Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.0 - Index [Cisco Services Modules]

Table Of Contents

Symbols - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X -

Index

Symbols

/bits subnet masks E-3

?

command string C-4

help C-4

A

AAA

accounting 16-13

authentication

CLI access 22-10

CLI access, system 22-11

network access 16-1

privileged EXEC mode 22-13

authentication directly with the FWSM 16-3

authorization

commands 22-14

downloadable access lists 16-10

network access 16-9

clearing settings 25-6

local database support 11-6

maximum rules A-7

overview 11-1

password management 16-6

performance 16-1

prompts 16-6

server

adding 11-9

types 11-3

support summary 11-3

with web clients 16-6

abbreviating commands C-3

access lists

ACE logging, configuring 12-26

ACE order 12-2

comments 12-18

commitment 12-5

deny flows, managing 12-27

downloadable 16-10

EtherType, adding 12-10

expanded 12-6

extended, adding 12-6

extended, overview 12-6

implicit deny 12-3

inbound 14-1

interface, applying 14-4

IP address guidelines with NAT 12-3

logging 12-25

maximum rules 12-6

memory limits 12-6

NAT addresses 12-3

object grouping 12-11

outbound 14-1

overview 12-1

remarks 12-18

standard access lists, adding 12-11

accounting 16-13

ACEs

expanded 12-6

logging 12-25

maximum 12-6

order 12-2

Active/Active failover

about 13-13

actions 13-16

active state 13-13

command replication 13-14

configuration synchronization 13-14

configuring

failover 13-26

failover group preemption 13-29

HTTP replication 13-30

interface poll time 13-30

unit poll time 13-30

criteria for failover 13-30

device initialization 13-14

failover groups 13-13

primary status 13-13

saving the configuration 13-15

secondary status 13-13

standby state 13-13

status 13-35

synchronizing the configurations 13-15

triggers 13-15

Active/Standby failover

about 13-9

actions 13-12

active state 13-9

command replication 13-11

configuration synchronization 13-9

configuring

failover 13-21

HTTP replication 13-25

interface poll time 13-25

unit poll time 13-25

criteria for failover 13-25

device initializtion 13-9

primary status 13-9

saving the configuration 13-10

secondary status 13-9

standby state 13-9

status 13-32

synchronizing the configurations 13-10

triggers 13-11

Active Directory, password management 16-6

adaptive security algorithm 1-9

admin context

changing 4-33

overview 4-3

alternate-address (ICMP message) E-15

application inspection

about 21-2

applying 21-6

configuring 21-1, 21-6

inspection class map 19-10

inspection policy map 19-7

security level requirements 6-1

special actions 19-6

application partition passwords, clearing 25-6

ARP inspection

configuring 18-1

enabling 18-2

overview 18-1

static entry 18-2

ARP spoofing 18-2

ARP table, static entry 18-2

ASDM

allowing access 22-4

installation 23-9

maximum connections A-5

ASR 8-30

asymmetric routing support 8-30

AUS 23-19

authentication

CLI access 22-10

CLI access, system 22-11

FTP 16-3

HTTP 16-2

network access 16-1

overview 11-2

privileged EXEC mode 22-13

Telnet 16-2

web clients 16-6

authorization

commands 22-14

downloadable access lists 16-10

network access 16-9

overview 11-2

autostate messaging 2-9

Auto Update

configuring 23-18

status 23-20

B

bandwidth

limiting 4-21

maximum A-3

basic settings 7-1

BGP

configuring 8-7

limitations 8-7

monitoring 8-5, 8-8

restarting 8-9

support for 8-6

bits subnet masks E-3

booting

from the FWSM 25-6

from the switch 2-11

boot partitions 2-10

BPDUs

access list, EtherType 12-10

forwarding on the switch 2-9

bridge groups

IP addresses, assigning 6-5

overview 1-8

bridge table

See MAC address table

bufferwraps

save to interal Flash 24-10

send to FTP server 24-10

bypassing firewall checks 20-10

bypassing the firewall, in the switch 2-6

C

capturing packets 25-8

Catalyst 6500

See switch

CEF A-3

changing between contexts 4-31

Cisco 7600

See switch

Cisco IOS versions A-2

Cisco IP Phones

application inspection 21-89

with DHCP 8-38

Cisco VPN Client 22-6

Class A, B, and C addresses E-2

class-default class map 19-4

classes, logging

filtering messages by 24-12

message class variables 24-12

types 24-12

classes, MPF

See class map

classes, resource

See resource management

class map

inspection 19-10

Layer 3/4

match commands 19-5

through traffic 19-5

regular expression 19-14

clearing configuration settings 24-17

CLI

abbreviating commands C-3

adding comments C-5

authenticating access 22-10

command line editing C-3

command output paging C-5

displaying C-5

help C-4

paging C-5

syntax formatting C-3

command authorization

configuring 22-14

multiple contexts 22-15

overview 22-10

command prompts

configuring 7-4

overview C-2

comments

access lists 12-18

configuration C-5

Compact Flash 2-10

configuration

clearing 3-5

clearing settings 24-17

comments C-5

saving 3-3

switch 2-1

text file 3-6

URL for a context 4-29

viewing 3-5

configuration mode

accessing 3-2

prompt C-2

configuring 8-33

configuring RHI 8-33

connection

advanced features 20-1

blocking 20-15

deleting A-5

limits 20-1

rate-limiting 20-2

timeouts 20-1

connection limits

per context 4-26

console port, external 3-1

contexts

See security contexts

control plane path 1-9

conversion-error (ICMP message) E-15

crash dump 25-9

CTIQBE inspection

enabling 21-11

limitations and restrictions 21-10

monitoring 21-12

overview 21-10

cut-through proxy 16-1

D

data flow

routed firewall 5-2

transparent firewall 5-12

debug messages

failover 13-42

viewing 25-7

default class 4-23

default policy 19-3

deny flows, logging 12-27

device ID, including in messages 24-15

DHCP

Cisco IP Phones 8-38

configuring 8-35

relay 8-39

server 8-38

transparent firewall 12-7

disabling messages, specific message IDs 24-16

DMZ, definition 1-1

DNS and NAT 15-15

DNS inspection

configuring 21-24

managing 21-17

rewrite 21-18

domain name, setting 7-4

DoS attack, preventing 15-26

dotted decimal subnet masks E-3

downloadable access lists 16-10

DSCP bits 1-10

DUAL 8-23

dual IP stack 10-4

dynamic NAT

See NAT

E

eBGP 8-7

echo (ICMP message) E-15

echo-reply (ICMP message) E-15

editing command lines C-3

EIGRP 12-7

configuring 8-23

DUAL algorithm 8-23

hello interval 8-27

hello packets 8-22

hold time 8-23, 8-27

neighbor discovery 8-22

Overview 8-22

stub routing 8-24

stuck-in-active 8-23

EMBLEM format, using in logs 24-16

embryonic connection limits 20-2

ESMTP inspection

configuring 21-96

overview 21-94

established command

maximum rules A-7

security level requirements 6-2

EtherChannel, backplane

load-balancing 2-8

overview 2-8

EtherType access list

adding 12-10

applying in both directions 12-9

compatibilty with extended access lists 12-10

implicit deny 12-9

MPLS, allowing 12-10

supported EtherTypes 12-9

EtherType assigned numbers 12-10

F

facility, logging 24-5

failover

about 13-1

Active/Active

See Active/Active failover

Active/Standby

See Active/Standby failover

configuring

Active/Active 13-26

Active/Standby 13-21

debug messages 13-42

disabling 13-41

displaying the configuration 13-39

forcing 13-40

interface health monitoring 13-19

link

about 13-2

securing 13-31

module placement

inter-chassis 13-4

intra-chassis 13-3

PISA 20-6

requirements

license 13-2

software 13-2

restoring a failed unit 13-41

SNMP traps 13-42

Stateful

See Stateful Failover

switch configuration 2-9

system log messages 13-42

testing 13-39

transparent firewall considerations 13-7

trunk 2-9

unit health monitoring 13-19

upgrading software 23-9

failover groups

assigning contexts to 13-28

creating 13-27

definition of 13-13

preempt command 13-29

restoring to an unfailed state 13-41

filtering

ActiveX 17-1

exempting 17-8

FTP 17-9

HTTP 17-7

HTTPS 17-8

Java applets 17-3

long HTTP URLs

setting the size 17-7

truncating 17-8

maximum rules A-7

overview 17-1

security level requirements 6-1

servers supported 17-4

show command output C-4

URLs 17-4

firewall mode

configuring 5-1

overview 5-1

Flash memory

overview 2-10

partitions 2-10

size A-3

format of messages 24-18

fragments 1-5

limitations A-4

fragment size, configuring 20-15

FTP filtering 17-9

FTP inspection

configuring 21-32

overview 21-30

G

global addresses

guidelines 15-15

specifying 15-27

GRE tagging with PISA 20-5

GTP inspection

configuring 21-37

overview 21-35

H

H.225, configuring 21-50

H.245

monitoring 21-54

troubleshooting 21-54

H.323

transparent firewall guidelines 5-9

H.323 inspection

configuring 21-51

limitations 21-49

overview 21-48

troubleshooting 21-54

half-closed connection limits 20-3

help, command line C-4

hostname, setting 7-3

hosts, subnet masks for E-3

HSRP 5-8

HTTP(S)

