Security Guide vA4(1.0) and A4(2.0), Cisco ACE 4700 Series Application Control Engine Appliance - Index [Cisco ACE 4700 Series Application Control Engine Appliances]

Table Of Contents

A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - W -

Index

A

AAA

accounting configuration, displaying 2-50

accounting log information, displaying 2-50

accounting method, defining default 2-45

authentication configuration, displaying 2-53

groups, displaying 2-47

LDAP server, configuring for 2-34

LDAP server configuration, displaying 2-49

local and remote support 2-3

login authentication method, defining 2-43

overview 2-2

quick start 2-8

RADIUS server, configuring for 2-23

RADIUS server configuration, displaying 2-47

server, adding 2-22

server groups, configuring 2-36

status and statistics 2-46

TACACS+ server, configuring for 2-29

TACACS+ server configuration, displaying 2-48

user accounts, creating 2-21

accounting

configuration, displaying 2-50

default method, defining 2-45

log information, displaying 2-50

RADIUS server accounting settings, configuring 2-15

TACACS+ server accounting settings, configuring 2-11

ACLs

alternate address, ICMP message 1-15

BPDU 1-18

clearing statistics 1-44

comments in extended ACLs 1-17

configuration information, displaying 1-42

dynamic NAT 5-11

EtherType, configuring 1-18

EtherType examples 1-41

expanded 1-4

extended, configuring 1-6

extended examples 1-33

guidelines 1-3

ICMP 1-7

implicit deny 1-4

inbound 1-34

IP extended ACL 1-7

IPs with NAT 1-37

maximum entries 1-4

merged 1-2

object groups1-20to 1-30

order of entries 1-3

outbound 1-34

overview 1-2

quick start 1-5

resequencing entries 1-20

static NAT 5-24, 5-34

statistics, displaying 1-42

types 1-3

application protocol inspection

class map overview 3-6

configuration examples 3-126, 3-128, 3-129

DNS 3-9, 3-102

FTP 3-10, 3-102

HTTP 3-12, 3-103

ICMP 3-15, 3-103

ILS 3-5, 3-16, 3-102, 3-104

Layer 3 and 4 HTTP parameter map 3-109

Layer 3 and 4 quick start 3-29

Layer 3 and 4 traffic policy configuration 3-90

Layer 7 FTP command inspection class map 3-31

Layer 7 FTP command inspection configuration 3-30

Layer 7 FTP command inspection quick start 3-23

Layer 7 HTTP deep packet inspection class map 3-39

Layer 7 HTTP deep packet inspection configuration 3-38

Layer 7 HTTP deep packet inspection policy map 3-63

Layer 7 HTTP deep packet inspection quick start 3-25

limitations 3-3

NAT and PAT support 3-3

overview 3-2

policy map overview 3-6

process flow diagram 3-8

protocol inspection overview 3-2

RTSP 3-18, 3-104

SCCP 3-6, 3-19, 3-70, 3-97, 3-102, 3-104, 3-112

service policy, defining 3-124

service policy, displaying 3-130

SIP 3-6, 3-19, 3-73, 3-97, 3-102, 3-104, 3-116

standards 3-3

statistics 3-130

supported protocols 3-3

authentication

configuration, displaying 2-53

local and remote support 2-3

local database 2-5

login method, defining 2-43

overview 2-7

RADIUS server authentication settings, configuring 2-14

TACACS+ server accounting settings, configuring 2-10

B

bandwidth rate limiting 4-8

BPDU, in ACL 1-18

buffer size

for connection parameter map 4-9

receive or transmit data for each TCP connection 4-10

C

class map

associating with Layer 7 policy map 3-37

associating with policy map 3-67, 3-99

description, entering 3-106, 3-113, 3-118, 4-8

dynamic NAT 5-15

Layer 3 and 4 access list match criteria 3-95

Layer 3 and 4 class map, associating with policy map 4-32

Layer 3 and 4 class map, creating 3-92

Layer 3 and 4 description 3-94

Layer 3 and 4 port range criteria 3-96

Layer 4, creating 4-26

Layer 4 description 4-28

Layer 4 IP address criteria 4-28

Layer 4 port number criteria 4-29

Layer 7 FTP command inspection, configuring 3-31

Layer 7 FTP command inspection description 3-32

Layer 7 FTP request methods 3-33

Layer 7 HTTP deep packet inspection, configuring 3-40

Layer 7 HTTP deep packet inspection description 3-42

overview in application protocol inspection process 3-6

static NAT 5-29, 5-35

configurational examples

application protocol inspection 3-129

FTP 3-128

HTTP 3-126

TCP/IP normalization 4-49

connection parameter map

action for segment overrun 4-12

associating with policy map 4-33

buffer size setting 4-9

configuring for TCP/IP normalization 4-5

creating for TCP/IP, UDP, and ICMP 4-7

embryonic connection timeout 4-15

half-closed connection timeout 4-15

inactive connection timeout 4-17

Nagle's algorithm 4-13

