Table Of Contents
Symbols
/bits subnet masks D-3
?
command string C-4
help C-4
Numerics
4GE SSM
connector types 4-1
fiber 4-3
SFP 4-3
A
A 25-7
AAA
accounting 16-12
addressing, configuring 27-2
authentication
CLI access 33-5
network access 16-1
privileged EXEC mode 33-6
authorization
command 33-7
downloadable access lists 16-7
network access 16-6
local database support 10-11
overview 10-1
performance 16-1
server
adding 10-14
types 10-3
support summary 10-3
with web clients 16-4
abbreviating commands C-3
access hours
username attribute 26-54
access list
use in classifying QoS traffic 21-4
access lists
ACE logging, configuring 13-18
comments 13-16
deny flows, managing 13-20
downloadable 16-8
EtherType, adding 13-7
extended, adding 13-6
extended, overview 13-5
implicit deny 13-3
inbound 15-1
interface, applying 15-4
IP address guidelines 13-3
logging 13-18
logging activity 13-18
NAT addresses 13-3
NAT guidelines 13-3
object grouping 13-9
object groups 13-16
outbound 15-1
overview 13-1
remarks 13-16
scheduling activation 13-16
standard, adding 13-9
types 13-2
accessing the VPN Concentrator using SSL 30-3
accessing the VPN Concentrator using TKS1 30-3
ACEs
logging 13-18
ACL
group policy WebVPN filter 26-45
WebVPN username connections 26-63
ACL filter
username attribute 26-55
ACLs
IPSec 24-20
Active Directory procedures E-19 to E-23
Active/Active failover
about 11-9
actions 11-12
avoiding duplicate MAC addresses 11-10, 11-31
command replication 11-11
configuration synchronization 11-10
configuring
asymmetric routing support 11-31
cable-based failover 11-23
failover criteria 11-30
failover group preemption 11-29
HTTP replication 11-29
interface monitoring 11-30
interface poll times 11-30
LAN-based failover 11-25
prerequisites 11-23
unit poll times 11-30
virtual MAC addresses 11-30
device initialization 11-10
primary status 11-10
secondary status 11-10
triggers 11-11
Active/Standby failover
about 11-6
actions 11-8
command replication 11-7
configuration synchronization 11-6
configuring
cable-based 11-16
failover criteria 11-22
HTTP replication 11-21
interface monitoring 11-21
interface poll times 11-22
LAN-based 11-18
prerequisites 11-16
unit poll times 11-22
virtual MAC addresses 11-22
device initialization 11-6
primary unit 11-6
secondary unit 11-6
triggers 11-8
address
pool, configuring 28-4
range, subnets D-4
admin context
changing 5-5
overview 1-6, 3-1
administrative distance
about 8-2
Advanced Encryption Standard (AES) 24-3
AIP SSM
checking status 19-1, 19-13
configuration 19-2
initial setup 19-4
loading an image 19-14
overview 19-1
sending traffic to 19-2
alternate address, ICMP message D-15
application access
and e-mail proxy 30-50
and hosts file errors 30-18
and Web Access 30-50
configuring client applications 30-49
enabling cookies on browser 30-49
group policy WebVPN attribute 26-47
privileges 30-49
quitting properly 30-19, 30-49
re-enabling 30-19
setting up on client 30-49
username WebVPN attribute 26-64
using e-mail 30-50
with IMAP client 30-50
Application Access Panel, WebVPN 30-33
application inspection
applying 22-5
configuring 22-1, ??- 22-51
security level requirements 6-1
Application Profile Customization Framework 30-29
ARP
inspection
enabling 23-2
overview 23-1
static entry 23-2
test, failover 11-15
ARP inspection
configuring 23-1
overview 23-1
static ARP entry, adding 23-2
ARP spoofing 23-2
ASA 1-4
ASDM software
installing 34-3
ASR 11-31
See asymmetric routing support
asymmetric routing support 11-31
attributes
LDAP E-5
policy E-2
RADIUS E-26
username 26-53
attribute-value pairs (AVP) 26-19
authenticating
WebVPN users with digital certificates 30-15
authentication
FTP 16-2
HTTP 16-2
network access 16-1
overview 10-2
Telnet 16-2
web clients 16-4
authentication restrictions, WebVPN 30-4
authorization
network access 16-6
overview 10-2
Auto-MDI/MDIX 4-1
auto-signon
group policy WebVPN attribute 26-44
username WebVPN attribute 26-65
Auto-Update
configuring 34-9-??