authentication 22-12

filtering 17-4

maximum connections A-5

maximum rules A-7

HTTP replication

configuring in Active/Active failover 13-30

configuring in Active/Standby failover 13-25

I

iBGP 8-7

ICMP

management access 22-9

maximum rules A-7

testing connectivity 25-1

type numbers E-15

IGMP 9-2

IKE 22-5

ILS application inspection 21-64

IM 21-77

inbound access lists 14-1

information-reply (ICMP message) E-15

information-request (ICMP message) E-15

inside, definition 1-1

inspection_default class-map 19-4

installation

ASDM 23-9

maintenance software 23-12

module verification 2-2

software, using the CLI 23-4

software, using the maintenance partition 23-5

Instant Messaging 21-77

interfaces

configuring poll times 13-25, 13-30

global addresses 15-27

health monitoring 13-19

maximum A-4

naming 6-2, 6-4

shared 4-7

turning off 6-8

turning on 6-8

viewing monitored interface status 13-39

IOS

upgrading 2-1

IOS versions A-2

IP addresses

classes E-2

interface 6-3

overlapping between contexts 4-5

private E-2

routed mode 6-3

subnet mask E-4

translating 15-1

transparent mode 6-3

VPN client 22-7

IPSec

basic settings 22-5

client 22-6

management access 22-4

transforms 22-6

IP spoofing, preventing 20-14

IPv6

access lists 10-5

default and static routes 10-5

dual IP stack, configuring 10-4

duplicate address detection 10-4

enabled commands 10-1

neighbor discovery 10-6

router advertisement messages 10-8

static neighbor 10-10

verifying configuration 10-10

viewing routes 10-11

IPX 2-6

ISAKMP 22-5

ISNs, randomizing

using Modular Policy Framework 20-1

J

Java applet filtering 17-2

K

Kerberos

configuring 11-9

support 11-6

L

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

Layer 3/4

matching multiple policy maps 19-18

LDAP

application inspection 21-64

configuring 11-9

support 11-6

licenses 23-1

load-balancing, backplane EtherChannel 2-8

local user database

adding a user 11-7

configuring 11-7

logging in 22-13

support 11-6

system execution space 22-13

lockout recovery 22-23

log bufferwraps

save to internal Flash 24-10

send to FTP server 24-10

logging

access lists 12-25

class

filtering messages by 24-11

types 24-12

device-id, including in system log messages 24-15

email

configuring as output destination 24-5

destination address 24-6

source address 24-6

EMBLEM format 24-16

facility option 24-5

filtering messages

by message class 24-12

by message list 24-13

logging queue, configuring 24-14

multiple context mode 24-2

output destinations

ASDM 24-6

email address 24-5

internal buffer 24-8

SNMP 24-33

SSH 24-7

switch session 24-7

syslog server 24-4

Telnet 24-7

queue

changing the size of 24-14

configuring 24-14

viewing queue statistics 24-14

severity level

changing 24-17

severity level, changing 24-17

timestamp, including 24-15

logging queue

configuring 24-14

login

banner 7-5

command 22-13

FTP 16-3

local user 22-13

session 3-2

SSH 3-2

system execution space 22-13

Telnet 3-2

loops, avoiding 2-9

M

MAC address table

adding an address 18-3

entry timeout 18-3

MAC learning, disabling 18-4

overview 5-12, 18-3

resource management 4-26

static entry 18-3

viewing 18-4

MAC learning, disabling 18-4

maintenance partition

installing application software from 23-5

IP address 23-7

password

clearing 25-7

setting 7-2

software installation 23-12

management IP address, transparent firewall 6-3

man-in-the-middle attack 18-2

mapped interface name 4-28

mapping

MIBs to CLIs D-1

mask-reply (ICMP message) E-15

mask-request (ICMP message) E-15

match commands

inspection class map 19-8

Layer 3/4 class map 19-5

memory

access list use of 12-6

Flash A-3

RAM A-3

rules use of 12-6

memory partitions 4-12

reallocating rules 4-19

setting the total number 4-13

sizes 4-14

message classes

about 24-11

list of 24-12

message list

creating 24-13

filtering by 24-13

message severity levels, list of 24-19

metacharacters, regular expression 19-11

MGCP inspection

configuring 21-67

overview 21-65

MIBs

supported 24-20

mobile-redirect (ICMP message) E-15

mode

CLI C-2

context 4-10

firewall 5-1

Modular Policy Framework

See MPF

monitoring

OSPF 8-20

resource management 4-36

SNMP 24-20

more prompt

disabling 22-1

overview C-5

MPF

about 19-1

default policy 19-3

features 19-1

flows 19-18

matching multiple policy maps 19-18

service policy, applying 19-20

MPLS

LDP 12-10

router-id 12-10

TDP 12-10

MSFC

definition A-1

overview 1-7

SVIs 2-6

multicast routing 9-1

multicast traffic 5-8

Multilayer Switch Feature Card

See MSFC

multiple context mode

See security contexts

multiple SVIs 2-5

N

naming an interface 6-2, 6-4

NAT

bypassing NAT

configuration 15-33

overview 15-10

DNS 15-15

dynamic NAT

configuring 15-25

implementation 15-19

overview 15-6

examples 15-36

exemption from NAT

configuration 15-35

overview 15-10

identity NAT

configuration 15-33

overview 15-10

NAT ID 15-19

order of statements 15-14

overlapping addresses 15-37

overview 15-1

PAT

configuring 15-25

implementation 15-19

overview 15-8

static 15-30

policy NAT

dynamic, configuring 15-25

maximum rules A-7

overview 15-10

static, configuring 15-29

static PAT, configuring 15-31

port redirection 15-38

RPC not supported with 21-100

same security level 15-14

security level requirements 6-1

static identity, configuring 15-33

static NAT

configuring 15-28

overview 15-8

static PAT

configuring 15-30

overview 15-9

transparent mode 15-4

types 15-6

xlate bypass

configuring 15-18

overview 15-13

network processors 1-9

networks, overlapping 15-37

NPs 1-9

NTLM support 11-5

NT server

configuring 11-9

support 11-5

O

object groups

expanded 12-6

nesting 12-15

removing 12-17

open ports E-14

OSPF

area authentication 8-14

area MD5 authentication 8-14

area parameters 8-14

