Table Of Contents
Symbols - Numerics - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Z
Index
Symbols
/bits subnet masks C-3
?
command string B-4
help B-4
Numerics
4GE SSM
connector types 6-2
fiber 6-3
SFP 6-3
support 1-2
802.1Q tagging 5-11
802.1Q trunk 6-7
A
AAA
about 14-1
accounting 21-14
addressing, configuring 33-2
authentication
CLI access 42-5
network access 21-1
privileged EXEC mode 42-6
authorization
command 42-8
downloadable access lists 21-10
network access 21-8
local database support 14-6
performance 21-1
server
adding 14-9
types 14-3
support summary 14-3
web clients 21-5
abbreviating commands B-3
Access Control Server 35-2, 35-5, 35-8
access hours, username attribute 32-77
accessing the security appliance using SSL 39-3
accessing the security appliance using TLS1 39-3
access list filter, username attribute 32-79
access lists
about 18-1
ACE logging, configuring 18-21
comments 18-19
deny flows, managing 18-23
downloadable 21-10
EtherType
adding 18-10
EtherType, adding 18-8
exemptions from posture validation 35-7
extended
about 18-5
adding 18-7
group policy WebVPN filter 32-69
implicit deny 18-3
inbound 20-1
interface, applying 20-2
IP address guidelines 18-3
IPsec 29-19
logging 18-21
NAT guidelines 18-3
Network Admission Control, default 35-6
object groups 18-19
outbound 20-1
phone proxy 27-9
remarks 18-19
scheduling activation 18-19
standard, adding 18-11
types 18-2
username for Clientless SSL VPN 32-85
Webtype
adding 18-11
access ports 5-9
ACEs
See access lists
Active/Active failover
about 15-11
actions 15-14
command replication 15-13
configuration synchronization 15-12
configuring
asymmetric routing support 15-37
cable-based failover 15-29
failover criteria 15-36
failover group preemption 15-35
HTTP replication 15-35
interface monitoring 15-36
LAN-based failover 15-31
prerequisites 15-29
virtual MAC addresses 15-36
device initialization 15-12
duplicate MAC addresses, avoiding 15-11, 15-37
primary status 15-12
secondary status 15-12
triggers 15-14
Active/Standby failover
about 15-7
actions 15-10
command replication 15-8
configuration synchronization 15-8
configuring
cable-based 15-21
failover criteria 15-28
HTTP replication 15-26
interface monitoring 15-27
interface poll times 15-41
LAN-based 15-23
prerequisites 15-21
unit poll times 15-41
virtual MAC addresses 15-28
device initialization 15-8
primary unit 15-7
secondary unit 15-7
triggers 15-10
Active Directory, settings for password management 32-27
Active Directory procedures D-14 to ??
Adaptive Security Algorithm 1-17
admin context
about 4-3
changing 7-16
administrative distance 10-3
Advanced Encryption Standard (AES) 29-3
AIP SSM
about 23-1
checking status 23-18
configuration 23-4
loading an image 23-19
sending traffic to 23-8
sessioning to 23-5
support 1-2
alternate address, ICMP message C-15
Application Access Panel, WebVPN 39-57
application access using Clientless SSL VPN
group policy attribute for Clientless SSL VPN 32-70
username attribute for Clientless SSL VPN 32-86
application access using WebVPN
and e-mail proxy 39-79
and hosts file errors 39-44
and Web Access 39-79
configuring client applications 39-78
enabling cookies on browser 39-78
privileges 39-78
quitting properly 39-45
setting up on client 39-78
using e-mail 39-79
with IMAP client 39-79
application inspection
about 26-2
applying 26-5
configuring 26-5
inspection class map 16-12
inspection policy map 16-9
security level requirements 8-1
special actions 16-8
Application Profile Customization Framework 39-54
ARP inspection
about 28-1
enabling 28-2
static entry 28-2
ARP spoofing 28-2
ARP test, failover 15-19
ASA (Adaptive Security Algorithm) 1-17
ASA 5505
Base license 5-2
client
authentication 36-12
configuration restrictions, table 36-2
device pass-through 36-8
group policy attributes pushed to 36-10
mode 36-3
remote management 36-9
split tunneling 36-8
TCP 36-4
trustpoint 36-7
tunnel group 36-7
tunneling 36-5
Xauth 36-4
interfaces, about 5-1
MAC addresses 5-4
maximum VLANs 5-2
native VLAN support 5-11
non-forwarding interface 5-6
power over Ethernet 5-4
protected switch ports 5-9
Security Plus license 5-2
server (headend) 36-1
SPAN 5-4
Spanning Tree Protocol, unsupported 5-9
VLAN interface configuration 5-5
ASDM software
allowing access 42-3
installing 43-2
ASR 15-37
asymmetric routing support 15-37
attributes
RADIUS D-27
username 32-77
attribute-value pairs
TACACS+ D-35
attribute-value pairs (AVP) 32-36
authentication
about 14-2
ASA 5505 as Easy VPN client 36-12
CLI access 42-5
FTP 21-3
HTTP 21-2
network access 21-1
privileged EXEC mode 42-6
restrictions, WebVPN 39-6
Telnet 21-2
web clients 21-5
WebVPN users with digital certificates 39-21
authorization
about 14-2
command 42-8
downloadable access lists 21-10
network access 21-8
Auto-MDI/MDIX 6-2
auto-signon
group policy attribute for Clientless SSL VPN 32-68
username attribute for Clientless SSL VPN 32-87
Auto-Update, configuring 43-19
B
backup device, load balancing 31-6
backup server attributes, group policy 32-53
Baltimore Technologies, CA server support 41-5
banner message, group policy 32-46
basic threat detection
See threat detection
bits subnet masks C-3
Black Ice firewall 32-62
BPDUs
ACL, EtherType 18-10
BPDUs, EtherType access list 18-10
bridge
entry timeout 28-4
table, See MAC address table
broadcast Ping test 15-19
bypass authentication 36-8
C
CA
certificate validation, not done in WebVPN 39-2
CRs and 41-2
public key cryptography 41-1
revoked certificates 41-2
server support 41-5
supported servers 41-5
caching 39-52
capturing packets 45-12
cascading access lists 29-15
certificate
authentication, e-mail proxy 39-51
Cisco Unified Mobility 27-56
Cisco Unified Presence 27-61
enrollment protocol 41-7
group matching
configuring 29-9
rule and policy, creating 29-9
Certificate Revocation Lists
See CRLs
certificates
phone proxy 27-17
required by phone proxy 27-18
certification authority
See CA
changing between contexts 7-14
Cisco-AV-Pair LDAP attributes D-12
Cisco Integrated Firewall 32-61
Cisco IP Communicator 27-24
Cisco IP Phones
DHCP 11-4
Cisco IP Phones, application inspection 26-75
Cisco Security Agent 32-61
Cisco Trust Agent 35-8
Cisco UMA. See Cisco Unified Mobility.
