Index
A
AAA
accounting configuration, displaying 2-52
accounting log information, displaying 2-53
accounting method, defining default 2-48
authentication configuration, displaying 2-54
groups, displaying 2-49
LDAP server, configuring for 2-36
LDAP server configuration, displaying 2-52
local and remote support 2-4
login authentication method, defining 2-46
overview 2-2
quick start 2-8
RADIUS server, configuring for 2-24
RADIUS server configuration, displaying 2-49
server, adding 2-23
server groups, configuring 2-39
status and statistics 2-49
TACACS+ server, configuring for 2-31
TACACS+ server configuration, displaying 2-51
user accounts, creating 2-22
accounting
configuration, displaying 2-52
default method, defining 2-48
log information, displaying 2-53
RADIUS server accounting settings, configuring 2-15
TACACS+ server accounting settings, configuring 2-11
ACLs
alternate address, ICMP message 1-14
BPDU 1-16
clearing statistics 1-32
comments in extended ACLs 1-15
configuration information, displaying 1-31
dynamic NAT 5-10
EtherType, configuring 1-16
EtherType examples 1-30
extended, configuring 1-6
extended examples 1-21
guidelines 1-3
ICMP 1-7
implicit deny 1-3
inbound 1-23
IP extended ACL 1-7
IPs with NAT 1-26
maximum entries 1-4
merged 1-2
order of entries 1-3
outbound 1-23
overview 1-1
quick start 1-4
resequencing entries 1-18
static NAT 5-18
statistics, displaying 1-31
TCP 1-7
types 1-2
UDP 1-7
application protocol inspection
class map overview 3-6
DNS 3-9, 3-70
FTP 3-10, 3-70
HTTP 3-8, 3-70
ICMP 3-11, 3-71
Layer 3 and 4 HTTP parameter map 3-72
Layer 3 and 4 quick start 3-22
Layer 3 and 4 traffic policy configuration 3-60
Layer 7 FTP command inspection class map 3-54
Layer 7 FTP command inspection configuration 3-53
Layer 7 FTP command inspection quick start 3-19
Layer 7 HTTP deep packet inspection class map 3-25
Layer 7 HTTP deep packet inspection configuration 3-24
Layer 7 HTTP deep packet inspection policy map 3-46
Layer 7 HTTP deep packet inspection quick start 3-15
limitations 3-3
NAT and PAT support 3-3
overview 3-2
policy map overview 3-6
process flow diagram 3-7
protocol inspection overview 3-2
RTSP 3-13, 3-71
service policy, defining 3-75
service policy, displaying 3-77
standards 3-3
statistics 3-77
supported protocols 3-3
assistance, technical xxii
audience xiv
authentication
configuration, displaying 2-54
local and remote support 2-4
local database 2-5
login method, defining 2-46
overview 2-7
RADIUS server authentication settings, configuring 2-14
TACACS+ server accounting settings, configuring 2-10
B
BPDU, in ACL 1-16
buffer size, for connection parameter map 4-7
C
class map
associating with Layer 7 policy map 3-59
associating with policy map 3-50, 3-67
dynamic NAT 5-12
Layer 3 and 4 access list match criteria 3-63
Layer 3 and 4 class map, associating with policy map 4-27
Layer 3 and 4 class map, creating 3-61
Layer 3 and 4 description 3-62
Layer 3 and 4 port range criteria 3-64
Layer 4, creating 4-23
Layer 4 description 4-24
Layer 4 IP address criteria 4-24
Layer 4 port number criteria 4-25
Layer 7 FTP command inspection, configuring 3-54
Layer 7 FTP command inspection description 3-55
Layer 7 FTP request methods 3-55
Layer 7 HTTP deep packet inspection, configuring 3-25
Layer 7 HTTP deep packet inspection description 3-27
overview in application protocol inspection process 3-6
static NAT 5-19
connection
clearing 4-49
embryonic, handling timeout of 4-13
half-closed, handling timeout of 4-14
inactive, handling timeout of 4-14
statistics, clearing 4-52
connection parameter map
action for segment overrun 4-10
associating with policy map 4-28
buffer size setting 4-7
configuring for TCP/IP normalization 4-6
creating for TCP/IP, UDP, and ICMP 4-7
embryonic connection timeout 4-13
half-closed connection timeout 4-14
inactive connection timeout 4-14
Nagle's algorithm 4-11
out-of-order segments, limiting 4-10
random TCP sequence numbers 4-12
reserved bit handling 4-12
segment size setting 4-8
slow start algorithm 4-16
TCP options, handling 4-17
TCP SYN retries, limiting 4-11
TCP SYN segments with data, handling 4-17
type of service 4-22
urgent pointer policy 4-21
content type verification, HTTP message 3-49
D
dead-time
RADIUS server group setting 2-42
RADIUS server setting 2-28
TACACS+ server group setting 2-41
TACACS+ server setting 2-34
destination NAT 5-2, 5-5, 5-16, 5-22, 5-29
DNS 3-70
application protocol inspection, configuring 3-70
application protocol support 3-3
inspection overview 3-9
documentation
additional xxiv
audience xiv
chapter contents 1-xiv
feedback xx
obtaining xix
related xv
set xv
symbols and conventions xvii
Don't Fragment bit, handling 4-32
dynamic NAT
See NAT
E
embryonic connection, handling timeout of 4-13
EtherType ACL
configuring 1-16
examples 1-30
extended ACL
comments in 1-15
configuring 1-6
examples 1-21
F
feedback, documentation xx
fixups
See application protocol inspection
fragment reassembly parameters
See IP fragment reassembly parameters
FTP
application protocol support 3-3, 3-4
associating class map with policy map 3-59
class map 3-54
inline match commands in policy map 3-58
inspection overview 3-10
Layer 3 and 4 FTP application protocol inspection, configuring 3-70
Layer 7 FTP command inspection, configuring 3-53
policy actions 3-59
policy map 3-56, 3-57
request methods, defining for command inspection 3-55
strict 3-10, 3-70
G
global addresses, guidelines for NAT 5-6
H
header value string expressions 3-33
HTTP
application protocol support 3-4
associating class map with policy map 3-50
class map 3-25
content length, defining 3-29
content match criteria, defining 3-28
content type verification match criteria, defining 3-49
header for inspection 3-30
header value string expressions 3-33
HTTP/1.1 header fields, supported 3-31
inline match commands in policy map 3-48
inspection overview 3-8
internal compliance checks 3-50
Layer 3 and 4 HTTP application protocol inspection, configuring 3-70
Layer 7 HTTP deep packet inspection, configuring 3-24
Layer 7 HTTP deep packet inspection policy map 3-46
maximum header length for inspection 3-35
MIME type for inspection 3-37
parameter map 3-72
policy actions 3-51
policy map 3-47
request method for inspection 3-41
restricted category, defining (port misuse) 3-40
statistics from inspection 3-77
strict HTTP match criteria, defining 3-50
transfer encoding type for inspection 3-42
URL for inspection 3-44
URL length for inspection 3-45
HTTP/1.1 header fields, supported 3-31
I
ICMP
ACL 1-7
application protocol inspection, configuring 3-71
application protocol support 3-4, 3-5
conversion-error, ICMP message 1-14
echo, ICMP message 1-14
echo reply, ICMP message 1-14
information reply, ICMP message 1-14
information request, ICMP message 1-14
inspection overview 3-11
mask reply, ICMP message 1-14
mask request, ICMP message 1-14
mobile redirect, ICMP message 1-14
NAT of ICMP error messages 3-71
parameter-problem, ICMP message 1-14
redirect, ICMP message 1-14
router-advertisement, ICMP message 1-14
router-solicitation, ICMP message 1-14
security, disabling 4-31
source quench, ICMP message 1-14
time-exceeded, ICMP message 1-14
timestamp-reply, ICMP message 1-14
timestamp-request, ICMP message 1-14
traceroute, ICMP message 1-14
types 1-14
unreachable, ICMP message 1-14
inbound ACLs 1-23
inline match commands
content type verification for HTTP inspection 3-49
in Layer 7 FTP command inspection policy map 3-58
in Layer 7 HTTP deep packet inspection policy map 3-48
strict HTTP for HTTP inspection 3-50
inspection engines
See application protocol inspection
IP
ACL 1-7
address pool, for dynamic NAT 5-10
for ACL with NAT 1-26
normalization, overview 4-3
options, handling 4-33
IP fragment reassembly parameters
configuring 4-35
maximum fragment size setting 4-38
maximum fragments setting 4-37
MTU setting 4-37
quick start 4-35
reassembly timeout setting 4-38
L
Layer 3 and 4 application protocol inspection, configuring
associating class map with policy map 3-67
class map 3-61
policy actions 3-69
policy map 3-66
LDAP server
ACE configuration 2-36
configuration, displaying 2-52
configuration overview 2-18
directory server overview 2-6
parameters, setting 2-36
port, setting 2-37
search filter configuration 2-45
server group, creating 2-39
timeout, setting 2-38
user profile attribute type configuration 2-43
virtualization attributes, defining 2-12, 2-16, 2-19
local database authentication 2-5
login authentication method, defining 2-46
M
merged ACLs 1-2
MIME type, supported for HTTP inspection 3-37
MPLS, in ACL 1-16, 1-18
MTU, in IP fragment reassembly configuration 4-37
N
Nagle's algorithm 4-11
NAT
ACL configuration, dynamic 5-10
ACL configuration, static 5-18
application protocol inspection support 3-3
as policy map action, dynamic 5-14
as policy map action, static 5-20
class map configuration, dynamic 5-12
class map configuration, static 5-19
destination 5-2, 5-5, 5-16, 5-22, 5-29
dynamic NAT, overview 5-3
dynamic NAT and PAT, configuring 5-7
dynamic PAT, overview 5-4
global address guidelines 5-6
global IP address pool 5-10
idle timeout, configuring 5-7
IPs in ACLs 1-26
maximum number of statements 5-5
overview 5-1
policy map configuration, dynamic 5-13
policy map configuration, static 5-19
quick start, dynamic NAT and PAT 5-8
quick start, static NAT 5-16
service policy, global dynamic 5-15
service policy, local dynamic 5-15
service policy, static 5-23
source 5-2, 5-3, 5-4, 5-7
static NAT, overview 5-5
static NAT and port redirection, configuring 5-16
static port redirection 5-5
network address translation
See NAT
normalization parameters
configuring 4-30
Don't Fragment bit, handling 4-32
ICMP security, disabling 4-31
IP options, handling 4-33
packet TTL setting 4-33
TCP normalization, disabling 4-30
unicast reverse-path forwarding, configuring 4-34
O
order of ACL entries 1-3
outbound ACLs 1-23
P
packet TTL setting 4-33
parameter map
associating with Layer 3 and 4 policy map 3-74
case sensitivity, disabling 3-73
configuring for Layer 3 and 4 HTTP inspection 3-72
maximum content bytes setting 3-74
maximum header bytes setting 3-73
PAT
configuring 5-7
overview 5-4
policy map
actions, defining 3-51, 3-59, 3-69
associating with connection parameter map 4-28
dynamic NAT 5-13
dynamic NAT as policy map action 5-14
Layer 3 and 4, associating with class map 3-67
Layer 3 and 4, associating with parameter map 3-74
Layer 3 and 4, associating with service policy 4-29
Layer 3 and 4, configuring HTTP parameter map 3-72
Layer 3 and 4, creating 3-66, 4-27
Layer 3 and 4, defining 3-66
Layer 3 and 4, description 3-67
Layer 3 and 4 policy map, associating with class map 4-27
Layer 7 FTP command inspection, adding description 3-57
Layer 7 FTP command inspection, associating with class map 3-59
Layer 7 FTP command inspection, creating 3-57
Layer 7 FTP command inspection, defining 3-56
Layer 7 FTP command inspection, inline match commands 3-58
Layer 7 HTTP deep packet inspection, adding description 3-47
Layer 7 HTTP deep packet inspection, associating with class map 3-50
Layer 7 HTTP deep packet inspection, creating 3-47
Layer 7 HTTP deep packet inspection, inline match commands 3-48
overview in application protocol inspection process 3-6
static NAT 5-19
static NAT as policy map action 5-20
port
for LDAP server 2-37
number or range for Layer 3 and 4 application protocol inspection 3-64
port redirection, configuring 5-16
port redirection
configuring 5-16
overview 5-5
preshared key
RADIUS, setting for 2-27
TACACS+, setting for 2-33
product security xxi
Q
quick start
AAA configuration 2-8
ACL configuration 1-4
dynamic NAT and PAT configuration 5-8
IP fragment reassembly configuration 4-35
Layer 3 and 4 application protocol inspection 3-22
Layer 7 FTP command inspection 3-19
Layer 7 HTTP deep packet inspection 3-15
static NAT configuration 5-16
TCP/IP normalization 4-3
R
RADIUS server
ACE configuration 2-24
adding 2-23
authentication settings, configuring 2-14
configuration, displaying 2-49
dead-time setting 2-28
global preshared key setting 2-27
NAS-IP-Address attribute setting 2-27
number of retransmissions, setting 2-29
parameters, setting 2-24
server accounting settings, configuring 2-15
server group, creating 2-39
server group dead-time setting 2-42
server overview 2-6
timeout setting 2-30
remarks in extended ACLs 1-15
reordering ACL entries 1-18
request methods
FTP command inspection, defining for 3-55
HTTP inspection, defining for 3-41
resequencing ACL entries 1-18
reserved bits, handling in connection parameter map 4-12
restricted category, defining for HTTP inspection (port misuse) 3-40
reverse-path forwarding, configuring 4-34
RTSP
application protocol inspection, configuring 3-71
application protocol support 3-5
inspection overview 3-13
restrictions 3-14
rules, maximum in ACL 1-4
S
security, product xxi
segments, limiting out-of-order 4-10
segment size
action for overrun 4-10
for connection parameter map 4-8
server groups
configuring 2-39
creating 2-39
LDAP 2-39
RADIUS 2-39
TACACS+ 2-39
service policy
applying to VLAN interfaces 3-75
associating with Layer 3 and 4 policy map 4-29
configuration information 3-78
dynamic NAT, global 5-15
dynamic NAT, local 5-15
static NAT, local 5-23
slow start algorithm, enabling in connection parameter map 4-16
source NAT 5-2, 5-3, 5-4, 5-7
static NAT
See NAT
statistics
AAA 2-49
ACL, clearing 1-32
ACL, displaying 1-31
connection, clearing 4-52
HTTP inspection 3-77
IP, clearing 4-50
IP fragmentation and reassembly, clearing 4-51
IP fragmentation and reassembly, displaying 4-45
IP traffic 4-42
service policy 4-48
TCP, clearing 4-50
TCP, displaying 4-46
TCP/IP and UDP connections 4-40
TCP/IP connections and IP reassembly, clearing 4-50
TCP/IP connections and IP reassembly, displaying 4-39
UDP, clearing 4-51
UDP, displaying 4-47
T
TACACS+ server
accounting settings, configuring 2-11
ACE configuration 2-31
adding 2-23
Cisco Secure Access Control Server (ACS) 2-10, 2-11
configuration, displaying 2-51
dead-time setting 2-34
global preshared key setting 2-33
parameters, setting 2-31
server authentication settings, configuring 2-10
server group, creating 2-39
server group dead-time setting 2-41
server overview 2-5
timeout setting 2-35
TCP
ACL 1-7
normalization, disabling 4-30
normalization, overview 4-2
options, handling in connection parameter map 4-17
port numbers and key words 1-9
sequence numbers, randomizing 4-12
slow start algorithm, enabling in connection parameter map 4-16
SYN retries, limiting in connection parameter map 4-11
SYN segments with data, handling in connection parameter map 4-17
TCP/IP and UDP configurations, displaying 4-39
TCP/IP normalization
clearing connections 4-49
connection parameter map, configuring 4-6
IP fragment reassembly parameters, configuring 4-35
Layer 3 and 4 policy map, configuring 4-27
Layer 4 class map, configuring 4-23
normalization parameters, configuring 4-30
overview 4-2
quick start 4-3
statistics, clearing 4-50, 4-51
statistics, displaying 4-39
statistics, IP fragmentation and reassembly 4-45
statistics, IP traffic 4-42
statistics, service policy 4-48
statistics, TCP 4-46
statistics, TCP/IP connections 4-40
statistics, UDP 4-47
TCP/IP and UDP configurations, displaying 4-39
traffic policy, configuring 4-23
technical assistance xxii
traffic class
See class map
traffic policy, TCP/IP normalization 4-23
transfer encoding, defining for HTTP inspection 3-42
TTL setting 4-33
type of service, setting in connection parameter map 4-22
U
UDP
ACL 1-7
port numbers and key words 1-11
UDP and TCP/IP configurations, displaying 4-39
unicast reverse-path forwarding, configuring 4-34
urgent pointer policy, setting in connection parameter map 4-21
URL
defining for HTTP deep packet inspection 3-44
length, defining for HTTP deep packet inspection 3-45
regular expressions 3-44
URL request logging 3-71