authentication key 8-12

cost 8-12

dead interval 8-12

default route 8-18

displaying update packet pacing 8-19

enabling 8-10

hello interval 8-12

interface parameters 8-12

link-state advertisement 8-10

logging neighbor states 8-19

MD5 authentication 8-12

monitoring 8-20

NSSA 8-15

overview 8-9

packet pacing 8-19

processes 8-10

redistributing routes 8-11

route calculation timers 8-18

route map 8-5

route summarization 8-17

stub area 8-14

summary route cost 8-14

outbound access lists 14-1

outside, definition 1-1

oversubscribing resources 4-22

P

packet

capture 25-8

classifier 4-3

flow

routed firewall 5-2

transparent firewall 5-12

paging screen displays C-5

parameter-problem (ICMP message) E-15

parameter problem, ICMP message E-15

partitions

application 2-10

boot 2-10

crash dump 2-10

Flash memory 2-10

maintenance 2-10

network configuration 2-10

password management, AAA 16-6

passwords

changing 7-1

clearing

application 25-6

maintenance 25-7

recovery 25-6

troubleshooting 25-6

PAT

See NAT

PIM features, configuring 9-6

ping

See ICMP

PISA integration 20-4

policy map

inspection 19-7

Layer 3/4

about 19-15

adding 19-18

default policy 19-18

flows 19-18

policy NAT

about 15-10

See NAT

pools, addresses

DHCP 8-36

global NAT 15-27

VPN 22-7

PORT command, FTP 21-31

ports

open on device E-14

redirection, NAT 15-38

private networks E-2

privileged EXEC mode

accessing 3-2

authentication 22-13

prompt C-2

prompts

command C-2

more C-5

setting 7-4

protocol numbers and literal values E-11

proxy servers, SIP 21-76

Q

QoS compatibility 1-10

question mark

command string C-4

help C-4

queue, logging

changing the size of 24-14

viewing statistics 24-14

R

RADIUS

configuring a server 11-9

downloadable access lists 16-10

network access authentication 16-3

network access authorization 16-10

password management 16-6

support 11-4

rapid link failure detection 2-9

RAS H.323 troubleshooting 21-55

rate-limiting connections 20-2

RealPlayer 21-73

rebooting

from the FWSM CLI 25-6

from the switch 2-11

redirect (ICMP message) E-15

redirect, ICMP message E-15

regular expression 19-11

Related Documentation 3-xxx

reloading

contexts 4-34

from the FWSM CLI 25-6

from the switch 2-11

remarks

access lists 12-18

configuration C-5

remote management

ASDM 22-4

SSH 22-2

Telnet 22-1

VPN 22-4

requirements A-1

resetting

from the FWSM CLI 25-6

from the switch 2-11

resource management

assigning a context to a class 4-30

class 4-24

configuring 4-21

default class 4-23

monitoring 4-36

oversubscribing 4-22

overview 4-22

resource types 4-26

unlimited 4-22

resource usage 4-39

RHI 8-32, 8-33

RIP

default route updates 8-21

enabling 8-21

overview 8-21

passive 8-21

routed firewall

data flow 5-2

interfaces, configuring 6-2

setting 5-17

route health injection 8-32

router

advertisement, ICMP message E-15

solicitation, ICMP message E-15

router-advertisement (ICMP message) E-15

router-solicitation (ICMP message) E-15

routes

configuring 8-2

generating a default 8-18

logging neighbors 8-19

monitoring OSPF 8-20

summarization 8-17

routing

BGP stub 8-6

OSPF 8-21

other protocols 12-7

RIP 8-22

RSA keys, generating 22-3

RSH connections A-5

RTSP inspection

configuring 21-74

overview 21-73

rules

default allocation A-7

maximum 12-6

memory partitions 4-12

pools for contexts A-7

reallocating memory A-8

reallocating memory per partition 4-19

running configuration

backing up 23-17

clearing 3-5

downloading 23-16

saving 3-3

viewing 3-5

S

same security level communication

configuring 6-6

NAT 15-14

SCCP (Skinny) inspection

Cisco IP Phones, supporting 21-90

configuration 21-89

SDI

configuring 11-9

support 11-5

secure computing smartfilter 17-4

security contexts

adding 4-28

admin context

changing 4-33

overview 4-3

assigning to a resource class 4-30

changing between 4-31

classifier 4-3

command authorization 22-15

configuration

URL, changing 4-33

URL, setting 4-29

logging 24-2

logging in 4-9

managing 4-32

mapped interface name 4-28

memory partitions 4-12

monitoring 4-35

MSFC compatibility 1-8

multiple mode, enabling 4-10

overview 4-1

prompt C-2

reloading 4-34

removing 4-32

resource management 4-22

resource usage 4-39

saving all configurations 3-4

unsupported features 4-2

VLAN allocation 4-28

security level

configuring 6-3

overview 6-1

service policy

applying 19-20

default 19-20

global 19-20

interface 19-20

sessioning from the switch 3-1

session management path 1-9

severity levels of system log messages

definition 24-19

list of 24-19

shared interfaces 4-7

shared VLANs 4-7

show command, filtering output C-4

shunning 20-15

single mode

backing up configuration 4-10

configuration 4-11

enabling 4-10

restoring 4-11

SIP inspection

instant messaging 21-77

overview 21-77

timeout values, configuring 21-82

troubleshooting 21-86

site-to-site tunnel 22-8

SMTP inspection

configuring 21-96

overview 21-94

SNMP

MIBs 24-20

overview 24-20

traps 24-31

software installation

any partition 23-5

current partition 23-4

maintenance 23-12

source-quench (ICMP message) E-15

source quench, ICMP message E-15

SPAN session 2-2

specifications A-1

SSH

authentication 22-12

concurrent connections 22-2

login 22-3

maximum rules A-7

RSA key 22-3

username 22-4

startup configuration

backing up 23-17

copying to the running configuration 3-5

downloading 23-16

saving 3-3

viewing 3-5

Stateful Failover

overview 13-18

state information passed 13-18

state link 13-3

stateful inspection

bypassing 20-10

overview 1-9

state link

See Stateful Failover

static ARP entry 18-2

static MAC address entry 18-3

static NAT

See NAT

static PAT

See NAT

stealth firewall

See transparent firewall

Stub Multicast Routing 9-5

stuck-in-active 8-23

subnet masks

