Cisco IOS Security Configuration Guide, Release 12.1
Index

Symbols

? command     xiii

A

AAA

accounting     SC-81

AV pairs     SC-96

command type     SC-91

configuration (example)     SC-96

connection type     SC-86

enabling     SC-92

EXEC type     SC-89

interim records     SC-95

method lists (example)     SC-81

methods (table)     SC-93

monitoring     SC-96

network configuration (figure)     SC-83

network type     SC-84

prerequisites     SC-91

server groups     SC-82

suppress records     SC-94 to SC-95

system type     SC-90

types     SC-84 to SC-91

ARA authentication     SC-32 to SC-35

authorized guest logins     SC-33

guest logins     SC-34

line password     SC-34

local password     SC-34

methods (table)     SC-33

TACACS+     SC-35

authentication

ARA     SC-32 to SC-35

configuration (examples)     SC-53

configuration procedure     SC-24

double authentication     SC-41 to SC-44

enable default     SC-39

login     SC-25 to SC-27

methods     SC-24

NASI     SC-35 to SC-38

network configuration (figure)     SC-22

PPP     SC-28 to SC-30

server groups     SC-22

authentication method lists     SC-21

authorization

AV pairs     SC-75

configuration (examples)     SC-76 to SC-80

configuring     SC-73

description     SC-69

for global configuration commands     SC-74

method lists     SC-69 to SC-71

network configuration (figure)     SC-71

prerequisites     SC-72

RADIUS     SC-74

reverse telnet     SC-75

server groups     SC-71

TACACS+     SC-74

types     SC-72

configuration process     SC-19

description     SC-15 to SC-17

disabling     SC-19

enable default authentication     SC-39

methods (table)     SC-39

enabling     SC-19

login authentication     SC-25 to SC-27

enable password     SC-26

Kerberos     SC-27

line password     SC-27

local password     SC-27

methods (table)     SC-26

RADIUS     SC-27, SC-31, SC-35, SC-37

TACACS+     SC-28, SC-31, SC-35, SC-38

message banners

configuring a failed-login banner     SC-40

configuring a login banner     SC-40

examples     SC-57

method lists

accounting     SC-81

authentication     SC-21

authorization     SC-69 to SC-71

description     SC-17

NASI authentication     SC-35 to SC-38

enable password     SC-37

line password     SC-37

local password     SC-37

methods     SC-36

TACACS+     SC-38

PPP authentication     SC-28 to SC-30

Kerberos     SC-30

local password     SC-30

RADIUS

accounting     SC-111

authentication     SC-110

authorization     SC-111

server groups

accounting     SC-82

authentication     SC-22

authorization     SC-71

RADIUS, configuring     SC-108

TACACS+, configuring     SC-125

aaa authentication ppp command

undefined list name (caution)     SC-50

AAA scalability

configuration example     SC-56

abbreviating commands

context-sensitive help     xiii

access-enable command     SC-181

access-list (encryption) command     SC-337, SC-378

access-list (IP extended) command     SC-180

access-list command     SC-179

access lists

applying to interfaces     SC-166

CBAC

basic configuration     SC-218

configuring     SC-217

how it works     SC-210

creating     SC-163

criteria statements, order of     SC-165

description     SC-161

dynamic

entries, deleting     SC-184

See also lock-and-key

IP

See also Reflexive Access Lists

numeric ranges for protocols (table)     SC-164

reflexive     SC-187

specifying

by name (table)     SC-164

by number (table)     SC-164

See also IKE

See also IPSec, access lists

See also IPSec, crypto access lists

accounting

See AAA accounting

address command     SC-419

addressed-key command     SC-403, SC-419

AH

description     SC-371

algorithms

encryption

See IKE, algorithms

hash

See IKE, algorithms

anti-replay

description     SC-371, SC-411

attack signatures

See Cisco Secure IS IDS

audit rule

See Cisco Secure IS IDS, audit rule

audit trail

CBAC messages     SC-234

DNSIX facility     SC-450

See CBAC, audit trail

authentication

CAs     SC-401

for encryption     SC-323

