Cisco ASA 5580 Adaptive Security Appliance Command Line Configuration Guide, Version 8.1
Index


Symbols

/bits subnet masks D-3

?

command string C-4

help C-4

Numerics

802.1Q trunk 4-6

A

AAA

about 12-1

accounting 19-14

addressing, configuring 29-2

authentication

CLI access 37-5

network access 19-1

privileged EXEC mode 37-6

authorization

command 37-8

downloadable access lists 19-10

network access 19-8

local database support 12-6

performance 19-1

server 39-22

adding 12-9

types 12-3

support summary 12-3

web clients 19-5

abbreviating commands C-3

Access Control Server 31-2, 31-5, 31-8

access hours, username attribute 28-76

accessing the security appliance using SSL 34-3

accessing the security appliance using TLS1 34-3

access list filter, username attribute 28-78

access lists

about 14-1

ACE logging, configuring 14-21

comments 14-19

deny flows, managing 14-23

downloadable 19-10

EtherType, adding 14-9

exemptions from posture validation 31-7

extended

about 14-6

adding 14-7

group policy WebVPN filter 28-68

implicit deny 14-3

inbound 18-1

interface, applying 18-2

IP address guidelines 14-3

IPSec 25-20

logging 14-21

NAT guidelines 14-3

Network Admission Control, default 31-6

object groups 14-18

outbound 18-1

remarks 14-19

scheduling activation 14-19

standard, adding 14-11

types 14-2

username for Clientless SSL VPN 28-84

ACEs

See access lists

Active/Active failover

about 13-8

actions 13-12

command replication 13-10

configuration synchronization 13-10

configuring

asymmetric routing support 13-30

failover criteria 13-29

failover group preemption 13-27

HTTP replication 13-28

interface monitoring 13-28

LAN-based failover 13-24

prerequisites 13-24

virtual MAC addresses 13-29

device initialization 13-10

duplicate MAC addresses, avoiding 13-9, 13-29

primary status 13-9

secondary status 13-9

triggers 13-12

Active/Standby failover

about 13-5

actions 13-7

command replication 13-6

configuration synchronization 13-5

configuring

failover criteria 13-22

HTTP replication 13-21

interface monitoring 13-21

interface poll times 13-33

LAN-based 13-18

prerequisites 13-18

unit poll times 13-33

virtual MAC addresses 13-23

device initialization 13-5

primary unit 13-5

secondary unit 13-5

triggers 13-7

Active Directory, settings for password management 28-27

Active Directory procedures E-14 to ??