B
backup device
load balancing 25-5
backup server attributes, group policy 26-35
Baltimore Technologies
CA server support 32-4
Bandwidth Limiting Traffic stream (BLT) 21-6
banner message, group policy 26-28
basic settings 7-1
BGP 13-6
bits subnet masks D-3
BPDUs
ACL, EtherType 13-8
bridge
entry timeout 23-3
table
See MAC address table
broadcast Ping test 11-15
C
CA
CRLs and 32-2
public key cryptography 32-1
revoked certificates 32-2
server support 32-4
supported servers 32-4
CA certificate validation, not done in WebVPN 30-2
caching 30-27
capturing packets 36-10
cascading ACLs 24-15
certificate authentication
e-mail proxy 30-26
certificate enrollment protocol 32-7
certificate group matching
configuring 24-9
rule and policy, creating 24-10
Certificate Revocation Lists
See CRLs
certification authority
See CA
changing between contexts 5-6
Cisco 32-4
Cisco IP Phones
application inspection 22-44
with DHCP 8-27
Cisco LDAP attributes E-5
Cisco-AV-Pair LDAP attributes E-14
Class A, B, and C addresses D-2
classification policy, traffic 21-2
classifying traffic for QoS 21-4
CLI
abbreviating commands C-3
adding comments C-5
command line editing C-3
command output paging C-5
displaying C-5
help C-4
paging C-5
syntax formatting C-3
client
VPN 3002 hardware, forcing client update 25-3
Windows, client update notification 25-3
client access rules, group policy 26-38
client firewall, group policy 26-36
client update, performing 25-3
cluster
load balancing configurations 25-7
mixed scenarios 25-8
cluster IP address, load balancing 25-6
cluster, virtual 25-5
command authorization
configuring 33-7
overview 33-7
command prompts C-2
comments
access lists 13-16
configuration C-5
configuration
clearing 2-4
comments C-5
context files 3-2
saving 2-3
text file 2-5
URL for a context 5-3
viewing 2-4
configuration mode
accessing 2-2
prompt C-2
connect time, maximum, username attribute 26-55
connection
blocking 20-6
connection limits
configuring 20-4
content transformation, WebVPN 30-28
contexts
resource usage 5-10
See security contexts
conversion error, ICMP message D-16
cookies, enabling for WebVPN 30-5
crash dump 36-10
crypto map
ACLs 24-20
applying to interfaces 24-20, 29-7
clearing configurations 24-28
creating an entry to use the dynamic crypto map 28-7
definition 24-12
dynamic 24-25
dynamic, creating 28-6
entries 24-12
examples 24-21
policy 24-13
crypto show commands 24-27
CSC SSM
checking status 19-1, 19-13
failover 19-7
getting started 19-7
loading an image 19-14
overview 19-5
sending traffic to 19-11
what to scan 19-9
CSD support A-8
customization
group policy WebVPN attribute 26-42
username WebVPN attribute 26-62
customizing login windows for WebVPN users 26-18
cut-through proxy 16-1
D
data flow
routed firewall 12-3
transparent firewall 12-12
debug messages 36-10
default
DefaultL2Lgroup 26-1
DefaultRAgroup 26-1
queue 21-2
tunnel group 24-11
default domain name, group policy 26-31
default group policy 26-1, 26-19
default LAN-to-LAN tunnel group 26-10
default remote access tunnel group, configuring 26-5
default routes
configuring 8-3
defining equal cost routes 8-3
overview 8-3
default tunnel group 26-2
delay-sensitive traffic, priority 21-6
deny flows, logging 13-20
deny in a crypto map 24-15
deny-message
group policy WebVPN attribute 26-42
