Security Guide vA2(3.0), Cisco ACE Application Control Engine Module - Index [Cisco Services Modules]

Table Of Contents

A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - W -

Index

A

AAA

accounting configuration, displaying 2-52

accounting log information, displaying 2-53

accounting method, defining default 2-48

authentication configuration, displaying 2-54

groups, displaying 2-49

LDAP server, configuring for 2-35

LDAP server configuration, displaying 2-52

local and remote support 2-4

login authentication method, defining 2-46

overview 2-2

quick start 2-8

RADIUS server, configuring for 2-25

RADIUS server configuration, displaying 2-49

server, adding 2-24

server groups, configuring 2-38

status and statistics 2-49

TACACS+ server, configuring for 2-31

TACACS+ server configuration, displaying 2-51

user accounts, creating 2-23

accounting

configuration, displaying 2-52

default method, defining 2-48

log information, displaying 2-53

RADIUS server accounting settings, configuring 2-16

TACACS+ server accounting settings, configuring 2-12

ACLs

alternate address, ICMP message 1-14

BPDU 1-17

clearing statistics 1-44

comments in extended ACLs 1-16

configuration information, displaying 1-42

dynamic NAT 5-12

EtherType, configuring 1-17

EtherType examples 1-41

expanded 1-4

extended, configuring 1-6

extended examples 1-32

guidelines 1-3

ICMP 1-7

implicit deny 1-4

inbound 1-34

IP extended ACL 1-7

IPs with NAT 1-37

maximum entries 1-4

merged 1-2

object groups1-19to 1-29

order of entries 1-3

outbound 1-34

overview 1-2

quick start 1-4

resequencing entries 1-18

static NAT 5-24, 5-35

statistics, displaying 1-42

types 1-3

application protocol inspection

class map overview 3-7

configuration examples 3-127, 3-128, 3-130

DNS 3-9, 3-105

FTP 3-10, 3-105

HTTP 3-12, 3-106

ICMP 3-15, 3-106

ILS 3-5, 3-16, 3-105, 3-106

Layer 3 and 4 HTTP parameter map 3-111

Layer 3 and 4 quick start 3-30

Layer 3 and 4 traffic policy configuration 3-93

Layer 7 FTP command inspection class map 3-33

Layer 7 FTP command inspection configuration 3-32

Layer 7 FTP command inspection quick start 3-23

Layer 7 HTTP deep packet inspection class map 3-41

Layer 7 HTTP deep packet inspection configuration 3-40

Layer 7 HTTP deep packet inspection policy map 3-65

Layer 7 HTTP deep packet inspection quick start 3-26

limitations 3-4

NAT and PAT support 3-4

overview 3-2

policy map overview 3-7

process flow diagram 3-8

protocol inspection overview 3-2

RTSP 3-17, 3-107

SCCP 3-6, 3-19, 3-72, 3-99, 3-105, 3-107, 3-114

service policy, defining 3-125

service policy, displaying 3-131

SIP 3-6, 3-20, 3-76, 3-99, 3-105, 3-107, 3-118

standards 3-4

statistics 3-131

supported protocols 3-3

authentication

configuration, displaying 2-54

local and remote support 2-4

local database 2-5

login method, defining 2-46

overview 2-7

RADIUS server authentication settings, configuring 2-15

TACACS+ server accounting settings, configuring 2-11

B

bandwidth rate limiting 4-8

BPDU, in ACL 1-17

buffer size

for connection parameter map 4-9

receive or transmit data for each TCP connection 4-9

C

class map

associating with Layer 7 policy map 3-38

associating with policy map 3-69, 3-102

dynamic NAT 5-15

Layer 3 and 4 access list match criteria 3-97

Layer 3 and 4 class map, associating with policy map 4-30

Layer 3 and 4 class map, creating 3-95

Layer 3 and 4 description 3-96

Layer 3 and 4 port range criteria 3-98

Layer 4, creating 4-25

Layer 4 description 4-26

Layer 4 IP address criteria 4-27

Layer 4 port number criteria 4-28

Layer 7 FTP command inspection, configuring 3-33

Layer 7 FTP command inspection description 3-34

Layer 7 FTP request methods 3-34

Layer 7 HTTP deep packet inspection, configuring 3-41

Layer 7 HTTP deep packet inspection description 3-43

overview in application protocol inspection process 3-7

static NAT 5-29, 5-35

configurational examples

application protocol inspection 3-130

FTP 3-128

HTTP 3-127

TCP/IP normalization 4-46

connection parameter map

action for segment overrun 4-11

associating with policy map 4-31

buffer size setting 4-9

configuring for TCP/IP normalization 4-6

creating for TCP/IP, UDP, and ICMP 4-7

embryonic connection timeout 4-14

half-closed connection timeout 4-15

inactive connection timeout 4-15

Nagle's algorithm 4-12

random TCP sequence numbers 4-13

reserved bit handling 4-13

