Index: Cisco IOS Security Command Reference, Release 12.1
Symbols
? command ix, xv
A
AAA
server groups SR-92, SR-117
aaa accounting command SR-70
aaa accounting connection h323 command SR-73
aaa accounting nested command SR-74
aaa accounting send stop-record authentication failure command SR-75
aaa accounting suppress null-username command SR-76
aaa accounting update command SR-77
aaa authentication arap command SR-4
aaa authentication banner command SR-6
aaa authentication enable default command SR-8
aaa authentication fail-message command SR-10
aaa authentication login command SR-12
aaa authentication nasi command SR-14
aaa authentication password-prompt command SR-16
aaa authentication ppp command SR-17
aaa authentication username-prompt command SR-19
aaa authorization command SR-56
aaa authorization config-commands command SR-60
aaa authorization reverse-access command SR-61
aaa dnis map accounting network group command SR-79
aaa dnis map authentication ppp group command SR-21
aaa group server command SR-117
aaa group server radius command SR-92
aaa nas-port extended command SR-93
aaa new-model command SR-23
aaa processes command SR-24
abbreviating commands
context-sensitive help viii, ix, xv
access-enable command SR-142
access-list (encryption) command SR-250
access lists
dynamic
temporary entries, clearing manually SR-142
See also IPSec
access-profile command SR-26
replace command form (caution) SR-27
using per-user configuration (caution) SR-27
access-template command SR-143
accounting (gatekeeper) command SR-83
accounting command SR-81
address command SR-432
addressed-key command SR-434
AESOs
attaching to interfaces SR-500
algorithms
encryption
See IKE, algorithms
hash
See IKE, algorithms
arap authentication command SR-29
using list-names (caution) SR-29
authentication
CAs SR-406
See also IKE, authentication
authentication (IKE policy) command SR-436
authentication proxy
commands SR-229
authorization command SR-65
Auxiliary Extended Security Options
See AESOs
C
ca-identity mode
enabling SR-415
CAs
authenticating SR-406
CEP
support SR-428
declaring SR-415, SR-427
enrolling SR-412
identity
deleting SR-415
LDAP
support SR-428
locations
specifying SR-427
public keys SR-406
URLs
specifying SR-427
See also Certification Authority Interoperability
cautions
access lists SR-254, SR-306, SR-315
access-profile command
replace command form (caution) SR-27
using per-user configuration (caution) SR-27
arap authentication command
using list-names (caution) SR-29
Cisco 7200 series router SR-293
crypto key zeroize dss command SR-293
DSS keys SR-292
enable password command
using encryption-type (caution) SR-472
enable secret command
using encryption-type (caution) SR-474
Java blocking SR-189
key config-key command
unrecoverable DES key (caution) SR-137
login authentication command
using list-names (caution) SR-35
nasi authentication command
using list-names (caution) SR-37
ppp authentication command
using list-names (caution) SR-40
service password-encryption command
security level (caution) SR-482
usage in text ix
CBAC
alert messages
enabling SR-178
application-layer protocols
configuring SR-189
audit trail messages
enabling SR-179
(example) SR-178
configurations
viewing SR-205
denial-of-service attacks
detection SR-199
disabling SR-204
fragment
inspection, configuring SR-191
H.323 inspection
configuring SR-189
half-open sessions
deleting, high threshold SR-182, SR-193
deleting, low threshold SR-184, SR-195
description SR-182
TCP threshold SR-199
inspection rules
applying SR-181
applying (example) SR-181
defining SR-186
removing SR-181
viewing SR-205
Java
blocking SR-187
blocking (caution) SR-189
inspection, configuring SR-189
RPC inspection
configuring SR-190
session information
viewing SR-205
(example) SR-205
SMTP inspection
configuring SR-190
TCP inspection
configuring SR-189
timeouts
DNS idle, specifying SR-180
FIN-exchange, specifying SR-197
overriding SR-190
synwait, specifying SR-201
TCP idle, specifying SR-198
UDP idle, specifying SR-202
UDP inspection
configuring SR-189
CCO
accessing x
definition x
CEP
specifying SR-428
certificate chain configuration mode
enabling SR-408
certificate command SR-402
certificate enrollment protocol
See CEP
certificates
accepting SR-404
adding SR-402
deleting SR-402, SR-408
requesting SR-412
requests
resending, number of times SR-423
resending, wait period SR-425
retrieving SR-410
revoking SR-412
storing SR-410
viewing SR-429
Certification Authority Interoperability