random TCP sequence numbers 4-13

reserved bit handling 4-14

segment size setting 4-10

slow start algorithm 4-20

TCP options, handling 4-21

TCP SYN retries, limiting 4-12

TCP SYN segments with data, handling 4-21

type of service 4-26

urgent pointer policy 4-25

connections

clearing 4-66

embryonic, handling timeout of 4-15

half-closed, handling timeout of 4-15

inactive, handling timeout of 4-17

rate limiting 4-8

statistics, clearing 4-66

content type verification

HTTP message 3-66

D

DDoS 4-37

dead-time

RADIUS server group setting 2-40

RADIUS server setting 2-27

TACACS+ server group setting 2-39

TACACS+ server setting 2-32

denial of service. See DoS

destination NAT 5-2, 5-6, 5-7, 5-29, 5-32, 5-39, 5-47

distributed denial of service. See DDoS

DNS 3-102

application protocol inspection, configuring 3-102

application protocol support 3-3

configuration example 3-129

inspection overview 3-9

Don't Fragment bit, handling 4-40

DoS protection, SYN cookie 4-37

dynamic NAT

See NAT

E

embryonic connection, handling timeout of 4-15

EtherType ACL

configuring 1-18

examples 1-41

extended ACL

comments in 1-17

configuring 1-6

examples 1-33

F

fixups

See application protocol inspection

fragment reassembly parameters

See IP fragment reassembly parameters

FTP

application protocol support 3-3, 3-4

associating class map with policy map 3-37

class map 3-31

configuration examples 3-128

inline match commands in policy map 3-35

inspection overview 3-10

Layer 3 and 4 FTP application protocol inspection, configuring 3-102

Layer 7 FTP command inspection, configuring 3-30

passive with source NAT 5-16

policy actions 3-37

policy map 3-34

request methods, defining for command inspection 3-33

strict 3-11, 3-102

G

global addresses, guidelines for NAT 5-7

H

header value string expressions 3-51

HTTP

application protocol support 3-4

associating class map with policy map 3-67

class map 3-39

configuration examples 3-126

content length, defining 3-43

content match criteria, defining 3-42

content type verification match criteria, defining 3-66

header for inspection 3-48

header value string expressions 3-51

HTTP/1/1 header fields, supported 3-49

inline match commands in policy map 3-65

inspection overview 3-12

internal compliance checks 3-67

Layer 3 and 4 HTTP application protocol inspection, configuring 3-103

Layer 7 HTTP deep packet inspection, configuring 3-38

Layer 7 HTTP deep packet inspection policy map 3-63

maximum header length for inspection 3-52

MIME type for inspection 3-53

parameter map 3-109

policy actions 3-68

policy map 3-63

request method for inspection 3-57

restricted category, defining (port misuse) 3-56

statistics from inspection 3-130

strict HTTP match criteria, defining 3-67

transfer encoding type for inspection 3-59

URL for inspection 3-60

URL length for inspection 3-62

HTTP/1/1 header fields, supported 3-49

I

ICMP

ACL 1-7

application protocol inspection, configuring 3-103

application protocol support 3-4, 3-5

conversion-error, ICMP message 1-15

echo, ICMP message 1-15

echo reply, ICMP message 1-14

information reply, ICMP message 1-15

information request, ICMP message 1-15

inspection overview 3-15

mask reply, ICMP message 1-15

mask request, ICMP message 1-15

mobile redirect, ICMP message 1-15

NAT of ICMP error messages 3-104

parameter-problem, ICMP message 1-15

redirect, ICMP message 1-14, 1-15

router-advertisement, ICMP message 1-15

router-solicitation, ICMP message 1-15

security, disabling 4-36

source quench, ICMP message 1-14

time-exceeded, ICMP message 1-15

timestamp-reply, ICMP message 1-15

timestamp-request, ICMP message 1-15

traceroute, ICMP message 1-15

types 1-14

unreachable, ICMP message 1-14

ILS inspection 3-5, 3-16, 3-102, 3-104

implicit PAT 5-2

inbound ACLs 1-34

inline match commands

content type verification for HTTP inspection 3-66

in Layer 7 FTP command inspection policy map 3-35

in Layer 7 HTTP deep packet inspection policy map 3-65

strict HTTP for HTTP inspection 3-67

inspection engines

See application protocol inspection

Internet Locator Service. See ILS

IP

ACL 1-7

address pool, for dynamic NAT 5-12, 5-24

for ACL with NAT 1-37

normalization, overview 4-3

options, handling 4-41

IP fragment reassembly parameters

configurational example 4-49

configuring 4-43

maximum fragment size setting 4-46

maximum fragments setting 4-45

MTU setting 4-45

quick start 4-43

reassembly timeout setting 4-46

