- About This Guide
- Introduction to the Security Appliance
- Getting Started
- Enabling Multiple Context Mode
- Configuring Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
- Configuring Ethernet Settings and Subinterfaces
- Adding and Managing Security Contexts
- Configuring Interface Parameters
- Configuring Basic Settings
- Configuring IP Routing
- Configuring Multicast Routing
- Configuring DHCP, DDNS, and WCCP Services
- Configuring IPv6
- Configuring AAA Servers and the Local Database
- Configuring Failover
- Firewall Mode Overview
- Identifying Traffic With Access Lists
- Applying NAT
- Permitting or Denying Network Access
- Applying AAA for Network Access
- Applying Filtering Services
- Using Modular Policy Framework
- Managing AIP SSM and CSC SSM
- Preventing Network Attacks
- Applying QoS Policies
- Applying Application Layer Protocol Inspection
- Configuring ARP Inspection and Bridging Parameters
- Configuring IPSec and ISAKMP
- Configuring L2TP over IPSec
- Setting General VPN Parameters
- Configuring Tunnel Groups, Group Policies, and Users
- Configuring IP Addresses for VPN
- Configuring Remote Access VPNs
- Configuring Network Admission Control
- Configuring Easy VPN on the ASA 5505
- Configuring the PPPoE Client
- Configuring LAN-to-LAN VPNs
- Configuring WebVPN
- Configuring SSL VPN Client
- Configuring Certificates
- Glossary
- Index
Index
Symbols
/bits subnet masks D-3
?
command string C-4
help C-4
Numerics
4GE SSM
connector types 5-1
fiber 5-3
SFP 5-3
support A-9
802.1Q tagging 4-11
802.1Q trunk 5-3
A
AAA
about 13-1
accounting 19-13
addressing, configuring 31-2
authentication
CLI access 40-5
network access 19-1
privileged EXEC mode 40-6
authorization
command 40-7
downloadable access lists 19-8
network access 19-6
local database support 13-9
performance 19-1
server
adding 13-12
types 13-2
support summary 13-3
web clients 19-5
abbreviating commands C-3
Access Control Server 33-1, 33-2, 33-5
access hours, username attribute 30-74
accessing the security appliance using SSL 37-3
accessing the security appliance using TKS1 37-3
access list filter, username attribute 30-76
access lists
about 16-1
ACE logging, configuring 16-20
comments 16-18
deny flows, managing 16-22
downloadable 19-9
EtherType, adding 16-8
exemptions from posture validation 33-4
extended
about 16-5
adding 16-6
group policy WebVPN filter 30-66
implicit deny 16-3
inbound 18-1
interface, applying 18-2
IP address guidelines 16-3
IPsec 27-20
logging 16-20
NAT guidelines 16-3
Network Admission Control, default 33-3
object groups 16-18
outbound 18-1
remarks 16-18
scheduling activation 16-18
standard, adding 16-11
types 16-2
WebVPN username connections 30-83
access ports 4-9
ACEs
See access lists
Active/Active failover
about 14-10
actions 14-14
command replication 14-12
configuration synchronization 14-12
configuring
asymmetric routing support 14-36
cable-based failover 14-28
failover criteria 14-35
failover group preemption 14-34
HTTP replication 14-35
interface monitoring 14-35
LAN-based failover 14-30
prerequisites 14-28
virtual MAC addresses 14-36
device initialization 14-12
duplicate MAC addresses, avoiding 14-11, 14-36
primary status 14-11
secondary status 14-11
triggers 14-14
Active/Standby failover
about 14-7
actions 14-9
command replication 14-8
configuration synchronization 14-7
configuring
cable-based 14-21
failover criteria 14-27
HTTP replication 14-26
interface monitoring 14-26
interface poll times 14-40
LAN-based 14-22
prerequisites 14-21
unit poll times 14-40
virtual MAC addresses 14-27
device initialization 14-7
primary unit 14-7
secondary unit 14-7
triggers 14-9
Active Directory, settings for password management 30-24
Active Directory procedures E-19 to E-22
Adaptive Security Algorithm 1-4
admin context
about 3-2
changing 6-13
administrative distance 9-3
Advanced Encryption Standard (AES) 27-3
AIP SSM
about 22-1
checking status 22-13
configuration 22-2
initial setup 22-4
loading an image 22-14
sending traffic to 22-2
support A-9
alternate address, ICMP message D-15
Application Access Panel, WebVPN 37-34
application access using WebVPN
and e-mail proxy 37-51
and hosts file errors 37-18
and Web Access 37-51
configuring client applications 37-50
enabling cookies on browser 37-50
group policy WebVPN attribute 30-67
privileges 37-50
quitting properly 37-19
re-enabling 37-20
setting up on client 37-50
username WebVPN attribute 30-84
using e-mail 37-51
with IMAP client 37-51
application inspection
about 25-2
applying 25-5
configuring 25-5
inspection class map 21-11
inspection policy map 21-8
security level requirements 7-1
special actions 21-7
Application Profile Customization Framework 37-30
ARP inspection
about 26-1
enabling 26-2
static entry 26-2
ARP spoofing 26-2
ARP test, failover 14-18
ASA (Adaptive Security Algorithm) 1-4
ASA 5505
Base license 4-2
client
authentication 34-12
configuration restrictions, table 34-2
device pass-through 34-8
group policy attributes pushed to 34-10
mode 34-3
remote management 34-9
split tunneling 34-8
TCP 34-4
trustpoint 34-7
tunnel group 34-7
tunneling 34-5
Xauth 34-4
interfaces, about 4-1
MAC addresses 4-4
maximum VLANs 4-2
native VLAN support 4-11
non-forwarding interface 4-6
power over Ethernet 4-4
protected switch ports 4-9
Security Plus license 4-2
server (headend) 34-1
SPAN 4-4
Spanning Tree Protocol, unsupported 4-9
VLAN interface configuration 4-5
ASDM software
allowing access 40-4
configuring ASDM and WebVPN on the same interface 40-4
installing 41-3
ASR 14-36
asymmetric routing support 14-36
attributes
LDAP E-5
policy E-2
RADIUS E-25
username 30-74
attribute-value pairs
TACACS+ E-32
attribute-value pairs (AVP) 30-31
authentication
about 13-1
ASA 5505 as Easy VPN client 34-12
CLI access 40-5
FTP 19-3
HTTP 19-2
network access 19-1
privileged EXEC mode 40-6
restrictions, WebVPN 37-5
Telnet 19-2
web clients 19-5
WebVPN users with digital certificates 37-15
authorization
about 13-2
command 40-7
downloadable access lists 19-8
network access 19-6
Auto-MDI/MDIX 5-1
auto-signon
group policy WebVPN attribute 30-66
username WebVPN attribute 30-85
Auto-Update, configuring 41-10
B
backup device, load balancing 29-6
backup server attributes, group policy 30-48
Baltimore Technologies, CA server support 39-5
banner message, group policy 30-41
bits subnet masks D-3
Black Ice firewall 30-58
BPDUs
ACL, EtherType 16-10
BPDUs, EtherType access list 16-10
bridge
entry timeout 26-4
table, See MAC address table
broadcast Ping test 14-19
bypass authentication 34-8
C
CA
certificate validation, not done in WebVPN 37-2
CRs and 39-2
public key cryptography 39-1
revoked certificates 39-2
server support 39-5
supported servers 39-5
caching 37-28
capturing packets 43-11
cascading access lists 27-15
certificate
authentication, e-mail proxy 37-27
enrollment protocol 39-7
group matching
configuring 27-9
rule and policy, creating 27-10
Certificate Revocation Lists
See CRLs
certification authority
See CA
changing between contexts 6-11
Cisco-AV-Pair LDAP attributes E-14
Cisco Integrated Firewall 30-58
Cisco IP Phones
DHCP 10-4
Cisco IP Phones, application inspection 25-74
Cisco LDAP attributes E-5
Cisco Security Agent 30-58
Cisco Trust Agent 33-5
Class A, B, and C addresses D-1
class-default class map 21-4
classes, logging
filtering messages by 42-16
message class variables 42-16
types 42-16
classes, MPF
See class map
classes, resource
See resource management
class map
inspection 21-11
Layer 3/4
management traffic 21-7
match commands 21-5
through traffic 21-5
regular expression 21-14
CLI
abbreviating commands C-3
adding comments C-6
command line editing C-3
command output paging C-5
displaying C-5
help C-4
paging C-5
syntax formatting C-3
client
VPN 3002 hardware, forcing client update 29-4
Windows, client update notification 29-4
client access rules, group policy 30-59
client firewall, group policy 30-55
clientless authentication 33-5
client mode 34-3
client update, performing 29-4
cluster
IP address, load balancing 29-6
load balancing configurations 29-8
mixed scenarios 29-8
virtual 29-6
command authorization
about 40-7
configuring 40-7
command prompts C-2
comments
access lists 16-18
configuration C-6
configuration
clearing 2-9
comments C-6
factory default
commands 2-1
restoring 2-2
saving 2-6
text file 2-9
URL for a context 6-9
viewing 2-8
configuration mode
accessing 2-5
prompt C-2
connection blocking 23-11
connection limits
configuring 23-6
per context 6-6
connect time, maximum, username attribute 30-76
console port logging 42-8
content transformation, WebVPN 37-28
contexts
See security contexts
conversion error, ICMP message D-16
cookies, enabling for WebVPN 37-5
CRACK protocol 27-28
crash dump 43-11
crypto map
access lists 27-20
applying to interfaces 27-20, 36-7
clearing configurations 27-27
creating an entry to use the dynamic crypto map 32-7
definition 27-12
dynamic 27-24
dynamic, creating 32-6
entries 27-12
examples 27-21
policy 27-13
crypto show commands 27-26
CSC SSM
about 22-5
checking status 22-13
failover 22-7
getting started 22-7
loading an image 22-14
sending traffic to 22-11
support A-9
what to scan 22-9
CSD support A-11
custom firewall 30-58
customization, WebVPN
group policy WebVPN attribute 30-63
login windows for WebVPN users 30-23
username WebVPN attribute 30-21, 30-82
cut-through proxy 19-1
D
data flow
routed firewall 15-3
transparent firewall 15-13
DDNS 10-6
debugging IPSec 28-7
debug messages 43-11
default
class 6-3
DefaultL2Lgroup 30-1
DefaultRAgroup 30-1
domain name, group policy 30-43
LAN-to-LAN tunnel group 30-13
remote access tunnel group, configuring 30-5
routes, defining equal cost routes 9-4
default configuration
commands 2-1
restoring 2-2
default policy 21-3
default routes
about 9-4
configuring 9-4
deny flows, logging 16-22
deny in a crypto map 27-15
deny-message
group policy WebVPN attribute 30-64
username WebVPN attribute 30-83
DES, IKE policy keywords (table) 27-3
device ID, including in messages 42-19
device pass-through, ASA 5505 as Easy VPN client 34-8
DfltGrpPolicy 30-32
DHCP
addressing, configuring 31-3
Cisco IP Phones 10-4
options 10-3
relay 10-5
transparent firewall 16-6
DHCP Intercept, configuring 30-44
Diffie-Hellman
Group 5 27-4
groups supported 27-4
DiffServ preservation 24-5
digital certificates
authenticating WebVPN users 37-15
SSL 37-5
WebVPN authentication restrictions 37-5
directory hierarchy search E-4
disabling content rewrite 37-29
disabling messages, specific message IDs 42-20
DMZ, definition 1-1
DNS
configuring for WebVPN 37-16
dynamic 10-6
inspection
about 25-14
managing 25-13
rewrite, about 25-14
rewrite, configuring 25-15
NAT effect on 17-15
server, configuring 30-35
domain attributes, group policy 30-43
domain name 8-2
dotted decimal subnet masks D-3
downloadable access lists
configuring 19-9
converting netmask expressions 19-12
DSCP preservation 24-5
dual IP stack, configuring 12-4
dual-ISP support 9-5
duplex, configuring 5-1
dynamic crypto map 27-24
creating 32-6
See also crypto map
Dynamic DNS 10-6
dynamic NAT
See NAT
E
Easy VPN
client
authentication 34-12
configuration restrictions, table 34-2
enabling and disabling 34-1
group policy attributes pushed to 34-10
mode 34-3
remote management 34-9
trustpoint 34-7
tunnels 34-9
Xauth 34-4
server (headend) 34-1
Easy VPN client
ASA 5505
device pass-through 34-8
split tunneling 34-8
TCP 34-4
tunnel group 34-7
tunneling 34-5
echo reply, ICMP message D-15
ECMP 9-3
editing command lines C-3
EIGRP 16-6
closing the Outlook connection 37-27
configuring for WebVPN 37-26
proxies, WebVPN 37-26
proxy, certificate authentication 37-27
WebVPN, configuring 37-26
EMBLEM format, using in logs 42-20
enable command 2-5
end-user interface, WebVPN, defining 37-33
Enterprises 10-4
Entrust, CA server support 39-5
established command, security level requirements 7-2
Ethernet
Auto-MDI/MDIX 5-1
duplex 5-1
speed 5-1
EtherType
assigned numbers 16-10
See also access lists
external group policy, configuring 30-34
F
facility, syslog 42-8
factory default configuration
commands 2-1
restoring 2-2
failover
about 14-1
Active/Active, configuring 14-28
Active/Active, See Active/Active failover
Active/Standby, configuring 14-20
Active/Standby, See Active/Standby failover
configuration file
terminal messages, Active/Active 14-12
terminal messages, Active/Standby 14-8
configuring 14-20
contexts 14-7
controlling 14-50
debug messages 14-52
disabling 14-51
displaying commands 14-49
encrypting failover communication 14-40
Ethernet failover cable 14-4
examples
Active/Active LAN-based failover B-22, B-28
Active/Standby cable-based failover B-20, B-26
Active/Standby LAN-based failover B-21, B-27
failover link 14-3
forcing 14-50
health monitoring 14-17
interface health 14-18
interface monitoring 14-18
interface tests 14-18
licenses 14-3
link communications 14-3
MAC addresses
about 14-7
automatically assigning 6-11
monitoring, configuration 14-50
monitoring, health 14-17
network tests 14-18
primary unit 14-7
restoring a failed group 14-51
restoring a failed unit 14-51
secondary unit 14-7
serial cable 14-4
SNMP syslog traps 14-52
software versions 14-3
Stateful Failover, See Stateful Failover
state link 14-5
subsecond 14-40
system log messages 14-52
system requirements 14-2
testing 14-50
type selection 14-15
understanding 14-1
unit health 14-18
verifying the configuration 14-41
fast path 1-4
fiber interfaces 5-3
filter (access list)
group policy WebVPN attribute 30-66
username WebVPN attribute 30-83
filtering
about 20-1
ActiveX 20-2
FTP 20-9
Java applets 20-3
security level requirements 7-2
servers supported 20-4
show command output C-4
URLs 20-4
firewall
Black Ice 30-58
Cisco Integrated 30-58
Cisco Security Agent 30-58
custom 30-58
Network Ice 30-58
none 30-58
Sygate personal 30-58
Zone Labs 30-58
firewall mode
about 15-1
configuring 2-5
firewall policy, group policy 30-55
FO (failover) license 14-3
FO_AA license 14-3
format of messages 42-23
fragmentation policy, IPsec 27-8
fragment size 23-11
FTP inspection
about 25-27
configuring 25-27
functions, WebVPN
username WebVPN attribute 30-79
WebVPN group policy attribute 30-62
G
general attributes, tunnel group 30-2
general parameters, tunnel group 30-2
general tunnel-group connection parameters 30-2
generating RSA keys 39-6
global addresses
recommendations 17-14
specifying 17-24
global e-mail proxy attributes 37-26
global IPsec SA lifetimes, changing 27-22
group-lock, username attribute 30-77
group policy
address pools 30-54
attributes 30-35
backup server attributes 30-48
client access rules 30-59
configuring 30-34
default domain name for tunneled packets 30-43
domain attributes 30-43
Easy VPN client, attributes pushed to ASA 5505 34-10
external, configuring 30-34
firewall policy 30-55
hardware client user idle timeout 30-46
internal, configuring 30-35
IP phone bypass 30-46
IPSec over UDP attributes 30-41
LEAP Bypass 30-47
network extension mode 30-47
security attributes 30-39
split tunneling attributes 30-42
split-tunneling domains 30-44
user authentication 30-45
VPN attributes 30-36
VPN hardware client attributes 30-45
webvpn attributes 30-61
WINS and DNS servers 30-35
group policy, default 30-31
group policy, secure unit authentication 30-45
group policy WebVPN attributes
application access 30-67
auto-signon 30-66
customization 30-63
deny-message 30-64
filter 30-66
home page 30-65
html-content filter 30-64
keep-alive-ignore 30-68
port forward 30-67
port-forward-name 30-68
sso-server 30-69
svc 30-70
url-list 30-67
GTP inspection
about 25-35
configuring 25-34
H
H.225 timeouts 25-45
H.245 troubleshooting 25-46
H.323 inspection
about 25-41
configuring 25-40
limitations 25-42
troubleshooting 25-47
hairpinning 27-20
hardware client, group policy attributes 30-45
help, command line C-4
HMAC hashing method 27-3
hold-period 33-8
homepage
group policy WebVPN attribute 30-65
username WebVPN attribute 30-82
hostname
configuring 8-2
in banners 8-2
multiple context mode 8-2
hosts, subnet masks for D-3
hosts file
errors 37-18
reconfiguring 37-20
WebVPN 37-19
HSRP 15-9
html-content-filter
group policy WebVPN attribute 30-64
username WebVPN attribute 30-81
HTTP(S)
authentication 40-5
filtering 20-4
HTTP/HTTPS Web VPN proxy, setting 37-5
HTTP compression, WebVPN, enabling 30-69, 30-86
HTTP inspection
about 25-47
configuring 25-47
HTTP redirection for login, Easy VPN client on the ASA 5505 34-12
HTTPS for WebVPN sessions 37-3
hub-and-spoke VPN scenario 27-20
I
ICMP
testing connectivity 43-1
type numbers D-15
idle timeout
hardware client user, group policy 30-46
username attribute 30-75
ID method for ISAKMP peers, determining 27-6
IKE
benefits 27-2
creating policies 27-4
keepalive setting, tunnel group 30-3
pre-shared key, Easy VPN client on the ASA 5505 34-7
See also ISAKMP
ILS inspection 25-56
inbound access lists 18-1
Individual user authentication 34-12
information reply, ICMP message D-15
information request, ICMP message D-15
inheritance
tunnel group 30-1
username attribute 30-74
inside, definition 1-1
inspection_default class-map 21-4
inspection engines
See application inspection
Instant Messaging inspection 25-69
intercept DHCP, configuring 30-44
interfaces
ASA 5505
about 4-1
enabled status 4-9
IP address 4-7
MAC addresses 4-4
maximum VLANs 4-2
non-forwarding 4-6
protected switch ports 4-9
switch port configuration 4-9
trunk ports 4-11
VLAN interface configuration 4-5
configuring for remote access 32-2
configuring IPv6 on 12-3
duplex 5-1
enabled status 5-1
enabling 5-2
failover monitoring 14-18
fiber 5-3
global addresses 17-24
IDs 5-2
IP address 7-4
MAC addresses
automatically assigning 6-11
manually assigning to interfaces 7-4
mapped name 6-8
naming, physical and subinterface 7-3
naming, VLAN 4-6
SFP 5-3
speed 5-1
subinterfaces 5-3
viewing monitored interface status 14-49
internal group policy, configuring 30-35
Internet Security Association and Key Management Protocol
See ISAKMP
intrusion prevention configuration 22-2
IP addresses
ASA 5505 4-7
classes D-1
configuring an assignment method for remote access clients 31-1
configuring for VPNs 31-1
configuring local IP address pools 31-2
interface 7-4
management, transparent firewall 8-5
private D-2
subnet mask D-4
IP phone 34-8
IP phone bypass, group policy 30-46
IPS configuration 22-2
IPSec
anti-replay window 24-12
enabling debug 28-7
modes 28-2
over UDP, group policy, configuring attributes 30-41
remote-access tunnel group 30-6
setting maximum active VPN sessions 29-3
IPsec
access list 27-20
basic configuration with static crypto maps 27-22
Cisco VPN Client 27-2
crypto map entries 27-12
fragmentation policy 27-8
over NAT-T, enabling 27-7
over TCP, enabling 27-8
SA lifetimes, changing 27-22
tunnel 27-11
viewing configuration 27-26
IPSec parameters, tunnel group 30-3
ipsec-ra, creating an IPSec remote-access tunnel 30-6
IP spoofing, preventing 23-10
IPv6
access lists 12-6
commands 12-1
configuring alongside IPv4 12-4
default route 12-5
dual IP stack 12-4
duplicate address detection 12-4
enabling 12-3
neighbor discovery 12-7
router advertisement messages 12-9
static neighbor 12-11
static routes 12-5
verifying 12-11
IPv6 addresses
anycast D-9
command support for 12-1
format D-5
multicast D-8
prefixes D-10
required D-10
types of D-6
unicast D-6
ISAKMP
about 27-2
determining an ID method for peers 27-6
disabling in aggressive mode 27-6
enabling on the outside interface 27-6, 32-3
keepalive setting, tunnel group 30-3
policies, configuring 27-5
See also IKE
J
Java applets, filtering 20-2
Java object signing 37-29
java-trustpoint 37-29
K
keep-alive-ignore
group policy WebVPN attribute 30-68
username WebVPN attribute 30-85
Kerberos
configuring 13-12
support 13-5
L
L2TP description 28-1
LAN-to-LAN tunnel group, configuring 30-13
latency
about 24-1
reducing 24-8
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
Layer 2 Tunneling Protocol 28-1
Layer 3/4
matching multiple policy maps 21-18
LDAP
AAA support 13-6
application inspection 25-56
attribute mapping 13-8
Cisco attributes E-5
Cisco-AV-pair E-14
configuring 13-12
configuring a AAA server E-2 to E-18
directory about E-3
directory search E-4
example configuration procedures E-19 to E-22
hierarchy example E-3
permissions policy E-2
SASL 13-6
schema example E-15
schema loading E-18
server configuration about E-3
server type 13-7
user authentication 13-6
user authorization 13-7
user permissions E-18
LEAP Bypass, group policy 30-47
licenses
FO 14-3
FO_AA 14-3
managing 41-1
per model A-1
UR 14-3
link up/down test 14-18
LLQ
See low-latency queue
load balancing
cluster configurations 29-8
concepts 29-6
eligible clients 29-7
eligible platforms 29-7
implementing 29-6
mixed cluster scenarios 29-8
platforms 29-7
prerequisites 29-7
local user database
adding a user 13-11
configuring 13-10
logging in 40-6
support 13-9
lockout recovery 40-16
log buffer
save to internal Flash 42-13
send to FTP server 42-14
logging
access lists 16-20
classes
filtering messages by 42-15
types 42-16
device-id, including in system log messages 42-19
configuring as output destination 42-9
destination address 42-10
source address 42-9
EMBLEM format 42-20
facility option 42-8
filtering
by message class 42-16
by message list 42-17
by severity level 42-5
logging queue, configuring 42-19
output destinations
ASDM 42-10
console port 42-8
email address 42-9
internal buffer 42-5
SNMP 42-4
syslog server 42-7
Telnet or SSH session 42-5
queue
changing the size of 42-19
configuring 42-19
viewing queue statistics 42-19
severity level
changing 42-21
severity level, changing 42-21
timestamp, including 42-19
login
banner, configuring 40-17
console 2-5
enable 2-5
FTP 19-3
global configuration mode 2-5
local user 40-6
password 8-1
simultaneous, username attribute 30-75
SSH 40-3
Telnet 8-1
windows, customizing for WebVPN users 30-23
low-latency queue
M
MAC addresses
ASA 5505 4-4
ASA 5505 device pass-through 34-8
automatically assigning 6-11
failover 14-7
manually assigning to interfaces 7-4
security context classification 3-3
MAC address table
about 15-13
built-in-switch 26-3
entry timeout 26-4
MAC learning, disabling 26-4
resource management 6-6
static entry 26-3
MAC learning, disabling 26-4
management IP address, transparent firewall 8-5
man-in-the-middle attack 26-2
MAPI, configuring 37-27
mapped interface name 6-8
mask
reply, ICMP message D-16
request, ICMP message D-15
match commands
inspection class map 21-9
Layer 3/4 class map 21-5
matching, certificate group 27-9
maximum active IPSec VPN sessions, setting 29-3
maximum connect time, username attribute 30-76
maximum object size to ignore, username WebVPN attribute 30-85
maximum sessions, IPSec 29-12
MD5, IKE policy keywords (table) 27-3
message list
filtering by 42-17
message-of-the-day banner 40-17
messages, logging
classes
about 42-15
list of 42-16
component descriptions 42-23
filtering by message list 42-17
format of 42-23
message list, creating 42-17
severity levels 42-23
metacharacters, regular expression 21-12
MGCP inspection
about 25-59
configuring 25-58
MIBs 42-1
Microsoft Active Directory, settings for password management 30-24
Microsoft Internet Explorer client parameters, configuring 30-49
Microsoft Windows 2000 CA, supported 39-5
mixed cluster scenarios, load balancing 29-8
mobile redirection, ICMP message D-16
mode
context 3-10
firewall 2-5
Modular Policy Framework
See MPF
monitoring
failover 14-17
OSPF 9-19
resource management 6-16
SNMP 42-1
monitoring switch traffic, ASA 5505 4-4
More prompt C-5
MPF
about 21-1
default policy 21-3
examples 21-21
feature directionality 21-17
features 21-1
flows 21-18
matching multiple policy maps 21-18
service policy, applying 21-21
See also class map
See also policy map
MPLS
LDP 16-9
router-id 16-9
TDP 16-9
MSIE client parameters, configuring 30-49
MTU size, Easy VPN client, ASA 5505 34-5
multicast traffic 15-10
multiple context mode
See security contexts
N
NAC
See Network Admission Control
naming an interface
ASA 5505 4-6
other models 7-3
NAT
bypassing NAT
about 17-9
configuration 17-30
DNS 17-15
dynamic NAT
about 17-5
configuring 17-23
implementation 17-17
examples 17-33
exemption from NAT
about 17-9
configuration 17-32
identity NAT
about 17-9
configuration 17-30
NAT ID 17-17
order of statements 17-14
overlapping addresses 17-34
PAT
about 17-7
configuring 17-23
implementation 17-17
policy NAT
about 17-9
port redirection 17-35
RPC not supported with 25-81
same security level 17-13
security level requirements 7-2
static identify, configuring 17-31
static NAT
about 17-7
configuring 17-26
static PAT
about 17-8
configuring 17-27
transparent firewall 15-12
types 17-5
native VLAN support 4-11
NAT-T
enabling IPsec over NAT-T 27-7
using 27-7
Netscape CMS, CA server support 39-5
Network Activity test 14-18
Network Address Translation
See NAT
Network Admission Control
Access Control Server 33-2
ACL, default 33-3
clientless authentication 33-5
configuring 30-51
enabling and disabling 33-2
exemptions 33-4
port 33-7
retransmission retries 33-7
retransmission retry timer 33-7
revalidation timer 33-9
session reinitialization timer 33-8
uses, requirements, and limitations 33-1
network extension mode 34-3
network extension mode, group policy 30-47
Network Ice firewall 30-58
networks, overlapping 17-34
Nokia VPN Client 27-28
NTLM support 13-5
NT server
configuring 13-12
support 13-5
O
object groups
nesting 16-15
removing 16-17
open ports D-14
operating systems, posture validation exemptions 33-4
OSPF
about 9-9
area authentication 9-14
area MD5 authentication 9-14
area parameters 9-13
authentication key 9-11
cost 9-12
dead interval 9-12
default route 9-17
displaying update packet pacing 9-19
enabling 9-10
hello interval 9-12
interface parameters 9-11
link-state advertisement 9-9
logging neighbor states 9-18
MD5 authentication 9-12
monitoring 9-19
NSSA 9-14
packet pacing 9-19
processes 9-9
redistributing routes 9-10
route calculation timers 9-17
route map 9-7
route summarization 9-15
stub area 9-14
summary route cost 9-14
outbound access lists 18-1
Outlook connection, closing 37-27
Outlook Exchange proxy, configuring 37-27
Outlook Web Access (OWA) and WebVPN 37-51
output destinations 42-5
SNMP management station 42-5
specifying 42-9
Telnet or SSH session 42-5
viewing logs 42-7
outside, definition 1-1
oversubscribing resources 6-2
P
packet
capture 43-11
classifier 3-3
packet flow
routed firewall 15-3
transparent firewall 15-13
paging screen displays C-5
parameter problem, ICMP message D-15
password
resetting on SSM hardware module 43-10
password management, Active Directory settings 30-24
passwords
changing 8-1
clientless authentication 33-6
recovery 43-7
security appliance 8-1
username, setting 30-73
WebVPN 37-44
password-storage, username attribute 30-78
PAT
Easy VPN client mode 34-3
See also NAT
static 17-27
PDA support for WebVPN 37-25
peers
alerting before disconnecting 27-9
ISAKMP, determining ID method 27-6
performance, optimizing for WebVPN 37-28
permit in a crypto map 27-15
ping
See ICMP
PKI protocol 39-7
PoE 4-4
policing
flow within a tunnel 24-11
policy, QoS 24-1
policy map
inspection 21-8
Layer 3/4
about 21-15
adding 21-19
default policy 21-18
feature directionality 21-17
flows 21-18
policy NAT
about 17-9
dynamic, configuring 17-24
static, configuring 17-26
static PAT, configuring 17-28
pools, address
DHCP 10-2
global NAT 17-24
port-forward
group policy WebVPN attribute 30-67
username WebVPN attribute 30-84
port forwarding
automatic applet download 37-18
configuring client applications 37-50
port-forward-name
group policy WebVPN attribute 30-68
username WebVPN attribute 30-85
ports
open on device D-14
redirection, NAT 17-35
TCP and UDP D-11
posture validation
exemptions 33-4
port 33-7
revalidation timer 33-9
uses, requirements, and limitations 33-1
power over Ethernet 4-4
pre-shared key, Easy VPN client on the ASA 5505 34-7
primary unit, failover 14-7
printers 34-8
private networks D-2
privileged EXEC mode, accessing 2-5
privileged mode
accessing 2-5
prompt C-2
privilege level, username, setting 30-73
prompts
command C-2
more C-5
protocol numbers and literal values D-11
proxy
See e-mail proxy
proxy bypass 37-29
proxy servers
SIP and 25-68
public key cryptography 39-1
Q
QoS
DiffServ preservation 24-5
DSCP preservation 24-5
feature interaction 24-4
policies 24-1
priority queueing
IPSec anti-replay window 24-12
statistics 24-15
token bucket 24-2
traffic shaping
overview 24-4
viewing statistics 24-15
Quality of Service
See QoS
question mark
command string C-4
help C-4
queue, logging
changing the size of 42-19
viewing statistics 42-19
queue, QoS
latency, reducing 24-8
R
RADIUS
attribute policy E-2
attributes E-25
Cisco AV pair E-14
configuring a AAA server E-24
configuring a server 13-12
downloadable access lists 19-9
network access authentication 19-3
network access authorization 19-8
permissions policy E-2
support 13-3
RAS, H.323 troubleshooting 25-47
rate limiting 24-3
RealPlayer 25-67
reboot, waiting until active sessions end 27-9
redirect, ICMP message D-15
redundancy, in site-to-site VPNs, using crypto maps 27-26
Registration Authority description 39-2
regular expression 21-12
reloading
context 6-14
security appliance 43-6
remarks 16-18
remote access
configuration summary 32-1
IPSec tunnel group, configuring 30-6
restricting 30-77
tunnel group, configuring default 30-5
user, adding 32-4
VPN, configuring 32-1
remote management, ASA 5505 34-9
resetting the SSM hardware module password 43-10
resource management
about 6-2
assigning a context 6-10
class 6-4
configuring 6-1
default class 6-3
monitoring 6-16
oversubscribing 6-2
resource types 6-6
unlimited 6-2
resource usage 6-19
retransmission retries, Network Admission Control 33-7
retransmission retry timer, Network Admission Control 33-7
revalidation timer, Network Admission Control 33-9
revoked certificates 39-2
rewrite, disabling 37-29
RIP
about 9-20
enabling 9-20
routed mode
about 15-1
setting 2-5
route maps
defining 9-7
uses 9-7
router
advertisement, ICMP message D-15
solicitation, ICMP message D-15
routes
about default 9-4
about static 9-2
configuring default routes 9-4
configuring IPv6 default 12-5
configuring IPv6 static 12-5
configuring static routes 9-3
routing
OSPF 9-20
other protocols 16-6
RS-232 cable
See failover 14-4
RSA
KEON, CA server support 39-5
signatures, IKE authentication method 39-2
RTSP inspection
about 25-67
configuring 25-66
running configuration
copying 41-8
saving 2-6
S
same security level communication
enabling 7-6
NAT 17-13
SAs, lifetimes 27-22
SCCP (Skinny) inspection
about 25-74
configuration 25-74
configuring 25-74
SDI
configuring 13-12
support 13-4
secondary device, virtual cluster 29-6
secondary unit, failover 14-7
secure unit authentication 34-12
secure unit authentication, group policy 30-45
Security Agent, Cisco 30-58
security appliance
CLI C-1
connecting to 2-4
managing licenses 41-1
managing the configuration 2-6
reloading 43-6
upgrading software 41-3
viewing files in Flash memory 41-2
security association
clearing 27-27
See also SAs
security attributes, group policy 30-39
security contexts
about 3-1
adding 6-7
admin context
about 3-2
changing 6-13
assigning to a resource class 6-10
cascading 3-8
changing between 6-11
classifier 3-3
configuration
URL, changing 6-13
URL, setting 6-9
logging in 3-9
MAC addresses
automatically assigning 6-11
classifying using 3-3
mapped interface name 6-8
monitoring 6-15
multiple mode, enabling 3-10
nesting or cascading 3-9
prompt C-2
reloading 6-14
removing 6-12
resource management 6-2
resource usage 6-19
saving all configurations 2-7
unsupported features 3-2
VLAN allocation 6-7
security level
about 7-1
interface 7-3
interface, ASA 5505 4-6
serial cable
See failover
server group 33-2
service policy
applying 21-21
default 21-21
global 21-21
interface 21-21
session management path 1-4
session reinitialization timer, Network Admission Control 33-8
severity levels, of system log messages
changing 42-5
filtering by 42-5
list of 42-23
severity levels, of system messages
definition 42-23
SHA, IKE policy keywords (table) 27-3
show command, filtering output C-4
simultaneous logins, username attribute 30-75
single mode
backing up configuration 3-10
configuration 3-10
enabling 3-10
restoring 3-11
single sign-on
See SSO
single-signon
group policy WebVPN attribute 30-69
username WebVPN attribute 30-87
SIP inspection
about 25-68
configuring 25-68
instant messaging 25-69
timeouts 25-73
troubleshooting 25-73
site-to-site VPNs, redundancy 27-26
SMTP inspection 25-78
SNMP
about 42-1
management station 42-5
MIBs 42-1
traps 42-2
source quench, ICMP message D-15
SPAN 4-4
Spanning Tree Protocol, unsupported 4-9
speed, configuring 5-1
split tunneling
ASA 5505 as Easy VPN client 34-8
group policy 30-42
group policy, domains 30-44
SSH
authentication 40-5
concurrent connections 40-2
password 8-1
RSA key 40-2
username 40-3
SSL
certificate 37-5
used to access the security appliance 37-3
SSL/TLS encryption protocols
configuring 37-4
WebVPN 37-4
SSL VPN Client
benefits 38-1
compression 38-6
DPD 38-5
enabling 38-3
address assignment 38-3
groups and users 38-4
permanent installation 38-4
tunnel group 38-3
group policy WebVPN attribute 30-70
installing 38-2
images 38-2
order 38-2
keepalive messages 38-6
logging out sessions 38-8
username WebVPN attribute 30-87
viewing sessions 38-7
SSM
checking status 22-13
configuration
AIP SSM 22-2
CSC SSM 22-7
loading an image 22-14
See also AIP SSM
See also CSC SSM
sso-server
group policy WebVPN attribute 30-69
username WebVPN attribute 30-87
configuring HTTP Basic and NTLM authentication 37-6
configuring HTTP form protocol 37-9
configuring SiteMinder 37-7
startup configuration
copying 41-8
saving 2-6
Stateful Failover
about 14-16
state information 14-16
state link 14-5
stateful inspection 1-4
state information 14-16
state link 14-5
static ARP entry 26-2
static bridge entry 26-3
static NAT
See NAT
static PAT
See PAT
static routes
about 9-2
configuring 9-3
tracking 9-5
statistics, QoS 24-15
stealth firewall
See transparent firewall
subcommand mode prompt C-2
subinterfaces, adding 5-3
subnet masks
/bits D-3
about D-2
address range D-4
determining D-3
dotted decimal D-3
number of hosts D-3
Sun Microsystems Java Runtime Environment and WebVPN 37-50
Sun RPC inspection
about 25-80
configuring 25-80
SVC
See SSL VPN Client
svc
group policy WebVPN attribute 30-70
username WebVPN attribute 30-87
switch MAC address table 26-3
switch ports
access ports 4-9
default configuration 4-4
protected 4-9
SPAN 4-4
trunk ports 4-11
Sygate Personal Firewall 30-58
SYN attacks, monitoring 6-20
SYN cookies 6-20
syntax formatting C-3
syslog server
as output destination 42-7
designating 42-7
designating more than one 42-8
EMBLEM format
configuring 42-20
enabling 42-7
system configuration 3-2
system log messages
classes 42-16
classes of 42-15
configuring in groups
by message list 42-17
by severity level 42-5
creating lists of 42-15
device ID, including 42-19
disabling logging of 42-5
filtering by message class 42-15
managing in groups
by message class 42-16
creating a message list 42-15
output destinations 42-5
email address 42-9
SNMP 42-4
syslog message server 42-5
Telnet or SSH session 42-5
severity levels
about 42-23
changing the severity level of a message 42-5
timestamp, including 42-19
T
TACACS+
command authorization, configuring 40-11
configuring a server 13-12
network access authorization 19-7
support 13-4
tail drop 24-3
TCP
ASA 5505 as Easy VPN client 34-4
connection limits per context 6-6
ports and literal values D-11
sequence number randomization
disabling in NAT configuration 17-24
disabling using Modular Policy Framework 23-8
TCP Intercept
enabling using Modular Policy Framework 23-8
enabling using NAT 17-24
monitoring 6-20
TCP normalization 23-1
Telnet
allowing management access 40-1
authentication 40-5
concurrent connections 40-1
password 8-1
testing configuration 43-1
time exceeded, ICMP message D-15
time ranges, access lists 16-18
timestamp, including in system log messages 42-19
timestamp reply, ICMP message D-15
timestamp request, ICMP message D-15
TLS1, used to access the security appliance 37-3
token bucket 24-2
toolbar, floating, WebVPN 37-35
traffic flow
routed firewall 15-3
transparent firewall 15-13
traffic shaping
overview 24-4
Transform 27-12
transform set
creating 32-4
definition 27-12
transmit queue ring limit 24-2, 24-3
transparent firewall
about 15-8
ARP inspection
about 26-1
enabling 26-2
static entry 26-2
data flow 15-13
DHCP packets, allowing 16-6
guidelines 15-10
HSRP 15-9
MAC address timeout 26-4
MAC learning, disabling 26-4
Management 0/0 IP address 7-4
management IP address 8-5
multicast traffic 15-10
NAT 15-12
packet handling 16-6
static bridge entry 26-3
unsupported features 15-11
VRRP 15-9
traps, SNMP 42-2
troubleshooting
H.323 25-46
H.323 RAS 25-47
SIP 25-73
trunk, 802.1Q 5-3
trunk ports 4-11
trustpoint 39-3
trustpoint, ASA 5505 client 34-7
tunnel
ASA 5505 as Easy VPN client 34-5
IPsec 27-11
security appliance as a tunnel endpoint 27-1
tunnel group
ASA 5505 as Easy VPN client 34-7
configuring 30-5
creating 30-6
default, remote access, configuring 30-5
default LAN-to-LAN, configuring 30-13
general parameters 30-2
inheritance 30-1
IPSec parameters 30-3
LAN-to-LAN, configuring 30-13
name and type 30-6
remote access, configuring 32-5
remote-access, configuring 30-6
tunnel-group
general attributes 30-2
webvpn attributes 30-4
tunnel-group ISAKMP/IKE keepalive settings 30-3
tunneling, about 27-1
tunnel mode 28-2
U
UDP
connection limits per context 6-6
connection state information 1-5
ports and literal values D-11
unreachable, ICMP message D-15
UR (unrestricted) license 14-3
url-list
group policy WebVPN attribute 30-67
username WebVPN attribute 30-84
URLs
context configuration, changing 6-13
context configuration, setting 6-9
filtering, about 20-4
filtering, configuration 20-6
user, VPN
definition 30-1
remote access, adding 32-4
user access, restricting remote 30-77
user authentication, group policy 30-45
user EXEC mode
accessing 2-5
prompt C-2
username
adding 13-10
clientless authentication 33-6
encrypted 13-11
management tunnels 34-9
password 13-11
WebVPN 37-44
Xauth for Easy VPN client 34-4
username attributes
access hours 30-74
group-lock 30-77
inheritance 30-74
password, setting 30-73
password-storage 30-78
privilege level, setting 30-73
simultaneous logins 30-75
vpn-filter 30-76
vpn-framed-ip-address 30-76
vpn-idle timeout 30-75
vpn-session-timeout 30-76
vpn-tunnel-protocol 30-77
username configuration, viewing 30-73
username WebVPN attributes
auto-signon 30-85
deny message 30-83
filter (access list) 30-83
functions 30-79
homepage 30-82
html-content-filter 30-81
keep-alive ignore 30-85
port-forward 30-84
port-forward-name 30-85
sso-server 30-87
svc 30-87
url-list 30-84
username WebVPN mode 30-78
U-turn 27-20
V
VeriSign, configuring CAs example 39-5
viewing logs 42-7
viewing QoS statistics 24-15
viewing RMS 41-13
virtual cluster 29-6
IP address 29-6
master 29-6
virtual firewalls
See security contexts
virtual HTTP 19-3
VLANs 5-4
802.1Q trunk 5-3
allocating to a context 6-7
ASA 5505
configuring 4-5
MAC addresses 4-4
maximum 4-2
mapped interface name 6-8
subinterfaces 5-3
VoIP
proxy servers 25-68
troubleshooting 25-46
VPN
address pool, configuring 32-4
address pool, configuring (group-policy) 30-54
address range, subnets D-4
parameters, general, setting 29-1
setting maximum number of IPSec sessions 29-3
VPN attributes, group policy 30-36
VPN Client, IPsec attributes 27-2
vpn-filter username attribute 30-76
vpn-framed-ip-address username attribute 30-76
VPN hardware client, group policy attributes 30-45
vpn-idle-timeout username attribute 30-75
vpn load balancing
See load balancing 29-6
vpn-session-timeout username attribute 30-76
vpn-tunnel-protocol username attribute 30-77
VRRP 15-9
W
WCCP 10-9
web browsing with WebVPN 37-48
web caching 10-9
web clients, secure authentication 19-5
web e-Mail (Outlook Web Access), Outlook Web Access 37-27
WebVPN
assigning users to group policies 37-16
authenticating with digital certificates 37-15
CA certificate validation not done 37-2
client application requirements 37-45
client requirements 37-45
for file management 37-49
for network browsing 37-49
for port forwarding 37-50
for using applications 37-50
for web browsing 37-48
start-up 37-47
configuring
DNS globally 37-16
e-mail 37-26
configuring for specific users 30-78
configuring WebVPN and ASDM on the same interface 37-3
cookies 37-5
defining the end-user interface 37-33
definition 37-1
digital certificate authentication restrictions 37-5
e-mail 37-26
e-mail proxies 37-26
enable cookies for 37-50
end user set-up 37-33
establishing a session 37-3
floating toolbar 37-35
group policy attributes, configuring 37-17
hosts file 37-19
hosts files, reconfiguring 37-20
HTTP/HTTPS proxy, setting 37-5
Java object signing 37-29
PDA support 37-25
printing and 37-47
remote system configuration and end-user requirements 37-47
security precautions 37-2, 37-6
security tips 37-45
setting HTTP/HTTPS proxy 37-4
SSL/TLS encryption protocols 37-4
supported applications 37-45
supported browsers 37-47
supported types of Internet connections 37-47
troubleshooting 37-18
unsupported features 37-2
URL 37-47
use of HTTPS 37-3
username and password required 37-47
usernames and passwords 37-44
WebVPN, Application Access Panel 37-34
webvpn attributes
group policy 30-61
tunnel-group 30-4
WebVPN group policy attributes functions 30-62
WebVPN tunnel-group connection parameters 30-4
welcome message, group policy 30-41
WINS server, configuring 30-35
X
Xauth, Easy VPN client 34-4
Z
Zone Labs firewalls 30-58
Zone Labs Integrity Server 30-56