Table Of Contents
Symbols - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W
Index
Symbols
/bits subnet masks D-3
?
command string C-4
help C-4
A
AAA
accounting 15-10
authentication
CLI access 21-11
network access 15-1
privileged EXEC mode 21-12
authorization
commands 21-13
downloadable access lists 15-7
network access 15-6
clearing settings 24-7
local database support 14-8
maximum rules A-5
overview 14-1
performance 15-1
server
adding 14-11
types 14-3
support summary 14-3
with web clients 15-4
abbreviating commands C-3
access lists
ACE logging, configuring 10-20
ACE order 10-2
comments 10-16
commitment 10-5
deny flows, managing 10-21
downloadable 15-8
EtherType, adding 10-9
EtherType, overview 10-8
expanded 10-5
extended, adding 10-5
extended, overview 10-6
implicit deny 10-3
inbound 11-1
interface, applying 11-4
IP address guidelines with NAT 10-3
logging 10-18
maximum rules 10-5
memory limits 10-5
memory partitions 4-16
NAT addresses 10-3
object grouping 10-10
outbound 11-1
overview 10-1
remarks 10-16
standard access lists, adding 10-10
accounting 15-10
ACEs
expanded 10-5
logging 10-18
maximum 10-5
order 10-2
Active/Active failover
about 13-12
actions 13-14
active state 13-12
command replication 13-13
configuration synchronization 13-12
configuring
failover 13-23
failover group preemption 13-26
HTTP replication 13-26
interface poll time 13-27
unit poll time 13-27
criteria for failover 13-27
device initialization 13-12
failover groups 13-12
primary status 13-12
saving the configuration 13-14
secondary status 13-12
standby state 13-12
status 13-32
synchronizing the configurations 13-13
triggers 13-14
Active/Standby failover
about 13-9
actions 13-11
active state 13-9
command replication 13-10
configuration synchronization 13-9
configuring
failover 13-19
HTTP replication 13-22
interface poll time 13-22
unit poll time 13-22
criteria for failover 13-22
device initialization 13-9
primary status 13-9
saving the configuration 13-10
secondary status 13-9
standby state 13-9
status 13-28
synchronizing the configurations 13-10
triggers 13-10
adaptive security algorithm 1-6
admin context
changing 4-23
overview 1-7, 4-2
alternate address, ICMP message D-15
application inspection
applying 20-6
configuring 20-1
map, using 20-7
overview 20-2
security level requirements 6-1
supported protocols 20-4
application partition passwords, clearing 24-7
ARP inspection
configuring 17-1
enabling 17-2
overview 17-1
static entry 17-2
ARP spoofing 17-2
ARP table, static entry 17-2
ASDM
allowing access 21-4
installation 22-8
maximum connections A-4
ASR 8-26
asymmetric routing support 8-26
AUS 22-17
authentication
CLI access 21-11
FTP 15-2
HTTP 15-2
network access 15-1
overview 14-2
privileged EXEC mode 21-12
Telnet 15-2
web clients 15-4
authorization
commands 21-13
downloadable access lists 15-7
network access 15-6
overview 14-2
Auto Update
configuring 22-17
status 22-18
B
bandwidth
limiting 4-11
maximum A-2
basic settings 7-1
BGP 10-6
bits subnet masks D-3
booting
from the FWSM 24-6
from the switch 2-13
boot partitions 2-13
BPDUs
access list, EtherType 10-9
forwarding on the switch 2-12
bridge groups
IP addresses, assigning 6-5
overview 1-5
bridge table
See MAC address table
bufferwraps
save to Flash 23-5
save to internal Flash 23-13
send to FTP server 23-13
bypassing the firewall 2-7
C
capturing packets 24-8
Catalyst 6500
See switch
Catalyst OS versions A-2
CEF A-2
changing between contexts 4-22
Cisco 7600
See switch
Cisco IOS versions A-2
Cisco IP Phones
application inspection 20-66
with DHCP 8-31
Cisco VPN Client 21-6
class
filtering messages by 23-15
message class variables 23-15
types 23-15
Class A, B, and C addresses D-2
classes
See resource management
clearing configuration settings 23-20
CLI
abbreviating commands C-3
adding comments C-5
authenticating access 21-11
command line editing C-3
command output paging C-5
displaying C-5
help C-4
paging C-5
syntax formatting C-3
command authorization
configuring 21-13
multiple contexts 21-14
overview 21-11
command prompts
configuring 7-4
overview C-2
comments
access lists 10-16
configuration C-5
Compact Flash 2-12
configuration 23-16
clearing 3-5
clearing settings 23-20
comments C-5
minimum 1-xxvii
saving 3-3
switch 2-1
text file 3-6
URL for a context 4-19
viewing 3-5
configuration mode
accessing 3-2
prompt C-2
configuration mode prompt C-2
connection
deleting A-4
connection limits
per context 4-15
console port, external 3-1
contexts
See security contexts
control plane path 1-6
conversion error, ICMP message D-15
crash dump 24-8
CTIQBE inspection
enabling 20-9
limitations and restrictions 20-8
monitoring 20-10
overview 20-8
cut-through proxy 15-1
D
data flow
routed firewall 5-3
transparent firewall 5-13
debug messages 24-8
failover 13-39
default class 4-12
deny flows, logging 10-21
device ID, including in messages 23-18
DHCP
Cisco IP Phones 8-31
configuring 8-28
relay 8-32
server 8-31
transparent firewall 10-6
disabling messages, specific message IDs 23-19
DMZ, definition 1-1
DNS and NAT 12-14
DNS inspection
configuring 20-20
managing 20-13
rewrite 20-14
domain name, setting 7-4
DoS attack, preventing 7-6, 12-24
dotted decimal subnet masks D-3
downloadable access lists 15-8
DSCP bits 1-7
dual IP stack 9-4
dynamic NAT
See NAT
E
echo reply, ICMP message D-15
editing command lines C-3
EIGRP 10-6
EMBLEM format, using in logs 23-19
ESMTP inspection
configuring 20-72
overview 20-71
established command
maximum rules A-6
security level requirements 6-1
EtherChannel, backplane
load-balancing 2-11
overview 2-11
EtherType access list
adding 10-9
overview 10-8
EtherType assigned numbers 10-9
F
facility
setting 23-8
failover
about 13-1
Active/Active
See Active/Active failover
Active/Standby
See Active/Standby failover
configuring
Active/Active 13-23
Active/Standby 13-18
debug messages 13-39
disabling 13-37
displaying the configuration 13-36
forcing 13-37
interface health monitoring 13-17
link
about 13-2
securing 13-27
module placement
inter-chassis 13-5
intra-chassis 13-3
requirements
license 13-2
software 13-2
restoring a failed unit 13-38
SNMP traps 13-39
Stateful
See Stateful Failover
switch configuration 2-11
system messages 13-39
testing 13-36
transparent firewall considerations 13-7
trunk 2-12
unit health monitoring 13-17
failover groups
assigning contexts to 13-24
creating 13-24
definition of 13-12
preempt command 13-26
restoring to an unfailed state 13-38
fast path 1-6
filtering
ActiveX 16-1
exempting 16-7
FTP 16-8
HTTP 16-6
HTTPS 16-7
Java applets 16-3
long HTTP URLs
setting the size 16-7
truncating 16-7
maximum rules A-6
overview 16-1
security level requirements 6-1
servers supported 16-4
show command output C-4
URLs 16-4
firewall mode
configuring 5-1
overview 5-1
Flash memory
overview 2-12
partitions 2-12
size A-2
format of messages 23-22
FTP filtering 16-8
FTP inspection
configuring 20-24
overview 20-22
FWSM
connecting to 3-1
resetting 2-13
G
global addresses
guidelines 12-13
specifying 12-25
GTP inspection
configuring 20-29
overview 20-27
H
H.225, configuring 20-34
H.245
monitoring 20-38
troubleshooting 20-38
H.323
transparent firewall guidelines 5-10
H.323 inspection
configuring 20-35
limitations 20-33
overview 20-32
troubleshooting 20-38
help, command line C-4
hostname, setting 7-3
hosts, subnet masks for D-3
HSRP 5-9
HTTP(S)
authentication 21-11
filtering 16-4
maximum connections A-4
maximum rules A-6
HTTP inspection
configuring 20-43
overview 20-42
HTTP replication
configuring in Active/Active failover 13-26
configuring in Active/Standby failover 13-22
I
ICMP
management access 21-10
maximum rules A-6
testing connectivity 24-1
type numbers D-15
IGMP 8-20
IKE 21-5
ILS application inspection 20-45
IM 20-58
inbound access lists 11-1
information
reply, ICMP message D-15
request, ICMP message D-15
inside, definition 1-1
inspection
See application inspection
installation
module verification 2-2
software to any partition 22-5
software to current partition 22-3, 22-8
Instant Messaging 20-58
interfaces
configuring poll times 13-22, 13-27
global addresses 12-25
health monitoring 13-17
maximum A-3
naming 6-2, 6-4
shared 4-6
turning off 6-6
turning on 6-6
viewing monitored interface status 13-36
IOS versions A-2
IP addresses
classes D-2
interface 6-3
overlapping between contexts 4-4
private D-2
routed mode 6-3
subnet mask D-4
transparent mode 6-3
VPN client 21-8
IPSec
basic settings 21-5
client 21-6
management access 21-4
transforms 21-6
IPv6
access lists 9-5
default and static routes 9-5
dual IP stack, configuring 9-4
duplicate address detection 9-4
enabled commands 9-1
neighbor discovery 9-6
router advertisement messages 9-8
static neighbor 9-10
verifying configuration 9-10
viewing routes 9-11
IPX 2-7
ISAKMP 21-5
ISNs, randomizing
transparent firewall 7-6
J
Java applet filtering 16-2
K
Kerberos
configuring 14-11
support 14-7
L
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
LDAP
application inspection 20-45
configuring 14-11
support 14-7
licenses 22-1
load-balancing, backplane EtherChannel 2-11
local user database
adding a user 14-9
configuring 14-9
logging in 21-12
support 14-8
lockout recovery 21-22
log bufferwraps
save to internal Flash 23-13
send to FTP server 23-13
logging
access lists 10-18
class
filtering messages by 23-15
types 23-15
device-id, including in system messages 23-18
email
configuring as output destination 23-8
destination address 23-9
source address 23-9
EMBLEM format 23-19
facility option 23-8
filtering
by message list 23-16
by severity level 23-5
filtering messages
by message class 23-15
logging queue, configuring 23-18
output destinations
ASDM 23-9
email address 23-8, 23-9
internal buffer 23-5
syslog server 23-7
Telnet or SSH session 23-5
queue
changing the size of 23-18
configuring 23-18
viewing queue statistics 23-18
severity level
changing 23-20
timestamp, including 23-18
logging queue
configuring 23-18
login
FTP 15-2
local user 21-12
session 3-2
SSH 3-2
Telnet 3-2
login banner 7-5
log output destinations
ASDM 23-9
email address 23-8
internal buffer 23-5
syslog server 23-5
Telnet or SSH session 23-5
loops, avoiding 2-12
M
MAC address table
adding an address 17-3
entry timeout 17-3
MAC learning, disabling 17-4
overview 5-13, 17-3
resource management 4-14
static entry 17-3
viewing 17-4
MAC learning, disabling 17-4
maintenance partition
installing application software 22-5
installing maintenance software 22-5
password
clearing 24-7
setting 7-2
software installation 22-10
management IP address, transparent firewall 6-3
man-in-the-middle attack 17-2
mapped interface name 4-19
mask
reply, ICMP message D-15
request, ICMP message D-15
memory
access lists 10-5
Flash A-2
partitions 4-16
RAM A-2
rules 10-5
message classes
about 23-15
list of 23-15
message list
creating 23-16
filtering by 23-16
message severity levels, list of 23-22
MGCP inspection
configuring 20-48
overview 20-46
MIBs 23-1
minimum configuration 1-xxvii
mobile redirection, ICMP message D-15
mode
context 4-10
firewall 5-1
monitoring
OSPF 8-17
resource management 4-27
SNMP 23-1
more prompt C-5
MPLS
LDP 10-9
router-id 10-9
TDP 10-9
MSFC
definition A-1
overview 1-4
SVIs 2-7
multicast routing 8-19
multicast traffic 5-9
Multilayer Switch Feature Card
See MSFC
multiple context mode
See security contexts
multiple SVIs 2-6
N
N2H2 filtering server
supported 16-4
URL for website 16-4
naming an interface 6-2, 6-4
NAT
bypassing NAT
configuration 12-31
overview 12-9
DNS 12-14
dynamic NAT
configuring 12-23
implementation 12-17
overview 12-5
examples 12-34
exemption from NAT
configuration 12-33
overview 12-9
identity NAT
configuration 12-31
overview 12-9
NAT ID 12-17
order of statements 12-13
overlapping addresses 12-35
overview 12-1
PAT
configuring 12-23
implementation 12-17
overview 12-7
policy NAT
maximum rules A-6
overview 12-9
port redirection 12-36
RPC not supported with 20-76
same security level 12-12
security level requirements 6-1
static identity, configuring 12-32
static NAT
configuring 12-26
overview 12-7
static PAT
configuring 12-28
overview 12-7
transparent firewall 5-12
types 12-5
Network Address Translation
See NAT
network processors 1-6
networks, overlapping 12-35
NPs 1-6
NTLM support 14-7
NT server
configuring 14-11
support 14-7
O
object groups
expanded 10-5
nesting 10-14
removing 10-16
open ports D-14
OSPF
area authentication 8-11
area MD5 authentication 8-11
area parameters 8-11
authentication key 8-9
cost 8-9
dead interval 8-9
default route 8-15
displaying update packet pacing 8-16
enabling 8-6
hello interval 8-9
interface parameters 8-9
link-state advertisement 8-5
logging neighbor states 8-16
MD5 authentication 8-9
monitoring 8-17
NSSA 8-12
overview 8-5
packet pacing 8-16
processes 8-5
redistributing routes 8-6
route calculation timers 8-15
route map 8-7
route summarization 8-14
stub area 8-11
summary route cost 8-11
outbound access lists 11-1
output destinations 23-5
e-mail address 23-5, 23-8
internal buffer 23-5
SNMP management station 23-5
specifying 23-8
syslog server 23-5, 23-7
Telnet or SSH session 23-5
viewing logs 23-6
outside, definition 1-1
oversubscribing resources 4-11
P
packet
capture 24-8
classifier 4-3
flow
routed firewall 5-3
transparent firewall 5-13
paging screen displays C-5
parameter problem, ICMP message D-15
partitions
application 2-12
boot 2-13
crash dump 2-12
Flash memory 2-12
maintenance 2-12
network configuration 2-12
passwords
changing 7-1
clearing
application 24-7
maintenance 24-7
recovery 24-6
troubleshooting 24-7
PAT (Port Address Translation)
limitations 20-55
static 12-28
See also NAT
PIM features, configuring 8-24
ping
See ICMP
policy NAT
dynamic, configuring 12-24
maximum rules A-6
overview 12-9
static, configuring 12-27
static PAT, configuring 12-28
pools, addresses
DHCP 8-29
global NAT 12-25
VPN 21-8
PORT command, FTP 20-23
ports
open on device D-14
redirection, NAT 12-36
private networks D-2
privileged EXEC mode
accessing 3-2
authentication 21-12
prompt C-2
prompts
command C-2
more C-5
setting 7-4
protocol numbers and literal values D-11
proxy servers, SIP 20-57
Q
QoS compatibility 1-7
question mark
command string C-4
