Table Of Contents
Symbols - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - X -
index
Symbols
<cr> xxxvii
? command xxxvi
A
AAA (authentication, authorization, and accounting)
accounting
AV pairs SC-102
broadcasting SC-94
command type SC-91
compatibility with authentication proxy SC-299
configuring (example) SC-102
connection type SC-87
enabling SC-96
EXEC type SC-89
interim records SC-99
method lists (example) SC-81
methods (table) SC-97
monitoring SC-102
network configuration (figure) SC-83
network type SC-84
prerequisites SC-95
resource type SC-91
suppress records SC-98, SC-99
system type SC-90
types SC-84 to SC-91
verifying SC-102
ARAP authentication
authorized guest logins SC-34
guest logins SC-34
line password SC-34
local password SC-34
methods (table) SC-33
TACACS+ SC-35
authentication
ARAP SC-32 to SC-35
configuring SC-24
(examples) 1
default, enable SC-39
double authentication SC-42 to SC-45
login SC-25 to SC-27
methods SC-24
NASI SC-36 to SC-38
network configuration (figure) SC-22
PPP SC-29 to SC-30
server groups SC-22
authentication, two-way, restrictions SC-126
authorization SC-69
AV pairs SC-75
configuring SC-73
configuring (examples) SC-76 to SC-80
for global configuration commands SC-74
network configuration (figure) SC-71
prerequisites SC-72
RADIUS SC-74
reverse telnet SC-75
server groups SC-71
TACACS+ SC-74
types SC-72
broadcast accounting SC-94
configuring SC-19
disabling SC-20
DNIS SC-119
enable default authentication, methods (table) SC-39
enabling SC-19
login authentication
enable password SC-27
Kerberos SC-27
line password SC-27
local password SC-27
methods (table) SC-26
RADIUS SC-28, SC-31, SC-35, SC-38
TACACS+ SC-28, SC-31, SC-35, SC-38
message banners
(examples) SC-58
failed-login banner, configuring SC-41
login banner, configuring SC-41
method lists SC-17, SC-21
accounting SC-81
authorization SC-69, SC-71
NASI authentication
enable password SC-37
line password SC-37
local password SC-37
methods SC-36
TACACS+ SC-38
overview SC-15 to SC-17
POD (packet of disconnect) SC-42
configuration SC-42
example SC-59
PPP authentication SC-30
preauthentication SC-121
RADIUS
accounting SC-127
authentication SC-127
authorization SC-127
resource accounting SC-93
configuring SC-100
resource failure stop accounting SC-91
configuring SC-100
server groups
authentication SC-22
authorization SC-71
broadcast accounting SC-94
RADIUS, configuring SC-117
TACACS+, configuring SC-145
session MIB SC-94
configuration SC-102
example SC-106
SNMP SC-94
aaa accounting resource start-stop group command SC-100
aaa accounting resource stop-failure group command SC-100
aaa authentication ppp command: undefined list-name
(caution) SC-51
aaa preauth command SC-121
access-enable command SC-197
access-list (encryption) command SC-345
access-list (IP extended) command SC-197
access-list command SC-195
access lists
applying to interfaces SC-182
CBAC
basic configuration SC-234
configuring SC-234
how it works SC-226
creating SC-179
criteria statements, order of SC-181
dynamic entries, deleting SC-201
IP
See Reflexive Access Lists
numeric ranges for protocols (table) SC-180
overview SC-177
specifying
by name SC-180
by number (table) SC-180
See also IKE; IPSec, access lists; IPSec, crypto access lists
address command SC-390
addressed-key command SC-374, SC-390
AH (authentication header) SC-337
algorithms
See IKE, algorithms
antireplay security service SC-337, SC-381
attack signatures
See Cisco IOS Firewall IDS
audit rule
See Cisco IOS Firewall IDS, audit rule
audit trails
CBAC messages SC-251
DNSIX facility SC-428
See also CBAC, audit trail
authentication
CAs SC-371
neighbor router
benefits SC-419
configuration information for protocols SC-423
key chains SC-422
MD5 SC-420, SC-421