Cisco Unified Mobility
architecture 27-53
ASA role 27-2, 27-3
certificate 27-56
functionality 27-52
NAT and PAT requirements 27-54, 27-55
sample configuration 27-75
trust relationship 27-56
Cisco Unified Presence
ASA role 27-2, 27-3
configuring the TLS Proxy 27-62
debugging the TLS Proxy 27-64
NAT and PAT requirements 27-60
sample configuration 27-78
trust relationship 27-61
Cisco UP. See Cisco Unified Presence.
Class A, B, and C addresses C-1
class-default class map 16-5
classes, logging
filtering messages by 44-18
message class variables 44-18, E-5
types 44-18, E-5
classes, MPF
See class map
classes, resource
See resource management
class map
inspection 16-12
Layer 3/4
management traffic 16-7
match commands 16-5
through traffic 16-5
regular expression 16-16
CLI
abbreviating commands B-3
adding comments B-7
command line editing B-3
command output paging B-6
displaying B-6
help B-4
paging B-6
syntax formatting B-3
client
VPN 3002 hardware, forcing client update 31-4
Windows, client update notification 31-4
client access rules, group policy 32-63
client firewall, group policy 32-60
clientless authentication 35-8
Clientless SSL VPN
configuring for specific users 32-81
client mode 36-3
client update, performing 31-4
cluster
IP address, load balancing 31-6
load balancing configurations 31-7
mixed scenarios 31-8
virtual 31-6
command authorization
about 42-9
configuring 42-8
multiple contexts 42-10
command prompts B-2
comments
access lists 18-19
configuration B-7
configuration
clearing 2-9
comments B-7
factory default
commands 2-1
restoring 2-2
saving 2-6
text file 2-9
URL for a context 7-9
viewing 2-8
configuration mode
accessing 2-5
prompt B-2
connection blocking 24-22
connection limits
configuring 24-17
per context 7-6
connect time, maximum, username attribute 32-79
console port logging 44-10
content transformation, WebVPN 39-52
contexts
See security contexts
conversion error, ICMP message C-16
cookies, enabling for WebVPN 39-7
CRACK protocol 29-27
crash dump 45-13
crypto map
access lists 29-19
applying to interfaces 29-19, 38-7
clearing configurations 29-27
creating an entry to use the dynamic crypto map 34-7
definition 29-12
dynamic 29-24
dynamic, creating 34-6
entries 29-12
examples 29-20
policy 29-13
crypto show commands 29-26
CSC SSM
about 23-10
checking status 23-18
failover 23-11
getting started 23-12
loading an image 23-19
sending traffic to 23-16
support 1-2
what to scan 23-13
custom firewall 32-62
customization, Clientless SSL VPN
group policy attribute 32-66
login windows for users 32-27
username attribute 32-83
username attribute for Clientless SSL VPN 32-23
cut-through proxy 21-1
D
data flow
routed firewall 17-1
transparent firewall 17-11
DDNS 11-6
debugging IPSec 30-9
debug messages 45-12
default
class 7-3
DefaultL2Lgroup 32-1
DefaultRAgroup 32-1
domain name, group policy 32-49
group policy 32-1, 32-36
LAN-to-LAN tunnel group 32-16
remote access tunnel group, configuring 32-7
routes, defining equal cost routes 10-4
tunnel group 29-11, 32-2
default configuration
commands 2-1
restoring 2-2
default policy 16-3
default routes
about 10-4
configuring 10-4
deleting files from Flash 43-2
deny flows, logging 18-23
deny in a crypto map 29-15
deny-message
group policy attribute for Clientless SSL VPN 32-66
username attribute for Clientless SSL VPN 32-84
DES, IKE policy keywords (table) 29-3
device ID, including in messages 44-20
device pass-through, ASA 5505 as Easy VPN client 36-8
DfltGrpPolicy 32-37
DHCP
addressing, configuring 33-3
Cisco IP Phones 11-4
options 11-3
relay 11-5
server 11-1, 11-2
transparent firewall 18-6
DHCP Intercept, configuring 32-50
Diffie-Hellman
Group 5 29-4
groups supported 29-4
DiffServ preservation 25-5
digital certificates
authenticating WebVPN users 39-21
SSL 39-6
WebVPN authentication restrictions 39-6
directory hierarchy search D-4
disabling content rewrite 39-53
disabling messages, specific message IDs 44-22
DMZ, definition 1-14
DNS
dynamic 11-6
inspection
about 26-14
managing 26-14
rewrite, about 26-15
rewrite, configuring 26-16
NAT effect on 19-17
server, configuring 32-40
domain attributes, group policy 32-48
domain name 9-2
dotted decimal subnet masks C-3
downloadable access lists
configuring 21-10
converting netmask expressions 21-14
DSCP preservation 25-5
DUAL 10-25
dual IP stack, configuring 13-4
dual-ISP support 10-5
duplex, configuring 6-2
dynamic crypto map 29-24
creating 34-6
See also crypto map
Dynamic DNS 11-6
dynamic NAT
See NAT
E
Easy VPN
client
authentication 36-12
configuration restrictions, table 36-2
enabling and disabling 36-1
group policy attributes pushed to 36-10
mode 36-3
remote management 36-9
trustpoint 36-7
tunnels 36-9
Xauth 36-4
server (headend) 36-1
Easy VPN client
ASA 5505
device pass-through 36-8
split tunneling 36-8
TCP 36-4
tunnel group 36-7
tunneling 36-5
echo reply, ICMP message C-15
ECMP 10-3
editing command lines B-3
egress VLAN for VPN sessions 32-43
EIGRP 18-6
configuring 10-26
DUAL algorithm 10-25
hello interval 10-30
hello packets 10-25
hold time 10-25, 10-30
neighbor discovery 10-25
Overview 10-25
stub routing 10-27
stuck-in-active 10-25
e-mail
configuring for WebVPN 39-50
proxies, WebVPN 39-50
proxy, certificate authentication 39-51
WebVPN, configuring 39-50
EMBLEM format, using in logs 44-21
enable command 2-5
end-user interface, WebVPN, defining 39-56
Enterprises 11-4
Entrust, CA server support 41-5
established command, security level requirements 8-2
Ethernet
Auto-MDI/MDIX 6-2
duplex 6-2
speed 6-2
EtherType
assigned numbers 18-10
See also access lists
external group policy, configuring 32-38
F
facility, syslog 44-9
factory default configuration
commands 2-1
restoring 2-2
failover
about 15-1
Active/Active, configuring 15-29
Active/Active, See Active/Active failover
Active/Standby, configuring 15-21
Active/Standby, See Active/Standby failover
configuration file
terminal messages, Active/Active 15-12
terminal messages, Active/Standby 15-8
configuring 15-20
contexts 15-7
controlling 15-51
debug messages 15-53
disabling 15-52
displaying commands 15-50
encrypting failover communication 15-41
Ethernet failover cable 15-4
examples
Active/Active LAN-based failover A-25, A-30
Active/Standby cable-based failover A-34, A-35
Active/Standby LAN-based failover A-24, A-28
failover link 15-3
forcing 15-51
health monitoring 15-18
interface health 15-18
interface monitoring 15-18
interface tests 15-18
licenses 15-3
link communications 15-3
MAC addresses
about 15-7
automatically assigning 7-12
monitoring, configuration 15-51
monitoring, health 15-18
network tests 15-19
primary unit 15-7
redundant interfaces 6-5
restoring a failed group 15-52
restoring a failed unit 15-52
secondary unit 15-7
serial cable 15-4
SNMP syslog traps 15-53
software versions 15-3
Stateful Failover, See Stateful Failover
state link 15-5
subsecond 15-41
system log messages 15-53
system requirements 15-2
testing 15-51
type selection 15-15
understanding 15-1
unit health 15-18
verifying the configuration 15-42
fast path 1-18
fiber interfaces 6-3
filter (access list)
group policy attribute for Clientless SSL VPN 32-69
username attribute for Clientless SSL VPN 32-85
filtering
about 22-1
ActiveX 22-2
FTP 22-9
Java applets 22-3
security level requirements 8-2
servers supported 22-4
show command output B-4
URLs 22-4
firewall
Black Ice 32-62
Cisco Integrated 32-61
Cisco Security Agent 32-61
custom 32-62
Network Ice 32-62
none 32-62
Sygate personal 32-62
Zone Labs 32-62
firewall mode
about 17-1
configuring 2-5
firewall policy, group policy 32-60
Flash memory
removing files 43-2
FO (failover) license 15-3
FO_AA license 15-3
format of messages 44-24
fragmentation policy, IPsec 29-7
fragment protection 1-15
fragment size 24-22
FTP inspection
about 26-28
configuring 26-27
G
general attributes, tunnel group 32-3
general parameters, tunnel group 32-3
general tunnel-group connection parameters 32-3
generating RSA keys 41-6
global addresses
recommendations 19-16
specifying 19-26
global e-mail proxy attributes 39-50
global IPsec SA lifetimes, changing 29-21
group-lock, username attribute 32-80
group policy
address pools 32-60
attributes 32-40
backup server attributes 32-53
client access rules 32-63
configuring 32-38
default domain name for tunneled packets 32-49
definition 32-1, 32-36
domain attributes 32-48
Easy VPN client, attributes pushed to ASA 5505 36-10
external, configuring 32-38
firewall policy 32-60
hardware client user idle timeout 32-51
internal, configuring 32-39
IP phone bypass 32-52
IPSec over UDP attributes 32-46
LEAP Bypass 32-52
network extension mode 32-53
security attributes 32-44
split tunneling attributes 32-47
split-tunneling domains 32-49
user authentication 32-51
VPN attributes 32-41
VPN hardware client attributes 32-50
webvpn attributes 32-65
WINS and DNS servers 32-40
group policy, default 32-36
group policy, secure unit authentication 32-50
group policy attributes for Clientless SSL VPN
application access 32-70
auto-signon 32-68
customization 32-66
deny-message 32-66
filter 32-69
home page 32-68
html-content filter 32-67
keep-alive-ignore 32-71
port forward 32-70
port-forward-name 32-71
sso-server 32-72
svc 32-73
url-list 32-69
GTP inspection
about 26-33
configuring 26-33
H
H.225 timeouts 26-44
H.245 troubleshooting 26-45
H.323
transparent firewall guidelines 17-8
H.323 inspection
about 26-39
configuring 26-39
limitations 26-41
troubleshooting 26-45
hairpinning 29-19
hardware client, group policy attributes 32-50
help, command line B-4
HMAC hashing method 29-3
hold-period 35-11
homepage
group policy attribute for Clientless SSL VPN 32-68
username attribute for Clientless SSL VPN 32-83
hostname
configuring 9-2
in banners 9-2
multiple context mode 9-2
hosts, subnet masks for C-3
hosts file
errors 39-44
reconfiguring 39-46
WebVPN 39-45
HSRP 17-8
html-content-filter
group policy attribute for Clientless SSL VPN 32-67
username attribute for Clientless SSL VPN 32-82
HTTP(S)
authentication 42-6
filtering 22-4
HTTP/HTTPS Web VPN proxy, setting 39-7
HTTP compression, Clientless SSL VPN, enabling 32-72, 32-88
HTTP inspection
about 26-46
configuring 26-46
HTTP redirection for login, Easy VPN client on the ASA 5505 36-12
HTTPS for WebVPN sessions 39-3, 39-4
hub-and-spoke VPN scenario 29-19
I
ICMP
testing connectivity 45-1
type numbers C-15
idle timeout
hardware client user, group policy 32-51
username attribute 32-78
ID method for ISAKMP peers, determining 29-6
IKE
benefits 29-2
creating policies 29-4
keepalive setting, tunnel group 32-4
pre-shared key, Easy VPN client on the ASA 5505 36-7
See also ISAKMP
ILS inspection 26-54
IM 26-69
inbound access lists 20-1
Individual user authentication 36-12
information reply, ICMP message C-15
information request, ICMP message C-15
inheritance
tunnel group 32-1
username attribute 32-77
inside, definition 1-14
inspection_default class-map 16-4
inspection engines
See application inspection
Instant Messaging inspection 26-69
intercept DHCP, configuring 32-50
interfaces
ASA 5505
about 5-1
enabled status 5-9
IP address 5-7
MAC addresses 5-4
maximum VLANs 5-2
non-forwarding 5-6
protected switch ports 5-9
switch port configuration 5-9
trunk ports 5-11
VLAN interface configuration 5-5
configuring for remote access 34-2
configuring IPv6 on 13-3
duplex 6-2
enabled status 6-2
enabling 6-3
failover monitoring 15-18
fiber 6-3
global addresses 19-26
IDs 6-2, 8-4
IP address 8-5
MAC addresses
automatically assigning 7-11
manually assigning to interfaces 8-5
mapped name 7-8
naming, physical and subinterface 8-4
naming, VLAN 5-6
redundant 6-4
SFP 6-3
speed 6-2
subinterfaces 6-7
viewing monitored interface status 15-50
internal group policy, configuring 32-39
Internet Security Association and Key Management Protocol
See ISAKMP
intrusion prevention configuration 23-4
IP addresses
ASA 5505 5-7
classes C-1
configuring an assignment method for remote access clients 33-1
configuring for VPNs 33-1
configuring local IP address pools 33-2
interface 8-5
management, transparent firewall 9-5
private C-2
subnet mask C-4
IP phone 36-8
phone proxy provisioning 27-13
IP phone bypass, group policy 32-52
IP phones
addressing requirements for phone proxy 27-11
supported for phone proxy 27-12
IPS configuration 23-4
IPSec
anti-replay window 25-12
enabling debug 30-9
modes 30-2
over UDP, group policy, configuring attributes 32-46
remote-access tunnel group 32-8
setting maximum active VPN sessions 31-3
IPsec
access list 29-19
basic configuration with static crypto maps 29-22
Cisco VPN Client 29-2
configuring 29-1, 29-11
crypto map entries 29-12
fragmentation policy 29-7
over NAT-T, enabling 29-7
over TCP, enabling 29-8
SA lifetimes, changing 29-21
tunnel 29-11
viewing configuration 29-26
IPSec parameters, tunnel group 32-4
ipsec-ra, creating an IPSec remote-access tunnel 32-8
IP spoofing, preventing 24-21
IPv6
access lists 13-6
commands 13-1
configuring alongside IPv4 13-4
default route 13-5
dual IP stack 13-4
duplicate address detection 13-4
enabling 13-3
neighbor discovery 13-7
router advertisement messages 13-9
static neighbor 13-11
static routes 13-5
verifying 13-11
IPv6 addresses
anycast C-9
command support for 13-1
format C-5
multicast C-8
prefixes C-10
required C-10
types of C-6
unicast C-6
IPv6 VPN
access, enabling with CLI 32-12
ISAKMP
about 29-2
configuring 29-1, 29-2
determining an ID method for peers 29-6
disabling in aggressive mode 29-6
enabling on the outside interface 29-6, 34-3
keepalive setting, tunnel group 32-4
policies, configuring 29-5
See also IKE
J
Java applets, filtering 22-2
Java object signing 39-53
java-trustpoint 39-53
jumbo frames
Ethernet 5-1, 6-1
K
keep-alive-ignore
group policy attribute for Clientless SSL VPN 32-71
username attribute for Clientless SSL VPN 32-87
Kerberos
configuring 14-9
support 14-6
L
L2TP description 30-1
LAN-to-LAN tunnel group, configuring 32-16
latency
about 25-1
configuring 25-2, 25-3
reducing 25-7
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
Layer 2 Tunneling Protocol 30-1
Layer 3/4
matching multiple policy maps 16-21
LCS Federation Scenario 27-60
LDAP
AAA support 14-12
application inspection 26-54
attribute mapping 14-15
Cisco-AV-pair D-12
configuring 14-9
configuring a AAA server D-3 to ??
directory search D-4
example configuration procedures D-14 to ??