neighbor router     SC-12, SC-441

benefits     SC-441

configuration information for protocols     SC-445

key chains     SC-444

MD5     SC-442, SC-443

plain text     SC-442, SC-443

process     SC-442

protocols     SC-442

types     SC-442

non-AAA methods     SC-46

static login     SC-46

username     SC-47

route     SC-12

route authentication     SC-441

user

overview     SC-11

See also IKE, authentication

See also lock-and-key

Authentication, Authorization, and Accounting

See AAA

authentication command     SC-416

authentication header

See AH

authentication proxy     SC-275

applying     SC-280

CBAC requirement     SC-285

comparison with Lock-and-Key feature     SC-283

compatibility

CBAC     SC-282

NAT     SC-282

VPN     SC-283

configuration tasks     SC-285

deleting cache entries     SC-292

denial-of-service attack protection     SC-283

description     SC-275

displaying dynamic ACL entries     SC-291

examples     SC-292 to SC-305

AAA server user profile     SC-302

IPSec, NAT, and CBAC     SC-298

IPSec and CBAC     SC-294

feature overview     SC-3

HTTP trigger     SC-276

login page (figure)     SC-276

login status message (figure)     SC-277

maintaining     SC-291

monitoring     SC-291

one-time passwords     SC-280, SC-282

operation     SC-276

operation with JavaScript     SC-278

operation without JavaScript     SC-278

prerequisites

AAA     SC-284

access control lists     SC-284

browser     SC-284

CBAC     SC-284

restrictions     SC-284

risk of spoofing     SC-283

secure authentication     SC-277

using     SC-279

verifying configuration     SC-285, SC-288

when to use     SC-279, SC-280

authorization

See AAA, authorization

autocommand command     SC-181

C

CA interoperability

description     SC-320

CAs

authenticating     SC-401

certificates

revoked     SC-398

declaring     SC-400

(example)     SC-405

description     SC-395

identity

deleting     SC-404

IPSec

implementing     SC-396 to SC-397

LDAP

support     SC-400

public keys     SC-401

purpose     SC-395

URLs

specifying     SC-400

See also certificates

See also certification authority interoperability

See also CRLs

See also IPSec

See also RAs

cautions

access lists     SC-179, SC-338

authenticating keys     SC-442

crypto engines, switching     SC-345, SC-346

DSS keys     SC-349

Java blocking     SC-224

lock-and-key     SC-179

neighbor authentication     SC-442

passwords

encrypting (caution)     SC-429

Unicast RPF

BGP optional attributes     SC-458

usage in text     vii

CBAC

access lists

configuring     SC-217

how it works     SC-210

application-layer protocols

configuring     SC-222

audit trail     SC-225

audit trail messages

(example)     SC-234

enabling     SC-231

authentication proxy compatibility     SC-285

configuration

(example)     SC-235 to SC-253

guidelines     SC-226

viewing     SC-227

configuring     SC-215 to SC-225

verifying     SC-227

debugging     SC-231 to SC-232

denial-of-service attacks

detection     SC-220

error messages     SC-233

indications     SC-221

description     SC-205

disabling     SC-235

displaying access list contents     SC-227

error messages

audit trail     SC-234

denial-of-service attacks     SC-233

FTP attacks     SC-234

Java blocking     SC-234

SMTP attacks     SC-233

filtering

Java blocking     SC-206

TCP traffic     SC-206

UDP traffic     SC-206

filtering, traffic     SC-206

firewall

configuration, guidelines     SC-226

FTP attacks

error messages     SC-234

FTP traffic     SC-215

H.323 inspection

configuring     SC-222

multimedia support     SC-213

half-open sessions

deleting     SC-221

description     SC-221

how it works     SC-208

inspection rules

applying     SC-225

defining     SC-222 to SC-225

description     SC-222

viewing     SC-227

interfaces

choosing     SC-216

external, tips     SC-219

internal, tips     SC-220

intrusion detection

SMTP attacks     SC-207

IP packet fragmentation

inspection     SC-224

IPSec compatibility     SC-215

Java

