Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
Index

Symbols

/bits subnet masks B-3

?

command string A-4

help A-4

Numerics

Configuration Example for SNMP Versions 1 and 2c 74-15

Configuring NSEL Collectors 73-4

Generating Syslog Messages in EMBLEM Format to a Syslog Server 72-14

4GE SSM

connector types 6-8

fiber 6-8

SFP 6-8

support 1-1

802.1Q tagging 6-20

802.1Q trunk 6-14

A

AAA

about 33-1

accounting 35-14

addressing, configuring 64-2

authentication

CLI access 34-11

network access 35-1

privileged EXEC mode 34-12

authorization

command 34-14

downloadable access lists 35-10

network access 35-8

local database support 33-7

performance 35-1

server 72-4

types 33-3

support summary 33-3

web clients 35-5

abbreviating commands A-3

ABR

definition of 22-2

Access Control Server 66-2, 66-5, 66-8

Access Group panel

description 25-7

access hours, username attribute 63-83

accessing the security appliance using SSL 70-4

accessing the security appliance using TLS1 70-4

access list filter, username attribute 63-85

access lists

about 12-1

ACE logging, configuring 18-1

deny flows, managing 18-5

downloadable 35-10

exemptions from posture validation 66-7

global access rules 32-4

group policy WebVPN filter 63-75

implicit deny 12-3

inbound 32-2

IP address guidelines 12-3

IPsec 60-21

IPv6

about 17-1

configuring 17-4

default settings 17-3

logging 18-1

NAT guidelines 12-3

Network Admission Control, default 66-6

object groups 11-2

outbound 32-2

phone proxy 44-7

remarks 13-5

scheduling activation 11-16

types 12-1

username for Clientless SSL VPN 63-91

access ports 6-17

ACEs

See access lists

activation key

entering 3-30

location 3-23

obtaining 3-29

Active/Active failover

about 58-1

actions 58-5

command replication 58-3

configuration synchronization 58-3

configuring

asymmetric routing support 58-19

failover criteria 58-17

failover group preemption 58-14

HTTP replication 58-15

interface monitoring 58-15

virtual MAC addresses 58-17

device initialization 58-3

duplicate MAC addresses, avoiding 58-2, 58-18

optional settings

about 58-6

configuring 58-13

primary status 58-2

secondary status 58-2

triggers 58-5

Active/Standby failover

about 59-1

actions 59-4

command replication 59-3

configuration synchronization 59-2

device initialization 59-2

primary unit 59-2

secondary unit 59-2

triggers 59-4

Active Directory, settings for password management 63-29

Active Directory procedures C-16 to ??

ActiveX filtering 36-2

Adaptive Security Algorithm 1-13

Add/Edit Access Group dialog box

description 25-7

Add/Edit IGMP Join Group dialog box

description 25-6

Add/Edit OSPF Neighbor Entry dialog box 22-12

admin context

about 5-2

changing 5-24

administrative access

using ICMP for 34-9

administrative distance 20-3, 20-5

Advanced Encryption Standard (AES) 60-4

AIP

See IPS module

AIP SSC

checking status 54-11

loading an image 54-8

setup command 55-6

AIP SSM

about 55-1

checking status 54-11

loading an image 54-8

port-forwarding

enabling 6-24

setup command 55-6

support 1-1

alternate address, ICMP message B-15

analyzing syslog messages 72-2

Application Access Panel, WebVPN 70-65

application access using Clientless SSL VPN

group policy attribute for Clientless SSL VPN 63-76

username attribute for Clientless SSL VPN 63-92

application access using WebVPN

and e-mail proxy 70-87

and hosts file errors 70-51

and Web Access 70-87

configuring client applications 70-86

enabling cookies on browser 70-86, 70-87

privileges 70-86

quitting properly 70-52

setting up on client 70-86

using e-mail 70-87

with IMAP client 70-87

application inspection

about 38-1

applying 38-6

configuring 38-6

inspection class map 31-5

inspection policy map 31-2

security level requirements 6-5

special actions 31-1

Application Profile Customization Framework 70-61

area border router 22-2

ARP

NAT 27-21

ARP inspection

about 4-8

enabling 4-11

static entry 4-10

ARP spoofing 4-9

ARP test, failover 57-16

ASA (Adaptive Security Algorithm) 1-13

ASA 5505

Base license 6-2

client

authentication 67-12

configuration restrictions, table 67-2

device pass-through 67-8

group policy attributes pushed to 67-10

mode 67-3

remote management 67-9

split tunneling 67-8

TCP 67-4

trustpoint 67-7

tunnel group 67-7

tunneling 67-5

Xauth 67-4

interfaces, about 6-1

MAC addresses 6-4

maximum VLANs 6-2

native VLAN support 6-20

non-forwarding interface 6-17

power over Ethernet 6-4

protected switch ports 6-18

Security Plus license 6-2

server (headend) 67-1

SPAN 6-5

Spanning Tree Protocol, unsupported 6-17

ASA 5550 throughput 6-24

ASBR

definition of 22-2

ASDM software

allowing access 34-5

installing 76-3

ASR 58-19

asymmetric routing

TCP state bypass 49-4

asymmetric routing support 58-19

attacks

DNS HINFO request 53-7

DNS request for all records 53-7

DNS zone transfer 53-7

DNS zone transfer from high port 53-7

fragmented ICMP traffic 53-6

IP fragment 53-4

IP impossible packet 53-4

large ICMP traffic 53-6

ping of death 53-6

proxied RPC request 53-7

statd buffer overflow 53-8

TCP FIN only flags 53-7

TCP NULL flags 53-6

TCP SYN+FIN flags 53-6

UDP bomb 53-7

UDP chargen DoS 53-7

UDP snork 53-7

attributes

RADIUS C-30

username 63-83

attribute-value pairs

TACACS+ C-39

attribute-value pairs (AVP) 63-38

authentication

about 33-2

ASA 5505 as Easy VPN client 67-12

CLI access 34-11

FTP 35-3

HTTP 35-2

network access 35-1

privileged EXEC mode 34-12

restrictions, WebVPN 70-7

Telnet 35-2

web clients 35-5

WebVPN users with digital certificates 70-22, 70-23

authorization

about 33-2

command 34-14

downloadable access lists 35-10

network access 35-8

Auto-MDI/MDIX 6-5

auto-signon

group policy attribute for Clientless SSL VPN 63-74

username attribute for Clientless SSL VPN 63-93

Auto-Update, configuring 76-17

B

backup server attributes, group policy 63-57

Baltimore Technologies, CA server support 37-5

banner message, group policy 63-49

basic threat detection

See threat detection

bits subnet masks B-3

Black Ice firewall 63-68

Botnet Traffic Filter

actions 51-2

address categories 51-2

blacklist

adding entries 51-8

description 51-2

blocking traffic manually 51-14

classifying traffic 51-11

configuring 51-6

databases 51-2

default settings 51-6

DNS Reverse Lookup Cache

information about 51-3

maximum entries 51-4

using with dynamic database 51-9

DNS snooping 51-9

dropping traffic 51-12

graylist 51-12

dynamic database

enabling use of 51-7

files 51-3

information about 51-2

searching 51-15

updates 51-7

examples 51-18

feature history 51-21

graylist

description 51-2

dropping traffic 51-12

guidelines and limitations 51-5

information about 51-1

licensing 51-5

monitoring 51-16

static database

adding entries 51-8

information about 51-3

syslog messages 51-16

task flow 51-6

threat level

dropping traffic 51-12

whitelist

adding entries 51-8

description 51-2

working overview 51-4

bridge

entry timeout 4-14

table, See MAC address table

broadcast Ping test 57-16

building blocks 11-1

bypass authentication 67-8

bypassing firewall checks 49-3

C

CA

certificate validation, not done in WebVPN 70-2

CRs and 37-2

public key cryptography 37-2

revoked certificates 37-2

supported servers 37-5

caching 70-59

capturing packets 77-11

cascading access lists 60-16

certificate

authentication, e-mail proxy 70-58

Cisco Unified Mobility 46-5

Cisco Unified Presence 47-4

enrollment protocol 37-10

group matching

configuring 60-10

rule and policy, creating 60-11

Certificate Revocation Lists

See CRLs

certificates

phone proxy 44-15

required by phone proxy 44-17

change query interval 25-8

change query response time 25-8

change query timeout value 25-8

changing between contexts 5-23

changing the severity level 72-18

Cisco-AV-Pair LDAP attributes C-13

Cisco Integrated Firewall 63-67

Cisco IOS CS CA

server support 37-5

Cisco IP Communicator 44-10

Cisco IP Phones

DHCP 8-6

Cisco IP Phones, application inspection 40-26

Cisco Security Agent 63-67

Cisco Trust Agent 66-8

Cisco UMA. See Cisco Unified Mobility.

Cisco Unified Mobility

architecture 46-2

ASA role 43-2, 43-3

certificate 46-5

functionality 46-1

NAT and PAT requirements 46-3, 46-4

trust relationship 46-5

Cisco Unified Presence

ASA role 43-2, 43-3

configuring the TLS Proxy 47-8

debugging the TLS Proxy 47-14

NAT and PAT requirements 47-2

sample configuration 47-14

trust relationship 47-4

Cisco UP. See Cisco Unified Presence.