/bits E-3

address range E-4

dotted decimal E-3

number of hosts E-3

overview E-2

Sun RPC inspection

configuring 21-100

overview 21-100

supervisor engine versions A-2

supervisor IOS A-1

SVIs

configuring 2-7

multiple 2-5

overview 2-5

switch

assigning VLANs to module 2-2

autostate messaging 2-9

BPDU forwarding 2-9

configuration 2-1

failover compatibility with transparent firewall 2-9

failover configuration 2-9

maximum modules A-3

resetting the module 2-11

sessioning to the module 3-1

system requirements A-1

trunk for failover 2-9

verifying module installation 2-2

switched virtual interfaces

See SVIs

Switch Fabric Module A-3

SYN attacks, monitoring 4-40

SYN cookies 4-40

syntax formatting C-3

syslog server

as output destination 24-4

designating 24-4

designating more than one 24-4

EMBLEM format

configuring 24-16

enabling 24-4

system execution space

configuration 4-2

local user database 11-7

login command 22-13

session authentication 22-11

username command 11-7

system log messages

classes 24-12

classes of

list of classes 24-12

configuring in groups

by message list 24-13

creating lists of 24-11

device ID, including 24-15

failover 13-42

filtering

by list 24-13

by message class 24-11

format of 24-18

managing in groups

by message class 24-12

creating a message list 24-11

multiple context mode 24-2

severity levels 24-19

timestamp, including 24-15

variables used in 24-19

system requirements A-1

T

TACACS+

command authorization 22-18

configuring a server 11-9

network access authorization 16-9

support 11-4

TCP

back-to-back connections A-5

connection, deleting A-5

connection limits 20-2

connection limits per context 4-26

ports and literal values E-11

sequence number randomization

disabling using Modular Policy Framework 20-2

sequence randomization 20-2

TCP Intercept

configuring for transparent mode 15-26

monitoring 4-40

TCP normalization, disabling 20-14

TCP state bypass 20-10

Telnet

authentication

enabling 22-12

session from switch 22-11

system execution space 22-11

concurrent connections 22-1

maximum rules A-7

testing configuration 25-1

time-exceeded (ICMP message) E-15

time exceeded, ICMP message E-15

time ranges, access lists 12-24

timestamp

reply, ICMP message E-15

timestamp, including in system log messages 24-15

timestamp-reply (ICMP message) E-15

traffic flow

routed firewall 5-2

transparent firewall 5-12

transparent firewall

ARP inspection

enabling 18-2

overview 18-1

static entry 18-2

data flow 5-12

DHCP packets, allowing 12-7

failover considerations 13-7

guidelines 5-10

H.323 guidelines 5-9

HSRP 5-8

interfaces, configuring 6-3

MAC address timeout 18-3

MAC learning, disabling 18-4

management IP address 6-3

multicast traffic 5-8

overview 5-7

packet handling 12-7

setting 5-17

static MAC address entry 18-3

unsupported features 5-11

VRRP 5-8

transparent mode

NAT 15-4

traps, SNMP 24-31

troubleshooting

capturing packets 25-8

common problems 25-10

configuration 25-1

crash dump 25-9

debug messages 25-7

H.323 21-54

H.323 RAS 21-55

password recovery 25-6

SIP 21-86

tunnels

basic settings, configuring 22-5

site-to-site, configuring 22-8

VPN client access, configuring 22-6

U

UDP

connection limits 20-2

connection limits per context 4-26

connection state information 1-10

ports and literal values E-11

Unicast Reverse Path Forwarding 20-14

unit health monitoring 13-19

unit poll time, configuring

Active/Active 13-30

Active/Standby 13-25

unprivileged mode

accessing 3-2

prompt C-2

unreachable (ICMP message) E-15

upgrading

IOS 2-1

URLs

context configuration, changing 4-33

context configuration, setting 4-29

filtering 17-4

V

viewing logs 24-3

virtual firewalls

See security contexts

virtual HTTP 16-3

virtual reassembly 1-5

virtual SSH 16-3

virtual Telnet 16-3

VLANs

allocating to a context 4-28

assigning to FWSM 2-2

interfaces 2-2

mapped interface name 4-28

maximum A-4

shared 4-7

VoIP

proxy servers 21-76

troubleshooting 21-54

VPN

basic settings 22-5

client tunnel 22-6

management access 22-4

site-to-site tunnel 22-8

transforms 22-6

VRRP 5-8

W

WAN ports A-1

web clients, secure authentication 16-6

X

xlate bypass

configuring 15-18

overview 15-13

	Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.0
	Index
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.0 About This Guide Quick Start Steps Getting Started and General Information Introduction to the Firewall Services Module Configuring the Switch for the Firewall Services Module Getting Started Managing Security Contexts Configuring the Firewall Mode Configuring Interface Parameters Configuring Basic Settings Configuring IP Routing and DHCP Services Configuring Multicast Routing Configuring IPv6 Configuring AAA Servers and the Local Database Configuring Certificates Identifying Traffic with Access Lists Configuring Failover Configuring the Security Policy Permitting and Denying Network Access Configuring NAT Applying AAA for Network Access Applying Filtering Services Configuring ARP Inspection and Bridging Parameters Using Modular Policy Framework Configuring Advanced Connection Features Applying Application Layer Protocol Inspection System Administration Configuring Management Access Managing Software, Licenses, and Configurations Monitoring the Firewall Services Module Troubleshooting the Firewall Services Module Reference Specifications Sample Configurations Using the Command-Line Interface Mapping MIBs to CLI Commands Addresses, Protocols, and Ports Glossary Index	Download this chapter Index Download the complete book Book-Level PDF: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.0 (PDF - 5 MB) Feedback Table Of Contents Symbols - A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Index Symbols /bits subnet masks E-3 ? command string C-4 help C-4 A AAA accounting 16-13 authentication CLI access 22-10 CLI access, system 22-11 network access 16-1 privileged EXEC mode 22-13 authentication directly with the FWSM 16-3 authorization commands 22-14 downloadable access lists 16-10 network access 16-9 clearing settings 25-6 local database support 11-6 maximum rules A-7 overview 11-1 password management 16-6 performance 16-1 prompts 16-6 server adding 11-9 types 11-3 support summary 11-3 with web clients 16-6 abbreviating commands C-3 access lists ACE logging, configuring 12-26 ACE order 12-2 comments 12-18 commitment 12-5 deny flows, managing 12-27 downloadable 16-10 EtherType, adding 12-10 expanded 12-6 extended, adding 12-6 extended, overview 12-6 implicit deny 12-3 inbound 14-1 interface, applying 14-4 IP address guidelines with NAT 12-3 logging 12-25 maximum rules 12-6 memory limits 12-6 NAT addresses 12-3 object grouping 12-11 outbound 14-1 overview 12-1 remarks 12-18 standard access lists, adding 12-11 accounting 16-13 ACEs expanded 12-6 logging 12-25 maximum 12-6 order 12-2 Active/Active failover about 13-13 actions 13-16 active state 13-13 command replication 13-14 configuration synchronization 13-14 configuring failover 13-26 failover group preemption 13-29 HTTP replication 13-30 interface poll time 13-30 unit poll time 13-30 criteria for failover 13-30 device initialization 13-14 failover groups 13-13 primary status 13-13 saving the configuration 13-15 secondary status 13-13 standby state 13-13 status 13-35 synchronizing the configurations 13-15 triggers 13-15 Active/Standby failover about 13-9 actions 13-12 active state 13-9 command replication 13-11 configuration synchronization 13-9 configuring failover 13-21 HTTP replication 13-25 interface poll time 13-25 unit poll time 13-25 criteria for failover 13-25 device initializtion 13-9 primary status 13-9 saving the configuration 13-10 secondary status 13-9 standby state 13-9 status 13-32 synchronizing the configurations 13-10 triggers 13-11 Active Directory, password management 16-6 adaptive security algorithm 1-9 admin context changing 4-33 overview 4-3 alternate-address (ICMP message) E-15 application inspection about 21-2 applying 21-6 configuring 21-1, 21-6 inspection class map 19-10 inspection policy map 19-7 security level requirements 6-1 special actions 19-6 application partition passwords, clearing 25-6 ARP inspection configuring 18-1 enabling 18-2 overview 18-1 static entry 18-2 ARP spoofing 18-2 ARP table, static entry 18-2 ASDM allowing access 22-4 installation 23-9 maximum connections A-5 ASR 8-30 asymmetric routing support 8-30 AUS 23-19 authentication CLI access 22-10 CLI access, system 22-11 FTP 16-3 HTTP 16-2 network access 16-1 overview 11-2 privileged EXEC mode 22-13 Telnet 16-2 web clients 16-6 authorization commands 22-14 downloadable access lists 16-10 network access 16-9 overview 11-2 autostate messaging 2-9 Auto Update configuring 23-18 status 23-20 B bandwidth limiting 4-21 maximum A-3 basic settings 7-1 BGP configuring 8-7 limitations 8-7 monitoring 8-5, 8-8 restarting 8-9 support for 8-6 bits subnet masks E-3 booting from the FWSM 25-6 from the switch 2-11 boot partitions 2-10 BPDUs access list, EtherType 12-10 forwarding on the switch 2-9 bridge groups IP addresses, assigning 6-5 overview 1-8 bridge table See MAC address table bufferwraps save to interal Flash 24-10 send to FTP server 24-10 bypassing firewall checks 20-10 bypassing the firewall, in the switch 2-6 C capturing packets 25-8 Catalyst 6500 See switch CEF A-3 changing between contexts 4-31 Cisco 7600 See switch Cisco IOS versions A-2 Cisco IP Phones application inspection 21-89 with DHCP 8-38 Cisco VPN Client 22-6 Class A, B, and C addresses E-2 class-default class map 19-4 classes, logging filtering messages by 24-12 message class variables 24-12 types 24-12 classes, MPF See class map classes, resource See resource management class map inspection 19-10 Layer 3/4 match commands 19-5 through traffic 19-5 regular expression 19-14 clearing configuration settings 24-17 CLI abbreviating commands C-3 adding comments C-5 authenticating access 22-10 command line editing C-3 command output paging C-5 displaying C-5 help C-4 paging C-5 syntax formatting C-3 command authorization configuring 22-14 multiple contexts 22-15 overview 22-10 command prompts configuring 7-4 overview C-2 comments access lists 12-18 configuration C-5 Compact Flash 2-10 configuration clearing 3-5 clearing settings 24-17 comments C-5 saving 3-3 switch 2-1 text file 3-6 URL for a context 4-29 viewing 3-5 configuration mode accessing 3-2 prompt C-2 configuring 8-33 configuring RHI 8-33 connection advanced features 20-1 blocking 20-15 deleting A-5 limits 20-1 rate-limiting 20-2 timeouts 20-1 connection limits per context 4-26 console port, external 3-1 contexts See security contexts control plane path 1-9 conversion-error (ICMP message) E-15 crash dump 25-9 CTIQBE inspection enabling 21-11 limitations and restrictions 21-10 monitoring 21-12 overview 21-10 cut-through proxy 16-1 D data flow routed firewall 5-2 transparent firewall 5-12 debug messages failover 13-42 viewing 25-7 default class 4-23 default policy 19-3 deny flows, logging 12-27 device ID, including in messages 24-15 DHCP Cisco IP Phones 8-38 configuring 8-35 relay 8-39 server 8-38 transparent firewall 12-7 disabling messages, specific message IDs 24-16 DMZ, definition 1-1 DNS and NAT 15-15 DNS inspection configuring 21-24 managing 21-17 rewrite 21-18 domain name, setting 7-4 DoS attack, preventing 15-26 dotted decimal subnet masks E-3 downloadable access lists 16-10 DSCP bits 1-10 DUAL 8-23 dual IP stack 10-4 dynamic NAT See NAT E eBGP 8-7 echo (ICMP message) E-15 echo-reply (ICMP message) E-15 editing command lines C-3 EIGRP 12-7 configuring 8-23 DUAL algorithm 8-23 hello interval 8-27 hello packets 8-22 hold time 8-23, 8-27 neighbor discovery 8-22 Overview 8-22 stub routing 8-24 stuck-in-active 8-23 EMBLEM format, using in logs 24-16 embryonic connection limits 20-2 ESMTP inspection configuring 21-96 overview 21-94 established command maximum rules A-7 security level requirements 6-2 EtherChannel, backplane load-balancing 2-8 overview 2-8 EtherType access list adding 12-10 applying in both directions 12-9 compatibilty with extended access lists 12-10 implicit deny 12-9 MPLS, allowing 12-10 supported EtherTypes 12-9 EtherType assigned numbers 12-10 F facility, logging 24-5 failover about 13-1 Active/Active See Active/Active failover Active/Standby See Active/Standby failover configuring Active/Active 13-26 Active/Standby 13-21 debug messages 13-42 disabling 13-41 displaying the configuration 13-39 forcing 13-40 interface health monitoring 13-19 link about 13-2 securing 13-31 module placement inter-chassis 13-4 intra-chassis 13-3 PISA 20-6 requirements license 13-2 software 13-2 restoring a failed unit 13-41 SNMP traps 13-42 Stateful See Stateful Failover switch configuration 2-9 system log messages 13-42 testing 13-39 transparent firewall considerations 13-7 trunk 2-9 unit health monitoring 13-19 upgrading software 23-9 failover groups assigning contexts to 13-28 creating 13-27 definition of 13-13 preempt command 13-29 restoring to an unfailed state 13-41 filtering ActiveX 17-1 exempting 17-8 FTP 17-9 HTTP 17-7 HTTPS 17-8 Java applets 17-3 long HTTP URLs setting the size 17-7 truncating 17-8 maximum rules A-7 overview 17-1 security level requirements 6-1 servers supported 17-4 show command output C-4 URLs 17-4 firewall mode configuring 5-1 overview 5-1 Flash memory overview 2-10 partitions 2-10 size A-3 format of messages 24-18 fragments 1-5 limitations A-4 fragment size, configuring 20-15 FTP filtering 17-9 FTP inspection configuring 21-32 overview 21-30 G global addresses guidelines 15-15 specifying 15-27 GRE tagging with PISA 20-5 GTP inspection configuring 21-37 overview 21-35 H H.225, configuring 21-50 H.245 monitoring 21-54 troubleshooting 21-54 H.323 transparent firewall guidelines 5-9 H.323 inspection configuring 21-51 limitations 21-49 overview 21-48 troubleshooting 21-54 half-closed connection limits 20-3 help, command line C-4 hostname, setting 7-3 hosts, subnet masks for E-3 HSRP 5-8 HTTP(S) authentication 22-12 filtering 17-4 maximum connections A-5 maximum rules A-7 HTTP replication configuring in Active/Active failover 13-30 configuring in Active/Standby failover 13-25 I iBGP 8-7 ICMP management access 22-9 maximum rules A-7 testing connectivity 25-1 type numbers E-15 IGMP 9-2 IKE 22-5 ILS application inspection 21-64 IM 21-77 inbound access lists 14-1 information-reply (ICMP message) E-15 information-request (ICMP message) E-15 inside, definition 1-1 inspection_default class-map 19-4 installation ASDM 23-9 maintenance software 23-12 module verification 2-2 software, using the CLI 23-4 software, using the maintenance partition 23-5 Instant Messaging 21-77 interfaces configuring poll times 13-25, 13-30 global addresses 15-27 health monitoring 13-19 maximum A-4 naming 6-2, 6-4 shared 4-7 turning off 6-8 turning on 6-8 viewing monitored interface status 13-39 IOS upgrading 2-1 IOS versions A-2 IP addresses classes E-2 interface 6-3 overlapping between contexts 4-5 private E-2 routed mode 6-3 subnet mask E-4 translating 15-1 transparent mode 6-3 VPN client 22-7 IPSec basic settings 22-5 client 22-6 management access 22-4 transforms 22-6 IP spoofing, preventing 20-14 IPv6 access lists 10-5 default and static routes 10-5 dual IP stack, configuring 10-4 duplicate address detection 10-4 enabled commands 10-1 neighbor discovery 10-6 router advertisement messages 10-8 static neighbor 10-10 verifying configuration 10-10 viewing routes 10-11 IPX 2-6 ISAKMP 22-5 ISNs, randomizing using Modular Policy Framework 20-1 J Java applet filtering 17-2 K Kerberos configuring 11-9 support 11-6 L Layer 2 firewall See transparent firewall Layer 2 forwarding table See MAC address table Layer 3/4 matching multiple policy maps 19-18 LDAP application inspection 21-64 configuring 11-9 support 11-6 licenses 23-1 load-balancing, backplane EtherChannel 2-8 local user database adding a user 11-7 configuring 11-7 logging in 22-13 support 11-6 system execution space 22-13 lockout recovery 22-23 log bufferwraps save to internal Flash 24-10 send to FTP server 24-10 logging access lists 12-25 class filtering messages by 24-11 types 24-12 device-id, including in system log messages 24-15 email configuring as output destination 24-5 destination address 24-6 source address 24-6 EMBLEM format 24-16 facility option 24-5 filtering messages by message class 24-12 by message list 24-13 logging queue, configuring 24-14 multiple context mode 24-2 output destinations ASDM 24-6 email address 24-5 internal buffer 24-8 SNMP 24-33 SSH 24-7 switch session 24-7 syslog server 24-4 Telnet 24-7 queue changing the size of 24-14 configuring 24-14 viewing queue statistics 24-14 severity level changing 24-17 severity level, changing 24-17 timestamp, including 24-15 logging queue configuring 24-14 login banner 7-5 command 22-13 FTP 16-3 local user 22-13 session 3-2 SSH 3-2 system execution space 22-13 Telnet 3-2 loops, avoiding 2-9 M MAC address table adding an address 18-3 entry timeout 18-3 MAC learning, disabling 18-4 overview 5-12, 18-3 resource management 4-26 static entry 18-3 viewing 18-4 MAC learning, disabling 18-4 maintenance partition installing application software from 23-5 IP address 23-7 password clearing 25-7 setting 7-2 software installation 23-12 management IP address, transparent firewall 6-3 man-in-the-middle attack 18-2 mapped interface name 4-28 mapping MIBs to CLIs D-1 mask-reply (ICMP message) E-15 mask-request (ICMP message) E-15 match commands inspection class map 19-8 Layer 3/4 class map 19-5 memory access list use of 12-6 Flash A-3 RAM