Adaptive Security Algorithm 1-8

admin context

about 3-2

changing 5-13

administrative distance 8-3

Advanced Encryption Standard (AES) 25-3

alternate address, ICMP message D-15

Application Access Panel, WebVPN 34-54

application access using Clientless SSL VPN

group policy attribute for Clientless SSL VPN 28-69

username attribute for Clientless SSL VPN 28-85

application access using WebVPN

and e-mail proxy 34-76

and hosts file errors 34-41

and Web Access 34-76

configuring client applications 34-75

enabling cookies on browser 34-75

privileges 34-75

quitting properly 34-43

setting up on client 34-75

using e-mail 34-76

with IMAP client 34-76

application inspection

about 23-2

applying 23-5

configuring 23-5

inspection class map 15-12

inspection policy map 15-9

security level requirements 6-1

special actions 15-8

Application Profile Customization Framework 34-51

ARP inspection

about 24-1

enabling 24-2

static entry 24-2

ARP spoofing 24-2

ARP test, failover 13-16

ASA (Adaptive Security Algorithm) 1-8

ASDM software

allowing access 37-4

installing 38-4

ASR 13-30

asymmetric routing support 13-30

attributes

RADIUS E-27

username 28-76

attribute-value pairs

TACACS+ E-35

attribute-value pairs (AVP) 28-35

authentication

about 12-2

CLI access 37-5

FTP 19-3

HTTP 19-2

network access 19-1

privileged EXEC mode 37-6

restrictions, WebVPN 34-6

Telnet 19-2

web clients 19-5

WebVPN users with digital certificates 34-21

authorization

about 12-2

command 37-8

downloadable access lists 19-10

network access 19-8

Auto-MDI/MDIX 4-2

auto-signon

group policy attribute for Clientless SSL VPN 28-67

username attribute for Clientless SSL VPN 28-86

Auto-Update, configuring 38-18

B

backup device, load balancing 27-6

backup server attributes, group policy 28-52

Baltimore Technologies, CA server support 36-5

banner message, group policy 28-45

basic threat detection

See threat detection

bits subnet masks D-3

Black Ice firewall 28-61

BPDUs, EtherType access list 14-11

bridge

entry timeout 24-4

table, See MAC address table

broadcast Ping test 13-16

C

CA

certificate validation, not done in WebVPN 34-2

CRs and 36-2

public key cryptography 36-1

revoked certificates 36-2

server support 36-5

supported servers 36-5

caching 34-49

capturing packets 40-12

cascading access lists 25-15

certificate

authentication, e-mail proxy 34-48

enrollment protocol 36-7

group matching

configuring 25-9

rule and policy, creating 25-10

Certificate Revocation Lists

See CRLs

certification authority

See CA

changing between contexts 5-11

Cisco-AV-Pair LDAP attributes E-12

Cisco Integrated Firewall 28-60

Cisco IP Phones

DHCP 9-4

Cisco IP Phones, application inspection 23-71

Cisco Security Agent 28-60

Cisco Trust Agent 31-8

Class A, B, and C addresses D-1

class-default class map 15-5

classes, logging

filtering messages by 39-22

message class variables 39-23, F-3

types 39-23, F-3

classes, MPF

See class map

classes, resource

See resource management

class map

inspection 15-12

Layer 3/4

management traffic 15-7

match commands 15-5

through traffic 15-5

regular expression 15-16

CLI

abbreviating commands C-3

adding comments C-7

command line editing C-3

command output paging C-6

displaying C-6

help C-4

paging C-6

syntax formatting C-3

client

VPN 3002 hardware, forcing client update 27-4

Windows, client update notification 27-4

client access rules, group policy 28-62

client firewall, group policy 28-59

clientless authentication 31-8

Clientless SSL VPN

configuring for specific users 28-80

client update, performing 27-4

cluster

IP address, load balancing 27-6

load balancing configurations 27-7

mixed scenarios 27-8

virtual 27-6

command authorization

about 37-9

configuring 37-8

multiple contexts 37-9

command prompts C-2

comments

access lists 14-19

configuration C-7

configuration

clearing 2-7

comments C-7

factory default

commands 2-1

restoring 2-1

saving 2-5

text file 2-8

URL for a context 5-9

viewing 2-7

configuration mode

accessing 2-3

prompt C-2

connection blocking 21-21

connection limits

configuring 21-17

per context 5-6

connect time, maximum, username attribute 28-78

console port logging 39-14

content transformation, WebVPN 34-49

contexts

See security contexts

conversion error, ICMP message D-16

cookies, enabling for WebVPN 34-6

CRACK protocol 25-28

crash dump 40-12

crypto map

access lists 25-20

applying to interfaces 25-20, 33-7

clearing configurations 25-28

creating an entry to use the dynamic crypto map 30-7

definition 25-12

dynamic 25-25

dynamic, creating 30-6

entries 25-12

examples 25-21

policy 25-13

crypto show commands 25-27

custom firewall 28-61

customization, Clientless SSL VPN

group policy attribute 28-65

login windows for users 28-26

username attribute 28-82

username attribute for Clientless SSL VPN 28-23

cut-through proxy 19-1

D

data flow

routed firewall 16-1

transparent firewall 16-11

DDNS 9-6

debugging IPSec 26-8

debug messages 40-12

default

class 5-3

DefaultL2Lgroup 28-1

DefaultRAgroup 28-1

domain name, group policy 28-48

group policy 28-1, 28-35

LAN-to-LAN tunnel group 28-16

remote access tunnel group, configuring 28-6

routes, defining equal cost routes 8-4

tunnel group 25-11, 28-2

default configuration

commands 2-1

restoring 2-1

default policy 15-3

default routes

about 8-4

configuring 8-4

deny flows, logging 14-23

deny in a crypto map 25-15

deny-message

group policy attribute for Clientless SSL VPN 28-65

username attribute for Clientless SSL VPN 28-83

DES, IKE policy keywords (table) 25-3

device ID, including in messages 39-25

DfltGrpPolicy 28-36

DHCP

addressing, configuring 29-3

Cisco IP Phones 9-4

options 9-3

relay 9-5

server 9-1, 9-2

transparent firewall 14-7

DHCP Intercept, configuring 28-49

Diffie-Hellman

Group 5 25-4

groups supported 25-4

