Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2
Index


Symbols

/bits subnet masks C-3

?

command string B-4

help B-4

Numerics

4GE SSM

connector types 6-8

fiber 6-8

SFP 6-8

802.1Q tagging 6-19

802.1Q trunk 6-14

A

AAA

about 36-1

accounting 38-14

addressing, configuring 65-2

authentication

CLI access 37-5

network access 38-1

privileged EXEC mode 37-6

authorization

command 37-8

downloadable access lists 38-9

network access 38-8

local database support 36-7

performance 38-1

server 74-4

adding 36-9

types 36-3

support summary 36-3

web clients 38-5

abbreviating commands B-3

ABR

definition of 21-2

Access Control Server 67-2, 67-4, 67-8

access hours, username attribute 64-81

accessing the security appliance using SSL 71-5

accessing the security appliance using TLS1 71-5

access list filter, username attribute 64-83

access lists

about 10-1

ACE logging, configuring 17-1

deny flows, managing 17-5

downloadable 38-10

exemptions from posture validation 67-6

group policy WebVPN filter 64-73

implicit deny 10-3

inbound 35-1

IP address guidelines 10-3

IPsec 61-20

IPv6

about 15-1

configuring 15-4

default settings 15-3

logging 17-1

NAT guidelines 10-3

Network Admission Control, default 67-6

object groups 16-2

outbound 35-1

phone proxy 46-7

remarks 11-6

scheduling activation 16-14

types 10-1

username for Clientless SSL VPN 64-89

access ports 6-17

ACEs

See access lists

activation key

entering 3-21

location 3-18

obtaining 3-21

Active/Active failover

about 34-1

actions 34-5

command replication 34-3

configuration synchronization 34-3

configuring

asymmetric routing support 34-19

failover criteria 34-17

failover group preemption 34-13

HTTP replication 34-15

interface monitoring 34-15

virtual MAC addresses 34-17

device initialization 34-3

duplicate MAC addresses, avoiding 34-2, 34-18

optional settings

about 34-6

configuring 34-13

primary status 34-2

secondary status 34-2

triggers 34-4

Active/Standby failover

about 33-1

actions 33-4

command replication 33-3

configuration synchronization 33-2

device initialization 33-2

primary unit 33-2

secondary unit 33-2

triggers 33-4

Active Directory, settings for password management 64-29

Active Directory procedures D-16 to ??

Adaptive Security Algorithm 1-13

admin context

about 5-3

changing 5-26

administrative distance 19-3, 19-4

Advanced Encryption Standard (AES) 61-3

AIP

See IPS module

AIP SSC

checking status 58-9

loading an image 58-7

AIP SSM

checking status 58-9

loading an image 58-7

alternate address, ICMP message C-15

analyzing syslog messages 74-2

Application Access Panel, WebVPN 71-62

application access using Clientless SSL VPN

group policy attribute for Clientless SSL VPN 64-74

username attribute for Clientless SSL VPN 64-90

application access using WebVPN

and e-mail proxy 71-83

and hosts file errors 71-47

and Web Access 71-83

configuring client applications 71-82

enabling cookies on browser 71-82

privileges 71-82

quitting properly 71-48

setting up on client 71-82

using e-mail 71-83

with IMAP client 71-83

application inspection

about 40-1

applying 40-6

configuring 40-6

inspection class map 9-19

inspection policy map 9-17

security level requirements 6-5

special actions 9-16

Application Profile Customization Framework 71-57

area border router 21-2

ARP inspection

about 4-8

enabling 4-10

static entry 4-10

ARP spoofing 4-8

ARP test, failover 32-15

ASA (Adaptive Security Algorithm) 1-13

ASA 5505

Base license 6-2

client

authentication 68-12

configuration restrictions, table 68-2

device pass-through 68-8

group policy attributes pushed to 68-10

mode 68-3

remote management 68-9

split tunneling 68-8

TCP 68-4

trustpoint 68-7

tunnel group 68-7

tunneling 68-5

Xauth 68-4

interfaces, about 6-1

MAC addresses 6-4

maximum VLANs 6-2

native VLAN support 6-20

non-forwarding interface 6-17

power over Ethernet 6-4

protected switch ports 6-18

Security Plus license 6-2

server (headend) 68-1

SPAN 6-4

Spanning Tree Protocol, unsupported 6-17

ASA 5550 throughput 6-24

ASBR

definition of 21-2

ASDM software

allowing access 37-4

installing 78-2

ASR 34-19

asymmetric routing

TCP state bypass 51-2

asymmetric routing support 34-19

attributes

RADIUS D-30

username 64-81

attribute-value pairs

TACACS+ D-39

attribute-value pairs (AVP) 64-37

authentication

about 36-2

ASA 5505 as Easy VPN client 68-12

CLI access 37-5

FTP 38-3

HTTP 38-2

network access 38-1

privileged EXEC mode 37-6

restrictions, WebVPN 71-8

Telnet 38-2

web clients 38-5

WebVPN users with digital certificates 71-23, 71-24

authorization

about 36-2

command 37-8

downloadable access lists 38-9

network access 38-8

Auto-MDI/MDIX 6-4

auto-signon

group policy attribute for Clientless SSL VPN 64-72

username attribute for Clientless SSL VPN 64-91

Auto-Update, configuring 78-19

B

backup server attributes, group policy 64-56

Baltimore Technologies, CA server support 73-4

banner message, group policy 64-48

basic threat detection

See threat detection

bits subnet masks C-3

Black Ice firewall 64-66

Botnet Traffic Filter

actions 54-2

address categories 54-2

blacklist

adding entries 54-8

description 54-2

blocking traffic manually 54-14

classifying traffic 54-11

configuring 54-6

databases 54-2

default settings 54-6

DNS Reverse Lookup Cache

information about 54-3

maximum entries 54-4

using with dynamic database 54-9

DNS snooping 54-9

dropping traffic 54-12

graylist 54-12

dynamic database

enabling use of 54-7

files 54-3

information about 54-2

searching 54-15

updates 54-7

examples 54-18

feature history 54-21

graylist

description 54-2

dropping traffic 54-12

guidelines and limitations 54-5

information about 54-1

licensing 54-5

monitoring 54-16

static database

adding entries 54-8

information about 54-3

syslog messages 54-16

task flow 54-6

threat level

dropping traffic 54-12

whitelist

adding entries 54-8

description 54-2

working overview 54-4

bridge

entry timeout 4-14

table, See MAC address table

broadcast Ping test 32-15

bypass authentication 68-8

bypassing firewall checks 51-1

C

CA

certificate validation, not done in WebVPN 71-2

CRs and 73-2

public key cryptography 73-2

revoked certificates 73-2

supported servers 73-4

caching 71-56

capturing packets 79-13

cascading access lists 61-15

certificate

authentication, e-mail proxy 71-54

Cisco Unified Mobility 48-5

Cisco Unified Presence 49-3

enrollment protocol 73-10

group matching

configuring 61-9

rule and policy, creating 61-10

Certificate Revocation Lists

See CRLs

certificates

phone proxy 46-15

required by phone proxy 46-16

change query interval 24-24

change query response time 24-24

change query timeout value 24-24

changing between contexts 5-25

changing the severity level 74-16

Cisco-AV-Pair LDAP attributes D-13

Cisco Integrated Firewall 64-65

Cisco IOS CS CA

server support 73-4

Cisco IP Communicator 46-9

Cisco IP Phones

DHCP 7-5

Cisco IP Phones, application inspection 42-26

Cisco Security Agent 64-66

Cisco Trust Agent 67-8

Cisco UMA. See Cisco Unified Mobility.

Cisco Unified Mobility

architecture 48-2

ASA role 45-2, 45-3

certificate 48-5

functionality 48-1

NAT and PAT requirements 48-3, 48-4

trust relationship 48-5

Cisco Unified Presence

ASA role 45-2, 45-3

configuring the TLS Proxy 49-5

debugging the TLS Proxy 49-10

NAT and PAT requirements 49-2

sample configuration 49-11

trust relationship 49-3

Cisco UP. See Cisco Unified Presence.

Class A, B, and C addresses C-1

class-default class map 9-11

classes, logging

filtering messages by 74-11

message class variables 74-3, E-5

types 74-3, E-5

classes, MPF

See class map

classes, resource

See resource management

class map

inspection 9-19

Layer 3/4

management traffic 9-15

match commands 9-13

through traffic 9-13

regular expression 9-23

CLI

abbreviating commands B-3

adding comments B-7

command line editing B-3

command output paging B-6

displaying B-6

help B-4

paging B-6

syntax formatting B-3

client

VPN 3002 hardware, forcing client update 63-4

Windows, client update notification 63-4

client access rules, group policy 64-67

client firewall, group policy 64-63

clientless authentication 67-8

Clientless SSL VPN

configuring for specific users 64-85

client mode 68-3

client update, performing 63-4

cluster

IP address, load balancing 63-7

load balancing configurations 63-9

mixed scenarios 63-10

virtual 63-6

command authorization

about 37-9

configuring 37-8

multiple contexts 37-10

command prompts B-2

comments

configuration B-7

configuration

clearing 2-8

comments B-7

factory default

commands 2-1

restoring 2-2

saving 2-5

text file 2-8

URL for a context 5-18

viewing 2-7

configuration examples

CSC SSM 60-10

logging 74-18

configuration mode

accessing 2-4

prompt B-2

connection blocking 57-2

connection limits

configuring 53-1

per context 5-15

connect time, maximum, username attribute 64-83

console port logging 74-8

content transformation, WebVPN 71-56

contexts

See security contexts

conversion error, ICMP message C-15

cookies, enabling for WebVPN 71-8

copying files with the SMB protocol 78-1

copy smb

command 78-1

Coredump 79-13

CRACK protocol 61-28

crash dump 79-13

creating a custom message list 74-12

crypto map

access lists 61-20

applying to interfaces 61-19, 70-7

clearing configurations 61-27

creating an entry to use the dynamic crypto map 66-8

definition 61-12

dynamic 61-25

dynamic, creating 66-7

entries 61-12

examples 61-21

policy 61-13

crypto show commands table 61-26

CSC SSM

about 60-1

checking status 58-9

loading an image 58-7

sending traffic to 60-7

what to scan 60-3

CSC SSM feature history 60-12

custom firewall 64-66

customization, Clientless SSL VPN

group policy attribute 64-70

login windows for users 64-28

username attribute 64-87

username attribute for Clientless SSL VPN 64-25

custom messages list

logging output destination 74-4

cut-through proxy 38-1

D

data flow

routed firewall 4-15

transparent firewall 4-21

date and time in messages 74-15

DDNS 7-8

debug messages 79-13

default

class 5-13

DefaultL2Lgroup 64-1

DefaultRAgroup 64-1

domain name, group policy 64-51

group policy 64-1, 64-37

LAN-to-LAN tunnel group 64-17

remote access tunnel group, configuring 64-7

routes, defining equal cost routes 19-3

tunnel group 61-11, 64-2

default configuration

commands 2-1

restoring 2-2

default policy 9-10

default routes

about 19-3

configuring 19-3

delay sending flow-create events

flow-create events

delay sending 75-6

deleting files from Flash 78-2

deny flows, logging 17-5

deny in a crypto map 61-15

deny-message

group policy attribute for Clientless SSL VPN 64-70

username attribute for Clientless SSL VPN 64-88

DES, IKE policy keywords (table) 61-3

device ID, including in messages 74-14

device ID in messages 74-14

device pass-through, ASA 5505 as Easy VPN client 68-8

DfltGrpPolicy 64-38

DHCP

addressing, configuring 65-3

Cisco IP Phones 7-5

options 7-3

relay 7-6

server 7-2

transparent firewall 11-2

DHCP Intercept, configuring 64-52

Diffie-Hellman

Group 5 61-4

groups supported 61-4

DiffServ preservation 55-5

digital certificates

authenticating WebVPN users 71-23, 71-24

SSL 71-8

WebVPN authentication restrictions 71-8

directory hierarchy search D-4

disabling content rewrite 71-57

disabling messages 74-15

disabling messages, specific message IDs 74-15

DMZ, definition 1-11

DNS

dynamic 7-8

inspection

about 41-2

managing 41-1

rewrite, about 41-2

rewrite, configuring 41-3

NAT effect on 26-9

server, configuring 8-6, 64-41

domain attributes, group policy 64-51

domain name 8-3

dotted decimal subnet masks C-3

downloadable access lists

configuring 38-10

converting netmask expressions 38-13

DSCP preservation 55-5

DUAL 23-2

dual IP stack, configuring 6-5

dual-ISP support 19-5

duplex, configuring 6-8

dynamic crypto map 61-25

creating 66-7

See also crypto map

Dynamic DNS 7-8

dynamic NAT 29-1

E

Easy VPN

client

authentication 68-12

configuration restrictions, table 68-2

enabling and disabling 68-1

group policy attributes pushed to 68-10

mode 68-3

remote management 68-9

trustpoint 68-7

tunnels 68-9

Xauth 68-4

server (headend) 68-1

Easy VPN client

ASA 5505

device pass-through 68-8

split tunneling 68-8

TCP 68-4

tunnel group 68-7

tunneling 68-5

echo reply, ICMP message C-15

editing command lines B-3

egress VLAN for VPN sessions 64-44

EIGRP 11-2

DUAL algorithm 23-2

hello interval 23-11

hello packets 23-1

hold time 23-2, 23-11

neighbor discovery 23-1

stub routing 23-3

stuck-in-active 23-2

e-mail

configuring for WebVPN 71-53

proxies, WebVPN 71-53

proxy, certificate authentication 71-54

WebVPN, configuring 71-53

enable command 2-4

enabling logging 74-6

enabling secure logging 74-13

end-user interface, WebVPN, defining 71-61

Enterprises 7-5

Entrust, CA server support 73-4

established command, security level requirements 6-5

Ethernet

Auto-MDI/MDIX 6-4

duplex 6-8

jumbo frames, ASA 5580 6-31

speed 6-8

evaluation license 3-11

exporting NetFlow records 75-4

external group policy, configuring 64-40

F

facility, syslog 74-7

factory default configuration

commands 2-1

restoring 2-2

failover

about 32-1

Active/Active, See Active/Active failover

Active/Standby, See Active/Standby failover

configuration file

terminal messages, Active/Active 34-3

terminal messages, Active/Standby 33-2

contexts 33-2

debug messages 32-17

disabling 33-15, 34-25

Ethernet failover cable 32-3

examples

Active/Active LAN-based failover A-25, A-30

Active/Standby cable-based failover A-34, A-35

Active/Standby LAN-based failover A-24, A-28

failover link 32-3

forcing 33-15, 34-24

health monitoring 32-14

interface health 32-15

interface monitoring 32-15

interface tests 32-15

license, upgrading 3-23

link communications 32-3

MAC addresses

about 33-2

automatically assigning 5-21

monitoring, health 32-14

network tests 32-15

primary unit 33-2

redundant interfaces 6-12

restoring a failed group 33-15, 34-25

restoring a failed unit 33-15, 34-25

secondary unit 33-2

SNMP syslog traps 32-17

Stateful Failover, See Stateful Failover

state link 32-4

system log messages 32-17

system requirements 32-2

testing 33-16, 34-25

Trusted Flow Acceleration 60-5, 62-4, 72-4, 76-4

type selection 32-9

unit health 32-15

fast path 1-14

fiber interfaces 6-8

Fibre Channel interfaces

default settings 12-3, 13-2, 14-2, 28-3, 29-11, 30-4, 31-3, 31-7, 31-12, 35-4, 60-6

filter (access list)

group policy attribute for Clientless SSL VPN 64-73

username attribute for Clientless SSL VPN 64-89

filtering

FTP 39-11

Java applets 39-3

security level requirements 6-5

show command output B-4

URLs 39-6

filtering messages 74-3

firewall

Black Ice 64-66

Cisco Integrated 64-65

Cisco Security Agent 64-66

custom 64-66

Network Ice 64-66

none 64-66

Sygate personal 64-66

Zone Labs 64-66

firewall mode

about 4-1

configuring 4-1

firewall policy, group policy 64-63

Flash memory

removing files 78-2

flash memory available for logs 74-17

flow control for 10 Gigabit Ethernet 6-9

flow-export actions 75-4

format of messages 74-2

fragmentation policy, IPsec 61-8

fragment protection 1-12

fragment size 57-2

FTP inspection

about 41-12

configuring 41-12

G

general attributes, tunnel group 64-3

general parameters, tunnel group 64-3

general tunnel-group connection parameters 64-3

generating RSA keys 73-9

global addresses

recommendations 26-8

specifying 29-16, 29-18

global e-mail proxy attributes 71-53

global IPsec SA lifetimes, changing 61-22

group-lock, username attribute 64-84

group policy

address pools 64-62

attributes 64-41

backup server attributes 64-56

client access rules 64-67

configuring 64-39

default domain name for tunneled packets 64-51

definition 64-1, 64-37

domain attributes 64-51

Easy VPN client, attributes pushed to ASA 5505 68-10

external, configuring 64-40

firewall policy 64-63

hardware client user idle timeout 64-54

internal, configuring 64-40

IP phone bypass 64-54

IPSec over UDP attributes 64-49

LEAP Bypass 64-55

network extension mode 64-55

security attributes 64-46

split tunneling attributes 64-49

split-tunneling domains 64-51

user authentication 64-53

VPN attributes 64-42

VPN hardware client attributes 64-52

webvpn attributes 64-69

WINS and DNS servers 64-41

group policy, default 64-37

group policy, secure unit authentication 64-53

group policy attributes for Clientless SSL VPN

application access 64-74

auto-signon 64-72

customization 64-70

deny-message 64-70

filter 64-73

home page 64-72

html-content filter 64-71

keep-alive-ignore 64-75

port forward 64-74

port-forward-name 64-75

sso-server 64-76

svc 64-77

url-list 64-73

GTP inspection

about 44-4

configuring 44-3

H

H.225 timeouts 42-9

H.245 troubleshooting 42-10

H.323

transparent firewall guidelines 4-3

H.323 inspection

about 42-4

configuring 42-3

limitations 42-6

troubleshooting 42-11

hairpinning 61-19

hardware client, group policy attributes 64-52

help, command line B-4

high availability

about 32-1

HMAC hashing method 61-3

hold-period 67-11

homepage

group policy attribute for Clientless SSL VPN 64-72

username attribute for Clientless SSL VPN 64-87

hostname

configuring 8-2

in banners 8-2

multiple context mode 8-2

hosts, subnet masks for C-3

hosts file

errors 71-47

reconfiguring 71-49

WebVPN 71-48

HSRP 4-3

html-content-filter

group policy attribute for Clientless SSL VPN 64-71

username attribute for Clientless SSL VPN 64-86

HTTP(S)

authentication 37-6

filtering 39-6

HTTP/HTTPS Web VPN proxy, setting 71-8

HTTP compression, Clientless SSL VPN, enabling 64-76, 64-92

HTTP inspection

about 41-19

configuring 41-19

HTTP redirection for login, Easy VPN client on the ASA 5505 68-12

HTTPS for WebVPN sessions 71-5

hub-and-spoke VPN scenario 61-19

I

ICMP

testing connectivity 79-1

type numbers C-15

idle timeout

hardware client user, group policy 64-54

username attribute 64-82

ID method for ISAKMP peers, determining 61-6

IKE

benefits 61-2

creating policies 61-4

keepalive setting, tunnel group 64-4

pre-shared key, Easy VPN client on the ASA 5505 68-7

See also ISAKMP

ILS inspection 43-1

IM 42-20

inbound access lists 35-1

Individual user authentication 68-12

information reply, ICMP message C-15

information request, ICMP message C-15

inheritance

tunnel group 64-1

username attribute 64-81

inside, definition 1-11

inspection_default class-map 9-11

inspection engines

See application inspection

Instant Messaging inspection 42-20

intercept DHCP, configuring 64-52

interfaces

ASA 5505

about 6-1

enabled status 6-17

MAC addresses 6-4

maximum VLANs 6-2

non-forwarding 6-17

protected switch ports 6-18

switch port configuration 6-17

trunk ports 6-19

ASA 5550 throughput 6-24

configuring for remote access 66-3

default settings 12-3, 13-2, 14-2, 28-3, 29-11, 30-4, 31-3, 31-7, 31-12, 35-4, 60-6

duplex 6-8

enabling 6-11

failover monitoring 32-15

fiber 6-8

global addresses 29-16, 29-18

IDs 6-10

IP address 6-25

MAC addresses

automatically assigning 5-20

manually assigning to interfaces 6-27

mapped name 5-17

naming, physical and subinterface 6-25

redundant 6-11

SFP 6-8

speed 6-8

subinterfaces 6-14

internal group policy, configuring 64-40

Internet Security Association and Key Management Protocol

See ISAKMP

IP addresses

classes C-1

configuring an assignment method for remote access clients 65-1

configuring for VPNs 65-1

configuring local IP address pools 65-2

interface 6-25

management, transparent firewall 8-7

private C-2

subnet mask C-4

IP phone 68-8

phone proxy provisioning 46-11

IP phone bypass, group policy 64-54

IP phones

addressing requirements for phone proxy 46-8

supported for phone proxy 46-3

IPSec

anti-replay window 55-12

modes 62-2

over UDP, group policy, configuring attributes 64-49

remote-access tunnel group 64-7

setting maximum active VPN sessions 63-4

IPsec

access list 61-20

basic configuration with static crypto maps 61-22

Cisco VPN Client 61-2

configuring 61-1, 61-11

crypto map entries 61-12

fragmentation policy 61-8

over NAT-T, enabling 61-7

over TCP, enabling 61-8

SA lifetimes, changing 61-22

tunnel 61-11

view configuration commands table 61-26

IPSec parameters, tunnel group 64-4

ipsec-ra, creating an IPSec remote-access tunnel 64-8

IPS module

about 59-1

configuration 59-5

operating modes 59-2

sending traffic to 59-8

setup command 59-6

traffic flow 59-2

virtual sensors 59-6

IP spoofing, preventing 57-1

IPv6

commands 18-9

configuring alongside IPv4 6-5

default route 19-4

dual IP stack 6-5

duplicate address detection 6-28

neighbor discovery 25-1

router advertisement messages 25-8

static routes 19-4

IPv6 addresses

anycast C-9

command support for 18-9

format C-5

multicast C-8

prefixes C-10

required C-10

types of C-6

unicast C-6

IPv6 VPN

access, enabling with CLI 64-13

ISAKMP

about 61-2

configuring 61-1, 61-2

determining an ID method for peers 61-6

disabling in aggressive mode 61-6

enabling on the outside interface 61-6, 66-4

keepalive setting, tunnel group 64-4

policies, configuring 61-5

See also IKE

J

Java applets, filtering 39-2

Java object signing 71-56

java-trustpoint 71-56

jumbo frames, ASA 5580 6-31

K

keep-alive-ignore

group policy attribute for Clientless SSL VPN 64-75

username attribute for Clientless SSL VPN 64-91

Kerberos

configuring 36-9

support 36-6

L

L2TP description 62-1

LAN-to-LAN tunnel group, configuring 64-17

latency

about 55-1

configuring 55-2, 55-3

reducing 55-8

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

Layer 2 Tunneling Protocol 62-1

Layer 3/4

matching multiple policy maps 9-8

LCS Federation Scenario 49-2

LDAP

AAA support 36-13

application inspection 43-1

attribute mapping 36-16

Cisco-AV-pair D-13

configuring 36-9

configuring a AAA server D-3 to ??

directory search D-4

example configuration procedures D-16 to ??

hierarchy example D-4

SASL 36-14

server type 36-14

user authentication 36-14

user authorization 36-15

LEAP Bypass, group policy 64-55

licenses

activation key

entering 3-21

location 3-18

obtaining 3-21

ASA 5505 3-2

ASA 5510 3-3

ASA 5520 3-4

ASA 5540 3-5

ASA 5550 3-6

ASA 5580 3-7, 3-8

Cisco Unified Communications Proxy features 45-4, 47-5, 49-4

default 3-11

evaluation 3-11

failover 3-18

guidelines 3-18

managing 3-1

preinstalled 3-11

Product Authorization Key 3-21

reload requirements 3-22

shared

backup server, configuring 3-26

backup server, information 3-14

client, configuring 3-27

communication issues 3-14

failover 3-15

maximum clients 3-16

monitoring 3-28

overview 3-13

server, configuring 3-25

SSL messages 3-14

temporary 3-11

upgrading, failover 3-23

viewing current 3-19

VPN Flex 3-11

licensing requirements

CSC SSM 60-4

logging 74-5

link up/down test 32-15

LLQ

See low-latency queue

load balancing

cluster configurations 63-9

concepts 63-6

eligible clients 63-8

eligible platforms 63-8

implementing 63-8

mixed cluster scenarios 63-10

platforms 63-8

prerequisites 63-8

local user database

adding a user 36-8

configuring 36-8

logging in 37-7

support 36-7

lockout recovery 37-19

logging

access lists 17-1

classes

filtering messages by 74-4

types 74-3, 74-11, E-5

device-id, including in system log messages 74-14

e-mail

source address 74-8

EMBLEM format 74-15

facility option 74-7

filtering

by message class 74-11

by message list 74-4

by severity level 74-1

logging queue, configuring 74-13

output destinations

console port 74-7, 74-8

internal buffer 74-1

syslog server 74-7

Telnet or SSH session 74-1

queue

changing the size of 74-13

configuring 74-13

viewing queue statistics 74-17

severity level, changing 74-17

timestamp, including 74-15

logging feature history 74-18

logging queue

configuring 74-13

login

banner, configuring 37-20

console 2-4

enable 2-4

FTP 38-3

global configuration mode 2-4

local user 37-7

password 8-1

simultaneous, username attribute 64-82

SSH 37-3

Telnet 8-1

windows, customizing for users of Clientless SSL VPN sessions 64-28

low-latency queue

applying 55-2, 55-3

M

MAC address

redundant interfaces 6-12

MAC addresses

ASA 5505 6-4

ASA 5505 device pass-through 68-8

automatically assigning 5-20

failover 33-2

manually assigning to interfaces 6-27

security context classification 5-3

MAC address table

about 4-21

built-in-switch 4-12

entry timeout 4-14

MAC learning, disabling 4-14

resource management 5-15

static entry 4-13

MAC learning, disabling 4-14

management interfaces

default settings 12-3, 13-2, 14-2, 28-3, 29-11, 30-4, 31-3, 31-7, 31-12, 35-4, 60-6

management IP address, transparent firewall 8-7

man-in-the-middle attack 4-8

mapped interface name 5-17

mask

reply, ICMP message C-15

request, ICMP message C-15

match commands

inspection class map 9-18

Layer 3/4 class map 9-13

matching, certificate group 61-9

maximum active IPSec VPN sessions, setting 63-4

maximum connect time, username attribute 64-83

maximum object size to ignore username attribute for Clientless SSL VPN 64-91

maximum sessions, IPSec 63-16

MD5, IKE policy keywords (table) 61-3

media termination address, criteria 46-5

message filtering 74-3

message list

filtering by 74-4

message-of-the-day banner 37-20

messages, logging

classes

about 74-4

list of 74-3, E-5

component descriptions 74-2

filtering by message list 74-4

format of 74-2

message list, creating 74-12

severity levels 74-3

messages classes 74-3

messages in EMBLEM format 74-15

metacharacters, regular expression 9-21, B-5

MGCP inspection

about 42-11

configuring 42-11

mgmt0 interfaces

default settings 12-3, 13-2, 14-2, 28-3, 29-11, 30-4, 31-3, 31-7, 31-12, 35-4, 60-6

Microsoft Access Proxy 49-1

Microsoft Active Directory, settings for password management 64-29

Microsoft Internet Explorer client parameters, configuring 64-57

Microsoft Windows 2000 CA, supported 73-4

mixed cluster scenarios, load balancing 63-10

mixed-mode Cisco UCM cluster, configuring for phone proxy 46-16

MMP inspection 48-1

mobile redirection, ICMP message C-15

mode

context 5-10

firewall 4-1

Modular Policy Framework

See MPF

modular policy framework

configuring flow-export actions for NetFlow 75-5

monitoring

CSC SSM 60-10

failover 32-14

OSPF 21-15

resource management 5-29

SNMP 76-1

monitoring devices with CS-MARS E-3

monitoring logging 74-17

monitoring NSEL 75-7

monitoring switch traffic, ASA 5505 6-4

More prompt B-6

MPF

about 9-1

default policy 9-10

examples 9-26

feature directionality 9-5

features 9-2

flows 9-8

matching multiple policy maps 9-8

service policy, applying 9-25

See also class map

See also policy map

MPLS

LDP 12-2

router-id 12-2

TDP 12-2

MSIE client parameters, configuring 64-57

MTU size, Easy VPN client, ASA 5505 68-5

multicast traffic 4-3

multiple context mode

logging 74-2

See security contexts

N

NAC

See Network Admission Control

naming an interface

other models 6-25

NAT

about 26-1

bypassing NAT

about 27-3

DNS 26-9

dynamic NAT

about 29-1

configuring 29-13

implementation 29-5

exemption from NAT

about 27-3, 31-11

configuring 31-13

identity NAT

about 27-3, 31-2

configuring 31-4

NAT ID 29-5

order of statements 26-8

overlapping addresses 28-10

PAT

about 29-4

configuring 29-13

implementation 29-5

policy NAT

about 26-5

port redirection 30-10

RPC not supported with 43-3

same security level 26-8

security level requirements 6-5

static identity, about 31-5

static identity, configuring 31-7

static NAT

about 28-1

configuration examples 28-9

configuring 28-4

static PAT

about 30-1

types 26-2

native VLAN support 6-20

NAT-T

enabling IPsec over NAT-T 61-7

using 61-8

NetFlow

overview 75-1

NetFlow collector

configuring 75-4

NetFlow event logging

disabling 75-7

Netscape CMS, CA server support 73-4

Network Activity test 32-15

Network Admission Control

Access Control Server 67-4

ACL, default 67-6

clientless authentication 67-8

configuring 64-59

exemptions 67-6

port 67-10

retransmission retries 67-10

retransmission retry timer 67-10

revalidation timer 67-5

session reinitialization timer 67-11

uses, requirements, and limitations 67-1

network extension mode 68-3

network extension mode, group policy 64-55

Network Ice firewall 64-66

networks, overlapping 28-10

Nokia VPN Client 61-28

non-secure Cisco UCM cluster, configuring phone proxy 46-14

NSEL and syslog messages

redundant messages 75-2

NSEL configuration examples 75-8

NSEL feature history 75-10

NSEL licensing requirements 75-3

NSEL runtime counters

clearing 75-7

NTLM support 36-6

NT server

configuring 36-9

support 36-6

O

object groups

about 16-2

configuring 16-4

removing 16-8

open ports C-14

operating systems, posture validation exemptions 67-6

OSPF

area authentication 21-11

area MD5 authentication 21-11

area parameters 21-11

authentication key 21-9

authentication support 21-2

cost 21-9

dead interval 21-9

default route 21-6

interaction with NAT 21-2

interface parameters 21-8

link-state advertisement 21-2

logging neighbor states 21-14

LSAs 21-2

MD5 authentication 21-10

monitoring 21-15

NSSA 21-12

packet pacing 21-15

processes 21-2

redistributing routes 21-5

route calculation timers 21-13

route map 20-1

route summarization 21-8

stub area 21-11

summary route cost 21-11

outbound access lists 35-1

Outlook Web Access (OWA) and WebVPN 71-83

output destination 74-5

output destinations 74-1

e-mail address 74-1

SNMP management station 74-1

syslog server 74-1

Telnet or SSH session 74-1

outside, definition 1-11

oversubscribing resources 5-12

P

packet

capture 79-13

classifier 5-3

packet flow

routed firewall 4-15

transparent firewall 4-21

paging screen displays B-6

parameter problem, ICMP message C-15

password

resetting on SSM hardware module 79-10

password management, Active Directory settings 64-29

passwords

changing 8-2

clientless authentication 67-9

recovery 79-7

security appliance 8-1

username, setting 64-80

WebVPN 71-78

password-storage, username attribute 64-85

PAT

Easy VPN client mode 68-3

See also NAT

pause frames for flow control 6-9

PDA support for WebVPN 71-52

peers

alerting before disconnecting 61-9

ISAKMP, determining ID method 61-6

performance, optimizing for WebVPN 71-55

permit in a crypto map 61-15

phone proxy

access lists 46-7

ASA role 45-3

certificates 46-15

Cisco IP Communicator 46-9

Cisco UCM supported versions 46-3

configuring mixed-mode Cisco UCM cluster 46-16

configuring non-secure Cisco UCM cluster 46-14

event recovery 46-42

IP phone addressing 46-8

IP phone provisioning 46-11

IP phones supported 46-3

Linksys routers, configuring 46-26

NAT and PAT requirements 46-7

ports 46-7

rate limiting 46-10

required certificates 46-16

sample configurations 46-43

SAST keys 46-42

TLS Proxy on ASA, described 45-3

troubleshooting 46-27

ping

See ICMP

PKI protocol 73-10

PoE 6-4

policing

flow within a tunnel 55-11

policy, QoS 55-1

policy map

inspection 9-17

Layer 3/4

about 9-5

adding 9-24

feature directionality 9-5

flows 9-8

policy NAT

about 26-5

dynamic, configuring 29-15

static PAT, configuring 30-5

pools, address

DHCP 7-3

global NAT 29-16, 29-18

port-forward

group policy attribute for Clientless SSL VPN 64-74

username attribute for Clientless SSL VPN 64-90

port forwarding

configuring client applications 71-82

port-forward-name

group policy attribute for Clientless SSL VPN 64-75

username attribute for Clientless SSL VPN 64-91

ports

open on device C-14

phone proxy 46-7

redirection, NAT 30-10

TCP and UDP C-11

posture validation

exemptions 67-6

port 67-10

revalidation timer 67-5

uses, requirements, and limitations 67-1

power over Ethernet 6-4

PPPoE, configuring 69-1 to 69-5

prerequisites for use

CSC SSM 60-5

pre-shared key, Easy VPN client on the ASA 5505 68-7

primary unit, failover 33-2

printers 68-8

private networks C-2

privileged EXEC mode, accessing 2-4

privileged mode

accessing 2-4

prompt B-2

privilege level, username, setting 64-80

Product Authorization Key 3-21

prompts

command B-2

more B-6

protocol numbers and literal values C-11

proxy

See e-mail proxy

proxy bypass 71-57

proxy servers

SIP and 42-19

public key cryptography 73-2

Q

QoS

about 55-1, 55-3

DiffServ preservation 55-5

DSCP preservation 55-5

feature interaction 55-4

policies 55-1

priority queueing

IPSec anti-replay window 55-12

statistics 55-15

token bucket 55-2

traffic shaping

overview 55-4

viewing statistics 55-15

Quality of Service

See QoS

question mark

command string B-4

help B-4

queue, logging

changing the size of 74-13

viewing statistics 74-17

queue, QoS

latency, reducing 55-8

limit 55-2, 55-3

R

RADIUS

attributes D-30

Cisco AV pair D-13

configuring a AAA server D-30

configuring a server 36-9

downloadable access lists 38-10

network access authentication 38-3

network access authorization 38-9

support 36-4

RAS, H.323 troubleshooting 42-11

rate limit 74-16

rate limiting 55-3

rate limiting, phone proxy 46-10

RealPlayer 42-15

reboot, waiting until active sessions end 61-9

redirect, ICMP message C-15

redundancy, in site-to-site VPNs, using crypto maps 61-26

redundant interfaces

configuring 6-11

failover 6-12

MAC address 6-12

setting the active interface 6-14

Registration Authority description 73-2

regular expression 9-21

regular NAT

dynamic, configuring 29-17

reloading

context 5-27

security appliance 79-7

remote access

IPSec tunnel group, configuring 64-7

restricting 64-84

tunnel group, configuring default 64-7

VPN, configuring 66-1, 66-10

remote management, ASA 5505 68-9

resetting the SSM hardware module password 79-10

resource management

about 5-12

assigning a context 5-19

class 5-14

configuring 5-11

default class 5-13

monitoring 5-29

oversubscribing 5-12

resource types 5-15

unlimited 5-12

resource usage 5-32

retransmission retries, Network Admission Control 67-10

retransmission retry timer, Network Admission Control 67-10

revalidation timer, Network Admission Control 67-5

revoked certificates 73-2

rewrite, disabling 71-57

RIP

enabling 22-3

routed mode

about 4-1

setting 4-1

route map

about 20-4

route maps

defining 20-4

uses 20-1

router

advertisement, ICMP message C-15

solicitation, ICMP message C-15

routes

about default 19-3

configuring default routes 19-3

configuring IPv6 default 19-4

configuring IPv6 static 19-4

configuring static routes 19-2

routing

other protocols 11-2

RSA

KEON, CA server support 73-4

keys, generating 37-2, 73-9

RTSP inspection

about 42-15

configuring 42-15

running configuration

copying 78-7

saving 2-5

S

same security level communication

enabling 6-30

NAT 26-8

SAs, lifetimes 61-22

SAST keys 46-42

SCCP (Skinny) inspection

about 42-26

configuration 42-26

configuring 42-25

SDI

configuring 36-9

support 36-5

secondary unit, failover 33-2

Secure Socket Layer Protocol 71-2

secure unit authentication 68-12

secure unit authentication, group policy 64-53

security, WebVPN 71-2, 71-9

Security Agent, Cisco 64-66

security appliance

CLI B-1

connecting to 2-4

CS-MARS interoperability E-1

managing licenses 3-1

managing the configuration 2-5

reloading 79-7

upgrading software 78-2

viewing files in Flash memory 78-1

security association

clearing 61-27

See also SAs

security attributes, group policy 64-46

security contexts

about 5-1

adding 5-16

admin context

about 5-3

changing 5-26

assigning to a resource class 5-19

cascading 5-8

changing between 5-25

classifier 5-3

command authorization 37-10

configuration

URL, changing 5-26

URL, setting 5-18

logging in 5-9

MAC addresses

automatically assigning 5-20

classifying using 5-3

managing 5-1, 5-25

mapped interface name 5-17

monitoring 5-28

multiple mode, enabling 5-10

nesting or cascading 5-9

prompt B-2

reloading 5-27

removing 5-25

resource management 5-12

resource usage 5-32

saving all configurations 2-6

unsupported features 5-2

VLAN allocation 5-17

security level

about 6-5

interface 6-25

sending messages to an e-mail address 74-8

sending messages to an SNMP server 74-6

sending messages to ASDM 74-9

sending messages to a specified output destination 74-11

sending messages to a syslog server 74-7

sending messages to a Telnet or SSH session 74-9

sending messages to the console port 74-8

sending messages to the internal log buffer 74-10

server group 67-4

service policy

applying 9-25

default 9-26

global 9-26

interface 9-26

session management path 1-14

session reinitialization timer, Network Admission Control 67-11

severity levels, of system log messages

changing 74-1

filtering by 74-1

list of 74-3

severity levels, of system messages

definition 74-3

SHA, IKE policy keywords (table) 61-3

shared license

backup server, configuring 3-26

backup server, information 3-14

client, configuring 3-27

communication issues 3-14

failover 3-15

maximum clients 3-16

monitoring 3-28

server, configuring 3-25

SSL messages 3-14

show command, filtering output B-4

simultaneous logins, username attribute 64-82

single mode

backing up configuration 5-10

configuration 5-10

enabling 5-10

restoring 5-11

single sign-on

See SSO

single-signon

group policy attribute for Clientless SSL VPN 64-76

username attribute for Clientless SSL VPN 64-92

SIP inspection

about 42-19

configuring 42-19

instant messaging 42-20

timeouts 42-24

troubleshooting 42-25

site-to-site VPNs, redundancy 61-26

Smart Call Home monitoring 77-19

smart tunnels 71-33

SMTP inspection 41-32

SNMP

about 76-1

failover 76-4

management station 74-1

source quench, ICMP message C-15

SPAN 6-4

Spanning Tree Protocol, unsupported 6-17

speed, configuring 6-8

split tunneling

ASA 5505 as Easy VPN client 68-8

group policy 64-49

group policy, domains 64-51

SSCs

management access 58-2

management defaults 58-4

management interface 58-4

password reset 58-8

reload 58-8

reset 58-8

routing 58-3

sessioning to 58-6

shutdown 58-8

supported applications 58-2

SSH

authentication 37-6

concurrent connections 37-2

login 37-1, 37-2, 37-3

password 8-1

RSA key 37-2

username 37-3

SSL

certificate 71-8

used to access the security appliance 71-5

SSL/TLS1 71-2

SSL/TLS encryption protocols

configuring 71-7

WebVPN 71-7

SSL VPN Client

compression 72-15

DPD 72-14

enabling

permanent installation 72-6

group policy attribute for Clientless SSL VPN 64-77

installing

order 72-5

keepalive messages 72-14

username attribute for Clientless SSL VPN 64-93

viewing sessions 72-18

SSCs

See also AIP SSC

SSMs

checking status 58-9

loading an image 58-7

management access 58-2

management defaults 58-4

password reset 58-8

reload 58-8

reset 58-8

routing 58-3

sessioning to 58-6

shutdown 58-8

supported applications 58-2

See also AIP SSM

See also CSC SSM

sso-server

group policy attribute for Clientless SSL VPN 64-76

username attribute for Clientless SSL VPN 64-92

SSO with WebVPN 71-9 to 71-22

configuring HTTP Basic and NTLM authentication 71-10

configuring HTTP form protocol 71-16

configuring SiteMinder 71-11, 71-13

startup configuration

copying 78-7

saving 2-5

Stateful Failover

about 32-10

state information 32-10

state link 32-4

stateful inspection 1-13

bypassing 51-1

state information 32-10

state link 32-4

static ARP entry 4-10

static bridge entry 4-13

static NAT

See NAT

static PAT

See PAT

static routes

configuring 19-2

statistics, QoS 55-15

stealth firewall

See transparent firewall

stuck-in-active 23-2

subcommand mode prompt B-2

subinterfaces, adding 6-14

subnet masks

/bits C-3

about C-2

address range C-4

determining C-3

dotted decimal C-3

number of hosts C-3

Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 71-43

Sun Microsystems Java Runtime Environment and WebVPN 71-82

Sun RPC inspection

about 43-3

configuring 43-3

SVC

See SSL VPN Client

svc

group policy attribute for Clientless SSL VPN 64-77

username attribute for Clientless SSL VPN 64-93

switch MAC address table 4-12

switch ports

access ports 6-17

protected 6-18

SPAN 6-4

trunk ports 6-19

Sygate Personal Firewall 64-66

SYN attacks, monitoring 5-33

SYN cookies 5-33

syntax formatting B-3

syslogd server program 74-5

syslog messages

analyzing 74-2

syslog server

as output destination

designating more than one 74-5

EMBLEM format

configuring 74-15

enabling 74-7

system configuration 5-2

system log messages

classes 74-3, E-5

classes of 74-4

configuring in groups

by message list 74-4

by severity level 74-1

device ID, including 74-14

disabling logging of 74-1

filtering by message class 74-4

managing in groups

by message class 74-11

output destinations 74-1

syslog message server 74-1

Telnet or SSH session 74-1

severity levels

about 74-3

changing the severity level of a message 74-1

timestamp, including 74-15

T

TACACS+

command authorization, configuring 37-14

configuring a server 36-9

network access authorization 38-8

support 36-5

tail drop 55-3

TCP

ASA 5505 as Easy VPN client 68-4

connection limits per context 5-15

ports and literal values C-11

sequence number randomization

disabling in NAT configuration 29-15, 29-17

disabling using Modular Policy Framework 53-3

TCP Intercept

enabling using Modular Policy Framework 53-3

enabling using NAT 28-3, 29-12

monitoring 5-33

TCP normalization 52-1

TCP state bypass

AAA 51-3

configuring 51-1

failover 51-3

firewall mode 51-2

inspection 51-3

multiple context mode 51-2

NAT 51-3

SSMs and SSCs 51-3

TCP Intercept 51-3

TCP normalization 51-3

unsupported features 51-3

Telnet

allowing management access 37-1

authentication 37-6

concurrent connections 37-1

password 8-1

template timeout intervals

configuring for flow-export actions 75-6

temporary license 3-11

testing configuration 79-1

threat detection

basic

drop types 50-2

enabling 50-4

overview 50-2

rate intervals 50-2

rate intervals, setting 50-4

statistics, viewing 50-5

system performance 50-2

scanning

attackers, viewing 50-16

default limits, changing 50-15

enabling 50-15

host database 50-14

overview 50-13

shunned hosts, releasing 50-16

shunned hosts, viewing 50-16

shunning attackers 39-7, 50-15

system performance 50-14

targets, viewing 50-16

scanning statistics

enabling 50-7

system performance 50-6

viewing 50-9

time exceeded, ICMP message C-15

time ranges, access lists 16-14

timestamp, including in system log messages 74-15

timestamp reply, ICMP message C-15

timestamp request, ICMP message C-15

TLS1, used to access the security appliance 71-5

TLS Proxy

applications supported by ASA 45-2

Cisco Unified Presence architecture 49-1

configuring for Cisco Unified Presence 49-5

licenses 45-4, 47-5, 48-6, 49-4

token bucket 55-2

toolbar, floating, WebVPN 71-62

traffic flow

routed firewall 4-15

transparent firewall 4-21

traffic shaping

overview 55-4

Transform 61-12

transform set

creating 66-1, 66-6

definition 61-12

transmit queue ring limit 55-2, 55-3

transparent firewall

about 4-2

ARP inspection

about 4-8

enabling 4-10

static entry 4-10

data flow 4-21

DHCP packets, allowing 11-2

guidelines 4-5

H.323 guidelines 4-3

HSRP 4-3

MAC address timeout 4-14

MAC learning, disabling 4-14

Management 0/0 IP address 6-24

management IP address 8-7

multicast traffic 4-3

packet handling 11-2

static bridge entry 4-13

unsupported features 4-6

VRRP 4-3

Transport Layer Security 71-2

troubleshooting

H.323 42-9

H.323 RAS 42-11

phone proxy 46-27

SIP 42-25

trunk, 802.1Q 6-14

trunk ports 6-19

Trusted Flow Acceleration

failover 60-5, 62-4, 72-4

modes 4-5, 4-9, 4-13, 11-2, 19-2, 20-3, 21-3, 22-3, 23-2, 24-19, 25-23, 28-2, 29-11, 31-2, 31-6, 34-7, 35-3, 60-5, 62-4, 72-4

trustpoint 73-3

trustpoint, ASA 5505 client 68-7

trust relationship

Cisco Unified Mobility 48-5

Cisco Unified Presence 49-3

tunnel

ASA 5505 as Easy VPN client 68-5

IPsec 61-11

security appliance as a tunnel endpoint 61-1

tunnel group

ASA 5505 as Easy VPN client 68-7

configuring 64-6

creating 64-8

default 61-11, 64-1, 64-2

default, remote access, configuring 64-7

default LAN-to-LAN, configuring 64-17

definition 64-1, 64-2

general parameters 64-3

inheritance 64-1

IPSec parameters 64-4

LAN-to-LAN, configuring 64-17

name and type 64-8

remote access, configuring 66-6

remote-access, configuring 64-7

tunnel-group

general attributes 64-3

tunnel-group ISAKMP/IKE keepalive settings 64-4

tunneling, about 61-1

tunnel mode 62-2

tx-ring-limit 55-2, 55-3

U

UDP

connection limits per context 5-15

connection state information 1-14

ports and literal values C-11

unreachable, ICMP message C-15

url-list

group policy attribute for Clientless SSL VPN 64-73

username attribute for Clientless SSL VPN 64-89

URLs

context configuration, changing 5-26

context configuration, setting 5-18

filtering, about 39-6

filtering, configuration 39-8

user, VPN

definition 64-1

user access, restricting remote 64-84

user authentication, group policy 64-53

user EXEC mode

accessing 2-4

prompt B-2

username

adding 36-8

clientless authentication 67-9

encrypted 36-8

management tunnels 68-9

password 36-8

WebVPN 71-78

Xauth for Easy VPN client 68-4

username attributes

access hours 64-81

configuring 64-79, 64-81

group-lock 64-84

inheritance 64-81

password, setting 64-80

password-storage 64-85

privilege level, setting 64-80

simultaneous logins 64-82

vpn-filter 64-83

vpn-framed-ip-address 64-83

vpn-idle timeout 64-82

vpn-session-timeout 64-83

vpn-tunnel-protocol 64-84

username attributes for Clientless SSL VPN

auto-signon 64-91

customization 64-87

deny message 64-88

filter (access list) 64-89

homepage 64-87

html-content-filter 64-86

keep-alive ignore 64-91

port-forward 64-90

port-forward-name 64-91

sso-server 64-92

svc 64-93

url-list 64-89

username configuration, viewing 64-80

username webvpn mode 64-85

U-turn 61-19

V

VeriSign, configuring CAs example 73-4

viewing QoS statistics 55-15

viewing RMS 78-22

virtual cluster 63-6

IP address 63-7

master 63-6

virtual firewalls

See security contexts

virtual HTTP 38-3

virtual reassembly 1-12

virtual sensors 59-6

VLAN mapping 64-44

VLANs 6-14

802.1Q trunk 6-14

allocating to a context 5-17

ASA 5505

MAC addresses 6-4

maximum 6-2

mapped interface name 5-17

subinterfaces 6-14

VoIP

proxy servers 42-19

troubleshooting 42-9

VPN

address pool, configuring (group-policy) 64-62

address range, subnets C-4

parameters, general, setting 63-1

setting maximum number of IPSec sessions 63-4

VPN attributes, group policy 64-42

VPN Client, IPsec attributes 61-2

vpn-filter username attribute 64-83

VPN flex license 3-11

vpn-framed-ip-address username attribute 64-83

VPN hardware client, group policy attributes 64-52

vpn-idle-timeout username attribute 64-82

vpn load balancing

See load balancing 63-6

vpn-session-timeout username attribute 64-83

vpn-tunnel-protocol username attribute 64-84

VRRP 4-3

W

WCCP 56-1

web browsing with WebVPN 71-81

web caching 56-1

web clients, secure authentication 38-5

web e-Mail (Outlook Web Access), Outlook Web Access 71-54

WebVPN

assigning users to group policies 71-25

authenticating with digital certificates 71-23, 71-24

CA certificate validation not done 71-2

client application requirements 71-79

client requirements 71-79

for file management 71-81

for network browsing 71-81

for port forwarding 71-82

for using applications 71-82

for web browsing 71-81

start-up 71-80

configuring

e-mail 71-53

configuring WebVPN and ASDM on the same interface 71-5

cookies 71-8

defining the end-user interface 71-61

definition 71-1

digital certificate authentication restrictions 71-8

e-mail 71-53

e-mail proxies 71-53

enable cookies for 71-82

end user set-up 71-61

establishing a session 71-5

floating toolbar 71-62

group policy attributes, configuring 71-26

hosts file 71-48

hosts files, reconfiguring 71-49

HTTP/HTTPS proxy, setting 71-8

Java object signing 71-56

PDA support 71-52

printing and 71-80

remote system configuration and end-user requirements 71-80

security precautions 71-2, 71-9

security tips 71-78

setting HTTP/HTTPS proxy 71-6

SSL/TLS encryption protocols 71-7

supported applications 71-79

supported browsers 71-80

supported types of Internet connections 71-80

troubleshooting 71-47

unsupported features 71-4

URL 71-80

use of HTTPS 71-5

username and password required 71-80

usernames and passwords 71-78

use suggestions 71-61, 71-79

WebVPN, Application Access Panel 71-62

webvpn attributes

group policy 64-69

welcome message, group policy 64-48

WINS server, configuring 64-41

X

Xauth, Easy VPN client 68-4

XOFF frames 6-9

Z

Zone Labs firewalls 64-66

Zone Labs Integrity Server 64-64