blocking     SC-206, SC-223

blocking (caution)     SC-224

blocking, messages     SC-234

inspection, configuring     SC-223

limitations     SC-207

See also CBAC, restrictions

logging     SC-225

memory usage     SC-215

multimedia support

protocol inspection     SC-213

packet inspection     SC-209

PAM operation     SC-310

process     SC-211

protocol support (table)     SC-212

restrictions     SC-214

See also CBAC, limitations

RPC inspection

configuring     SC-222

RTSP inspection     SC-213

session information

viewing     SC-227

SMTP attacks

error messages     SC-233

state tables     SC-210

TCP inspection

configuring     SC-224

thresholds

configuring     SC-220

default values     SC-220

modifying     SC-220

timeouts

configuring     SC-220

default values     SC-220

modifying     SC-220

traffic filtering

UDP inspection

configuring     SC-224

UDP sessions     SC-210

verifying configuration     SC-227

when to use     SC-210

CCO

accessing     viii

definition     viii

certificate chain configuration mode

enabling     SC-404

certificate command     SC-404

certificate revocation lists

See CRLs

certificates

deleting     SC-404

description     SC-394, SC-411

requesting     SC-401

requests

resending, number of times     SC-400

resending, wait period     SC-400

requirements

RSA keys     SC-399

saving     SC-399

storing     SC-398

viewing     SC-404

See also CAs

See also CRLs

See also RSA keys

certification authorities

See CAs

certification authority interoperability

CA authentication     SC-401

configuration

(example)     SC-405

saving your configuration     SC-402

description     SC-393

domain names

configuration (example)     SC-405

configuring     SC-399

host names

configuration (example)     SC-405

configuring     SC-399

NVRAM memory usage     SC-399

prerequisites     SC-395

restrictions     SC-394

supported standards     SC-394

See also CAs

See also certificates

See also CRLs

See also RSA keys

CET

access lists, encryption     SC-337

(example)     SC-356

authenticating peer routers     SC-323

Cisco IOS implementation     SC-322

connection problems     SC-350

crypto engines     SC-328

Cisco IOS     SC-329

ESA     SC-330

VIP2     SC-329

crypto maps     SC-336

applying to interfaces     SC-339

example     1

defining     SC-339

example     1

data encryption

introduction     SC-12

DES algorithms     SC-326

defaults (global)     SC-336

enabling, globally     SC-336

enabling, globally (example)     SC-356

enabling in crypto maps     SC-338

types     SC-336

description     SC-317

DH     SC-325

exchanging numbers     SC-325

generating the DES key     SC-326

pregenerating numbers     SC-347

dropped packets     SC-351

DSS keys     SC-325

deleting     SC-349

(examples)     1

exchanging     SC-324, SC-333

(example)     1

generating     SC-333

(example)     1

saving     SC-333

encapsulation     SC-330

ESA

(examples)     SC-363

Cisco 7200     SC-342

VIP2     SC-341

fragmentation, IP     SC-331

GRE tunnels     SC-340

(example)     SC-360

IPSec

comparison     SC-318, SC-319

comparison (table)     SC-319

using with     SC-320

multicast     SC-331

network topology     SC-328

number of sessions     SC-332

passwords (ESA)     SC-352

peer encrypting routers     SC-323, SC-328

performance impacts     SC-332

prework     SC-328

process     SC-324

purpose     SC-322

session keys     SC-326

session times     SC-347

standards implemented     SC-323

switching types     SC-332

tasks, basic     SC-332

testing and troubleshooting     SC-350

testing connections

(example)     SC-366

turning off     SC-349

which packets are encrypted     SC-323

Challenge Handshake Authentication Protocol

See CHAP

CHAP

authentication     SC-47 to SC-50

common password     SC-50

delay authentication     SC-51

description     SC-47

enable authentication     SC-49

refuse authentication requests     SC-51

Cisco Connection Online

See CCO

Cisco Encryption Technology

See CET

Cisco IOS