hierarchy example D-4
SASL 14-13
server type 14-13
user authentication 14-13
user authorization 14-14
LEAP Bypass, group policy 32-52
licenses
Cisco Unified Communications Proxy features 27-4
FO 15-3
FO_AA 15-3
managing 3-1
UR 15-3
link up/down test 15-18
LLQ
See low-latency queue
load balancing
cluster configurations 31-7
concepts 31-6
eligible clients 31-7
eligible platforms 31-7
implementing 31-6
mixed cluster scenarios 31-8
platforms 31-7
prerequisites 31-7
local user database
adding a user 14-8
configuring 14-7
logging in 42-7
support 14-6
lockout recovery 42-19
log buffer
save to internal Flash 44-15
send to FTP server 44-15
logging
access lists 18-21
classes
filtering messages by 44-17
types 44-18, E-5
device-id, including in system log messages 44-20
e-mail
configuring as output destination 44-10
destination address 44-11
source address 44-11
EMBLEM format 44-21
facility option 44-9
filtering
by message class 44-18
by message list 44-18
by severity level 44-6
logging queue, configuring 44-20
output destinations
ASDM 44-11
console port 44-10
email address 44-10
internal buffer 44-6
SNMP 44-5
syslog server
configuring as output destination 44-8
Telnet or SSH session 44-6
queue
changing the size of 44-20
configuring 44-20
viewing queue statistics 44-20
severity level
changing 44-22
severity level, changing 44-22
timestamp, including 44-20
login
banner, configuring 42-20
console 2-5
enable 2-5
FTP 21-3
global configuration mode 2-5
local user 42-7
password 9-1
simultaneous, username attribute 32-78
SSH 42-3
Telnet 9-1
windows, customizing for users of Clientless SSL VPN sessions 32-27
low-latency queue
applying 25-2, 25-3
M
MAC address
redundant interfaces 6-5
MAC addresses
ASA 5505 5-4
ASA 5505 device pass-through 36-8
automatically assigning 7-11
failover 15-7
manually assigning to interfaces 8-5
security context classification 4-4
MAC address table
about 17-11
built-in-switch 28-3
entry timeout 28-4
MAC learning, disabling 28-4
resource management 7-6
static entry 28-3
MAC learning, disabling 28-4
management IP address, transparent firewall 9-5
man-in-the-middle attack 28-2
mapped interface name 7-8
mask
reply, ICMP message C-16
request, ICMP message C-15
match commands
inspection class map 16-10
Layer 3/4 class map 16-5
matching, certificate group 29-9
maximum active IPSec VPN sessions, setting 31-3
maximum connect time, username attribute 32-79
maximum object size to ignore, username attribute for Clientless SSL VPN 32-87
maximum sessions, IPSec 31-13
MD5, IKE policy keywords (table) 29-3
media termination address, criteria 27-9
message list
filtering by 44-18
message-of-the-day banner 42-20
messages, logging
classes
about 44-17
list of 44-18, E-5
component descriptions 44-24
filtering by message list 44-18
format of 44-24
message list, creating 44-18
severity levels 44-25
metacharacters, regular expression 16-13, B-5
MGCP inspection
about 26-55
configuring 26-55
MIBs 44-1
Microsoft Access Proxy 27-59
Microsoft Active Directory, settings for password management 32-27
Microsoft Internet Explorer client parameters, configuring 32-54
Microsoft Windows 2000 CA, supported 41-5
mixed cluster scenarios, load balancing 31-8
mixed-mode Cisco UCM cluster, configuring for phone proxy 27-19
MMP inspection 27-52
mobile redirection, ICMP message C-16
mode
context 4-10
firewall 2-5
Modular Policy Framework
See MPF
monitoring
failover 15-18
OSPF 10-19
resource management 7-19
SNMP 44-1
monitoring devices with CS-MARS E-3
monitoring switch traffic, ASA 5505 5-4
More prompt B-6
MPF
about 16-1
default policy 16-3
examples 16-24
feature directionality 16-18
features 16-1
flows 16-21
matching multiple policy maps 16-21
service policy, applying 16-23
See also class map
See also policy map
MPLS
LDP 18-10
router-id 18-10
TDP 18-10
MSIE client parameters, configuring 32-54
MTU size, Easy VPN client, ASA 5505 36-5
multicast traffic 17-8
multiple context mode
See security contexts
N
NAC
See Network Admission Control
naming an interface
ASA 5505 5-6
other models 8-4
NAT
about 19-1
bypassing NAT
about 19-11
configuration 19-32
DNS 19-17
dynamic NAT
about 19-6
configuring 19-25
implementation 19-19
examples 19-36
exemption from NAT
about 19-11
configuration 19-35
identity NAT
about 19-11
configuration 19-32
NAT ID 19-19
order of statements 19-16
overlapping addresses 19-36
PAT
about 19-8
configuring 19-25
implementation 19-19
policy NAT
about 19-11
port redirection 19-38
RPC not supported with 26-81
same security level 19-15
security level requirements 8-2
static identify, configuring 19-33
static NAT
about 19-9
configuring 19-28
static PAT
about 19-9
configuring 19-29
transparent mode 19-3
types 19-6
native VLAN support 5-11
NAT-T
enabling IPsec over NAT-T 29-7
using 29-7
Netscape CMS, CA server support 41-5
Network Activity test 15-19
Network Admission Control
Access Control Server 35-5
ACL, default 35-6
clientless authentication 35-8
configuring 32-56
exemptions 35-7
port 35-10
retransmission retries 35-11
retransmission retry timer 35-10
revalidation timer 35-6
session reinitialization timer 35-11
uses, requirements, and limitations 35-1
network extension mode 36-3
network extension mode, group policy 32-53
Network Ice firewall 32-62
networks, overlapping 19-36
Nokia VPN Client 29-27
non-secure Cisco UCM cluster, configuring phone proxy 27-13
NTLM support 14-6
NT server
configuring 14-9
support 14-6
O
object groups
nesting 18-16
removing 18-19
open ports C-14
operating systems, posture validation exemptions 35-7
OSPF
about 10-9
area authentication 10-14
area MD5 authentication 10-14
area parameters 10-14
authentication key 10-12
cost 10-12
dead interval 10-12
default route 10-17
displaying update packet pacing 10-19
enabling 10-10
hello interval 10-12
interface parameters 10-12
link-state advertisement 10-9
logging neighbor states 10-18
MD5 authentication 10-12
monitoring 10-19
NSSA 10-15
packet pacing 10-19
processes 10-9
redistributing routes 10-10
