Index
A
AAA
accounting configuration, displaying 2-50
accounting log information, displaying 2-50
accounting method, defining default 2-45
authentication configuration, displaying 2-53
groups, displaying 2-47
LDAP server, configuring for 2-33
LDAP server configuration, displaying 2-49
local and remote support 2-4
login authentication method, defining 2-43
overview 2-2
quick start 2-8
RADIUS server, configuring for 2-23
RADIUS server configuration, displaying 2-47
server, adding 2-22
server groups, configuring 2-36
status and statistics 2-46
TACACS+ server, configuring for 2-29
TACACS+ server configuration, displaying 2-48
user accounts, creating 2-21
accounting
configuration, displaying 2-50
default method, defining 2-45
log information, displaying 2-50
RADIUS server accounting settings, configuring 2-15
TACACS+ server accounting settings, configuring 2-11
ACLs
alternate address, ICMP message 1-17
BPDU 1-20
clearing statistics 1-50
comments in extended ACLs 1-19
configuration information, displaying 1-48
dynamic NAT 5-12
EtherType, configuring 1-20
EtherType examples 1-47
expanded 1-4
extended, configuring 1-7
extended examples 1-38
guidelines 1-3
ICMP 1-8, 1-9
implicit deny 1-4
inbound 1-40
IP extended ACL 1-7, 1-8
IPs with NAT 1-43
maximum entries 1-4
merged 1-2
object groups 1-22 to 1-35
order of entries 1-4
outbound 1-40
overview 1-2
quick start 1-5
resequencing entries 1-22
static NAT 5-32, 5-46
statistics, displaying 1-48
types 1-3
application protocol inspection
class map overview 3-6
configuration examples 3-128, 3-129, 3-131
DNS 3-9, 3-104
FTP 3-10, 3-104
HTTP 3-12, 3-105
ICMP 3-15, 3-105
ILS 3-5, 3-16, 3-103, 3-105
Layer 3 and 4 HTTP parameter map 3-110
Layer 3 and 4 quick start 3-29
Layer 3 and 4 traffic policy configuration 3-91
Layer 7 FTP command inspection class map 3-32
Layer 7 FTP command inspection configuration 3-31
Layer 7 FTP command inspection quick start 3-22
Layer 7 HTTP deep packet inspection class map 3-40
Layer 7 HTTP deep packet inspection configuration 3-39
Layer 7 HTTP deep packet inspection policy map 3-64
Layer 7 HTTP deep packet inspection quick start 3-25
limitations 3-4
NAT and PAT support 3-4
overview 3-2
policy map overview 3-6
process flow diagram 3-8
protocol inspection overview 3-2
RTSP 3-17, 3-105
SCCP 3-6, 3-19, 3-71, 3-98, 3-104, 3-106, 3-113
service policy, defining 3-126
service policy, displaying 3-132
SIP 3-6, 3-19, 3-75, 3-98, 3-103, 3-106, 3-118
standards 3-4
statistics 3-132
supported protocols 3-4
authentication
configuration, displaying 2-53
local and remote support 2-4
local database 2-5
login method, defining 2-43
overview 2-7
RADIUS server authentication settings, configuring 2-14
TACACS+ server authentication settings, configuring 2-10
B
bandwidth rate limiting 4-9
BPDU, in ACL 1-20
buffer size
for connection parameter map 4-10
receive or transmit data for each TCP connection 4-10
C
class map
associating with Layer 7 policy map 3-37
associating with policy map 3-68, 3-101
description, entering 3-108, 3-115, 3-119, 4-9
dynamic NAT 5-18
Layer 3 and 4 access list match criteria 3-96
Layer 3 and 4 class map, associating with policy map 4-33
Layer 3 and 4 class map, creating 3-94
Layer 3 and 4 description 3-96
Layer 3 and 4 port range criteria 3-97
Layer 4, creating 4-27
Layer 4 description 4-28
Layer 4 IP address criteria 4-29
Layer 4 port number criteria 4-30
Layer 7 FTP command inspection, configuring 3-32
Layer 7 FTP command inspection description 3-33
Layer 7 FTP request methods 3-34
Layer 7 HTTP deep packet inspection, configuring 3-40
Layer 7 HTTP deep packet inspection description 3-42
overview in application protocol inspection process 3-6
static NAT 5-38, 5-47
configuration examples
application protocol inspection 3-131
FTP 3-129
HTTP 3-128
TCP/IP normalization 4-55
connection parameter map
action for segment overrun 4-13
associating with policy map 4-34
buffer size setting 4-10
configuring for TCP/IP normalization 4-7
creating for TCP/IP, UDP, and ICMP 4-8
embryonic connection timeout 4-16
half-closed connection timeout 4-16
inactive connection timeout 4-17
Nagle's algorithm 4-14
random TCP sequence numbers 4-14
reserved bit handling 4-15
segment size setting 4-11
slow start algorithm 4-20
TCP options, handling 4-22
TCP SYN retries, limiting 4-13
TCP SYN segments with data, handling 4-21
type of service 4-26
urgent pointer policy 4-25
connections
clearing 4-78
embryonic, handling timeout of 4-16
half-closed, handling timeout of 4-16
inactive, handling timeout of 4-17
rate limiting 4-9
statistics, clearing 4-78
content type verification
HTTP message 3-68
D
DDoS 4-40
dead-time
RADIUS server group setting 2-39
RADIUS server setting 2-27
TACACS+ server group setting 2-39
TACACS+ server setting 2-32
denial of service. See DoS
destination NAT 5-2, 5-7, 5-38, 5-43, 5-50, 5-61
distributed denial of service. See DDoS
DNS 3-104
application protocol inspection, configuring 3-104
application protocol support 3-4
configuration example 3-131
inspection overview 3-9
Don't Fragment bit, handling 4-44
DoS protection, SYN cookie 4-40
dynamic NAT
See NAT
E
embryonic connection, handling timeout of 4-16
EtherType ACL
configuring 1-20
examples 1-47
extended ACL
comments in 1-19
configuring 1-7
examples 1-38
F
fixups
See application protocol inspection
fragment reassembly parameters
See IP fragment reassembly parameters
FTP
application protocol support 3-4
associating class map with policy map 3-37
class map 3-32
configuration examples 3-129
inline match commands in policy map 3-36
inspection overview 3-10
Layer 3 and 4 FTP application protocol inspection, configuring 3-104
Layer 7 FTP command inspection, configuring 3-31
passive with source NAT 5-19
policy actions 3-38
policy map 3-34, 3-35
request methods, defining for command inspection 3-34
strict 3-11, 3-104
G
global addresses, guidelines for NAT 5-8
H
header value string expressions 3-52
HTTP
application protocol support 3-4
associating class map with policy map 3-68
class map 3-40
configuration examples 3-128
content length, defining 3-44
content match criteria, defining 3-43
content type verification match criteria, defining 3-68
header for inspection 3-48
header value string expressions 3-52
HTTP/1.1 header fields, supported 3-49
inline match commands in policy map 3-66
inspection overview 3-12
internal compliance checks 3-68
Layer 3 and 4 HTTP application protocol inspection, configuring 3-105
Layer 7 HTTP deep packet inspection, configuring 3-39
Layer 7 HTTP deep packet inspection policy map 3-64
maximum header length for inspection 3-53
MIME type for inspection 3-54
parameter map 3-110
policy actions 3-70
policy map 3-65
request method for inspection 3-59
restricted category, defining (port misuse) 3-57
statistics from inspection 3-132
strict HTTP match criteria, defining 3-68
transfer encoding type for inspection 3-60
URL for inspection 3-62
URL length for inspection 3-63
HTTP/1.1 header fields, supported 3-49
I
ICMP
ACL 1-8, 1-9
application protocol inspection, configuring 3-105
application protocol support 3-5
conversion-error, ICMP message 1-17
echo, ICMP message 1-17
echo reply, ICMP message 1-17
information reply, ICMP message 1-17
information request, ICMP message 1-17
inspection overview 3-15
mask reply, ICMP message 1-17
mask request, ICMP message 1-17
mobile redirect, ICMP message 1-17
NAT of ICMP error messages 3-105
parameter-problem, ICMP message 1-17
redirect, ICMP message 1-17
router-advertisement, ICMP message 1-17
router-solicitation, ICMP message 1-17
security, disabling 4-38
source quench, ICMP message 1-17
time-exceeded, ICMP message 1-17
timestamp-reply, ICMP message 1-17
timestamp-request, ICMP message 1-17
traceroute, ICMP message 1-17
types 1-16, 1-17
unreachable, ICMP message 1-17
ILS inspection 3-5, 3-16, 3-103, 3-105
inbound ACLs 1-40
inline match commands
content type verification for HTTP inspection 3-68
in Layer 7 FTP command inspection policy map 3-36
in Layer 7 HTTP deep packet inspection policy map 3-66
strict HTTP for HTTP inspection 3-68
inspection engines
See application protocol inspection
Internet Locator Service. See ILS
IP
ACL 1-7, 1-8
address pool, for dynamic NAT 5-13, 5-32
for ACL with NAT 1-43
normalization, overview 4-3
options, handling 4-45
IP fragment reassembly parameters
configuration example 4-55
configuring 4-47
maximum fragment size setting 4-51
maximum fragments setting 4-50
MTU setting 4-49
quick start 4-48
reassembly timeout setting 4-52
L
Layer 3 and 4 application protocol inspection, configuring
associating class map with policy map 3-101
class map 3-94
policy actions 3-102
policy map 3-100
LDAP server
ACE configuration 2-33
configuration, displaying 2-49
configuration overview 2-18
directory server overview 2-6
parameters, setting 2-34
port, setting 2-35
search filter configuration 2-42
server group, creating 2-37
timeout, setting 2-36
user profile attribute type configuration 2-40
virtualization attributes, defining 2-12, 2-16, 2-19
local database authentication 2-5
login authentication method, defining 2-43
M
merged ACLs 1-2
MIME type, supported for HTTP inspection 3-54
MPLS, in ACL 1-20, 1-21
MTU
in IP fragment reassembly configuration 4-49
N
Nagle's algorithm 4-14
NAT
ACL configuration, dynamic 5-12
ACL configuration, static 5-32, 5-46
application protocol inspection support 3-4
as policy map action, dynamic 5-21
as policy map action, static 5-37, 5-48
class map configuration, dynamic 5-18
class map configuration, static 5-38, 5-47
destination 5-2, 5-7, 5-38, 5-43, 5-50, 5-61
dynamic NAT, overview 5-4
dynamic NAT and PAT, configuring 5-9
dynamic PAT, overview 5-5
global address guidelines 5-8
global IP address pool 5-13, 5-32
idle timeout, configuring 5-9
IPs in ACLs 1-43
maximum number of statements 5-8
overview 5-2
policy map configuration, dynamic 5-19
policy map configuration, static 5-39, 5-47
quick start, dynamic NAT and PAT 5-10
quick start, static NAT 5-27, 5-44
service policy, global dynamic 5-22, 5-23
service policy, local dynamic 5-22
service policy, static 5-40, 5-51
source 5-2, 5-4, 5-5, 5-9
static NAT, overview 5-7
static NAT and port redirection, configuring 5-43
static port redirection 5-7
network address translation
See NAT
normalization parameters
configuring 4-35
Don't Fragment bit, handling 4-44
ICMP security, disabling 4-38
IP options, handling 4-45
normalization send-reset, enabling 4-37
packet TTL setting 4-45
TCP normalization, disabling 4-36
unicast reverse-path forwarding, configuring 4-46
O
object groups
expanded 1-4
network 1-11
overview 1-23
service 1-16
order of ACL entries 1-4
outbound ACLs 1-40
P
packet TTL setting 4-45
parameter map
associating with Layer 3 and 4 policy map 3-110, 3-113, 3-117, 3-125
case sensitivity, disabling 3-111
configuring for Layer 3 and 4 HTTP inspection 3-110
maximum content bytes setting 3-112
maximum header bytes setting 3-112
passive FTP with source NAT 5-19
PAT
configuring 5-9
overview 5-5
policy map
actions, defining 3-38, 3-70, 3-102
associating with connection parameter map 4-34
dynamic NAT 5-19
dynamic NAT as policy map action 5-21
Layer 3 and 4, associating with class map 3-101
Layer 3 and 4, associating with parameter map 3-110, 3-113, 3-117, 3-125
Layer 3 and 4, associating with service policy 4-35
Layer 3 and 4, configuring HTTP parameter map 3-110
Layer 3 and 4, creating 3-100, 4-33
Layer 3 and 4, defining 3-100
Layer 3 and 4, description 3-101
Layer 3 and 4 policy map, associating with class map 4-33
Layer 7 FTP command inspection, adding description 3-36
Layer 7 FTP command inspection, associating with class map 3-37
Layer 7 FTP command inspection, creating 3-35
Layer 7 FTP command inspection, defining 3-34
Layer 7 FTP command inspection, inline match commands 3-36
Layer 7 HTTP deep packet inspection, adding description 3-66
Layer 7 HTTP deep packet inspection, associating with class map 3-68
Layer 7 HTTP deep packet inspection, creating 3-65
Layer 7 HTTP deep packet inspection, inline match commands 3-66
overview in application protocol inspection process 3-6
static NAT 5-39, 5-47
static NAT as policy map action 5-37, 5-48
port
for LDAP server 2-35
number or range for Layer 3 and 4 application protocol inspection 3-97
port redirection, configuring 5-43
port redirection
configuring 5-43
overview 5-7
preshared key
RADIUS, setting for 2-26
TACACS+, setting for 2-31
Q
quick start
AAA configuration 2-8
ACL configuration 1-5
dynamic NAT and PAT configuration 5-10
IP fragment reassembly configuration 4-48
Layer 3 and 4 application protocol inspection 3-29
Layer 7 FTP command inspection 3-22
Layer 7 HTTP deep packet inspection 3-25
static NAT configuration 5-27, 5-44
TCP/IP normalization 4-4
R
RADIUS server
ACE configuration 2-23
adding 2-22
authentication settings, configuring 2-14
configuration, displaying 2-47
dead-time setting 2-27
global preshared key setting 2-26
NAS-IP-Address attribute setting 2-25
number of retransmissions, setting 2-28
parameters, setting 2-23
server accounting settings, configuring 2-15
server group, creating 2-37
server group dead-time setting 2-39
server overview 2-6
timeout setting 2-29
rate limiting
bandwidth 4-9
connection 4-9
remarks in extended ACLs 1-19
reordering ACL entries 1-22
request methods
FTP command inspection, defining for 3-34
HTTP inspection, defining for 3-59
resequencing ACL entries 1-22
reserved bits, handling in connection parameter map 4-15
restricted category, defining for HTTP inspection (port misuse) 3-57
reverse-path forwarding, configuring 4-46
RTSP
application protocol inspection, configuring 3-105
application protocol support 3-6
inspection overview 3-17
restrictions 3-18
rules, maximum in ACL 1-4
S
SCCP
inspection 3-6, 3-19, 3-71, 3-98, 3-104, 3-106, 3-113
segment size
action for overrun 4-13
for connection parameter map 4-11
server groups
configuring 2-36
creating 2-37
LDAP 2-37
RADIUS 2-37
TACACS+ 2-37
service policy
applying to VLAN interfaces 3-126
associating with Layer 3 and 4 policy map 4-35
configuration information 3-133
dynamic NAT, global 5-22, 5-23
dynamic NAT, local 5-22
static NAT, local 5-40, 5-51
Session Initiation Protocol. See SIP
SIP
inspection 3-6, 3-19, 3-75, 3-98, 3-103, 3-106, 3-118
inspection, enabling logging of packets 3-124
Skinny Client Control Protocol. See SCCP
slow start algorithm, enabling in connection parameter map 4-20
source NAT 5-2, 5-4, 5-5, 5-9
static NAT
See NAT
statistics
AAA 2-46
ACL, clearing 1-50
ACL, displaying 1-48
connection, clearing 4-78
HTTP inspection 3-132
IP, clearing 4-79
IP fragmentation and reassembly, clearing 4-80
IP fragmentation and reassembly, displaying 4-68
IP traffic 4-63
service policy 4-72
TCP, clearing 4-79
TCP, displaying 4-70
TCP/IP and UDP connections 4-60
TCP/IP connections and IP reassembly, clearing 4-79
TCP/IP connections and IP reassembly, displaying 4-56
UDP, clearing 4-80
UDP, displaying 4-71
switch mode, configuring 4-53
SYN cookie
configuration and operational considerations 4-41
configuring on an interface 4-43
displaying statistics 4-76
overview 4-40
SYN flood attack 4-40
T
TACACS+ server
accounting settings, configuring 2-11
ACE configuration 2-29
adding 2-22
Cisco Secure Access Control Server (ACS) 2-10, 2-11
configuration, displaying 2-48
dead-time setting 2-32
global preshared key setting 2-31
parameters, setting 2-30
server authentication settings, configuring 2-10
server group, creating 2-37
server group dead-time setting 2-39
server overview 2-5
timeout setting 2-33
TCP
connection, receive or transmit buffer size 4-10
normalization, disabling 4-36
normalization, overview 4-2
normalization send-reset, enabling 4-37
options, handling in connection parameter map 4-22
port numbers and keywords 1-11
sequence numbers, randomizing 4-14
slow start algorithm, enabling in connection parameter map 4-20
SYN retries, limiting in connection parameter map 4-13
SYN segments with data, handling in connection parameter map 4-21
WAN optimization 4-18
TCP/IP and UDP configurations, displaying 4-57
TCP/IP normalization
clearing connections 4-78
configuration example 4-55
connection parameter map, configuring 4-7
IP fragment reassembly parameters, configuring 4-47
Layer 3 and 4 policy map, configuring 4-33
Layer 4 class map, configuring 4-27
normalization parameters, configuring 4-35
overview 4-2
quick start 4-4
statistics, clearing 4-79, 4-80
statistics, displaying 4-56
statistics, IP fragmentation and reassembly 4-68
statistics, IP traffic 4-63
statistics, service policy 4-72
statistics, TCP 4-70
statistics, TCP/IP connections 4-60
statistics, UDP 4-71
TCP/IP and UDP configurations, displaying 4-57
traffic policy, configuring 4-27
traffic class
See class map
traffic policies
TCP/IP normalization 4-27
transfer encoding, defining for HTTP inspection 3-60
TTL setting 4-45
type of service, setting in connection parameter map 4-26
U
UDP
port numbers and keywords 1-14
UDP and TCP/IP configurations, displaying 4-57
unicast reverse-path forwarding, configuring 4-46
urgent pointer policy, setting in connection parameter map 4-25
URL
defining for HTTP deep packet inspection 3-62
length, defining for HTTP deep packet inspection 3-63
regular expressions 3-62
URL request logging 3-105
W
WAN optimization 4-18