segment size setting 4-10

slow start algorithm 4-18

TCP options, handling 4-20

TCP SYN retries, limiting 4-12

TCP SYN segments with data, handling 4-19

type of service 4-24

urgent pointer policy 4-23

connections

clearing 4-64

embryonic, handling timeout of 4-14

half-closed, handling timeout of 4-15

inactive, handling timeout of 4-15

rate limiting 4-8

statistics, clearing 4-65

content type verification

HTTP message 3-69

D

DDoS 4-35

dead-time

RADIUS server group setting 2-42

RADIUS server setting 2-29

TACACS+ server group setting 2-41

TACACS+ server setting 2-34

denial of service. See DoS

destination NAT 5-2, 5-7, 5-29, 5-32, 5-39, 5-49

distributed denial of service. See DDoS

DNS 3-105

application protocol inspection, configuring 3-105

application protocol support 3-4

configuration example 3-130

inspection overview 3-9

Don't Fragment bit, handling 4-38

DoS protection, SYN cookie 4-35

dynamic NAT

See NAT

E

embryonic connection, handling timeout of 4-14

EtherType ACL

configuring 1-17

examples 1-41

extended ACL

comments in 1-16

configuring 1-6

examples 1-32

F

fixups

See application protocol inspection

fragment reassembly parameters

See IP fragment reassembly parameters

FTP

application protocol support 3-4

associating class map with policy map 3-38

class map 3-33

configuration examples 3-128

inline match commands in policy map 3-37

inspection overview 3-10

Layer 3 and 4 FTP application protocol inspection, configuring 3-105

Layer 7 FTP command inspection, configuring 3-32

passive with source NAT 5-16

policy actions 3-39

policy map 3-35, 3-36

request methods, defining for command inspection 3-34

strict 3-11, 3-105

G

global addresses, guidelines for NAT 5-8

H

header value string expressions 3-53

HTTP

application protocol support 3-4

associating class map with policy map 3-69

class map 3-41

configuration examples 3-127

content length, defining 3-45

content match criteria, defining 3-44

content type verification match criteria, defining 3-69

header for inspection 3-50

header value string expressions 3-53

HTTP/1/1 header fields, supported 3-50

inline match commands in policy map 3-67

inspection overview 3-12

internal compliance checks 3-69

Layer 3 and 4 HTTP application protocol inspection, configuring 3-106

Layer 7 HTTP deep packet inspection, configuring 3-40

Layer 7 HTTP deep packet inspection policy map 3-65

maximum header length for inspection 3-54

MIME type for inspection 3-55

parameter map 3-111

policy actions 3-71

policy map 3-66

request method for inspection 3-60

restricted category, defining (port misuse) 3-58

statistics from inspection 3-131

strict HTTP match criteria, defining 3-69

transfer encoding type for inspection 3-61

URL for inspection 3-63

URL length for inspection 3-64

HTTP/1/1 header fields, supported 3-50

I

ICMP

ACL 1-7

application protocol inspection, configuring 3-106

application protocol support 3-4, 3-5

conversion-error, ICMP message 1-15

echo, ICMP message 1-14

echo reply, ICMP message 1-14

information reply, ICMP message 1-14

information request, ICMP message 1-14

inspection overview 3-15

mask reply, ICMP message 1-14

mask request, ICMP message 1-14

mobile redirect, ICMP message 1-15

NAT of ICMP error messages 3-106

parameter-problem, ICMP message 1-14

redirect, ICMP message 1-14

router-advertisement, ICMP message 1-14

router-solicitation, ICMP message 1-14

security, disabling 4-34

source quench, ICMP message 1-14

time-exceeded, ICMP message 1-14

timestamp-reply, ICMP message 1-14

timestamp-request, ICMP message 1-14

traceroute, ICMP message 1-14

types 1-14

unreachable, ICMP message 1-14

ILS inspection 3-5, 3-16, 3-105, 3-106

implicit PAT 5-2

inbound ACLs 1-34

inline match commands

content type verification for HTTP inspection 3-69

in Layer 7 FTP command inspection policy map 3-37

in Layer 7 HTTP deep packet inspection policy map 3-67

strict HTTP for HTTP inspection 3-69

inspection engines

See application protocol inspection

Internet Locator Service. See ILS

IP

ACL 1-7

address pool, for dynamic NAT 5-13, 5-24

for ACL with NAT 1-37

normalization, overview 4-3

options, handling 4-39

IP fragment reassembly parameters

configurational example 4-46

configuring 4-41

maximum fragment size setting 4-44

maximum fragments setting 4-43

MTU setting 4-43

quick start 4-41

reassembly timeout setting 4-44

L

Layer 3 and 4 application protocol inspection, configuring

associating class map with policy map 3-102

class map 3-95

policy actions 3-104

policy map 3-101

LDAP server

ACE configuration 2-35

configuration, displaying 2-52

configuration overview 2-19

directory server overview 2-6

parameters, setting 2-36

port, setting 2-37

search filter configuration 2-45

server group, creating 2-39

timeout, setting 2-38

user profile attribute type configuration 2-43

virtualization attributes, defining 2-13, 2-17, 2-20

local database authentication 2-5

login authentication method, defining 2-46

M

merged ACLs 1-2

MIME type, supported for HTTP inspection 3-55

MPLS, in ACL 1-17, 1-18

MTU

in IP fragment reassembly configuration 4-43

N

Nagle's algorithm 4-12

NAT

ACL configuration, dynamic 5-12

ACL configuration, static 5-24, 5-35

application protocol inspection support 3-4

as policy map action, dynamic 5-17

as policy map action, static 5-28, 5-37

class map configuration, dynamic 5-15

class map configuration, static 5-29, 5-35

creating over 8 K static configurations 5-40

destination 5-2, 5-7, 5-29, 5-32, 5-39, 5-49

dynamic NAT, overview 5-4

dynamic NAT and PAT, configuring 5-9

dynamic PAT, overview 5-5

global address guidelines 5-8

global IP address pool 5-13, 5-24

idle timeout, configuring 5-9

IPs in ACLs 1-37

maximum number of statements 5-8

overview 5-2

policy map configuration, dynamic 5-16

policy map configuration, static 5-30, 5-36

quick start, dynamic NAT and PAT 5-10

quick start, static NAT 5-20, 5-32

service policy, global dynamic 5-19

service policy, local dynamic 5-18

service policy, static 5-31, 5-39

source 5-2, 5-4, 5-5, 5-9

static NAT, overview 5-7

static NAT and port redirection, configuring 5-32

static port redirection 5-7

network address translation

See NAT

normalization parameters

configuring 4-33

Don't Fragment bit, handling 4-38

ICMP security, disabling 4-34

IP options, handling 4-39

packet TTL setting 4-39

TCP normalization, disabling 4-33

unicast reverse-path forwarding, configuring 4-40

O

object groups

expanded 1-4

network 1-9

overview 1-20

service 1-14

order of ACL entries 1-3

outbound ACLs 1-34

P

packet TTL setting 4-39

parameter map

associating with Layer 3 and 4 policy map 3-110, 3-113, 3-117, 3-124

case sensitivity, disabling 3-112

configuring for Layer 3 and 4 HTTP inspection 3-111

maximum content bytes setting 3-113

maximum header bytes setting 3-112

passive FTP with source NAT 5-16

PAT

configuring 5-9

implicit 5-2

overview 5-5

policy map

actions, defining 3-39, 3-71, 3-104

associating with connection parameter map 4-31

dynamic NAT 5-16

dynamic NAT as policy map action 5-17

Layer 3 and 4, associating with class map 3-102

Layer 3 and 4, associating with parameter map 3-110, 3-113, 3-117, 3-124

Layer 3 and 4, associating with service policy 4-32

Layer 3 and 4, configuring HTTP parameter map 3-111

Layer 3 and 4, creating 3-101, 4-30

Layer 3 and 4, defining 3-101

Layer 3 and 4, description 3-102

Layer 3 and 4 policy map, associating with class map 4-30

Layer 7 FTP command inspection, adding description 3-36

Layer 7 FTP command inspection, associating with class map 3-38

Layer 7 FTP command inspection, creating 3-36

Layer 7 FTP command inspection, defining 3-35

Layer 7 FTP command inspection, inline match commands 3-37

Layer 7 HTTP deep packet inspection, adding description 3-66

Layer 7 HTTP deep packet inspection, associating with class map 3-69

Layer 7 HTTP deep packet inspection, creating 3-66

Layer 7 HTTP deep packet inspection, inline match commands 3-67

overview in application protocol inspection process 3-7

static NAT 5-30, 5-36

static NAT as policy map action 5-28, 5-37

port

for LDAP server 2-37

number or range for Layer 3 and 4 application protocol inspection 3-98

port redirection, configuring 5-32

port redirection

configuring 5-32

overview 5-7

preshared key

RADIUS, setting for 2-28

TACACS+, setting for 2-33

Q

quick start

AAA configuration 2-8

ACL configuration 1-4

dynamic NAT and PAT configuration 5-10

IP fragment reassembly configuration 4-41

Layer 3 and 4 application protocol inspection 3-30

Layer 7 FTP command inspection 3-23

Layer 7 HTTP deep packet inspection 3-26

static NAT configuration 5-20, 5-32

TCP/IP normalization 4-3

R

RADIUS server

ACE configuration 2-25

adding 2-24

authentication settings, configuring 2-15

configuration, displaying 2-49

dead-time setting 2-29

global preshared key setting 2-28

NAS-IP-Address attribute setting 2-28

number of retransmissions, setting 2-30

parameters, setting 2-25

server accounting settings, configuring 2-16

server group, creating 2-39

server group dead-time setting 2-42

server overview 2-6

timeout setting 2-31

rate limiting

bandwidth 4-8

connection 4-8

remarks in extended ACLs 1-16

reordering ACL entries 1-18

request methods

FTP command inspection, defining for 3-34

HTTP inspection, defining for 3-60

resequencing ACL entries 1-18

reserved bits, handling in connection parameter map 4-13

restricted category, defining for HTTP inspection (port misuse) 3-58

reverse-path forwarding, configuring 4-40

RTSP

application protocol inspection, configuring 3-107

application protocol support 3-6

inspection overview 3-17

restrictions 3-18

rules, maximum in ACL 1-4

S

SCCP

inspection 3-6, 3-19, 3-72, 3-99, 3-105, 3-107, 3-114

segment size

action for overrun 4-11

for connection parameter map 4-10

server groups

configuring 2-38

creating 2-39

LDAP 2-39

RADIUS 2-39

TACACS+ 2-39

service policy

applying to VLAN interfaces 3-125

associating with Layer 3 and 4 policy map 4-32

configuration information 3-132

dynamic NAT, global 5-19

dynamic NAT, local 5-18

static NAT, local 5-31, 5-39

Session Initiation Protocol. See SIP

SIP

inspection 3-6, 3-20, 3-76, 3-99, 3-105, 3-107, 3-118

Skinny Client Control Protocol. See SCCP

slow start algorithm, enabling in connection parameter map 4-18

source NAT 5-2, 5-4, 5-5, 5-9

static NAT

See NAT

statistics

AAA 2-49

ACL, clearing 1-44

ACL, displaying 1-42

connection, clearing 4-65

HTTP inspection 3-131

IP, clearing 4-65

IP fragmentation and reassembly, clearing 4-67

IP fragmentation and reassembly, displaying 4-58

IP traffic 4-55

service policy 4-61

TCP, clearing 4-66

TCP, displaying 4-59

TCP/IP and UDP connections 4-52

TCP/IP connections and IP reassembly, clearing 4-65

TCP/IP connections and IP reassembly, displaying 4-48

UDP, clearing 4-66

UDP, displaying 4-60

SYN cookie

configurational and operational considerations 4-36

configuring on an interface 4-37

displaying statistics 4-62

overview 4-35

SYN flood attack 4-35

T

TACACS+ server

accounting settings, configuring 2-12

ACE configuration 2-31

adding 2-24

Cisco Secure Access Control Server (ACS) 2-11, 2-12

configuration, displaying 2-51

dead-time setting 2-34

global preshared key setting 2-33

parameters, setting 2-32

server authentication settings, configuring 2-11

server group, creating 2-39

server group dead-time setting 2-41

server overview 2-5

timeout setting 2-35

TCP

connection, receive or transmit buffer size 4-9

normalization, disabling 4-33

normalization, overview 4-2

options, handling in connection parameter map 4-20

port numbers and key words 1-9

sequence numbers, randomizing 4-13

slow start algorithm, enabling in connection parameter map 4-18

SYN retries, limiting in connection parameter map 4-12

SYN segments with data, handling in connection parameter map 4-19

WAN optimization 4-16

TCP/IP and UDP configurations, displaying 4-48

TCP/IP normalization

clearing connections 4-64

configuration example 4-46

connection parameter map, configuring 4-6

IP fragment reassembly parameters, configuring 4-41

Layer 3 and 4 policy map, configuring 4-30

Layer 4 class map, configuring 4-25

normalization parameters, configuring 4-33

overview 4-2

quick start 4-3

statistics, clearing 4-65, 4-67

statistics, displaying 4-48

statistics, IP fragmentation and reassembly 4-58

statistics, IP traffic 4-55

statistics, service policy 4-61

statistics, TCP 4-59

statistics, TCP/IP connections 4-52

statistics, UDP 4-60

TCP/IP and UDP configurations, displaying 4-48

traffic policy, configuring 4-25

traffic class

See class map

traffic policies

TCP/IP normalization 4-25

transfer encoding, defining for HTTP inspection 3-61

TTL setting 4-39

type of service, setting in connection parameter map 4-24

U

UDP

port numbers and key words 1-12

UDP and TCP/IP configurations, displaying 4-48

unicast reverse-path forwarding, configuring 4-40

urgent pointer policy, setting in connection parameter map 4-23

URL

defining for HTTP deep packet inspection 3-63

length, defining for HTTP deep packet inspection 3-64

regular expressions 3-63

URL request logging 3-106

W

WAN optimization 4-16

	Security Guide vA2(3.0), Cisco ACE Application Control Engine Module
	Index
Security Guide vA2(3.0), Cisco ACE Application Control Engine Module Index Preface Configuring Security Access Control Lists Configuring Authentication and Accounting Services Configuring Application Protocol Inspection Configuring TCP/IP Normalization and IP Reassembly Parameters Configuring Network Address Translation	Download this chapter Index Download the complete book Cisco Application Control Engine Module Security Configuration Guide Book-Length PDF (Software Version A2(3.0)) (PDF - 2 MB) Feedback Table Of Contents A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - W - Index A AAA accounting configuration, displaying 2-52 accounting log information, displaying 2-53 accounting method, defining default 2-48 authentication configuration, displaying 2-54 groups, displaying 2-49 LDAP server, configuring for 2-35 LDAP server configuration, displaying 2-52 local and remote support 2-4 login authentication method, defining 2-46 overview 2-2 quick start 2-8 RADIUS server, configuring for 2-25 RADIUS server configuration, displaying 2-49 server, adding 2-24 server groups, configuring 2-38 status and statistics 2-49 TACACS+ server, configuring for 2-31 TACACS+ server configuration, displaying 2-51 user accounts, creating 2-23 accounting configuration, displaying 2-52 default method, defining 2-48 log information, displaying 2-53 RADIUS server accounting settings, configuring 2-16 TACACS+ server accounting settings, configuring 2-12 ACLs alternate address, ICMP message 1-14 BPDU 1-17 clearing statistics 1-44 comments in extended ACLs 1-16 configuration information, displaying 1-42 dynamic NAT 5-12 EtherType, configuring 1-17 EtherType examples 1-41 expanded 1-4 extended, configuring 1-6 extended examples 1-32 guidelines 1-3 ICMP 1-7 implicit deny 1-4 inbound 1-34 IP extended ACL 1-7 IPs with NAT 1-37 maximum entries 1-4 merged 1-2 object groups1-19to 1-29 order of entries 1-3 outbound 1-34 overview 1-2 quick start 1-4 resequencing entries 1-18 static NAT 5-24, 5-35 statistics, displaying 1-42 types 1-3 application protocol inspection class map overview 3-7 configuration examples 3-127, 3-128, 3-130 DNS 3-9, 3-105 FTP 3-10, 3-105 HTTP 3-12, 3-106 ICMP 3-15, 3-106 ILS 3-5, 3-16, 3-105, 3-106 Layer 3 and 4 HTTP parameter map 3-111 Layer 3 and 4 quick start 3-30 Layer 3 and 4 traffic policy configuration 3-93 Layer 7 FTP command inspection class map 3-33 Layer 7 FTP command inspection configuration 3-32 Layer 7 FTP command inspection quick start 3-23 Layer 7 HTTP deep packet inspection class map 3-41 Layer 7 HTTP deep packet inspection configuration 3-40 Layer 7 HTTP deep packet inspection policy map 3-65 Layer 7 HTTP deep packet inspection quick start 3-26 limitations 3-4 NAT and PAT support 3-4 overview 3-2 policy map overview 3-7 process flow diagram 3-8 protocol inspection overview 3-2 RTSP 3-17, 3-107 SCCP 3-6, 3-19, 3-72, 3-99, 3-105, 3-107, 3-114 service policy, defining 3-125 service policy, displaying 3-131 SIP 3-6, 3-20, 3-76, 3-99, 3-105, 3-107, 3-118 standards 3-4 statistics 3-131 supported protocols 3-3 authentication configuration, displaying 2-54 local and remote support 2-4 local database 2-5 login method, defining 2-46 overview 2-7 RADIUS server authentication settings, configuring 2-15 TACACS+ server accounting settings, configuring 2-11 B bandwidth rate limiting 4-8 BPDU, in ACL 1-17 buffer size for connection parameter map 4-9 receive or transmit data for each TCP connection 4-9 C class map associating with Layer 7 policy map 3-38 associating with policy map 3-69, 3-102 dynamic NAT 5-15 Layer 3 and 4 access list match criteria 3-97 Layer 3 and 4 class map, associating with policy map 4-30 Layer 3 and 4 class map, creating 3-95 Layer 3 and 4 description 3-96 Layer 3 and 4 port range criteria 3-98 Layer 4, creating 4-25 Layer 4 description 4-26 Layer 4 IP address criteria 4-27 Layer 4 port number criteria 4-28 Layer 7 FTP command inspection, configuring 3-33 Layer 7 FTP command inspection description 3-34 Layer 7 FTP request methods 3-34 Layer 7 HTTP deep packet inspection, configuring 3-41 Layer 7 HTTP deep packet inspection description 3-43 overview in application protocol inspection process 3-7 static NAT 5-29, 5-35 configurational examples application protocol inspection 3-130 FTP 3-128 HTTP 3-127 TCP/IP normalization 4-46 connection parameter map action for segment overrun 4-11 associating with policy map 4-31 buffer size setting 4-9 configuring for TCP/IP normalization 4-6 creating for TCP/IP, UDP, and ICMP 4-7 embryonic connection timeout 4-14 half-closed connection timeout 4-15 inactive connection timeout 4-15 Nagle's algorithm 4-12 random TCP sequence numbers 4-13 reserved bit handling 4-13 segment size setting 4-10 slow start algorithm 4-18 TCP options, handling 4-20 TCP SYN retries, limiting 4-12 TCP SYN segments with data, handling 4-19 type of service 4-24 urgent pointer policy 4-23 connections clearing 4-64 embryonic, handling timeout of 4-14 half-closed, handling timeout of 4-15 inactive, handling timeout of 4-15 rate limiting 4-8 statistics, clearing 4-65 content type verification HTTP message 3-69 D DDoS 4-35 dead-time RADIUS server group setting 2-42 RADIUS server setting 2-29 TACACS+ server group setting 2-41 TACACS+ server setting 2-34 denial of service. See DoS destination NAT 5-2, 5-7, 5-29, 5-32, 5-39, 5-49 distributed denial of service. See DDoS DNS 3-105 application protocol inspection, configuring 3-105 application protocol support 3-4 configuration example 3-130 inspection overview 3-9 Don't Fragment bit, handling 4-38 DoS protection, SYN cookie 4-35 dynamic NAT See NAT E embryonic connection, handling timeout of 4-14 EtherType ACL configuring 1-17 examples 1-41 extended ACL comments in 1-16 configuring 1-6 examples 1-32 F fixups See application protocol inspection fragment reassembly parameters See IP fragment reassembly parameters FTP application protocol support 3-4 associating class map with policy map 3-38 class map 3-33 configuration examples 3-128 inline match commands in policy map 3-37 inspection overview 3-10 Layer 3 and 4 FTP application protocol inspection, configuring 3-105 Layer 7 FTP command inspection, configuring 3-32 passive with source NAT 5-16 policy actions 3-39 policy map 3-35, 3-36 request methods, defining for command inspection 3-34 strict 3-11, 3-105 G global addresses, guidelines for NAT 5-8 H header value string expressions 3-53 HTTP application protocol support 3-4 associating class map with policy map 3-69 class map 3-41 configuration examples 3-127 content length, defining 3-45 content match criteria, defining 3-44 content type verification match criteria, defining 3-69 header for inspection 3-50 header value string expressions 3-53 HTTP/1/1 header fields, supported 3-50 inline match commands in policy map 3-67 inspection overview 3-12 internal compliance checks 3-69 Layer 3 and 4 HTTP application protocol inspection, configuring 3-106 Layer 7 HTTP deep packet inspection, configuring 3-40 Layer 7 HTTP deep packet inspection policy map 3-65 maximum header length for inspection 3-54 MIME type for inspection 3-55 parameter map 3-111 policy actions 3-71 policy map 3-66 request method for inspection 3-60 restricted category, defining (port misuse) 3-58 statistics from inspection 3-131 strict HTTP match criteria, defining 3-69 transfer encoding type for inspection 3-61 URL for inspection 3-63 URL length for inspection 3-64 HTTP/1/1 header fields, supported 3-50 I ICMP ACL 1-7 application protocol inspection, configuring 3-106 application protocol support 3-4, 3-5 conversion-error, ICMP message 1-15 echo, ICMP message 1-14 echo reply, ICMP message 1-14 information reply, ICMP message 1-14 information request, ICMP message 1-14 inspection overview 3-15 mask reply, ICMP message 1-14 mask request, ICMP message 1-14 mobile redirect, ICMP message 1-15 NAT of ICMP error messages 3-106 parameter-problem, ICMP message 1-14 redirect, ICMP message 1-14 router-advertisement, ICMP message 1-14 router-solicitation, ICMP message 1-14 security, disabling 4-34 source quench, ICMP message 1-14 time-exceeded, ICMP message 1-14 timestamp-reply, ICMP message 1-14 timestamp-request, ICMP message 1-14 traceroute, ICMP message 1-14 types 1-14 unreachable, ICMP message 1-14 ILS inspection 3-5, 3-16, 3-105, 3-106 implicit PAT 5-2 inbound ACLs 1-34 inline match commands content type verification for HTTP inspection 3-69 in Layer 7 FTP command inspection policy map 3-37 in Layer 7 HTTP deep packet inspection policy map 3-67 strict HTTP for HTTP inspection 3-69 inspection engines See application protocol inspection Internet Locator Service. See ILS IP ACL 1-7 address pool, for dynamic NAT 5-13, 5-24 for ACL with NAT 1-37 normalization, overview 4-3 options, handling 4-39 IP fragment reassembly parameters configurational example 4-46 configuring 4-41 maximum fragment size setting 4-44 maximum fragments setting 4-43 MTU setting 4-43 quick start 4-41 reassembly timeout setting 4-44 L Layer 3 and 4 application protocol inspection, configuring associating class map with policy map 3-102 class map 3-95 policy actions 3-104 policy map 3-101 LDAP server ACE configuration 2-35 configuration, displaying 2-52 configuration overview 2-19 directory server overview 2-6 parameters, setting 2-36 port, setting 2-37 search filter configuration 2-45 server group, creating 2-39 timeout, setting 2-38 user profile attribute type configuration 2-43 virtualization attributes, defining 2-13, 2-17, 2-20 local database authentication 2-5 login authentication method, defining 2-46 M merged ACLs 1-2 MIME type, supported for HTTP inspection 3-55 MPLS, in ACL 1-17, 1-18 MTU in IP fragment reassembly configuration 4-43 N Nagle's algorithm 4-12 NAT ACL configuration, dynamic 5-12 ACL configuration, static 5-24, 5-35 application protocol inspection support 3-4 as policy map action, dynamic 5-17 as policy map action, static 5-28, 5-37 class map configuration, dynamic 5-15 class map configuration, static 5-29, 5-35 creating over 8 K static configurations 5-40 destination 5-2, 5-7, 5-29, 5-32, 5-39, 5-49 dynamic NAT, overview 5-4 dynamic NAT and PAT, configuring 5-9 dynamic PAT, overview 5-5 global address guidelines 5-8 global IP address pool 5-13, 5-24 idle timeout, configuring 5-9 IPs in ACLs 1-37 maximum number of statements 5-8 overview 5-2 policy map configuration, dynamic 5-16 policy map configuration, static 5-30, 5-36 quick start, dynamic NAT and PAT 5-10 quick start, static NAT 5-20, 5-32 service policy, global dynamic 5-19 service policy, local dynamic 5-18 service policy, static 5-31, 5-39 source 5-2, 5-4, 5-5, 5-9 static NAT, overview 5-7 static NAT and port redirection, configuring 5-32 static port redirection 5-7 network address translation See NAT normalization parameters configuring 4-33 Don't Fragment bit, handling 4-38 ICMP security, disabling 4-34 IP options, handling 4-39 packet TTL setting 4-39 TCP normalization, disabling 4-33 unicast reverse-path forwarding, configuring 4-40 O object groups expanded 1-4 network 1-9 overview 1-20 service 1-14 order of ACL entries 1-3 outbound ACLs 1-34 P packet TTL setting 4-39 parameter map associating with Layer 3 and 4 policy map 3-110, 3-113, 3-117, 3-124 case sensitivity, disabling 3-112 configuring for Layer 3 and 4 HTTP inspection 3-111 maximum content bytes setting 3-113 maximum header bytes setting 3-112 passive FTP with source NAT 5-16 PAT configuring 5-9 implicit 5-2 overview 5-5 policy map actions, defining 3-39, 3-71, 3-104 associating with connection parameter map 4-31 dynamic NAT 5-16 dynamic NAT as policy map action 5-17 Layer 3 and 4, associating with class map 3-102 Layer 3 and 4, associating with parameter map 3-110, 3-113, 3-117, 3-124 Layer 3 and 4, associating with service policy 4-32 Layer 3 and 4, configuring HTTP parameter map 3-111 Layer 3 and 4, creating 3-101, 4-30 Layer 3 and 4, defining 3-101 Layer 3 and 4, description 3-102 Layer 3 and 4 policy map, associating with class map 4-30 Layer 7 FTP command inspection, adding description 3-36 Layer 7 FTP command inspection, associating with class map 3-38 Layer 7 FTP command inspection, creating 3-36 Layer 7 FTP command inspection, defining 3-35 Layer 7 FTP command inspection, inline match commands 3-37 Layer 7 HTTP deep packet inspection, adding description 3-66 Layer 7 HTTP deep packet inspection, associating with class map 3-69 Layer 7 HTTP deep packet inspection, creating 3-66 Layer 7 HTTP deep packet inspection, inline match commands 3-67 overview in application protocol inspection process 3-7 static NAT 5-30, 5-36 static NAT as policy map action 5-28, 5-37 port for LDAP server 2-37 number or range for Layer 3 and 4 application protocol inspection 3-98 port redirection, configuring 5-32 port redirection configuring 5-32 overview 5-7 preshared key RADIUS, setting for 2-28 TACACS+, setting for 2-33 Q quick start AAA configuration 2-8 ACL configuration 1-4 dynamic NAT and PAT configuration 5-10 IP fragment reassembly configuration 4-41 Layer 3 and 4 application protocol inspection 3-30 Layer 7 FTP command inspection 3-23 Layer 7 HTTP deep packet inspection 3-26 static NAT configuration 5-20, 5-32 TCP/IP normalization 4-3 R RADIUS server ACE configuration 2-25 adding 2-24 authentication settings, configuring 2-15 configuration, displaying 2-49 dead-time setting 2-29 global preshared key setting 2-28 NAS-IP-Address attribute setting 2-28 number of retransmissions, setting 2-30 parameters, setting 2-25 server accounting settings, configuring 2-16 server group, creating 2-39 server group dead-time setting 2-42 server overview 2-6 timeout setting 2-31 rate limiting bandwidth 4-8 connection 4-8 remarks in extended ACLs 1-16 reordering ACL entries 1-18 request methods FTP command inspection, defining for 3-34 HTTP inspection, defining for 3-60 resequencing ACL entries 1-18 reserved bits, handling in connection parameter map 4-13 restricted category, defining for HTTP inspection (port misuse) 3-58 reverse-path forwarding, configuring 4-40 RTSP application protocol inspection, configuring 3-107 application protocol support 3-6 inspection overview 3-17 restrictions 3-18 rules, maximum in ACL 1-4 S SCCP inspection 3-6, 3-19, 3-72, 3-99, 3-105, 3-107, 3-114 segment size action for overrun 4-11 for connection parameter map 4-10 server groups configuring 2-38 creating 2-39 LDAP 2-39 RADIUS 2-39 TACACS+ 2-39 service policy applying to VLAN interfaces 3-125 associating with Layer 3 and 4 policy map 4-32 configuration information 3-132 dynamic NAT, global 5-19 dynamic NAT, local 5-18 static NAT, local 5-31, 5-39 Session Initiation Protocol. See SIP SIP inspection 3-6, 3-20, 3-76, 3-99, 3-105, 3-107, 3-118 Skinny Client Control Protocol. See SCCP slow start algorithm, enabling in connection parameter map 4-18 source NAT 5-2, 5-4, 5-5, 5-9 static NAT See NAT statistics AAA 2-49 ACL, clearing 1-44 ACL, displaying 1-42 connection, clearing 4-65 HTTP inspection 3-131 IP, clearing 4-65 IP fragmentation and reassembly, clearing 4-67 IP fragmentation and reassembly, displaying 4-58 IP traffic 4-55 service policy 4-61 TCP, clearing 4-66 TCP, displaying 4-59 TCP/IP and UDP connections 4-52 TCP/IP connections and IP reassembly, clearing 4-65 TCP/IP connections and IP reassembly, displaying 4-48 UDP, clearing 4-66 UDP, displaying 4-60 SYN cookie configurational and operational considerations 4-36 configuring on an interface 4-37 displaying statistics 4-62 overview 4-35 SYN flood attack 4-35 T TACACS+ server accounting settings, configuring 2-12 ACE configuration 2-31 adding 2-24 Cisco Secure Access Control Server (ACS) 2-11, 2-12 configuration, displaying 2-51 dead-time setting 2-34 global preshared key setting 2-33 parameters, setting 2-32 server authentication settings, configuring 2-11 server group, creating 2-39 server group dead-time setting 2-41 server overview 2-5 timeout setting 2-35 TCP connection, receive or transmit buffer size 4-9 normalization, disabling 4-33 normalization, overview 4-2 options, handling in connection parameter map 4-20 port numbers and key words 1-9 sequence numbers, randomizing 4-13 slow start algorithm, enabling in connection parameter map 4-18 SYN retries, limiting in connection parameter map 4-12 SYN segments with data, handling in connection parameter map 4-19 WAN optimization 4-16 TCP/IP and UDP configurations, displaying 4-48 TCP/IP normalization clearing connections 4-64 configuration example 4-46 connection parameter map, configuring 4-6 IP fragment reassembly parameters, configuring 4-41 Layer 3 and 4 policy map, configuring 4-30 Layer 4 class map, configuring 4-25 normalization parameters, configuring 4-33 overview 4-2 quick start 4-3 statistics, clearing 4-65, 4-67 statistics, displaying 4-48 statistics, IP fragmentation and reassembly 4-58 statistics, IP traffic 4-55 statistics, service policy 4-61 statistics, TCP 4-59 statistics, TCP/IP connections 4-52 statistics, UDP 4-60 TCP/IP and UDP configurations, displaying 4-48 traffic policy, configuring 4-25 traffic class See class map traffic policies TCP/IP normalization 4-25 transfer encoding, defining for HTTP inspection 3-61 TTL setting 4-39 type of service, setting in connection parameter map 4-24 U UDP port numbers and key words 1-12 UDP and TCP/IP configurations, displaying 4-48 unicast reverse-path forwarding, configuring 4-40 urgent pointer policy, setting in connection parameter map 4-23 URL defining for HTTP deep packet inspection 3-63 length, defining for HTTP deep packet inspection 3-64 regular expressions 3-63 URL request logging 3-106 W WAN optimization 4-16
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks