Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6
Index

Symbols

/bits subnet masks B-3

?

command string A-4

help A-4

Numerics

4GE SSM

connector types 6-11

fiber 6-11

SFP 6-11

802.1Q tagging 7-9

802.1Q trunk 6-30

A

AAA

about 35-1

accounting 38-18

addressing, configuring 67-2

authentication

CLI access 37-19

network access 38-2

privileged EXEC mode 37-19

authorization

command 37-22

downloadable access lists 38-14

network access 38-11

local database support 35-8

performance 38-1

server 76-4

adding 35-11

types 35-1

support summary 35-3

web clients 38-6

abbreviating commands A-3

ABR

definition of 24-2

Access Control Server 69-4, 69-13

Access Group pane

description 26-7

access hours, username attribute 66-81

accessing the security appliance using SSL 73-7

accessing the security appliance using TKS1 73-7

access list filter, username attribute 66-82

access lists

about 14-1

ACE logging, configuring 20-1

deny flows, managing 20-5

downloadable 38-14

exemptions from posture validation 69-11

global access rules 34-4

group policy WebVPN filter 66-74

implicit deny 14-3, 34-3

inbound 34-3

IP address guidelines 14-3

IPsec 63-27

IPv6

about 19-1

configuring 19-4

default settings 19-3

logging 20-1

NAT guidelines 14-3

Network Admission Control, default 69-10

object groups 13-2

outbound 34-3

phone proxy 48-7

remarks 15-5

scheduling activation 13-16

types 14-1

username for Clientless SSL VPN 66-88

access ports 7-7

ACEs

See access lists

activation key

entering 3-33

location 3-32

obtaining 3-32

Active/Active failover

about 62-1

actions 62-5

command replication 62-3

configuration synchronization 62-3

configuring

asymmetric routing support 62-18

failover criteria 62-16

failover group preemption 62-12

HTTP replication 62-14

interface monitoring 62-14

virtual MAC addresses 62-16

device initialization 62-3

duplicate MAC addresses, avoiding 62-2, 62-17

optional settings

about 62-6

configuring 62-12

primary status 62-2

secondary status 62-2

triggers 62-4

Active/Standby failover

about 61-1

actions 61-4

command replication 61-3

configuration synchronization 61-2

device initialization 61-2

primary unit 61-2

secondary unit 61-2

triggers 61-4

Active Directory, settings for password management 66-28

Active Directory procedures C-16 to ??

ActiveX filtering 39-2

Adaptive Security Algorithm 1-24

Add/Edit Access Group dialog box

description 26-7

Add/Edit IGMP Join Group dialog box

description 26-6

Add/Edit OSPF Neighbor Entry dialog box 24-12

admin context

about 5-2

changing 5-24

administrative access

using ICMP for 37-11

administrative distance 22-3, 22-5

Advanced Encryption Standard (AES) 63-9, 63-10

AIP

See IPS module

AIP SSC

loading an image 58-19, 58-21, 59-14, 59-16

setup command 58-13

AIP SSM

about 58-1

loading an image 58-19, 58-21, 59-14, 59-16

port-forwarding

enabling 8-6, 9-8

setup command 58-13

alternate address, ICMP message B-15

analyzing syslog messages 76-2

Application Access Panel, WebVPN 73-88

application access using Clientless SSL VPN

group policy attribute for Clientless SSL VPN 66-75

username attribute for Clientless SSL VPN 66-90

application access using WebVPN

and hosts file errors 73-72

quitting properly 73-73

application inspection

about 42-1

applying 42-6

configuring 42-6

inspection class map 33-6

inspection policy map 33-2

security level requirements 8-2, 9-2

special actions 33-1

Application Profile Customization Framework 73-84

area border router 24-2

ARP

NAT 29-22

ARP inspection

about 4-10

enabling 4-12

static entry 4-11

ARP spoofing 4-10

ARP test, failover 60-16

ASA (Adaptive Security Algorithm) 1-24

ASA 5505

Base license 7-2

client

authentication 70-12

configuration restrictions, table 70-2

device pass-through 70-8

group policy attributes pushed to 70-10

mode 70-3

remote management 70-9

split tunneling 70-8

TCP 70-4

trustpoint 70-7

tunnel group 70-7

tunneling 70-5

Xauth 70-4

MAC addresses 7-4

maximum VLANs 7-2

native VLAN support 7-10

non-forwarding interface 7-7

power over Ethernet 7-4

protected switch ports 7-8, 7-10

Security Plus license 7-2

server (headend) 70-1

SPAN 7-4

Spanning Tree Protocol, unsupported 7-8

ASA 5550 throughput 8-6, 9-9

ASBR

definition of 24-2

ASDM software

allowing access 37-6

installing 80-2

ASR 62-18

asymmetric routing

TCP state bypass 53-4

asymmetric routing support 62-18

attacks

DNS HINFO request 57-7

DNS request for all records 57-7

DNS zone transfer 57-7

DNS zone transfer from high port 57-7

fragmented ICMP traffic 57-6

IP fragment 57-4

IP impossible packet 57-4

large ICMP traffic 57-6

ping of death 57-6

proxied RPC request 57-7

statd buffer overflow 57-8

TCP FIN only flags 57-7

TCP NULL flags 57-6

TCP SYN+FIN flags 57-6

UDP bomb 57-7

UDP chargen DoS 57-7

UDP snork 57-7

attributes

RADIUS C-27

username 66-80

attribute-value pairs

TACACS+ C-37

attribute-value pairs (AVP) 66-36

authentication

about 35-2

ASA 5505 as Easy VPN client 70-12

CLI access 37-19

FTP 38-3

HTTP 38-3

network access 38-2

privileged EXEC mode 37-19

Telnet 38-3

web clients 38-6

WebVPN users with digital certificates 73-28, 73-29

authorization

about 35-2

command 37-22

downloadable access lists 38-14

network access 38-11

Auto-MDI/MDIX 6-2, 7-4

auto-signon

group policy attribute for Clientless SSL VPN 66-73

username attribute for Clientless SSL VPN 66-91

Auto-Update, configuring 80-16

B

backup server attributes, group policy 66-56

Baltimore Technologies, CA server support 41-4

banner message, group policy 66-48

basic threat detection

See threat detection

before configuring KCD 73-44

bits subnet masks B-3

Black Ice firewall 66-67

Botnet Traffic Filter

actions 55-2

address categories 55-2

blacklist

adding entries 55-9

description 55-2

blocking traffic manually 55-15

classifying traffic 55-12

configuring 55-6

databases 55-2

default settings 55-6

DNS Reverse Lookup Cache

information about 55-4

maximum entries 55-4

using with dynamic database 55-10

DNS snooping 55-10

dropping traffic 55-13

graylist 55-13

dynamic database

enabling use of 55-7

files 55-3

information about 55-2

searching 55-16

updates 55-7

examples 55-19

feature history 55-22

graylist

description 55-2

dropping traffic 55-13

guidelines and limitations 55-6

information about 55-1

licensing 55-6

monitoring 55-17

static database

adding entries 55-9

information about 55-3

syslog messages 55-17

task flow 55-7

threat level

dropping traffic 55-13

whitelist

adding entries 55-9

description 55-2

working overview 55-5

bridge

entry timeout 4-15

table, See MAC address table

broadcast Ping test 60-16

building blocks 13-1

bypass authentication 70-8

bypassing firewall checks 53-3

C

CA

certificate validation, not done in WebVPN 73-5

CRs and 41-2

public key cryptography 41-2

revoked certificates 41-2

supported servers 41-4

cached Kerberos tickets

clearing 73-48

showing 73-47

caching 73-81

capturing packets 81-14

cascading access lists 63-23

CA server

Digicert 41-4

Geotrust 41-4

Godaddy 41-4

iPlanet 41-4

Netscape 41-4

RSA Keon 41-4

Thawte 41-4

certificate

authentication, e-mail proxy 73-79

Cisco Unified Mobility 50-5

Cisco Unified Presence 51-4

enrollment protocol 41-11

group matching

configuring 63-17

rule and policy, creating 63-17

Certificate Revocation Lists

See CRLs

certificates

phone proxy 48-15

required by phone proxy 48-16

change query interval 26-8

change query response time 26-8

change query timeout value 26-8

changing between contexts 5-23

changing the severity level 76-18

Cisco-AV-Pair LDAP attributes C-13

Cisco Integrated Firewall 66-66

Cisco IOS CS CA

server support 41-4

Cisco IP Communicator 48-10

Cisco IP Phones

DHCP 11-6

Cisco IP Phones, application inspection 44-25

Cisco Security Agent 66-66

Cisco Trust Agent 69-13

Cisco UMA. See Cisco Unified Mobility.

Cisco Unified Mobility

architecture 50-2

ASA role 47-2, 47-3

certificate 50-5

functionality 50-1

NAT and PAT requirements 50-3, 50-4

trust relationship 50-5

Cisco Unified Presence

ASA role 47-2, 47-3

configuring the TLS Proxy 51-8

debugging the TLS Proxy 51-14

NAT and PAT requirements 51-2

sample configuration 51-14

trust relationship 51-4

Cisco UP. See Cisco Unified Presence.

Class A, B, and C addresses B-1

class-default class map 32-9

classes, logging

filtering messages by 76-16

message class variables 76-4

types 76-4

classes, resource

See resource management

class map

inspection 33-6

Layer 3/4

management traffic 32-15

match commands 32-12, 32-15

through traffic 32-12

regular expression 13-15

clearing cached Kerberos tickets 73-48

CLI

abbreviating commands A-3

adding comments A-5

command line editing A-3

command output paging A-5

displaying A-5

help A-4

paging A-5

syntax formatting A-3

client

VPN 3002 hardware, forcing client update 65-4

Windows, client update notification 65-4

client access rules, group policy 66-68

client firewall, group policy 66-63

clientless authentication 69-13

Clientless SSL VPN

configuring for specific users 66-85

client mode 70-3

client update, performing 65-4

cluster

IP address, load balancing 65-6

load balancing configurations 65-9

mixed scenarios 65-10

virtual 65-6

command authorization

about 37-14

configuring 37-22

multiple contexts 37-16

command prompts A-2

comments

configuration A-5

configuration

clearing 2-18

comments A-5

factory default

commands 2-10

restoring 2-11

saving 2-16

text file 2-19

URL for a context 5-21

viewing 2-18

configuration examples

CSC SSM 59-18

logging 76-20

configuration examples for SNMP 78-27

configuration mode

accessing 2-2

prompt A-2

connection blocking 57-2

connection limits

configuring 53-1

per context 5-17

connect time, maximum, username attribute 66-82

console port logging 76-11

content transformation, WebVPN 73-82

context mode 27-2

context modes 22-2, 23-3, 24-3, 25-3, 26-3, 59-6

contexts

See security contexts

conversion error, ICMP message B-15

cookies, enabling for WebVPN 73-10

copying files using copy smb

command 80-8

Coredump 81-14

CRACK protocol 63-35

crash dump 81-14

creating a custom event list 76-13

crypto map

access lists 63-27

applying to interfaces 63-26, 72-10

clearing configurations 63-35

creating an entry to use the dynamic crypto map 68-13

definition 63-20

dynamic 63-32

dynamic, creating 68-12

entries 63-20

examples 63-28

policy 63-21

crypto show commands table 63-34

CSC SSM

about 59-1

loading an image 58-19, 58-21, 59-14, 59-16

sending traffic to 59-10

what to scan 59-3

CSC SSM feature history 59-20

custom firewall 66-67

customization, Clientless SSL VPN

group policy attribute 66-71

login windows for users 66-27

username attribute 66-87

username attribute for Clientless SSL VPN 66-24

custom messages list

logging output destination 76-4

cut-through proxy

AAA performance 38-1

D

data flow

routed firewall 4-17

transparent firewall 4-22

date and time in messages 76-18

DDNS 12-2

debug messages 81-13

default

class 5-9

DefaultL2Lgroup 66-1

DefaultRAgroup 66-1

domain name, group policy 66-51

group policy 66-1, 66-8, 66-36

LAN-to-LAN tunnel group 66-17

remote access tunnel group, configuring 66-7

routes, defining equal cost routes 22-4

tunnel group 63-19, 66-2

default configuration

commands 2-10

restoring 2-11

default policy 32-8

default routes

about 22-4

configuring 22-4

delay sending flow-create events

flow-create events

delay sending 77-7

deleting files from Flash 80-2

deny flows, logging 20-5

deny in a crypto map 63-23

deny-message

group policy attribute for Clientless SSL VPN 66-71

username attribute for Clientless SSL VPN 66-88

DES, IKE policy keywords (table) 63-9, 63-10

device ID, including in messages 76-17

device ID in messages 76-17

device pass-through, ASA 5505 as Easy VPN client 70-8

DfltGrpPolicy 66-37

DHCP

addressing, configuring 67-3

Cisco IP Phones 11-6

options 11-4

relay 11-7

server 11-3

transparent firewall 34-5

DHCP Intercept, configuring 66-52

DHCP Relay panel 12-6

DHCP services 10-6

Diffie-Hellman

Group 5 63-10, 63-11

groups supported 63-10, 63-11

DiffServ preservation 54-5

digital certificates

authenticating WebVPN users 73-28, 73-29

SSL 73-11

directory hierarchy search C-3

disabling content rewrite 73-83

disabling messages 76-18

disabling messages, specific message IDs 76-18

DMZ, definition 1-21

DNS

dynamic 12-2

inspection

about 43-2

managing 43-1

rewrite, about 43-2

rewrite, configuring 43-3

NAT effect on 29-24

server, configuring 10-11, 66-40

DNS HINFO request attack 57-7

DNS request for all records attack 57-7

DNS zone transfer attack 57-7

DNS zone transfer from high port attack 57-7

domain attributes, group policy 66-51

domain name 10-3

dotted decimal subnet masks B-3

downloadable access lists

configuring 38-14

converting netmask expressions 38-18

DSCP preservation 54-5

dual IP stack, configuring 8-2

dual-ISP support 22-6

duplex, configuring 6-11, 7-5

dynamic crypto map 63-32

creating 68-12

See also crypto map

Dynamic DNS 12-2

dynamic NAT

about 29-8

network object NAT 30-4

twice NAT 31-4

dynamic PAT

network object NAT 30-6

See also NAT

twice NAT 31-8

E

Easy VPN

client

authentication 70-12

configuration restrictions, table 70-2

enabling and disabling 70-1

group policy attributes pushed to 70-10

mode 70-3

remote management 70-9

trustpoint 70-7

tunnels 70-9

Xauth 70-4

server (headend) 70-1

Easy VPN client

ASA 5505

device pass-through 70-8

split tunneling 70-8

TCP 70-4

tunnel group 70-7

tunneling 70-5

echo reply, ICMP message B-15

ECMP 22-3

editing command lines A-3

egress VLAN for VPN sessions 66-44

EIGRP 34-5

DUAL algorithm 27-2

hello interval 27-13

hello packets 27-1

hold time 27-2, 27-13

neighbor discovery 27-1

stub routing 27-3

stuck-in-active 27-2

e-mail

configuring for WebVPN 73-79

proxies, WebVPN 73-79

proxy, certificate authentication 73-79

WebVPN, configuring 73-79

enable command 2-1

enabling logging 76-6

enabling secure logging 76-16

end-user interface, WebVPN, defining 73-88

Enterprises 11-6

Entrust, CA server support 41-4

established command, security level requirements 8-2, 9-2

EtherChannel

adding interfaces 6-27

channel group 6-27

compatibility 6-5

converting existing interfaces 6-13

example 6-34

failover 6-10

guidelines 6-10

interface requirements 6-5

LACP 6-6

load balancing

configuring 6-29

overview 6-7

MAC address 6-7

management interface 6-27

maximum interfaces 6-29

minimum interfaces 6-29

mode

active 6-6

on 6-7

passive 6-6

monitoring 6-33

overview 6-5

port priority 6-27

system priority 6-29

Ethernet

Auto-MDI/MDIX 6-2, 7-4

duplex 6-11, 7-5

jumbo frames, ASA 5580 6-32

MTU 8-11, 9-14

speed 6-11, 7-5

EtherType access list

compatibility with extended access lists 34-2

implicit deny 34-3

evaluation license 3-21

exporting NetFlow records 77-4

extended ACLs

configuring

for management traffic 15-2

external group policy, configuring 66-39

F

facility, syslog 76-8

factory default configuration

commands 2-10

restoring 2-11

failover

about 60-1

Active/Active, See Active/Active failover

Active/Standby, See Active/Standby failover

configuration file

terminal messages, Active/Active 62-3

terminal messages, Active/Standby 61-2

contexts 61-2

debug messages 60-17

disabling 61-16, 62-24

Ethernet failover cable 60-3

failover link 60-3

forcing 61-15, 62-23

guidelines 59-6, 78-17

health monitoring 60-15

interface health 60-15

interface monitoring 60-15

interface tests 60-16

link communications 60-3

MAC addresses

about 61-2

automatically assigning 5-12

monitoring, health 60-15

network tests 60-16

primary unit 61-2

redundant interfaces 6-10

restoring a failed group 61-16, 62-24

restoring a failed unit 61-16, 62-24

secondary unit 61-2

SNMP syslog traps 60-17

Stateful Failover, See Stateful Failover

state link 60-4

system log messages 60-17

system requirements 60-2

testing 61-16, 62-24

Trusted Flow Acceleration 64-7

type selection 60-9

unit health 60-15

fast path 1-25

fiber interfaces 6-11

Fibre Channel interfaces

default settings 16-2, 17-2, 18-2, 34-8

filter (access list)

group policy attribute for Clientless SSL VPN 66-74

username attribute for Clientless SSL VPN 66-88

filtering

ActiveX 39-2

FTP 39-14

Java applet 39-4

Java applets 39-4

security level requirements 8-2, 9-2

servers supported 39-6

show command output A-4

URLs 39-1, 39-7

filtering messages 76-4

firewall

Black Ice 66-67

Cisco Integrated 66-66

Cisco Security Agent 66-66

custom 66-67

Network Ice 66-67

none 66-66

Sygate personal 66-67

Zone Labs 66-67

firewall mode

about 4-1

configuring 4-1

firewall policy, group policy 66-63

Flash memory

removing files 80-2

flash memory available for logs 76-15

flow control for 10 Gigabit Ethernet 6-22

flow-export actions 77-4

format of messages 76-3

fragmentation policy, IPsec 63-15

fragmented ICMP traffic attack 57-6

fragment protection 1-22

fragment size 57-2

FTP inspection

about 43-11

configuring 43-11

G

general attributes, tunnel group 66-3

general parameters, tunnel group 66-3

general tunnel-group connection parameters 66-3

generating RSA keys 41-9

global e-mail proxy attributes 73-79

global IPsec SA lifetimes, changing 63-29

group-lock, username attribute 66-84

group policy

address pools 66-62

attributes 66-40

backup server attributes 66-56

client access rules 66-68

configuring 66-39

default domain name for tunneled packets 66-51

definition 66-1, 66-36

domain attributes 66-51

Easy VPN client, attributes pushed to ASA 5505 70-10

external, configuring 66-39

firewall policy 66-63

hardware client user idle timeout 66-54

internal, configuring 66-40

IP phone bypass 66-54

IPSec over UDP attributes 66-49

LEAP Bypass 66-55

network extension mode 66-55

security attributes 66-46

split tunneling attributes 66-49

split-tunneling domains 66-52

user authentication 66-53

VPN attributes 66-42

VPN hardware client attributes 66-53

webvpn attributes 66-70

WINS and DNS servers 66-40

group policy, default 66-36

group policy, secure unit authentication 66-53

group policy attributes for Clientless SSL VPN

application access 66-75

auto-signon 66-73

customization 66-71

deny-message 66-71

filter 66-74

home page 66-73

html-content filter 66-72

keep-alive-ignore 66-76

port forward 66-75

port-forward-name 66-76

sso-server 66-77

url-list 66-74

groups

SNMP 78-15

GTP inspection

about 46-3

configuring 46-3

H

H.225 timeouts 44-9

H.245 troubleshooting 44-10

H.323

transparent firewall guidelines 4-4

H.323 inspection

about 44-4

configuring 44-3

limitations 44-5

troubleshooting 44-10

hairpinning 63-26

hardware client, group policy attributes 66-53

help, command line A-4

high availability

about 60-1

HMAC hashing method 63-2, 72-3

hold-period 69-17

homepage

group policy attribute for Clientless SSL VPN 66-73

username attribute for Clientless SSL VPN 66-87

host

SNMP 78-15

hostname

configuring 10-2

in banners 10-2

multiple context mode 10-2

hosts, subnet masks for B-3

hosts file

errors 73-72

reconfiguring 73-73

WebVPN 73-72

HSRP 4-4

html-content-filter

group policy attribute for Clientless SSL VPN 66-72

username attribute for Clientless SSL VPN 66-86

HTTP

filtering 39-1

HTTP(S)

authentication 37-19

filtering 39-7

HTTP/HTTPS Web VPN proxy, setting 73-11

HTTP compression, Clientless SSL VPN, enabling 66-76, 66-92

HTTP inspection

about 43-16

configuring 43-16

HTTP redirection for login, Easy VPN client on the ASA 5505 70-12

HTTPS/Telnet/SSH

allowing network or host access to ASDM 37-1

HTTPS for WebVPN sessions 73-7, 73-8

hub-and-spoke VPN scenario 63-26

I

ICMP

rules for access to ASDM 37-11

testing connectivity 81-1

type numbers B-15

identity NAT

about 29-11

network object NAT 30-12

twice NAT 31-20

idle timeout

hardware client user, group policy 66-54

username attribute 66-82

ID method for ISAKMP peers, determining 63-13

IKE

benefits 63-2, 72-3

creating policies 63-11

keepalive setting, tunnel group 66-4

pre-shared key, Easy VPN client on the ASA 5505 70-7

See also ISAKMP

IKEv1 63-19

ILS inspection 45-1

IM 44-19

implementing SNMP 78-16

inbound access lists 34-3

Individual user authentication 70-12

information reply, ICMP message B-15

information request, ICMP message B-15

inheritance

tunnel group 66-1

username attribute 66-81

inside, definition 1-21

inspection_default class-map 32-9

inspection engines

See application inspection

Instant Messaging inspection 44-19

intercept DHCP, configuring 66-52

interface

MTU 8-11, 9-14

interfaces

ASA 5505

enabled status 7-7

MAC addresses 7-4

maximum VLANs 7-2

non-forwarding 7-7

protected switch ports 7-8, 7-10

switch port configuration 7-7

trunk ports 7-9

ASA 5550 throughput 8-6, 9-9

configuring for remote access 68-7

default settings 16-2, 17-2, 18-2, 34-8, 59-7

duplex 6-11, 7-5

enabling 6-24

failover monitoring 60-15

fiber 6-11

IDs 6-23

IP address 8-7, 9-12

MAC addresses

automatically assigning 5-22

manually assigning to interfaces 8-11, 9-14

mapped name 5-20

naming, physical and subinterface 8-7, 9-10, 9-11

redundant 6-25

SFP 6-11

speed 6-11, 7-5

subinterfaces 6-30

internal group policy, configuring 66-40

Internet Security Association and Key Management Protocol

See ISAKMP

IP addresses

classes B-1

configuring an assignment method for remote access clients 67-1

configuring for VPNs 67-1

configuring local IP address pools 67-2

interface 8-7, 9-12

management, transparent firewall 9-7

private B-2

subnet mask B-4

IP fragment attack 57-4

IP impossible packet attack 57-4

IP overlapping fragments attack 57-5

IP phone 70-8

phone proxy provisioning 48-12

IP phone bypass, group policy 66-54

IP phones

addressing requirements for phone proxy 48-9

supported for phone proxy 48-3

IPSec

anti-replay window 54-12

modes 64-2

over UDP, group policy, configuring attributes 66-49

remote-access tunnel group 66-8

setting maximum active VPN sessions 65-3

IPsec

access list 63-27

basic configuration with static crypto maps 63-29

Cisco VPN Client 63-2

configuring 63-1, 63-19

crypto map entries 63-20

fragmentation policy 63-15

over NAT-T, enabling 63-14

over TCP, enabling 63-15

SA lifetimes, changing 63-29

tunnel 63-19

view configuration commands table 63-34

IPSec parameters, tunnel group 66-4

ipsec-ra, creating an IPSec remote-access tunnel 66-8

IPS module

about 58-1

configuration 58-7

operating modes 58-2

sending traffic to 58-15

traffic flow 58-2

virtual sensors 58-13

IP spoofing, preventing 57-1

IP teardrop attack 57-5

IPv6

commands 21-10

configuring alongside IPv4 8-2

default route 22-5

dual IP stack 8-2

duplicate address detection 8-12, 9-15

neighbor discovery 28-1

router advertisement messages 28-3

static neighbors 28-4

static routes 22-5

IPv6 addresses

anycast B-9

command support for 21-10

format B-5

multicast B-8

prefixes B-10

required B-10

types of B-6

unicast B-6

IPv6 prefixes 28-10

ISAKMP

about 63-2

configuring 63-1

determining an ID method for peers 63-13

disabling in aggressive mode 63-13

enabling on the outside interface 68-8

keepalive setting, tunnel group 66-4

See also IKE

J

Java applet filtering 39-4

Java applets, filtering 39-2

Java object signing 73-82

Join Group pane

description 26-6

jumbo frames, ASA 5580 6-32

K

KCD 73-41, 73-42

before configuring 73-44

KCD status

showing 73-46

keep-alive-ignore

group policy attribute for Clientless SSL VPN 66-76

username attribute for Clientless SSL VPN 66-91

Kerberos

configuring 35-11

support 35-6

Kerberos tickets

clearing 73-48

showing 73-47

L

L2TP description 64-1

LACP 6-6

LAN-to-LAN tunnel group, configuring 66-17

large ICMP traffic attack 57-6

latency

about 54-1

configuring 54-2, 54-3

reducing 54-8

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

Layer 2 Tunneling Protocol 64-1

Layer 3/4

matching multiple policy maps 32-6

LCS Federation Scenario 51-2

LDAP

application inspection 45-1

attribute mapping 35-18

Cisco-AV-pair C-13

configuring 35-11

configuring a AAA server C-2 to ??

directory search C-3

example configuration procedures C-16 to ??

hierarchy example C-3

SASL 35-6

user authentication 35-6

user authorization 35-16

LEAP Bypass, group policy 66-55

licenses

activation key

entering 3-33

location 3-32

obtaining 3-32

ASA 5505 3-2

ASA 5510 3-3, 3-8

ASA 5520 3-4

ASA 5540 3-5

ASA 5550 3-6

ASA 5580 3-7

ASA 5585-X 3-12, 3-13, 3-14

Cisco Unified Communications Proxy features 47-4, 49-5, 50-6, 51-7, 52-8

default 3-21

evaluation 3-21

failover 3-31

guidelines 3-31

managing 3-1

preinstalled 3-21

Product Authorization Key 3-32

shared

backup server, configuring 3-36

backup server, information 3-25

client, configuring 3-37

communication issues 3-25

failover 3-25

maximum clients 3-27

monitoring 3-44

overview 3-23

server, configuring 3-35

SSL messages 3-25

temporary 3-21

viewing current 3-38

VPN Flex 3-21

licensing requirements

CSC SSM 59-5

logging 76-5

licensing requirements for SNMP 78-16

link up/down test 60-16

LLQ

See low-latency queue

load balancing

cluster configurations 65-9

concepts 65-6

eligible clients 65-8

eligible platforms 65-8

implementing 65-7

mixed cluster scenarios 65-10

platforms 65-8

prerequisites 65-8

local user database

adding a user 35-20

configuring 35-20

logging in 37-20

support 35-8

lockout recovery 37-31

logging

access lists 20-1

classes

filtering messages by 76-4

types 76-4, 76-16

device-id, including in system log messages 76-17

e-mail

source address 76-10

EMBLEM format 76-14

facility option 76-8

filtering

by message class 76-16

by message list 76-4

by severity level 76-1

logging queue, configuring 76-15

output destinations 76-8

console port 76-8, 76-10, 76-11

internal buffer 76-1, 76-6

Telnet or SSH session 76-6

queue

changing the size of 76-15

configuring 76-15

viewing queue statistics 76-19

severity level, changing 76-19

timestamp, including 76-18

logging feature history 76-20

logging queue

configuring 76-15

login

banner, configuring 37-7

console 2-1

enable 2-1

FTP 38-3

global configuration mode 2-2

local user 37-20

password 10-1

simultaneous, username attribute 66-81

SSH 37-5

Telnet 10-1

windows, customizing for users of Clientless SSL VPN sessions 66-27

low-latency queue

applying 54-2, 54-3

M

MAC address

redundant interfaces 6-4

MAC addresses

ASA 5505 7-4

ASA 5505 device pass-through 70-8

automatically assigning 5-22

failover 61-2

manually assigning to interfaces 8-11, 9-14

security context classification 5-3

MAC address table

about 4-22

built-in-switch 4-13

entry timeout 4-15

MAC learning, disabling 4-15

resource management 5-17

static entry 4-15

MAC learning, disabling 4-15

management interfaces

default settings 16-2, 17-2, 18-2, 34-8

management IP address, transparent firewall 9-7

man-in-the-middle attack 4-10

mapped addresses

guidelines 29-21

mapped interface name 5-20

mask

reply, ICMP message B-15

request, ICMP message B-15

Master Passphrase 10-6

match commands

inspection class map 33-4

Layer 3/4 class map 32-12, 32-15

matching, certificate group 63-17

maximum active IPSec VPN sessions, setting 65-3

maximum connect time, username attribute 66-82

maximum object size to ignore username attribute for Clientless SSL VPN 66-91

MD5, IKE policy keywords (table) 63-9, 63-10, 63-11

media termination address, criteria 48-6

message filtering 76-4

message list

filtering by 76-4

message-of-the-day banner 37-8

messages, logging

classes

about 76-4

list of 76-4

component descriptions 76-3

filtering by message list 76-4

format of 76-3

message list, creating 76-13

severity levels 76-3

messages classes 76-4

messages in EMBLEM format 76-14

metacharacters, regular expression 13-13

MGCP inspection

about 44-11

configuring 44-11

mgmt0 interfaces

default settings 16-2, 17-2, 18-2, 34-8

MIBs 78-2

MIBs for SNMP 78-28

Microsoft Access Proxy 51-1

Microsoft Active Directory, settings for password management 66-28

Microsoft Internet Explorer client parameters, configuring 66-57

Microsoft KCD 73-41, 73-42

Microsoft Windows CA, supported 41-4

mixed cluster scenarios, load balancing 65-10

mixed-mode Cisco UCM cluster, configuring for phone proxy 48-17

MMP inspection 50-1

mobile redirection, ICMP message B-15

mode

context 5-15

firewall 4-1

modular policy framework

configuring flow-export actions for NetFlow 77-5

monitoring

CSC SSM 59-13

failover 60-15

OSPF 24-16

resource management 5-29

SNMP 78-1

monitoring logging 76-19

monitoring NSEL 77-8

monitoring switch traffic, ASA 5505 7-4

More prompt A-5

MPF

default policy 32-8

examples 32-18

feature directionality 32-3

features 32-2

flows 32-6

matching multiple policy maps 32-6

service policy, applying 32-17

See also class map

See also policy map

MPLS

LDP 34-7

router-id 34-7

TDP 34-7

MRoute pane

description 26-4

MSIE client parameters, configuring 66-57

MTU 8-11, 9-14

MTU size, Easy VPN client, ASA 5505 70-5

multicast traffic 4-4

multiple context mode

logging 76-2

See security contexts

N

NAC

See Network Admission Control

naming an interface

other models 8-7, 9-10, 9-11

NAT

about 29-1

bidirectional initiation 29-2

disabling proxy ARP for global addresses 21-11

DNS 29-24

dynamic

about 29-8

dynamic NAT

network object NAT 30-4

twice NAT 31-4

dynamic PAT

about 29-10

network object NAT 30-6

twice NAT 31-8

identity

about 29-11

identity NAT

network object NAT 30-12

twice NAT 31-20

implementation 29-16

interfaces 29-21

mapped address guidelines 29-21

network object

comparison with twice NAT 29-16

network object NAT

about 29-17