CA authentication SR-406
CEP
specifying SR-428
challenge password SR-412
commands SR-401
LDAP support
specifying SR-428
NVRAM memory usage SR-410
See also CAs
See also certificates
See also CRLs
See also RSA keys
Cisco Connection Online
See CCO
Cisco IOS
saving configuration changes xviii
clear access-template command SR-145
clear crypto connection command SR-258
clear crypto isakmp command SR-438
clear crypto sa command SR-354
clear ip audit configuration command SR-210
clear ip audit statistics command SR-211
clear ip auth-proxy cache command SR-230
clear ip trigger-authentication command SR-31
clear kerberos creds command SR-126
command modes
summary (table) xiv
config-isakmp command mode
enabling SR-445
configuration, saving xviii
crl optional command SR-404
CRLs
certificates
accepting SR-404
revoking SR-411
checking SR-404
downloading SR-411
requesting SR-411
retrieving SR-410
storing SR-410
See also CAs
See also certificates
crypto algorithm 40-bit-des command
See crypto cisco algorithm 40-bit-des command
crypto algorithm des command
See crypto cisco algorithm des command
crypto ca authenticate command SR-406
crypto ca certificate chain command SR-408
crypto ca certificate query command SR-410
crypto ca crl request command SR-411
crypto ca enroll command SR-412
crypto ca identity command SR-415
crypto card clear-latch command SR-264
crypto card command SR-262
crypto cisco algorithm 40-bit-des command SR-266
crypto cisco algorithm des command SR-268
crypto cisco connections command
crypto cisco entities command SR-272
crypto cisco key-timeout command SR-274
crypto cisco pregen-dh-pairs command SR-275
crypto clear-latch command
See crypto card clear-latch command
crypto dynamic-map command SR-356
crypto esa command
See crypto card command
crypto gen-signature-keys command
See crypto key generate dss command
crypto ipsec security-association lifetime command SR-359
crypto ipsec transform-set command SR-361
crypto isakmp enable command SR-440
crypto isakmp identity command SR-441
crypto isakmp key command SR-443
crypto isakmp policy command SR-445
crypto key-exchange command
See crypto key exchange dss command
crypto key exchange dss command SR-281
crypto key exchange dss passive command SR-283
crypto key-exchange passive command
See crypto key exchange dss passive command
crypto key generate dss command SR-286
crypto key generate rsa (CA) command SR-417
crypto key generate rsa (IKE) command SR-447
crypto key pubkey-chain dss command SR-289
crypto key pubkey-chain rsa command SR-450
crypto key-timeout command
See crypto cisco key-timeout command
crypto key zeroize dss command SR-292
crypto key zeroize rsa command SR-420
crypto map (CET global) command SR-294
crypto map (CET interface) command SR-297
crypto map (IPSec global) command SR-365
crypto map (IPSec interface) command SR-370
crypto map local-address command SR-372
crypto pregen-dh-pairs command
See crypto cisco pregen-dh-pairs command
crypto public-key command
See crypto key pubkey-chain dss command
crypto sdu connections command
See crypto cisco connections command
crypto sdu entities command
See crypto cisco entities command
crypto transform configuration mode
enabling SR-363
crypto zeroize command
See crypto key zeroize dss command
D
default form of a command
using xvii
deny (CET) command SR-303
Diffie-Hellman
See IKE, DH
DNS idle timeout
specifying SR-180
DNSIX
collection center, specifying SR-493
enabling SR-496
hosts that receive messages
alternate SR-495
primary SR-494
number of records in a packet, specifying SR-497
retransmit count SR-492
dnsix-dmdp retries command SR-492
dnsix-nat authorized-redirection command SR-493
dnsix-nat primary command SR-494
dnsix-nat secondary command SR-495
dnsix-nat source command SR-496
dnsix-nat transmit-count command SR-497
E
enable password command SR-472
using encryption-type (caution) SR-472
enable secret command SR-474
using encryption-type (caution) SR-474
encryption algorithm
See IKE, algorithms
encryption (IKE policy) command SR-453
enrollment mode ra command SR-422
enrollment retry-count command SR-423
enrollment retry-period command SR-425
enrollment url command SR-427
evaluate command SR-148
examples
CBAC
audit trail messages SR-178
half-open sessions, high threshold SR-182, SR-193
half-open sessions, low threshold SR-184, SR-195
half-open sessions, TCP threshold SR-200
session information, viewing SR-205
timeouts, synwait SR-201
timeouts, UDP idle SR-203
