cut-through proxy 1-6

D

database application inspection 5-27
Data Encryption Standard
  See DES
debug failover command 10-21
debugging
  IPSec B-15
  SMR 2-47
default configurations 1-30
default routes 2-3
demilitarized zone
  See DMZ
denial of service attacks
  protection from 1-9
DES
  description E-2
  IKE policy keywords (table) 6-3
DHCP clients
  configuration 4-21 to 4-22
  default route 4-21
  described 1-20
  PAT global address 4-21
DHCP leases
  renewing 4-22
  viewing 4-22
DHCP Relay 1-20, 4-20
DHCP servers 1-19, 4-15
  configuring 4-17
  with Cisco IP Phones 4-19
Diffie-Hellman
  defined E-2
  groups supported 6-3
directory application inspection 5-27
DMZ
  configuration example 2-29
DNS
  application inspection 5-6
  inbound access 3-4
  protection from attacks 1-10
downgrading software 11-13
downloading
  ACLs 3-20
  IP addresses to VPN Clients 8-7
  network parameters to Cisco VPN 3000 Client 8-8
dynamic crypto maps
  adding to crypto maps 6-23
  entries 6-23
  referencing 6-23
  See also crypto maps 6-24
  sets 6-23
Dynamic Host Configuration Protocol
  See DHCP clients
  See DHCP leases
  See DHCP servers
dynamic NAT 2-8
dynamic PAT 2-8

E

Easy VPN Remote device
  configuring 4-1 to 4-5
  described 1-18
Easy VPN Server 8-1 to 8-6
  described 1-18
  identifying 4-4
  load balancing 1-18
  using PIX Firewall with 4-2, 8-3
editing command lines 1-28
EIGRP
  not supported B-2
Encapsulating Security Payload
  See ESP
Enhanced Interior Gateway Routing Protocol
  See EIGRP
Entrust VPN Connector CA 7-14
ESP
  configuring 6-28
  standard E-2
examples
  access control 3-14
  Cisco Catalyst 6500 VPN Service Module 7-25
  crypto maps 6-18
  IKE Mode Config B-16
  IPSec with manual keys 7-35
  OSPF 2-17
  outside NAT 2-38
  outside NAT with overlapping networks 2-39
  packet capture 9-30
  port redirection 3-6
  pre-shared keys 7-2
  RADIUS authorization 8-8
  three interfaces with NAT and PAT 2-31
  three interfaces without NAT 2-29
  two interfaces with NAT and PAT 2-27
  two interfaces without NAT 2-25
  VeriSign CA 7-7
  VLANs 2-35
  VPN with manual keys 7-35
  wildcard pre-shared key B-16
  Windows 2000 VPN client B-12
  Xauth B-16
Extended Authentication
  See Xauth

F

factory defaults
  See default configurations 1-30
failover
  active state 10-3
  cable-based 10-9
  changing from cable to LAN-based 10-12
  changing from LAN to cable-based 10-20
  configuration file
    console messages 10-7
    Flash memory 10-6
    LAN-based differences 10-6
    replication 10-6
    running memory 10-6
  debugging 10-21
  disabling 10-20
  display 10-17
  enabling 10-11
  encrypting communications 10-15
  Ethernet failover cable 10-5
  Ethernet interface settings 10-9
  examples 10-24
  FAQs 10-21
  forcing 10-20
  interface tests 10-7
  IP addresses 10-3
  LAN-based 10-11
  link communications 10-4
  MAC addresses 10-6
  models, supported 10-2
  models supporting 1-24
  network connections 10-4
  network tests 10-8
  power loss 10-7
  prerequisites 10-8
  primary unit 10-6
  secondary unit 10-6
  serial cable 10-5
  software versions 10-2
  standby state 10-3
  Stateful Failover 10-3
    identifying the link 10-11
    overview 10-3
    state information 10-3
    state link requirements 10-5
  statistics 10-19
  switch configuration 10-8
  syslog messages 10-21
  syslog messages, SNMP 9-42
  system requirements 10-2
  testing 10-19
  triggers 10-7
  verifying 10-17
File Transfer Protocol
  See FTP
filtering
  ActiveX controls 1-10
  FTP 3-34
  HTTPS 3-34
  Java applets 1-10
  servers supported 1-10
  show command output 1-28
  URLs 1-10
fixup
  See application inspection
Flood Defender 1-9
Flood Guard 1-9
FO license 10-2
FragGuard 1-10
FTP
  application inspection 5-7
  downloading software using 11-8
  filtering 3-34
  logging 1-23
  packet capture, example 9-30
  redirecting 3-7
  secondary ports 1-12
full duplex 2-6

G

gateway addresses 2-12
generating RSA keys 6-10
global addresses
  specifying 2-11
global lifetimes
  changing 6-19
Group 5
  Diffie Hellman 6-3

H

H.245 tunneling 5-16
H.323 5-10, 5-16
  changing default port assignments 5-7
hardware clients
  See Easy VPN Remote device
  using in SOHO networks 4-3
hardware speed
  requirements for Stateful Failover 2-6
help, command line 1-30
home offices
  See SOHO networks
HTTP
  application inspection 5-9
  copying configurations 11-5
  copying software 11-5
  filtering 1-10, 3-34
  filtering HTTPS 3-34
  packet capture, example 9-30
  redirecting 3-7
  server access 3-1
Hypertext Transfer Protocol
  See HTTP

I

IANA URL D-5
ICMP
  application inspection 5-9, 5-31
  Configurable Proxy Pinging 1-11
  configuring object groups 3-29
  message reassembly 1-10
  testing connectivity 2-21
  testing default routes 2-24
ICMP-type object groups
  configuring 3-29
IDS
  support for 1-23
  using 9-39 to 9-41
IGMP
  support for 1-14
IKE
  benefits 6-2
  creating policies 6-4
  description 1-16
  disabling 6-6
  policy parameters 6-3
  policy priority numbers 6-4
  using with pre-shared keys 6-6
  Xauth 8-5, 8-6, 8-17, B-17
IKE Mode Config
  exceptions for security gateways B-21
  standard E-2
IKE Mode Configuration
  See IKE Mode Config
ILS
  application inspection 5-28
  feature 1-14
IM 5-24
images, software
  See also software images
  upgrading 1-24, 11-5 to 11-16
inbound connectivity 3-2
Individual user authentication
  See IUA
in-house CA, configuring 7-13
Instant Messaging
  See IM
interfaces
  assigning names 2-5
  changing names 2-6
  configuring 2-4
  global address 2-11
  logical 2-34
  perimeter 2-10
  security levels and 1-4
  speed 2-6
Internet Group Management Protocol
  See IGMP
Internet Key Exchange
  See IKE
Internet Locator Service
  See ILS
Internet Security Association and Key Management Protocol
  See ISAKMP
Intrusion Detection System
  See IDS
IOS
  See Cisco IOS CLI
IP
  datagrams B-9
  viewing configuration 2-5
IP addresses
  configuring
    address, IP addresses 2-5
IP Phones
  See Cisco IP Phones
IPSec
  ACLs 6-17
  clearing SAs 6-29
  configuring 6-13
  crypto map entries 6-15
  crypto map load sharing 6-28
  defined 1-15
  enabling debug B-15
  manual 6-19
  manual SAs using pre-shared keys 6-15
  modes B-9
  proxies B-9
  viewing configuration 6-29
  viewing information 6-29
IP Security Protocol
  See IPSec
IP spoofing
  protection from 1-9
ISAKMP E-2
IUA
  described 1-18
  Easy VPN Remote device 4-8
  enabled on Easy VPN Server 8-4

J

Java applets
  filtering 1-10, 3-31

L

L2TP
  configuring B-10
  configuring Windows 2000 client B-11, B-14
  description B-9
  transport mode B-10
LAN-based failover
  See failover
LAN-to-LAN VPNs
  See site-to-site VPNs
Layer 2 Tunneling Protocol
  See L2TP B-9
LDAP
  application inspection 5-28
  ILS 1-14
lease
  releasing DHCP 4-22
  renewing DHCP 4-22
licenses, software
  See also UR licenses
  upgrading 1-24, 11-2 to 11-5
Link Up/Down test 10-7
link up and link down, SNMP 9-42
load sharing with crypto maps 6-28
LOCAL database
  Command Authorization with 9-6
  user authentication to the PIX Firewall with 9-3
lockout
  recovering from 9-9
logging
  ACL activity 9-35
  FTP 1-23
  Syslog 9-33
  URLs 1-23
logical interfaces 2-34