plain text SC-420, SC-421
process SC-420
protocols SC-420
types SC-420
non-AAA methods SC-47, SC-48
route SC-12
route authentication SC-419
user, overview SC-11
See also IKE, extended authentication; lock-and-key
authentication command SC-387
authentication proxy SC-3, SC-291
(examples) SC-308 to SC-321
accounting SC-299
applying SC-297
cache entries, deleting SC-308
CBAC requirement SC-301
comparison with Lock-and-Key feature SC-300
compatibility
with CBAC SC-299
with NAT SC-298
with VPN SC-299
configuration tasks SC-301
denial-of-service attack protection SC-300
dynamic ACL entries, displaying SC-307
HTTP trigger SC-292
login page (figure) SC-293
login status message (figure) SC-294
maintaining SC-307
monitoring SC-307
operation
with JavaScript SC-294
without JavaScript SC-294
passwords, one-time SC-297, SC-298
prerequisites SC-301
restrictions SC-301
secure authentication SC-294
spoofing, risk of SC-300
using SC-295
verifying configuration SC-301, SC-304
when to use SC-295, SC-296
authentication proxy operation using one-time passwords SC-298
autocommand command SC-197
B
broadcast accounting SC-94
C
carriage return (<cr>) xxxvii
CAs (certification authorities)
authenticating SC-371
certificate revocation SC-366
configuration, saving SC-372
configuring (example) SC-376
declaring SC-369
(example) SC-376
description SC-363
domain names, configuring (example) SC-368, SC-376
host names SC-368
configuring (example) SC-376
identity, deleting SC-375
interoperability SC-334
IPSec, implementing SC-364 to SC-366
LDAP support SC-369
NVRAM memory usage SC-367
prerequisites SC-363
public keys SC-371
purpose SC-363
restrictions SC-363
supported standards SC-362
URLs, specifying SC-369
See also certificates; CRLs; IPSec; RAs
cautions
access lists SC-195
authenticating keys SC-421
Java blocking SC-240
lock-and-key SC-196
neighbor authentication SC-421
passwords, encrypting SC-407
ppp, disabling with undefined list-name SC-51
Unicast RPF
BGP optional attributes SC-437
logging impact SC-435
cautions, usage in text xxx
CBAC (Context-based Access Control)
limitations
See also CBAC, restrictions
access lists
configuring SC-234
contents, displaying SC-244
how it works SC-226
application-layer protocols, configuring SC-239
audit trail SC-242
audit trail messages
(example) SC-251
enabling SC-248
authentication proxy compatibility SC-301
configuring SC-232 to SC-242
(example) SC-252 to SC-269
guidelines SC-243
verifying SC-244
viewing SC-244
debugging SC-248 to SC-249
denial-of-service attacks
detection SC-236
error messages SC-250
indications SC-238
disabling SC-252
error messages
audit trail SC-251
denial-of-service attacks SC-250
FTP attacks SC-251
Java blocking SC-251
SMTP attacks SC-250
firewall, configuring SC-243
FTP attacks, error messages SC-251
FTP traffic SC-231
H.323 inspection
configuring SC-239
multimedia support SC-229
half-open sessions SC-238
how it works SC-224
inspection rules
applying SC-242
defining SC-238 to SC-241
viewing SC-244
interfaces
choosing SC-232
external, tips SC-236
internal, tips SC-236
intrusion detection SC-223
IP packet fragmentation SC-240
inspection SC-240
IPSec compatibility SC-231
Java
(caution) SC-240
blocking SC-222, SC-240
inspection, configuring SC-240
messages SC-251
logging SC-242
memory usage SC-231
multimedia support protocol inspection SC-229
packet inspection SC-225
PAM operation SC-326
process SC-227
protocol support (table) SC-228
restrictions SC-231
See also CBAC limitations
RPC inspection, configuring SC-239
RTSP inspection SC-229
session information, viewing SC-244
SMTP attacks
error messages SC-250
state tables SC-226
TCP inspection, configuring SC-241
thresholds SC-236, SC-237
timeouts SC-236, SC-237
traffic filtering SC-222
UDP inspection, configuring SC-241
UDP sessions SC-226
when to use SC-227
certificate chain configuration mode, enabling SC-374
certificate command SC-374
certificates SC-362, SC-381
deleting SC-374
requests SC-371
resending SC-369
RSA key requirements SC-369
saving SC-368
storing SC-367
viewing SC-375
See also CAs; CRLs; RSA keys
changed information in this release xxix
CHAP (Challenge Handshake Authentication Protocol)
authentication SC-49 to SC-52
common password SC-52
delay authentication SC-53
description SC-49
enable authentication SC-50
refuse authentication requests SC-52
Cisco IOS configuration changes, saving xl
Cisco IOS Firewall
authentication proxy SC-291
description SC-185
dynamic access lists SC-193
feature set SC-186
firewall solution SC-185
reflexive access lists SC-203
See also authentication proxy; CBAC; PAM; TCP intercept
TCP intercept SC-215
Cisco IOS Firewall IDS SC-271, SC-273
audit rule SC-274
compatibility SC-273
configuration (examples) SC-286 to SC-289
configuring SC-280 to SC-285
configuring, initializing, post office SC-281
event logging SC-272
monitoring and maintaining SC-285
performance impact SC-275
process SC-274
sensor SC-272
signature list SC-275 to SC-280
signature types SC-275
threats, response to SC-272
usage scenarios SC-274
when to use SC-274
Cisco Secure IDS
See Cisco IOS Firewall IDS, compatibility
clear access-template command SC-201
clear crypto isakmp command SC-398
clear crypto sa command SC-358
command modes, understanding xxxv to xxxvi
commands
context-sensitive help for abbreviating xxxvi
default form, using xxxix
no form, using xxxix
command syntax
conventions xxix
displaying (example) xxxvii
config-isakmp command mode, enabling SC-387
configurations, saving xl, SC-372
crl optional command SC-370
crl query command SC-370, SC-373
CRLs (certificate revocation lists)
downloading SC-372, SC-373
missing SC-370
querying SC-370, SC-373
requesting SC-372
saving SC-368
storing SC-367
crypto ca authenticate command SC-371
crypto ca certificate chain command SC-374
crypto ca certificate query command SC-368
crypto ca crl request command SC-373
crypto ca enroll command SC-372
crypto ca identity command SC-369, SC-375
crypto ca trusted-root command SC-370
crypto dynamic-map command SC-356, SC-397
crypto ipsec security-association lifetime command SC-343
crypto ipsec transform-set command SC-349
crypto isakmp enable command SC-384, SC-387
crypto isakmp identity command SC-389
crypto isakmp key command SC-391
crypto key generate rsa command SC-369, SC-389
crypto key pubkey-chain rsa command SC-374, SC-390
crypto key zeroize rsa command SC-373
crypto map client authentication list command SC-395
crypto map command SC-352, SC-353
crypto map configuration, viewing SC-398
crypto map isakmp authorization list command SC-393
D
data authentication SC-337
data confidentiality SC-338
data flow SC-338
debug crypto isakmp command SC-398
debug ip inspect command SC-248
denial-of-service attacks
CBAC detection SC-236
half-open sessions SC-238
detection of
authentication proxy SC-300
using Cisco IOS Firewall IDS SC-275
IP address spoofing, mitigating SC-438
preventing
reflexive access lists SC-204
using TCP Intercept SC-215
Unicast RPF, deploying SC-438
DES (Data Encryption Standard) SC-337, SC-381
IKE policy parameter SC-385
DH (Diffie-Hellman)
See IKE, DH (Diffie-Hellman)
DMDP (DNSIX Message Deliver Protocol) definition SC-429
DNIS (Dialed Number Identification Service)
DNIS number SC-146
preauthentication, configuring SC-121
server groups, selecting SC-119, SC-146
DNSIX (Department of Defense Intelligence Information System Network Security for Information Exchange)
audit trail facility SC-428
DMDP SC-429
enabling SC-429
hosts to receive messages SC-429
IPSO fields, extended SC-427
Network Audit Trail Protocol SC-429
transmission parameters SC-429
dnsix-dmdp retries command SC-429
dnsix-nat authorized-redirection command SC-429
dnsix-nat primary command SC-429
dnsix-nat secondary command SC-429
dnsix-nat source command SC-429
dnsix-nat transmit-count command SC-429
documentation
conventions xxix
feedback, providing xxxi
modules xxv to xxvii
online, accessing xxx
ordering xxxi
Documentation CD-ROM xxxi
documents and resources, supporting xxviii
domain names
certification authority interoperability
(example) SC-376
certification authority interoperability, configuring SC-368
double authentication
access user profile SC-44
configuring SC-43, SC-45
operation SC-42
dynamic crypto maps
See IPSec, crypto maps
E
encapsulations, IPSec-supported SC-340
encrypted nonces
See RSA encrypted nonces
encryption algorithm
See IKE, algorithms
encryption command SC-387
enrollment mode ra command SC-369
enrollment retry-count command SC-369
enrollment retry-period command SC-369
enrollment url command SC-369
ESP (encapsulating security payload) SC-337
F
Feature Navigator
See platforms, supported
filtering
See access lists
filtering output, show and more commands xl
firewalls SC-185
CBAC guidelines for SC-243
Cisco IOS Firewall
feature set SC-186
solution SC-185
configuring SC-185
creating SC-186
features SC-186, SC-187
guidelines SC-190
See also CBAC; Cisco IOS Firewall
FTP attacks
CBAC error messages SC-251
G
global configuration mode, summary of xxxvi
group command SC-387
H
H.323 inspection
multimedia protocol support SC-229
See also CBAC, H.323 inspection
hardware platforms
See platforms, supported
hash algorithm
See IKE, algorithms
hash command SC-387
help command xxxvi
hijacking, preventing SC-12
hostname command SC-368
host names
certification authority interoperability
configuring (example) SC-376
certification authority interoperability, configuring (examples) SC-368
I
identification support, configuring SC-415
IDS
See Cisco IOS Firewall IDS
IKE (Internet Key Exchange) security protocol
access lists, configuring SC-384
algorithms
encryption SC-387
hash SC-387
options SC-386
anti-replay SC-381
authentication
methods SC-386, SC-387
connections, clearing SC-398
debug messages SC-398
description SC-334
DH (Diffie-Hellman) SC-381
group identifier, specifying SC-387
IKE policy parameter SC-385
disabling SC-384
enabling SC-384
extended authentication SC-394
configuring (examples) SC-394
purpose SC-394
feature SC-379
group identifier, specifying SC-387
ISAKMP identity, configuring SC-389
keys
See keys, preshared; keys, preshared using AAA server; RSA keys
mode configuration SC-393, SC-394
negotiations SC-385
policies
configuring (example) SC-399
creating SC-384 to SC-388
defaults, viewing SC-387
identifying SC-387
multiple SC-387
parameters SC-385, SC-386, SC-398
purpose SC-384
requirements SC-384
viewing SC-387
preshared keys using AAA server, configuring (example) SC-399
protocol SC-336, SC-380
requirements
access lists SC-384
policies SC-384
RSA encrypted nonces method SC-388
RSA signatures method SC-388
SAs SC-382
supported standards SC-380
troubleshooting SC-398
tunnel endpoint discovery (TED)
description SC-395
restrictions SC-397
versions SC-396
See also IPSec; RSA encrypted nonces; SAs
indexes, master xxviii
inspection rules SC-238
See CBAC, inspection rules
interface command SC-197
interface configuration mode, summary of xxxvi
intrusion detection
See Cisco IOS Firewall IDS
IP
access lists
dynamic, deleting SC-201
reflexive SC-203
encryption SC-12
security
See also lock-and-key; TCP Intercept SC-194
session filtering
See Reflexive Access Lists
ip access-group command SC-197
ip domain-name command SC-368
ip inspect audit trail command SC-248
ip inspect command SC-242
ip inspect dns-timeout command SC-237
ip inspect max-incomplete high command SC-237
ip inspect max-incomplete low command SC-237
ip inspect name command SC-239
ip inspect one-minute high command SC-237
ip inspect one-minute low command SC-237
ip inspect tcp finwait-time command SC-237
ip inspect tcp idle-time command SC-237
ip inspect tcp max-incomplete host command SC-237
ip inspect tcp synwait-time command SC-237
ip inspect udp idle-time command SC-237
IP packet fragmentation
See CBAC, IP packet fragmentation
ip port-map command SC-327
IPSec (IPSec network security protocol)
access lists SC-341
requirements SC-343
benefits SC-333
CAs
implementing with SC-365, SC-366
implementing without SC-364, SC-366
CBAC compatibility SC-231
configuration
(example) SC-359
configuring SC-358
crypto access lists SC-344
any keyword, using SC-348
creating SC-345
manually established SAs SC-346
mirror images SC-347
purpose SC-345
tips SC-345
crypto maps
applying SC-357
dynamic
adding 1
creating 1, 2
definition 1
entries, creating SC-350 to SC-357
purpose SC-350
quantity SC-351
encapsulations supported SC-340
feature SC-335
hardware supported SC-339
how it works SC-341
monitoring SC-358
multiple peers SC-342
NAT, configuring SC-341
network services SC-12, SC-335
prerequisites SC-342
protocol SC-336
requirements for SAs SC-382
restrictions SC-340
SAs
clearing SC-349
IKE negotiations SC-341, SC-353
manual negotiations SC-341, SC-352
supported standards SC-336
switching paths supported SC-339
traffic protected, defining SC-341
transforms SC-338
transform sets SC-348
configuring (example) SC-376
tunnel endpoint discovery
See IKE, tunnel endpoint discovery
ip security add command SC-426
ip security aeso command SC-428
ip security dedicated command SC-426
ip security eso-info command SC-428
ip security eso-max command SC-428
ip security eso-min command SC-428
ip security extended-allowed command SC-426
ip security first command SC-427
ip security ignore-authorities command SC-426
ip security implicit-labelling command SC-426
ip security multilevel command SC-426
ip security reserved-allowed command SC-427
ip security strip command SC-426
IPSO (IP Security Option)
(examples) SC-430
basic SC-426
basic security classifications SC-426
extended
AESOs, attaching SC-428
configuration tasks SC-428
ESOs, attaching SC-428
global defaults SC-428
ip tcp intercept connection-timeout command SC-218
ip tcp intercept drop-mode command SC-217
ip tcp intercept finrst-timeout command SC-218
ip tcp intercept list command SC-216
ip tcp intercept max-incomplete high command SC-219
ip tcp intercept max-incomplete low command SC-219
ip tcp intercept mode command SC-217
ip tcp intercept one-minute high command SC-219
ip tcp intercept one-minute low command SC-219
ip tcp intercept watch-timeout command SC-217
ISAKMP SC-380
See also IKE SC-379
J
Java blocking
See CBAC, Java
K
Kerberos
authentication SC-161
login SC-27
PPP SC-30
configuring
(examples) SC-164 to SC-174
credential forwarding SC-161
instance mapping SC-163
KDC (key distribution center) SC-157
database 1
mandatory authentication SC-163
network access server communication SC-159
realms SC-160
SRVTABs, creating SC-158
SRVTABs, extracting SC-159
SRVTABs files, copying SC-160
Encrypted Kerberized Telnet SC-162
maintaining SC-164
monitoring SC-164
operation SC-155 to SC-157
Telnet to router SC-162
terms (table) SC-154
keys
chains SC-422
management SC-422
preshared
configuring (example) SC-391, SC-399
IKE policy parameter SC-385
ISAKMP identity, configuring SC-389
masks SC-391
specifying SC-391
preshared using AAA server SC-392
configuring SC-393
key-string command SC-390
L
LDAP (Lightweight Directory Access Protocol) support, specifying SC-369
lifetime command SC-387
line vty command SC-197
lock-and-key SC-194
benefits SC-194
configuring
(examples) SC-201 to SC-202
guidelines SC-198
prerequisites SC-196
verification SC-200
maintenance tasks SC-200
performance impacts SC-196
process SC-195
spoofing, risk of SC-196
when to use SC-194
logging
See CBAC logging and audit trail
login local command SC-197
login tacacs command SC-197
M
mask preshared keys SC-391
match address command SC-353, SC-356
MD5 (Message Digest 5) algorithm SC-337, SC-381
IKE policy parameter SC-385
neighbor router authentication SC-421
memory usage and certification authority interoperability SC-367
method lists
(example) SC-18
AAA
accounting SC-81
authentication SC-21
authorization SC-69, SC-71
description SC-17
MIB, descriptions online xxviii
modes
certificate chain configuration, enabling SC-374
public key configuration, enabling SC-374
query, enabling SC-368
RA, enabling SC-369
See command modes
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
configuration example SC-67
feature summary SC-53
multimedia application protocol support
H.323 SC-230
protocols (table) SC-228
RTSP SC-229
N
named-key command SC-374, SC-390
NAT, configuring IPSec for SC-341
neighbor router authentication
See authentication, neighbor router
new information in this release xxix
no ip inspect command SC-252
nonces
See RSA encrypted nonces
nonrepudiation SC-382
notes, usage in text xxx
O
Oakley key exchange protocol SC-380
See also IKE
P
packet fragmentation
See CBAC, IP packet fragmentation
PAM (port to application mapping)
CBAC operation SC-324
configuration examples SC-328 to SC-329
configuring
access lists SC-327
port mapping SC-327
verifying SC-327
default port mapping SC-324
host-defined mapping SC-324
host-specific mapping SC-326
how PAM works SC-323
mapping information, saving SC-325
mapping types
host-specific SC-324, SC-326
system-defined SC-324
user-defined SC-324, SC-325
monitoring and maintaining SC-328
operation with CBAC SC-324, SC-326
port range, defining SC-325
registered ports SC-324
system-defined mapping
deleting SC-324
overriding SC-324, SC-326
port numbers (table) SC-324
registered ports SC-324
table SC-324
well-known ports SC-324
table SC-324
user-defined mapping SC-324, SC-325
verifying SC-327
well-known ports SC-324
when to use SC-326
PAP (Password Authentication Protocol)
authentication SC-49 to SC-52
description SC-49
enable authentication SC-50
outbound authentication SC-51
refuse authentication request SC-52
password command SC-197
passwords
configuration (examples) SC-416 to SC-418
configuring
enable password SC-406
enable secret SC-406
line password SC-407
static enable password SC-406
encrypting SC-407
(caution) SC-407
recovering lost enable passwords
procedure 1 SC-411
procedure 2 SC-412
procedures (tables) SC-410
process SC-410
recovering lost line passwords
diagnostic mode settings (table) SC-415
peer description SC-338
PFS (perfect forward secrecy) SC-338, SC-382
plain text authentication
See authentication, neighbor router
platforms, supported
Feature Navigator, identify using xli
release notes, identify using xli
POD (packet of disconnect)
See AAA, POD
PPP
enable encapsulation SC-50
inbound authentication SC-51
outbound authentication SC-51
preauthentication, configuring SC-137
preshared keys
See keys, preshared; keys, preshared using AAA server
privileged EXEC mode, summary of xxxvi
privileges
changing default SC-409
configuring SC-408
(examples) SC-416 to SC-418
displaying current level SC-409
logging in SC-409
prompts, system xxxvi
protocol support, CBAC (table) SC-228
provide SC-203
public key configuration mode, enabling SC-374, SC-390
Q