L

Layer 3 and 4 application protocol inspection, configuring

associating class map with policy map 3-99

class map 3-92

policy actions 3-101

policy map 3-98

LDAP server

ACE configuration 2-34

configuration, displaying 2-49

configuration overview 2-18

directory server overview 2-6

parameters, setting 2-34

port, setting 2-35

search filter configuration 2-42

server group, creating 2-37

timeout, setting 2-36

user profile attribute type configuration 2-40

virtualization attributes, defining 2-12, 2-16, 2-19

local database authentication 2-5

login authentication method, defining 2-43

M

merged ACLs 1-2

MIME type, supported for HTTP inspection 3-53

MPLS, in ACL 1-18, 1-19

MTU

in IP fragment reassembly configuration 4-45

N

Nagle's algorithm 4-13

NAT

ACL configuration, dynamic 5-11

ACL configuration, static 5-24, 5-34

application protocol inspection support 3-3

as policy map action, dynamic 5-17

as policy map action, static 5-28, 5-37

class map configuration, dynamic 5-15

class map configuration, static 5-29, 5-35

destination 5-2, 5-6, 5-7, 5-29, 5-32, 5-39, 5-47

dynamic NAT, overview 5-3

dynamic NAT and PAT, configuring 5-8

dynamic PAT, overview 5-4

global address guidelines 5-7

global IP address pool 5-12, 5-24

idle timeout, configuring 5-8

IPs in ACLs 1-37

maximum number of statements 5-7

overview 5-1

policy map configuration, dynamic 5-16

policy map configuration, static 5-30, 5-36

quick start, dynamic NAT and PAT 5-9

quick start, static NAT 5-20, 5-32

service policy, global dynamic 5-19

service policy, local dynamic 5-18

service policy, static 5-31, 5-39

source 5-2, 5-3, 5-4, 5-8

static NAT, overview 5-6

static NAT and port redirection, configuring 5-32

static port redirection 5-7

network address translation

See NAT

normalization parameters

configuring 4-34

Don't Fragment bit, handling 4-40

ICMP security, disabling 4-36

IP options, handling 4-41

normalization send-reset, enabling 4-36

packet TTL setting 4-41

TCP normalization, disabling 4-34

unicast reverse-path forwarding, configuring 4-42

O

object groups

expanded 1-4

network 1-9

overview 1-21

service 1-14

order of ACL entries 1-3

outbound ACLs 1-34

P

packet TTL setting 4-41

parameter map

associating with Layer 3 and 4 policy map 3-108, 3-111, 3-115, 3-124

case sensitivity, disabling 3-109

configuring for Layer 3 and 4 HTTP inspection 3-109

maximum content bytes setting 3-110

maximum header bytes setting 3-110

passive FTP with source NAT 5-16

PAT

configuring 5-8

implicit 5-2

overview 5-4

policy map

actions, defining 3-37, 3-68, 3-101

associating with connection parameter map 4-33

dynamic NAT 5-16

dynamic NAT as policy map action 5-17

Layer 3 and 4, associating with class map 3-99

Layer 3 and 4, associating with parameter map 3-108, 3-111, 3-115, 3-124

Layer 3 and 4, associating with service policy 4-33

Layer 3 and 4, configuring HTTP parameter map 3-109

Layer 3 and 4, creating 3-98, 4-31

Layer 3 and 4, defining 3-98

Layer 3 and 4, description 3-99

Layer 3 and 4 policy map, associating with class map 4-32

Layer 7 FTP command inspection, adding description 3-35

Layer 7 FTP command inspection, associating with class map 3-37

Layer 7 FTP command inspection, creating 3-34

Layer 7 FTP command inspection, defining 3-34

Layer 7 FTP command inspection, inline match commands 3-35

Layer 7 HTTP deep packet inspection, adding description 3-64

Layer 7 HTTP deep packet inspection, associating with class map 3-67

Layer 7 HTTP deep packet inspection, creating 3-63

Layer 7 HTTP deep packet inspection, inline match commands 3-65

overview in application protocol inspection process 3-6

static NAT 5-30, 5-36

static NAT as policy map action 5-28, 5-37

port

for LDAP server 2-35

number or range for Layer 3 and 4 application protocol inspection 3-96

port redirection, configuring 5-32

port redirection

configuring 5-32

overview 5-7

preshared key

RADIUS, setting for 2-27

TACACS+, setting for 2-31

Q

quick start

AAA configuration 2-8

ACL configuration 1-5

dynamic NAT and PAT configuration 5-9

IP fragment reassembly configuration 4-43

Layer 3 and 4 application protocol inspection 3-29

Layer 7 FTP command inspection 3-23

Layer 7 HTTP deep packet inspection 3-25

static NAT configuration 5-20, 5-32

TCP/IP normalization 4-3

R

RADIUS server

ACE configuration 2-23

adding 2-22

authentication settings, configuring 2-14

configuration, displaying 2-47

dead-time setting 2-27