saving configuration changes     xvi

Cisco Secure IDS

See Cisco Secure IS IDS, compatibility

Cisco Secure Integrated Software

See Cisco Secure IS

Cisco Secure IS

authentication proxy     SC-275

context-based access control (CBAC)     SC-205

description     SC-169

dynamic access lists     SC-177

feature set     SC-170

firewall solution     SC-169

Intrusion Detection System (IDS)     SC-255

port to application mapping (PAM)     SC-307

reflexive access lists     SC-187

See also authentication proxy

See also CBAC

See also Cisco Secure IS IDS

See also dynamic access lists

See also PAM

See also reflexive access lists

See also TCP intercept

TCP intercept     SC-199

Cisco Secure IS IDS

audit rule     SC-257

compatibility     SC-256

Cisco Secure IDS

configuration (examples)     SC-270 to SC-273

configuring     SC-264 to SC-269

applying audit rules     SC-267

initializing, IDS     SC-264

verifying     SC-269

configuring, initializing, post office     SC-265

description     SC-255, SC-257

event logging     SC-256

monitoring and maintaining     SC-269

performance impact     SC-258

process     SC-257

response to threats     SC-256

sensor     SC-256

signature list     SC-258 to SC-263

signature types

attack atomic     SC-258

attack compound     SC-258

info atomic     SC-258

info compound     SC-258

threat response     SC-256

usage scenarios     SC-258

when to use     SC-257

clear access-template command     SC-184

clear crypto isakmp command     SC-423

clear crypto sa command     SC-391

command modes

summary (table)     xii

command syntax conventions

Cisco IOS documentation     vii

config-isakmp command mode

enabling     SC-416

configuration

saving     xvi, SC-402

Context-based Access Control

See CBAC

crl optional command     SC-400

CRLs

downloading     SC-402

missing     SC-400

requesting     SC-402

saving     SC-399

storing     SC-398

crypto

See CET

crypto ca authenticate command     SC-401

crypto ca certificate chain command     SC-404

crypto ca certificate query command     SC-399

crypto ca crl request command     SC-402

crypto ca enroll command     SC-401

crypto ca identity command     SC-400, SC-404

crypto card clear-latch command     SC-341, SC-343

crypto card command     SC-346

crypto card enable command     SC-344

crypto cisco algorithm 40-bit-des command     SC-336

crypto cisco algorithm des command     SC-336

crypto cisco connections command     SC-349

crypto cisco entities command     SC-349

crypto cisco key-timeout command     SC-347

crypto cisco pregen-dh-pairs command     SC-347, SC-349

crypto dynamic-map command     SC-389, SC-422

crypto ipsec security-association lifetime command     SC-376

crypto ipsec transform-set command     SC-382

crypto isakmp enable command     SC-413, SC-416

crypto isakmp identity command     SC-418

crypto isakmp key command     SC-420

crypto key exchange dss command     SC-334

crypto key exchange dss passive command     SC-334

crypto key generate dss command     SC-333

crypto key generate rsa command     SC-400, SC-418

crypto key pubkey-chain rsa command     SC-403, SC-419

crypto key zeroize dss command     SC-342, SC-344, SC-346, SC-349

crypto key zeroize rsa command     SC-403

crypto map command     SC-339, SC-385, SC-386

D

data authentication

description     SC-371

data confidentiality

description     SC-371

Data Encryption Standard

See DES

data flow

description     SC-371

debug crypto isakmp command     SC-423

debug ip inspect command     SC-231

default form of a command

using     xv

denial-of-service attacks

CBAC detection     SC-220

half-open sessions     SC-221

deploying Unicast RPF     SC-459

detection

authentication proxy     SC-283

using Cisco Secure IS IDS     SC-259

mitigating IP address spoofing     SC-459

preventing

reflexive access lists     SC-188

using TCP Intercept     SC-199

error messages

See also CBAC, error messages

Department of Defense Intelligence Information System Network Security for Information Exchange