DiffServ preservation 22-5

digital certificates

authenticating WebVPN users 34-21

SSL 34-6

WebVPN authentication restrictions 34-6

directory hierarchy search E-4

disabling content rewrite 34-50

disabling messages, specific message IDs 39-27

DMZ, definition 1-5

DNS

dynamic 9-6

inspection

about 23-13

managing 23-13

rewrite, about 23-14

rewrite, configuring 23-15

NAT effect on 17-17

server, configuring 28-39

domain attributes, group policy 28-47

domain name 7-2

dotted decimal subnet masks D-3

downloadable access lists

configuring 19-10

converting netmask expressions 19-14

DSCP preservation 22-5

DUAL 8-25

dual IP stack, configuring 11-4

dual-ISP support 8-5

duplex, configuring 4-2

dynamic crypto map 25-25

creating 30-6

See also crypto map

Dynamic DNS 9-6

dynamic NAT

See NAT

E

echo reply, ICMP message D-15

ECMP 8-3

editing command lines C-3

egress VLAN for VPN sessions 28-42

EIGRP 14-7

configuring 8-26

DUAL algorithm 8-25

hello interval 8-30

hello packets 8-25

hold time 8-25, 8-30

neighbor discovery 8-25

Overview 8-25

stub routing 8-27

stuck-in-active 8-26

e-mail

configuring for WebVPN 34-47

proxies, WebVPN 34-47

proxy, certificate authentication 34-48

WebVPN, configuring 34-47

EMBLEM format, using in logs 39-26

enable command 2-3

end-user interface, WebVPN, defining 34-53

Enterprises 9-4

Entrust, CA server support 36-5

ESP security protocol 25-2

established command, security level requirements 6-2

Ethernet

Auto-MDI/MDIX 4-2

duplex 4-2

speed 4-2

EtherType

assigned numbers 14-11

See also access lists

exporting NetFlow records 39-33

external group policy, configuring 28-37

F

facility, syslog 39-14

factory default configuration

commands 2-1

restoring 2-1

failover

about 13-1

Active/Active, configuring 13-23

Active/Active, See Active/Active failover

Active/Standby, configuring 13-18

Active/Standby, See Active/Standby failover

configuration file

terminal messages, Active/Active 13-10

terminal messages, Active/Standby 13-6

configuring 13-17

contexts 13-5

controlling 13-43

debug messages 13-45

disabling 13-44

displaying commands 13-42

encrypting failover communication 13-33

Ethernet failover cable 13-3

examples

Active/Active LAN-based failover B-24, B-29

Active/Standby LAN-based failover B-23, B-27

failover link 13-2

forcing 13-43

health monitoring 13-15

interface health 13-16

interface monitoring 13-16

interface tests 13-16

link communications 13-2

MAC addresses

about 13-5

automatically assigning 5-11

monitoring, configuration 13-43

monitoring, health 13-15

network tests 13-16

primary unit 13-5

redundant interfaces 4-4

restoring a failed group 13-44

restoring a failed unit 13-44

secondary unit 13-5

SNMP syslog traps 13-45

Stateful Failover, See Stateful Failover

state link 13-3

subsecond 13-33

system log messages 13-45

system requirements 13-2

testing 13-43

type selection 13-13

understanding 13-1

unit health 13-15

verifying the configuration 13-34

fast path 1-9

filter (access list)

group policy attribute for Clientless SSL VPN 28-68

username attribute for Clientless SSL VPN 28-84

filtering

about 20-1

ActiveX 20-2

FTP 20-9

Java applets 20-3

security level requirements 6-2

servers supported 20-4

show command output C-4

URLs 20-4

filtering NetFlow events 39-35

firewall

Black Ice 28-61

Cisco Integrated 28-60

Cisco Security Agent 28-60

custom 28-61

Network Ice 28-61

none 28-61

Sygate personal 28-61

Zone Labs 28-61

firewall mode

about 16-1

configuring 2-3

firewall policy, group policy 28-59

format of messages 39-30

fragmentation policy, IPSec 25-8

fragment protection 1-6

fragment size 21-21

FTP inspection

about 23-25

configuring 23-25

G

general attributes, tunnel group 28-3

general parameters, tunnel group 28-3

general tunnel-group connection parameters 28-3

generating RSA keys 36-6

global addresses

recommendations 17-16

specifying 17-26

global e-mail proxy attributes 34-47

global IPSec SA lifetimes, changing 25-22

group-lock, username attribute 28-79

group policy

address pools 28-59

attributes 28-39

backup server attributes 28-52

client access rules 28-62

configuring 28-37

default domain name for tunneled packets 28-48

definition 28-1, 28-35

domain attributes 28-47

external, configuring 28-37

firewall policy 28-59

hardware client user idle timeout 28-50

internal, configuring 28-38

IP phone bypass 28-51

IPSec over UDP attributes 28-45

LEAP Bypass 28-51

network extension mode 28-52

security attributes 28-43

split tunneling attributes 28-46

split-tunneling domains 28-48

user authentication 28-50

VPN attributes 28-40

VPN hardware client attributes 28-49

webvpn attributes 28-64

WINS and DNS servers 28-39

group policy, default 28-35

group policy, secure unit authentication 28-49

group policy attributes for Clientless SSL VPN

application access 28-69

auto-signon 28-67

customization 28-65

deny-message 28-65

filter 28-68

home page 28-67

html-content filter 28-66

keep-alive-ignore 28-70

port forward 28-69

port-forward-name 28-70

sso-server 28-71

svc 28-72

url-list 28-68

GTP inspection

about 23-31

configuring 23-30

H

H.225 timeouts 23-41

H.245 troubleshooting 23-42

H.323

transparent firewall guidelines 16-8

H.323 inspection

about 23-37

configuring 23-37

limitations 23-38

troubleshooting 23-43

hairpinning 25-20

hardware client, group policy attributes 28-49

help, command line C-4

HMAC hashing method 25-3

hold-period 31-11

homepage

group policy attribute for Clientless SSL VPN 28-67

username attribute for Clientless SSL VPN 28-82

hostname

configuring 7-2

in banners 7-2

multiple context mode 7-2

hosts, subnet masks for D-3

hosts file

errors 34-41

reconfiguring 34-43

WebVPN 34-42

HSRP 16-8

html-content-filter

group policy attribute for Clientless SSL VPN 28-66

username attribute for Clientless SSL VPN 28-81

HTTP(S)

authentication 37-6

filtering 20-4

HTTP/HTTPS Web VPN proxy, setting 34-6

HTTP compression, Clientless SSL VPN, enabling 28-71, 28-87

HTTP inspection

about 23-43

configuring 23-43

HTTPS for WebVPN sessions 34-3, 34-4

hub-and-spoke VPN scenario 25-20

I

ICMP

testing connectivity 40-1

type numbers D-15

idle timeout

hardware client user, group policy 28-50

username attribute 28-77

ID method for ISAKMP peers, determining 25-7

IKE

benefits 25-3

creating policies 25-4

keepalive setting, tunnel group 28-4

See also ISAKMP

ILS inspection 23-52

IM 23-65

inbound access lists 18-1

information reply, ICMP message D-16

information request, ICMP message D-16

inheritance

tunnel group 28-1

username attribute 28-76

inside, definition 1-5

inspection_default class-map 15-4

inspection engines

See application inspection

Instant Messaging inspection 23-65

intercept DHCP, configuring 28-49

interfaces

configuring for remote access 30-2

configuring IPv6 on 11-3

duplex 4-2

enabled status 4-2

enabling 4-3

failover monitoring 13-16

global addresses 17-26

IDs 4-2

IP address 6-4

MAC addresses

automatically assigning 5-11

manually assigning to interfaces 6-5

mapped name 5-8

naming, physical and subinterface 6-4

redundant 4-3

speed 4-2

subinterfaces 4-6

viewing monitored interface status 13-42

internal group policy, configuring 28-38

Internet Security Association and Key Management Protocol

See ISAKMP

IP addresses

classes D-1

configuring an assignment method for remote access clients 29-1

configuring for VPNs 29-1

configuring local IP address pools 29-2

interface 6-4

management, transparent firewall 7-5

private D-2

subnet mask D-4

IP phone bypass, group policy 28-51

IPSec

about 25-2

access list 25-20

anti-replay window 22-12

basic configuration with static crypto maps 25-23

Cisco VPN Client 25-2

configuring 25-1, 25-11

crypto map entries 25-12

enabling debug 26-8

fragmentation policy 25-8

LAN-to-LAN configurations 25-2

modes 26-2

over NAT-T, enabling 25-7

over TCP, enabling 25-8

over UDP, group policy, configuring attributes 28-45

remote access configurations 25-2

remote-access tunnel group 28-7

SA lifetimes, changing 25-22

setting maximum active VPN sessions 27-3

tunnel 25-12

viewing configuration 25-27

IPSec parameters, tunnel group 28-4

ipsec-ra, creating an IPSec remote-access tunnel 28-7

IP spoofing, preventing 21-20

IPv6

access lists 11-6

commands 11-1

configuring alongside IPv4 11-4

default route 11-5

dual IP stack 11-4

duplicate address detection 11-4

enabling 11-3

neighbor discovery 11-7

router advertisement messages 11-9

static neighbor 11-11

static routes 11-5

verifying 11-11

IPv6 addresses

anycast D-9

command support for 11-1

format D-5

multicast D-8

prefixes D-10

required D-10

types of D-6

unicast D-6

IPv6 VPN

access, enabling with CLI 28-12

ISAKMP

about 25-3

configuring 25-1, 25-2

determining an ID method for peers 25-7

disabling in aggressive mode 25-6

enabling on the outside interface 25-6, 30-3

keepalive setting, tunnel group 28-4

policies, configuring 25-5

See also IKE

J

Java applets, filtering 20-2

Java object signing 34-50

java-trustpoint 34-50

K

keep-alive-ignore

group policy attribute for Clientless SSL VPN 28-70

username attribute for Clientless SSL VPN 28-86

Kerberos

configuring 12-9

support 12-6

L

L2TP description 26-1

LAN-to-LAN tunnel group, configuring 28-16

latency

about 22-1

configuring 22-2, 22-3

reducing 22-7

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

Layer 2 Tunneling Protocol 26-1

Layer 3/4

matching multiple policy maps 15-21

LDAP

AAA support 12-12

application inspection 23-52

attribute mapping 12-15

Cisco-AV-pair E-12

configuring 12-9

configuring a AAA server E-3 to ??

directory search E-4

example configuration procedures E-14 to ??