route calculation timers 10-18
route map 10-7
route summarization 10-16
stub area 10-14
summary route cost 10-14
outbound access lists 20-1
Outlook Web Access (OWA) and WebVPN 39-79
output destinations 44-6
e-mail address 44-6, 44-10
SNMP management station 44-6
specifying 44-10
syslog server 44-6, 44-8
Telnet or SSH session 44-6
viewing logs 44-8
outside, definition 1-14
oversubscribing resources 7-2
P
packet
capture 45-12
classifier 4-3
packet flow
routed firewall 17-1
transparent firewall 17-11
paging screen displays B-6
parameter problem, ICMP message C-15
password
resetting on SSM hardware module 45-10
password management, Active Directory settings 32-27
passwords
changing 9-1
clientless authentication 35-9
recovery 45-6
security appliance 9-1
username, setting 32-76
WebVPN 39-74
password-storage, username attribute 32-81
PAT
Easy VPN client mode 36-3
See also NAT
static 19-29
PDA support for WebVPN 39-50
peers
alerting before disconnecting 29-9
ISAKMP, determining ID method 29-6
performance, optimizing for WebVPN 39-52
permit in a crypto map 29-15
phone proxy
access lists 27-9
ASA role 27-3
certificates 27-17
Cisco IP Communicator 27-24
Cisco UCM supported versions 27-12
configuration prerequisites 27-9
configuring mixed-mode Cisco UCM cluster 27-19
configuring non-secure Cisco UCM cluster 27-13
event recovery 27-41
IP phone addressing 27-11
IP phone provisioning 27-13
IP phones supported 27-12
Linksys routers, configuring 27-24
NAT and PAT requirements 27-10
ports 27-10
rate limiting 27-25
required certificates 27-18
sample configurations 27-65
SAST keys 27-41
TLS Proxy on ASA, described 27-3
troubleshooting 27-26
ping
See ICMP
PKI protocol 41-7
PoE 5-4
policing
flow within a tunnel 25-9
policy, QoS 25-1
policy map
inspection 16-9
Layer 3/4
about 16-17
adding 16-22
default policy 16-21
feature directionality 16-18
flows 16-21
policy NAT
about 19-11
dynamic, configuring 19-25
static, configuring 19-28
static PAT, configuring 19-30
pools, address
DHCP 11-2
global NAT 19-26
port-forward
group policy attribute for Clientless SSL VPN 32-70
username attribute for Clientless SSL VPN 32-86
port forwarding
configuring client applications 39-78
port-forward-name
group policy attribute for Clientless SSL VPN 32-71
username attribute for Clientless SSL VPN 32-87
ports
open on device C-14
phone proxy 27-10
redirection, NAT 19-38
TCP and UDP C-11
posture validation
exemptions 35-7
port 35-10
revalidation timer 35-6
uses, requirements, and limitations 35-1
power over Ethernet 5-4
PPPoE, configuring 37-1 to 37-5
pre-shared key, Easy VPN client on the ASA 5505 36-7
primary unit, failover 15-7
printers 36-8
private networks C-2
privileged EXEC mode, accessing 2-5
privileged mode
accessing 2-5
prompt B-2
privilege level, username, setting 32-76
prompts
command B-2
more B-6
protocol numbers and literal values C-11
proxy
See e-mail proxy
proxy bypass 39-53
proxy servers
SIP and 26-69
public key cryptography 41-1
Q
QoS
about 25-1, 25-3
DiffServ preservation 25-5
DSCP preservation 25-5
feature interaction 25-4
policies 25-1
priority queueing
IPSec anti-replay window 25-12
statistics 25-13
token bucket 25-2
traffic shaping
overview 25-4
viewing statistics 25-13
Quality of Service
See QoS
question mark
command string B-4
help B-4
queue, logging
changing the size of 44-20
viewing statistics 44-20
queue, QoS
latency, reducing 25-7
limit 25-2, 25-3
R
RADIUS
attributes D-27
Cisco AV pair D-12
configuring a AAA server D-27
configuring a server 14-9
downloadable access lists 21-10
network access authentication 21-3
network access authorization 21-10
support 14-4
RAS, H.323 troubleshooting 26-45
rate limiting 25-3
rate limiting, phone proxy 27-25
RealPlayer 26-65
reboot, waiting until active sessions end 29-8
redirect, ICMP message C-15
redundancy, in site-to-site VPNs, using crypto maps 29-26
redundant interfaces
configuring 6-6
failover 6-5
MAC address 6-5
setting the active interface 6-7
Registration Authority description 41-2
regular expression 16-13
reloading
context 7-17
security appliance 45-6
remarks 18-19
remote access
configuration summary 34-1
IPSec tunnel group, configuring 32-8
restricting 32-80
tunnel group, configuring default 32-7
user, adding 34-4
VPN, configuring 34-1
remote management, ASA 5505 36-9
resetting the SSM hardware module password 45-10
resource management
about 7-2
assigning a context 7-10
class 7-4
configuring 7-1
default class 7-3
monitoring 7-19
oversubscribing 7-2
resource types 7-6
unlimited 7-2
resource usage 7-22
retransmission retries, Network Admission Control 35-11
retransmission retry timer, Network Admission Control 35-10
revalidation timer, Network Admission Control 35-6
revoked certificates 41-2
rewrite, disabling 39-53
RIP
about 10-20
enabling 10-21
routed mode
about 17-1
setting 2-5
route maps
defining 10-7
uses 10-7
router
advertisement, ICMP message C-15
solicitation, ICMP message C-15
routes
about default 10-4
about static 10-2
configuring default routes 10-4
configuring IPv6 default 13-5
configuring IPv6 static 13-5
configuring static routes 10-3
routing
OSPF 10-20
other protocols 18-6
RS-232 cable
See failover 15-4
RSA
KEON, CA server support 41-5
keys, generating 41-6, 42-2
signatures, IKE authentication method 41-2
RTSP inspection
about 26-65
configuring 26-65
running configuration
copying 43-8
saving 2-6
S
same security level communication
enabling 8-7
NAT 19-15
SAs, lifetimes 29-21
SAST keys 27-41
SCCP (Skinny) inspection
about 26-75
configuration 26-75
configuring 26-75
SDI
configuring 14-9
support 14-5
secondary device, virtual cluster 31-6
secondary unit, failover 15-7
secure unit authentication 36-12
secure unit authentication, group policy 32-50
security, WebVPN 39-2, 39-8
Security Agent, Cisco 32-61
security appliance
CLI B-1
connecting to 2-4
CS-MARS interoperability E-1
managing licenses 3-1
managing the configuration 2-6
reloading 45-6
upgrading software 43-2
viewing files in Flash memory 43-1
security association
clearing 29-26
See also SAs
security attributes, group policy 32-44
security contexts
about 4-1
adding 7-7
admin context
about 4-3
changing 7-16
assigning to a resource class 7-10
cascading 4-8
changing between 7-14
classifier 4-3
command authorization 42-10
configuration
URL, changing 7-16
URL, setting 7-9
logging in 4-9
MAC addresses
automatically assigning 7-11
classifying using 4-4
managing 7-1, 7-15
mapped interface name 7-8
monitoring 7-18
multiple mode, enabling 4-10
nesting or cascading 4-9
prompt B-2
reloading 7-17
removing 7-15
resource management 7-2
resource usage 7-22
saving all configurations 2-7
unsupported features 4-2
VLAN allocation 7-7
security level
about 8-1
interface 8-4
interface, ASA 5505 5-6
serial cable
See failover
server group 35-5
service policy
applying 16-23
default 16-24
global 16-24
interface 16-24
session management path 1-17
session reinitialization timer, Network Admission Control 35-11
severity levels, of system log messages
changing 44-6
filtering by 44-6
list of 44-25
severity levels, of system messages
definition 44-25
SHA, IKE policy keywords (table) 29-3
show command, filtering output B-4
simultaneous logins, username attribute 32-78
single mode
backing up configuration 4-10
configuration 4-10
enabling 4-10
restoring 4-11
single sign-on
See SSO
single-signon
group policy attribute for Clientless SSL VPN 32-72
username attribute for Clientless SSL VPN 32-88
SIP inspection
about 26-69
configuring 26-68
instant messaging 26-69
timeouts 26-74
troubleshooting 26-74
site-to-site VPNs, redundancy 29-26
smart tunnels 39-30
SMTP inspection 26-78
SNMP
about 44-1
management station 44-6
MIBs 44-1
traps 44-2
source quench, ICMP message C-15
SPAN 5-4
Spanning Tree Protocol, unsupported 5-9
speed, configuring 6-2
split tunneling
ASA 5505 as Easy VPN client 36-8
group policy 32-47
group policy, domains 32-49
SSH
authentication 42-6
concurrent connections 42-2
login 42-3
password 9-1
RSA key 42-2
username 42-3
SSL
certificate 39-6
used to access the security appliance 39-3
SSL/TLS encryption protocols
configuring 39-6
WebVPN 39-6
SSL VPN Client
compression 40-14
DPD 40-12
enabling 40-3
address assignment 40-3
permanent installation 40-5
tunnel group 40-4
group policy attribute for Clientless SSL VPN 32-73
installing 40-2
images 40-2
order 40-2
keepalive messages 40-13
logging out sessions 40-15
username attribute for Clientless SSL VPN 32-89
viewing sessions 40-15
SSM
checking status 23-18
configuration
AIP SSM 23-4
CSC SSM 23-12
loading an image 23-19
See also AIP SSM
See also CSC SSM
sso-server
group policy attribute for Clientless SSL VPN 32-72
username attribute for Clientless SSL VPN 32-88
SSO with WebVPN 39-8 to 39-20
configuring HTTP Basic and NTLM authentication 39-9
configuring HTTP form protocol 39-15
configuring SiteMinder 39-10, 39-12
startup configuration
copying 43-8
saving 2-6
Stateful Failover
about 15-16
state information 15-17
state link 15-5
statistics 15-45, 15-49
stateful inspection 1-17
state information 15-17
state link 15-5
static ARP entry 28-2
static bridge entry 28-3
static NAT
See NAT
static PAT
See PAT
static routes
about 10-2
configuring 10-3
tracking 10-5
statistics, QoS 25-13
stealth firewall
See transparent firewall
stuck-in-active 10-25
subcommand mode prompt B-2
subinterfaces, adding 6-7
subnet masks
/bits C-3
about C-2
address range C-4
determining C-3
dotted decimal C-3
number of hosts C-3
Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 39-40
Sun Microsystems Java Runtime Environment and WebVPN 39-78
Sun RPC inspection
about 26-81
configuring 26-81
SVC
See SSL VPN Client
svc
group policy attribute for Clientless SSL VPN 32-73
username attribute for Clientless SSL VPN 32-89
switch MAC address table 28-3
switch ports
access ports 5-9
default configuration 5-4
protected 5-9
SPAN 5-4
trunk ports 5-11
Sygate Personal Firewall 32-62
SYN attacks, monitoring 7-23
SYN cookies 7-23
syntax formatting B-3
syslog server
as output destination 44-8
designating 44-9
designating more than one 44-9
EMBLEM format
configuring 44-21
enabling 44-9
system configuration 4-3
system log messages
classes 44-18, E-5
classes of 44-17
configuring in groups
by message list 44-18
by severity level 44-6
creating lists of 44-17
device ID, including 44-20
disabling logging of 44-6
filtering by message class 44-17
managing in groups
by message class 44-18
creating a message list 44-17
output destinations 44-6
email address 44-10
SNMP 44-5
syslog message server 44-6
Telnet or SSH session 44-6
severity levels
about 44-25
changing the severity level of a message 44-6
timestamp, including 44-20
T
TACACS+
command authorization, configuring 42-14
configuring a server 14-9
network access authorization 21-8
support 14-5
tail drop 25-3
TCP
ASA 5505 as Easy VPN client 36-4
connection limits per context 7-6
ports and literal values C-11
sequence number randomization
disabling in NAT configuration 19-26
disabling using Modular Policy Framework 24-19
TCP Intercept
enabling using Modular Policy Framework 24-19
enabling using NAT 19-26
monitoring 7-23
TCP normalization 24-12
Telnet
allowing management access 42-1
authentication 42-6
concurrent connections 42-1
password 9-1
testing configuration 45-1
threat detection
basic
drop types 24-2
enabling 24-2
overview 24-2
rate intervals 24-2
rate intervals, setting 24-3
statistics, clearing 24-4
statistics, viewing 24-4
system performance 24-2
scanning
attackers, viewing 24-7
default limits, changing 24-6
enabling 24-5
host database 24-5
overview 24-5
shunned hosts, releasing 24-7
shunned hosts, viewing 24-6
shunning attackers 24-5
system performance 24-5
targets, viewing 24-7
scanning statistics
enabling 24-7
system performance 24-7
viewing 24-8
time exceeded, ICMP message C-15
time ranges, access lists 18-19
timestamp, including in system log messages 44-20
timestamp reply, ICMP message C-15
timestamp request, ICMP message C-15
TLS1, used to access the security appliance 39-3
TLS Proxy
applications supported by ASA 27-3
Cisco Unified Presence architecture 27-59
configuring for Cisco Unified Presence 27-62
debugging for Cisco Unified Presence 27-64
licenses 27-4
token bucket 25-2
toolbar, floating, WebVPN 39-58
traffic flow
routed firewall 17-1
transparent firewall 17-11
traffic shaping
overview 25-4
Transform 29-12
transform set
creating 34-4
definition 29-12
transmit queue ring limit 25-2, 25-3
transparent firewall
about 17-7
ARP inspection
about 28-1
enabling 28-2
static entry 28-2
data flow 17-11
DHCP packets, allowing 18-6
guidelines 17-9
H.323 guidelines 17-8
HSRP 17-8
MAC address timeout 28-4
MAC learning, disabling 28-4
Management 0/0 IP address 8-5
management IP address 9-5
multicast traffic 17-8
packet handling 18-6
static bridge entry 28-3
unsupported features 17-10
VRRP 17-8
transparent mode
NAT 19-3
traps, SNMP 44-2
troubleshooting
H.323 26-44
H.323 RAS 26-45
phone proxy 27-26
SIP 26-74
trunk, 802.1Q 6-7
trunk ports 5-11
trustpoint 41-3
trustpoint, ASA 5505 client 36-7
trust relationship
Cisco Unified Mobility 27-56
Cisco Unified Presence 27-61
tunnel
ASA 5505 as Easy VPN client 36-5
IPsec 29-11
security appliance as a tunnel endpoint 29-1
tunnel group
ASA 5505 as Easy VPN client 36-7
configuring 32-6
creating 32-8
default 29-11, 32-1, 32-2
default, remote access, configuring 32-7
default LAN-to-LAN, configuring 32-16
definition 32-1, 32-2
general parameters 32-3
inheritance 32-1
IPSec parameters 32-4
LAN-to-LAN, configuring 32-16
name and type 32-8
remote access, configuring 34-5
remote-access, configuring 32-8
tunnel-group
general attributes 32-3
tunnel-group ISAKMP/IKE keepalive settings 32-4
tunneling, about 29-1
tunnel mode 30-2
tx-ring-limit 25-2, 25-3
U
UDP
connection limits per context 7-6
connection state information 1-18
ports and literal values C-11
unreachable, ICMP message C-15
UR (unrestricted) license 15-3
url-list
group policy attribute for Clientless SSL VPN 32-69
username attribute for Clientless SSL VPN 32-85
URLs
context configuration, changing 7-16
context configuration, setting 7-9
filtering, about 22-4
filtering, configuration 22-6
user, VPN
definition 32-1
remote access, adding 34-4
user access, restricting remote 32-80
user authentication, group policy 32-51
user EXEC mode
accessing 2-5
prompt B-2
username
adding 14-7
clientless authentication 35-9
encrypted 14-8
management tunnels 36-9
password 14-8
WebVPN 39-74
Xauth for Easy VPN client 36-4
username attributes
access hours 32-77
configuring 32-75, 32-77
group-lock 32-80
inheritance 32-77
password, setting 32-76
password-storage 32-81
privilege level, setting 32-76
simultaneous logins 32-78
vpn-filter 32-79
vpn-framed-ip-address 32-79
vpn-idle timeout 32-78
vpn-session-timeout 32-79
vpn-tunnel-protocol 32-80
username attributes for Clientless SSL VPN
auto-signon 32-87
customization 32-83
deny message 32-84
filter (access list) 32-85
homepage 32-83
html-content-filter 32-82
keep-alive ignore 32-87
port-forward 32-86
port-forward-name 32-87
sso-server 32-88
svc 32-89
url-list 32-85
username configuration, viewing 32-76
username webvpn mode 32-81
U-turn 29-19
V
VeriSign, configuring CAs example 41-5
viewing logs 44-8
viewing QoS statistics 25-13
viewing RMS 43-22
virtual cluster 31-6
IP address 31-6
master 31-6
virtual firewalls
See security contexts
virtual HTTP 21-3
virtual reassembly 1-15
VLAN mapping 32-43
VLANs 6-7
802.1Q trunk 6-7
allocating to a context 7-7
ASA 5505
configuring 5-5
MAC addresses 5-4
maximum 5-2
mapped interface name 7-8
subinterfaces 6-7
VoIP
proxy servers 26-69
troubleshooting 26-44
VPN
address pool, configuring 34-4
address pool, configuring (group-policy) 32-60
address range, subnets C-4
parameters, general, setting 31-1
setting maximum number of IPSec sessions 31-3
VPN attributes, group policy 32-41
VPN Client, IPsec attributes 29-2
vpn-filter username attribute 32-79
vpn-framed-ip-address username attribute 32-79
VPN hardware client, group policy attributes 32-50
vpn-idle-timeout username attribute 32-78
vpn load balancing
See load balancing 31-6
vpn-session-timeout username attribute 32-79
vpn-tunnel-protocol username attribute 32-80
VRRP 17-8
W
WCCP 11-9
web browsing with WebVPN 39-77
web caching 11-9
web clients, secure authentication 21-5
web e-Mail (Outlook Web Access), Outlook Web Access 39-51
WebVPN
assigning users to group policies 39-21
authenticating with digital certificates 39-21
CA certificate validation not done 39-2
client application requirements 39-75
client requirements 39-75
for file management 39-77
for network browsing 39-77
for port forwarding 39-78
for using applications 39-78
for web browsing 39-77
start-up 39-76
configuring
e-mail 39-50
configuring WebVPN and ASDM on the same interface 39-4
cookies 39-7
defining the end-user interface 39-56
definition 39-1
digital certificate authentication restrictions 39-6
e-mail 39-50
e-mail proxies 39-50
enable cookies for 39-78
end user set-up 39-56
establishing a session 39-3
floating toolbar 39-58
group policy attributes, configuring 39-22
hosts file 39-45
hosts files, reconfiguring 39-46
HTTP/HTTPS proxy, setting 39-7
Java object signing 39-53
PDA support 39-50
printing and 39-76
remote system configuration and end-user requirements 39-76
security precautions 39-2, 39-8
security tips 39-75
setting HTTP/HTTPS proxy 39-4
SSL/TLS encryption protocols 39-6
supported applications 39-75
supported browsers 39-76
supported types of Internet connections 39-76
troubleshooting 39-44
unsupported features 39-3
URL 39-76
use of HTTPS 39-3
username and password required 39-76
usernames and passwords 39-74
use suggestions 39-56, 39-75
WebVPN, Application Access Panel 39-57
webvpn attributes
group policy 32-65
welcome message, group policy 32-46
WINS server, configuring 32-40
X
Xauth, Easy VPN client 36-4
Z
Zone Labs firewalls 32-62
Zone Labs Integrity Server 14-17