See DNSIX

DES

description     SC-371, SC-410

IKE policy parameter     SC-414

See CET

DH

See also CET

See IKE, DH

Dialed Number Identification Service

See DNIS

Diffie-Hellman

See DH

Digital Signature Standard

See DSS

DMDP

definition     SC-451

DNIS

selecting server groups     SC-109, SC-126

DNSIX

audit trail facility     SC-450

DMDP     SC-451

enabling     SC-451

extended IPSO fields     SC-449

hosts to receive messages     SC-451

Network Audit Trail Protocol     SC-451

transmission parameters     SC-451

dnsix-dmdp retries command     SC-451

DNSIX Message Deliver Protocol

See DMDP

dnsix-nat authorized-redirection command     SC-451

dnsix-nat primary command     SC-451

dnsix-nat secondary command     SC-451

dnsix-nat source command     SC-451

dnsix-nat transmit-count command     SC-451

documentation conventions

Cisco IOS     vi

domain names

certification authority interoperability

configuration (example)     SC-405

configuring     SC-399

double authentication

access user profile     SC-43

configuring     SC-42, SC-44

operation     SC-41

DSS

See CET

dynamic crypto maps

See IPSec, crypto maps

E

encapsulating security payload

See ESP

encapsulations

IPSec supported     SC-373

encrypted nonces

See RSA encrypted nonces

encryption

IPSec

See CET

encryption algorithm

See IKE, algorithms

encryption command     SC-416

enrollment mode ra command     SC-400

enrollment retry-count command     SC-400

enrollment retry-period command     SC-400

enrollment url command     SC-400

ESP

description     SC-371

examples

CAs

declaring     SC-405

CBAC configuration     SC-235 to SC-253

certification authority interoperability

configuration     SC-405

domain names, configuring     SC-405

host names, configuration     SC-405

Cisco Secure IS IDS     SC-270 to SC-273

IKE

configuration     SC-423

IPSec

transform set, configuring     SC-405

IPSec configuration     SC-392

PAM configuration     SC-312 to SC-313

pre-shared keys

configuration     SC-423

F

filtering

See access lists

firewalls

CBAC guidelines     SC-226

Cisco Secure IS

feature set     SC-170

solution     SC-169

configuring as     SC-169

creating     SC-170

description     SC-169

features     SC-170, SC-171

guidelines     SC-174

See also CBAC

See also Cisco Secure IS

FTP attacks

CBAC error messages     SC-234

G

global configuration mode

summary     xii

group command     SC-416

H

H.323 inspection

multimedia protocol support     SC-213

See CBAC, H.323 inspection

hash algorithm

See IKE, algorithms

hash command     SC-416

help command     xiii

hijacking

preventing     SC-12

hostname command     SC-399

host names

certification authority interoperability

configuration (example)     SC-405

configuring     SC-399

I

identification support

configuring     SC-437

IDS

See Cisco Secure IS IDS

IKE

access lists

configuration     SC-413

algorithms

encryption, specifying     SC-416

hash, specifying     SC-416

options     SC-415

anti-replay

description     SC-411

authentication

methods     SC-415

methods, specifying     SC-416

connections

clearing     SC-423

debug messages     SC-423

description     SC-320

feature     SC-409

protocol     SC-370, SC-410

DH

description     SC-411

group identifier, specifying     SC-416

IKE policy parameter     SC-414

disabling     SC-413

enabling     SC-413

group identifier

specifying     SC-416

ISAKMP identity

configuring     SC-418

keys

See keys, pre-shared

See RSA keys

mode configuration     SC-420

configuring     SC-421

restrictions     SC-421

types     SC-420

negotiations

successful     SC-415

unsuccessful     SC-415

policies

configuration (example)     SC-423

configuration, required     SC-417

configuring     SC-416

creating     SC-413 to SC-417

defaults, viewing     SC-417

identifying     SC-416

multiple     SC-416

parameters     SC-414

parameters, choosing     SC-415

parameters, viewing     SC-423

purpose     SC-414

requirements     SC-413

viewing     SC-416

requirements

access lists     SC-413

policies     SC-413

RSA encrypted nonces method     SC-417

RSA signatures method     SC-417

SAs     SC-412

supported standards     SC-410

troubleshooting     SC-423

tunnel endpoint discovery     SC-421

restrictions     SC-422

See also IPSec

See also RSA encrypted nonces

See also SAs

inspection rules

See CBAC, inspection rules

interface command     SC-180

interface configuration mode

summary     xii

internet key exchange mode configuration     SC-420

See IKE, mode configuration

Internet Key Exchange Security Protocol

See IKE

intrusion detection

See Cisco Secure IS IDS

intrusion detection system

See Cisco Secure IS IDS

IP

access lists

dynamic, deleting     SC-184

reflexive     SC-187

encryption

introduction     SC-12

security

See also lock-and-key

See also TCP Intercept

See also CET

session filtering

See Reflexive Access Lists

ip access-group command     SC-180

ip domain-name command     SC-399

ip inspect audit