pre-shared keys
specifying SR-444
F
FIN-exchange timeout
specifying SR-197
G
gatekeeper
security, enabling SR-83
global configuration commands
aaa accounting SR-70
aaa accounting connection h323 command SR-73
aaa accounting nested SR-74
aaa accounting send stop-record authentication failure command SR-75
aaa accounting suppress null-username SR-76
aaa accounting update SR-77
aaa authentication arap SR-4
aaa authentication banner SR-6
aaa authentication enable default SR-8
aaa authentication fail-message SR-10
aaa authentication login SR-12
aaa authentication nasi SR-14
aaa authentication password-prompt SR-16
aaa authentication ppp SR-17
aaa authentication username-prompt SR-19
aaa authorization SR-56
aaa authorization config-commands SR-60
aaa authorization reverse-access SR-61
aaa dnis map accounting network group SR-79
aaa dnis map authentication ppp group SR-21
aaa group server SR-117
aaa group server radius command SR-92
aaa nas-port extended SR-93
aaa new-model SR-23
aaa processes SR-24
ip radius source-interface SR-95
ip tacacs source-interface SR-118
ip trigger-authentication (global) SR-32
kerberos clients mandatory SR-127
kerberos credentials forward SR-128
kerberos instance map SR-129
kerberos local-realm SR-130
kerberos preauth SR-131
kerberos realm SR-132
kerberos server SR-133
kerberos srvtab entry SR-134
kerberos srvtab remote SR-136
key config-key SR-137
radius-server attribute nas-port extended SR-97
radius-server configure-nas SR-98
radius-server deadtime SR-99
radius-server host SR-101
radius-server host non-standard SR-104
radius-server key SR-105
radius-server optional passwords SR-107
radius-server retransmit SR-108
radius-server timeout SR-109
radius-server vsa SR-110
tacacs-server directed-request SR-121
tacacs-server host SR-122
tacacs-server key SR-124
global configuration mode
summary xiv
group (IKE policy) command SR-454
H
hash (IKE policy) command SR-455
hash algorithm
See IKE, algorithms
help command viii, ix, xv
I
IKE
algorithms
encryption, specifying SR-453
hash, specifying SR-455
authentication
methods, specifying SR-436
commands SR-431
connections
clearing SR-438
DH
group identifier, specifying SR-454
disabling SR-440
enabling SR-440
group identifier
specifying SR-454
keys
See keys, pre-shared
negotiations
states SR-464
policies
multiple SR-445
parameters, specifying SR-445
parameters, viewing SR-462
viewing SR-462
requirements
IPSec peers SR-440
See also IPSec
See also SAs
interface configuration commands
ip trigger-authentication (interface) SR-34
ppp accounting SR-84
ppp authentication SR-39
ppp chap hostname SR-41
ppp chap password SR-43
ppp chap refuse SR-45
ppp chap wait SR-47
ppp pap sent-username SR-49
interface configuration mode
summary xiv
Internet Key Exchange Security Protocol
See IKE
IP
See also IPSO
ip access-list extended (encryption) command SR-308
ip audit attack command SR-213
ip audit command SR-212
ip audit info command SR-214
ip audit name command SR-215
ip audit notify command SR-217
ip audit po local command SR-218
ip audit po max-events command SR-219
ip audit po protected command SR-220
ip audit po remote command SR-221
ip audit signature command SR-223
ip audit smtp command SR-224
ip auth-proxy auth-cache-time command SR-232
ip auth-proxy auth-proxy-banner command SR-233
ip auth-proxy command SR-231
ip auth-proxy name command SR-234
ip inspect (interface configuration) command SR-181
ip inspect alert-off command SR-178
ip inspect audit trail command SR-179
ip inspect dns-timeout command SR-180
ip inspect max-incomplete high command SR-182
ip inspect max-incomplete low command SR-184
ip inspect name command SR-186
ip inspect one-minute high command SR-193
ip inspect one-minute low command SR-195
ip inspect tcp finwait-time command SR-197
ip inspect tcp idle-time command SR-198
ip inspect tcp max-incomplete host command SR-199
ip inspect tcp synwait-time command SR-201
ip inspect udp idle-time command SR-202
ip port-map command SR-240
ip radius source-interface command SR-95
ip reflexive-list timeout command SR-150
IPSec
commands SR-353
crypto access lists
specifying SR-310, SR-374
crypto map entries
creating SR-294, SR-365
lifetime values, overriding SR-384
specifying a peer SR-378
crypto maps
applying SR-370
dynamic, creating SR-356
dynamic, priorities SR-367
dynamic, viewing SR-392
interfaces, identifying SR-372
purpose SR-366
viewing SR-398
lifetimes
viewing SR-396
requirements
IKE SR-440
SAs
clearing SR-354
lifetimes, changing SR-359
requesting SR-382
viewing SR-393
session keys
manually specifying SR-387
transforms
allowed combinations SR-362
changing SR-363
selecting SR-363
transform sets
defining SR-361
mode, changing SR-376
specifying SR-390
viewing SR-397
ip security add command SR-498
ip security aeso command SR-500
ip security allow-reserved command SR-515
ip security dedicated command SR-501
ip security eso-info command SR-503
ip security eso-max command SR-504
ip security eso-min command SR-506
ip security extended-allowed command SR-508
ip security first command SR-509
ip security ignore-authorities command SR-510
ip security implicit-labelling command SR-511
ip security multilevel command SR-513
IP security option
See IPSO
ip security strip command SR-517
IPSO
authorities and bit patterns
definition SR-502
(table) SR-502
basic
configuring SR-498
extended
configuring SR-500
defaults SR-503
maximum sensitivity levels SR-504
minimum sensitivity levels SR-506
labels
definition SR-502
levels and bit patterns
definition SR-501
(table) SR-501
ip tacacs source-interface command SR-118
ip tcp intercept connection-timeout command SR-158
ip tcp intercept drop-mode command SR-159
ip tcp intercept finrst-timeout command SR-161
ip tcp intercept list command SR-162
ip tcp intercept max-incomplete high command SR-163
ip tcp intercept max-incomplete low command SR-165
ip tcp intercept mode command SR-167
ip tcp intercept one-minute high command SR-168
ip tcp intercept one-minute low command SR-170
ip tcp intercept watch-timeout command SR-172
ip trigger-authentication (global) command SR-32
ip trigger-authentication (interface) command SR-34
ip verify unicast reverse-path command SR-520
ISAKMP
See also IKE
K
kerberos clients mandatory command SR-127
kerberos credentials forward command SR-128
kerberos instance map command SR-129
kerberos local-realm command SR-130
kerberos preauth command SR-131
kerberos realm command SR-132
kerberos server command SR-133
kerberos srvtab entry command SR-134
kerberos srvtab remote command SR-136
key config-key command SR-137
unrecoverable DES key (caution) SR-137
keys
pre-shared
deleting SR-443
specifying SR-443
specifying (example) SR-444
key-string (IKE) command SR-456
L
LDAP protocol support
specifying SR-428
lifetime (IKE policy) command SR-458
line configuration commands
accounting SR-81
arap authentication SR-29
authorization SR-65
login authentication SR-35
nasi authentication SR-37
timeout login response SR-54
lock-and-key
idle timeouts SR-142
temporary entries
clearing manually SR-142, SR-145
creating manually SR-143
enabling SR-142
login authentication command SR-35
using list-names (caution) SR-35
M
match address (CET) command SR-310
match address (IPSec) command SR-374
memory usage
Certification Authority Interoperability SR-410
mode (IPSec) command SR-376
modes
ca-identity
enabling SR-415
certificate chain configuration
enabling SR-408
query
enabling SR-410
RA
enabling SR-422
See command modes
N
named-key command SR-460
nasi authentication command SR-37
using list-names (caution) SR-37
no form of a command
using xvii
no ip inspect command SR-204
notes
usage in text ix
O
Oakley key exchange protocol
See also IKE
online documentation
See CCO
P
PAM
commands SR-239
password command SR-476
perfect forward secrecy
See PFS
permit (reflexive) command SR-152
permit command SR-312
PFS
specifying SR-380
PKI protocol
See CEP
ppp accounting command SR-84
ppp authentication command
using list-names (caution) SR-40
ppp chap hostname command SR-41
ppp chap password command SR-43
ppp chap refuse command SR-45
ppp chap wait command SR-47
ppp pap sent-username command SR-49
privileged EXEC commands
access-enable command SR-142
clear ip trigger-authentication SR-31
clear kerberos creds SR-126
show accounting SR-85
show ip trigger-authentication SR-51
show kerberos creds SR-138
show ppp queues SR-52
privileged EXEC mode
summary xiv
privilege level (global) command SR-477
privilege level (line) command SR-480
prompts
system xiv
public key configuration mode
enabling SR-450, SR-460
Q
query mode
enabling SR-410
query url command SR-428
question command xv
R
radius-server attribute nas-port extended command SR-97
radius-server configure-nas command SR-98
radius-server deadtime command SR-99
radius-server host command SR-101
radius-server host non-standard command SR-104
radius-server key command SR-105
radius-server optional passwords command SR-107
radius-server retransmit command SR-108
radius-server timeout command SR-109
radius-server vsa send command SR-110
RA mode
enabling SR-422
RAs
enabling SR-422
Reflexive Access Lists
configuring (examples) SR-149, SR-154
temporary entries
characteristics SR-154
timeouts, global (examples) SR-150
ROM monitor mode
summary xiv
RPC inspection
See CBAC, RPC inspection
RSA encrypted nonces
requirements SR-436
RSA keys
deleting SR-420
general purpose keys SR-418, SR-448
generating SR-417, SR-447
sample times required SR-418, SR-448
IP address
specifying SR-432
manually specifying SR-450
modulus length SR-418, SR-448
pairs SR-417, SR-447
public key record SR-406
remote peer
specifying SR-456
special usage keys SR-417, SR-447
generating SR-447
specifying SR-434
specifying SR-434, SR-460
viewing SR-466, SR-467
RSA signatures
requirements SR-436
S
SAs
lifetimes
configuring SR-458
parameters SR-445
viewing SR-464
saving configuration changes xviii
security
H.323 gatekeeper, enabling SR-83
See also IPSO
See also lock-and-key
security associations
See SAs
server (RADIUS) command SR-112
server (TACACS+) command SR-120
server groups SR-92, SR-117
server hosts
RADIUS SR-92
TACACS+ SR-117
service password-encryption command SR-482
security level (caution) SR-482
set algorithm 40-bit-des command SR-317
set algorithm des command SR-319
set peer (CET) command SR-321
set peer (IPSec) command SR-378
set peer command SR-378
set pfs command SR-380
set security-association level per-host command SR-382
set security-association lifetime command SR-384
set session-key command SR-387
set transform-set command SR-390
show accounting command SR-85
show crypto algorithms command
See show crypto cisco algorithms command
show crypto ca certificates command SR-429
show crypto card command SR-323
show crypto cisco algorithms command SR-325
show crypto cisco connections command SR-326
show crypto cisco key-timeout command SR-328
show crypto cisco pregen-dh-pairs command SR-329
show crypto connections command
See show crypto cisco connections command
show crypto dynamic-map command SR-392
show crypto engine brief command SR-332
show crypto engine configuration command SR-334
show crypto engine connections active command SR-336
show crypto engine connections dropped-packets command SR-338
show crypto ipsec sa command SR-393, SR-396
show crypto ipsec security-association lifetime command SR-396
show crypto ipsec transform-set command SR-397
show crypto isakmp policy command SR-462
show crypto isakmp sa command SR-464
show crypto key mypubkey dss command SR-339
show crypto key mypubkey rsa command SR-466
show crypto key pubkey-chain dss command SR-340
show crypto key pubkey-chain rsa command SR-467
show crypto key-timeout command
See show crypto cisco key-timeout command
show crypto map (CET) command SR-343
show crypto map (IPSec) command SR-398
show crypto mypubkey command
See show crypto key mypubkey command
show crypto pregen-dh-pairs command
See show crypto cisco pregen-dh-pairs command
show crypto pubkey command
See show crypto key pubkey-chain dss command
show crypto pubkey name command
See show crypto key pubkey-chain dss name command
show crypto pubkey serial command
See show crypto key pubkey-chain dss serial command
show dnsix command SR-518
show ip audit configuration command SR-225
show ip audit interface command SR-226
show ip audit statistics command SR-227
show ip auth-proxy command SR-236
show ip inspect command SR-205
show ip port-map command SR-244
show ip trigger-authentication command SR-51
show kerberos creds command SR-138
show ppp queues command SR-52
show privilege command SR-484
show tcp intercept connections command SR-173
show tcp intercept statistics command SR-175
Skeme key exchange protocol
See also IKE
subinterface configuration mode
summary xiv
T
Tab key
command completion xv
TACACS+
command comparison
(table) SR-115
server hosts SR-117
tacacs-server directed-request command SR-121
tacacs-server host command SR-122
tacacs-server key command SR-124
TCP idle timeout
specifying SR-198
TCP Intercept
enabling SR-162
modes
intercept mode SR-167
watch mode SR-167
timeouts SR-161
test crypto initiate-session command SR-351
thresholds
See also CBAC, thresholds
timeout intervals
See also CBAC, timeouts
timeout login response command SR-54
transport mode SR-377
tunnel mode SR-376
U
UDP idle timeout
specifying SR-202
Unicast RPF
commands SR-520
user EXEC commands
access-profile SR-26
user EXEC mode
summary xiv
username command SR-485
Z