configuring 30-1

dynamic NAT 30-4

dynamic PAT 30-6

examples 30-15

guidelines 30-2

identity NAT 30-12

monitoring 30-14

prerequisites 30-2

static NAT 30-10

no proxy ARP 30-13, 31-19

object

extended PAT 30-6

flat range for PAT 30-6

routed mode 29-13

route lookup 30-13, 31-24

RPC not supported with 45-3

rule order 29-20

static

about 29-3

few-to-many mapping 29-7

many-to-few mapping 29-6, 29-7

one-to-many 29-6

static NAT

network object NAT 30-10

twice NAT 31-15

static with port translation

about 29-4

terminology 29-2

transparent mode 29-13

twice

extended PAT 31-8

flat range for PAT 31-8

twice NAT

about 29-17

comparison with network object NAT 29-16

configuring 31-1

dynamic NAT 31-4

dynamic PAT 31-8

examples 31-24

guidelines 31-2

identity NAT 31-20

monitoring 31-24

prerequisites 31-2

static NAT 31-15

types 29-3

VPN 29-14

VPN client rules 29-20

native VLAN support 7-10

NAT-T

enabling IPsec over NAT-T 63-14

using 63-15

neighbor reachable time 28-3

neighbor solicitation messages 28-2

neighbor advertisement messages 28-2

NetFlow

overview 77-1

NetFlow collector

configuring 77-4

NetFlow event

matching to configured collectors 77-5

NetFlow event logging

disabling 77-7

Network Activity test 60-16

Network Admission Control

ACL, default 69-10

clientless authentication 69-13

configuring 66-59

exemptions 69-11

revalidation timer 69-10

uses, requirements, and limitations 69-1

network extension mode 70-3

network extension mode, group policy 66-55

Network Ice firewall 66-67

network object NAT

about 29-17

comparison with twice NAT 29-16

configuring 30-1

dynamic NAT 30-4

dynamic PAT 30-6

examples 30-15

guidelines 30-2

identity NAT 30-12

monitoring 30-14

prerequisites 30-2

static NAT 30-10

Nokia VPN Client 63-35

non-secure Cisco UCM cluster, configuring phone proxy 48-15

No Payload Encryption 3-30

no proxy ARP 31-19

NSEL and syslog messages

redundant messages 77-2

NSEL configuration examples 77-9

NSEL feature history 77-11

NSEL licensing requirements 77-3

NSEL runtime counters

clearing 77-8

NTLM support 35-6

NT server

configuring 35-11

support 35-6

O

object groups

about 13-1

configuring 13-6

removing 13-11

object NAT

See network object NAT

open ports B-14

operating systems, posture validation exemptions 69-11

OSPF

area authentication 24-11

area MD5 authentication 24-11

area parameters 24-10

authentication key 24-9

authentication support 24-2

cost 24-9

dead interval 24-9

defining a static neighbor 24-12

interaction with NAT 24-2

interface parameters 24-8

link-state advertisement 24-2

logging neighbor states 24-13

LSAs 24-2

MD5 authentication 24-9

monitoring 24-16

NSSA 24-11

packet pacing 24-16

processes 24-2

redistributing routes 24-4

route calculation timers 24-13

route summarization 24-7

outbound access lists 34-3

output destination 76-5

output destinations 76-1, 76-6

e-mail address 76-1, 76-6

SNMP management station 76-1, 76-6

Telnet or SSH session 76-1, 76-6

outside, definition 1-21

oversubscribing resources 5-8

P

packet

capture 81-14

classifier 5-3

packet flow

routed firewall 4-17

transparent firewall 4-22

packet trace, enabling 81-7

paging screen displays A-5

parameter problem, ICMP message B-15

password

resetting on SSM hardware module 81-11

password management, Active Directory settings 66-28

passwords

changing 10-2

recovery 81-8

security appliance 10-1

username, setting 66-80

WebVPN 73-109

password-storage, username attribute 66-84

PAT

Easy VPN client mode 70-3

See dynamic PAT

pause frames for flow control 6-22

PDA support for WebVPN 73-78

peers

alerting before disconnecting 63-16

ISAKMP, determining ID method 63-13

performance, optimizing for WebVPN 73-81

permit in a crypto map 63-23

phone proxy

access lists 48-7

ASA role 47-3

certificates 48-15

Cisco IP Communicator 48-10

Cisco UCM supported versions 48-3

configuring mixed-mode Cisco UCM cluster 48-17

configuring non-secure Cisco UCM cluster 48-15

event recovery 48-41

IP phone addressing 48-9

IP phone provisioning 48-12

IP phones supported 48-3

Linksys routers, configuring 48-26

NAT and PAT requirements 48-8

ports 48-7

rate limiting 48-11

required certificates 48-16

sample configurations 48-43

SAST keys 48-41

TLS Proxy on ASA, described 47-3

troubleshooting 48-27

ping

See ICMP

ping of death attack 57-6

PKI protocol 41-11

PoE 7-4

policing

flow within a tunnel 54-11

policy, QoS 54-1

policy map

inspection 33-2

Layer 3/4

about 32-1

feature directionality 32-3

flows 32-6

pools, address

DHCP 11-3

port-forward

group policy attribute for Clientless SSL VPN 66-75

username attribute for Clientless SSL VPN 66-90

port-forwarding

enabling 8-6, 9-8

port-forward-name

group policy attribute for Clientless SSL VPN 66-76

username attribute for Clientless SSL VPN 66-90

ports

open on device B-14

phone proxy 48-7

TCP and UDP B-11

port translation

about 29-4

posture validation

exemptions 69-11

revalidation timer 69-10

uses, requirements, and limitations 69-1

power over Ethernet 7-4

PPPoE, configuring 71-1 to 71-5

prerequisites for use

CSC SSM 59-5

pre-shared key, Easy VPN client on the ASA 5505 70-7

primary unit, failover 61-2

printers 70-8

private networks B-2

privileged EXEC mode, accessing 2-1

privileged mode

accessing 2-1

prompt A-2

privilege level, username, setting 66-80

Product Authorization Key 3-32

prompts

command A-2

more A-5

protocol numbers and literal values B-11

Protocol pane (PIM)

description 26-10

proxied RPC request attack 57-7

proxy

See e-mail proxy

proxy ARP

NAT

See no proxy ARP

proxy ARP, disabling 21-11

proxy bypass 73-83

proxy servers

SIP and 44-19

public key cryptography 41-2

Q

QoS

about 54-1, 54-3

DiffServ preservation 54-5

DSCP preservation 54-5

feature interaction 54-4

policies 54-1

priority queueing

IPSec anti-replay window 54-12

statistics 54-15

token bucket 54-2

traffic shaping

overview 54-4

viewing statistics 54-15

Quality of Service

See QoS

question mark

command string A-4

help A-4

queue, logging

changing the size of 76-15

viewing statistics 76-19

queue, QoS

latency, reducing 54-8

limit 54-2, 54-3

R

RADIUS

attributes C-27

Cisco AV pair C-13

configuring a AAA server C-27

configuring a server 35-11

downloadable access lists 38-14

network access authentication 38-4

network access authorization 38-14

support 35-4

RAS, H.323 troubleshooting 44-10

rate limit 76-19

rate limiting 54-3

rate limiting, phone proxy 48-11

RealPlayer 44-15

reboot, waiting until active sessions end 63-16

redirect, ICMP message B-15

redundancy, in site-to-site VPNs, using crypto maps 63-34

redundant interface

EtherChannel

converting existing interfaces 6-13

redundant interfaces

configuring 6-25

failover 6-10

MAC address 6-4

setting the active interface 6-27

Registration Authority description 41-2

regular expression 13-12

reloading

context 5-26

security appliance 81-8

remote access

IPSec tunnel group, configuring 66-8

restricting 66-84

tunnel group, configuring default 66-7

VPN, configuring 68-1, 68-15

remote management, ASA 5505 70-9

Request Filter pane

description 26-11

resetting the SSM hardware module password 81-11

resource management

about 5-8

assigning a context 5-21

class 5-16

configuring 5-8

default class 5-9

monitoring 5-29

oversubscribing 5-8

resource types 5-17

unlimited 5-9

resource usage 5-32

revalidation timer, Network Admission Control 69-10

revoked certificates 41-2

rewrite, disabling 73-83

RFCs for SNMP 78-28

RIP

authentication 25-2

definition of 25-1

enabling 25-4

support for 25-2

RIP panel

limitations 25-3

RIP Version 2 Notes 25-3

routed mode

about 4-1

NAT 29-13

setting 4-1

route map

definition 23-1

route maps

defining 23-4

uses 23-1

router

advertisement, ICMP message B-15

solicitation, ICMP message B-15

router advertisement messages 28-3

router advertisement transmission interval 28-7

router lifetime value 28-8

routes

about default 22-4

configuring default routes 22-4

configuring IPv6 default 22-5

configuring IPv6 static 22-5

configuring static routes 22-3

routing

other protocols 34-5

RSA

keys, generating 37-4, 41-9

RTSP inspection

about 44-15

configuring 44-15

rules

ICMP 37-10

running configuration

copying 80-7

saving 2-16

S

same security level communication

enabling 8-15, 9-18

SAs, lifetimes 63-29

SAST keys 48-41

SCCP (Skinny) inspection

about 44-25

configuration 44-25

configuring 44-25

SDI

configuring 35-11

support 35-5

secondary unit, failover 61-2

secure unit authentication 70-12

secure unit authentication, group policy 66-53

security, WebVPN 73-5, 73-13

Security Agent, Cisco 66-66

security appliance

CLI A-1

connecting to 2-1

managing licenses 3-1

managing the configuration 2-15

reloading 81-8

upgrading software 80-2

viewing files in Flash memory 80-1

security association

clearing 63-34

See also SAs

security attributes, group policy 66-46

security contexts

about 5-1

adding 5-18

admin context

about 5-2

changing 5-24

assigning to a resource class 5-21

cascading 5-6

changing between 5-23

classifier 5-3

command authorization 37-16

configuration

URL, changing 5-25

URL, setting 5-21

logging in 5-7

MAC addresses

automatically assigning 5-22

classifying using 5-3

managing 5-1, 5-23

mapped interface name 5-20

monitoring 5-27

multiple mode, enabling 5-15

nesting or cascading 5-7

prompt A-2

reloading 5-26

removing 5-24

resource management 5-8

resource usage 5-32

saving all configurations 2-17

unsupported features 5-14

VLAN allocation 5-20

security level

about 8-1

interface 8-8, 9-10, 9-12

security models for SNMP 78-15

sending messages to an e-mail address 76-10

sending messages to an SNMP server 76-11

sending messages to ASDM 76-11

sending messages to a specified output destination 76-16

sending messages to a syslog server 76-8

sending messages to a Telnet or SSH session 76-12

sending messages to the console port 76-11

sending messages to the internal log buffer 76-9

service policy

applying 32-17

default 32-17

interface 32-17

session management path 1-25

severity levels, of system log messages

changing 76-1

filtering by 76-1

list of 76-3

severity levels, of system messages

definition 76-3

SHA, IKE policy keywords (table) 63-9, 63-10, 63-11

shared license

backup server, configuring 3-36

backup server, information 3-25

client, configuring 3-37

communication issues 3-25

failover 3-25

maximum clients 3-27

monitoring 3-44

server, configuring 3-35

SSL messages 3-25

show command, filtering output A-4

showing cached Kerberos tickets 73-47

showing KCD status 73-46

simultaneous logins, username attribute 66-81

single mode

backing up configuration 5-15

configuration 5-15

enabling 5-15

restoring 5-16

single sign-on

See SSO

single-signon

group policy attribute for Clientless SSL VPN 66-77

username attribute for Clientless SSL VPN 66-92

SIP inspection

about 44-19

configuring 44-19

instant messaging 44-19

timeouts 44-24

troubleshooting 44-24

site-to-site VPNs, redundancy 63-34

Smart Call Home monitoring 79-19

smart tunnels 73-48

SMTP inspection 43-31

SNMP

about 78-1

failover 78-17

management station 76-1, 76-6

prerequisites 78-16

SNMP configuration 78-17

SNMP groups 78-15

SNMP hosts 78-15

SNMP monitoring 78-25, 78-26

SNMP terminology 78-2

SNMP traps 78-2

SNMP users 78-15

SNMP Version 3 78-15, 78-22

SNMP Versions 1 and 2c 78-21

source quench, ICMP message B-15

SPAN 7-4

Spanning Tree Protocol, unsupported 7-8

speed, configuring 6-11, 7-5

split tunneling

ASA 5505 as Easy VPN client 70-8

group policy 66-49

group policy, domains 66-52

SSCs

management access 58-4

management defaults 58-6

management interface 58-9

password reset 58-21, 59-16

reload 58-22, 59-17

reset 58-22, 59-17

routing 58-8

sessioning to 58-12

shutdown 58-22, 59-18

SSH

authentication 37-19

concurrent connections 37-2

login 37-5

password 10-1

RSA key 37-4

username 37-5

SSL

certificate 73-11

used to access the security appliance 73-7

SSL/TLS encryption protocols

configuring 73-10

WebVPN 73-10

SSL VPN Client

compression 74-16

DPD 74-15

enabling

permanent installation 74-7

installing

order 74-6

keepalive messages 74-16

viewing sessions 74-19

SSMs

loading an image 58-19, 58-21, 59-14, 59-16

management access 58-4

management defaults 58-6

password reset 58-21, 59-16

reload 58-22, 59-17

reset 58-22, 59-17

routing 58-8

sessioning to 58-12

shutdown 58-22, 59-18

sso-server

group policy attribute for Clientless SSL VPN 66-77

username attribute for Clientless SSL VPN 66-92

SSO with WebVPN 73-13 to ??

configuring HTTP Basic and NTLM authentication 73-14

configuring HTTP form protocol 73-20

configuring SiteMinder 73-15, 73-17

startup configuration

copying 80-7

saving 2-16

statd buffer overflow attack 57-8

Stateful Failover

about 60-10

state information 60-11

state link 60-4

stateful inspection 1-24

bypassing 53-3

state information 60-11

state link 60-4

static ARP entry 4-11

static bridge entry 4-15

Static Group pane

description 26-6

static NAT

about 29-3

few-to-many mapping 29-7

many-to-few mapping 29-6, 29-7

network object NAT 30-10

twice NAT 31-15

static NAT with port translation

about 29-4

static routes

configuring 22-3

statistics, QoS 54-15

stealth firewall

See transparent firewall

stuck-in-active 27-2

subcommand mode prompt A-2

subinterfaces, adding 6-30

subnet masks

/bits B-3

about B-2

address range B-4

determining B-3

dotted decimal B-3

number of hosts B-3

Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 73-66

Sun RPC inspection

about 45-3

configuring 45-3

SVC

See SSL VPN Client

switch MAC address table 4-13

switch ports

access ports 7-7

protected 7-8, 7-10

SPAN 7-4

trunk ports 7-9

Sygate Personal Firewall 66-67

SYN attacks, monitoring 5-33

SYN cookies 5-33

syntax formatting A-3

syslogd server program 76-5

syslog messages

analyzing 76-2

syslog messaging for SNMP 78-26

syslog server

designating more than one as output destination 76-5

EMBLEM format

configuring 76-14

enabling 76-8, 76-14

system configuration 5-2

system log messages

classes 76-4

classes of 76-4

configuring in groups

by message list 76-4

by severity level 76-1

device ID, including 76-17

disabling logging of 76-1

filtering by message class 76-4

managing in groups

by message class 76-16

output destinations 76-1, 76-6

syslog message server 76-6

Telnet or SSH session 76-6

severity levels

about 76-3

changing the severity level of a message 76-1

timestamp, including 76-18

T

TACACS+

command authorization, configuring 37-29

configuring a server 35-11

network access authorization 38-11

support 35-5

tail drop 54-3

TCP

ASA 5505 as Easy VPN client 70-4

connection limits per context 5-17

ports and literal values B-11

sequence number randomization

disabling using Modular Policy Framework 53-12, 53-14

TCP FIN only flags attack 57-7

TCP Intercept

enabling using Modular Policy Framework 53-12, 53-14

monitoring 5-33

TCP normalization 53-3

TCP NULL flags attack 57-6

TCP state bypass

AAA 53-5

configuring 53-10

failover 53-5

firewall mode 53-5

inspection 53-5

multiple context mode 53-5

NAT 53-5

SSMs and SSCs 53-5

TCP Intercept 53-5

TCP normalization 53-5

unsupported features 53-5

TCP SYN+FIN flags attack 57-6

Telnet

allowing management access 37-1

authentication 37-19

concurrent connections 37-2

login 37-4

password 10-1

template timeout intervals

configuring for flow-export actions 77-6

temporary license 3-21

testing configuration 81-1

threat detection

basic

drop types 56-2

enabling 56-4

overview 56-2

rate intervals 56-2

rate intervals, setting 56-4

statistics, viewing 56-5

system performance 56-3

scanning

attackers, viewing 56-18

default limits, changing 56-17

enabling 56-17

host database 56-15

overview 56-15

shunned hosts, releasing 56-18

shunned hosts, viewing 56-17

shunning attackers 56-17

system performance 56-15

targets, viewing 56-18

scanning statistics

enabling 56-7

system performance 56-6

viewing 56-9

time exceeded, ICMP message B-15

time ranges, access lists 13-16

timestamp, including in system log messages 76-18

timestamp reply, ICMP message B-15

timestamp request, ICMP message B-15

TLS1, used to access the security appliance 73-7

TLS Proxy

applications supported by ASA 47-3

Cisco Unified Presence architecture 51-1

configuring for Cisco Unified Presence 51-8

licenses 47-4, 49-5, 50-6, 51-7, 52-8

token bucket 54-2

toolbar, floating, WebVPN 73-89

traffic flow

routed firewall 4-17

transparent firewall 4-22

traffic shaping

overview 54-4

transform set

creating 68-1, 68-10

definition 63-19

transmit queue ring limit 54-2, 54-3

transparent firewall

about 4-2

ARP inspection

about 4-10

enabling 4-12

static entry 4-11

data flow 4-22

DHCP packets, allowing 34-5

guidelines 4-7

H.323 guidelines 4-4

HSRP 4-4

MAC address timeout 4-15

MAC learning, disabling 4-15

management IP address 9-7

multicast traffic 4-4

packet handling 34-5

static bridge entry 4-15

unsupported features 4-7

VRRP 4-4

transparent mode

NAT 29-13

troubleshooting

H.323 44-9

H.323 RAS 44-10

phone proxy 48-27

SIP 44-24

troubleshooting SNMP 78-23

trunk, 802.1Q 6-30

trunk ports 7-9

Trusted Flow Acceleration

failover 64-7

modes 4-6, 4-10, 4-14, 15-1, 34-7, 62-7, 64-7

trustpoint 41-3

trustpoint, ASA 5505 client 70-7

trust relationship

Cisco Unified Mobility 50-5

Cisco Unified Presence 51-4

tunnel

ASA 5505 as Easy VPN client 70-5

IPsec 63-19

security appliance as a tunnel endpoint 63-2

tunnel group

ASA 5505 as Easy VPN client 70-7

configuring 66-6

creating 66-8

default 63-19, 66-1, 66-2

default, remote access, configuring 66-7

default LAN-to-LAN, configuring 66-17

definition 66-1, 66-2

general parameters 66-3

inheritance 66-1

IPSec parameters 66-4

LAN-to-LAN, configuring 66-17

name and type 66-8

remote access, configuring 68-11

remote-access, configuring 66-8

tunnel-group

general attributes 66-3

tunnel-group ISAKMP/IKE keepalive settings 66-4

tunneling, about 63-1

tunnel mode 64-2

twice NAT

about 29-17

comparison with network object NAT 29-16

configuring 31-1

dynamic NAT 31-4

dynamic PAT 31-8

examples 31-24

guidelines 31-2

identity NAT 31-20

monitoring 31-24

prerequisites 31-2

static NAT 31-15

tx-ring-limit 54-2, 54-3

U

UDP

bomb attack 57-7

chargen DoS attack 57-7

connection limits per context 5-17

connection state information 1-25

ports and literal values B-11

snork attack 57-7

unreachable, ICMP message B-15

unreachable messages

required for MTU discovery 37-10

url-list

group policy attribute for Clientless SSL VPN 66-74

username attribute for Clientless SSL VPN 66-89

URLs

context configuration, changing 5-25

context configuration, setting 5-21

filtering 39-1

filtering, about 39-7

filtering, configuration 39-11

user, VPN

definition 66-1

user access, restricting remote 66-84

user authentication, group policy 66-53

user EXEC mode

accessing 2-1

prompt A-2

username

adding 35-20

clientless authentication 69-14

encrypted 35-22

management tunnels 70-9

password 35-22

WebVPN 73-109

Xauth for Easy VPN client 70-4

username attributes

access hours 66-81

configuring 66-79, 66-80

group-lock 66-84

inheritance 66-81

password, setting 66-80

password-storage 66-84

privilege level, setting 66-80

simultaneous logins 66-81

vpn-filter 66-82

vpn-framed-ip-address 66-83

vpn-idle timeout 66-82

vpn-session-timeout 66-82

vpn-tunnel-protocol 66-83

username attributes for Clientless SSL VPN

auto-signon 66-91

customization 66-87

deny message 66-88

filter (access list) 66-88

homepage 66-87

html-content-filter 66-86

keep-alive ignore 66-91

port-forward 66-90

port-forward-name 66-90

sso-server 66-92

url-list 66-89

username configuration, viewing 66-79

username webvpn mode 66-85

users

SNMP 78-15

U-turn 63-26

V

VeriSign, configuring CAs example 41-4

viewing QoS statistics 54-15

viewing RMS 80-19

virtual cluster 65-6

IP address 65-6

master 65-6

virtual firewalls

See security contexts

virtual HTTP 38-3

virtual reassembly 1-22

virtual sensors 58-13

VLAN mapping 66-44

VLANs 6-30

802.1Q trunk 6-30

allocating to a context 5-20

ASA 5505

MAC addresses 7-4

maximum 7-2

mapped interface name 5-20

subinterfaces 6-30

VoIP

proxy servers 44-19

troubleshooting 44-9

VPN

address pool, configuring (group-policy) 66-62

address range, subnets B-4

parameters, general, setting 65-1

setting maximum number of IPSec sessions 65-3

VPN attributes, group policy 66-42

VPN client

NAT rules 29-20

VPN Client, IPsec attributes 63-2

vpn-filter username attribute 66-82

VPN flex license 3-21

vpn-framed-ip-address username attribute 66-83

VPN hardware client, group policy attributes 66-53

vpn-idle-timeout username attribute 66-82

vpn load balancing

See load balancing 65-6

vpn-session-timeout username attribute 66-82

vpn-tunnel-protocol username attribute 66-83

VRRP 4-4

W

WCCP 40-1

web caching 40-1

web clients, secure authentication 38-6

web e-mail (Outlook Web Access) 73-80

WebVPN

assigning users to group policies 73-31, 73-32

authenticating with digital certificates 73-28, 73-29

CA certificate validation not done 73-5

client application requirements 73-110

client requirements 73-110

configuring

e-mail 73-79

configuring WebVPN and ASDM on the same interface 73-8

cookies 73-10

defining the end-user interface 73-88

definition 73-2

e-mail 73-79

e-mail proxies 73-79

end user set-up 73-87

floating toolbar 73-89

group policy attributes, configuring 73-33

hosts file 73-72

hosts files, reconfiguring 73-73

HTTP/HTTPS proxy, setting 73-11

Java object signing 73-82

PDA support 73-78

security precautions 73-5, 73-13

security tips 73-109

setting HTTP/HTTPS proxy 73-8

SSL/TLS encryption protocols 73-10

supported applications 73-110

troubleshooting 73-72

unsupported features 73-5

use of HTTPS 73-7

usernames and passwords 73-109

use suggestions 73-87, 73-110

WebVPN, Application Access Panel 73-88

webvpn attributes

group policy 66-70

welcome message, group policy 66-48

WINS server, configuring 66-40

X

Xauth, Easy VPN client 70-4

XOFF frames 6-22

Z

Zone Labs firewalls 66-67

Zone Labs Integrity Server 66-64