M

MAC addresses, failover 10-6
MAC-based AAA exemption 3-13
manual configuration of SAs 6-26
MD5 6-3
  description E-1, E-2
  IKE policy keywords (table) 6-3
Message Digest 5
  See MD5
MIBs 9-41
  MIB II groups 9-41
  updating file 9-45
Microsoft Challenge Handshake Authentication Protocol
  See MS-CHAP
Microsoft Exchange
  configuring C-1
Microsoft Remote Procedure Call
  See MSRPC
Microsoft Windows 2000 CA
  supported 6-9, 7-14
modes
  See access modes
monitor mode
  description 1-26
  using 11-9
More prompt 1-29
MS-CHAP 8-20
MSRPC
  See also RPC
multicasts
  forwarding 2-46
  receiving 2-44
  support for 1-14
multimedia applications
  supported 1-13, D-6
multiple interfaces
  configuring, example of 2-29
  security levels with 1-4

N

N2H2 filtering server
  identifying 3-32
  supported 1-10
  URL for website 1-10
named ACLs
  downloading 3-21
NAT
  application inspection 1-11
  configuring 2-9
  description 1-5
  dynamic 2-8
  function 2-7
  outside 2-37, 2-38
  overlapping networks 2-39
  policy 2-40
  RCP not supported with 5-29
  RTSP not supported with 1-14
  server access 3-1
  static 2-8
  three interfaces 2-31
  two interfaces (figure) 2-27
NAT Traversal 6-25
nesting object groups 3-29
NetBIOS
  support for 1-14
netmask
  See subnet mask
Netshow
  application inspection 5-25
Network Activity test 10-8
Network Address Translation
  See NAT
network extension mode
  configuring 4-4
  description 4-3
Network File System
  See NFS
network object groups
  configuring 3-28
Network Time Protocol
  See NTP
NFS
  access 5-29
  application inspection 5-29
  testing with showmount 5-29
NT
  See Windows NT
NTP
  configuring 9-11 to 9-15
  feature 1-22

O

Oakley key exchange protocol E-2
object groups
  applying ACLs to 3-27
  configuring 3-24 to 3-30
  feature 1-8
  ICMP-type 3-29
  nesting 3-29
  network 3-28
  port 3-28
  protocols 3-28
  removing 3-30
  service 3-28
  subcommand mode 3-25
  verifying 3-27
OSPF 2-14 to 2-21
outbound connectivity 3-4
outside NAT
  configuring 2-37 to 2-40
  example 2-38
overlapping networks
  configuring 2-39
  example 2-39

P

packet capture
  configuring 9-27 to 9-31
  feature 1-22
  formats (table) 9-29
  viewing buffer 9-28
paging screen displays 1-29
PAP
  supported 8-20
Password Authentication Protocol
  See PAP
PAT
  addresses 2-11
  application inspection 1-11
  configuring 2-9
  DHCP clients and 4-21
  dynamic 2-8
  function 2-3, 2-7
  RTSP 5-26
  server access 3-1
  static 2-8
  three interfaces 2-31
  two interfaces 2-27
PCNFSD, tracking activity 5-29
perimeter interfaces 2-10
perimeter networks
  See DMZ
per-user access lists 1-7
PFSS
  executable file 11-7
phases, of IPSec 1-16
ping
  See ICMP
PIX 501
  DHCP client configuration 4-21
  DHCP client feature support 1-20
  failover not supported 1-24
  using as Easy VPN Remote device 4-2, 8-3
PIX 506/506E
  DHCP client configuration 4-21
  DHCP client feature support 1-20
  failover not supported 1-24
  using as Easy VPN Remote device 4-2, 8-3
PIX 520
  backing up configuration 1-27
PIX Firewall Syslog Server
  See PFSS
PIX Firewall VPN Client 4-3
  See Easy VPN Remote device
PKCS E-3
PKI protocol 6-9
Point-to-Point Tunneling Protocol
  See PPTP
policy NAT 2-40
Port Address Translation
  See PAT 1-32, 2-11
PORT command, FTP 5-7
port redirection 3-5
ports
  object groups 3-28
PPPoE
  configuring 4-11 to 4-15
  description 1-19
  packet capture, example 9-31
PPTP
  inbound access 3-4
  VPNs 8-20
pre-shared keys
  configuring 7-1
  description 1-16
  example 7-2
  using with IKE 6-6
primary Easy VPN Server 4-4
primary unit, failover 10-6
Private Certificate Services (PCS) 7-14
privilege levels
  configuring 9-2 to 9-3
  description 1-21
  viewing 9-5
protocols
  object groups 3-28
  packet capture formats (table) 9-29
  port numbers D-5
  supported 1-11
proxy servers
  SIP and 5-23
public key cryptography 6-8
Public-Key Cryptography Standard
  See PKCS
Public Key Infrastructure Protocol
  See PKI protocol