global preshared key setting 2-27

NAS-IP-Address attribute setting 2-26

number of retransmissions, setting 2-28

parameters, setting 2-23

server accounting settings, configuring 2-15

server group, creating 2-37

server group dead-time setting 2-40

server overview 2-5

timeout setting 2-29

rate limiting

bandwidth 4-8

connection 4-8

remarks in extended ACLs 1-17

reordering ACL entries 1-20

request methods

FTP command inspection, defining for 3-33

HTTP inspection, defining for 3-57

resequencing ACL entries 1-20

reserved bits, handling in connection parameter map 4-14

restricted category, defining for HTTP inspection (port misuse) 3-56

reverse-path forwarding, configuring 4-42

RTSP

application protocol inspection, configuring 3-104

application protocol support 3-6

inspection overview 3-18

restrictions 3-18

rules, maximum in ACL 1-4

S

SCCP

inspection 3-6, 3-19, 3-70, 3-97, 3-102, 3-104, 3-112

segment size

action for overrun 4-12

for connection parameter map 4-10

server groups

configuring 2-36

creating 2-37

LDAP 2-37

RADIUS 2-37

TACACS+ 2-37

service policy

applying to VLAN interfaces 3-124

associating with Layer 3 and 4 policy map 4-33

configuration information 3-131

dynamic NAT, global 5-19

dynamic NAT, local 5-18

static NAT, local 5-31, 5-39

Session Initiation Protocol. See SIP

SIP

inspection 3-6, 3-19, 3-73, 3-97, 3-102, 3-104, 3-116

inspection, enabling logging of packets 3-123

Skinny Client Control Protocol. See SCCP

slow start algorithm, enabling in connection parameter map 4-20

source NAT 5-2, 5-3, 5-4, 5-8

static NAT

See NAT

statistics

AAA 2-46

ACL, clearing 1-44

ACL, displaying 1-42

connection, clearing 4-66

HTTP inspection 3-130

IP, clearing 4-67

IP fragmentation and reassembly, clearing 4-68

IP fragmentation and reassembly, displaying 4-60

IP traffic 4-57

service policy 4-63

TCP, clearing 4-67

TCP, displaying 4-61

TCP/IP and UDP connections 4-54

TCP/IP connections and IP reassembly, clearing 4-67

TCP/IP connections and IP reassembly, displaying 4-50

UDP, clearing 4-68

UDP, displaying 4-62

switch mode, configuring 4-47

SYN cookie

configurational and operational considerations 4-38

configuring on an interface 4-40

displaying statistics 4-64

overview 4-37

SYN flood attack 4-37

T

TACACS+ server

accounting settings, configuring 2-11

ACE configuration 2-29

adding 2-22

Cisco Secure Access Control Server (ACS) 2-10, 2-11

configuration, displaying 2-48

dead-time setting 2-32

global preshared key setting 2-31

parameters, setting 2-30

server authentication settings, configuring 2-10

server group, creating 2-37

server group dead-time setting 2-39

server overview 2-5

timeout setting 2-33

TCP

connection, receive or transmit buffer size 4-10

normalization, disabling 4-34

normalization, overview 4-2

normalization send-reset, enabling 4-36

options, handling in connection parameter map 4-21

port numbers and key words 1-10

sequence numbers, randomizing 4-13

slow start algorithm, enabling in connection parameter map 4-20

SYN retries, limiting in connection parameter map 4-12

SYN segments with data, handling in connection parameter map 4-21

WAN optimization 4-17

TCP/IP and UDP configurations, displaying 4-51

TCP/IP normalization

clearing connections 4-66

configuration example 4-49

connection parameter map, configuring 4-5

IP fragment reassembly parameters, configuring 4-43

Layer 3 and 4 policy map, configuring 4-31

Layer 4 class map, configuring 4-26

normalization parameters, configuring 4-34

overview 4-2

quick start 4-3

statistics, clearing 4-67, 4-68

statistics, displaying 4-50

statistics, IP fragmentation and reassembly 4-60

statistics, IP traffic 4-57

statistics, service policy 4-63

statistics, TCP 4-61

statistics, TCP/IP connections 4-54

statistics, UDP 4-62

TCP/IP and UDP configurations, displaying 4-51

traffic policy, configuring 4-26

traffic class

See class map

traffic policies

TCP/IP normalization 4-26

transfer encoding, defining for HTTP inspection 3-59

TTL setting 4-41

type of service, setting in connection parameter map 4-26

U

UDP

port numbers and key words 1-12

UDP and TCP/IP configurations, displaying 4-51

unicast reverse-path forwarding, configuring 4-42

urgent pointer policy, setting in connection parameter map 4-25

URL

defining for HTTP deep packet inspection 3-60

length, defining for HTTP deep packet inspection 3-62

regular expressions 3-61

URL request logging 3-103

W

WAN optimization 4-17

	Security Guide vA4(1.0) and A4(2.0), Cisco ACE 4700 Series Application Control Engine Appliance
	Index
Security Guide vA4(1.0) and A4(2.0), Cisco ACE 4700 Series Application Control Engine Appliance Index Preface Configuring Security Access Control Lists Configuring Authentication and Accounting Services Configuring Application Protocol Inspection Configuring TCP/IP Normalization and IP Reassembly Parameters Configuring Network Address Translation	Download this chapter Index Download the complete book Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Book-Length PDF (Software Versions A4(1.0) and A4(2.0)) (PDF - 2 MB) Feedback Table Of Contents A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - W - Index A AAA accounting configuration, displaying 2-50 accounting log information, displaying 2-50 accounting method, defining default 2-45 authentication configuration, displaying 2-53 groups, displaying 2-47 LDAP server, configuring for 2-34 LDAP server configuration, displaying 2-49 local and remote support 2-3 login authentication method, defining 2-43 overview 2-2 quick start 2-8 RADIUS server, configuring for 2-23 RADIUS server configuration, displaying 2-47 server, adding 2-22 server groups, configuring 2-36 status and statistics 2-46 TACACS+ server, configuring for 2-29 TACACS+ server configuration, displaying 2-48 user accounts, creating 2-21 accounting configuration, displaying 2-50 default method, defining 2-45 log information, displaying 2-50 RADIUS server accounting settings, configuring 2-15 TACACS+ server accounting settings, configuring 2-11 ACLs alternate address, ICMP message 1-15 BPDU 1-18 clearing statistics 1-44 comments in extended ACLs 1-17 configuration information, displaying 1-42 dynamic NAT 5-11 EtherType, configuring 1-18 EtherType examples 1-41 expanded 1-4 extended, configuring 1-6 extended examples 1-33 guidelines 1-3 ICMP 1-7 implicit deny 1-4 inbound 1-34 IP extended ACL 1-7 IPs with NAT 1-37 maximum entries 1-4 merged 1-2 object groups1-20to 1-30 order of entries 1-3 outbound 1-34 overview 1-2 quick start 1-5 resequencing entries 1-20 static NAT 5-24, 5-34 statistics, displaying 1-42 types 1-3 application protocol inspection class map overview 3-6 configuration examples 3-126, 3-128, 3-129 DNS 3-9, 3-102 FTP 3-10, 3-102 HTTP 3-12, 3-103 ICMP 3-15, 3-103 ILS 3-5, 3-16, 3-102, 3-104 Layer 3 and 4 HTTP parameter map 3-109 Layer 3 and 4 quick start 3-29 Layer 3 and 4 traffic policy configuration 3-90 Layer 7 FTP command inspection class map 3-31 Layer 7 FTP command inspection configuration 3-30 Layer 7 FTP command inspection quick start 3-23 Layer 7 HTTP deep packet inspection class map 3-39 Layer 7 HTTP deep packet inspection configuration 3-38 Layer 7 HTTP deep packet inspection policy map 3-63 Layer 7 HTTP deep packet inspection quick start 3-25 limitations 3-3 NAT and PAT support 3-3 overview 3-2 policy map overview 3-6 process flow diagram 3-8 protocol inspection overview 3-2 RTSP 3-18, 3-104 SCCP 3-6, 3-19, 3-70, 3-97, 3-102, 3-104, 3-112 service policy, defining 3-124 service policy, displaying 3-130 SIP 3-6, 3-19, 3-73, 3-97, 3-102, 3-104, 3-116 standards 3-3 statistics 3-130 supported protocols 3-3 authentication configuration, displaying 2-53 local and remote support 2-3 local database 2-5 login method, defining 2-43 overview 2-7 RADIUS server authentication settings, configuring 2-14 TACACS+ server accounting settings, configuring 2-10 B bandwidth rate limiting 4-8 BPDU, in ACL 1-18 buffer size for connection parameter map 4-9 receive or transmit data for each TCP connection 4-10 C class map associating with Layer 7 policy map 3-37 associating with policy map 3-67, 3-99 description, entering 3-106, 3-113, 3-118, 4-8 dynamic NAT 5-15 Layer 3 and 4 access list match criteria 3-95 Layer 3 and 4 class map, associating with policy map 4-32 Layer 3 and 4 class map, creating 3-92 Layer 3 and 4 description 3-94 Layer 3 and 4 port range criteria 3-96 Layer 4, creating 4-26 Layer 4 description 4-28 Layer 4 IP address criteria 4-28 Layer 4 port number criteria 4-29 Layer 7 FTP command inspection, configuring 3-31 Layer 7 FTP command inspection description 3-32 Layer 7 FTP request methods 3-33 Layer 7 HTTP deep packet inspection, configuring 3-40 Layer 7 HTTP deep packet inspection description 3-42 overview in application protocol inspection process 3-6 static NAT 5-29, 5-35 configurational examples application protocol inspection 3-129 FTP 3-128 HTTP 3-126 