username WebVPN attribute 26-62
DES
IKE policy keywords (table) 24-3
DfltGrpPolicy 26-20
DHCP
addressing, configuring 27-3
relay 8-28
server
Cisco IP Phones 8-27
configuring 8-24
overview 8-24
transparent firewall 13-6
Diffie-Hellman
Group 5 24-4
groups supported 24-4
digital certificates
authenticating WebVPN users 30-15
SSL 30-4
WebVPN authentication restrictions 30-4
directory hierarchy search E-4
disabling content rewrite 30-28
DMZ, definition 1-1
DNS
NAT effect on 14-14
DNS inspection
managing 22-10
overview 22-10
rewrite, configuring 22-12
rewrite, overview 22-11
DNS server, configuring 26-23
DNS, configuring for WebVPN 30-15
domain attributes, group policy 26-31
domain name 7-2
dotted decimal subnet masks D-3
downloadable access lists
configuring 16-8
converting netmask expressions 16-11
DSA keys
generating 32-5
dual IP stack
configuring 9-7
duplex, configuring 4-1
dynamic crypto map 24-25
creating 28-6
See also crypto map
dynamic NAT
See NAT
E
echo reply, ICMP message D-15
ECMP 8-2
editing command lines C-3
EIGRP 13-6
e-mail
closing the Outlook connection 30-27
configuring for WebVPN 30-25
proxies, WebVPN 30-25
WebVPN, configuring 30-25
e-mail proxy
and WebVPN 30-50
certificate authentication 30-26
enable
accessing 2-2
end-user interface, WebVPN, defining 30-32
Entrust
CA server support 32-4
ESP security protocol 24-2
established command
security level requirements 6-2
Ethernet
Auto-MDI/MDIX 4-1
duplex 4-1
speed 4-1
EtherType
assigned numbers 13-8
external group policy, configuring 26-21
F
failover
Active/Active, configuring 11-23
Active/Active, See Active/Active failover
Active/Standby, configuring 11-16
Active/Standby, See Active/Standby failover
configuration file
terminal messages 11-7
configuring 11-16
contexts 11-6
controlling 11-42
debug messages 11-44
disabling 11-43
displaying commands 11-41
encrypting failover communication 11-32
Ethernet failover cable 11-3
examples
Active/Active LAN-based failover 11-48
Active/Standby cable-based failover 11-45
Active/Standby LAN-based failover 11-46
failover link 11-3
forcing 11-42
health monitoring 11-14
interface health 11-15
interface monitoring 11-15
interface tests 11-15
licenses 11-2
link communications 11-3
MAC addresses 11-6
monitoring 11-14, 11-42
network tests 11-15
overview 11-1
primary unit 11-6
restoring a failed group 11-43
restoring a failed unit 11-43
secondary unit 11-6
serial cable 11-4
SNMP syslog traps 11-44
software versions 11-2
state link 11-4
Stateful Failover, See Stateful Failover
system messages 11-44
system requirements 11-2
testing 11-42
type selection 11-13
understanding 11-1
unit health 11-14
verifying the configuration 11-33
fast path 1-4
fiber interfaces 4-3
filter (ACL)
group policy WebVPN attribute 26-45
username WebVPN attribute 26-63
filtering
ActiveX 17-1
overview 17-1
security level requirements 6-1
servers supported 17-4
show command output C-4
URLs 17-4
firewall mode
configuring 2-2
overview 12-1
firewall policy, group policy 26-36
FO (failover) license 11-2
FO_AA license 11-2
fragment size
configuring 20-6
fragmentation policy, IPSec 24-8
FTP inspection
configuring 22-18
overview 22-18
functions
username WebVPN attribute 26-59
WebVPN group policy attribute 26-41
G
general attributes, tunnel group 26-2
general parameters, tunnel group 26-2
general tunnel-group connection parameters 26-2
generating
DSA keys 32-5
RSA keys 32-5
global addresses
recommendations 14-13
specifying 14-24
global e-mail proxy attributes 30-25
global IPSec SA lifetimes, changing 24-22
group policy
attributes 26-23
backup server attributes 26-35
client access rules 26-38
configuring 26-21
default domain name for tunneled packets 26-31
definition 26-1, 26-19
domain attributes 26-31
external, configuring 26-21
firewall policy 26-36
hardware client user idle timeout 26-33
internal, configuring 26-22
IP phone bypass 26-33
IPSec over UDP attributes 26-28
LEAP Bypass 26-34
network extension mode 26-34
security attributes 26-26
split tunneling attributes 26-29
split-tunneling domains 26-31
user authentication 26-32
VPN attributes 26-24
VPN hardware client attributes 26-32
webvpn attributes 26-40
WINS and DNS servers 26-23
group policy WebVPN attributes
application access 26-47
auto-signon 26-44
customization 26-42
deny-message 26-42
filter 26-45
home page 26-44
html-content filter 26-43
keep-alive-ignore 26-48
port forward 26-47
port-forward-name 26-47
sso-server 26-48
svc 26-48
url-list 26-45
group policy, default 26-19
group policy, secure unit authentication 26-32
group-lock
username attribute 26-57
GTP inspection
configuring 22-21
overview 22-21
H
H.225
timeouts 22-28
H.245
troubleshooting 22-29
H.323
troubleshooting 22-29, 22-30
H.323 inspection
configuring 22-27
limitations 22-28
overview 22-27
hairpinning 24-20
hardware client
group policy attributes 26-32
help, command line C-4
HMAC hashing method 24-3
homepage
group policy WebVPN attribute 26-44
username WebVPN attribute 26-61
hostname
configuring 7-2
hosts file
errors 30-18
WebVPN 30-18
hosts file, reconfiguring 30-19
hosts, subnet masks for D-3
HSRP 12-9
html-content-filter
group policy WebVPN attribute 26-43
username WebVPN attribute 26-61
HTTP
authentication 33-5
filtering 17-4
HTTP inspection
configuring 22-30
overview 22-30
HTTP/HTTPS Web VPN proxy, setting 30-5
HTTPS
for WebVPN sessions 30-3
hub-and-spoke 24-20
I
ICMP
testing connectivity 36-1
type numbers D-15
ID method for ISAKMP peers, determining 24-6
idle timeout
hardware client user, group policy 26-33
username attribute 26-55
IKE
benefits 24-3
creating policies 24-4
See also ISAKMP
IKE keepalive setting
tunnel group 26-3
ILS
application inspection 22-34
IM 22-42
inbound access lists 15-1
information
reply, ICMP message D-16
request, ICMP message D-16
inheritance
tunnel group 26-1
username attribute 26-54
inside, definition 1-1
inspection engines
overview 22-2
See application inspection
Instant Messaging
See IM
interfaces
configuring for remote access 28-2
configuring IPv6 on 9-2
duplex 4-1
enabled status 4-1, 4-2, 6-2
enabling 4-1, 4-2
failover monitoring 11-15
fiber 4-3
global addresses 14-24
IDs 4-2
naming 6-3
SFP 4-3
shared 3-6
speed 4-1
subinterfaces 4-3
viewing monitored interface status 11-41
internal group policy, configuring 26-22
Internet Security Association and Key Management Protocol
See ISAKMP
intrusion prevention configuration 19-2
IP addresses
classes D-2
configuring an assignment method 27-1
configuring for VPNs 27-1
configuring local IP address pools 27-2
management, transparent firewall 7-5
overlapping between contexts 3-4
private D-2
subnet mask D-4
IP phone bypass, group policy 26-33
IP spoofing
preventing 20-5
IPS configuration 19-2
IPSec
ACLs 24-20
basic configuration with static crypto maps 24-23
Cisco VPN Client 24-2
configuring 24-1, 24-11
crypto map entries 24-12
fragmentation policy 24-8
LAN-to-LAN configurations 24-2
over NAT-T, enabling 24-7
over TCP, enabling 24-8
overview 24-2
remote access configurations 24-2
SA lifetimes, changing 24-22
setting maximum active VPN sessions 25-3
tunnel 24-11
viewing configuration 24-27
IPSec over UDP, group policy, configuring attributes 26-28
IPSec parameters, tunnel group 26-3
IPSec remote-access tunnel group 26-6
IPv6
access lists 9-4
commands 9-1
configuring alongside IPv4 9-7
default route 9-4
dual IP stack 9-7
enabling 9-2
static routes 9-4
verifying 9-5
IPv6 addresses
anycast D-9
command support for 9-1
format D-5
multicast D-8
prefixes D-10
required D-10
types of D-6
unicast D-6
ISAKMP
configuring 24-1, 24-2
determining an ID method for peers 24-6
disabling in aggressive mode 24-6
enabling on the outside interface 24-6, 28-3
overview 24-3
policies, configuring 24-5
See also IKE
ISAKMP keepalive setting
tunnel group 26-3
J
Java applets
filtering 17-2
K
keep-alive-ignore
group policy WebVPN attribute 26-48
username WebVPN attribute 26-65
Kerberos
configuring 10-14
support 10-7
L
LAN-to-LAN tunnel group, configuring 26-10
latency 21-1, 21-8
reducing 21-9
Layer 2
forwarding table
See MAC address table
Layer 2 firewall
See transparent firewall
LDAP
AAA support 10-8
application inspection 22-34
attribute mapping 10-10
Cisco attributes E-5
Cisco-AV-pair E-14
configuring 10-14
configuring a AAA server E-2 to E-18
directory overview E-3
directory search E-4
example configuration procedures E-19 to E-23
hierarchy example E-3
permissions policy E-2
SASL 10-8
schema example E-15
schema loading E-18
schema planning E-3 to E-5
server configuration overview E-3
server type 10-9
user authentication 10-8
user authorization 10-9
user permissions E-18
LEAP Bypass, group policy 26-34
licenses
FO 11-2
FO_AA 11-2
managing 34-1
UR 11-2
link up/down test 11-15
LLQ
See low-latency queue
load balancing
cluster configurations 25-7
concepts 25-5
eligible clients 25-7
eligible platforms 25-7
implementing 25-6
mixed cluster scenarios 25-8
platforms 25-7
prerequisites 25-6
local user database
adding a user 10-13
configuring 10-13
logging in 33-6
support 10-11
lockout
recovery 33-15
logging
access lists 13-18
login
FTP 16-2
local user 33-6
login banner
configuring 33-16
login windows, customizing for WebVPN users 26-18
logins, simultaneous, username attribute 26-54
low-latency queue 21-2
applying 21-8
M
MAC address table 23-3
entry timeout 23-3
MAC learning, disabling 23-4
overview 12-12
static entry 23-3
MAC addresses, failover 11-6
MAC learning, disabling 23-4
management IP address, transparent firewall 7-5
man-in-the-middle attack 23-2
MAPI, configuring 30-26
mapped interface name 5-2
mask
reply, ICMP message D-16
request, ICMP message D-16
matching
command criteria for QoS 21-5
matching, certificate group 24-9
maximum active IPSec VPN sessions, setting 25-3
maximum connect time, username attribute 26-55
maximum object size to ignore, username WebVPN attribute 26-65
maximum sessions
IPSec 25-11
MD5
IKE policy keywords (table) 24-3
message-of-the-day banner 33-16
MGCP inspection
configuring 22-35
overview 22-36
MIBs 35-1
Microsoft Windows 2000 CA
supported 32-4
mixed cluster scenarios, load balancing 25-8
mobile redirection, ICMP message D-16
mode
context 3-10
monitoring
failover 11-14
OSPF 8-15
SNMP 35-1
More prompt C-5
MPLS
LDP 13-8
router-id 13-8
TDP 13-8
multicast traffic 12-9
multiple context mode 5-1
multiple mode, enabling 3-10
N
N2H2 filtering server
supported 17-4
URL for website 17-4
naming an interface 6-3
NAT
bypassing NAT
configuration 14-29
overview 14-9
DNS 14-14
dynamic NAT
configuring 14-22
implementation 14-16
overview 14-5
examples 14-32
exemption from NAT
configuration 14-31
overview 14-9
identity NAT
configuration 14-29
overview 14-9
NAT ID 14-16
order of statements 14-13
overlapping addresses 14-33
overview 14-1, 14-2
PAT
configuring 14-22
implementation 14-16
overview 14-6
policy NAT
overview 14-9
port redirection 14-34
RPC not supported with 22-49
same security level 14-12
security level requirements 6-2
static identity, configuring 14-30
static NAT
configuring 14-25
overview 14-7
static PAT
configuring 14-26
overview 14-7
transparent firewall 12-11
types 14-5
NAT-T
enabling IPSec over NAT-T 24-7
using 24-7
Netscape CMS
CA server support 32-4
Network Activity test 11-15
Network Address Translation
See NAT
network extension mode, group policy 26-34
networks, overlapping 14-33
NT server
configuring 10-14
support 10-7
NTLM support 10-7
O
object groups
nesting 13-13
removing 13-15
open ports D-14
OSPF
area authentication 8-10
area MD5 authentication 8-10
area parameters 8-10
authentication key 8-8
cost 8-8
dead interval 8-8
default route 8-13
displaying update packet pacing 8-14
enabling 8-5
hello interval 8-8
interface parameters 8-8
link-state advertisement 8-4
logging neighbor states 8-14
MD5 authentication 8-8
monitoring 8-15
NSSA 8-11
overview 8-4
packet pacing 8-14
processes 8-4
redistributing routes 8-5
route calculation timers 8-13
route map 8-6
route summarization 8-12
stub area 8-10
summary route cost 8-10
outbound access lists 15-1
Outlook connection, closing 30-27
Outlook Exchange proxy, configuring 30-26
Outlook Web Access (OWA) and WebVPN 30-50
outside, definition 1-1
P
packet
capture 36-10
classifier 3-3
flow, transparent firewall 12-12
packet flow
routed firewall 12-3
paging screen displays C-5
parameter problem, ICMP message D-15
password
username, setting 26-52
WebVPN 30-44
passwords
changing 7-1
recovery 36-6
password-storage, username attribute 26-57
PAT
static 14-26
PAT (Port Address Translation)
limitations 22-41
See also NAT
PDA support for WebVPN 30-24
peers
alerting before disconnecting 24-9
ISAKMP, determining ID method 24-6
performance, optimizing for WebVPN 30-27
permit in a crypto map 24-15
ping
See ICMP
PKI protocol 32-7
policing
flow within a tunnel 21-4
QoS 21-2
strict 21-6
verifying the configuration 21-13
policy NAT
dynamic, configuring 14-23
overview 14-9
static PAT, configuring 14-27
static, configuring 14-25
policy, QoS 21-1
policy-map
defining for QoS 21-5
use in QoS 21-7
pools
address
global NAT 14-24
pools, address
DHCP 8-25
Port Forwarding
configuring client applications 30-49
port forwarding
automatic applet download 30-17
port-forward