R

RADIUS
  configuring 3-9
  support for 1-6
  viewing user accounts for Command Authorization 9-5
  VPN example 8-8
  Xauth 8-5
RAS
  support for 1-13
Real Time Streaming Protocol
  See RTSP
recovering from lockout 9-9
redirecting service requests 3-5
redundancy
  See failover
Registration, Admission, and Status
  See RAS
Registration Authority
  description 6-9
releasing DHCP lease 4-22
remote access VPN
  configuring 8-1 to 8-21
  description 1-18
Remote Authentication Dial-In User Server
  See RADIUS
Remote Procedure Call
  See RPC
renewing DHCP lease 4-22
reverse route lookup
  See Unicast RPF
revoked certificates 6-9
RFC 2637 8-20
RIP
  PIX Firewall listening 2-12
  support for 1-6
routing
  default routes 2-3
  enabling SMR 2-43
  simplifying with outside NAT 2-38
  static routes 2-12
Routing Information Protocol
  See RIP
RPC
  application inspection 5-29
  Sun 5-29
  testing with rpcinfo 5-29
  See also MSRPC
RS-232 cable
  See failover 10-5
RSA keys
  described E-3
  generating 6-10
RSA signatures
  IKE authentication method 6-8, E-2
RTSP
  changing default port assignments 5-26
  restrictions 5-26
  support for 1-14

S

SAs
  clearing IPSec 6-29
  description 1-16
  establishing manual with pre-shared keys 6-15
  lifetimes 6-19
saving configurations 2-3, 2-24
  Command Authorization (caution) 9-6
  upgrading versions (caution) 11-1
SCCP
  support for 1-13
secondary Easy VPN Server 4-4
secondary unit, failover 10-6
Secure Hash Algorithm
  See SHA
Secure Shell
  See SSH
Secure unit authentication
  See SUA
security associations
  See SAs
security gateways
  exceptions to IKE Mode Config B-21
  exception to Xauth B-21
security levels 1-4
  interfaces 2-6
  values 2-7
serial cable
  See failover
server access 3-1
services
  access control 3-16
  object groups 3-28
Session Initiation Protocol
  See SIP
SHA
  IKE policy keywords (table) 6-3
show command
  filtering output 1-28
show commands 6-29
show failover command 10-17
showmount command
  application inspection with 5-29
Simple Client Control Protocol
  See SCCP
Simple Mail Transfer Protocol
  See SMTP
Simple Network Management Protocol
  See SNMP
SIP 1-13, 5-22
  application inspection 5-22
site-to-site VPNs
  description 1-17
  examples 7-1 to 7-38
  exception to IKE Mode Config B-21
  exception to Xauth B-21
  redundancy 6-25
  See also VPNs
Skeme key exchange protocol E-2
Skinny Client Control Protocol
  See SCCP
small office, home office networks
  See SOHO networks
SMR
  description 1-14
  enabling 2-43
SMTP
  application inspection 5-11
  protection from attacks 1-9
sniffing packets
  See packet capture
SNMP
  Cisco syslog MIB 9-45
  read-only (RO) values 9-41
  SNMPc (Cisco Works for Windows) 9-45
  support for 1-22
  traps 9-41
  using 9-41 to 9-51
software
  copying with HTTP 11-5
  downgrading 11-13
  downloading 11-6
  downloading with FTP 11-8
  downloading with HTTP 11-7
  upgrading system 1-24
SOHO networks
  configuring 4-1 to 4-22
  features 1-19
SSH 9-21 to 9-25
standby state, failover 10-3
Stateful Failover 1-3
  See failover
state information 1-4, 10-3
state link 10-5
static
  NAT for server access 3-1
  translation 1-5
static NAT
  description 2-8
static PAT
  description 2-8
static routes
  configuring 2-13
stub multicast routing
  See SMR
SUA
  described 1-18
  Easy VPN Remote device 4-6
subcommand mode 1-26
subnet masks D-8
  configuring 2-5
subnets 2-11
Sun RPC 5-29
switch configuration, failover 10-8
SYN packet attack
  protection from 1-9
syslog
  Cisco MIB 9-45
  MIB files 9-45
  SNMP 9-42
  SNMP traps 9-44
  support for 1-23
system clock 9-15
system recovery 11-12

T

TACACS+
  caution when using with Command Authorization 9-8
  inbound access 3-4
  using with Command Authorization 9-8
  viewing user accounts for Command Authorization 9-5
  Xauth 8-5
TCP
  Intercept feature 1-9
Telephony API
  See CTIQBE
Telnet
  configuring 9-16 to 9-21
  interfaces 1-22
  outside interfaces 9-18
  redirecting 3-7
Terminal Access Controller Access Control System Plus
  See TACACS+
testing connectivity 2-3, 2-22
TFTP servers
  downloading with HTTP 11-7
  using to download software 1-24
time, setting system 9-15
tools
  conversion for conduits to ACLs 1-8
Trace Channel
  description 9-21
  disadvantages (note) 9-21
transform sets
  configuring 6-26
  description 6-15
transport mode
  description B-9
traps, SNMP 9-41
Triple DES
  description E-2
  IKE policy keyword (table) 6-3
Trivial File Transfer Protocol servers
  See TFTP servers
troubleshooting
  connectivity 2-3, 2-22
  license upgrades 11-4
  See also packet capture
tunnel mode B-9
TurboACL 1-7, 3-18
  configuring 3-18 to 3-20
  viewing configuration 3-20

U

UDP
  connection state information 1-4
Unicast Reverse Path Forwarding
  See Unicast RPF
Unicast RPF 1-9
UniCERT Certificate Management System
  configuring, example 7-14
  supported 6-9
Universal Resource Locators
  See URLs
unprivileged mode 1-25
upgrading
  feature licenses 1-24
  image 11-6 to 11-16
  images 1-24
UR license 10-2
URLs
  filtering 1-10
  filtering, configuration 3-39
  logging 1-23
user authentication
  See also Xauth
  to the PIX Firewall 9-3
User Datagram Protocol
  See UDP

V

validating CAs 6-8
VDO LIVE 5-27
VeriSign
  CA 7-7
  CA example 7-7
  configuring CAs, example 6-9
video conferencing applications, supported D-6
viewing
  Command Authorization settings 9-7
  default configurations 1-30
  IPSec configuration 6-29
  NTP 9-12
  privilege levels 9-5
  RMS 9-26
  SMR configuration 2-47
  SSH 9-24
  user accounts for Command Authorization 9-5
Virtual Private Networks
  See VPNs
Virtual Re-assembly 1-10
VLANs
  configuration 2-33 to 2-37
  defined 1-8
Voice over IP
  See VoIP
VOIP
  SCCP 1-13
VoIP
  application inspection 5-14, 5-23
  gateways and gatekeepers 5-16
  proxy servers 5-23
  SIP
    description 1-13
VPN clients
  Easy VPN Remote device 4-1
  modes 4-3
  SOHO networks and 4-1
VPNs
  configuration examples 7-35
  Easy VPN Remote device in 4-1
  overview 1-15 to 1-18
  peer identity 6-7
  PPTP 8-20
  remote access 8-1 to 8-21
  site-to-site 1-17, 7-1 to 7-38
  split tunnel 8-7, 8-9
  Windows 2000 client B-11
VPN Service Module 7-25

W

web clients
  secure authentication 3-10
Websense filtering server 1-10
web server access 3-1
Windows 2000 VPN client
  configuring B-11
write standby command 10-7

X

X.509v3 certificates E-3
Xauth
  configuring 8-5, 8-6
  configuring Cisco VPN client, example B-17
  enabling 8-17
  exception for security gateways B-21
  IKE 8-5, E-2
X Display Manager Control Protocol
  See XDMCP
XDMCP
  application inspection 5-31
  support for 1-23