TCP/IP normalization 4-49 connection parameter map action for segment overrun 4-12 associating with policy map 4-33 buffer size setting 4-9 configuring for TCP/IP normalization 4-5 creating for TCP/IP, UDP, and ICMP 4-7 embryonic connection timeout 4-15 half-closed connection timeout 4-15 inactive connection timeout 4-17 Nagle's algorithm 4-13 random TCP sequence numbers 4-13 reserved bit handling 4-14 segment size setting 4-10 slow start algorithm 4-20 TCP options, handling 4-21 TCP SYN retries, limiting 4-12 TCP SYN segments with data, handling 4-21 type of service 4-26 urgent pointer policy 4-25 connections clearing 4-66 embryonic, handling timeout of 4-15 half-closed, handling timeout of 4-15 inactive, handling timeout of 4-17 rate limiting 4-8 statistics, clearing 4-66 content type verification HTTP message 3-66 D DDoS 4-37 dead-time RADIUS server group setting 2-40 RADIUS server setting 2-27 TACACS+ server group setting 2-39 TACACS+ server setting 2-32 denial of service. See DoS destination NAT 5-2, 5-6, 5-7, 5-29, 5-32, 5-39, 5-47 distributed denial of service. See DDoS DNS 3-102 application protocol inspection, configuring 3-102 application protocol support 3-3 configuration example 3-129 inspection overview 3-9 Don't Fragment bit, handling 4-40 DoS protection, SYN cookie 4-37 dynamic NAT See NAT E embryonic connection, handling timeout of 4-15 EtherType ACL configuring 1-18 examples 1-41 extended ACL comments in 1-17 configuring 1-6 examples 1-33 F fixups See application protocol inspection fragment reassembly parameters See IP fragment reassembly parameters FTP application protocol support 3-3, 3-4 associating class map with policy map 3-37 class map 3-31 configuration examples 3-128 inline match commands in policy map 3-35 inspection overview 3-10 Layer 3 and 4 FTP application protocol inspection, configuring 3-102 Layer 7 FTP command inspection, configuring 3-30 passive with source NAT 5-16 policy actions 3-37 policy map 3-34 request methods, defining for command inspection 3-33 strict 3-11, 3-102 G global addresses, guidelines for NAT 5-7 H header value string expressions 3-51 HTTP application protocol support 3-4 associating class map with policy map 3-67 class map 3-39 configuration examples 3-126 content length, defining 3-43 content match criteria, defining 3-42 content type verification match criteria, defining 3-66 header for inspection 3-48 header value string expressions 3-51 HTTP/1/1 header fields, supported 3-49 inline match commands in policy map 3-65 inspection overview 3-12 internal compliance checks 3-67 Layer 3 and 4 HTTP application protocol inspection, configuring 3-103 Layer 7 HTTP deep packet inspection, configuring 3-38 Layer 7 HTTP deep packet inspection policy map 3-63 maximum header length for inspection 3-52 MIME type for inspection 3-53 parameter map 3-109 policy actions 3-68 policy map 3-63 request method for inspection 3-57 restricted category, defining (port misuse) 3-56 statistics from inspection 3-130 strict HTTP match criteria, defining 3-67 transfer encoding type for inspection 3-59 URL for inspection 3-60 URL length for inspection 3-62 HTTP/1/1 header fields, supported 3-49 I ICMP ACL 1-7 application protocol inspection, configuring 3-103 application protocol support 3-4, 3-5 conversion-error, ICMP message 1-15 echo, ICMP message 1-15 echo reply, ICMP message 1-14 information reply, ICMP message 1-15 information request, ICMP message 1-15 inspection overview 3-15 mask reply, ICMP message 1-15 mask request, ICMP message 1-15 mobile redirect, ICMP message 1-15 NAT of ICMP error messages 3-104 parameter-problem, ICMP message 1-15 redirect, ICMP message 1-14, 1-15 router-advertisement, ICMP message 1-15 router-solicitation, ICMP message 1-15 security, disabling 4-36 source quench, ICMP message 1-14 time-exceeded, ICMP message 1-15 timestamp-reply, ICMP message 1-15 timestamp-request, ICMP message 1-15 traceroute, ICMP message 1-15 types 1-14 unreachable, ICMP message 1-14 ILS inspection 3-5, 3-16, 3-102, 3-104 implicit PAT 5-2 inbound ACLs 1-34 inline match commands content type verification for HTTP inspection 3-66 in Layer 7 FTP command inspection policy map 3-35 in Layer 7 HTTP deep packet inspection policy map 3-65 strict HTTP for HTTP inspection 3-67 inspection engines See application protocol inspection Internet Locator Service. See ILS IP ACL 1-7 address pool, for dynamic NAT 5-12, 5-24 for ACL with NAT 1-37 normalization, overview 4-3 options, handling 4-41 IP fragment reassembly parameters configurational example 4-49 configuring 4-43 maximum fragment size setting 4-46 maximum fragments setting 4-45 MTU setting 4-45 quick start 4-43 reassembly timeout setting 4-46 L Layer 3 and 4 application protocol inspection, configuring associating class map with policy map 3-99 class map 3-92 policy actions 3-101 policy map 3-98 LDAP server ACE configuration 2-34 configuration, displaying 2-49 configuration overview 2-18 directory server overview 2-6 parameters, setting 2-34 port, setting 2-35 search filter configuration 2-42 server group, creating 2-37 timeout, setting 2-36 user profile attribute type configuration 2-40 virtualization attributes, defining 2-12, 2-16, 2-19 local database authentication 2-5 login authentication method, defining 2-43 M merged ACLs 1-2 MIME type, supported for HTTP inspection 3-53 MPLS, in ACL 1-18, 1-19 MTU in IP fragment reassembly configuration 4-45 N Nagle's algorithm 4-13 NAT ACL configuration, dynamic 5-11 ACL configuration, static 5-24, 5-34 application protocol inspection support 3-3 as policy map action, dynamic 5-17 as policy map action, static 5-28, 5-37 class map configuration, dynamic 5-15 class map configuration, static 5-29, 5-35 destination 5-2, 5-6, 5-7, 5-29, 5-32, 5-39, 5-47 dynamic NAT, overview 5-3 dynamic NAT and PAT, configuring 5-8 dynamic PAT, overview 5-4 global address guidelines 5-7 global IP address pool 5-12, 5-24 idle timeout, configuring 5-8 IPs in ACLs 1-37 maximum number of statements 5-7 overview 5-1 policy map configuration, dynamic 5-16 policy map configuration, static 5-30, 5-36 quick start, dynamic NAT and PAT 5-9 quick start, static NAT 5-20, 5-32 service policy, global dynamic 5-19 service policy, local dynamic 5-18 service policy, static 5-31, 5-39 source 5-2, 5-3, 5-4, 5-8 static NAT, overview 5-6 static NAT and port redirection, configuring 5-32 static port redirection 5-7 network address translation See NAT normalization parameters configuring 4-34 Don't Fragment bit, handling 4-40 ICMP security, disabling 4-36 IP options, handling 4-41 normalization send-reset, enabling 4-36 packet TTL setting 4-41 TCP normalization, disabling 4-34 unicast reverse-path forwarding, configuring 4-42 O object groups expanded 1-4 network 1-9 overview 1-21 service 1-14 order of ACL entries 1-3 outbound ACLs 1-34 P packet TTL setting 4-41 parameter map associating with Layer 3 and 4 policy map 3-108, 3-111, 3-115, 3-124 case sensitivity, disabling 3-109 configuring for Layer 3 and 4 HTTP inspection 3-109 maximum content bytes setting 3-110 maximum header bytes setting 3-110 passive FTP with source NAT 5-16 PAT configuring 5-8 implicit 5-2 overview 5-4 policy map actions, defining 3-37, 3-68, 3-101 associating with connection parameter map 4-33 dynamic NAT 5-16 dynamic NAT as policy map action 5-17 Layer 3 and 4, associating with class map 3-99 Layer 3 and 4, associating with parameter map 3-108, 3-111, 3-115, 3-124 Layer 3 and 4, associating with service policy 4-33 Layer 3 and 4, configuring HTTP parameter map 3-109 Layer 3 and 4, creating 3-98, 4-31 Layer 3 and 4, defining 3-98 Layer 3 and 4, description 3-99 Layer 3 and 4 policy map, associating with class map 4-32 Layer 7 FTP command inspection, adding description 3-35 Layer 7 FTP command inspection, associating with class map 3-37 Layer 7 FTP command inspection, creating 3-34 Layer 7 FTP command inspection, defining 3-34 Layer 7 FTP command inspection, inline match commands 3-35 Layer 7 HTTP deep packet inspection, adding description 3-64 Layer 7 HTTP deep packet inspection, associating with class map 3-67 Layer 7 HTTP deep packet inspection, creating 3-63 Layer 7 HTTP deep packet inspection, inline match commands 3-65 overview in application protocol inspection process 3-6 static NAT 5-30, 5-36 static NAT as policy map action 5-28, 5-37 port for LDAP server 2-35 number or range for Layer 3 and 4 application protocol inspection 3-96 port redirection, configuring 5-32 port redirection configuring 5-32 overview 5-7 preshared key RADIUS, setting for 2-27 TACACS+, setting for 2-31 Q quick start AAA configuration 2-8 ACL configuration 1-5 dynamic NAT and PAT configuration 5-9 IP fragment reassembly configuration 4-43 Layer 3 and 4 application protocol inspection 3-29 Layer 7 FTP command inspection 3-23 Layer 7 HTTP deep packet inspection 3-25 static NAT configuration 5-20, 5-32 TCP/IP normalization 4-3 R RADIUS server ACE configuration 2-23 adding 2-22 authentication settings, configuring 2-14 configuration, displaying 2-47 dead-time setting 2-27 global preshared key setting 2-27 NAS-IP-Address attribute setting 2-26 number of retransmissions, setting 2-28 parameters, setting 2-23 server accounting settings, configuring 2-15 server group, creating 2-37 server group dead-time setting 2-40 server overview 2-5 timeout setting 2-29 rate limiting bandwidth 4-8 connection 4-8 remarks in extended ACLs 1-17 reordering ACL entries 1-20 request methods FTP command inspection, defining for 3-33 HTTP inspection, defining for 3-57 resequencing ACL entries 1-20 reserved bits, handling in connection parameter map 4-14 restricted category, defining for HTTP inspection (port misuse) 3-56 reverse-path forwarding, configuring 4-42 RTSP application protocol inspection, configuring 3-104 application protocol support 3-6 inspection overview 3-18 restrictions 3-18 rules, maximum in ACL 1-4 S SCCP inspection 3-6, 3-19, 3-70, 3-97, 3-102, 3-104, 3-112 segment size action for overrun 4-12 for connection parameter map 4-10 server groups configuring 2-36 creating 2-37 LDAP 2-37 RADIUS 2-37 TACACS+ 2-37 service policy applying to VLAN interfaces 3-124 associating with Layer 3 and 4 policy map 4-33 configuration information 3-131 dynamic NAT, global 5-19 dynamic NAT, local 5-18 static NAT, local 5-31, 5-39 Session Initiation Protocol. See SIP SIP inspection 3-6, 3-19, 3-73, 3-97, 3-102, 3-104, 3-116 inspection, enabling logging of packets 3-123 Skinny Client Control Protocol. See SCCP slow start algorithm, enabling in connection parameter map 4-20 source NAT 5-2, 5-3, 5-4, 5-8 static NAT See NAT statistics AAA 2-46 ACL, clearing 1-44 ACL, displaying 1-42 connection, clearing 4-66 HTTP inspection 3-130 IP, clearing 4-67 IP fragmentation and reassembly, clearing 4-68 IP fragmentation and reassembly, displaying 4-60 IP traffic 4-57 service policy 4-63 TCP, clearing 4-67 TCP, displaying 4-61 TCP/IP and UDP connections 4-54 TCP/IP connections and IP reassembly, clearing 4-67 TCP/IP connections and IP reassembly, displaying 4-50 UDP, clearing 4-68 UDP, displaying 4-62 switch mode, configuring 4-47 SYN cookie configurational and operational considerations 4-38 configuring on an interface 4-40 displaying statistics 4-64 overview 4-37 SYN flood attack 4-37 T TACACS+ server accounting settings, configuring 2-11 ACE configuration 2-29 adding 2-22 Cisco Secure Access Control Server (ACS) 2-10, 2-11 configuration, displaying 2-48 dead-time setting 2-32 global preshared key setting 2-31 parameters, setting 2-30 server authentication settings, configuring 2-10 server group, creating 2-37 server group dead-time setting 2-39 server overview 2-5 timeout setting 2-33 TCP connection, receive or transmit buffer size 4-10 normalization, disabling 4-34 normalization, overview 4-2 normalization send-reset, enabling 4-36 options, handling in connection parameter map 4-21 port numbers and key words 1-10 sequence numbers, randomizing 4-13 slow start algorithm, enabling in connection parameter map 4-20 SYN retries, limiting in connection parameter map 4-12 SYN segments with data, handling in connection parameter map 4-21 WAN optimization 4-17 TCP/IP and UDP configurations, displaying 4-51 TCP/IP normalization clearing connections 4-66 configuration example 4-49 connection parameter map, configuring 4-5 IP fragment reassembly parameters, configuring 4-43 Layer 3 and 4 policy map, configuring 4-31 Layer 4 class map, configuring 4-26 normalization parameters, configuring 4-34 overview 4-2 quick start 4-3 statistics, clearing 4-67, 4-68 statistics, displaying 4-50 statistics, IP fragmentation and reassembly 4-60 statistics, IP traffic 4-57 statistics, service policy 4-63 statistics, TCP 4-61 statistics, TCP/IP connections 4-54 statistics, UDP 4-62 TCP/IP and UDP configurations, displaying 4-51 traffic policy, configuring 4-26 traffic class See class map traffic policies TCP/IP normalization 4-26 transfer encoding, defining for HTTP inspection 3-59 TTL setting 4-41 type of service, setting in connection parameter map 4-26 U UDP port numbers and key words 1-12 UDP and TCP/IP configurations, displaying 4-51 unicast reverse-path forwarding, configuring 4-42 urgent pointer policy, setting in connection parameter map 4-25 URL defining for HTTP deep packet inspection 3-60 length, defining for HTTP deep packet inspection 3-62 regular expressions 3-61 URL request logging 3-103 W WAN optimization 4-17
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks