Index
A
AAA
accounting configuration, displaying 2-52
accounting log information, displaying 2-53
accounting method, defining default 2-48
authentication configuration, displaying 2-54
groups, displaying 2-49
LDAP server, configuring for 2-35
LDAP server configuration, displaying 2-52
local and remote support 2-4
login authentication method, defining 2-46
overview 2-2
quick start 2-8
RADIUS server, configuring for 2-25
RADIUS server configuration, displaying 2-49
server, adding 2-24
server groups, configuring 2-38
status and statistics 2-49
TACACS+ server, configuring for 2-31
TACACS+ server configuration, displaying 2-51
user accounts, creating 2-23
accounting
configuration, displaying 2-52
default method, defining 2-48
log information, displaying 2-53
RADIUS server accounting settings, configuring 2-16
TACACS+ server accounting settings, configuring 2-12
ACLs
alternate address, ICMP message 1-14
BPDU 1-17
clearing statistics 1-44
comments in extended ACLs 1-16
configuration information, displaying 1-42
dynamic NAT 5-12
EtherType, configuring 1-17
EtherType examples 1-41
expanded 1-4
extended, configuring 1-6
extended examples 1-32
guidelines 1-3
ICMP 1-7
implicit deny 1-4
inbound 1-34
IP extended ACL 1-7
IPs with NAT 1-37
maximum entries 1-4
merged 1-2
object groups 1-19 to 1-29
order of entries 1-3
outbound 1-34
overview 1-2
quick start 1-4
resequencing entries 1-18
static NAT 5-25, 5-36
statistics, displaying 1-42
types 1-3
application protocol inspection
class map overview 3-7
configuration examples 3-124, 3-125, 3-127
DNS 3-9, 3-102
FTP 3-10, 3-102
HTTP 3-12, 3-103
ICMP 3-12, 3-103
ILS 3-5, 3-14, 3-101, 3-103
Layer 3 and 4 HTTP parameter map 3-108
Layer 3 and 4 quick start 3-27
Layer 3 and 4 traffic policy configuration 3-90
Layer 7 FTP command inspection class map 3-30
Layer 7 FTP command inspection configuration 3-29
Layer 7 FTP command inspection quick start 3-20
Layer 7 HTTP deep packet inspection class map 3-38
Layer 7 HTTP deep packet inspection configuration 3-37
Layer 7 HTTP deep packet inspection policy map 3-62
Layer 7 HTTP deep packet inspection quick start 3-23
limitations 3-4
NAT and PAT support 3-4
overview 3-2
policy map overview 3-7
process flow diagram 3-8
protocol inspection overview 3-2
RTSP 3-15, 3-103
SCCP 3-6, 3-16, 3-69, 3-96, 3-102, 3-104, 3-111
service policy, defining 3-122
service policy, displaying 3-128
SIP 3-6, 3-17, 3-73, 3-96, 3-102, 3-104, 3-115
standards 3-4
statistics 3-128
supported protocols 3-3
authentication
configuration, displaying 2-54
local and remote support 2-4
local database 2-5
login method, defining 2-46
overview 2-7
RADIUS server authentication settings, configuring 2-15
TACACS+ server authentication settings, configuring 2-11
B
bandwidth rate limiting 4-8
BPDU, in ACL 1-17
buffer size
for connection parameter map 4-9
receive or transmit data for each TCP connection 4-9
C
class map
associating with Layer 7 policy map 3-35
associating with policy map 3-66, 3-99
dynamic NAT 5-15
Layer 3 and 4 access list match criteria 3-94
Layer 3 and 4 class map, associating with policy map 4-31
Layer 3 and 4 class map, creating 3-92
Layer 3 and 4 description 3-93
Layer 3 and 4 port range criteria 3-95
Layer 4, creating 4-26
Layer 4 description 4-27
Layer 4 IP address criteria 4-28
Layer 4 port number criteria 4-29
Layer 7 FTP command inspection, configuring 3-30
Layer 7 FTP command inspection description 3-31
Layer 7 FTP request methods 3-31
Layer 7 HTTP deep packet inspection, configuring 3-38
Layer 7 HTTP deep packet inspection description 3-40
overview in application protocol inspection process 3-7
static NAT 5-30, 5-36
configuration examples
application protocol inspection 3-127
FTP 3-125
HTTP 3-124
TCP/IP normalization 4-46
connection parameter map
action for segment overrun 4-12
associating with policy map 4-32
buffer size setting 4-9
configuring for TCP/IP normalization 4-6
creating for TCP/IP, UDP, and ICMP 4-7
embryonic connection timeout 4-14
half-closed connection timeout 4-15
inactive connection timeout 4-16
Nagle's algorithm 4-13
random TCP sequence numbers 4-13
reserved bit handling 4-14
segment size setting 4-10
slow start algorithm 4-19
TCP options, handling 4-20
TCP SYN retries, limiting 4-12
TCP SYN segments with data, handling 4-20
type of service 4-25
urgent pointer policy 4-24
connections
clearing 4-64
embryonic, handling timeout of 4-14
half-closed, handling timeout of 4-15
inactive, handling timeout of 4-16
rate limiting 4-8
statistics, clearing 4-65
content type verification
HTTP message 3-65
D
DDoS 4-36
dead-time
RADIUS server group setting 2-42
RADIUS server setting 2-29
TACACS+ server group setting 2-41
TACACS+ server setting 2-34
denial of service. See DoS
destination NAT 5-2, 5-7, 5-30, 5-33, 5-40, 5-50
distributed denial of service. See DDoS
DNS 3-102
application protocol inspection, configuring 3-102
application protocol support 3-4
configuration example 3-127
inspection overview 3-9
Don't Fragment bit, handling 4-39
DoS protection, SYN cookie 4-36
dynamic NAT
See NAT
E
embryonic connection, handling timeout of 4-14
EtherType ACL
configuring 1-17
examples 1-41
extended ACL
comments in 1-16
configuring 1-6
examples 1-32
F
fixups
See application protocol inspection
fragment reassembly parameters
See IP fragment reassembly parameters
FTP
application protocol support 3-4
associating class map with policy map 3-35
class map 3-30
configuration examples 3-125
inline match commands in policy map 3-34
inspection overview 3-10
Layer 3 and 4 FTP application protocol inspection, configuring 3-102
Layer 7 FTP command inspection, configuring 3-29
passive with source NAT 5-16
policy actions 3-36
policy map 3-32, 3-33
request methods, defining for command inspection 3-31
strict 3-11, 3-102
G
global addresses, guidelines for NAT 5-8
H
header value string expressions 3-50
HTTP
application protocol support 3-4
associating class map with policy map 3-66
class map 3-38
configuration examples 3-124
content length, defining 3-42
content match criteria, defining 3-41
content type verification match criteria, defining 3-65
header for inspection 3-47
header value string expressions 3-50
HTTP/1.1 header fields, supported 3-47
inline match commands in policy map 3-64
inspection overview 3-12
internal compliance checks 3-66
Layer 3 and 4 HTTP application protocol inspection, configuring 3-103
Layer 7 HTTP deep packet inspection, configuring 3-37
Layer 7 HTTP deep packet inspection policy map 3-62
maximum header length for inspection 3-51
MIME type for inspection 3-52
parameter map 3-108
policy actions 3-67
policy map 3-62
request method for inspection 3-57
restricted category, defining (port misuse) 3-55
statistics from inspection 3-128
strict HTTP match criteria, defining 3-66
transfer encoding type for inspection 3-58
URL for inspection 3-59
URL length for inspection 3-61
HTTP/1.1 header fields, supported 3-47
I
ICMP
ACL 1-7
application protocol inspection, configuring 3-103
application protocol support 3-4, 3-5
conversion-error, ICMP message 1-15
echo, ICMP message 1-14
echo reply, ICMP message 1-14
information reply, ICMP message 1-14
information request, ICMP message 1-14
inspection overview 3-12
mask reply, ICMP message 1-14
mask request, ICMP message 1-14
mobile redirect, ICMP message 1-15
NAT of ICMP error messages 3-103
parameter-problem, ICMP message 1-14
redirect, ICMP message 1-14
router-advertisement, ICMP message 1-14
router-solicitation, ICMP message 1-14
security, disabling 4-35
source quench, ICMP message 1-14
time-exceeded, ICMP message 1-14
timestamp-reply, ICMP message 1-14
timestamp-request, ICMP message 1-14
traceroute, ICMP message 1-14
types 1-14
unreachable, ICMP message 1-14
ILS inspection 3-5, 3-14, 3-101, 3-103
implicit PAT 5-2
inbound ACLs 1-34
inline match commands
content type verification for HTTP inspection 3-65
in Layer 7 FTP command inspection policy map 3-34
in Layer 7 HTTP deep packet inspection policy map 3-64
strict HTTP for HTTP inspection 3-66
inspection engines
See application protocol inspection
Internet Locator Service. See ILS
IP
ACL 1-7
address pool, for dynamic NAT 5-13, 5-25
for ACL with NAT 1-37
normalization, overview 4-3
options, handling 4-40
IP fragment reassembly parameters
configuration example 4-46
configuring 4-42
maximum fragment size setting 4-45
maximum fragments setting 4-44
MTU setting 4-44
quick start 4-42
reassembly timeout setting 4-45
L
Layer 3 and 4 application protocol inspection, configuring
associating class map with policy map 3-99
class map 3-92
policy actions 3-101
policy map 3-98
LDAP server
ACE configuration 2-35
configuration, displaying 2-52
configuration overview 2-19
directory server overview 2-6
parameters, setting 2-36
port, setting 2-37
search filter configuration 2-45
server group, creating 2-39
timeout, setting 2-38
user profile attribute type configuration 2-43
virtualization attributes, defining 2-13, 2-17, 2-20
local database authentication 2-5
login authentication method, defining 2-46
M
merged ACLs 1-2
MIME type, supported for HTTP inspection 3-52
MPLS, in ACL 1-17, 1-18
MTU
in IP fragment reassembly configuration 4-44
N
Nagle's algorithm 4-13
NAT
ACL configuration, dynamic 5-12
ACL configuration, static 5-25, 5-36
application protocol inspection support 3-4
as policy map action, dynamic 5-18
as policy map action, static 5-29, 5-38
class map configuration, dynamic 5-15
class map configuration, static 5-30, 5-36
creating over 8 K static configurations 5-41
destination 5-2, 5-7, 5-30, 5-33, 5-40, 5-50
dynamic NAT, overview 5-4
dynamic NAT and PAT, configuring 5-9
dynamic PAT, overview 5-5
global address guidelines 5-8
global IP address pool 5-13, 5-25
idle timeout, configuring 5-9
IPs in ACLs 1-37
maximum number of statements 5-8
overview 5-2
policy map configuration, dynamic 5-16
policy map configuration, static 5-31, 5-37
quick start, dynamic NAT and PAT 5-10
quick start, static NAT 5-21, 5-33
service policy, global dynamic 5-19
service policy, local dynamic 5-19
service policy, static 5-32, 5-40
source 5-2, 5-4, 5-5, 5-9
static NAT, overview 5-7
static NAT and port redirection, configuring 5-33
static port redirection 5-7
network address translation
See NAT
normalization parameters
configuring 4-34
Don't Fragment bit, handling 4-39
ICMP security, disabling 4-35
IP options, handling 4-40
packet TTL setting 4-40
TCP normalization, disabling 4-34
unicast reverse-path forwarding, configuring 4-41
O
object groups
expanded 1-4
network 1-9
overview 1-19
service 1-14
order of ACL entries 1-3
outbound ACLs 1-34
P
packet TTL setting 4-40
parameter map
associating with Layer 3 and 4 policy map 3-107, 3-110, 3-114, 3-121
case sensitivity, disabling 3-109
configuring for Layer 3 and 4 HTTP inspection 3-108
maximum content bytes setting 3-110
maximum header bytes setting 3-109
passive FTP with source NAT 5-16
PAT
configuring 5-9
implicit 5-2
overview 5-5
policy map
actions, defining 3-36, 3-67, 3-101
associating with connection parameter map 4-32
dynamic NAT 5-16, 5-18
Layer 3 and 4, associating with class map 3-99
Layer 3 and 4, associating with parameter map 3-107, 3-110, 3-114, 3-121
Layer 3 and 4, associating with service policy 4-33
Layer 3 and 4, configuring HTTP parameter map 3-108
Layer 3 and 4, creating 3-98, 4-31
Layer 3 and 4, defining 3-98
Layer 3 and 4, description 3-99
Layer 3 and 4 policy map, associating with class map 4-31
Layer 7 FTP command inspection, adding description 3-33
Layer 7 FTP command inspection, associating with class map 3-35
Layer 7 FTP command inspection, creating 3-33
Layer 7 FTP command inspection, defining 3-32
Layer 7 FTP command inspection, inline match commands 3-34
Layer 7 HTTP deep packet inspection, adding description 3-63
Layer 7 HTTP deep packet inspection, associating with class map 3-66
Layer 7 HTTP deep packet inspection, creating 3-62
Layer 7 HTTP deep packet inspection, inline match commands 3-64
overview in application protocol inspection process 3-7
static NAT 5-31, 5-37
static NAT as policy map action 5-29, 5-38
port
for LDAP server 2-37
number or range for Layer 3 and 4 application protocol inspection 3-95
port redirection, configuring 5-33
port redirection
configuring 5-33
overview 5-7
preshared key
RADIUS, setting for 2-28
TACACS+, setting for 2-33
Q
quick start
AAA configuration 2-8
ACL configuration 1-4
dynamic NAT and PAT configuration 5-10
IP fragment reassembly configuration 4-42
Layer 3 and 4 application protocol inspection 3-27
Layer 7 FTP command inspection 3-20
Layer 7 HTTP deep packet inspection 3-23
static NAT configuration 5-21, 5-33
TCP/IP normalization 4-3
R
RADIUS server
ACE configuration 2-25
adding 2-24
authentication settings, configuring 2-15
configuration, displaying 2-49
dead-time setting 2-29
global preshared key setting 2-28
NAS-IP-Address attribute setting 2-28
number of retransmissions, setting 2-30
parameters, setting 2-25
server accounting settings, configuring 2-16
server group, creating 2-39
server group dead-time setting 2-42
server overview 2-6
timeout setting 2-31
rate limiting
bandwidth 4-8
connection 4-8
remarks in extended ACLs 1-16
reordering ACL entries 1-18
request methods
FTP command inspection, defining for 3-31
HTTP inspection, defining for 3-57
resequencing ACL entries 1-18
reserved bits, handling in connection parameter map 4-14
restricted category, defining for HTTP inspection (port misuse) 3-55
reverse-path forwarding, configuring 4-41
RTSP
application protocol inspection, configuring 3-103
application protocol support 3-6
inspection overview 3-15
restrictions 3-15, 3-16
rules, maximum in ACL 1-4
S
SCCP
inspection 3-6, 3-16, 3-69, 3-96, 3-102, 3-104, 3-111
segment size
action for overrun 4-12
for connection parameter map 4-10
server groups
configuring 2-38
creating 2-39
LDAP 2-39
RADIUS 2-39
TACACS+ 2-39
service policy
applying to VLAN interfaces 3-122
associating with Layer 3 and 4 policy map 4-33
configuration information 3-129
dynamic NAT, global 5-19
dynamic NAT, local 5-19
static NAT, local 5-32, 5-40
Session Initiation Protocol. See SIP
SIP
inspection 3-6, 3-17, 3-73, 3-96, 3-102, 3-104, 3-115
Skinny Client Control Protocol. See SCCP
slow start algorithm, enabling in connection parameter map 4-19
source NAT 5-2, 5-4, 5-5, 5-9
static NAT
See NAT
statistics
AAA 2-49
ACL, clearing 1-44
ACL, displaying 1-42
connection, clearing 4-65
HTTP inspection 3-128
IP, clearing 4-65
IP fragmentation and reassembly, clearing 4-67
IP fragmentation and reassembly, displaying 4-58
IP traffic 4-55
service policy 4-61
TCP, clearing 4-66
TCP, displaying 4-59
TCP/IP and UDP connections 4-52
TCP/IP connections and IP reassembly, clearing 4-65
TCP/IP connections and IP reassembly, displaying 4-48
UDP, clearing 4-66
UDP, displaying 4-60
SYN cookie
configuration and operational considerations 4-38
configuring on an interface 4-38
displaying statistics 4-62
overview 4-36
SYN flood attack 4-36
T
TACACS+ server
accounting settings, configuring 2-12
ACE configuration 2-31
adding 2-24
Cisco Secure Access Control Server (ACS) 2-11, 2-12
configuration, displaying 2-51
dead-time setting 2-34
global preshared key setting 2-33
parameters, setting 2-32
server authentication settings, configuring 2-11
server group, creating 2-39
server group dead-time setting 2-41
server overview 2-5
timeout setting 2-35
TCP
connection, receive or transmit buffer size 4-9
normalization, disabling 4-34
normalization, overview 4-2
options, handling in connection parameter map 4-20
port numbers and keywords 1-9
sequence numbers, randomizing 4-13
slow start algorithm, enabling in connection parameter map 4-19
SYN retries, limiting in connection parameter map 4-12
SYN segments with data, handling in connection parameter map 4-20
WAN optimization 4-16
TCP/IP and UDP configurations, displaying 4-48
TCP/IP normalization
clearing connections 4-64
configuration example 4-46
connection parameter map, configuring 4-6
IP fragment reassembly parameters, configuring 4-42
Layer 3 and 4 policy map, configuring 4-31
Layer 4 class map, configuring 4-26
normalization parameters, configuring 4-34
overview 4-2
quick start 4-3
statistics, clearing 4-65, 4-67
statistics, displaying 4-48
statistics, IP fragmentation and reassembly 4-58
statistics, IP traffic 4-55
statistics, service policy 4-61
statistics, TCP 4-59
statistics, TCP/IP connections 4-52
statistics, UDP 4-60
TCP/IP and UDP configurations, displaying 4-48
traffic policy, configuring 4-26
traffic class
See class map
traffic policies
TCP/IP normalization 4-26
transfer encoding, defining for HTTP inspection 3-58
TTL setting 4-40
type of service, setting in connection parameter map 4-25
U
UDP
port numbers and keywords 1-12
UDP and TCP/IP configurations, displaying 4-48
unicast reverse-path forwarding, configuring 4-41
urgent pointer policy, setting in connection parameter map 4-24
URL
defining for HTTP deep packet inspection 3-59
length, defining for HTTP deep packet inspection 3-61
regular expressions 3-60
URL request logging 3-103
W
WAN optimization 4-16