hierarchy example E-3

SASL 12-13

server type 12-13

user authentication 12-13

user authorization 12-14

LEAP Bypass, group policy 28-51

licenses

managing 38-1

per model A-1

link up/down test 13-16

LLQ

See low-latency queue

load balancing

cluster configurations 27-7

concepts 27-6

eligible clients 27-7

eligible platforms 27-7

implementing 27-6

mixed cluster scenarios 27-8

platforms 27-7

prerequisites 27-7

local user database

adding a user 12-7

configuring 12-7

logging in 37-7

support 12-6

lockout recovery 37-19

log buffer

save to internal Flash 39-20

send to FTP server 39-20

logging

access lists 14-21

classes

filtering messages by 39-22

types 39-22, 39-23, F-3

device-id, including in system log messages 39-26

e-mail

configuring as output destination 39-15

destination address 39-15

source address 39-15

EMBLEM format 39-26

facility option 39-14

filtering

by message class 39-22

by message list 39-23

by severity level 39-11

logging queue, configuring 39-25

output destinations

ASDM 39-16

console port 39-14

email address 39-15

internal buffer 39-11

SNMP 39-10

syslog server 39-13

Telnet or SSH session 39-11

queue

changing the size of 39-25

configuring 39-25

viewing queue statistics 39-25

severity level, changing 39-28

timestamp, including 39-25

login

banner, configuring 37-20

console 2-3

enable 2-3

FTP 19-3

global configuration mode 2-3

local user 37-7

password 7-1

simultaneous, username attribute 28-77

SSH 37-3

Telnet 7-1

windows, customizing for users of Clientless SSL VPN sessions 28-26

low-latency queue

applying 22-2, 22-3

M

MAC address

redundant interfaces 4-4

MAC addresses

automatically assigning 5-11

failover 13-5

manually assigning to interfaces 6-5

security context classification 3-3

MAC address table

about 16-11

entry timeout 24-4

MAC learning, disabling 24-4

resource management 5-6

static entry 24-3

MAC learning, disabling 24-4

management IP address, transparent firewall 7-5

man-in-the-middle attack 24-2

mapped interface name 5-8

mask

reply, ICMP message D-16

request, ICMP message D-16

match commands

inspection class map 15-10

Layer 3/4 class map 15-5

matching, certificate group 25-9

maximum active IPSec VPN sessions, setting 27-3

maximum connect time, username attribute 28-78

maximum object size to ignore, username attribute for Clientless SSL VPN 28-86

maximum sessions, IPSec 27-13

MD5, IKE policy keywords (table) 25-4

message list

filtering by 39-23

message-of-the-day banner 37-20

messages, logging

classes

about 39-22

list of 39-23, F-3

component descriptions 39-30

filtering by message list 39-23

format of 39-30

message list, creating 39-24

severity levels 39-30

metacharacters, regular expression 15-13, C-5

MGCP inspection

about 23-53

configuring 23-53

MIBs 39-1

Microsoft Active Directory, settings for password management 28-27

Microsoft Internet Explorer client parameters, configuring 28-53

Microsoft Windows 2000 CA, supported 36-5

mixed cluster scenarios, load balancing 27-8

mobile redirection, ICMP message D-16

mode

context 3-10

firewall 2-3

Modular Policy Framework

See MPF

monitoring

failover 13-15

OSPF 8-19

resource management 5-16

SNMP 39-1

More prompt C-6

MPF

about 15-1

default policy 15-3

examples 15-24

feature directionality 15-18

features 15-1

flows 15-21

matching multiple policy maps 15-21

service policy, applying 15-24

See also class map

See also policy map

MPLS

LDP 14-10

router-id 14-10

TDP 14-10

MSIE client parameters, configuring 28-53

multicast traffic 16-8

multiple context mode

See security contexts

N

NAC

See Network Admission Control

naming an interface

other models 6-4

NAT

about 17-1, 17-2

bypassing NAT

about 17-11

configuration 17-32

DNS 17-17

dynamic NAT

about 17-6

configuring 17-25

implementation 17-19

examples 17-36

exemption from NAT

about 17-11

configuration 17-35

identity NAT

about 17-11

configuration 17-32

NAT ID 17-19

order of statements 17-16

overlapping addresses 17-36

PAT

about 17-8

configuring 17-25

implementation 17-19

policy NAT

about 17-11

port redirection 17-38

RPC not supported with 23-77

same security level 17-15

security level requirements 6-2

static identity, configuring 17-33

static NAT

about 17-9

configuring 17-28

static PAT

about 17-9

configuring 17-29

transparent mode 17-4

types 17-6

NAT-T

enabling IPSec over NAT-T 25-7

using 25-8

NetFlow

displaying system log messages 39-35

overview 39-31

system log message handling 39-31

NetFlow collector

configuring 39-33

NetFlow event filtering 39-35

NetFlow event logging

disabling 39-34

Netscape CMS, CA server support 36-5

Network Activity test 13-16

Network Admission Control

Access Control Server 31-5

ACL, default 31-6

clientless authentication 31-8

configuring 28-55

exemptions 31-7

port 31-10

retransmission retries 31-11

retransmission retry timer 31-10

revalidation timer 31-6

session reinitialization timer 31-11

uses, requirements, and limitations 31-1

network extension mode, group policy 28-52

Network Ice firewall 28-61

networks, overlapping 17-36

Nokia VPN Client 25-28

NTLM support 12-6

NT server

configuring 12-9

support 12-6

O

object groups

nesting 14-16

removing 14-18

open ports D-14

operating systems, posture validation exemptions 31-7

OSPF

about 8-9

area authentication 8-14

area MD5 authentication 8-14

area parameters 8-14

authentication key 8-12

cost 8-11, 8-12

dead interval 8-12

default route 8-17, 8-22, 8-28

displaying update packet pacing 8-19

enabling 8-9

hello interval 8-12

interface parameters 8-11

link-state advertisement 8-9

logging neighbor states 8-18

MD5 authentication 8-12

monitoring 8-19

NSSA 8-15

packet pacing 8-19

processes 8-9

redistributing routes 8-10

route calculation timers 8-18

route map 8-7

route summarization 8-16

stub area 8-14

summary route cost 8-14

outbound access lists 18-1

Outlook Web Access (OWA) and WebVPN 34-76

output destinations 39-11

e-mail address 39-11, 39-15

SNMP management station 39-11

specifying 39-15

syslog server 39-11, 39-12

Telnet or SSH session 39-11

viewing logs 39-13

outside, definition 1-5

oversubscribing resources 5-2

P

packet

capture 40-12

classifier 3-3

packet flow

routed firewall 16-1

transparent firewall 16-11

paging screen displays C-6

parameter problem, ICMP message D-15

password management, Active Directory settings 28-27

passwords

changing 7-1

clientless authentication 31-9

recovery 40-6

security appliance 7-1

username, setting 28-75

WebVPN 34-71

password-storage, username attribute 28-80

PAT

See also NAT

static 17-29

PDA support for WebVPN 34-47

peers

alerting before disconnecting 25-9

ISAKMP, determining ID method 25-7

performance, optimizing for WebVPN 34-49

permit in a crypto map 25-15

ping

See ICMP

PKI protocol 36-7

policing

flow within a tunnel 22-9

policy, QoS 22-1

policy map

inspection 15-9

Layer 3/4

about 15-17

adding 15-22

default policy 15-21

feature directionality 15-18

flows 15-21

policy NAT

about 17-11

dynamic, configuring 17-26

static, configuring 17-28

static PAT, configuring 17-30

pools, address

DHCP 9-2

global NAT 17-26

port-forward

group policy attribute for Clientless SSL VPN 28-69

username attribute for Clientless SSL VPN 28-85

port forwarding

configuring client applications 34-75

port-forward-name

group policy attribute for Clientless SSL VPN 28-70

username attribute for Clientless SSL VPN 28-86

ports

open on device D-14

redirection, NAT 17-38

TCP and UDP D-11

posture validation

exemptions 31-7

port 31-10

revalidation timer 31-6

uses, requirements, and limitations 31-1

PPPoE, configuring 32-1 to 32-5

primary unit, failover 13-5

private networks D-2

privileged EXEC mode, accessing 2-3

privileged mode

accessing 2-3

prompt C-2

privilege level, username, setting 28-75

prompts

command C-2

more C-6

protocol numbers and literal values D-11

proxy

See e-mail proxy

proxy bypass 34-50

proxy servers

SIP and 23-64

public key cryptography 36-1

Q

QoS

about 22-1, 22-3

DiffServ preservation 22-5

DSCP preservation 22-5

feature interaction 22-4

policies 22-1

priority queueing

IPSec anti-replay window 22-12

statistics 22-13

token bucket 22-2

traffic shaping

overview 22-4

viewing statistics 22-13

Quality of Service

See QoS

question mark

command string C-4

help C-4

queue, logging

changing the size of 39-25

viewing statistics 39-25

queue, QoS

latency, reducing 22-7

limit 22-2, 22-3

R

RADIUS

attributes E-27

Cisco AV pair E-12

configuring a AAA server E-27

configuring a server 12-9

downloadable access lists 19-10

network access authentication 19-4

network access authorization 19-10

support 12-4

RAS, H.323 troubleshooting 23-43

rate limiting 22-3

RealPlayer 23-60

reboot, waiting until active sessions end 25-9

redirect, ICMP message D-15

redundancy, in site-to-site VPNs, using crypto maps 25-27

redundant interfaces

configuring 4-5

failover 4-4

MAC address 4-4

setting the active interface 4-6

Registration Authority description 36-2

regular expression 15-13

reloading

context 5-14

security appliance 40-6

remarks 14-19

remote access

configuration summary 30-1

IPSec tunnel group, configuring 28-7

restricting 28-79

tunnel group, configuring default 28-6

user, adding 30-4

VPN, configuring 30-1

resource management

about 5-2

assigning a context 5-10

class 5-4

configuring 5-1

default class 5-3

monitoring 5-16

oversubscribing 5-2

resource types 5-6

unlimited 5-2

resource usage 5-19

retransmission retries, Network Admission Control 31-11

retransmission retry timer, Network Admission Control 31-10

revalidation timer, Network Admission Control 31-6

revoked certificates 36-2

rewrite, disabling 34-50

RIP

about 8-20

enabling 8-21

routed mode

about 16-1

setting 2-3

route maps

defining 8-7

uses 8-7

router

advertisement, ICMP message D-15

solicitation, ICMP message D-15

routes

about default 8-4

about static 8-2

configuring default routes 8-4

configuring IPv6 default 11-5

configuring IPv6 static 11-5

configuring static routes 8-3

routing

OSPF 8-20

other protocols 14-7

RSA

KEON, CA server support 36-5

keys, generating 36-6, 37-2

signatures, IKE authentication method 36-2

RTSP inspection

about 23-60

configuring 23-60

running configuration

copying 38-7

saving 2-5

runtime counters

clearing 39-34

displaying 39-34

S

same security level communication

enabling 6-6

NAT 17-15

SAs, lifetimes 25-22

SCCP (Skinny) inspection

about 23-71

configuration 23-71

configuring 23-70

SDI

configuring 12-9

support 12-5

secondary device, virtual cluster 27-6

secondary unit, failover 13-5

secure unit authentication, group policy 28-49

security, WebVPN 34-2, 34-8

Security Agent, Cisco 28-60

security appliance

CLI C-1

connecting to 2-2

CS-MARS interoperability F-1

managing licenses 38-1

managing the configuration 2-4

reloading 40-6

upgrading software 38-4

viewing files in Flash memory 38-3

security association

clearing 25-27

See also SAs

security attributes, group policy 28-43

security contexts

about 3-1

adding 5-7

admin context

about 3-2

changing 5-13

assigning to a resource class 5-10

cascading 3-8

changing between 5-11

classifier 3-3

command authorization 37-9

configuration

URL, changing 5-13

URL, setting 5-9

logging in 3-9

MAC addresses

automatically assigning 5-11

classifying using 3-3

managing 5-1, 5-12

mapped interface name 5-8

monitoring 5-15

multiple mode, enabling 3-10

nesting or cascading 3-9

prompt C-2

reloading 5-14

removing 5-12

resource management 5-2

resource usage 5-19

saving all configurations 2-5

unsupported features 3-2

VLAN allocation 5-7

security level

about 6-1

interface 6-4

serial cable

See failover

server group 31-5

service policy

applying 15-24

default 15-24

global 15-24

interface 15-24

session management path 1-8

session reinitialization timer, Network Admission Control 31-11

severity levels, of system log messages

changing 39-11

filtering by 39-11

list of 39-30

severity levels, of system messages

definition 39-30

SHA, IKE policy keywords (table) 25-4

show command, filtering output C-4

simultaneous logins, username attribute 28-77

single mode

backing up configuration 3-10

configuration 3-10

enabling 3-10

restoring 3-11

single sign-on

See SSO

single-signon

group policy attribute for Clientless SSL VPN 28-71

username attribute for Clientless SSL VPN 28-87

SIP inspection

about 23-64

configuring 23-64

instant messaging 23-65

timeouts 23-69

troubleshooting 23-70

site-to-site VPNs, redundancy 25-27

smart tunnels 34-29

SMTP inspection 23-74

SNMP

about 39-1

management station 39-11

MIBs 39-1

traps 39-2

source quench, ICMP message D-15

speed, configuring 4-2

split tunneling

group policy 28-46

group policy, domains 28-48

SSH

authentication 37-6

concurrent connections 37-2

login 37-3

password 7-1

RSA key 37-2

username 37-3

SSL

certificate 34-6

used to access the security appliance 34-3

SSL/TLS encryption protocols

configuring 34-6

WebVPN 34-6

SSL VPN Client

compression 35-14

DPD 35-12

enabling 35-3

address assignment 35-3

permanent installation 35-5

tunnel group 35-4

group policy attribute for Clientless SSL VPN 28-72

installing 35-2

images 35-2

order 35-2

keepalive messages 35-13

logging out sessions 35-15

username attribute for Clientless SSL VPN 28-88

viewing sessions 35-15

sso-server

group policy attribute for Clientless SSL VPN 28-71

username attribute for Clientless SSL VPN 28-87

SSO with WebVPN 34-8 to 34-20

configuring HTTP Basic and NTLM authentication 34-8

configuring HTTP form protocol 34-14

configuring SiteMinder 34-10, 34-12

startup configuration

copying 38-7

saving 2-5

Stateful Failover

about 13-14

state information 13-14

state link 13-3

statistics 13-37, 13-41

stateful inspection 1-8

state information 13-14

state link 13-3

static ARP entry 24-2

static bridge entry 24-3

static NAT

See NAT

static PAT

See PAT

static routes

about 8-2

configuring 8-3

tracking 8-5

statistics, QoS 22-13

stealth firewall

See transparent firewall

stuck-in-active 8-26

subcommand mode prompt C-2

subinterfaces, adding 4-6

subnet masks

/bits D-3

about D-2

address range D-4

determining D-3

dotted decimal D-3

number of hosts D-3

Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 34-38

Sun Microsystems Java Runtime Environment and WebVPN 34-75

Sun RPC inspection

about 23-77

configuring 23-76

SVC

See SSL VPN Client

svc

group policy attribute for Clientless SSL VPN 28-72

username attribute for Clientless SSL VPN 28-88

Sygate Personal Firewall 28-61

SYN attacks, monitoring 5-20

SYN cookies 5-20

syntax formatting C-3

syslog server

as output destination 39-12

designating 39-13

designating more than one 39-13

EMBLEM format

configuring 39-26

enabling 39-13

system configuration 3-2

system log messages

classes 39-23, F-3

classes of 39-22

configuring in groups

by message list 39-23

by severity level 39-11

creating lists of 39-21

device ID, including 39-25

disabling logging of 39-11

filtering by message class 39-21

managing in groups

by message class 39-22

creating a message list 39-21

output destinations 39-11

email address 39-15

SNMP 39-10

syslog message server 39-11

Telnet or SSH session 39-11

severity levels

about 39-30

changing the severity level of a message 39-11

timestamp, including 39-25

T

TACACS+

command authorization, configuring 37-13

configuring a server 12-9

network access authorization 19-8

support 12-5

tail drop 22-3

TCP

connection limits per context 5-6

ports and literal values D-11

sequence number randomization

disabling in NAT configuration 17-26

disabling using Modular Policy Framework 21-19

TCP Intercept

enabling using Modular Policy Framework 21-19

enabling using NAT 17-26

monitoring 5-20

TCP normalization 21-12

Telnet

allowing management access 37-1

authentication 37-6

concurrent connections 37-1

password 7-1

template timeout intervals

configuring 39-33

testing configuration 40-1

threat detection

basic

drop types 21-2

enabling 21-2

overview 21-2

rate intervals 21-2

rate intervals, setting 21-3

statistics, clearing 21-4

statistics, viewing 21-4

system performance 21-2

scanning

attackers, viewing 21-7

default limits, changing 21-6

enabling 21-5

host database 21-5

overview 21-5

shunned hosts, releasing 21-7

shunned hosts, viewing 21-6

shunning attackers 21-5

system performance 21-5

targets, viewing 21-7

scanning statistics

enabling 21-7

system performance 21-7

viewing 21-8

time exceeded, ICMP message D-15

time ranges, access lists 14-19

timestamp, including in system log messages 39-25

timestamp reply, ICMP message D-15

timestamp request, ICMP message D-15

TLS1, used to access the security appliance 34-3

token bucket 22-2

toolbar, floating, WebVPN 34-55

traffic flow

routed firewall 16-1

transparent firewall 16-11

traffic shaping

overview 22-4

Transform 25-12

transform set

creating 30-4

definition 25-12

transmit queue ring limit 22-2, 22-3

transparent firewall

about 16-7

ARP inspection

about 24-1

enabling 24-2

static entry 24-2

data flow 16-11

DHCP packets, allowing 14-7

guidelines 16-9

H.323 guidelines 16-8

HSRP 16-8

MAC address timeout 24-4

MAC learning, disabling 24-4

Management 0/0 IP address 6-4

management IP address 7-5

multicast traffic 16-8

packet handling 14-7

static bridge entry 24-3

unsupported features 16-10

VRRP 16-8

transparent mode

NAT 17-4

traps, SNMP 39-2

troubleshooting

H.323 23-42

H.323 RAS 23-43

SIP 23-70

trunk, 802.1Q 4-6

trustpoint 36-3

tunnel

IPSec 25-12

security appliance as a tunnel endpoint 25-1

tunnel group

configuring 28-6

creating 28-7

default 25-11, 28-1, 28-2

default, remote access, configuring 28-6

default LAN-to-LAN, configuring 28-16

definition 28-1, 28-2

general parameters 28-3

inheritance 28-1

IPSec parameters 28-4

LAN-to-LAN, configuring 28-16

name and type 28-7

remote access, configuring 30-5

remote-access, configuring 28-7

tunnel-group

general attributes 28-3

tunnel-group ISAKMP/IKE keepalive settings 28-4

tunneling, about 25-1

tunnel mode 26-2

tx-ring-limit 22-2, 22-3

U

UDP

connection limits per context 5-6

connection state information 1-9

ports and literal values D-11

unreachable, ICMP message D-15

url-list

group policy attribute for Clientless SSL VPN 28-68

username attribute for Clientless SSL VPN 28-84

URLs

context configuration, changing 5-13

context configuration, setting 5-9

filtering, about 20-4

filtering, configuration 20-6

user, VPN

definition 28-1

remote access, adding 30-4

user access, restricting remote 28-79

user authentication, group policy 28-50

user EXEC mode

accessing 2-3

prompt C-2

username

adding 12-7

clientless authentication 31-9

encrypted 12-8

password 12-8

WebVPN 34-71

username attributes

access hours 28-76

configuring 28-74, 28-76

group-lock 28-79

inheritance 28-76

password, setting 28-75

password-storage 28-80

privilege level, setting 28-75

simultaneous logins 28-77

vpn-filter 28-78

vpn-framed-ip-address 28-78

vpn-idle timeout 28-77

vpn-session-timeout 28-78

vpn-tunnel-protocol 28-79

username attributes for Clientless SSL VPN

auto-signon 28-86

customization 28-82

deny message 28-83

filter (access list) 28-84

homepage 28-82

html-content-filter 28-81

keep-alive ignore 28-86

port-forward 28-85

port-forward-name 28-86

sso-server 28-87

svc 28-88

url-list 28-84

username configuration, viewing 28-75

username webvpn mode 28-80

U-turn 25-20

V

VeriSign, configuring CAs example 36-5

viewing logs 39-13

viewing QoS statistics 22-13

viewing RMS 38-21

virtual cluster 27-6

IP address 27-6

master 27-6

virtual firewalls

See security contexts

virtual HTTP 19-3

virtual reassembly 1-6

VLAN mapping 28-42

VLANs 4-6

802.1Q trunk 4-6

allocating to a context 5-7

mapped interface name 5-8

subinterfaces 4-6

VoIP

proxy servers 23-64

troubleshooting 23-42

VPN

address pool, configuring 30-4

address pool, configuring (group-policy) 28-59

address range, subnets D-4

Client, IPSec attributes 25-2

parameters, general, setting 27-1

setting maximum number of IPSec sessions 27-3

VPN attributes, group policy 28-40

vpn-filter username attribute 28-78

vpn-framed-ip-address username attribute 28-78

VPN hardware client, group policy attributes 28-49

vpn-idle-timeout username attribute 28-77

vpn load balancing

See load balancing 27-6

vpn-session-timeout username attribute 28-78

vpn-tunnel-protocol username attribute 28-79

VRRP 16-8

W

WCCP 9-9

web browsing with WebVPN 34-74

web caching 9-9

web clients, secure authentication 19-5

web e-Mail (Outlook Web Access), Outlook Web Access 34-48

WebVPN

assigning users to group policies 34-21

authenticating with digital certificates 34-21

CA certificate validation not done 34-2

client application requirements 34-72

client requirements 34-72

for file management 34-74

for network browsing 34-74

for port forwarding 34-75

for using applications 34-75

for web browsing 34-74

start-up 34-73

configuring

e-mail 34-47

configuring WebVPN and ASDM on the same interface 34-4

cookies 34-6

defining the end-user interface 34-53

definition 34-1

digital certificate authentication restrictions 34-6

e-mail 34-47

e-mail proxies 34-47

enable cookies for 34-75

end user set-up 34-53

establishing a session 34-3

floating toolbar 34-55

group policy attributes, configuring 34-22

hosts file 34-42

hosts files, reconfiguring 34-43

HTTP/HTTPS proxy, setting 34-6

Java object signing 34-50

PDA support 34-47

printing and 34-73

remote system configuration and end-user requirements 34-73

security precautions 34-2, 34-8

security tips 34-71

setting HTTP/HTTPS proxy 34-4

SSL/TLS encryption protocols 34-6

supported applications 34-72

supported browsers 34-73

supported types of Internet connections 34-73

troubleshooting 34-41

unsupported features 34-3

URL 34-73

use of HTTPS 34-3

username and password required 34-73

usernames and passwords 34-71

use suggestions 34-53, 34-72

WebVPN, Application Access Panel 34-54

webvpn attributes

group policy 28-64

welcome message, group policy 28-45

WINS server, configuring 28-39

Z

Zone Labs firewalls 28-61

Zone Labs Integrity Server 12-17