Index
A
AAA
    configuring 3-8
    exemption for MAC addresses 3-13
    support for 1-6
    with web clients 3-10
abbreviating commands 1-27
access control
    example 3-14
    features 1-6
    services 3-16
access control lists
    See ACLs
access modes 1-25
ACLs
    applying to object groups 3-27
    comments 3-18
    conversion tool 1-7
    downloading 3-20
    ICMP 2-22
    instead of conduits and outbounds 1-7
    IPSec 6-17
    named 3-21
    TurboACL
        configuring 3-18
        description 1-7
active state, failover 10-3
ActiveX controls
    blocking 1-10
ACT light 10-21
Adaptive Security Algorithm
    See ASA
addresses
    global 2-11
    IP 2-5
    IP classes 2-5
Address Resolution Protocol
    See ARP
address translation
    See NAT
    See PAT
AES 1-16, 6-3
AH
    configuring 6-27
    standard E-1
application inspection
    configuring 5-1 to 5-31
    feature 1-11
ARP
    clearing 2-4
    packet capture, example 9-30
ARP test 10-8
ASA 1-3, 5-1
attacks
    protection from 1-8
authenticating web clients 3-10
authentication, accounting, and authorization
    See AAA
Authentication Header
    See AH
Auto-Update
    configuring 9-25 to 9-27
    description 1-22
B
backing up configurations 1-27
Baltimore Technologies
    CA server support 6-9
blocking
    ActiveX controls 1-10
    Java applets 1-10
boot diskette
    creating 11-12
Broadcast Ping test 10-8
broadcasts
    See multicasts
buffer usage
    SNMP 9-42
C
CA
    configuring in-house 7-13
    configuring VeriSign 7-7
    CRLs and 6-9
    defined 1-16
    public key cryptography 6-8
    revoked certificates 6-9
    supported servers 6-9
    validating signature 6-8
cable-based failover
    See failover
capturing packets
    feature 1-22
    procedure 9-27
CBC E-2
certificate enrollment protocol 6-9
Certificate Revocation Lists
    See CRLs
certification authority
    See CA
CHAP 8-20
Cipher Block Chaining
    See CBC
Cisco Catalyst 6500 VPN Service Module 7-25
Cisco Intrusion Detection System
    See IDS
Cisco IOS CLI 1-25
Cisco IP Phones
    AAA exemption 3-13
    application inspection 5-20
    with DHCP 4-19
Cisco Secure Intrusion Detection System
    See IDS
Cisco Secure VPN Client
    configuring B-16 to B-20
    using with Telnet 9-19
Cisco VPN 3000 Client
    configuring 8-19
    downloading network parameters to 8-8
Cisco Works for Windows 9-45
CLI
    abbreviating commands 1-27
    configuration mode 1-26
    editing with 1-27
    paging 1-29
    using PIX Firewall 1-25
client mode
    configuring 4-4
    description 4-3
clients
    Cisco Secure VPN Client B-19
    Cisco VPN 3000 Client 8-19
    Easy VPN Remote device 4-1
    Windows 2000 B-11
clock, system 9-15
Command Authorization 9-5 to 9-7
    caution when using 9-6
    description 1-21
    recovering from lockout 9-9
command line interface
    See CLI
commands
    command line editing 1-28
    command output paging 1-29
    configuring privilege levels 9-2 to 9-3
    creating comments 1-29
    displaying 1-29
commenting
    ACLs 3-18
compiling MIBs 9-45
Computer Telephony Interface Quick Buffer Encoding
    See CTIQBE
conduits
    converting to ACLs 1-8
    defined 1-8
    using ACLs instead 1-8
Configurable Proxy Pinging
    description 1-11
configuration examples
    See examples
configuration file, failover
    See failover
configuration mode 1-26
configurations 1-29
    backing up 1-27
    comments 1-29
    copying with HTTP 11-5
    maximum size 1-29
    saving 2-3, 2-24
connection states 1-4
connectivity
    inbound 3-2
    outbound 3-4
    testing 2-22
conversion tool
    conduits to ACLs 1-7
copying
    configurations 11-5
    software 11-5
CPU utilization
    SNMP 9-42
CRLs
    time restrictions 6-9
crypto maps
    applying to interfaces 6-17
    entries 6-15
    load sharing 6-28
    See also dynamic crypto maps
CTIQBE 1-12, 5-14
CU-SeeMe application inspection 5-15
cut-through proxy 1-6
D
database application inspection 5-27
Data Encryption Standard
    See DES
debug failover command 10-21
debugging
    IPSec B-15
    SMR 2-47
default configurations 1-30
default routes 2-3
demilitarized zone
    See DMZ
denial of service attacks
    protection from 1-9
DES
    description E-2
    IKE policy keywords (table) 6-3
DHCP clients
    configuration 4-21 to 4-22
    default route 4-21
    described 1-20
    PAT global address 4-21
DHCP leases
    renewing 4-22
    viewing 4-22
DHCP Relay 1-20, 4-20
DHCP servers 1-19, 4-15
    configuring 4-17
    with Cisco IP Phones 4-19
Diffie-Hellman
    defined E-2
    groups supported 6-3
directory application inspection 5-27
DMZ
    configuration example 2-29
DNS
    application inspection 5-6
    inbound access 3-4
    protection from attacks 1-10
downgrading software 11-13
downloading
    ACLs 3-20
    IP addresses to VPN Clients 8-7
    network parameters to Cisco VPN 3000 Client 8-8
dynamic crypto maps
    adding to crypto maps 6-23
    entries 6-23
    referencing 6-23
    See also crypto maps 6-24
    sets 6-23
Dynamic Host Configuration Protocol
    See DHCP clients
    See DHCP leases
    See DHCP servers
dynamic NAT 2-8
dynamic PAT 2-8
E
Easy VPN Remote device
    configuring 4-1 to 4-5
    described 1-18
Easy VPN Server 8-1 to 8-6
    described 1-18
    identifying 4-4
    load balancing 1-18
    using PIX Firewall with 4-2, 8-3
editing command lines 1-28
EIGRP
    not supported B-2
Encapsulating Security Payload
    See ESP
Enhanced Interior Gateway Routing Protocol
    See EIGRP
Entrust VPN Connector CA 7-14
ESP
    configuring 6-28
    standard E-2
examples
    access control 3-14
    Cisco Catalyst 6500 VPN Service Module 7-25
    crypto maps 6-18
    IKE Mode Config B-16
    IPSec with manual keys 7-35
    OSPF 2-17
    outside NAT 2-38
    outside NAT with overlapping networks 2-39
    packet capture 9-30
    port redirection 3-6
    pre-shared keys 7-2
    RADIUS authorization 8-8
    three interfaces with NAT and PAT 2-31
    three interfaces without NAT 2-29
    two interfaces with NAT and PAT 2-27
    two interfaces without NAT 2-25
    VeriSign CA 7-7
    VLANs 2-35
    VPN with manual keys 7-35
    wildcard pre-shared key B-16
    Windows 2000 VPN client B-12
    Xauth B-16
Extended Authentication
    See Xauth
F
factory defaults
    See default configurations 1-30
failover
    active state 10-3
    cable-based 10-9
    changing from cable to LAN-based 10-12
    changing from LAN to cable-based 10-20
    configuration file
        console messages 10-7
        Flash memory 10-6
        LAN-based differences 10-6
        replication 10-6
        running memory 10-6
    debugging 10-21
    disabling 10-20
    display 10-17
    enabling 10-11
    encrypting communications 10-15
    Ethernet failover cable 10-5
    Ethernet interface settings 10-9
    examples 10-24
    FAQs 10-21
    forcing 10-20
    interface tests 10-7
    IP addresses 10-3
    LAN-based 10-11
    link communications 10-4
    MAC addresses 10-6
    models, supported 10-2
    models supporting 1-24
    network connections 10-4
    network tests 10-8
    power loss 10-7
    prerequisites 10-8
    primary unit 10-6
    secondary unit 10-6
    serial cable 10-5
    software versions 10-2
    standby state 10-3
    Stateful Failover 10-3
        identifying the link 10-11
        overview 10-3
        state information 10-3
        state link requirements 10-5
    statistics 10-19
    switch configuration 10-8
    syslog messages 10-21
    syslog messages, SNMP 9-42
    system requirements 10-2
    testing 10-19
    triggers 10-7
    verifying 10-17
File Transfer Protocol
    See FTP
filtering
    ActiveX controls 1-10
    FTP 3-34
    HTTPS 3-34
    Java applets 1-10
    servers supported 1-10
    show command output 1-28
    URLs 1-10
fixup
    See application inspection
Flood Defender 1-9
Flood Guard 1-9
FO license 10-2
FragGuard 1-10
FTP
    application inspection 5-7
    downloading software using 11-8
    filtering 3-34
    logging 1-23
    packet capture, example 9-30
    redirecting 3-7
    secondary ports 1-12
full duplex 2-6
G
gateway addresses 2-12
generating RSA keys 6-10
global addresses
    specifying 2-11
global lifetimes
    changing 6-19
Group 5
    Diffie Hellman 6-3
H
H.245 tunneling 5-16
H.323 5-10, 5-16
    changing default port assignments 5-7
hardware clients
    See Easy VPN Remote device
    using in SOHO networks 4-3
hardware speed
    requirements for Stateful Failover 2-6
help, command line 1-30
home offices
    See SOHO networks
HTTP
    application inspection 5-9
    copying configurations 11-5
    copying software 11-5
    filtering 1-10, 3-34
    filtering HTTPS 3-34
    packet capture, example 9-30
    redirecting 3-7
    server access 3-1
Hypertext Transfer Protocol
    See HTTP
I
IANA URL D-5
ICMP
    application inspection 5-9, 5-31
    Configurable Proxy Pinging 1-11
    configuring object groups 3-29
    message reassembly 1-10
    testing connectivity 2-21
    testing default routes 2-24
ICMP-type object groups
    configuring 3-29
IDS
    support for 1-23
    using 9-39 to 9-41
IGMP
    support for 1-14
IKE
    benefits 6-2
    creating policies 6-4
    description 1-16
    disabling 6-6
    policy parameters 6-3
    policy priority numbers 6-4
    using with pre-shared keys 6-6
    Xauth 8-5, 8-6, 8-17, B-17
IKE Mode Config
    exceptions for security gateways B-21
    standard E-2
IKE Mode Configuration
    See IKE Mode Config
ILS
    application inspection 5-28
    feature 1-14
IM 5-24
images, software
    See also software images
    upgrading 1-24, 11-5 to 11-16
inbound connectivity 3-2
Individual user authentication
    See IUA
in-house CA, configuring 7-13
Instant Messaging
    See IM
interfaces
    assigning names 2-5
    changing names 2-6
    configuring 2-4
    global address 2-11
    logical 2-34
    perimeter 2-10
    security levels and 1-4
    speed 2-6
Internet Group Management Protocol
    See IGMP
Internet Key Exchange
    See IKE
Internet Locator Service
    See ILS
Internet Security Association and Key Management Protocol
    See ISAKMP
Intrusion Detection System
    See IDS
IOS
    See Cisco IOS CLI
IP
    datagrams B-9
    viewing configuration 2-5
IP addresses
    configuring
        address, IP addresses 2-5
IP Phones
    See Cisco IP Phones
IPSec
    ACLs 6-17
    clearing SAs 6-29
    configuring 6-13
    crypto map entries 6-15
    crypto map load sharing 6-28
    defined 1-15
    enabling debug B-15
    manual 6-19
    manual SAs using pre-shared keys 6-15
    modes B-9
    proxies B-9
    viewing configuration 6-29
    viewing information 6-29
IP Security Protocol
    See IPSec
IP spoofing
    protection from 1-9
ISAKMP E-2
IUA
    described 1-18
    Easy VPN Remote device 4-8
    enabled on Easy VPN Server 8-4
J
Java applets
    filtering 1-10, 3-31
L
L2TP
    configuring B-10
    configuring Windows 2000 client B-11, B-14
    description B-9
    transport mode B-10
LAN-based failover
    See failover
LAN-to-LAN VPNs
    See site-to-site VPNs
Layer 2 Tunneling Protocol
    See L2TP B-9
LDAP
    application inspection 5-28
    ILS 1-14
lease
    releasing DHCP 4-22
    renewing DHCP 4-22
licenses, software
    See also UR licenses
    upgrading 1-24, 11-2 to 11-5
Link Up/Down test 10-7
link up and link down, SNMP 9-42
load sharing with crypto maps 6-28
LOCAL database
    Command Authorization with 9-6
    user authentication to the PIX Firewall with 9-3
lockout
    recovering from 9-9
logging
    ACL activity 9-35
    FTP 1-23
    Syslog 9-33
    URLs 1-23
logical interfaces 2-34
M
MAC addresses, failover 10-6
MAC-based AAA exemption 3-13
manual configuration of SAs 6-26
MD5 6-3
    description E-1, E-2
    IKE policy keywords (table) 6-3
Message Digest 5
    See MD5
MIBs 9-41
    MIB II groups 9-41
    updating file 9-45
Microsoft Challenge Handshake Authentication Protocol
    See MS-CHAP
Microsoft Exchange
    configuring C-1
Microsoft Remote Procedure Call
    See MSRPC
Microsoft Windows 2000 CA
    supported 6-9, 7-14
modes
    See access modes
monitor mode
    description 1-26
    using 11-9
More prompt 1-29
MS-CHAP 8-20
MSRPC
    See also RPC
multicasts
    forwarding 2-46
    receiving 2-44
    support for 1-14
multimedia applications
    supported 1-13, D-6
multiple interfaces
    configuring, example of 2-29
    security levels with 1-4
N
N2H2 filtering server
    identifying 3-32
    supported 1-10
    URL for website 1-10
named ACLs
    downloading 3-21
NAT
    application inspection 1-11
    configuring 2-9
    description 1-5
    dynamic 2-8
    function 2-7
    outside 2-37, 2-38
    overlapping networks 2-39
    policy 2-40
    RCP not supported with 5-29
    RTSP not supported with 1-14
    server access 3-1
    static 2-8
    three interfaces 2-31
    two interfaces (figure) 2-27
NAT Traversal 6-25
nesting object groups 3-29
NetBIOS
    support for 1-14
netmask
    See subnet mask
Netshow
    application inspection 5-25
Network Activity test 10-8
Network Address Translation
    See NAT
network extension mode
    configuring 4-4
    description 4-3
Network File System
    See NFS
network object groups
    configuring 3-28
Network Time Protocol
    See NTP
NFS
    access 5-29
    application inspection 5-29
    testing with showmount 5-29
NT
    See Windows NT
NTP
    configuring 9-11 to 9-15
    feature 1-22
O
Oakley key exchange protocol E-2
object groups
    applying ACLs to 3-27
    configuring 3-24 to 3-30
    feature 1-8
    ICMP-type 3-29
    nesting 3-29
    network 3-28
    port 3-28
    protocols 3-28
    removing 3-30
    service 3-28
    subcommand mode 3-25
    verifying 3-27
OSPF 2-14 to 2-21
outbound connectivity 3-4
outside NAT
    configuring 2-37 to 2-40
    example 2-38
overlapping networks
    configuring 2-39
    example 2-39
P
packet capture
    configuring 9-27 to 9-31
    feature 1-22
    formats (table) 9-29
    viewing buffer 9-28
paging screen displays 1-29
PAP
    supported 8-20
Password Authentication Protocol
    See PAP
PAT
    addresses 2-11
    application inspection 1-11
    configuring 2-9
    DHCP clients and 4-21
    dynamic 2-8
    function 2-3, 2-7
    RTSP 5-26
    server access 3-1
    static 2-8
    three interfaces 2-31
    two interfaces 2-27
PCNFSD, tracking activity 5-29
perimeter interfaces 2-10
perimeter networks
    See DMZ
per-user access lists 1-7
PFSS
    executable file 11-7
phases, of IPSec 1-16
ping
    See ICMP
PIX 501
    DHCP client configuration 4-21
    DHCP client feature support 1-20
    failover not supported 1-24
    using as Easy VPN Remote device 4-2, 8-3
PIX 506/506E
    DHCP client configuration 4-21
    DHCP client feature support 1-20
    failover not supported 1-24
    using as Easy VPN Remote device 4-2, 8-3
PIX 520
    backing up configuration 1-27
PIX Firewall Syslog Server
    See PFSS
PIX Firewall VPN Client 4-3
    See Easy VPN Remote device
PKCS E-3
PKI protocol 6-9
Point-to-Point Tunneling Protocol
    See PPTP
policy NAT 2-40
Port Address Translation
    See PAT 1-32, 2-11
PORT command, FTP 5-7
port redirection 3-5
ports
    object groups 3-28
PPPoE
    configuring 4-11 to 4-15
    description 1-19
    packet capture, example 9-31
PPTP
    inbound access 3-4
    VPNs 8-20
pre-shared keys
    configuring 7-1
    description 1-16
    example 7-2
    using with IKE 6-6
primary Easy VPN Server 4-4
primary unit, failover 10-6
Private Certificate Services (PCS) 7-14
privilege levels
    configuring 9-2 to 9-3
    description 1-21
    viewing 9-5
protocols
    object groups 3-28
    packet capture formats (table) 9-29
    port numbers D-5
    supported 1-11
proxy servers
    SIP and 5-23
public key cryptography 6-8
Public-Key Cryptography Standard
    See PKCS
Public Key Infrastructure Protocol
    See PKI protocol
R
RADIUS
    configuring 3-9
    support for 1-6
    viewing user accounts for Command Authorization 9-5
    VPN example 8-8
    Xauth 8-5
RAS
    support for 1-13
Real Time Streaming Protocol
    See RTSP
recovering from lockout 9-9
redirecting service requests 3-5
redundancy
    See failover
Registration, Admission, and Status
    See RAS
Registration Authority
    description 6-9
releasing DHCP lease 4-22
remote access VPN
    configuring 8-1 to 8-21
    description 1-18
Remote Authentication Dial-In User Service
    See RADIUS
Remote Procedure Call
    See RPC
renewing DHCP lease 4-22
reverse route lookup
    See Unicast RPF
revoked certificates 6-9
RFC 2637 8-20
RIP
    PIX Firewall listening 2-12
    support for 1-6
routing
    default routes 2-3
    enabling SMR 2-43
    simplifying with outside NAT 2-38
    static routes 2-12
Routing Information Protocol
    See RIP
RPC
    application inspection 5-29
    Sun 5-29
    testing with rpcinfo 5-29
    See also MSRPC
RS-232 cable
    See failover 10-5
RSA keys
    described E-3
    generating 6-10
RSA signatures
    IKE authentication method 6-8, E-2
RTSP
    changing default port assignments 5-26
    restrictions 5-26
    support for 1-14
S
SAs
    clearing IPSec 6-29
    description 1-16
    establishing manual with pre-shared keys 6-15
    lifetimes 6-19
saving configurations 2-3, 2-24
    Command Authorization (caution) 9-6
    upgrading versions (caution) 11-1
SCCP
    support for 1-13
secondary Easy VPN Server 4-4
secondary unit, failover 10-6
Secure Hash Algorithm
    See SHA
Secure Shell
    See SSH
Secure unit authentication
    See SUA
security associations
    See SAs
security gateways
    exceptions to IKE Mode Config B-21
    exception to Xauth B-21
security levels 1-4
    interfaces 2-6
    values 2-7
serial cable
    See failover
server access 3-1
services
    access control 3-16
    object groups 3-28
Session Initiation Protocol
    See SIP
SHA
    IKE policy keywords (table) 6-3
show command
    filtering output 1-28
show commands 6-29
show failover command 10-17
showmount command
    application inspection with 5-29
Simple Client Control Protocol
    See SCCP
Simple Mail Transfer Protocol
    See SMTP
Simple Network Management Protocol
    See SNMP
SIP 1-13, 5-22
    application inspection 5-22
site-to-site VPNs
    description 1-17
    examples 7-1 to 7-38
    exception to IKE Mode Config B-21
    exception to Xauth B-21
    redundancy 6-25
    See also VPNs
Skeme key exchange protocol E-2
Skinny Client Control Protocol
    See SCCP
small office, home office networks
    See SOHO networks
SMR
    description 1-14
    enabling 2-43
SMTP
    application inspection 5-11
    protection from attacks 1-9
sniffing packets
    See packet capture
SNMP
    Cisco syslog MIB 9-45
    read-only (RO) values 9-41
    SNMPc (Cisco Works for Windows) 9-45
    support for 1-22
    traps 9-41
    using 9-41 to 9-51
software
    copying with HTTP 11-5
    downgrading 11-13
    downloading 11-6
    downloading with FTP 11-8
    downloading with HTTP 11-7
    upgrading system 1-24
SOHO networks
    configuring 4-1 to 4-22
    features 1-19
SSH 9-21 to 9-25
standby state, failover 10-3
Stateful Failover 1-3
    See failover
state information 1-4, 10-3
state link 10-5
static
    NAT for server access 3-1
    translation 1-5
static NAT
    description 2-8
static PAT
    description 2-8
static routes
    configuring 2-13
stub multicast routing
    See SMR
SUA
    described 1-18
    Easy VPN Remote device 4-6
subcommand mode 1-26
subnet masks D-8
    configuring 2-5
subnets 2-11
Sun RPC 5-29
switch configuration, failover 10-8
SYN packet attack
    protection from 1-9
syslog
    Cisco MIB 9-45
    MIB files 9-45
    SNMP 9-42
    SNMP traps 9-44
    support for 1-23
system clock 9-15
system recovery 11-12
T
TACACS+
    caution when using with Command Authorization 9-8
    inbound access 3-4
    using with Command Authorization 9-8
    viewing user accounts for Command Authorization 9-5
    Xauth 8-5
TCP
    Intercept feature 1-9
Telephony API
    See CTIQBE
Telnet
    configuring 9-16 to 9-21
    interfaces 1-22
    outside interfaces 9-18
    redirecting 3-7
Terminal Access Controller Access Control System Plus
    See TACACS+
testing connectivity 2-3, 2-22
TFTP servers
    downloading with HTTP 11-7
    using to download software 1-24
time, setting system 9-15
tools
    conversion for conduits to ACLs 1-8
Trace Channel
    description 9-21
    disadvantages (note) 9-21
transform sets
    configuring 6-26
    description 6-15
transport mode
    description B-9
traps, SNMP 9-41
Triple DES
    description E-2
    IKE policy keyword (table) 6-3
Trivial File Transfer Protocol servers
    See TFTP servers
troubleshooting
    connectivity 2-3, 2-22
    license upgrades 11-4
    See also packet capture
tunnel mode B-9
TurboACL 1-7, 3-18
    configuring 3-18 to 3-20
    viewing configuration 3-20
U
UDP
    connection state information 1-4
Unicast Reverse Path Forwarding
    See Unicast RPF
Unicast RPF 1-9
UniCERT Certificate Management System
    configuring, example 7-14
    supported 6-9
Universal Resource Locators
    See URLs
unprivileged mode 1-25
upgrading
    feature licenses 1-24
    image 11-6 to 11-16
    images 1-24
UR license 10-2
URLs
    filtering 1-10
    filtering, configuration 3-39
    logging 1-23
user authentication
    See also Xauth
    to the PIX Firewall 9-3
User Datagram Protocol
    See UDP
V
validating CAs 6-8
VDO LIVE 5-27
VeriSign
    CA 7-7
    CA example 7-7
    configuring CAs, example 6-9
video conferencing applications, supported D-6
viewing
    Command Authorization settings 9-7
    default configurations 1-30
    IPSec configuration 6-29
    NTP 9-12
    privilege levels 9-5
    RMS 9-26
    SMR configuration 2-47
    SSH 9-24
    user accounts for Command Authorization 9-5
Virtual Private Networks
    See VPNs
Virtual Re-assembly 1-10
VLANs
    configuration 2-33 to 2-37
    defined 1-8
Voice over IP
    See VoIP
VOIP
    SCCP 1-13
VoIP
    application inspection 5-14, 5-23
    gateways and gatekeepers 5-16
    proxy servers 5-23
    SIP
        description 1-13
VPN clients
    Easy VPN Remote device 4-1
    modes 4-3
    SOHO networks and 4-1
VPNs
    configuration examples 7-35
    Easy VPN Remote device in 4-1
    overview 1-15 to 1-18
    peer identity 6-7
    PPTP 8-20
    remote access 8-1 to 8-21
    site-to-site 1-17, 7-1 to 7-38
    split tunnel 8-7, 8-9
    Windows 2000 client B-11
VPN Service Module 7-25
W
web clients
    secure authentication 3-10
Websense filtering server 1-10
web server access 3-1
Windows 2000 VPN client
    configuring B-11
write standby command 10-7
X
X.509v3 certificates E-3
Xauth
    configuring 8-5, 8-6
    configuring Cisco VPN client, example B-17
    enabling 8-17
    exception for security gateways B-21
    IKE 8-5, E-2
X Display Manager Control Protocol
    See XDMCP
XDMCP
    application inspection 5-31
    support for 1-23