Index
Symbols
/bits subnet masks A-3
Numerics
Generating Syslog Messages in EMBLEM Format to a Syslog Server 72-16
4GE SSM
connector types 8-8
fiber 8-8
SFP 8-8
support 1-2
802.1Q tagging 8-19
802.1Q trunk 8-14
A
AAA
about 32-1
accounting 34-15
authentication
CLI access 33-11
network access 34-1
proxy limit 34-9
authorization
command 33-13
downloadable access lists 34-10
network access 34-9
local database support 32-7
performance 34-1
server 72-4
adding 32-8, 32-10
types 32-3
support summaries 32-3
web clients 34-5
AAA server group, add (group-policy) 65-6
ABR
definition of 21-2
access_rules 17-3
Access Control Server 64-28
Access Group panel
description 24-8
access lists
downloadable 34-11
global access rules 31-4
implicit deny 31-3
inbound 31-3
outbound 31-3
overview 31-1
phone proxy 44-7
access ports 8-18
access rules
turn off expansion 31-12
Accounting tab, tunnel group 65-91
ACE
add/edit/paste 15-3, 65-17
Extended ACL tab 15-2, 65-16
ACL
enabling IPSEC authenticated inbound sessions to bypass ACLs 65-104, 65-116
extended 15-2, 65-16
for Clientless SSL VPN 65-29
standard 15-1, 65-15
ACL Manager
Add/Edit/Paste ACE 15-3, 65-17
dialog box 15-1, 65-15
activation key
entering 4-25
location 4-23
obtaining 4-24
Active/Active failover
about 61-1
actions 61-5
command replication 61-3
configuration synchronization 61-3
device initialization 61-3
duplicate MAC addresses, avoiding 61-2
optional settings
about 61-6
primary status 61-2
secondary status 61-2
triggers 61-4
Active/Standby failover
about 60-1
actions 60-4
command replication 60-3
configuration synchronization 60-2
device initialization 60-2
primary unit 60-2
secondary unit 60-2
triggers 60-3
Active Directory procedures B-16 to ??
Adaptive Security Algorithm 1-18
Add/Edit Access Group dialog box
description 24-8
Add/Edit Filtering Entry dialog box
description 21-16
Add/Edit IGMP Join Group dialog box
description 24-7
Add/Edit IGMP Static Group dialog box
description 24-8
Add/Edit Multicast Group dialog box 24-14
description 24-14
Add/Edit OSPF Area dialog box 21-12
description 21-12
Add/Edit OSPF Neighbor Entry dialog box 21-14, 21-15
description 21-15
Add/Edit Periodic Time Range dialog box 13-18
Add/Edit Rendezvous Point dialog box
restrictions 24-11
Add/Edit Summary Address dialog box
description 21-8, 21-12
Add/Edit Time Range dialog box 13-16
Add/Edit Virtual Link dialog box
description 21-17
add_acl 17-3
address assignment, client 65-91
Address Pool panel, VPN wizard 63-12
address pools, tunnel group 65-91
Address Translation Exemption panel, VPN wizard 63-13
admin context
about 6-2
administrative access
using ICMP for 33-9
administrative distance 19-4
Advanced DHCP Options dialog box
description 10-7
Advanced OSPF Interface Properties dialog box 21-11
Advanced OSPF Virtual Link Properties dialog box
description 21-18
Advanced tab, tunnel group 65-92
ae_standard_access_list_rule 17-3
ae_webtype_acl 16-3
AIP
See IPS module
AIP SSM
about 55-1
port-forwarding
enabling 8-21
support 1-2
alternate address, ICMP message A-15
analyzing syslog messages 72-2
anti-replay window size 64-11
APN, GTP application inspection 41-11
APPE command, denied request 38-22
application access
and e-mail proxy 67-7
and Web Access 67-7
configuring client applications 67-6
enabling cookies on browser 67-6
privileges 67-6
quitting properly 67-6
setting up on client 67-6
using e-mail 67-7
with IMAP client 67-7
application firewall 38-31
application inspection
about 37-1
applying 37-5
configuring 37-5
security level requirements 8-5
Apply button 3-12
Area/Networks tab
description 21-4
area border router 21-2
ARP
NAT 26-21
ARP inspection
about 5-8
enabling 5-10
static entry 5-9
ARP spoofing 5-8
ARP table
monitoring 8-33
ARP test, failover 58-16
ASA (Adaptive Security Algorithm) 1-18
ASA 5505
Base license 8-2
client
Xauth 65-108
interfaces, about 8-1
MAC addresses 8-4
maximum VLANs 8-2
power over Ethernet 8-4
Security Plus license 8-2
SPAN 8-4
Spanning Tree Protocol, unsupported 8-18
ASA 5550 throughput 8-22
ASBR
definition of 21-2
asymmetric routing
TCP state bypass 49-4
attacks
DNS HINFO request 53-10
DNS request for all records 53-10
DNS zone transfer 53-10
DNS zone transfer from high port 53-10
fragmented ICMP traffic 53-9
IP fragment 53-7
IP impossible packet 53-7
large ICMP traffic 53-9
ping of death 53-9
proxied RPC request 53-10
statd buffer overflow 53-11
TCP FIN only flags 53-10
TCP NULL flags 53-9
TCP SYN+FIN flags 53-9
UDP bomb 53-10
UDP chargen DoS 53-10
UDP snork 53-10
attributes
RADIUS B-30
Attributes Pushed to Client panel, VPN wizard 63-13
attribute-value pairs
TACACS+ B-39
authenticating a certificate 36-8
authentication
about 32-2
CLI access 33-11
FTP 34-3
HTTP 34-2
network access 34-1
Telnet 34-2
web clients 34-5
Authentication tab
description 21-9
authorization
about 32-2
command 33-13
downloadable access lists 34-10
network access 34-9
Auto-MDI/MDIX 8-5
B
backed up configurations
restoring 76-16
backing up configurations 76-13
Baltimore Technologies, CA server support 36-5
bandwidth 3-17
banner, view/configure 65-34
Basic tab
IPSec LAN-to-LAN, General tab 65-96
basic threat detection
See threat detection
bits subnet masks A-3
Botnet Traffic Filter
actions 51-2
address categories 51-2
blacklist
adding entries 51-8
description 51-2
blocking traffic manually 51-12
classifying traffic 51-10
configuring 51-6
databases 51-2
default settings 51-6
DNS Reverse Lookup Cache
information about 51-3
maximum entries 51-4
using with dynamic database 51-9
DNS snooping 51-9
dropping traffic 51-10
graylist 51-10
dynamic database
enabling use of 51-7
files 51-3
information about 51-2
searching 51-13
updates 51-7
feature history 51-15
graylist
description 51-2
dropping traffic 51-10
guidelines and limitations 51-5
information about 51-1
licensing 51-5
monitoring 51-13
static database
adding entries 51-8
information about 51-3
syslog messages 51-13
task flow 51-6
threat level
dropping traffic 51-10
whitelist
adding entries 51-8
description 51-2
working overview 51-4
broadcast Ping test 58-16
Browse ICMP 65-21
Browse Other 65-22
Browse Source or Destination Address 65-19
Browse Source or Destination Port 65-19
Browse Time Range 65-13
building blocks 13-1
bypassing firewall checks 49-3
C
CA
certificate validation, not done in WebVPN 68-1
CRs and 36-3
public key cryptography 36-2
revoked certificates 36-3
supported servers 36-5
CA certificate 36-1
CA certificates 36-8
call agents
MGCP application inspection 39-17, 39-18
Cancel button 3-12
CDUP command, denied request 38-22
certificate
CA 36-8
Cisco Unified Mobility 46-5
Cisco Unified Presence 47-4
code-signer 36-20
Identity 36-14
local CA 36-22
certificate authentication 36-8
certificate enrollment 36-9
Certificate Revocation Lists
See CRLs
change query interval 24-9
change query response time 24-9
change query timeout value 24-9
changing the severity level 72-20
CIFS mount point
accessing 76-4
Cisco-AV-Pair LDAP attributes B-13
Cisco Client Parameters tab 65-34
Cisco IOS CS CA
server support 36-5
Cisco IP Communicator 44-9
Cisco IP Phones, application inspection 39-37
Cisco UMA. See Cisco Unified Mobility.
Cisco Unified Mobility
architecture 46-2
ASA role 42-2, 42-3, 43-2
certificate 46-5
functionality 46-1
NAT and PAT requirements 46-3, 46-4
trust relationship 46-5
Cisco Unified Presence
ASA role 42-2, 42-3, 43-2
configuring the TLS Proxy 47-8
NAT and PAT requirements 47-2
trust relationship 47-4
Cisco UP. See Cisco Unified Presence.
Class A, B, and C addresses A-1
classes, logging
message class variables 72-4
types 72-4
classes, resource
See resource management
class map
regular expression 13-15
Client Access Rule, add or edit 65-31
Client Address Assignment 65-91
Client Authentication panel, VPN wizard 63-10
Client Configuration tab 65-32
Client Firewall tab 65-37
Clientless SSL VPN
client application requirements 67-2
client requirements 67-2
for file management 67-5
for network browsing 67-5
for web browsing 67-4
start-up 67-3
enable cookies for 67-6
end user set-up 67-1
printing and 67-3
remote requirements
for port forwarding 67-6
for using applications 67-6
remote system configuration and end-user requirements 67-3
security tips 67-2
supported applications 67-2
supported browsers 67-3
supported types of Internet connections 67-3
URL 67-3
username and password required 67-3
usernames and passwords 67-1
use suggestions 67-1
client parameters, configuring 65-32
Client Update, edit, Windows and VPN 3002 clients 65-3
Client Update window, Windows and VPN 3002 clients 65-1
cluster
mixed scenarios 64-22
code-signer certificate 36-20
command authorization
about 33-14
configuring 33-13
multiple contexts 33-15
compiling syslog MIB files 74-8
configuration
factory default
commands 2-5
restoring 2-5
configurations, backing up 76-13
configuring
CSC activation 57-4
CSC email 57-14
CSC file transfer 57-15
CSC IP address 57-5
CSC license 57-4
CSC management access 57-6
CSC notifications 57-5
CSC password 57-7
CSC Setup Wizard 57-8, 57-11
CSC Setup Wizard Activation Codes Configuration 57-9
CSC Setup Wizard Host Configuration 57-9
CSC Setup Wizard IP Configuration 57-9
CSC Setup Wizard Management Access Configuration 57-10
CSC Setup Wizard Password Configuration 57-10
CSC Setup Wizard Summary 57-12
CSC Setup Wizard Traffic Selection for CSC Scan 57-11
CSC updates 57-16
CSC Web 57-13
configuring mobile user security services 65-63
configuring MUS 65-63
connection limits
configuring 49-1
per context 6-15
console port logging 72-15
contexts
See security contexts
conversion error, ICMP message A-16
creating a custom event list 72-15
CRL
cache refresh time 36-13
CSC 57-9
CSC activation
configuring 57-4
CSC CPU
monitoring 56-13
CSC email
configuring 57-14
CSC file transfer
configuring 57-15
CSC IP address
configuring 57-5
CSC license
configuring 57-4
CSC management access
configuring 57-6
CSC memory
monitoring 56-14
CSC notifications
configuring 57-5
CSC password
configuring 57-7
CSC security events
monitoring 56-11
CSC Setup Wizard 57-8
activation codes configuration 57-9
Host configuration 57-9
IP configuration 57-9
management access configuration 57-10
password configuration 57-10
specifying traffic for CSC Scanning 57-11
summary 57-12
traffic selection for CSC Scan 57-11
CSC software updates
monitoring 56-13
CSC SSM
about 56-1, 57-2
support 1-2
what to scan 56-3
CSC SSM feature history 56-15, 57-17
CSC SSM GUI
configuring 57-13
CSC threats
monitoring 56-11
CSC updates
configuring 57-16
CSC Web
configuring 57-13
customizing the end-user experience
by the security appliance 68-87
custom messages list
logging output destination 72-5
cut-through proxy 34-1
D
data flow
routed firewall 5-14
transparent firewall 5-20
date and time in messages 72-20
default
class 6-9
routes, defining equal cost routes 19-6
default configuration
commands 2-5
restoring 2-5
default policy 30-7
default routes
about 19-6
configuring 19-6
default tunnel gateway 65-4
destination address, browse 65-19
destination port, browse 65-19
device ID, including in messages 72-19
device ID in messages 72-19
Device Pass-Through 65-109
DHCP
configuring 10-5
monitoring
interface lease 8-33
IP addresses 8-33
server 8-33
statistics 8-35
statistics 8-35
transparent firewall 31-5
DHCP relay
overview 10-2
DHCP Relay - Add/Edit DHCP Server dialog box
description 10-4
restrictions 10-4
DHCP Relay pane
description 10-2
DHCP Relay panel 10-2, 11-4
prerequisites 10-3
restrictions 10-3
DHCP Server pane
description 10-5
DHCP Server panel 10-5
DHCP services 9-6
DiffServ preservation 50-5
digital certificates 36-1
directory hierarchy search B-4
disabling content rewrite 68-17
disabling messages 72-20
disabling messages, specific message IDs 72-20
DMZ, definition 1-15
DNS
inspection
about 38-2
managing 38-1
rewrite, about 38-3
rewrite, configuring 38-3
NAT effect on 26-21
NAT effect on (8.2 and earlier) 29-13
server, configuring 9-10
DNS HINFO request attack 53-10
DNS request for all records attack 53-10
DNS zone transfer attack 53-10
DNS zone transfer from high port attack 53-10
dotted decimal subnet masks A-3
downloadable access lists
configuring 34-11
converting netmask expressions 34-15
DSCP preservation 50-5
DUAL 23-2
dual IP stack, configuring 8-6
dual-ISP support 19-8
duplex
interface 8-19, 8-20
duplex, configuring 8-8
dynamic NAT
about 26-8
configuring (8.2 and earlier) 29-16
network object NAT 27-3
twice NAT 28-3
dynamic PAT
configuring (8.2 and earlier) 26-10
network object NAT 27-7
twice NAT 28-7
E
Easy VPN
client
Xauth 65-108
Easy VPN, advanced properties 65-109
Easy VPN client 65-107
Easy VPN Remote 65-107
echo reply, ICMP message A-15
Edit DHCP Relay Agent Settings dialog box
description 10-4
prerequisites 10-4
restrictions 10-4
Edit DHCP Server dialog box
description 10-6
Edit OSPF Interface Authentication dialog box 21-9
description 21-9
Edit OSPF Interface Properties dialog box 21-10
EIGRP 31-5
DUAL algorithm 23-2
hello interval 23-15
hello packets 23-1
hold time 23-2, 23-15
neighbor discovery 23-1
stub routing 23-5
stuck-in-active 23-2
e-mail proxy
and Clientless SSL VPN 67-7
Enable IPSec authenticated inbound sessions 65-104, 65-116
enabling logging 72-6
enabling secure logging 72-19
enrolling
certificate 36-9
Entrust, CA server support 36-5
established command, security level requirements 8-5
Ethernet
Auto-MDI/MDIX 8-5
duplex 8-8
jumbo frames, ASA 5580 8-32
jumbo frame support
single mode 8-26
MTU 8-26
speed 8-8
EtherType access list
compatibility with extended access lists 31-2
implicit deny 31-3
evaluation license 4-13
extended ACL 15-2, 65-16
External Group Policy, add or edit 65-6
F
factory default configuration
commands 2-5
restoring 2-5
failover
about 58-1
about virtual MAC addresses 60-11
Active/Active, See Active/Active failover
Active/Standby, See Active/Standby failover
configuration file
terminal messages, Active/Active 61-3
terminal messages, Active/Standby 60-2
contexts 60-2
criteria 60-10, 61-12
debug messages 58-17
defining standby IP addresses 60-8, 60-9
disabling 60-13, 61-17
enable 61-10
enabling Stateful Failover 60-7
Ethernet failover cable 58-3
failover link 58-3
forcing 60-12, 61-17
health monitoring 58-15
in multiple context mode 61-9
interface health 58-15
interface monitoring 58-15
interface tests 58-15
key 61-10
link communications 58-3
MAC addresses
about 60-2
automatically assigning 6-11
monitoring, health 58-15
network tests 58-15
primary unit 60-2
redundant interfaces 8-12
reset 61-18
restoring a failed group 60-13, 61-17
restoring a failed unit 60-13, 61-17
secondary unit 60-2
SNMP syslog traps 58-17
Stateful Failover 61-11
Stateful Failover, See Stateful Failover
state link 58-4
system log messages 58-17
system requirements 58-2
Trusted Flow Acceleration 7-2, 56-6, 57-3, 74-5
type selection 58-9
unit health 58-15
failover groups
about 61-12
adding 61-13
editing 61-13
monitoring 61-19
reset 61-19
fast path 1-19
fiber interfaces 8-8
Fibre Channel interfaces
default settings 16-2, 17-2, 31-7, 56-6, 57-3
filtering
rules 35-6
security level requirements 8-5
servers supported 35-2
URLs 35-1, 35-2
filtering messages 72-4
Filtering panel
description 21-16
firewall, client, configuring settings 65-37
firewall mode
about 5-1
configuring 5-1
firewall server, Zone Labs 65-105
flash memory available for logs 72-18
flow control for 10 Gigabit Ethernet 8-9
flow-export actions 73-4
format of messages 72-3
fragmentation policy, IPsec 64-2
fragmented ICMP traffic attack 53-9
Fragment panel 53-2
fragment protection 1-16
fragment size 53-2
FTP
application inspection
viewing 38-9, 38-18, 38-19, 38-32, 38-46, 38-53, 38-54, 39-7, 39-9, 39-17, 39-21, 39-30, 39-39, 39-40, 41-2, 41-14
filtering option 35-10
FTP inspection
about 38-13
configuring 38-13
G
gateway, default tunnel gateway 65-4
gateways
MGCP application inspection 39-19
General Client Parameters tab 65-32
graphs
bookmarking 8-38
interface monitoring 8-38
printing 8-38
Group Policy window
add or edit, General tab 65-7, 65-12
introduction 65-5
IPSec tab, add or edit 65-30
groups
SNMP 74-4
GTP
application inspection
viewing 41-7
GTP inspection
about 41-5
configuring 41-5
H
H.323
transparent firewall guidelines 5-3
H.323 inspection
about 39-3
configuring 39-2
limitations 39-4
Hardware Client tab 65-39
HA Wizard
accessing 59-1
licensing requirements 59-1
requirements for setup 59-2
Help button 3-12
HELP command, denied request 38-22
Help menu 3-9
hierarchical policy, traffic shaping and priority queueing 50-11
high availability
about 58-1
history metrics 9-13
host
SNMP 74-4
hosts, subnet masks for A-3
HSRP 5-3
HTTP
application inspection
viewing 38-31
filtering 35-1
configuring 35-9
HTTP(S)
filtering 35-2
HTTP inspection
about 38-24
configuring 38-24
HTTPS/Telnet/SSH
allowing network or host access to ASDM 33-1
I
ICMP
add group 65-21
browse 65-21
rules for access to ASDM 33-9
testing connectivity 77-1
type numbers A-15
ICMP Group 65-21
ICMP unreachable message limits 33-10
Identity Certificates 36-14
identity NAT
about 26-11
configuring (8.2 and earlier) 29-16
network object NAT 27-14
twice NAT 28-15
IKE Policy panel, VPN wizard 63-5
ILS inspection 40-1
IM 39-24
implementing SNMP 74-4
inbound access lists 31-3
individual syslog messages
assigning or changing rate limits 72-21
information reply, ICMP message A-16
information request, ICMP message A-16
inside, definition 1-15
inspection engines
See application inspection
Instant Messaging inspection 39-24
interface
duplex 8-19, 8-20
MTU 8-26
status 3-17
subinterface, adding 8-15
throughput 3-17
Interface panel 21-9
interfaces
ASA 5505
about 8-1
enabled status 8-18
MAC addresses 8-4
maximum VLANs 8-2
switch port configuration 8-18
trunk ports 8-19
ASA 5550 throughput 8-22
default settings 16-2, 17-2, 31-7, 56-6, 57-3
duplex 8-8
failover monitoring 58-15
fiber 8-8
jumbo frame support
single mode 8-26
MAC addresses
automatically assigning 6-19
monitoring 8-36
redundant 8-11
SFP 8-8
speed 8-8
subinterfaces 8-14
IP addresses
classes A-1
management, transparent firewall 9-14
private A-2
subnet mask A-4
IP audit
enabling 53-5
signatures 53-6
IP fragment attack 53-7
IP fragment database, displaying 53-2
IP fragment database, editing 53-3
IP impossible packet attack 53-7
IP overlapping fragments attack 53-8
IP phone
phone proxy provisioning 44-11
IP phones
addressing requirements for phone proxy 44-8
supported for phone proxy 44-3
IPS
IP audit 53-5
IPSec
anti-replay window 50-11
IPsec
Cisco VPN Client 64-9
fragmentation policy 64-2
IPSec Encryption and Authentication panel, VPN wizard 63-6
IPSec rules
anti-replay window size 64-11
IPSec tab
internal group policy 65-30
IPSec LAN-to-LAN 65-97
tunnel group 65-93
IPS module
about 55-1
configuration 55-5
operating modes 55-2
sending traffic to 55-7
traffic flow 55-1
virtual sensors 55-6
IP spoofing, preventing 53-1
IP teardrop attack 53-8
IPv6
commands 18-9
configuring alongside IPv4 8-6
default route 19-7
dual IP stack 8-6
duplicate address detection 7-21, 8-27, 25-6
neighbor discovery 25-1
router advertisement messages 7-22, 25-8
static routes 19-7
IPv6 addresses
anycast A-9
command support for 18-9
format A-5
multicast A-8
prefixes A-10
required A-10
types of A-6
unicast A-6
J
Java console 77-12
Join Group panel
description 24-7
jumbo frames, ASA 5580 8-32
jumbo frame support
single mode 8-26
K
Kerberos
configuring 32-8
support 32-6
key pairs 36-15
L
large ICMP traffic attack 53-9
latency
about 50-1
configuring 50-2, 50-3
reducing 50-8
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
Layer 3/4
matching multiple policy maps 30-5
LCS Federation Scenario 47-2
LDAP
application inspection 40-1
attribute mapping 32-22
Cisco-AV-pair B-13
configuring 32-8
configuring a AAA server B-3 to ??
directory search B-4
example configuration procedures B-16 to ??
hierarchy example B-4
licenses
activation key
entering 4-25
location 4-23
obtaining 4-24
ASA 5505 4-3
ASA 5510 4-4
ASA 5520 4-5
ASA 5540 4-6
ASA 5550 4-7
ASA 5580 4-8
Cisco Unified Communications Proxy features 42-4, 45-3, 46-6, 47-7, 48-8
default 4-13
evaluation 4-13
failover 4-22
guidelines 4-22
managing 4-1
preinstalled 4-13
Product Authorization Key 4-24
shared
backup server, information 4-17
client, configuring 4-28
communication issues 4-17
failover 4-18
maximum clients 4-19
monitoring 4-28
overview 4-15
server, configuring 4-27
SSL messages 4-17
temporary 4-13
viewing current 4-24
VPN Flex 4-13
licensing requirements
CSC SSM 56-5, 57-2
logging 72-5
licensing requirements for SNMP 74-4
link up/down test 58-15
LLQ
See low-latency queue
load balancing
mixed cluster scenarios 64-22
local CA 36-22
Local CA User Database 36-25
Local Hosts and Networks panel, VPN wizard 63-7
local user database
support 32-7
lockout recovery 33-24
logging
classes
filtering messages by 72-4
types 72-4
filtering
by message list 72-5
by severity level 72-1
output destinations
internal buffer 72-1, 72-7
Telnet or SSH session 72-7
queue
changing the size of 72-18
configuring 72-18
logging feature history 72-25
logging queue
configuring 72-18
login
banner, configuring 33-3
FTP 34-3
SSH 33-3
low-latency queue
applying 50-2, 50-3
M
MAC address
redundant interfaces 8-12
MAC addresses
ASA 5505 8-4
automatically assigning 6-19
failover 60-2
security context classification 6-3
MAC address table
about 5-20
built-in-switch 5-11
MAC learning, disabling 5-13
monitoring 8-35
resource management 6-15
static entry 5-13
MAC learning, disabling 5-13
management interfaces
default settings 16-2, 17-2, 31-7, 56-6, 57-3
management IP address, transparent firewall 9-14
man-in-the-middle attack 5-8
mapped addresses
guidelines 26-20
guidelines (8.2 and earlier) 29-13
mask
reply, ICMP message A-16
request, ICMP message A-16
Master Passphrase 9-6
maximum sessions, IPSec 65-104
media termination address, criteria 44-6
menus 3-4
message filtering 72-4
message list
filtering by 72-5
messages, logging
classes
about 72-4
list of 72-4
component descriptions 72-3
filtering by message list 72-5
format of 72-3
severity levels 72-3
message classes 72-4
messages in EMBLEM format 72-16, 72-17
metacharacters, regular expression 13-11
MGCP
application inspection
configuring 39-18
viewing 39-16
MGCP inspection
about 39-14
configuring 39-13
mgmt0 interfaces
default settings 16-2, 17-2, 31-7, 56-6, 57-3
MIBs 74-2
MIBs for SNMP 74-12
Microsoft Access Proxy 47-1
Microsoft client parameters, configuring 65-32
Microsoft Windows 2000 CA, supported 36-5
mixed cluster scenarios, load balancing 64-22
MMP inspection 46-1
mobile redirection, ICMP message A-16
mode
context 6-14
firewall 5-1
monitoring
ARP table 8-33
CSC CPU 56-13
CSC memory 56-14
CSC security events 56-11
CSC software updates 56-13
CSC SSM 56-10
CSC threats 56-11
DHCP
interface lease 8-33
IP addresses 8-33
server 8-33
statistics 8-35
failover 58-15
failover groups 61-19
history metrics 9-13
interfaces 8-36
MAC address table 8-35
OSPF 21-20
SNMP 74-1
monitoring logging 72-22
monitoring NSEL 73-6
monitoring switch traffic, ASA 5505 8-4
MPF
default policy 30-7
feature directionality 30-3
features 30-1
flows 30-5
matching multiple policy maps 30-5
See also class map
See also policy map
MPLS
LDP 31-6
router-id 31-6
TDP 31-6
MRoute panel
description 24-5
MTU 8-26
multicast traffic 5-3
multiple context mode
logging 72-2
See security contexts
MUS
configuring 65-63
N
NAT 26-21
about 26-1, 29-1
about (8.2 and earlier) 29-1
bidirectional initiation 26-2
bypassing NAT (8.2 and earlier) 29-10
disabling proxy ARP for global addresses 18-11
DNS 26-21
DNS (8.2 and earlier) 29-13
dynamic NAT
about 26-8
about (8.2 and earlier) 29-6
configuring (8.2 and earlier) 29-22
implementation (8.2 and earlier) 29-16
network object NAT 27-3
twice NAT 28-3
dynamic PAT
about 26-10
network object NAT 27-7
twice NAT 28-7
exemption (8.2 and earlier) 29-10
identity NAT
about 26-11
about (8.2 and earlier) 29-10
network object NAT 27-14
twice NAT 28-15
implementation 26-15
interfaces 26-20
mapped address guidelines 26-20
network object NAT
about 26-16
comparison with twice NAT 26-15
configuring 27-1
dynamic NAT 27-3
dynamic PAT 27-7
examples 27-17
guidelines 27-2
identity NAT 27-14
prerequisites 27-2
static NAT 27-11
PAT
about (8.2 and earlier) 29-8
configuring (8.2 and earlier) 29-22
implementation (8.2 and earlier) 29-16
policy NAT, about (8.2 and earlier) 29-10
routed mode 26-13
RPC not supported with 40-3
rule order 26-19
rule order (8.2 and earlier) 29-13
same security level (8.2 and earlier) 29-12
static
many-to-few mapping 26-7
static NAT
about 26-3
about (8.2 and earlier) 29-8
configuring (8.2 and earlier) 29-27
few-to-many mapping 26-7
many-to-few mapping 26-6
network object NAT 27-11
one-to-many 26-6
twice NAT 28-11
static NAT with port translation
about 26-3
static PAT
about (8.2 and earlier) 29-9
terminology 26-2
transparent mode 26-13
transparent mode (8.2 and earlier) 29-3
twice NAT
about 26-16
comparison with network object NAT 26-15
configuring 28-1
dynamic NAT 28-3
dynamic PAT 28-7
examples 28-19
guidelines 28-2
identity NAT 28-15
prerequisites 28-2
static NAT 28-11
types 26-2
types (8.2 and earlier) 29-6
VPN client rules 26-19
NetBIOS server
tab 65-71
NetFlow
overview 73-1
NetFlow event
matching to configured collectors 73-5
Netscape CMS, CA server support 36-5
Network Activity test 58-15
Network Admission Control
uses, requirements, and limitations 64-27
network object NAT
about 26-16
comparison with twice NAT 26-15
configuring 27-1
dynamic NAT 27-3
dynamic PAT 27-7
examples 27-17
guidelines 27-2
identity NAT 27-14
prerequisites 27-2
static NAT 27-11
New Authentication Server Group panel, VPN wizard 63-11
NSEL and syslog messages
redundant messages 73-2
NSEL feature history 73-8
NSEL licensing requirements 73-3
NTLM support 32-6
NT server
configuring 32-8
support 32-6
O
object NAT
See network object NAT
open ports A-14
Options menu 3-5
OSPF
area parameters 21-12
authentication support 21-2
configuring authentication 21-9
defining a static neighbor 21-14, 21-15
defining interface properties 21-10
interaction with NAT 21-2
interface parameters 21-9
interface properties 21-9, 21-10
link-state advertisement 21-2
logging neighbor states 21-16
LSAs 21-2
monitoring 21-20
NSSA 21-13
processes 21-2
redistributing routes 21-5
route calculation timers 21-15
route map 20-1
route summarization 21-8
OSPF parameters
dead interval 21-11
hello interval 21-11
retransmit interval 21-11
transmit delay 21-11
outbound access lists 31-3
Outlook Web Access (OWA) and Clientless SSL VPN 67-7
output destination 72-5
output destinations 72-1, 72-7
e-mail address 72-1, 72-7
SNMP management station 72-1, 72-7
syslog server 72-7
Telnet or SSH session 72-1, 72-7
outside, definition 1-15
oversubscribing resources 6-8
P
packet
classifier 6-3
packet flow
routed firewall 5-14
transparent firewall 5-20
packet trace, enabling 77-7
parameter problem, ICMP message A-15
password
Clientless SSL VPN 67-1
PAT
See dynamic PAT
pause frames for flow control 8-9
PDP context, GTP application inspection 41-10
phone proxy
access lists 44-7
ASA role 42-3
Cisco IP Communicator 44-9
Cisco UCM supported versions 44-3
IP phone addressing 44-8
IP phone provisioning 44-11
IP phones supported 44-3
Linksys routers, configuring 44-20
NAT and PAT requirements 44-8
ports 44-7
rate limiting 44-10
TLS Proxy on ASA, described 42-3
PIM
shortest path tree settings 24-13
ping
See ICMP
using 77-3
ping of death attack 53-9
PoE 8-4
policing
flow within a tunnel 50-10
policy, QoS 50-1
policy map
Layer 3/4
about 30-1
feature directionality 30-3
flows 30-5
policy NAT, about (8.2 and earlier) 29-10
Port Forwarding
configuring client applications 67-6
port-forwarding
enabling 8-21
port forwarding entry 68-22
ports
open on device A-14
phone proxy 44-7
TCP and UDP A-11
port translation, about 26-3
posture validation
uses, requirements, and limitations 64-27
Posture Validation Exception, add/edit 64-30
power over Ethernet 8-4
PPP tab, tunnel-group 65-95
prerequisites for use
CSC SSM 56-5, 57-2
presence_proxy_remotecert 43-9
primary unit, failover 60-2
printing
graphs 8-38
priority queueing
hierarchical policy with traffic shaping 50-11
IPSec anti-replay window size 64-11
private networks A-2
Process Instances tab
description 21-4
Product Authorization Key 4-24
Properties tab 21-10
description 21-10
fields 21-10
Protocol Group, add 65-22
protocol numbers and literal values A-11
Protocol panel (PIM)
description 24-11
proxied RPC request attack 53-10
proxy ARP
NAT 26-21
proxy ARP, disabling 18-11
proxy bypass 68-28
proxy servers
SIP and 39-24
public key cryptography 36-2
Q
QoS
about 50-1, 50-3
DiffServ preservation 50-5
DSCP preservation 50-5
feature interaction 50-4
policies 50-1
priority queueing
hierarchical policy with traffic shaping 50-11
IPSec anti-replay window 50-11
IPSec anti-replay window size 64-11
token bucket 50-2
traffic shaping
overview 50-4
Quality of Service
See QoS
queue, logging
changing the size of 72-18
queue, QoS
latency, reducing 50-8
limit 50-2, 50-3
R
RADIUS
attributes B-30
Cisco AV pair B-13
configuring a AAA server B-30
configuring a server 32-8
downloadable access lists 34-11
network access authentication 34-4
network access authorization 34-10
support 32-4
rate limit 72-20
rate limiting 50-3
rate limiting, phone proxy 44-10
RealPlayer 39-19
recurring time range, add or edit 65-14
redirect, ICMP message A-15
redundant interfaces
configuring 8-11
failover 8-12
MAC address 8-12
setting the active interface 8-13
Registration Authority description 36-3
regular expression 13-10
Remote Access Client panel, VPN wizard 63-8
Remote Site Peer panel, VPN wizard 63-4
Request Filter panel
description 24-12
reset
inbound connections 53-3
outside connections 53-3
Reset button 3-12
resource management
about 6-8
class 6-15
configuring 6-8
default class 6-9
oversubscribing 6-8
resource types 6-15
unlimited 6-9
restoring backups 76-16
revoked certificates 36-3
rewrite, disabling 68-17
RFCs for SNMP 74-12
RIP
authentication 22-1
definition of 22-1
enabling 22-4
support for 22-1
RIP panel
limitations 22-3
RIP Version 2 Notes 22-3
RNFR command, denied request 38-22
RNTO command, denied request 38-22
routed mode
about 5-1
NAT 26-13
setting 5-1
route maps
uses 20-1
router
advertisement, ICMP message A-15
solicitation, ICMP message A-15
routes
about default 19-6
configuring default routes 19-6
configuring IPv6 default 19-7
configuring IPv6 static 19-7
configuring static routes 19-3
Route Summarization tab
description 21-4
Route Tree panel 24-13
description 24-13
routing
other protocols 31-5
RSA
KEON, CA server support 36-5
RTSP inspection
about 39-19
configuring 39-19
rules
ICMP 33-9
S
same security level communication
enabling 8-31
NAT (8.2 and earlier) 29-12
SCCP (Skinny) inspection
about 39-37
configuration 39-37
configuring 39-36
SDI
configuring 32-8
support 32-5
secondary unit, failover 60-2
Secure Computing SmartFilter filtering server 35-3
Secure Copy
configure server 33-6
security, WebVPN 68-1
security appliance
managing licenses 4-1
security contexts
about 6-1
adding 6-17
admin context
about 6-2
cascading 6-6
classifier 6-3
command authorization 33-15
logging in 6-7
MAC addresses
automatically assigning 6-19
classifying using 6-3
managing 6-1
monitoring 6-20
multiple mode, enabling 6-14
nesting or cascading 6-7
resource management 6-8
unsupported features 6-12
security level
about 8-5
security models for SNMP 74-3
segment size
maximum and minimum 53-3
sending messages to an e-mail address 72-12
sending messages to a specified output destination 72-19
sending messages to a syslog server 72-7
sending messages to a Telnet or SSH session 72-15
sending messages to the console port 72-15
sending messages to the internal log buffer 72-11
Server and URL List
add/edit 65-42
Server or URL
dialog box 65-42
session management path 1-19
severity levels, of system log messages
changing 72-1
filtering by 72-1
list of 72-3
severity levels, of system messages
definition 72-3
shared license
backup server, information 4-17
client, configuring 4-28
communication issues 4-17
failover 4-18
maximum clients 4-19
monitoring 4-28
server, configuring 4-27
SSL messages 4-17
shun
duration 52-10
signatures
attack and informational 53-6
single mode
backing up configuration 6-14
configuration 6-14
enabling 6-14
restoring 6-14
SIP inspection
about 39-24
configuring 39-23
instant messaging 39-24
SITE command, denied request 38-22
SMTP inspection 38-51
SNMP
about 74-1
application inspection
viewing 41-17
failover 74-5
management station 72-1, 72-7
prerequisites 74-5
SNMP configuration 74-6
SNMP groups 74-4
SNMP hosts 74-4
SNMP management station
adding 74-6
SNMP monitoring 74-10, 74-11, 75-5
SNMP terminology 74-2
SNMP traps 74-2
SNMP users 74-4
SNMP Version 3 74-3, 74-9
SNMP Versions 1 and 2c 74-9
software
version 3-23
source address, browse 65-19
source port, browse 65-19
source quench, ICMP message A-15
SPAN 8-4
Spanning Tree Protocol, unsupported 8-18
specifying traffic for CSC scanning 57-11
speed, configuring 8-8
SSCs
management access 54-2
management defaults 54-4
management interface 54-4
password reset 54-6
routing 54-3
supported applications 54-2
SSH
concurrent connections 33-2
login 33-3
username 33-3
SSMs
management access 54-2
management defaults 54-4
password reset 54-6
routing 54-3
supported applications 54-2
Standard Access List Rule, add/edit 65-36
Standard ACL tab 15-1, 65-15
Startup Wizard
accessing 7-1
licensing requirements 7-1, 43-3
requirements for setup 7-2
statd buffer overflow attack 53-11
Stateful Failover
about 58-10
enabling 60-7
settings 61-11
state information 58-10
state link 58-4
stateful inspection 1-18
bypassing 49-3
state information 58-10
state link 58-4
static ARP entry 5-9
static bridge entry 5-13
Static Group panel
description 24-7
static NAT
about 26-3
few-to-many mapping 26-7
many-to-few mapping 26-6, 26-7
network object NAT 27-11
twice NAT 28-11
static NAT with port translation, about 26-3
static PAT
See PAT
static routes
configuring 19-3
deleting 19-6
status bar 3-11
stealth firewall
See transparent firewall
STOU command, denied request 38-22
stuck-in-active 23-2
subinterface
adding 8-15
subinterfaces, adding 8-14
subnet masks
/bits A-3
about A-2
address range A-4
determining A-3
dotted decimal A-3
number of hosts A-3
subordinate certificate 36-1
Summary Address panel
description 21-7
Summary panel, VPN wizard 63-14
Sun Microsystems Java™ Runtime Environment (JRE) and Clientless SSL VPN 67-6
Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 68-23
Sun RPC inspection
about 40-3
configuring 40-3
switch MAC address table 5-11
switch ports
access ports 8-18
SPAN 8-4
trunk ports 8-19
syslogd server program 72-5
syslog message filtering
using log viewers 72-22
syslog messages
analyzing 72-2
syslog messaging for SNMP 74-11
syslog server
as output destination
designating more than one 72-5
EMBLEM format
configuring 72-17
system configuration 6-2
system log messages 72-4
classes of 72-4
configuring in groups
by message list 72-5
by severity level 72-1
device ID, including 72-19
disabling logging of 72-1
filtering by message class 72-4
output destinations 72-1, 72-7
syslog message server 72-7
Telnet or SSH session 72-7
severity levels
about 72-3
changing the severity level of a message 72-1
timestamp, including 72-20
T
TACACS+
command authorization, configuring 33-19
configuring a server 32-8
network access authorization 34-9
support 32-5
tail drop 50-3
TCP
connection limits per context 6-15
maximum segment size 53-3
ports and literal values A-11
TIME_WAIT state 53-4
TCP FIN only flags attack 53-10
TCP Intercept
statistics 52-6
TCP normalization 49-3
TCP NULL flags attack 53-9
TCP Service Group, add 65-20
TCP state bypass
AAA 49-5
configuring 49-8
failover 49-5
firewall mode 49-5
inspection 49-5
multiple context mode 49-5
NAT 49-5
SSMs and SSCs 49-5
TCP Intercept 49-5
TCP normalization 49-5
unsupported features 49-5
TCP SYN+FIN flags attack 53-9
Telnet
allowing management access 33-1
concurrent connections 33-2
temporary license 4-13
testing configuration 77-1
threat detection
basic
drop types 52-2
enabling 52-4
overview 52-2
rate intervals 52-2
statistics, viewing 52-4
system performance 52-2
scanning
enabling 52-10
host database 52-9
overview 52-8
shunning attackers 52-10
system performance 52-9
scanning statistics
enabling 52-5
system performance 3-20, 52-5
viewing 52-7
shun
duration 52-10
TIME_WAIT state 53-4
time exceeded, ICMP message A-15
time range
add or edit 65-14
browse 65-13
recurring 65-14
timestamp, including in system log messages 72-20
timestamp reply, ICMP message A-15
timestamp request, ICMP message A-15
TLS Proxy
applications supported by ASA 42-3
Cisco Unified Presence architecture 47-1
configuring for Cisco Unified Presence 47-8
licenses 42-4, 45-3, 46-6, 47-7, 48-8
token bucket 50-2
Tools menu 3-6
traceroute, enabling 3-7, 77-6
traffic flow
routed firewall 5-14
transparent firewall 5-20
traffic shaping
overview 50-4
transmit queue ring limit 50-2, 50-3
transparent firewall
about 5-2
ARP inspection
about 5-8
enabling 5-10
static entry 5-9
data flow 5-20
DHCP packets, allowing 31-5
guidelines 5-5
H.323 guidelines 5-3
HSRP 5-3
MAC learning, disabling 5-13
Management 0/0 IP address 8-22
management IP address 9-14
multicast traffic 5-3
packet handling 31-5
static bridge entry 5-13
unsupported features 5-6
VRRP 5-3
transparent mode
NAT 26-13
NAT (8.2 and earlier) 29-3
trunk, 802.1Q 8-14
trunk ports 8-19
Trusted Flow Acceleration
failover 7-2, 56-6, 57-3
modes 5-5, 5-9, 5-12, 7-2, 19-2, 20-3, 21-3, 22-3, 23-2, 24-3, 25-18, 31-7, 56-6, 57-3, 59-2, 61-7
trustpoint 36-4
trust relationship
Cisco Unified Mobility 46-5
Cisco Unified Presence 47-4
Tunneled Management 65-109
tunnel gateway, default 65-4
twice NAT
about 26-16
comparison with network object NAT 26-15
configuring 28-1
dynamic NAT 28-3
dynamic PAT 28-7
examples 28-19
guidelines 28-2
identity NAT 28-15
prerequisites 28-2
static NAT 28-11
tx-ring-limit 50-2, 50-3
U
UDP
bomb attack 53-10
chargen DoS attack 53-10
connection limits per context 6-15
connection state information 1-19
ports and literal values A-11
snork attack 53-10
unreachable, ICMP message A-15
unreachable messages
required for MTU discovery 33-9
URL
filtering
configuring 35-9
URLs
filtering 35-1
filtering, about 35-2
User Accounts panel, VPN wizard 63-11
username
Clientless SSL VPN 67-1
Xauth for Easy VPN client 65-108
users
SNMP 74-4
V
VeriSign, configuring CAs example 36-6
version
IPS software 3-23
View/Config Banner 65-34
virtual firewalls
See security contexts
virtual HTTP 34-3
Virtual Link
description 21-17
virtual MAC address
defining for Active/Active failover 61-15
virtual MAC addresses
about 60-11, 61-15
defaults for Active/Active failover 61-15
defining for Active/Standby failover 61-16
virtual private network
overview 63-2
virtual reassembly 1-16
virtual sensors 55-6
VLANs 8-14
802.1Q trunk 8-14
ASA 5505
MAC addresses 8-4
maximum 8-2
subinterfaces 8-14
VoIP
proxy servers 39-24
VPN
address range, subnets A-4
overview 63-1, 63-2
system options 65-104
VPN client
NAT rules 26-19
VPN Client, IPsec attributes 64-9
VPN flex license 4-13
VPN Tunnel Type panel, VPN wizard 63-3
VPN wizard 63-2
Address Pool panel 63-12
Address Translation Exemption panel 63-13
Attributes Pushed to Client panel 63-13
Client Authentication panel 63-10
IKE Policy panel 63-5
IPSec Encryption and Authentication panel 63-6
Remote Access Client panel 63-8
Remote Site Peer panel 63-4
Summary panel 63-14
User Accounts panel 63-11
VPN Tunnel Type panel 63-3
VPN wizard
Local Hosts and Networks panel 63-7
New Authentication Server Group panel 63-11
VRRP 5-3
W
WCCP 12-1
web browsing with Clientless SSL VPN 67-4
web caching 12-1
web clients, secure authentication 34-5
Websense filtering server 35-3
WebVPN
CA certificate validation not done 68-1
security precautions 68-1
use suggestions 67-2
Window menu 3-9
Wizards menu 3-8
X
Xauth, Easy VPN client 65-108
XOFF frames 8-9
Z
Zone Labs Integrity Server 65-105