Class A, B, and C addresses B-1

class-default class map 30-9

classes, logging

filtering messages by 72-15

message class variables 72-4

types 72-4

classes, resource

See resource management

class map

inspection 31-5

Layer 3/4

management traffic 30-15

match commands 30-12

through traffic 30-12

regular expression 11-15

CLI

abbreviating commands A-3

adding comments A-7

command line editing A-3

command output paging A-6

displaying A-6

help A-4

paging A-6

syntax formatting A-3

client

VPN 3002 hardware, forcing client update 62-4

Windows, client update notification 62-4

client access rules, group policy 63-69

client firewall, group policy 63-64

clientless authentication 66-8

Clientless SSL VPN

configuring for specific users 63-87

client mode 67-3

client update, performing 62-4

cluster

configuring device attributes 62-12

IP address, load balancing 62-6

load balancing configurations 62-9

mixed scenarios 62-10

virtual 62-6

command authorization

about 34-14

configuring 34-14

multiple contexts 34-16

command prompts A-2

comments

configuration A-7

compiling syslog MIB files 74-7

configuration

clearing 2-9

comments A-7

factory default

commands 2-1

restoring 2-2

saving 2-6

text file 2-9

URL for a context 5-21

viewing 2-8

configuration examples

CSC SSM 56-13

logging 72-20

configuration examples for SNMP 74-15

configuration mode

accessing 2-5

prompt A-2

connection blocking 53-2

connection limits

configuring 49-1

per context 5-15

connect time, maximum, username attribute 63-85

console port logging 72-11

content transformation, WebVPN 70-59

contexts

See security contexts

conversion error, ICMP message B-16

cookies, enabling for WebVPN 70-7

copying files using copy smb

command 76-2

Coredump 77-12

CRACK protocol 60-29

crash dump 77-12

creating a custom event list 72-13

crypto map

access lists 60-21

applying to interfaces 60-21, 69-8

clearing configurations 60-29

creating an entry to use the dynamic crypto map 65-8

definition 60-13

dynamic 60-26

dynamic, creating 65-7

entries 60-13

examples 60-22

policy 60-14

crypto show commands table 60-28

CSC SSM

about 56-1

checking status 54-11

loading an image 54-8

sending traffic to 56-10

support 1-1

what to scan 56-3

CSC SSM feature history 56-15

custom firewall 63-68

customization, Clientless SSL VPN

group policy attribute 63-72

login windows for users 63-29

username attribute 63-89

username attribute for Clientless SSL VPN 63-25

custom messages list

logging output destination 72-5

cut-through proxy 35-1

D

data flow

routed firewall 4-16

transparent firewall 4-22

date and time in messages 72-18

DDNS 9-2

debug messages 77-11

default

class 5-9

DefaultL2Lgroup 63-1

DefaultRAgroup 63-1

domain name, group policy 63-52

group policy 63-1, 63-38

LAN-to-LAN tunnel group 63-18

remote access tunnel group, configuring 63-7

routes, defining equal cost routes 20-4

tunnel group 60-12, 63-2

default configuration

commands 2-1

restoring 2-2

default policy 30-8

default routes

about 20-4

configuring 20-4

delay sending flow-create events

flow-create events

delay sending 73-7

deleting files from Flash 76-2

deny flows, logging 18-5

deny in a crypto map 60-16

deny-message

group policy attribute for Clientless SSL VPN 63-72

username attribute for Clientless SSL VPN 63-90

DES, IKE policy keywords (table) 60-4

device ID, including in messages 72-17

device ID in messages 72-17

device pass-through, ASA 5505 as Easy VPN client 67-8

DfltGrpPolicy 63-39

DHCP

addressing, configuring 64-3

Cisco IP Phones 8-6

options 8-4

relay 8-7

server 8-2, 8-3

transparent firewall 32-5

DHCP Intercept, configuring 63-53

DHCP Relay panel 9-6

DHCP services 7-6

Diffie-Hellman

Group 5 60-5

groups supported 60-5

DiffServ preservation 50-5

digital certificates

authenticating WebVPN users 70-22, 70-23

SSL 70-7

WebVPN authentication restrictions 70-7

directory hierarchy search C-4

disabling content rewrite 70-60

disabling messages 72-18

disabling messages, specific message IDs 72-18

DMZ, definition 1-10

DNS

dynamic 9-2

inspection

about 39-2

managing 39-1

rewrite, about 39-2

rewrite, configuring 39-3

NAT effect on 27-21

server, configuring 7-11, 63-42

DNS HINFO request attack 53-7

DNS request for all records attack 53-7

DNS zone transfer attack 53-7

DNS zone transfer from high port attack 53-7

domain attributes, group policy 63-52

domain name 7-3

dotted decimal subnet masks B-3

downloadable access lists

configuring 35-10

converting netmask expressions 35-14

DSCP preservation 50-5

DUAL 24-2

dual IP stack, configuring 6-6

dual-ISP support 20-6

duplex, configuring 6-8

dynamic crypto map 60-26

creating 65-7

See also crypto map

Dynamic DNS 9-2

dynamic NAT

about 27-8

network object NAT 28-4

twice NAT 29-3

dynamic PAT

configuring (8.2 and earlier) 27-10

network object NAT 28-6

twice NAT 29-8

E

Easy VPN

client

authentication 67-12

configuration restrictions, table 67-2

enabling and disabling 67-1

group policy attributes pushed to 67-10

mode 67-3

remote management 67-9

trustpoint 67-7

tunnels 67-9

Xauth 67-4

server (headend) 67-1

Easy VPN client

ASA 5505

device pass-through 67-8

split tunneling 67-8

TCP 67-4

tunnel group 67-7

tunneling 67-5

echo reply, ICMP message B-15

editing command lines A-3

egress VLAN for VPN sessions 63-45

EIGRP 32-5

DUAL algorithm 24-2

hello interval 24-14

hello packets 24-1

hold time 24-2, 24-14

neighbor discovery 24-1

stub routing 24-4

stuck-in-active 24-2

e-mail

configuring for WebVPN 70-57

proxies, WebVPN 70-57

proxy, certificate authentication 70-58

WebVPN, configuring 70-57

enable command 2-5

enabling logging 72-6

enabling secure logging 72-16

end-user interface, WebVPN, defining 70-64

Enterprises 8-6

Entrust, CA server support 37-5

established command, security level requirements 6-6

Ethernet

Auto-MDI/MDIX 6-5

duplex 6-8

jumbo frames, ASA 5580 6-31

speed 6-8

EtherType access list

compatibility with extended access lists 32-2

evaluation license 3-13

exporting NetFlow records 73-4

external group policy, configuring 63-41

F

facility, syslog 72-9

factory default configuration

commands 2-1

restoring 2-2

failover

about 57-1

Active/Active, See Active/Active failover

Active/Standby, See Active/Standby failover

configuration file

terminal messages, Active/Active 58-3

terminal messages, Active/Standby 59-2

contexts 59-2

debug messages 57-17

disabling 58-25, 59-16

Ethernet failover cable 57-3

failover link 57-3

forcing 58-25, 59-16

health monitoring 57-15

interface health 57-15

interface monitoring 57-15

interface tests 57-15

link communications 57-3

MAC addresses

about 59-2

automatically assigning 5-11

monitoring, health 57-15

network tests 57-15

primary unit 59-2

redundant interfaces 6-12

restoring a failed group 58-25, 59-16

restoring a failed unit 58-25, 59-16

secondary unit 59-2

SNMP syslog traps 57-17

Stateful Failover, See Stateful Failover

state link 57-4

system log messages 57-17

system requirements 57-2

testing 58-25, 59-17

Trusted Flow Acceleration 56-6, 61-4, 71-3, 74-5

type selection 57-9

unit health 57-15

fast path 1-13

fiber interfaces 6-8

Fibre Channel interfaces

default settings 14-2, 15-2, 16-2, 32-7, 56-6

filter (access list)

group policy attribute for Clientless SSL VPN 63-75

username attribute for Clientless SSL VPN 63-91

filtering

ActiveX 36-2

FTP 36-13

Java applet 36-4

Java applets 36-4

security level requirements 6-5

servers supported 36-6

show command output A-4

URLs 36-1, 36-7

filtering messages 72-4

firewall

Black Ice 63-68

Cisco Integrated 63-67

Cisco Security Agent 63-67

custom 63-68

Network Ice 63-68

none 63-67

Sygate personal 63-68

Zone Labs 63-68

firewall mode

about 4-1

configuring 4-1

firewall policy, group policy 63-64

Flash memory

removing files 76-2

flash memory available for logs 72-14

flow control for 10 Gigabit Ethernet 6-9

flow-export actions 73-4

format of messages 72-3

fragmentation policy, IPsec 60-9

fragmented ICMP traffic attack 53-6

fragment protection 1-11

fragment size 53-2

FTP inspection

about 39-11

configuring 39-11

G

general attributes, tunnel group 63-3

general parameters, tunnel group 63-3

general tunnel-group connection parameters 63-3

generating RSA keys 37-9

global e-mail proxy attributes 70-57

global IPsec SA lifetimes, changing 60-23

group-lock, username attribute 63-86

group policy

address pools 63-63

attributes 63-42

backup server attributes 63-57

client access rules 63-69

configuring 63-40

default domain name for tunneled packets 63-52

definition 63-1, 63-38

domain attributes 63-52

Easy VPN client, attributes pushed to ASA 5505 67-10

external, configuring 63-41

firewall policy 63-64

hardware client user idle timeout 63-55

internal, configuring 63-41

IP phone bypass 63-55

IPSec over UDP attributes 63-50

LEAP Bypass 63-56

network extension mode 63-56

security attributes 63-47

split tunneling attributes 63-50

split-tunneling domains 63-52

user authentication 63-54

VPN attributes 63-43

VPN hardware client attributes 63-53

webvpn attributes 63-71

WINS and DNS servers 63-42

group policy, default 63-38

group policy, secure unit authentication 63-54

group policy attributes for Clientless SSL VPN

application access 63-76

auto-signon 63-74

customization 63-72

deny-message 63-72

filter 63-75

home page 63-74

html-content filter 63-73

keep-alive-ignore 63-77

port forward 63-76

port-forward-name 63-77

sso-server 63-78

svc 63-79

url-list 63-75

groups

SNMP 74-4

GTP inspection

about 42-3

configuring 42-3

H

H.225 timeouts 40-9

H.245 troubleshooting 40-10

H.323

transparent firewall guidelines 4-3

H.323 inspection

about 40-4

configuring 40-3

limitations 40-6

troubleshooting 40-10

hairpinning 60-21

hardware client, group policy attributes 63-53

help, command line A-4

high availability

about 57-1

HMAC hashing method 60-3

hold-period 66-11

homepage

group policy attribute for Clientless SSL VPN 63-74

username attribute for Clientless SSL VPN 63-89

host

SNMP 74-4

hostname

configuring 7-2

in banners 7-2

multiple context mode 7-2

hosts, subnet masks for B-3

hosts file

errors 70-51

reconfiguring 70-53

WebVPN 70-52

HSRP 4-3

html-content-filter

group policy attribute for Clientless SSL VPN 63-73

username attribute for Clientless SSL VPN 63-88

HTTP

filtering 36-1

HTTP(S)

authentication 34-11

filtering 36-7

HTTP/HTTPS Web VPN proxy, setting 70-7

HTTP compression, Clientless SSL VPN, enabling 63-78, 63-94

HTTP inspection

about 39-18

configuring 39-18

HTTP redirection for login, Easy VPN client on the ASA 5505 67-12

HTTPS/Telnet/SSH

allowing network or host access to ASDM 34-1

HTTPS for WebVPN sessions 70-4, 70-5

hub-and-spoke VPN scenario 60-21

I

ICMP

rules for access to ASDM 34-9

testing connectivity 77-1

type numbers B-15

identity NAT

about 27-11

network object NAT 28-10

twice NAT 29-17

idle timeout

hardware client user, group policy 63-55

username attribute 63-84

ID method for ISAKMP peers, determining 60-7

IKE

benefits 60-3

creating policies 60-5

keepalive setting, tunnel group 63-4

pre-shared key, Easy VPN client on the ASA 5505 67-7

See also ISAKMP

ILS inspection 41-1

IM 40-20

implementing SNMP 74-4

inbound access lists 32-2

Individual user authentication 67-12

information reply, ICMP message B-16

information request, ICMP message B-16

inheritance

tunnel group 63-1

username attribute 63-83

inside, definition 1-10

inspection_default class-map 30-9

inspection engines

See application inspection

Instant Messaging inspection 40-20

intercept DHCP, configuring 63-53

interfaces

ASA 5505

about 6-1

enabled status 6-17

MAC addresses 6-4

maximum VLANs 6-2

non-forwarding 6-17

protected switch ports 6-18

switch port configuration 6-17

trunk ports 6-20

ASA 5550 throughput 6-24

configuring for remote access 65-3

default settings 14-2, 15-2, 16-2, 32-7, 56-6

duplex 6-8

enabling 6-11

failover monitoring 57-15

fiber 6-8

IDs 6-10

IP address 6-25

MAC addresses

automatically assigning 5-22

manually assigning to interfaces 6-27

mapped name 5-19, 5-20

naming, physical and subinterface 6-25

redundant 6-11

SFP 6-8

speed 6-8

subinterfaces 6-14

inter-interface traffic, permitting 62-2

internal group policy, configuring 63-41

Internet Security Association and Key Management Protocol

See ISAKMP

intra-interface traffic, permitting 62-2

IP addresses

classes B-1

configuring an assignment method for remote access clients 64-1

configuring for VPNs 64-1

configuring local IP address pools 64-2

interface 6-25

management, transparent firewall 7-12

private B-2

subnet mask B-4

IP fragment attack 53-4

IP impossible packet attack 53-4

IP overlapping fragments attack 53-5

IP phone 67-8

phone proxy provisioning 44-11

IP phone bypass, group policy 63-55

IP phones

addressing requirements for phone proxy 44-9

supported for phone proxy 44-3

IPSec

anti-replay window 50-12

configuring to bypass ACLs 62-1

modes 61-2

over UDP, group policy, configuring attributes 63-50

remote-access tunnel group 63-7

setting maximum active VPN sessions 62-4

IPsec

access list 60-21

basic configuration with static crypto maps 60-24

Cisco VPN Client 60-2

configuring 60-1, 60-12

crypto map entries 60-13

fragmentation policy 60-9

over NAT-T, enabling 60-8

over TCP, enabling 60-9

SA lifetimes, changing 60-23

tunnel 60-13

view configuration commands table 60-28

IPSec parameters, tunnel group 63-4

ipsec-ra, creating an IPSec remote-access tunnel 63-8

IPS module

about 55-1

configuration 55-5

operating modes 55-2

sending traffic to 55-8

traffic flow 55-1

virtual sensors 55-6

IP spoofing, preventing 53-1

IP teardrop attack 53-5

IPv6

commands 19-10

configuring alongside IPv4 6-6

default route 20-5

dual IP stack 6-6

duplicate address detection 6-27

neighbor discovery 26-1

router advertisement messages 26-7

static routes 20-5

IPv6 addresses

anycast B-9

command support for 19-10

format B-5

multicast B-8

prefixes B-10

required B-10

types of B-6

unicast B-6

IPv6 VPN

access, enabling with CLI 63-13

ISAKMP

about 60-3

configuring 60-1, 60-3

determining an ID method for peers 60-7

disabling in aggressive mode 60-7

enabling on the outside interface 60-7, 65-4

keepalive setting, tunnel group 63-4

policies, configuring 60-6

See also IKE

J

Java applet filtering 36-4

Java applets, filtering 36-2

Java object signing 70-60

java-trustpoint 70-60

Join Group panel

description 25-6

jumbo frames, ASA 5580 6-31

K

keep-alive-ignore

group policy attribute for Clientless SSL VPN 63-77

username attribute for Clientless SSL VPN 63-93

Kerberos

support 33-6

L

L2TP description 61-1

LAN-to-LAN tunnel group, configuring 63-18

large ICMP traffic attack 53-6

latency

about 50-1

configuring 50-2, 50-3

reducing 50-8

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

Layer 2 Tunneling Protocol 61-1

Layer 3/4

matching multiple policy maps 30-6

LCS Federation Scenario 47-2

LDAP

AAA support 33-15

application inspection 41-1

attribute mapping 33-18

Cisco-AV-pair C-13

configuring a AAA server C-3 to ??

directory search C-4

example configuration procedures C-16 to ??

hierarchy example C-4

SASL 33-15

server type 33-16

user authentication 33-15

user authorization 33-17

LEAP Bypass, group policy 63-56

licenses

activation key

entering 3-30

location 3-23

obtaining 3-29

ASA 5505 3-3

ASA 5510 3-4

ASA 5520 3-5

ASA 5540 3-6

ASA 5550 3-7

ASA 5580 3-8

Cisco Unified Communications Proxy features 43-4, 45-5, 46-6, 47-7, 48-8

default 3-13

evaluation 3-13

failover 3-22

guidelines 3-22

managing 3-1

preinstalled 3-13

Product Authorization Key 3-29

shared

backup server, configuring 3-33

backup server, information 3-17

client, configuring 3-34

communication issues 3-17

failover 3-18

maximum clients 3-19

monitoring 3-35

overview 3-15

server, configuring 3-32

SSL messages 3-17

temporary 3-13

viewing current 3-24

VPN Flex 3-13

licensing requirements

CSC SSM 56-5

logging 72-5

licensing requirements for SNMP 74-4

link up/down test 57-15

LLQ

See low-latency queue

load balancing

cluster configurations 62-9

concepts 62-6

configuring cluster attributes for each device 62-12

configuring for ASA 7.1(1) 62-11

configuring public and private interfaces 62-11

eligible clients 62-8

eligible platforms 62-8

implementing 62-8

mixed cluster scenarios 62-10

platforms 62-8

prerequisites 62-8

local user database

adding a user 33-9

configuring 33-8

logging in 34-12

support 33-7

lockout recovery 34-27

logging

access lists 18-1

classes

filtering messages by 72-4

types 72-4, 72-15

device-id, including in system log messages 72-17

e-mail

source address 72-10

EMBLEM format 72-14

facility option 72-9

filtering

by message class 72-15

by message list 72-5

by severity level 72-1

logging queue, configuring 72-15

output destinations

console port 72-8, 72-10, 72-11

internal buffer 72-1, 72-6

syslog server 72-8

Telnet or SSH session 72-6

queue

changing the size of 72-15

configuring 72-15

viewing queue statistics 72-19

severity level, changing 72-19

timestamp, including 72-18

logging feature history 72-20

logging queue

configuring 72-15

login

banner, configuring 34-6

console 2-4

enable 2-5

FTP 35-3

global configuration mode 2-5

local user 34-12

password 7-1

simultaneous, username attribute 63-84

SSH 34-4

Telnet 7-1

windows, customizing for users of Clientless SSL VPN sessions 63-29

low-latency queue

applying 50-2, 50-3

M

MAC address

redundant interfaces 6-12

MAC addresses

ASA 5505 6-4

ASA 5505 device pass-through 67-8

automatically assigning 5-22

failover 59-2

manually assigning to interfaces 6-27

security context classification 5-3

MAC address table

about 4-22

built-in-switch 4-12

entry timeout 4-14

MAC learning, disabling 4-14

resource management 5-15

static entry 4-13

MAC learning, disabling 4-14

management interfaces

default settings 14-2, 15-2, 16-2, 32-7, 56-6

management IP address, transparent firewall 7-12

man-in-the-middle attack 4-9

mapped addresses

guidelines 27-20

mapped interface name 5-19, 5-20

mask

reply, ICMP message B-16

request, ICMP message B-16

Master Passphrase 7-6

match commands

inspection class map 31-4

Layer 3/4 class map 30-12

matching, certificate group 60-10

maximum active IPSec VPN sessions, setting 62-4

maximum connect time, username attribute 63-85

maximum object size to ignore, username attribute for Clientless SSL VPN 63-93

maximum sessions, IPSec 62-16

MD5, IKE policy keywords (table) 60-4

media termination address, criteria 44-6

message filtering 72-4

message list

filtering by 72-5

message-of-the-day banner 34-7

messages, logging

classes

about 72-4

list of 72-4

component descriptions 72-3

filtering by message list 72-5

format of 72-3

message list, creating 72-13

severity levels 72-3

message classes 72-4

messages in EMBLEM format 72-14

metacharacters, regular expression 11-13, A-5

MGCP inspection

about 40-11

configuring 40-11

mgmt0 interfaces

default settings 14-2, 15-2, 16-2, 32-7, 56-6

MIBs 74-2

MIBs for SNMP 74-16

Microsoft Access Proxy 47-1

Microsoft Active Directory, settings for password management 63-29

Microsoft Internet Explorer client parameters, configuring 63-58

Microsoft Windows 2000 CA, supported 37-5

mixed cluster scenarios, load balancing 62-10

mixed-mode Cisco UCM cluster, configuring for phone proxy 44-17

MMP inspection 46-1

mobile redirection, ICMP message B-16

mode

context 5-14

firewall 4-1

modular policy framework

configuring flow-export actions for NetFlow 73-5

monitoring

CSC SSM 56-13

failover 57-15

OSPF 22-16

resource management 5-29

SNMP 74-1

monitoring logging 72-19

monitoring NSEL 73-8

monitoring switch traffic, ASA 5505 6-5

More prompt A-6

MPF

default policy 30-8

examples 30-18

feature directionality 30-3

features 30-2

flows 30-6

matching multiple policy maps 30-6

service policy, applying 30-17

See also class map

See also policy map

MPLS

LDP 32-6

router-id 32-6

TDP 32-6

MRoute panel

description 25-4

MSIE client parameters, configuring 63-58

MTU size, Easy VPN client, ASA 5505 67-5

multicast traffic 4-3

multiple context mode

logging 72-2

See security contexts

N

NAC

See Network Admission Control

naming an interface

other models 6-25

NAT 27-21

about 27-1

bidirectional initiation 27-2

disabling proxy ARP for global addresses 19-11

DNS 27-21

dynamic NAT

about 27-8

network object NAT 28-4

twice NAT 29-3

dynamic PAT

about 27-10

network object NAT 28-6

twice NAT 29-8

identity NAT

about 27-11

network object NAT 28-10

twice NAT 29-17

implementation 27-15

interfaces 27-20

mapped address guidelines 27-20

network object NAT

about 27-16

comparison with twice NAT 27-15

configuring 28-1

dynamic NAT 28-4

dynamic PAT 28-6

examples 28-12

guidelines 28-2

identity NAT 28-10

monitoring 28-11

prerequisites 28-2

static NAT 28-8

routed mode 27-13

RPC not supported with 41-3

rule order 27-19

static

many-to-few mapping 27-7

static NAT

about 27-3

few-to-many mapping 27-7

many-to-few mapping 27-6

network object NAT 28-8

one-to-many 27-6

twice NAT 29-12

static NAT with port translation

about 27-3

terminology 27-2

transparent mode 27-13

twice NAT

about 27-16

comparison with network object NAT 27-15

configuring 29-1

dynamic NAT 29-3

dynamic PAT 29-8

examples 29-20

guidelines 29-2

identity NAT 29-17

monitoring 29-20

prerequisites 29-2

static NAT 29-12

types 27-2

VPN client rules 27-19

native VLAN support 6-20

NAT-T

enabling IPsec over NAT-T 60-8

using 60-9

NetFlow

overview 73-1

NetFlow collector

configuring 73-4

NetFlow event

matching to configured collectors 73-5

NetFlow event logging

disabling 73-7

Netscape CMS, CA server support 37-5

Network Activity test 57-15

Network Admission Control

Access Control Server 66-5

ACL, default 66-6

clientless authentication 66-8

configuring 63-60

exemptions 66-7

port 66-10

retransmission retries 66-11

retransmission retry timer 66-10

revalidation timer 66-6

session reinitialization timer 66-11

uses, requirements, and limitations 66-1

network extension mode 67-3

network extension mode, group policy 63-56

Network Ice firewall 63-68

network object NAT

about 27-16

comparison with twice NAT 27-15

configuring 28-1

dynamic NAT 28-4

dynamic PAT 28-6

examples 28-12

guidelines 28-2

identity NAT 28-10

monitoring 28-11

prerequisites 28-2

static NAT 28-8

Nokia VPN Client 60-29

non-secure Cisco UCM cluster, configuring phone proxy 44-15

NSEL and syslog messages

redundant messages 73-2

NSEL configuration examples 73-9

NSEL feature history 73-11

NSEL licensing requirements 73-3

NSEL runtime counters

clearing 73-8

NTLM support 33-6

NT server

support 33-6

O

object groups

about 11-1

configuring 11-6

removing 11-11

object NAT

See network object NAT

open ports B-14

operating systems, posture validation exemptions 66-7

OSPF

area authentication 22-11

area MD5 authentication 22-11

area parameters 22-10

authentication key 22-9

authentication support 22-2

cost 22-9

dead interval 22-9

defining a static neighbor 22-12

interaction with NAT 22-2

interface parameters 22-8

link-state advertisement 22-2

logging neighbor states 22-14

LSAs 22-2

MD5 authentication 22-9

monitoring 22-16

NSSA 22-11

packet pacing 22-16

processes 22-2

redistributing routes 22-4

route calculation timers 22-13

route map 21-1

route summarization 22-7

outbound access lists 32-2

Outlook Web Access (OWA) and WebVPN 70-87

output destination 72-5

output destinations 72-1, 72-6

e-mail address 72-1, 72-6

SNMP management station 72-1, 72-6

syslog server 72-6

Telnet or SSH session 72-1, 72-6

outside, definition 1-10

oversubscribing resources 5-8

P

packet

capture 77-11

classifier 5-3

packet flow

routed firewall 4-16

transparent firewall 4-22

packet trace, enabling 77-6

paging screen displays A-6

parameter problem, ICMP message B-15

password

resetting on SSM hardware module 77-9

password management, Active Directory settings 63-29

passwords

changing 7-2

clientless authentication 66-9

recovery 77-7

security appliance 7-1

username, setting 63-82

WebVPN 70-82

password-storage, username attribute 63-87

PAT

Easy VPN client mode 67-3

See dynamic PAT

pause frames for flow control 6-9

PDA support for WebVPN 70-56

peers

alerting before disconnecting 60-10

ISAKMP, determining ID method 60-7

performance, optimizing for WebVPN 70-59

permit in a crypto map 60-16

phone proxy

access lists 44-7

ASA role 43-3

certificates 44-15

Cisco IP Communicator 44-10

Cisco UCM supported versions 44-3

configuring mixed-mode Cisco UCM cluster 44-17

configuring non-secure Cisco UCM cluster 44-15

event recovery 44-43

IP phone addressing 44-9

IP phone provisioning 44-11

IP phones supported 44-3

Linksys routers, configuring 44-27

NAT and PAT requirements 44-8

ports 44-7

rate limiting 44-10

required certificates 44-17

sample configurations 44-44

SAST keys 44-43

TLS Proxy on ASA, described 43-3

troubleshooting 44-28

ping

See ICMP

ping of death attack 53-6

PKI protocol 37-10

PoE 6-4

policing

flow within a tunnel 50-11

policy, QoS 50-1

policy map

inspection 31-2

Layer 3/4

about 30-1

feature directionality 30-3

flows 30-6

pools, address

DHCP 8-3

port-forward

group policy attribute for Clientless SSL VPN 63-76

username attribute for Clientless SSL VPN 63-92

port forwarding

configuring client applications 70-86

port-forwarding

enabling 6-24

port-forward-name

group policy attribute for Clientless SSL VPN 63-77

username attribute for Clientless SSL VPN 63-93

ports

open on device B-14

phone proxy 44-7

TCP and UDP B-11

port translation, about 27-3

posture validation

exemptions 66-7

port 66-10

revalidation timer 66-6

uses, requirements, and limitations 66-1

power over Ethernet 6-4

PPPoE, configuring 68-1 to 68-5

prerequisites for use

CSC SSM 56-5

pre-shared key, Easy VPN client on the ASA 5505 67-7

primary unit, failover 59-2

printers 67-8

private interface, configuring for load balancing 62-11

private networks B-2

privileged EXEC mode, accessing 2-5

privileged mode

accessing 2-5

prompt A-2

privilege level, username, setting 63-82

Product Authorization Key 3-29

prompts

command A-2

more A-6

protocol numbers and literal values B-11

Protocol panel (PIM)

description 25-10

proxied RPC request attack 53-7

proxy

See e-mail proxy

proxy ARP

NAT 27-21

proxy ARP, disabling 19-11

proxy bypass 70-60

proxy servers

SIP and 40-19

public interface, configuring for load balancing 62-11

public key cryptography 37-2

Q

QoS

about 50-1, 50-3

DiffServ preservation 50-5

DSCP preservation 50-5

feature interaction 50-4

policies 50-1

priority queueing

IPSec anti-replay window 50-12

statistics 50-15

token bucket 50-2

traffic shaping

overview 50-4

viewing statistics 50-15

Quality of Service

See QoS

question mark

command string A-4

help A-4

queue, logging

changing the size of 72-15

viewing statistics 72-19

queue, QoS

latency, reducing 50-8

limit 50-2, 50-3

R

RADIUS

attributes C-30

Cisco AV pair C-13

configuring a AAA server C-30

downloadable access lists 35-10

network access authentication 35-4

network access authorization 35-10

support 33-4

RAS, H.323 troubleshooting 40-10

rate limit 72-19

rate limiting 50-3

rate limiting, phone proxy 44-10

RealPlayer 40-15

reboot, waiting until active sessions end 60-10

redirect, ICMP message B-15

redundancy, in site-to-site VPNs, using crypto maps 60-28

redundant interfaces

configuring 6-11

failover 6-12

MAC address 6-12

setting the active interface 6-14

Registration Authority description 37-2

regular expression 11-12

reloading

context 5-26

security appliance 77-6

remote access

IPSec tunnel group, configuring 63-7

restricting 63-86

tunnel group, configuring default 63-7

VPN, configuring 65-1, 65-10

remote management, ASA 5505 67-9

Request Filter panel

description 25-11

resetting the SSM hardware module password 77-9

resource management

about 5-8

assigning a context 5-22

class 5-15

configuring 5-8

default class 5-9

monitoring 5-29

oversubscribing 5-8

resource types 5-15

unlimited 5-9

resource usage 5-32

retransmission retries, Network Admission Control 66-11

retransmission retry timer, Network Admission Control 66-10

revalidation timer, Network Admission Control 66-6

revoked certificates 37-2

rewrite, disabling 70-60

RFCs for SNMP 74-16

RIP

authentication 23-1

definition of 23-1

enabling 23-4

support for 23-1

RIP panel

limitations 23-3

RIP Version 2 Notes 23-3

routed, single mode VPN 62-1

routed mode

about 4-1

NAT 27-13

setting 4-1

route maps

defining 21-4

uses 21-1

router

advertisement, ICMP message B-15

solicitation, ICMP message B-15

routes

about default 20-4

configuring default routes 20-4

configuring IPv6 default 20-5

configuring IPv6 static 20-5

configuring static routes 20-3

routing

other protocols 32-4

RSA

KEON, CA server support 37-5

keys, generating 34-3, 37-9

RTSP inspection

about 40-15

configuring 40-15

rules

ICMP 34-9

running configuration

copying 76-8

saving 2-6

S

same security level communication

enabling 6-30

SAs, lifetimes 60-23

SAST keys 44-43

SCCP (Skinny) inspection

about 40-26

configuration 40-26

configuring 40-25

SDI

support 33-5

secondary unit, failover 59-2

Secure Socket Layer Protocol 70-2

secure unit authentication 67-12

secure unit authentication, group policy 63-54

security, WebVPN 70-2, 70-9

security, WebVPN 70-2

Security Agent, Cisco 63-67

security appliance

CLI A-1

connecting to 2-4

managing licenses 3-1

managing the configuration 2-5

reloading 77-6

upgrading software 76-3

viewing files in Flash memory 76-1

security association

clearing 60-28

See also SAs

security attributes, group policy 63-47

security contexts

about 5-1

adding 5-17

admin context

about 5-2

changing 5-24

assigning to a resource class 5-22

cascading 5-6

changing between 5-23

classifier 5-3

command authorization 34-16

configuration

URL, changing 5-25

URL, setting 5-21

logging in 5-7

MAC addresses

automatically assigning 5-22

classifying using 5-3

managing 5-1, 5-23

mapped interface name 5-19, 5-20

monitoring 5-27

multiple mode, enabling 5-14

nesting or cascading 5-7

prompt A-2

reloading 5-26

removing 5-24

resource management 5-8

resource usage 5-32

saving all configurations 2-7

unsupported features 5-12

VLAN allocation 5-19, 5-20

security level

about 6-5

interface 6-25

security models for SNMP 74-3

sending messages to an e-mail address 72-10

sending messages to an SNMP server 72-12

sending messages to ASDM 72-11

sending messages to a specified output destination 72-15

sending messages to a syslog server 72-8

sending messages to a Telnet or SSH session 72-12

sending messages to the console port 72-11

sending messages to the internal log buffer 72-9

server group 66-5

service policy

applying 30-17

default 30-18

global 30-17

interface 30-17

session management path 1-13

session reinitialization timer, Network Admission Control 66-11

severity levels, of system log messages

changing 72-1

filtering by 72-1

list of 72-3

severity levels, of system messages

definition 72-3

SHA, IKE policy keywords (table) 60-4

shared license

backup server, configuring 3-33

backup server, information 3-17

client, configuring 3-34

communication issues 3-17

failover 3-18

maximum clients 3-19

monitoring 3-35

server, configuring 3-32

SSL messages 3-17

show command, filtering output A-4

simultaneous logins, username attribute 63-84

single, routed mode VPN 62-1

single mode

backing up configuration 5-14

configuration 5-14

enabling 5-14

restoring 5-14

single sign-on

See SSO

single-signon

group policy attribute for Clientless SSL VPN 63-78

username attribute for Clientless SSL VPN 63-94

SIP inspection

about 40-19

configuring 40-19

instant messaging 40-20

timeouts 40-24

troubleshooting 40-25

site-to-site VPNs, redundancy 60-28

smart tunnels 70-33

SMTP inspection 39-32

SNMP

about 74-1

failover 74-5

management station 72-1, 72-6

prerequisites 74-5

SNMP configuration 74-6

SNMP groups 74-4

SNMP hosts 74-4

SNMP monitoring 74-14, 75-7

SNMP terminology 74-2

SNMP traps 74-2

SNMP users 74-4

SNMP Version 3 74-3, 74-10

SNMP Versions 1 and 2c 74-9

source quench, ICMP message B-15

SPAN 6-5

Spanning Tree Protocol, unsupported 6-17

speed, configuring 6-8

split tunneling

ASA 5505 as Easy VPN client 67-8

group policy 63-50

group policy, domains 63-52

SSCs

management access 54-2

management defaults 54-4

management interface 54-5

password reset 54-9

reload 54-10

reset 54-10

routing 54-3

sessioning to 54-7

shutdown 54-10

supported applications 54-2

SSH

authentication 34-11

concurrent connections 34-3

login 34-2, 34-3, 34-4

password 7-1

RSA key 34-3

username 34-4

SSL

certificate 70-7

used to access the security appliance 70-4

SSL/TLS1 70-2

SSL/TLS encryption protocols

configuring 70-7

WebVPN 70-7

SSL VPN Client

compression 71-15

DPD 71-13

enabling

permanent installation 71-6

group policy attribute for Clientless SSL VPN 63-79

installing

order 71-4

keepalive messages 71-14

username attribute for Clientless SSL VPN 63-95

viewing sessions 71-16

SSCs

See also AIP SSC

SSMs

checking status 54-11

loading an image 54-8

management access 54-2

management defaults 54-4

password reset 54-9

reload 54-10

reset 54-10

routing 54-3

sessioning to 54-7

shutdown 54-10

supported applications 54-2

See also AIP SSM

See also CSC SSM

sso-server

group policy attribute for Clientless SSL VPN 63-78

username attribute for Clientless SSL VPN 63-94

SSO with WebVPN 70-9 to 70-21

configuring HTTP Basic and NTLM authentication 70-9

configuring HTTP form protocol 70-16

configuring SiteMinder 70-11, 70-13

startup configuration

copying 76-8

saving 2-6

statd buffer overflow attack 53-8

Stateful Failover

about 57-10

state information 57-10

state link 57-4

stateful inspection 1-13

bypassing 49-3

state information 57-10

state link 57-4

static ARP entry 4-10

static bridge entry 4-13

Static Group panel

description 25-6

static NAT

about 27-3

few-to-many mapping 27-7

many-to-few mapping 27-6, 27-7

network object NAT 28-8

twice NAT 29-12

static NAT with port translation, about 27-3

static routes

configuring 20-3

statistics, QoS 50-15

stealth firewall

See transparent firewall

stuck-in-active 24-2

subcommand mode prompt A-2

subinterfaces, adding 6-14

subnet masks

/bits B-3

about B-2

address range B-4

determining B-3

dotted decimal B-3

number of hosts B-3

Sun Microsystems Java Runtime Environment and WebVPN 70-86, 70-87

Sun RPC inspection

about 41-3

configuring 41-3

SVC

See SSL VPN Client

svc

group policy attribute for Clientless SSL VPN 63-79

username attribute for Clientless SSL VPN 63-95

switch MAC address table 4-12

switch ports

access ports 6-17

protected 6-18

SPAN 6-5

trunk ports 6-20

Sygate Personal Firewall 63-68

SYN attacks, monitoring 5-33

SYN cookies 5-33

syntax formatting A-3

syslogd server program 72-5

syslog messages

analyzing 72-2

syslog messaging for SNMP 74-14

syslog server

as output destination

designating more than one 72-5

EMBLEM format

configuring 72-14

enabling 72-8

system configuration 5-2

system log messages 72-4

classes of 72-4

configuring in groups

by message list 72-5

by severity level 72-1

device ID, including 72-17

disabling logging of 72-1

filtering by message class 72-4

managing in groups

by message class 72-15

output destinations 72-1, 72-6

syslog message server 72-6

Telnet or SSH session 72-6

severity levels

about 72-3

changing the severity level of a message 72-1

timestamp, including 72-18

T

TACACS+

command authorization, configuring 34-21

configuring a server 33-11

network access authorization 35-8

support 33-5

tail drop 50-3

TCP

ASA 5505 as Easy VPN client 67-4

connection limits per context 5-15

ports and literal values B-11

sequence number randomization

disabling using Modular Policy Framework 49-13

TCP FIN only flags attack 53-7

TCP Intercept

enabling using Modular Policy Framework 49-13

monitoring 5-33

TCP normalization 49-3

TCP NULL flags attack 53-6

TCP state bypass

AAA 49-5

configuring 49-11

failover 49-5

firewall mode 49-5

inspection 49-5

multiple context mode 49-5

NAT 49-5

SSMs and SSCs 49-5

TCP Intercept 49-5

TCP normalization 49-5

unsupported features 49-5

TCP SYN+FIN flags attack 53-6

Telnet

allowing management access 34-1

authentication 34-11

concurrent connections 34-2

password 7-1

template timeout intervals

configuring for flow-export actions 73-6

temporary license 3-13

testing configuration 77-1

threat detection

basic

drop types 52-2

enabling 52-4

overview 52-2

rate intervals 52-2

rate intervals, setting 52-4

statistics, viewing 52-5

system performance 52-2

scanning

attackers, viewing 52-18

default limits, changing 52-17

enabling 52-17

host database 52-15

overview 52-15

shunned hosts, releasing 52-18

shunned hosts, viewing 52-17

shunning attackers 52-17

system performance 52-16

targets, viewing 52-18

scanning statistics

enabling 52-7

system performance 52-6

viewing 52-9

time exceeded, ICMP message B-15

time ranges, access lists 11-16

timestamp, including in system log messages 72-18

timestamp reply, ICMP message B-15

timestamp request, ICMP message B-15

TLS1, used to access the security appliance 70-4

TLS Proxy

applications supported by ASA 43-3

Cisco Unified Presence architecture 47-1

configuring for Cisco Unified Presence 47-8

licenses 43-4, 45-5, 46-6, 47-7, 48-8

token bucket 50-2

toolbar, floating, WebVPN 70-66

traffic

inter- and intra-interface, permitting 62-2

traffic flow

routed firewall 4-16

transparent firewall 4-22

traffic shaping

overview 50-4

Transform 60-13

transform set

creating 65-1, 65-6

definition 60-13

transmit queue ring limit 50-2, 50-3

transparent firewall

about 4-2

ARP inspection

about 4-8

enabling 4-11

static entry 4-10

data flow 4-22

DHCP packets, allowing 32-5

guidelines 4-5

H.323 guidelines 4-3

HSRP 4-3

MAC address timeout 4-14

MAC learning, disabling 4-14

Management 0/0 IP address 6-24

management IP address 7-12

multicast traffic 4-3

packet handling 32-4

static bridge entry 4-13

unsupported features 4-6

VRRP 4-3

transparent mode

NAT 27-13

Transport Layer Security 70-2

troubleshooting

H.323 40-9

H.323 RAS 40-10

phone proxy 44-28

SIP 40-25

troubleshooting SNMP 74-11

trunk, 802.1Q 6-14

trunk ports 6-20

Trusted Flow Acceleration

failover 56-6, 61-4, 71-3

modes 4-5, 4-9, 4-13, 13-2, 20-2, 21-3, 22-3, 23-3, 24-2, 25-3, 26-20, 32-6, 56-6, 58-7, 61-3, 71-3

trustpoint 37-3

trustpoint, ASA 5505 client 67-7

trust relationship

Cisco Unified Mobility 46-5

Cisco Unified Presence 47-4

tunnel

ASA 5505 as Easy VPN client 67-5

IPsec 60-13

security appliance as a tunnel endpoint 60-1

tunnel group

ASA 5505 as Easy VPN client 67-7

configuring 63-6

creating 63-8

default 60-12, 63-1, 63-2

default, remote access, configuring 63-7

default LAN-to-LAN, configuring 63-18

definition 63-1, 63-2

general parameters 63-3

inheritance 63-1

IPSec parameters 63-4

LAN-to-LAN, configuring 63-18

name and type 63-8

remote access, configuring 65-6

remote-access, configuring 63-7

tunnel-group

general attributes 63-3

tunnel-group ISAKMP/IKE keepalive settings 63-4

tunneling, about 60-1

tunnel mode 61-2

twice NAT

about 27-16

comparison with network object NAT 27-15

configuring 29-1

dynamic NAT 29-3

dynamic PAT 29-8

examples 29-20

guidelines 29-2

identity NAT 29-17

monitoring 29-20

prerequisites 29-2

static NAT 29-12

tx-ring-limit 50-2, 50-3

U

UDP

bomb attack 53-7

chargen DoS attack 53-7

connection limits per context 5-15

connection state information 1-14

ports and literal values B-11

snork attack 53-7

unreachable, ICMP message B-15

unreachable messages

required for MTU discovery 34-9

url-list

group policy attribute for Clientless SSL VPN 63-75

username attribute for Clientless SSL VPN 63-91

URLs

context configuration, changing 5-25

context configuration, setting 5-21

filtering 36-1

filtering, about 36-7

filtering, configuration 36-10

user, VPN

definition 63-1

user access, restricting remote 63-86

user authentication, group policy 63-54

user EXEC mode

accessing 2-5

prompt A-2

username

adding 33-8

clientless authentication 66-9

encrypted 33-9

management tunnels 67-9

password 33-9

WebVPN 70-82

Xauth for Easy VPN client 67-4

username attributes

access hours 63-83

configuring 63-81, 63-83

group-lock 63-86

inheritance 63-83

password, setting 63-82

password-storage 63-87

privilege level, setting 63-82

simultaneous logins 63-84

vpn-filter 63-85

vpn-framed-ip-address 63-85

vpn-idle timeout 63-84

vpn-session-timeout 63-85

vpn-tunnel-protocol 63-86

username attributes for Clientless SSL VPN

auto-signon 63-93

customization 63-89

deny message 63-90

filter (access list) 63-91

homepage 63-89

html-content-filter 63-88

keep-alive ignore 63-93

port-forward 63-92

port-forward-name 63-93

sso-server 63-94

svc 63-95

url-list 63-91

username configuration, viewing 63-82

username webvpn mode 63-87

users

SNMP 74-4

U-turn 60-21

V

VeriSign, configuring CAs example 37-5

viewing QoS statistics 50-15

viewing RMS 76-20

virtual cluster 62-6

IP address 62-6

master 62-6

virtual firewalls

See security contexts

virtual HTTP 35-3

virtual reassembly 1-11

virtual sensors 55-6

VLAN mapping 63-45

VLANs 6-14

802.1Q trunk 6-14

allocating to a context 5-19, 5-20

ASA 5505

MAC addresses 6-4

maximum 6-2

mapped interface name 5-19, 5-20

subinterfaces 6-14

VoIP

proxy servers 40-19

troubleshooting 40-9

VPN

address pool, configuring (group-policy) 63-63

address range, subnets B-4

parameters, general, setting 62-1

setting maximum number of IPSec sessions 62-4

single, routed mode 62-1

VPN attributes, group policy 63-43

VPN client

NAT rules 27-19

VPN Client, IPsec attributes 60-2

vpn-filter username attribute 63-85

VPN flex license 3-13

vpn-framed-ip-address username attribute 63-85

VPN hardware client, group policy attributes 63-53

vpn-idle-timeout username attribute 63-84

vpn load balancing

See load balancing 62-6

VPN session limits, configuring 62-16

vpn-session-timeout username attribute 63-85

vpn-tunnel-protocol username attribute 63-86

VRRP 4-3

W

WCCP 10-1

web browsing with WebVPN 70-85

web caching 10-1

web clients, secure authentication 35-5

web e-Mail (Outlook Web Access), Outlook Web Access 70-58

WebVPN

assigning users to group policies 70-24

authenticating with digital certificates 70-22, 70-23

CA certificate validation not done 70-2

client application requirements 70-83

client requirements 70-83

for file management 70-85

for network browsing 70-85

for port forwarding 70-86

for using applications 70-86

for web browsing 70-85

start-up 70-84

configuring

e-mail 70-57

configuring WebVPN and ASDM on the same interface 70-5

cookies 70-7

defining the end-user interface 70-64

definition 70-1

digital certificate authentication restrictions 70-7

e-mail 70-57

e-mail proxies 70-57

enable cookies for 70-86, 70-87

end user set-up 70-64

establishing a session 70-4

floating toolbar 70-66

group policy attributes, configuring 70-25

hosts file 70-52

hosts files, reconfiguring 70-53

HTTP/HTTPS proxy, setting 70-7

Java object signing 70-60

PDA support 70-56

printing and 70-84

remote system configuration and end-user requirements 70-84

security precautions 70-2, 70-9

security tips 70-83

setting HTTP/HTTPS proxy 70-5

SSL/TLS encryption protocols 70-7

supported applications 70-83

supported browsers 70-84

supported types of Internet connections 70-84

troubleshooting 70-51

unsupported features 70-4

URL 70-84

use of HTTPS 70-4

username and password required 70-84

usernames and passwords 70-82

use suggestions 70-64, 70-83

WebVPN, Application Access Panel 70-65

webvpn attributes

group policy 63-71

WebVPN security precautions 70-2

welcome message, group policy 63-49

WINS server, configuring 63-42

X

Xauth, Easy VPN client 67-4

XOFF frames 6-9

Z

Zone Labs firewalls 63-68

Zone Labs Integrity Server 63-65