help C-4
queue, logging
changing the size of 23-18
viewing statistics 23-18
quick start 1-xxvii
R
RADIUS
configuring a server 14-11
downloadable access lists 15-8
network access authentication 15-2
network access authorization 15-7
support 14-4
RAS H.323 troubleshooting 20-39
RealPlayer 20-54
rebooting
from the FWSM CLI 24-6
from the switch 2-13
redirect, ICMP message D-15
Related Documentation 1-xxvi
reloading
contexts 4-24
from the FWSM CLI 24-6
from the switch 2-13
remarks
access lists 10-16
configuration C-5
remote management
ASDM 21-4
SSH 21-2
Telnet 21-1
VPN 21-4
requirements A-1
resetting
from the FWSM CLI 24-6
from the switch 2-13
resource management
assigning a context 4-21
class 4-14
configuring 4-11
default class 4-12
monitoring 4-27
oversubscribing 4-11
overview 4-11
resource types 4-14
unlimited 4-12
resource usage 4-29
RIP
default route updates 8-18
enabling 8-18
overview 8-18
passive 8-18
routed firewall
data flow 5-3
interfaces, configuring 6-2
setting 5-16
router
advertisement, ICMP message D-15
solicitation, ICMP message D-15
routes
configuring 8-2
generating a default 8-15
logging neighbors 8-16
monitoring OSPF 8-17
summarization 8-14
routing
OSPF 8-18
other protocols 10-6
RIP 8-19
RSA keys, generating 21-3
RSH connections A-4
RTSP inspection
configuring 20-55
overview 20-54
rules
maximum 10-5
running configuration
backing up 22-15
clearing 3-5
downloading 22-14
saving 3-3
viewing 3-5
S
same security level communication
configuring 6-5
NAT 12-12
SCCP (Skinny) inspection
Cisco IP Phones, supporting 20-66
configuration 20-66
SDI
configuring 14-11
support 14-6
security contexts
adding 4-18
admin context
changing 4-23
overview 1-7, 4-2
assigning to a resource class 4-21
changing between 4-22
classifier 4-3
command authorization 21-14
configuration
URL, changing 4-24
URL, setting 4-19
logging in 4-9
managing 4-22
mapped interface name 4-19
monitoring 4-25
MSFC compatibility 1-5
multiple mode, enabling 4-10
overview 4-1
prompt C-2
reloading 4-24
removing 4-23
resource management 4-11
resource usage 4-29
saving all configurations 3-4
unsupported features 4-2
VLAN allocation 4-18
security level
configuring 6-2
overview 6-1
sessioning from the switch 3-1
session management path 1-6
severity levels, of system messages
changing 23-5
definition 23-22
filtering by 23-5
list of 23-22
shared interfaces 4-6
shared VLANs 4-6
show command, filtering output C-4
single mode
backing up configuration 4-10
configuration 4-10
enabling 4-10
restoring 4-10
SIP inspection
configuring 20-59
instant messaging 20-58
overview 20-58
timeout values, configuring 20-61
troubleshooting 20-61
site-to-site tunnel 21-9
SMTP inspection
configuring 20-72
overview 20-71
SNMP
management station 23-5
MIBs 23-1
overview 23-1
traps 23-2
software installation
any partition 22-5
current partition 22-3
maintenance 22-10
source quench, ICMP message D-15
SPAN session 2-1
specifications A-1
SSH
authentication 21-11
concurrent connections 21-2
login 21-3
maximum rules A-6
RSA key 21-3
username 21-4
startup configuration
backing up 22-15
copying to the running configuration 3-5
downloading 22-14
saving 3-3
viewing 3-5
Stateful Failover
overview 13-16
state information passed 13-16
state link 13-3
stateful inspection 1-6
state link
See Stateful Failover
static ARP entry 17-2
static MAC address entry 17-3
static NAT
See NAT
static PAT
See NAT
stealth firewall
See transparent firewall
Stub Multicast Routing 8-23
subnet masks
/bits D-3
address range D-4
dotted decimal D-3
number of hosts D-3
overview D-2
Sun RPC inspection
configuring 20-76
overview 20-76
supervisor engine versions A-2
supervisor IOS A-1
SVIs
configuring 2-8
multiple 2-6
overview 2-6
switch
assigning VLANs to module 2-2
BPDU forwarding 2-12
configuration 2-1
failover compatibility with transparent firewall 2-12
failover configuration 2-11
maximum modules A-2
resetting the module 2-13
sessioning to the module 3-1
system requirements A-1
trunk for failover 2-12
verifying module installation 2-2
switched virtual interfaces
See SVIs
Switch Fabric Module A-2
SYN attacks, monitoring 4-31
SYN cookies 4-31
syntax formatting C-3
syslog server
as output destination 23-7
designating 23-7
designating more than one 23-7
EMBLEM format
configuring 23-19
enabling 23-7
system configuration
overview 4-2
system messages
classes of 23-15
list of classes 23-15
configuring in groups
by message list 23-16
by severity level 23-5
creating lists of 23-14
device ID, including 23-18
disabling logging of 23-5
failover 13-39
filtering
by message class 23-14
format of 23-22
managing in groups
by message class 23-15
creating a message list 23-14
output destinations 23-5
email address 23-8
internal buffer 23-5
syslog message server 23-5
Telnet or SSH session 23-5
severity levels 23-22
changing the severity level of a message 23-5
list of 23-22
timestamp, including 23-18
system requirements A-1
T
TACACS+
command authorization 21-17
configuring a server 14-11
network access authorization 15-6
support 14-5
TCP
back-to-back connections A-4
connection, deleting A-4
connection limits per context 4-15
ports and literal values D-11
TCP Intercept
configuring for transparent mode 7-6, 12-24
monitoring 4-31
Telnet
authentication 21-11
concurrent connections 21-1
maximum rules A-6
testing configuration 24-1
time exceeded, ICMP message D-15
time ranges, access lists 10-17
timestamp
reply, ICMP message D-15
request, ICMP message D-15
timestamp, including in system messages 23-18
traffic flow
routed firewall 5-3
transparent firewall 5-13
transparent firewall
ARP inspection
enabling 17-2
overview 17-1
static entry 17-2
data flow 5-13
DHCP packets, allowing 10-6
failover considerations 13-7
guidelines 5-11
H.323 guidelines 5-10
HSRP 5-9
interfaces, configuring 6-3
MAC address timeout 17-3
MAC learning, disabling 17-4
management IP address 6-3
multicast traffic 5-9
NAT 5-12
overview 5-8
packet handling 10-6
setting 5-16
static MAC address entry 17-3
unsupported features 5-12
VRRP 5-9
traps, SNMP 23-2
troubleshooting
capturing packets 24-8
common problems 24-8
configuration 24-1
crash dump 24-8
debug messages 24-8
H.323 20-38
H.323 RAS 20-39
password recovery 24-6
SIP 20-61
tunnels
basic settings, configuring 21-5
site-to-site, configuring 21-9
VPN client access, configuring 21-6
U
UDP
connection limits per context 4-15
connection state information 1-6
ports and literal values D-11
unit health monitoring 13-17
unit poll time, configuring 13-22, 13-27
unprivileged mode
accessing 3-2
prompt C-2
unreachable, ICMP message D-15
URLs
context configuration, changing 4-24
context configuration, setting 4-19
filtering 16-4
V
viewing logs 23-6
virtual firewalls
See security contexts
VLANs
allocating to a context 4-18
assigning to FWSM 2-2
interfaces 2-2
mapped interface name 4-19
maximum A-3
shared 4-6
VoIP
proxy servers 20-57
troubleshooting 20-38
VPN
basic settings 21-5
client tunnel 21-6
management access 21-4
site-to-site tunnel 21-9
transforms 21-6
VRRP 5-9
W
WAN ports A-1
web clients, secure authentication 15-4