A-3 rules use of 12-6 memory partitions 4-12 reallocating rules 4-19 setting the total number 4-13 sizes 4-14 message classes about 24-11 list of 24-12 message list creating 24-13 filtering by 24-13 message severity levels, list of 24-19 metacharacters, regular expression 19-11 MGCP inspection configuring 21-67 overview 21-65 MIBs supported 24-20 mobile-redirect (ICMP message) E-15 mode CLI C-2 context 4-10 firewall 5-1 Modular Policy Framework See MPF monitoring OSPF 8-20 resource management 4-36 SNMP 24-20 more prompt disabling 22-1 overview C-5 MPF about 19-1 default policy 19-3 features 19-1 flows 19-18 matching multiple policy maps 19-18 service policy, applying 19-20 MPLS LDP 12-10 router-id 12-10 TDP 12-10 MSFC definition A-1 overview 1-7 SVIs 2-6 multicast routing 9-1 multicast traffic 5-8 Multilayer Switch Feature Card See MSFC multiple context mode See security contexts multiple SVIs 2-5 N naming an interface 6-2, 6-4 NAT bypassing NAT configuration 15-33 overview 15-10 DNS 15-15 dynamic NAT configuring 15-25 implementation 15-19 overview 15-6 examples 15-36 exemption from NAT configuration 15-35 overview 15-10 identity NAT configuration 15-33 overview 15-10 NAT ID 15-19 order of statements 15-14 overlapping addresses 15-37 overview 15-1 PAT configuring 15-25 implementation 15-19 overview 15-8 static 15-30 policy NAT dynamic, configuring 15-25 maximum rules A-7 overview 15-10 static, configuring 15-29 static PAT, configuring 15-31 port redirection 15-38 RPC not supported with 21-100 same security level 15-14 security level requirements 6-1 static identity, configuring 15-33 static NAT configuring 15-28 overview 15-8 static PAT configuring 15-30 overview 15-9 transparent mode 15-4 types 15-6 xlate bypass configuring 15-18 overview 15-13 network processors 1-9 networks, overlapping 15-37 NPs 1-9 NTLM support 11-5 NT server configuring 11-9 support 11-5 O object groups expanded 12-6 nesting 12-15 removing 12-17 open ports E-14 OSPF area authentication 8-14 area MD5 authentication 8-14 area parameters 8-14 authentication key 8-12 cost 8-12 dead interval 8-12 default route 8-18 displaying update packet pacing 8-19 enabling 8-10 hello interval 8-12 interface parameters 8-12 link-state advertisement 8-10 logging neighbor states 8-19 MD5 authentication 8-12 monitoring 8-20 NSSA 8-15 overview 8-9 packet pacing 8-19 processes 8-10 redistributing routes 8-11 route calculation timers 8-18 route map 8-5 route summarization 8-17 stub area 8-14 summary route cost 8-14 outbound access lists 14-1 outside, definition 1-1 oversubscribing resources 4-22 P packet capture 25-8 classifier 4-3 flow routed firewall 5-2 transparent firewall 5-12 paging screen displays C-5 parameter-problem (ICMP message) E-15 parameter problem, ICMP message E-15 partitions application 2-10 boot 2-10 crash dump 2-10 Flash memory 2-10 maintenance 2-10 network configuration 2-10 password management, AAA 16-6 passwords changing 7-1 clearing application 25-6 maintenance 25-7 recovery 25-6 troubleshooting 25-6 PAT See NAT PIM features, configuring 9-6 ping See ICMP PISA integration 20-4 policy map inspection 19-7 Layer 3/4 about 19-15 adding 19-18 default policy 19-18 flows 19-18 policy NAT about 15-10 See NAT pools, addresses DHCP 8-36 global NAT 15-27 VPN 22-7 PORT command, FTP 21-31 ports open on device E-14 redirection, NAT 15-38 private networks E-2 privileged EXEC mode accessing 3-2 authentication 22-13 prompt C-2 prompts command C-2 more C-5 setting 7-4 protocol numbers and literal values E-11 proxy servers, SIP 21-76 Q QoS compatibility 1-10 question mark command string C-4 help C-4 queue, logging changing the size of 24-14 viewing statistics 24-14 R RADIUS configuring a server 11-9 downloadable access lists 16-10 network access authentication 16-3 network access authorization 16-10 password management 16-6 support 11-4 rapid link failure detection 2-9 RAS H.323 troubleshooting 21-55 rate-limiting connections 20-2 RealPlayer 21-73 rebooting from the FWSM CLI 25-6 from the switch 2-11 redirect (ICMP message) E-15 redirect, ICMP message E-15 regular expression 19-11 Related Documentation 3-xxx reloading contexts 4-34 from the FWSM CLI 25-6 from the switch 2-11 remarks access lists 12-18 configuration C-5 remote management ASDM 22-4 SSH 22-2 Telnet 22-1 VPN 22-4 requirements A-1 resetting from the FWSM CLI 25-6 from the switch 2-11 resource management assigning a context to a class 4-30 class 4-24 configuring 4-21 default class 4-23 monitoring 4-36 oversubscribing 4-22 overview 4-22 resource types 4-26 unlimited 4-22 resource usage 4-39 RHI 8-32, 8-33 RIP default route updates 8-21 enabling 8-21 overview 8-21 passive 8-21 routed firewall data flow 5-2 interfaces, configuring 6-2 setting 5-17 route health injection 8-32 router advertisement, ICMP message E-15 solicitation, ICMP message E-15 router-advertisement (ICMP message) E-15 router-solicitation (ICMP message) E-15 routes configuring 8-2 generating a default 8-18 logging neighbors 8-19 monitoring OSPF 8-20 summarization 8-17 routing BGP stub 8-6 OSPF 8-21 other protocols 12-7 RIP 8-22 RSA keys, generating 22-3 RSH connections A-5 RTSP inspection configuring 21-74 overview 21-73 rules default allocation A-7 maximum 12-6 memory partitions 4-12 pools for contexts A-7 reallocating memory A-8 reallocating memory per partition 4-19 running configuration backing up 23-17 clearing 3-5 downloading 23-16 saving 3-3 viewing 3-5 S same security level communication configuring 6-6 NAT 15-14 SCCP (Skinny) inspection Cisco IP Phones, supporting 21-90 configuration 21-89 SDI configuring 11-9 support 11-5 secure computing smartfilter 17-4 security contexts adding 4-28 admin context changing 4-33 overview 4-3 assigning to a resource class 4-30 changing between 4-31 classifier 4-3 command authorization 22-15 configuration URL, changing 4-33 URL, setting 4-29 logging 24-2 logging in 4-9 managing 4-32 mapped interface name 4-28 memory partitions 4-12 monitoring 4-35 MSFC compatibility 1-8 multiple mode, enabling 4-10 overview 4-1 prompt C-2 reloading 4-34 removing 4-32 resource management 4-22 resource usage 4-39 saving all configurations 3-4 unsupported features 4-2 VLAN allocation 4-28 security level configuring 6-3 overview 6-1 service policy applying 19-20 default 19-20 global 19-20 interface 19-20 sessioning from the switch 3-1 session management path 1-9 severity levels of system log messages definition 24-19 list of 24-19 shared interfaces 4-7 shared VLANs 4-7 show command, filtering output C-4 shunning 20-15 single mode backing up configuration 4-10 configuration 4-11 enabling 4-10 restoring 4-11 SIP inspection instant messaging 21-77 overview 21-77 timeout values, configuring 21-82 troubleshooting 21-86 site-to-site tunnel 22-8 SMTP inspection configuring 21-96 overview 21-94 SNMP MIBs 24-20 overview 24-20 traps 24-31 software installation any partition 23-5 current partition 23-4 maintenance 23-12 source-quench (ICMP message) E-15 source quench, ICMP message E-15 SPAN session 2-2 specifications A-1 SSH authentication 22-12 concurrent connections 22-2 login 22-3 maximum rules A-7 RSA key 22-3 username 22-4 startup configuration backing up 23-17 copying to the running configuration 3-5 downloading 23-16 saving 3-3 viewing 3-5 Stateful Failover overview 13-18 state information passed 13-18 state link 13-3 stateful inspection bypassing 20-10 overview 1-9 state link See Stateful Failover static ARP entry 18-2 static MAC address entry 18-3 static NAT See NAT static PAT See NAT stealth firewall See transparent firewall Stub Multicast Routing 9-5 stuck-in-active 8-23 subnet masks /bits E-3 address range E-4 dotted decimal E-3 number of hosts E-3 overview E-2 Sun RPC inspection configuring 21-100 overview 21-100 supervisor engine versions A-2 supervisor IOS A-1 SVIs configuring 2-7 multiple 2-5 overview 2-5 switch assigning VLANs to module 2-2 autostate messaging 2-9 BPDU forwarding 2-9 configuration 2-1 failover compatibility with transparent firewall 2-9 failover configuration 2-9 maximum modules A-3 resetting the module 2-11 sessioning to the module 3-1 system requirements A-1 trunk for failover 2-9 verifying module installation 2-2 switched virtual interfaces See SVIs Switch Fabric Module A-3 SYN attacks, monitoring 4-40 SYN cookies 4-40 syntax formatting C-3 syslog server as output destination 24-4 designating 24-4 designating more than one 24-4 EMBLEM format configuring 24-16 enabling 24-4 system execution space configuration 4-2 local user database 11-7 login command 22-13 session authentication 22-11 username command 11-7 system log messages classes 24-12 classes of list of classes 24-12 configuring in groups by message list 24-13 creating lists of 24-11 device ID, including 24-15 failover 13-42 filtering by list 24-13 by message class 24-11 format of 24-18 managing in groups by message class 24-12 creating a message list 24-11 multiple context mode 24-2 severity levels 24-19 timestamp, including 24-15 variables used in 24-19 system requirements A-1 T TACACS+ command authorization 22-18 configuring a server 11-9 network access authorization 16-9 support 11-4 TCP back-to-back connections A-5 connection, deleting A-5 connection limits 20-2 connection limits per context 4-26 ports and literal values E-11 sequence number randomization disabling using Modular Policy Framework 20-2 sequence randomization 20-2 TCP Intercept configuring for transparent mode 15-26 monitoring 4-40 TCP normalization, disabling 20-14 TCP state bypass 20-10 Telnet authentication enabling 22-12 session from switch 22-11 system execution space 22-11 concurrent connections 22-1 maximum rules A-7 testing configuration 25-1 time-exceeded (ICMP message) E-15 time exceeded, ICMP message E-15 time ranges, access lists 12-24 timestamp reply, ICMP message E-15 timestamp, including in system log messages 24-15 timestamp-reply (ICMP message) E-15 traffic flow routed firewall 5-2 transparent firewall 5-12 transparent firewall ARP inspection enabling 18-2 overview 18-1 static entry 18-2 data flow 5-12 DHCP packets, allowing 12-7 failover considerations 13-7 guidelines 5-10 H.323 guidelines 5-9 HSRP 5-8 interfaces, configuring 6-3 MAC address timeout 18-3 MAC learning, disabling 18-4 management IP address 6-3 multicast traffic 5-8 overview 5-7 packet handling 12-7 setting 5-17 static MAC address entry 18-3 unsupported features 5-11 VRRP 5-8 transparent mode NAT 15-4 traps, SNMP 24-31 troubleshooting capturing packets 25-8 common problems 25-10 configuration 25-1 crash dump 25-9 debug messages 25-7 H.323 21-54 H.323 RAS 21-55 password recovery 25-6 SIP 21-86 tunnels basic settings, configuring 22-5 site-to-site, configuring 22-8 VPN client access, configuring 22-6 U UDP connection limits 20-2 connection limits per context 4-26 connection state information 1-10 ports and literal values E-11 Unicast Reverse Path Forwarding 20-14 unit health monitoring 13-19 unit poll time, configuring Active/Active 13-30 Active/Standby 13-25 unprivileged mode accessing 3-2 prompt C-2 unreachable (ICMP message) E-15 upgrading IOS 2-1 URLs context configuration, changing 4-33 context configuration, setting 4-29 filtering 17-4 V viewing logs 24-3 virtual firewalls See security contexts virtual HTTP 16-3 virtual reassembly 1-5 virtual SSH 16-3 virtual Telnet 16-3 VLANs allocating to a context 4-28 assigning to FWSM 2-2 interfaces 2-2 mapped interface name 4-28 maximum A-4 shared 4-7 VoIP proxy servers 21-76 troubleshooting 21-54 VPN basic settings 22-5 client tunnel 22-6 management access 22-4 site-to-site tunnel 22-8 transforms 22-6 VRRP 5-8 W WAN ports A-1 web clients, secure authentication 16-6 X xlate bypass configuring 15-18 overview 15-13
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks