Index

Numbers

10GE I/O feature, 62

A

AAA (authentication, authorization, and accounting), 191, 227

accounting, configuring, 219-222

administrative connections, troubleshooting, 222-227

attributes, DAP (dynamic access policies), 1063-1065

configuring, 204-209

administrative sessions, configuring, 204-209

firewall sessions, 209-214

authentication

authorization, configuring, 215-219

customizing authentication prompts, 214-215

protocols, 192-198

server group authentication protocols, 201

services, 192-198

support matrix, 192

AAA Server Group Authentication Protocols example (7-1), 201

aaa-server command, 203

access control lists (ACLs). See ACLs (access control lists)

access deny message attribute (SSL VPN), 998

Access List to Allow Decrypted Traffic to Pass Through the ASA example (19-6), 817

Access List to Bypass NAT example (19-7), 818

Access Method tab (ASDM), 1073-1074

access policies, DAP (dynamic access policies), defining, 1068-1069

accessing

ASDM (Adaptive Security Device Manager), 94-97

appliances, 81-87

clientless remote-access SSL VPNs, configuring, 1034-1040

Privileged and Configuration modes, 86

Accessing the Privileged and Configuration Modes example (4-3), 86

access-list option (match), 471

accounting, 191

configuring, 219-222

RADIUS (Remote Authentication Dial In User Service), 220

TACACS+ (Terminal Access Controller Access Control System Plus), 221-222

ACI (Application Centric Infrastructure), 27

ACLs (access control lists), 229, 243

characteristics, 231-232

comparing features, 234

downloadable, 254

configuring, 218-219

EtherType, 233

configuring, 610-611

extended, 233

ICMP filtering, 254-255

interface, transparent firewalls, 608-611

IPv6, configuring, 386-388

matching specific traffic, 468

monitoring, 260-265, 637

NAT (Network Address Translation), integration, 359-362

object grouping, 243-250

standard, 233, 250-251

time-based, 251-253

Webtype, 234

web-type, configuring, 1031-1034

Action attribute (Add Access Rule dialog box), 235

Action attribute (Add Management Access Rule), 241

action option (transfer-encoding type command), 515

Action tab (ASDM), 1068-1069

Activating the Identity Certificate on the Outside Interface example (22-4), 993

activation key option (system execution space), 534

activation keys

combining, 69-70

invalid, 72

managing licenses, 68-73

permanent, 68-70

time-based, expiration, 70-71

using, 71-73

Active Directory, Kerberos, 197

Active/Active failover, 654-656

asymmetric routing, 662-664

Active/Standby failover, 654-656

deployment scenario, 680-684

ActiveX relay attribute (SSL VPN), 998

AD agent, connecting to, 312-313

Advanced Inspection and Prevention Security Services Module (AIP-SSM) models, 53-54

Adaptive Security Device Manager (ASDM), 82

Add AAA Server dialog box, 199

Add Access Rule dialog box, 235-236

Add Authentication Rule dialog box, 210

Add Authorization Rule dialog box, 215-216

Add Automatic Address Translation Rules attribute (Add Network Object dialog box), 351

Add Customization Object dialog box, 1009

Add DNS Inspect dialog box, 478

Add Identity Certificate dialog box, 938

Add Management Access Rule dialog box, 241-242

Add NAT Rule dialog box, 366, 368, 370-371

Add Network Object dialog box, 351-352, 363, 365

Add Signature dialog box, 756-758

Adding New Local CA Users Through the CLI example (21-25), 965

Adding User Contexts in System Execution Space example (14-6), 549

Address Assignment from a DHCP Server example (20-9), 884

address translation

see also NAT (Network Address Translation); PAT (Port Address Translation)

behavior, 346-350

configuring, 350-371

dynamic NAT/PAT, 343-344

enabling, 1116

identity NAT, 344

monitoring, 375-377

NAT (Network Address Translation), 3-4, 338-340, 377

ACL (access control lists) integration, 359-362

auto configuration, 351-355

bypassing, 817-818

clustering, 698-700

configuration use cases, 362-371

manual configuration, 356-359

transparent firewall restrictions, 600-602

PAT (Port Address Translation), 4-5, 340

policy NAT/PAT, 344

redesigning, 349-350

security protection mechanisms, 345-346

static, 5-6

static NAT/PAT, 341-342

addresses

IPv6, 380-382

assigning, 383-384

translation, 389-390

pools, defining, 1101-1103

admin context, virtual firewall, 535

configuring, 552-553, 563-568

Administration section (PRSM interface), 286

administrative connections, troubleshooting, 222-227

administrator accounts, IPS (intrusion prevention system), 769

ASDM (Adaptive Security Device Manager), 82

adding default routes, 392

adding static routes, 392

Advanced Endpoint Assessment feature, 64

configuring, 1058-1059

Host Scan, 1055

Advanced Inspection and Prevention Security Services Module (AIP-SSM). See AIP-SSM (Advanced Inspection and Prevention Security Services Module)

Advanced NAT Settings dialog box, 352-353, 363-364, 365, 368, 370

advanced security features, 63-65

Advanced Endpoint Assessment, 64

AnyConnect for Cisco VPN Phone, 64

AnyConnect for Mobile, 64

Botnet Traffic Filter, 64

Cluster, 64-65

GTP/GPRS, 64

Intercompany Media Engine, 63-64

IPS Module, 65

Aggregated Cisco ASA License Information with Failover or Clustering example (3-8), 74

aggregation

licenses, rules, 73-74

time-based activation keys, 71

AIP-SSM (Advanced Inspection and Prevention Security Services Module), 29

models, 53-54

Alert Notes parameter (Add Signature dialog box), 758

Alert Severity parameter (Add Signature dialog box), 757

algorithms, support, 129

all FTP command, 485

Allocating Interfaces to a User Context example (14-8), 550

allow option

content-length command, 510

max-header-length command, 512

max-uri-length command, 512

port-misuse command, 512

request-method command, 514

strict-http command, 510

transfer-encoding type command, 515

Allowing VPN Clients for Internet Access example (20-23), 901

anomaly detection, IPS (intrusion prevention system), 763-766

anomaly-based analysis, 12-14

Anti-Spyware endpoint attribute (DAP), 1067

AntiSpyware scans, Host Scan, configuring, 1059

Anti-Virus endpoint attribute (DAP), 1067

antivirus host scans, Host Scan, configuring, 1059

any option (match), 471

AnyConnect client

configuring, 1109-1112

deploying, 1112-1116

AnyConnect endpoint attribute (DAP), 1067

AnyConnect Essentials, 66

license, SSL VPNs, 984

AnyConnect for Cisco VPN Phone feature, 64

AnyConnect for Mobile feature, 64

AnyConnect Premium Peers feature, 66

AnyConnect Secure Mobility Client, 25-26

AnyConnect client, configuring, 1109-1112

configuring, 1096-1112

defining attributes, 1098-1103

loading, 1096-1098

tunneling features, 1103-1109

AnyConnect SSL VPNs

configuring, 1115-1116

license, 984

troubleshooting, 1116-1118

AnyConnect tab (ASDM), 1074

appe FTP command, 485

appliances, accessing, 81-87

clientless remote-access SSL VPNs, configuring, 1034-1040

Application Centric Infrastructure (ACI), 27

Application endpoint attribute (DAP), 1067

Application Inspection Engine module (CX), 276

application inspections, 465-468

Cisco Unified Communications (UC) advanced support, 499-506

CTIQBE (Computer Telephony Interface Quick Buffer Encoding), 473-475

Distributed Computing Environment Remote Procedure Calls (DCERPC), 476

DNS (Domain Name System), 476-480

enabling, 468-469

ESMTP (Extended SMTP), 481-483

FTP (File Transfer Protocol), 484-486

GPRS (General Packet Radio Service), 486-492

GTP (GPRS Tunneling Protocol), 489-490

H.323, 492-499

HTTP inspection engine, 507-515

ICMP (Internet Control Message Protocol) packets, 515-516

ILS (Internet Locator Service), 516

IM (Instant Messenger), 517-518

IPsec pass-through, 518-519

MGCP (Media Gateway Control Protocol), 519-521

NetBIOS, 521

PPTP (Point-to-Point Tunneling Protocol), 522

RSH (Remote Shell), 523

RTSP (Real-Time Streaming Protocol), 523-524

SCCP (Simple Client Control Protocol), 525-527

selective, 469-473

SIP (Session Initiation Protocol), 524-525

SNMP (Simple Network Management Protocol), 527-528

SQL*Net, 528

Sun Remote Procedure Call (RPC), 522-523

supported, 467-468

TFTP (Trivial File Transfer Protocol), 528

WAAS (Wide Area Application Services), 528

XDMCP (X Display Manager Control Protocol), 529

application objects (CX), 299-300

application proxies, 3

Application Types dashboard (CX), 330

Application Visibility and Control component (Data Plane), 275

Applications dashboard (CX), 330

application-service objects (CX), 303-304

Applying a Crypto Map to the Outside Interface example (20-12), 885

Applying QoS on the Outside Interface example (25-9), 1155

Applying Signature Updates example (17-4), 774

architecture

CSD (Cisco Secure Desktop), 1045-1046

CX (ConteXt Security) modules, 273-277

Application Inspection Engine, 276

Control Plane module, 276-277

Data Plane module, 274-275

Eventing and Reporting module, 275

HTTP Inspection Engine module, 276

Management Plane module, 276

TLS (Transport Layer Security) Decryption Proxy module, 276

User Identity module, 275

DAP (dynamic access policies), 1061-1062

logical, IPS (intrusion prevention system), 735

QoS (Quality of Service), 1136-1142

virtual firewall, 533-544

ARP (Address Resolution Protocol), transparent firewalls, enabling inspection, 613-615

ARR metric (RR), 791

ASA (Adaptive Security Appliance)

configuring, for IPS traffic redirection, 778-780

5500-X Series Next-Generation Firewall, 57

CLI (command-line interface), 90-92

parameters and values, 91

initial setup, 90-100

management (PRSM), 283

ASA EtherChannel Configuration in Individual Mode example (16-16), 696

ASA IPS Image Recovery Process Debug example (17-1), 746

ASA Services Module (ASASM), 173

ASA’s Full Configuration Showing QoS for VoIP, Mail, and Web example (25-10), 1160-1162

ASA’s Full Configuration Using Inbound and Outbound ACLs example (8-9), 259-260

ASASM (ASA Services Module), 51, 173-176, 189

deployment scenarios, 180-183

edge protection, 182-183

hardware architecture, 174-175

host chassis

integration, 175-176

managing, 176-180

internal segment firewalling, 181-182

trusted flow bypass with policy-based routing, 183-189

ASASM Initialization Message on Chassis example (6-1), 176

ASDM (Adaptive Security Device Manager)

AAA (authentication, authorization, and accounting) test utility, 226-227

Access Method tab, 1073-1074

accessing, 94-97

Action tab, 1068-1069

AnyConnect tab, 1074

ASA CX Status tab, 97

Bookmarks tab, 1073

configuration, 98-99, 257-259

connections, authentication, 208-209

Content Security tab, 97

Device Dashboard tab, 96-97

enabling RIP in, 401

Firewall Dashboard tab, 97

Functions tab, 1071

image upgrade, 133-136

initial setup, 92-100

Intrusion Prevention tab, 97

Local CA (Certificate Authority)

configuring, 958-960

enrolling users through, 963-965

logging, 150

monitoring IPS, 793

Monitoring screen, 99-100

Network ACL Filters tab, 1069

PKI (Public Key Infrastructure) certificates, installing, 936-938

Port Forwarding Lists tab, 1072

QoS (Quality of Service), configuring, 1143-1151, 1157-1160

setting up for IPS management, 752

uploading, 92-93

Webtype ACL Filters tab, 1070-1071

ASR metric (RR), 790

assigned IP address AAA attribute, 1063

assigning

IP addresses, 606

IPv6 addresses, 384

VLAN interfaces, 177-178

Management IP addresses, 606

Assigning a Management IP Address example (15-6), 606

Assigning an IP Address example (15-5), 606

Assigning IPv6 Addresses example (11-1), 384

asymmetric routing groups, failover, 662-664

Attack Response Controller (IPS), 742

attributes

AnyConnect Secure Mobility Client, defining, 1098-1103

IPsec, 20, 804

ISAKMP, 802

SSL VPNs, configurable, 998

auth event class, 148

authentication, 191

see also AAA (authentication, authorization, and accounting)

ASDM connections, 208-209

authentication server, defining, 198-204

client-based remote-access SSL VPNs, 1094-1095

configuring, 204-209

administrative sessions, 204-209

customizing, 214-215

EIGRP, 447-448

firewall sessions, cut-through proxy feature, 209-214

IPsec remote-access VPNs, 907-909

OSPF (Open Shortest Path First), configuring, 422-426

RADIUS (Remote Authentication Dial In User Service), 194-195

accounting, 220

setting up, 1114-1115

RIP (Routing Information Protocol), 403-406

SecurID (SDI), 196-197

serial console connections, 207-208

server group authentication protocols, 201

service support, 192

SSH (Secure Shell) connections, 206-207

SSL VPNs, configuring, 987-1004

Telnet connections, 204-206

timeouts, 214

user identity services, tuning settings, 313-314

authentication, authorization, and accounting (AAA). See AAA (authentication, authorization, and accounting)

authentication server, defining, 198-204

AuthenticationApp (IPS), 741

authorization, 191

see also AAA (authentication, authorization, and accounting)

commands, 217-218

configuring, 215-219

service support, 193

auth-prompt command, 215

Automatic Saving of Logs in Flash example (5-31), 155

Automatic Saving of Logs in the FTP Server example (5-32), 156

Available DSCP Options in Class Maps example (25-1), 1140

B

backing up IPS (intrusion prevention system) configuration, 776

Backing Up CIPS Configuration to FTP Server example (17-5), 776

banner attribute (SSL VPN), 998

banner option (system execution space), 534

Base License, 59-60

Basic ASASM Interface Configuration example (6-9), 186

Basic Chassis Configuration example (6-10), 186

Basic CLI OSPF Configuration example (12-13), 418

Basic Failover Configuration on Primary Unit example (16-5), 670

Basic Failover Configuration on Secondary Unit example (16-6), 671

Basic Host Scan, 1055

configuring, 1057-1058

Basic Management Configuration on Master Unit example (16-19), 709

Basic Management Configuration on Slave Unit example (16-20), 709

basic platform capabilities, 61-63

behavior, address translation, 346-350

blacklist data, BTF (Botnet Traffic Filter), dynamic and local, 781-782

bookmark list attribute (SSL VPN), 998

bookmarks, clientless remote-access SSL VPNs, configuring, 1024-1031

Bookmarks tab (ASDM), 1073

boot option (system execution space), 534

Botnet Traffic Filter (BTF). See BTF (Botnet Traffic Filter)

bridge event class, 148

browsers, SSL VPNs, requirements, 986-987

BTF (Botnet Traffic Filter), 64, 780-786

blacklist data, dynamic and local, 781-782

DNS snooping, 782-783

icon (Monitoring screen), 100

traffic selection, 783-786

buffered logging, 151-152

buffers, sizes, 166

bypassing NAT, site-to-site IPsec VPNs, 817-818

bytes option

content-length command, 510

max-header-length command, 512

max-uri-length command, 512

C

CA (Certificate Authority), 933-935

importing certificates manually, 989

installing certificates from files, 937-938

Local CA (Certificate Authority), 957-966

configuring with ASDM, 958-960

configuring with CLI, 960-963

enrolling users through ASDM, 963-965

enrolling users through CLI, 965-966

ca event class, 148

Cache Cleaner, CSD (Cisco Secure Desktop), 1043-1044

capture command, 638-639

capturing packets, 169-171

CX (ConteXt Security) modules, 332-335

Capturing Traffic Toward ASASM with SPAN example (6-8), 180

CDA (Cisco Context Directory Agent), 275

connecting to, 312-313

cdup FTP command, 485

centralized connection processing, cluster packet flow, 702-703

centralized license management (PRSM), 283

Certificate Authority (CA). See CA (Certificate Authority)

Certificate Enrollment Invitation Email example (21-24), 965

certificates, 932-933

CA (Certificate Authority), 933-935

importing certificates manually, 989

installing certificates from files, 937-938

Local CA (Certificate Authority), 957-966

Cisco ASA, configuring to accept remote-access IPsec VPN clients, 971-972

client-based remote-access SSL VPNs, digital certificates, 1090

configuring IPsec site-to-site tunnels, 966-971

CRLs (certificate revocation lists), 935-936

digital, enrolling, 988-993

identity certificates

installing from a file, 938

installing using SCEP, 943-945

manually importing, 993

installing, 936-957

CA by copy-and-paste, 939

CLI (command-line interface), 945-957

SCEP (Simple Certificate Enrollment Protocol), 940-943

through ASDM, 936-938

SCEP (Simple Certificate Enrollment Protocol), 936

troubleshooting, 972-977

Changing the Default Physical Media Type to Nonbroadcast example (12-22), 432

Changing to a User Context example (14-13), 554

Changing to an Admin Context example (14-10), 552

Chassis MAC Address Table for Firewall Backplane Link example (6-7), 179-180

Checking ASA IPS Module Installation Status example (9-2), 277

Checking the Interfaces for ARP Inspection example (15-20), 637

Checking the L2F Table example (15-19), 636

CIPS (Cisco Intrusion Prevention System)

accessing CLI, 747-748

displaying, 771-772

installing, 744-747

IPS (intrusion prevention system), configuring on, 753-768

license key installation, 752-753

troubleshooting, 1082

upgrading, 772-776

CIPS Version and Process Information example (17-3), 771

cipsWebserver (IPS), 742

Cisco 5505 Easy VPN Client Configuration example (20-17), 895-896

Cisco AnyConnect Secure Mobility Client. See AnyConnect Secure Mobility Client

Cisco ASA 1000V Cloud Firewall, 26-27, 52-53

Cisco ASA 5500 Firewall, 57

models, 30-31

Cisco ASA 5505, 30-34

Cisco ASA 5510, 35-37

Cisco ASA 5520, 41

Cisco ASA 5540, 42-44

Cisco ASA 5550, 45-46

Cisco ASA 5500-X Series 6-Port GE Interface cards, 57

Cisco ASA 5500-X Series Next-Generation Firewall models, 30-31

Cisco ASA 5512-X, 38-39

Cisco ASA 5515-X, 40

Cisco ASA 5525-X, 42

Cisco ASA 5545-X, 42-45

Cisco ASA 5555-X, 45

Cisco ASA 5585-X Series, 47-51

Cisco ASA 5580 expansion cards, 56-57

Cisco ASA CX, 53

Cisco ASA Gigabit Ethernet Modules, 55-57

Cisco ASA License Information example (3-1), 67-68

Cisco ASA Next-Generation Firewall Services, 53

Cisco ASA Phone Proxy feature, 500-504

Cisco ASA SSM-4GE, 55

Cisco ASA’s Relevant Configuration for Site-to-Site IPsec Tunnel example (19-18), 833-836

Cisco ASA’s Relevant Configuration to Allow IP Traffic example (15-16), 622-623

Cisco ASA’s Relevant Configuration with Multiple Security Contexts example (14-18), 569-572

Cisco ASA’s Relevant Configuration with Multiple Security Contexts example (14-19), 582-585

Cisco ASA’s Relevant Configuration with Multiple Security Contexts example (15-17), 632-636

Cisco Context Directory Agent (CDA), 275

Cisco Secure Desktop (CSD). See CSD (Cisco Secure Desktop)

Cisco Unified Communications (UC) advanced support, application inspections, 499-506

citrix event class, 148

class maps, QoS (Quality of Service), setting up, 1152-1153

Class Maps to Identify Mail and VoIP Traffic example (25-3), 1153

Class Maps to Identify Tunnel Traffic example (25-4), 1153

class Syslog Commands example (22-18), 1080-1081

classes, event, 148

classification, packet, virtual firewall, 536-541

clear access-list counters command, 261

Clearing All ikev1 Commands from the Running Configuration example (5-8), 125

Clearing IPS EventStore example (17-6), 778

Clearing the DF Bit for IPsec Packets example (19-17), 830

Clearing the L2F Table Associated with the Outside Interface example (15-26), 639

Clearing the Running Configuration example (5-9), 125

Clearing the Startup Configuration example (5-10), 126

CLI (command-line interface), 81, 85-87, 118

AAA (authentication, authorization, and accounting) test utility, 226-227

CIPS system software, accessing, 747-748

configuring AAA server, 201

defining management access rule, 241

displaying routing tables, 399-400

filtering incoming RIP routes, 408

initial setup, 90-92

installing PKI certificates from, 945-957

Local CA (Certificate Authority) users, enrolling, 965-966

QoS (Quality of Service), configuring, 1152-1155, 1157-1160

split tunneling, 1105

tracing packet flow, 168-169

CLI Commands for Filtering Incoming RIP Routes example (12-6), 408

CLI Split Tunneling Configuration example (23-7), 1105

client firewalling, IPsec remote-access VPNs, 904-907

client operating systems

client-based remote-access SSL VPNs, requirements, 1088-1089

SSL VPNs, requirements, 986-987

client-based remote-access SSL VPNs, 1085, 1118

AnyConnect Secure Mobility Client

configuring, 1096-1112

deploying, 1112-1116

licenses, 1086

configuring, 1090-1095

deploying, 1086-1088

design considerations, 1086-1088

digital certificates, enrolling, 1090

group policies, configuring, 1090-1094

prerequisites, 1088-1090

troubleshooting, 1116-1118

tunnel policies, 1090-1094

user authentication, setting up, 1094-1095

clientless connections, defining, 1076-1077

clientless remote-access SSL VPNs, 979-980, 1084

application access, configuring, 1034-1040

bookmarks, configuring, 1024-1031

clientless connections, defining, 1076-1077

client-server plug-ins, configuring, 1040-1041

configuring, 1004-1041

CSD (Cisco Secure Desktop), 1041-1053

architecture, 1045-1046

components, 1043-1044

configuring, 1046-1053

requirements, 1044-1045

DAP (dynamic access policies), 1060-1074

architecture, 1061-1062

configuring, 1062-1074

sequence of events, 1062

deploying, 1075-1078

design considerations, 980-982

enabling on interfaces, 1005-1006

Host Scan, 1054-1060

configuring, 1056-1060

modules, 1054-1055

licenses, 983-986

monitoring, 1078-1081

portal customization, configuring, 1006-1024

prerequisites, 982-987

smart tunnels, configuring, 1037-1040

troubleshooting, 1081-1084

web-type ACLs, configuring, 1031-1034

client-server plug-ins, clientless remote-access SSL VPNs, configuring, 1040-1041

cloud computing, security, 26-27

Cluster feature, 64-65

Cluster Interface Mode Selection example (16-18), 708

Cluster State Transition History example (16-25), 719

clustering, 685-731

combined licenses, 73-75

configuring, 706-716

connection processing, 702-705

control interface, 690-697

data interface, 690-697

versus failover, 685

hardware requirements, 687-690

health monitoring, 697-698

individual mode, 695-697

license aggregation, 685

monitoring, 717-720

NAT (Network Address Translation), 698-700

packet flow, 702-706

performance, 700-702

software requirements, 687-690

spanned EtherChannel deployment, 720-731

spanned EtherChannel mode, 693-695

state transition, 705-706

stateful connection redundancy, 685

troubleshooting, 717-720

unit roles, 685-687

Zero Downtime upgrade, 688-689

clustering option (system execution space), 534

Cluster-Spanned EtherChannel Configuration example (16-22), 716

Cluster-wide EtherChannel Information example (16-26), 720

CollaborationApp, IPS (intrusion prevention system), 744

Complete Basic Cluster Configuration on Master Unit example (16-21), 712

Complete Cluster Configuration on Master Unit example (16-27), 729-731

Complete Failover Configuration on Primary example (16-15), 684

Complete Floating Static Route Configuration with Tracking example (16-3), 652

Components section (PRSM interface), 286

Computer Telephony Interface Quick Buffer Encoding (CTIQBE) inspections, 473-475

config event class, 148

configuration

accounting, 219-222

ACE, 249

ACLs (access control lists), 11.101-11.111

basic, 251

EtherType, 610-611

extended, 240

address translation, 350-371

Aironet LEAP bypass, 909

AnyConnect Secure Mobility Client, 1096-1112

ASA, accepting remote-access IPsec VPN clients with certificates, 971-972

ASDM, 257-259

authentication, 204-209, 908

HTTP for ASDM, 209

Serial console, 208

SSH to a TACACS+ server, 207

authorization, 215-219

CA (Certificate Authority), Local CA, 960

central protection policy, 906-907

certificate lifetimes, 961

client-based remote-access SSL VPNs, 1090-1095

clientless remote-access SSL VPNs, 1004-1041

application access, 1034-1040

client-server plug-ins, 1040-1041

web-type ACLs, 1031-1034

clustering, 706-716

CSD (Cisco Secure Desktop), 1046-1053

CX (ConteXt Security) modules, preparing for, 277-282

CX policy element headers, 294

DAP (dynamic access policies), 1062-1074, 1077-1078

DHCPv6 relay functionality, 385

DNS Doctoring, 375

downloadable ACLs (access control lists), 218-219

EIGRP, 441-453

MD5 authentication using CLI, 448

route filtering via the CLI, 447

static neighbor, 448

summary address, 449

email logging, 154

failover, 667-678

Host Scan, 1056-1060

IP multicast routing, 1120-1127

IP Phone bypass, 909

IPS (intrusion prevention system)

backing up, 776

basic management settings, 748-752

CIPS, 753-768

preparing for, 744-753

traffic redirection, 778-780

IPsec remote-access VPNs

IKEv1 configuration, 862-889

IKEv2 configuration, 889-896

IPsec site-to-site tunnels, PKI certificates, 966-971

IPv6, 382-390

L2TP over IPsec remote-access VPN, configuring, 912-915

Local CA (Certificate Authority)

ASDM, 958-960

CLI (command-line interface), 960-963

management, 119-126

management-only interface, 111

NAT (Network Address Translation)

automatic, 351-355

manual, 356-359

static translation, 611

use cases, 362-371

NetFlow, 158-159

NTP server, 118

OSPF (Open Shortest Path First), 413-419

authentication, 422-426

redistribution, 426-427

PBR (policy-based routing), 185-189

PFS DH-Group 5 for a peer, 820

PIM RP, 1126

QoS (Quality of Service), 1142-1155

via ASDM, 1143-1151, 1157-1160

via CLI (command-line interface), 1152-1155, 1157-1160

redundant interfaces, 644-645

removing, 124-126

RIP (Routing Information Protocol), 401-403

running, 119-123

server-based object groups, 247-248

site-to-site IPsec VPNs, 805-822

traffic filtering, 816-817

SMTP server, 960

SSL VPNs

authentication, 987-1004

group policies, 994-998

tunnel groups, 997-1000

startup, 123-124

static IP routes, 392-400

traffic filtering, 235-242

transparent firewalls, 602-616

adding static L2F table entries, 612

enabling ARP inspection, 613-615

guidelines, 602-603

interface ACLs, 608-611

interfaces, 604-605

IP addresses, 605-606

modifying L2F table parameters, 615-616

NAT (Network Address Translation), 611-612

routes, 606-607

trustpoints, 946

virtual firewall, security contexts, 544-559

configuration database (CX), backup, 292-293

Configuration of a Standard ACL example (8-5), 251

Configuration of an ACE Using Object Groups example (8-4), 249

Configuration of an Extended ACL example (8-1), 240

Configuration of Central Protection Policy example (20-25), 906-907

Configuration of Cisco Aironet LEAP Bypass example (20-29), 909

Configuration of Cisco IP Phone Bypass example (20-30), 909

Configuration of Data Interfaces in Transparent Firewall example (15-4), 605

Configuration of DNS Doctoring example (10-16), 375

Configuration of Email Logging example (5-30), 154

Configuration of Individual User Authentication example (20-27), 908

Configuration of Individual User Idle Timeout example (20-28), 908

Configuration of Interactive Client Authentication example (20-26), 908

Configuration of NTP Server example (4-18), 118

Configuration of Priority Queue example (25-2), 1152

Configuration of Reverse Route Injection example (19-10), 824

Configuration of Server-Based Object Group example (8-3), 247-248

Configuration of Telnet Access on the Management Interface example (5-11), 128

Configuration of Use Case 1 in Pre-8.3 Version of Software example (10-7), 364

Configuration of Use Case 1 in Version 8.3 and Later Software example (10-6), 364

Configuration of Use Case 2 in Pre-8.3 Version of Software example (10-9), 365

Configuration of Use Case 2 in Version 8.3 and Later Software example (10-8), 365

Configuration of Use Case 3 in Pre-8.3 Version of Software example (10-11), 367

Configuration of Use Case 3 in Version 8.3 and Later Software example (10-10), 367

Configuration of Use Case 4 in Pre-8.3 Version of Software example (10-13), 369

Configuration of Use Case 4 in Version 8.3 and Later Software example (10-12), 369

Configuration of Use Case 5 in Pre-8.3 Version of Software example (10-15), 371

Configuration of Use Case 5 in Version 8.3 and Later Software example (10-14), 371

Configuration screen (ASDM), 98-99

Configuration to Allow NEM example (20-31), 910

Configuration to Load-Balance Cisco IPsec Clients with Site-to-Site VPN example (20-32), 919-922

Configurations section (PRSM interface), 285

Configuring a Description on the Security Context example (14-7), 549

Configuring a Management-Only Interface example (4-15), 111

Configuring a PIM RP example (24-6), 1126

Configuring a Static EIGRP Neighbor example (12-37), 448

Configuring a Static NAT Translation example (15-10), 611

Configuring a Trustpoint example (21-4), 946

Configuring an EIGRP Summary Address example (12-38), 449

Configuring an EtherType ACL example (15-9), 610-611

Configuring and Applying an IPv6 ACL on the Outside Interface example (11-4), 388

Configuring and Applying an IPv6 ACL on the Outside Interface example (11-5), 390

Configuring Authentication Exceptions by Using MAC Address Lists example (7-12), 213

Configuring Certificate Lifetimes example (21-19), 961

Configuring Cisco ASA for Manual Enrollment example (22-2), 991

Configuring Cut-Through Proxy Using the CLI example (7-10), 211

Configuring DHCP Service on the Inside Interface example (4-16), 113

Configuring DHCPv6 Relay Functionality example (11-2), 385

Configuring EIGRP MD5 Authentication Using the CLI example (12-36), 448

Configuring EIGRP Route Filtering via the CLI example (12-35), 447

Configuring Firewall Session Authentication Exceptions example (7-11), 212

Configuring HTTP Authentication for ASDM Users example (7-9), 209

Configuring Interfaces on ASA Services Module example (6-5), 178

Configuring NetFlow via CLI example (5-34), 158-159

Configuring PFS DH-Group 5 for a Peer example (19-8), 820

Configuring Serial Console Authentication example (7-8), 208

Configuring Speed and Duplex on an Interface example (4-11), 105

Configuring SSH Authentication to a TACACS+ Server example (7-7), 207

Configuring the AAA Server Using the CLI example (7-2), 201

Configuring the ASA to Enroll via SCEP example (21-5), 948

Configuring the Cisco ASA for Manual Enrollment example (21-9), 952

Configuring the Local CA Using the CLI example (21-17), 960

Configuring the SMTP Server example (21-18), 960

connection events, CX (ConteXt Security) modules, 331-332

Connection Profile AAA attribute, 1063

console

establishing connections, 82-85

logging, 150

port settings, 84

content area, SSL VPNs, 1014

content-length command, 510

content-type-verification command, 511

Context A Configuration with ASR Groups example (16-9), 677

Context B Configuration with ASR Groups example (16-10), 677-678

context-aware access policies, CX (ConteXt Security) modules, defining, 324-327

control interface, clustering, 690-697

Control Plane module (CX), 276-277

copy running-config startup-config command, 124

Copying a System Image from a TFTP Server to the Local Flash example (5-13), 134

Copying a System Image from an FTP Server to the Local Flash example (5-14), 134

Copying the Running Configuration to NVRAM example (5-17), 135

copyright area, SSL VPNs, 1011

CPUs (central processing units)

monitoring, 165-168

troubleshooting, 172

utilization traps, 162

Creating a Subinterface example (4-13), 108

Creating an EtherChannel example (4-14), 110-111

Creating an ISAKMP IKEv2 Policy example (19-2), 808

Creating an ISAKMP Policy example (20-2), 874

CRL Checking example (21-14), 955

crl configure Subcommand example (21-13), 955

CRL Manual Retrieval via the CLI example (21-16), 957

CRLs (certificate revocation lists)

checking, 955

manual retrieval via the CLI, 957

PKI (Public Key Infrastructure), 935-936

retrieval problems, troubleshooting, 975-976

Crypto Map Configuration example (19-5), 815

Crypto Map Configuration example (21-29), 968

crypto maps, creating, 812-816, 884-885

CSD (Cisco Secure Desktop)

architecture, 1045-1046

assigning policy, 1051

Cache Cleaner, 1043-1044

clientless remote-access SSL VPNs, 1041-1053

configuring, 1046-1053

host emulators, identifying, 1052-1053

Host Scan, 1054-1060

keystroke loggers, identifying, 1052-1053

prelogin policies, defining, 1048-1051

prelogin sequences, defining, 1048

registry checks, setting up, 1114

requirements, 1044-1045

Secure Desktop, 1043

Secure Desktop Manager, 1043

troubleshooting, 1083

csd event class, 148

CSM Event Manager, monitoring IPS, 794

CSM Event Viewer, event tables, removing false positive IPS events, 794

CTIQBE (Computer Telephony Interface Quick Buffer Encoding) inspections, 473-475

CtlTransSource (IPS), 743

Customizing PIM Values at the Interface Level example (24-5), 1125

cut-and-paste method, installing CA certificates with, 939

cut-through proxy feature

configuring, 211

firewall sessions, authentication, 209-214

CX (ConteXt Security) modules, 268, 335

architecture, 273-277

Application Inspection Engine, 276

Control Plane module, 276-277

Data Plane module, 274-275

Eventing and Reporting module, 275

HTTP Inspection Engine module, 276

Management Plane module, 276

TLS (Transport Layer Security) Decryption Proxy module, 276

User Identity module, 275

component and software updates, 290-292

configuration database backup, 292-293

context-aware access policies, defining, 324-327

failover support (PRSM), 283

hardware modules, 270

health monitoring, 272

high availability, 272-273

integration, 268-273

interfaces, 270

licensing, 288-290

logical architecture, 269-270

managing with PRSM, 282-293

ASA management, 283

centralized license management, 283

configuring user accounts, 286-288

CX failover support, 283

Deployment Manager, 283

shared objects and policies, 282

unified monitoring, 282

universal policies, 282

monitoring, 329-335

connection and system events, 331-332

dashboard reports, 329-331

packet capturing, 332-335

NG IPS, enabling, 323-324

objects, 293

policy elements

application objects, 299-300

application-service objects, 303-304

configuring header, 294

defining, 293-308

destination object groups, 305-306

file filtering profiles, 306

identity objects, 296-297

interface roles, 301-302

network groups, 295-296

NG IPS profiles, 307-308

object groups, 293

profiles, 294

properties, 295

secure mobility objects, 300-301

service objects, 302-303

source object groups, 304-305

URL objects, 298

user agent objects, 299

web reputation profiles, 306-307

preparing for configuration, 277-282

software modules, 271

solutions, 268

TLS (Transport Layer Security) Decryption, enabling, 316-322

traffic redirection, configuring, 327-329

user identity services

configuring directory servers, 310-312

connecting to AD agent or CDA, 312-313

defining user identity discovery policy, 314-316

enabling, 309-316

tuning authentication settings, 313-314

D

DAP (dynamic access policies)

AAA (authentication, authorization, and accounting) attributes, 1063-1065

Access Method tab (ASDM), 1073-1074

access policies, defining, 1068-1069

Action tab (ASDM), 1068-1069

AnyConnect tab (ASDM), 1074

architecture, 1061-1062

Bookmarks tab (ASDM), 1073

clientless remote-access SSL VPNs, 1060-1074

configuring, 1062-1074, 1077-1078

endpoint attributes, 1066-1068

Functions tab (ASDM), 1071

Network ACL Filters tab (ASDM), 1069

Port Forwarding Lists tab (ASDM), 1072

sequence of events, 1062

troubleshooting, 1083

Webtype ACL Filters tab (ASDM), 1070-1071

dap event class, 148

dashboard reports, CX (ConteXt Security) modules, 329-331

Dashboard section (PRSM interface), 285

data interface addressing, failover, 660-662

data interfaces

clustering, 690-697

transparent firewalls, configuring, 605

Data Plane module (CX), 274-275

Datagram Transport Layer Security (DTLS), AnyConnect Secure Mobility Client, configuring, 1108

data-passing interfaces, configuring, 102-106

date, system clock, setting, 116

DCERPC (Distributed Computing Environment Remote Procedure Calls) inspections, 476

deactivating, time-based activation keys, 72

Deactivating a Time-Based Key example (3-5), 72

debug command, 926-928

debug crypto ca command, 973-974

debug crypto ca messages command, 976

debug crypto ca transactions command, 976

debug crypto ikev1 127 command, 973-974

debug dap trace command, 1083-1084

debug dap trace Command example (22-19), 1083-1084

debug disk command, 589

debug eigrp fsm command, 457-460

debug eigrp packets command, 462

debug ftp client command, 589

debug menu dap command, 1079

debug menu dap Command example (22-17), 1079

debug mrib client command, 1129

debug mrib io command, 1129

debug mrib route [group] command, 1129

debug mrib table command, 1129

debug ospf events command, 439

debug Output to Show IPsec SAs Are Activated example (20-45), 928

debug Output to Show ISAKMP Proposal Is Acceptable example (20-39), 926-927

debug Output to Show Mode-Config Requests example (20-42), 927

debug Output to Show NAT-T Discovery Process example (20-40), 927

debug Output to Show Phase 1 Negotiations Are Completed example (20-43), 928

debug Output to Show Proxy Identities and Phase 2 Proposal Are Accepted example (20-44), 928

debug Output to Show User Is Authenticated example (20-41), 927

debug pim command, 1129

debug pim df-election command, 1129

debug pim group group command, 1129

debug pim interface interface command, 1129

debug pim neighbor command, 1129

debug rip command, 410-411

debug tacacs command, 223-225

debug webvpn svc Command example (23-15), 1117

debugging, L2F table entries, 638

Debugging the L2F Table Entries example (15-23), 638

Debugs Showing IPsec SAs Are Activated example (19-27), 853

Debugs to Show ISAKMP Proposal Is Acceptable example (19-24), 852

Debugs to Show Mismatched ISAKMP Policies example (19-28), 854

Debugs to Show Mismatched Preshared Keys example (19-29), 854

Debugs to Show Mismatched Proxy Identities example (19-31), 855

Debugs to Show Phase 1 Negotiations Are Completed example (19-25), 853

Debugs to Show Proxy Identities and Phase 2 Proposals Are Accepted example (19-26), 853

Debugs When Incompatible IPsec Transform Set Is Used example (19-30), 855

decryption, TLS (Transport Layer Security) Decryption, enabling, 316-322

deep packet inspection, 8

Default Class and Policy Maps example (13-2), 469

Default Configuration for Cisco ASA 5505 Appliance example (4-2), 83

Default Configuration for Cisco ASA 5510 or Later Appliances example (4-1), 82

Default Information Filtering in EIGRP example (12-40), 453

default option (port-misuse command), 512

Default Per-Session PAT Translation Configuration example (16-17), 700

default post login selection attribute (SSL VPN), 998

default-inspection-traffic option (match), 471

Defining a DAP Record example (22-16), 1074

Defining a Management Access Rule Through CLI example (8-2), 241

Defining a Static ARP Entry via CLI example (15-13), 615

Defining a Web-Type ACL example (22-12), 1034

Defining an ICMP Policy example (8-8), 255

Defining an L2F Table and Disabling MAC Learning example (15-15), 616

Defining a NetFlow Export Policy (5-35), 159

Defining DNS and WINS Servers for Cisco AnyConnect Secure Mobility Clients example (23-8), 1107

Defining DNS and WINS Servers for IPsec VPN Clients example (20-16), 889

Defining Dynamic Crypto Map example (20-10), 885

Defining Pool of Addresses example (20-8), 883

Defining Pool of Addresses example (23-6), 1103

Defining Port-Forwarding via CLI example (22-13), 1037

Defining RADIUS for IPsec Authentication example (20-7), 882

Defining RADIUS for IPsec Authentication example (22-9), 1003

Defining RADIUS for IPsec Authentication example (23-3), 1095

Defining Smart Tunnel via the CLI example (22-14), 1039

Defining Static Crypto Map example (20-11), 885

Defining the Config URL example (14-9), 551

Defining the IGMP Version example (24-4), 1124

deny option (prefix-list command), 431

Denying Specific FTP Commands example (13-10), 484

deployment

Active/Standby failover, 680-684

AnyConnect client, 1112-1116

ASASM (ASA Services Module), 180-183

Cisco ASA 5505 model, 33-34

client-based remote-access SSL VPNs, 1086-1088

clientless remote-access SSL VPNs, 1075-1078

IPsec remote-access VPNs, 916-922

QoS (Quality of Service), 1155-1162

redundant interfaces, 643-644

site-to-site IPsec VPNs, 830

hub and spoke, 836-848

single site-to-site tunnel configuration, 831-836

transparent firewalls, 616-636

MMTFs (multimode transparent firewalls), 623-636

SMTFs (single-mode transparent firewalls), 617-623

virtual firewall, 559-585

Deployment Manager (PRSM), 283

Description attribute (Add Access Rule dialog box), 236

Description attribute (Add Management Access Rule), 241

description command (GTP map), 492

design, clientless remote-access SSL VPNs, 980-982

destination address field (IPv6 header), 381

Destination attribute (Add Access Rule dialog box), 236

Destination Interface option (Advanced NAT Settings dialog box), 353

destination object groups (CX), 305-306

Device Dashboard tab (ASDM), 96-97

Device endpoint attribute (DAP), 1067

Device Information section (Device Dashboard tab), 96

Device Management Feature icon (Configuration screen), 99

Device Setup Feature icon (Configuration screen), 98

devices

configuration

management, 119-126

removing, 124-126

running, 119-123

startup, 123-124

CPUs, monitoring, 165-168

monitoring, 165-172

remote system management, 126-132

setting up names and passwords, 100-102

system maintenance, 132-144

software installation, 132-137

system monitoring, 144-165

troubleshooting issues, 168-172

DHCP (Dynamic Host Configuration Protocol), 112-113

DHCPv6, relay, 384-385

dialog boxes

Add AAA Server, 199

Add Access Rule, 235-236

Add Authentication Rule, 210

Add Authorization Rule, 215-216

Add Customization Object, 1009

Add DNS Inspect, 478

Add Identity Certificate, 938

Add Management Access Rule, 241-242

Add NAT Rule, 366, 368, 370-371

Add Network Object, 351-352, 363, 365

Add Signature, 756-758

Advanced NAT Settings, 352-353, 363-365, 368, 370

Edit Interface, 104

Edit Network Object, 370

Edit Service Policy Rule, 470, 474-476

Install Certificate, 937

Network Rule, 407

Differentiated Services Code Point (DSCP), 1138-1141

digital certificates

client-based remote-access SSL VPNs, enrolling, 1090

SSL VPNs, enrolling, 988-993

dir command, 135

direct call signaling, H.323, 499

Direction parameter (Add Signature dialog box), 758

directory servers, configuring, 310-312

Disable Proxy ARP on Egress Interface option (Advanced NAT Settings dialog box), 352

disabling

DTLS, 1108

features, reload requirement, 72

IKEv1 processing, outside interface, 124

IPS signatures, 791-792

message IDs, 118

NAT-T for a peer, 827

password recovery process, 141-144

Sysopt, 886, 1109

Disabling a Feature with Reload Requirement example (3-6), 72

Disabling a Message ID example (5-33), 118

Disabling DTLS example (23-10), 1108

Disabling IKEv1 Processing on the Outside Interface example (5-7), 124

Disabling NAT-T for a Peer example (19-14), 827

Disabling Password Recovery Using Initial Setup example (5-23), 141

Disabling Sysopt and Configuring ACLs example (20-13), 886

Disabling Sysopt and Configuring ACLs example (23-11), 1109

Disabling the Password Recovery Process example (5-22), 141

Displaying the EIGRP Topology example (12-41), 454

Displaying the Routing Table via the CLI (12-2), 399

Distributed Computing Environment Remote Procedure Calls (DCERPC) inspections, 476

DMZ (demilitarized zones)

firewalls, 7

networks, static PAT, 364-365

web server, dynamic PAT for inside network with static NAT, 363-364

DNS (Domain Name System)

AnyConnect Secure Mobility Client, assignment, 1106-1107

application inspections, 476-480

doctoring, 372-375

snooping, BTF (Botnet Traffic Filter), 782-783

downloadable ACLs (access control lists), 254

configuring, 218-219

drop command (GTP map), 492

drop option

content-length command, 510

max-header-length command, 512

max-uri-length command, 512

port-misuse command, 512

request-method command, 514

strict-http command, 510

transfer-encoding type command, 515

dropped packets, monitoring, 171

DSCP (Differentiated Services Code Point), 1138-1141

dscp option (match), 471

DTLS (Datagram Transport Layer Security), AnyConnect Secure Mobility Client, configuring, 1108

Dual ISPs feature, 62

dynamic access policies (DAP). See DAP (dynamic access policies)

dynamic blacklist data, BTF (Botnet Traffic Filter), 781-782

dynamic NAT, 343-344

dynamic PAT, 343-344

remote-access VPN clients, 369-371

with static NAT for DMZ web server, 363-364

dynamic routing over VPN tunnel, OSPF (Open Shortest Path First), 430-433

E

eap event class, 148

eapoudp event class, 148

edge protection, ASASM (ASA Services Module), 182-183

Edit Interface dialog box, 104

Edit Network Object dialog box, 370

Edit Service Policy Rule dialog box, 470, 474-476

EIGRP (Enhanced Interior Gateway Protocol), 441

authentication, 447-448

configuring, 441-453

route filtering, 445-447

controlling default information, 453

enabling, 441-445

route redistribution, 450-452

route summarization, 448-450

split horizon, 450

static neighbors, defining, 448

troubleshooting, 454-462

eigrp event class, 148

email event class, 148

email logging, 150

email servers, defining, 154

Enable ISAKMP Captures example (19-32), 856-857

Enable Logging attribute (Add Access Rule dialog box), 236

Enable Logging attribute (Add Management Access Rule), 242

Enable Rule attribute (Add Management Access Rule), 242

Enabling Accounting by Using an ACL to Define Interesting Traffic example (7-13), 220

Enabling an Interface example (4-10), 104

Enabling ARP Inspection example (15-12), 614

Enabling Cisco AnyConnect Secure Mobility Client SSL VPN example (23-4), 1098

Enabling Command Accounting example (7-14), 222

Enabling CTIQBE Inspection example (13-5), 475

Enabling DCERPC Inspection example (13-7), 476

Enabling DNS Inspection example (13-8), 480

Enabling EIGRP via the CLI example (12-33), 444

Enabling ESMTP Inspection via the CLI example (13-9), 483

Enabling ISAKMP on the Outside Interface example (19-1), 806

Enabling ISAKMP on the Outside Interface example (20-1), 872

Enabling NAT-T Globally example (20-19), 898

Enabling Routed Firewalls example (15-2), 604

Enabling Security Contexts example (14-2), 545

Enabling SSL VPN on the Outside Interface example (22-10), 1006

Enabling SSL VPN on the Outside Interface example (23-5), 1100

Enabling Syslog example (5-24), 147

Enabling Syslog Timestamps example (5-25), 147

Enabling the HTTP Server example (4-8), 93

Enabling the Local CA example (21-20), 961

Enabling Transparent Firewalls example (15-1), 603

encoding_types option (transfer-encoding type command), 515

Encryption-3DES-AES feature, 63

Encryption-DES feature, 62

Endpoint Assessment scans (Host Scan), 1055

enabling, 1058

endpoint attributes, DAP (dynamic access policies), 1066-1068

Enhanced MGCP Inspection example (13-21), 520

enrolling digital certificates, SSL VPNs, 988-993

enrollment problems, SCEP (Simple Certificate Enrollment Protocol), troubleshooting, 975-976

entity MIB notifications, 162

environmental traps, 162

Errors Due to Incorrect Time and Date Settings During Enrollment example (21-35), 976

ESMTP (Extended SMTP), application inspections, 481-483

Establishing Serial Console Session to ASA Services Module example (6-3), 177

EtherChannel interfaces, configuring, 109-111

EtherType ACLs (access control lists), 233

configuring, 610-611

Eventing and Reporting module (CX), 275

Event Action parameter (Add Signature dialog box), 758

event classes, supported, 148

events, IPS (intrusion prevention system)

clearing, 778

displaying, 776-778

Events section (PRSM interface), 285

EventStore, IPS (intrusion prevention system), 744

clearing, 778

Example of Auto NAT (10-2), 355

Example of Manual NAT (10-3), 359

Example of NAT and ACL Integration in Pre-8.3 Software (10-4), 361

Example of NAT and ACL Integration in Version 8.3 and Later Software (10-5), 361-362

Example of TCP Intercept (10-1), 346

expiration, time-based activation keys, 70-71

ext option (request-method command), 514

ext_method option (request-method command), 514

extended ACLs (access control lists), 233

Extended SMTP (ESMTP), application inspections, 481-483

F

failover, 62, 652-684

Active/Active, 654-656

Active/Standby, 654-656

deployment scenario, 680-684

versus clustering, 685

combined licenses, 73-75

configuring, 667-678

hardware requirements, 656-658

health monitoring, 664-666

interfaces, 658-664

asymmetric routing groups, 662-664

data addressing, 660-662

link security, 659-660

stateful link, 659

monitoring, 678-680

role transition, 666-667

software requirements, 656-658

state transition, 666-667

stateful, 653-654

troubleshooting, 678-680

unit roles, 652-653

Failover Event Syslog Message example (16-13), 680

failover option (system execution space), 534

Failover Policy and Timer Configuration example (16-7), 674

Failover State Transition History example (16-14), 680

Failover Status section (Device Dashboard tab), 97

features

advanced security, 63-65

Advanced Endpoint Assessment, 64

AnyConnect for Cisco VPN Phone, 64

AnyConnect for Mobile, 64

Botnet Traffic Filter, 64

Cluster, 64-65

GTP/GPRS, 64

Intercompany Media Engine, 63-64

IPS Module, 65

basic platform capabilities

10GE I/O, 62

Firewall Connections, 61

Inside Hosts, 62

Maximum Physical Interfaces, 61

Maximum VLANs, 61

VLAN Trunk Ports, 62

licensed, 59-68

Encryption-3DES-AES, 63

Encryption-DES, 62

Failover, 62

Other VPN Peers, 63

Total VPN Peers, 63

tiered capacity, 65-66

AnyConnect Essentials, 66

AnyConnect Premium Peers, 66

Security Contexts, 65

Total UC Proxy Sessions, 66

UC Phone Proxy Sessions, 65-66

fields, IPv6 headers, 380-381

file browser attribute (SSL VPN), 998

File endpoint attribute (DAP), 1067

file filtering profiles (CX), 306

file management option (system execution space), 534

file server entry attribute (SSL VPN), 998

File Transfer Protocol (FTP). See FTP (File Transfer Protocol)

files, identity certificates, installing from, 938

filtering

packets, 2-3, 229-234

PIM (Protocol Independent Multicast) neighbors, 1126-1127

route, RIP (Routing Information Protocol), 406-409

SSL VPN traffic, 1109

traffic, 235-242

to-the-box, 240-242

configuring, 816-817

deployment, 255-260

inbound, 255-260

IPv6, 387

through-the-box, 235-240

Filtering PIM Neighbors example (24-7), 1127

Filtering SSL VPN Traffic example (23-12), 1109

Final Chassis Configuration example (6-11), 188

Firewall Connections feature, 61

Firewall Feature icon (Configuration screen), 98

firewall host scans, Host Scan, configuring, 1059

firewall mode option (system execution space), 534

firewalls, 2-9

Cisco ASA 1000V Cloud Firewall, 26-27

deep packet inspection, 8

DMZ (demilitarized zones), 7

internal segment firewalling, ASASM (ASA Services Module), 181-182

multiple-mode, 537

packet flow, 541-544

network, 2-7

next-generation context-aware, 8

Next-Generation Firewall Services, 268

personal, 9

routed, 591-592

versus transparent firewalls, 593-594

sessions

authentication, 209-214

troubleshooting, 225-226

single-mode, 537

stateful, 267

inspection, 6-7

transparent, 591-594, 640

architecture, 593-599

configuring, 602-616

deployment scenarios, 616-636

enabling, 603-604

MMTFs (multimode transparent firewalls), 597-599

monitoring, 636-637

restrictions, 599-602

versus routed firewalls, 593-594

setting up interfaces, 604-605

SMTFs (single-mode transparent firewalls), 593-597

troubleshooting, 637-640

virtual firewall, 531-533, 535, 590

architecture, 533-544

configuring security contexts, 544-559

deployment scenarios, 559-585

monitoring security contexts, 586-588

non-shared interfaces, 559-572

packet classification, 536-541

shared interfaces, 572-585

system execution space, 533

troubleshooting, 588-590

user context, 535-538

flags, show conn command, 263

flash logging, 155

floating connection timeout, static routes, 649

flow

ASASM traffic, managing, 178-180

tracing packet, 168-169

flow director, clustering, 686-687

flow forwarding, clustering, 686-687

flow label field (IPv6 header), 381

flow option (match), 471

flow owner, clustering, 686

fragmentation policies, site-to-site IPsec VPNs, 829-830

front panels

Cisco ASA 5505 model, 30-32

Cisco ASA 5510 model, 36

Cisco ASA 5512-X model, 38

Cisco ASA 5520 model, 36, 41

Cisco ASA 5540 model, 36

Cisco ASA 5550 model, 36

FTP (File Transfer Protocol), application inspections, 484-486

FTP logging, 155-156

Full Configuration of the Chicago, London, and Paris ASAs example (19-19), 842-848

Fully Initialized ASA Services Module example (6-2), 176-177

Functions tab (ASDM), 1071

G

gateway option (route command), 394

ge option (prefix-list command), 431

General Packet Radio Service (GPRS), application inspections, 486-492

Generating RSA Key Pair and Enabling SSH Version 2 example (7-6), 207

Generating the ID Certificate Request example (21-11), 953

Generating the RSA Key Pair example (21-1), 945

global correlation, IPS (intrusion prevention system), 766-768

global threat correlation capabilities, IPS (intrusion prevention system), 14

global unicast addresses, 382

globally enabling security contexts, virtual firewall, 544-546

GPRS (General Packet Radio Service), application inspections, 486-492

GPRS Tunneling Protocol (GTP). See GTP (GPRS Tunneling Protocol)

group policies, 876

client-based remote-access SSL VPNs, configuring, 1090-1094

SSL VPNs, configuring, 994-998

Group Policy AAA attribute, 1063

Group Policy Definition example (20-3), 876

Group Policy Definition example (23-1), 1092

Group-Policy Definition example (22-5), 996

groups, tunnel, configuring, 997-1000

GTP (GPRS Tunneling Protocol), application inspections, 486-492

GTP Inspection Example (13-12), 491

GTP/GPRS feature, 64

H

H.323

application inspections, 492-499

components, 493-495

direct call signaling, 499

T.38 protocol, 499

version compatibility, 495-496

H.323 Inspection Commands example (13-13), 498

H.323 Inspection Commands Sent by ASDM example (13-14), 498

HA (high availability), 641

clustering, 685-731

configuring, 706-716

hardware requirements, 687-690

health monitoring, 697-698

interfaces, 690-697

monitoring, 717-720

NAT (Network Address Translation), 698-700

packet flow, 702-706

performance, 700-702

software requirements, 687-690

spanned EtherChannel deployment, 720-731

state transition, 705-706

troubleshooting, 717-720

unit roles, 685-687

CX (ConteXt Security) modules, 272-273

failover, 652-684

Active/Active, 654-656

Active/Standby, 654-656, 680-684

configuring, 667-678

hardware requirements, 656-658

health monitoring, 664-666

interfaces, 658-664

monitoring, 678-680

role transition, 666-667

software requirements, 656-658

state transition, 666-667

stateful, 653-654

troubleshooting, 678-680

unit roles, 652-653

IPS (intrusion prevention system), 739

redundant interfaces, 642-646

static routes

backup ISP deployment, 649-652

configuring with SLA monitor, 647-648

floating connection timeout, 649

tracking, 646-652

ha event class, 148

hairpinning IPsec, 899-901

hardware modules

CX (ConteXt Security), 270

IPS (intrusion prevention system), 735-736

hardware requirements

clustering, 687-690

failover, 656-658

headers

CX (ConteXt Security) policy elements, configuring, 294

IPv6, 380

health monitoring

clustering, 697-698

CX (ConteXt Security) modules, 272

help FTP command, 485

heuristic-based analysis, 12

hidden share access attribute (SSL VPN), 998

high availability (HA). See HA (high availability)

homepage URL (optional) attribute (SSL VPN), 998

hop limit field (IPv6 header), 381

host chassis, ASASM (ASA Services Module)

integration, 175-176

managing, 176-180

Host Scan

Advanced Endpoint Assessment feature, configuring, 1058-1059

antispyware scans, configuring, 1059

antivirus host scans, configuring, 1059

Basic Host Scan, configuring, 1057-1058

clientless remote-access SSL VPNs, 1054-1060

configuring, 1056-1060

Endpoint Assessment scans, enabling, 1058

firewall host scans, configuring, 1059

modules, 1054-1055

HTTP compression attribute (SSL VPN), 998

HTTP inspection engine, 507-515

HTTP Inspection Engine module (CX), 276

HTTP Inspection Using an HTTP Map (13-18), 509

HTTP proxy attribute (SSL VPN), 998

hub and spoke deployment, site-to-site IPsec VPNs, 836-848

I

ICMP (Internet Control Message Protocol) packets

inspections, 515-516

filtering, 254-255

ICMP-Type object groups, 244-245

identity certificates

installing, 938

manually importing, 993

identity NAT, 344

site-to-site VPN tunnels, 367-369

identity objects (CX), 296-297

idle timeout, modifying, 131

idle timeout attribute (SSL VPN), 998

IDS (intrusion detection systems), 9-14

anomaly-based analysis, 12-14

global threat correlation capabilities, 14

heuristic-based analysis, 12

pattern matching, 11

protocol analysis, 12

stateful pattern-matching recognition, 11

ids event class, 148

IGMP (Internet Group Management Protocol)

defining versions, 1123-1124

IP multicast routing, 1120

query timeout, 1123

states, limiting, 1122-1123

IGMP group, statically assigning, 1122

IGMP Query Timeout example (24-3), 1123

IGP (Interior Gateway Protocol), 400

IKE (Internet Key Exchange) protocol, 16-23

IPsec remote-access VPNs

IKEv1 configuration, 862-889

IKEv2 configuration, 889-896

site-to-site IPsec VPNs, single site-to-site tunnel configuration, 831-836

IKEv2 traps, 162

ILS (Internet Locator Service), inspections, 516

IM (Instant Messenger), inspections, 517-518

IM Inspection CLI Configuration example (13-19), 518

im option (port-misuse command), 512

image upgrade

ASDM, 132-133

CLI (command-line interface), 133-136

image upload, ROMMON mode (Read-Only-Memory Monitor mode), 136-137

IME, monitoring IPS, 793

Importing the CA Certificate Manually example (21-10), 952

Importing the CA Certificate Manually example (22-1), 989

inbound packet filtering, 230

inbound traffic filtering, ACLs (access control lists), 255-260

individual mode, clustering, 695-697

information area, SSL VPNs, 1011

infrastructure requirements

client-based remote-access SSL VPNs, requirements, 1089-1090

SSL VPNs, 986-987

in-interface-name option (mroute command), 1127

initial setup, 90-100

ASDM, 92-100

CLI (command-line interface), 90-92

configuring interfaces, 102-106

configuring system clock, 114-118

names and passwords, 100-102

parameters and values, 91

Initial Setup Menu example (4-5), 90-91

inline mode, IPS (intrusion prevention system), 737-738

Inside Hosts feature, 62

inside NAT (Network Address Translation), 338

inspect icmp command, 515-516

inspections

see also application inspections

ARP, enabling, 613-615

deep packet, 8

Install Certificate dialog box, 937

installing

PKI (Public Key Infrastructure) certificates, 936-957

software, 132-137

Instant Messenger (IM), inspections, 517-518

Intercompany Media Engine feature, 63-64

Interface attribute (Add Access Rule dialog box), 235

Interface attribute (Add Management Access Rule), 241

interface option (route command), 394

interface roles (CX), 301-302

Interface Status section (Device Dashboard tab), 97

interfaces, 118

ACLs (access control lists), transparent firewalls, 608-611

CLI (command-line interface), 81, 85-87, 118

clientless remote-access SSL VPNs, enabling, 1005-1006

configuring, 102-106

CX (ConteXt Security) modules, 270

EtherChannel, configuring, 109-111

failover, 658-664

asymmetric routing groups, 662-664

data addressing, 660-662

link security, 659-660

stateful link, 659

management, configuring, 111

non-shared, virtual firewall, 559-572

PRSM, sections, 285-286

redundant, 642-646

configuring, 644-645

deploying, 643-644

monitoring, 645-646

shared, virtual firewall, 572-585

subinterfaces, configuring, 106-108

transparent firewalls, setting up, 604-605

VLANs, assigning, 177-178

Interfaces Feature icon (Monitoring screen), 99

interfaces option (system execution space), 534

Interior Gateway Protocol (IGP), 400

internal segment firewalling, ASASM (ASA Services Module), 181-182

internal-control interface (CX), 270

internal-data interface (CX), 270

Internet access, enabling address translation, 1116

Internet Control Message Protocol (ICMP) packets, inspections, 515-516

Internet Key Exchange (IKE) protocol, 16-23

Internet Locator Service (ILS), inspections, 516

Intrusion Prevention System (IPS). See IPS (intrusion prevention system)

Invalid Activation Key Rejected example (3-7), 72

invalid activation keys, 72

IP Address attribute (Add Network Object dialog box), 351

IP (Internet Protocol)

addresses

servers, assignments, 256

transparent firewalls, configuring, 605-606

IP DSCP field (QoS), 1138-1141

ip event class, 148

IP precedence field (QoS), 1137-1138

IP (Internet Protocol) routing, 391, 463

EIGRP, 441

configuring, 441-453

troubleshooting, 454-462

multicast routing, 1119, 1129

configuring, 1120-1127

enabling multicast routing, 1121-1124

IGMP support, 1120

PIM (Protocol Independent Multicast), enabling, 1124-1127

PIM-SM (Protocol Independent Multicast-Sparse Mode), 1120

troubleshooting, 1127-1129

OSPF (Open Shortest Path First), 412-441

configuring, 413-419

configuring authentication, 422-426

configuring redistribution, 426-427

dynamic routing over VPN tunnel, 430-433

neighbor command, 430-433

NSSAs, 428-429

OSPFv3, 433

stub areas, 428-429

troubleshooting, 433-441

Type 3 LSA filtering, 429-430

virtual links, 419-422

RIP (Routing Information Protocol), 400-411

authentication, 403-406

configuring, 401-403

configuring redistribution, 409

route filtering, 406-409

troubleshooting, 409-411

routing tables, displaying, 399-400

static routes

configuring, 392-400

monitoring, 395-398

IP Version attribute (Add Network Object dialog box), 351

ipaa event class, 148

IPS (intrusion prevention system), 9-14, 733, 786, 787, 799

accessing from ASA CLI, 747-748

anomaly detection, 763-766

anomaly-based analysis, 12-14

ASDM, setting up, 752

backing up configuration, 776

basic management settings, configuring, 748-752

BTF (Botnet Traffic Filter), 780-786

CIPS (Cisco Intrusion Prevention System)

accessing CLI, 747-748

configuring on, 753-768

displaying, 771-772

installing, 744-747

license key installation, 752-753

troubleshooting, 1082

upgrading, 772-776

CMS event tables, removing false positive events, 794

CollaborationApp, 744

custom signatures, 755-758

displaying statistics, 795-799

events

clearing, 778

displaying, 776-778

EventStore, 744

global correlation, 766-768

global threat correlation capabilities, 14

HA (high availability), 739

hardware modules, 735-736

heuristic-based analysis, 12

inline mode, 737-738

integration, 733-739

logical architecture, 735

MainApp, 741-743

maintaining, 768-778

monitoring, tools, 793-794

pattern matching, 11

preparing for configuration, 744-753

process information, displaying, 771-772

promiscuous mode, 738-739

protocol analysis, 12

remote blocking, 758-762

risk rating (RR), 789-791

SensorApp, 743

signatures

disabling, 791-792

retiring, 792-793

upgrading, 772-776

software architecture, 739-740

software modules, 736

stateful pattern-matching recognition, 11

traffic redirection, configuring for ASA, 778-780

tuning, 787-789

tools, 793-794

user accounts, administration, 769-770

IPS Feature icon (Configuration screen), 98

IPS Feature icon (Monitoring screen), 100

IPS Module feature, 65

IPsec

attributes, 20, 804

hairpinning, 899-901

IPsec remote-access VPNs, 859-862, 929

assigning IP addresses, 882-884

bypassing NAT, 886

Cisco IP phone bypass, 909

client firewalling, 904-907

crypto maps, creating, 884-885

deployment, 916-922

defining policies, 878-879

DNS (Domain Name System), 888-889

group policies, 875-876

hardware client network extension mode, 909-910

IKEv1 configuration, 862-889

IKEv2 configuration, 889-896

individual user authentication, 908-909

interactive client authentication, 907-908

IPsec hairpinning, 899-901

L2TP over, 910-916

LEAP bypass, 883-909

monitoring, 922-926

split tunneling, 887-888

traffic filtering, 886

transparent tunneling, 897-899

troubleshooting, 926-928

tunnel and group policies, 874-875

tunnel default gateway, 896-897

user authentication, 879-882

VPN load balancing, 901-904

WINS, 888-889

OSPF (Open Shortest Path First) updates over, 823-824

site-to-site IPsec VPNs, 801-802, 857

bypassing NAT, 817-818

configuring, 805-822

configuring traffic filtering, 816-817

creating crypto maps, 812-816

creating ISAKMP policy, 807-808

defining IPsec policy, 810-812

deployment scenarios, 830-848

enabling ISAKMP, 806

enabling PFS, 819-820

fragmentation policies, 829-830

management access, 828-829

monitoring, 848-851

NAT-T (NAT Traversal), 826-827

preconfiguration checklist, 802-804

RRI (reverse route injection), 824-826

setting up tunnel groups, 808-810

troubleshooting, 852-857

tunnel default gateway, 827-828

site-to-site tunnels, configuring, 966-971

tunnels, transparent firewall restrictions, 599-600

traps, 162

VPNs (Virtual Private Networks), 16-23

IPsec over TCP Configuration example (20-21), 899

IPsec over UDP Configuration example (20-20), 899

IPsec pass-through, inspection, 518-519

IPsec Pass-Through Inspection CLI Configuration example (13-20), 519

IPv6, 379, 390

ACLs (access control lists), configuring, 386-388

addresses

assigning, 383-384

supported types, 380-382

translation, 389-390

configuring, 382-390

DHCP relay, 384-385

headers, 380

NAT topology, 389

optional parameters, 385-386

origins, 379-382

router advertisement transmission interval, 385-386

topology, 386

traffic filtering, configuring, 387

ISAKMP (Internet Security Association and Key Management Protocol)

attributes, 802

enabling, 806, 872

policy configuration, 968

ISAKMP Policy Configuration example (21-28), 968

J-L

Java TAPI (JTAPI), 473

JTAPI (Java TAPI), 473

Kerberos, Active Directory,

L2F Table Aging Time example (15-14), 616

L2F table entries

debugging, 638

modifying parameters, transparent firewalls, 615-616

transparent firewalls, adding static, 612

L2TP over IPsec remote-access VPN, 910-916

configuring, 912-915

Windows L2TP over IPsec client configuration, 915-916

LACP (Link Aggregation Control Protocol), 644

Latest ASDM Syslog Messages section (Device Dashboard tab), 97

LDAP (Lightweight Directory Access Protocol), 197-198

le option (prefix-list command), 431

levels, security, 145

license aggregation, clustering, 685

license keys, CIPS, installing, 752-753

licensed features, 59-68

10GE I/O, 62

advanced security

Advanced Endpoint Assessment, 64

AnyConnect for Mobile, 64

AnyConnect for VPN Phone, 64

Botnet Traffic Filter, 64

Cluster, 64-65

GTP/GPRS, 64

Intercompany Media Engine, 63-64

IPS Module, 65

Dual ISPs, 62

Encryption-3DES-AES, 63

Encryption-DES, 62

Failover, 62

Firewall Connections, 61

Inside Hosts, 62

Maximum Physical Interfaces, 61

Maximum VLANs, 61

Other VPN Peers, 63

tiered capacity

AnyConnect Essentials, 66

AnyConnect Premium Peers, 66

Security Contexts, 65

UC Phone Proxy Sessions, 65-66

Total VPN Peers, 63

VLAN Trunk Ports, 62

licenses

aggregation, rules, 73-74

Base, 59-60

Basic, 61-63

clientless remote-access SSL VPNs, 983-986

combined in failover and clustering, 73-75

displaying information, 66-68

managing, 87-89

with activation keys, 68-73

Security Plus, 59-60

time-based, aggregated countdown, 75

licensing, 59, 80

clustering, 688-689

CX (ConteXt Security) modules, 288-290

failover, 658

servers, 78-79

shared

configuring, 78-80

operations, 76-77

shared premium VPN, 75-80

Lightweight Directory Access Protocol (LDAP). See LDAP (Lightweight Directory Access Protocol)

Limiting IGMP States example (24-2), 1123

Link Aggregation Control Protocol (LACP), 644

link security, failover, 659-660

link-local addresses, 382

list-name option (prefix-list command), 431

load balancing

Cisco IPsec clients and site-to-site integration, 916-922

VPNs (Virtual Private Networks), 901-904

Loading and Applying Client Profile example (23-14), 1112

Loading CSD example (22-15), 1047

local blacklist data, BTF (Botnet Traffic Filter), 781-782

Local CA (Certificate Authority), 957-966

configuring

CLI (command-line interface), 960-963

ASDM (Adaptive Security Device Manager), 958-960

enrolling users

ASDM (Adaptive Security Device Manager), 963-965

CLI (command-line interface), 965-966

Local CA Certificate Chain example (21-21), 961-962

Local User Accounts example (20-6), 880

Local User Accounts example (22-8), 1001

local user object groups, 244

log option

content-length command, 510

max-header-length command, 512

max-uri-length command, 512

port-misuse command, 512

request-method command, 514

strict-http command, 510

transfer-encoding type command, 515

Logger (IPS), 742

logging

ASDM (Adaptive Security Device Manager), 150

console, 150

email, 150

flash, 155

FTP (File Transfer Protocol), 155-156

lists, setting up, 149

NSEL (NetFlow Secure Event Logging), 156-160

SNMP trap, 151

storing logs, 154

syslog server, 150

system logging, 144-156

ASDM logging, 150

buffered logging, 151-152

console, 150

email logging, 150

enabling, 146-149

flash logging, 155

FTP logging, 155-156

logging types, 149

SNMP trap logging, 151

storing logs internally and externally, 154

syslog server logging, 150

terminal logging, 150

terminal, 150

Logging Feature icon (Monitoring screen), 100

Logging in to ASA IPS CLI for the First Time example (17-2), 747-748

Logging Interval attribute (Add Management Access Rule), 242

logical architecture

CX (ConteXt Security) modules, 269-270

IPS (intrusion prevention system), 735

login screen, PRSM, 283

logon area, SSL VPNs, 1010-1011

logon page, SSL VPNs, 1006-1008

customized, 1016-1018

full customization, 1019-1021

logout page, SSL VPNs, 1015

London’s ASA Site-to-Site IPsec Configuration example (21-31), 969-971

Lookup Route Table to Locate Egress Interface option (Advanced NAT Settings dialog box), 353

M

mac-address option (system execution space), 534

MainApp, IPS (intrusion prevention system), 741-743

Malware Traffic dashboard (CX), 330

Management Access on the Inside Interface example (19-16), 829

management interfaces

configuring, 111

CX (ConteXt Security), 270

management IP addresses, transparent firewalls, assigning, 606

Management Plane module (CX), 276

managing licenses, 87-89

Manually Importing the ID Certificate example (21-12), 954

Manually Importing the ID Certificate example (22-3), 993

Mapped Port option (Advanced NAT Settings dialog box), 353

mask option (mroute command), 1127

master units, clustering, 685-686

match command, 470

Matching Specific Traffic Using an ACL example (13-1), 468

max option (content-length command), 510

max-header-length command, 511-512

maximum connect time attribute (SSL VPN), 998

Maximum Physical Interfaces feature, 61

Maximum VLANs feature, 61

max-uri-length command, 512

max-value option (prefix-list command), 431

mcc command (GTP map), 492

MD5 authentication, OSPF (Open Shortest Path First), 424

Media Gateway Control Protocol (MGCP), inspections, 519-521

Member Class to Context Mapping example (14-17), 559

memberOf AAA attribute, 1063

message-length command (GTP map), 492

metric option (route command), 394

MGCP (Media Gateway Control Protocol), inspections, 519-521

min option (content-length command), 510

min-value option (prefix-list command), 431

Mismatched OSPF Areas example (12-30), 440

Mismatched OSPF Authentication Parameters example (12-31), 440

MMP Inspection Commands Sent by ASDM example (13-17), 506

MMTFs (multimode transparent firewalls), 597-599

deploying, 623-636

Mobility Proxy feature, 506

modes, NAT (Network Address Translation), 349-350

Modular Policy Framework (MPF), 468

modules

CX (ConteXt Security), 268, 335

architecture, 273-277

component and software updates, 290-292

configuration database backup, 292-293

defining context-aware access policies, 324-327

failover support (PRSM), 283

hardware modules, 270

health monitoring, 272

high availability, 272-273

integration, 268-273

interfaces, 270

licensing, 288-290

logical architecture, 269-270

managing with PRSM, 282-293

monitoring, 329-335

NG IPS, 323-324

objects, 293

policy elements, 293-307

preparing for configuration, 277-282

software modules, 271

solutions, 268

TLS (Transport Layer Security) decryption, 316-322

traffic redirection, 327-329

user identity services, 310-316

Host Scan, 1054-1055

monitoring

ACLs (access control lists), 260-265, 637

Active Telnet sessions, 129

address translations, 375-377

ASASM traffic flow, 179

clientless remote-access SSL VPNs, 1078-1081

clustering, 697-698, 717-720

CX (ConteXt Security) modules, 329-335

connection and system events, 331-332

dashboard reports, 329-331

packet capturing, 332-335

failover, 664-666, 678-680

IPS (intrusion prevention system), tools, 793-794

IPsec remote-access VPNs, 922-926

NetFlow exports, 160

network access, 260-265

QoS (Quality of Service), 1162-1164

redundant interfaces, 645-646

security contexts, 586-588

shared licensing operations, 80

site-to-site IPsec VPNs, 848-851

TACACS+ transactions, 225

transparent firewalls, 636-637

Monitoring ACLs example (15-21), 637

Monitoring and Clearing Active Telnet Sessions example (5-12), 129

Monitoring and Troubleshooting TACACS+ Transactions with the show aaa-server Command example (7-18), 225

Monitoring ASASM Traffic Flow from Chassis example (6-6), 179

Monitoring Cluster Status example (16-24), 718

Monitoring Failover Status example (16-11), 678-679

Monitoring NetFlow Exports example (5-36), 160

Monitoring Redundant Interface Statistics example (16-2), 646

Monitoring screen (ASDM), 99-100

More Options drop-down menu, 236-237

MPF (Modular Policy Framework), 468

mroute command, 1127

MSN Messenger, inspections, 517-518

multicast routing (IP), 1119, 1129

configuring, 1120-1127

enabling, 1121-1124

IGMP support, 1120

PIM (Protocol Independent Multicast), enabling, 1124-1127

PIM-SM (Protocol Independent Multicast-Sparse Mode), 1120

troubleshooting, 1127-1129

Multiple Device mode (PRSM), 282

multiple-mode firewalls, MMTFs (multimode transparent firewalls), 597-599

deployment, 623-636

multiple-mode virtual firewalls, 537

packet flow, 541-544

N

NAC endpoint attribute (DAP), 1067

nac event class, 148

nacpolicy event class, 148

nacsettings event class, 148

Name attribute (Add Network Object dialog box), 351

NAT (Network Address Translation), 3-4, 337-340, 377

ACLs (access control lists), integration, 359-362

behavior, 346-350

bypassing, 817-818

clustering, 698-700

configuration

automatic, 351-355

manual, 356-359

use cases, 362-371

configuring, 350-371

DNS doctoring, 372-375

dynamic, 343-344

identity, 344

inside, 338

modes, 349-350

monitoring translations, 375-377

NAT-T (NAT Traversal), 826-827

order of operation, 350

outside, 339

policy, 344

security levels, 346-349

security protection mechanisms, 345-346

static, 341-342

configuring, 611

transparent firewalls

configuring, 611-612

restrictions, 600-602

traps, 162

NAT-T (NAT Traversal), 826-827

site-to-site IPsec VPNs, single site-to-site tunnel configuration, 831-836

navigation panel, SSL VPNs, 1013

negotiations, SSL (Secure Sockets Layer), troubleshooting, 1081

neighbor reachable time (IPv6), 385

Neighbor Solicitation messages (IPv6), 385

neighbors, PIM (Protocol Independent Multicast), filtering, 1126-1127

NetBIOS, inspections, 521

NetFlow Secure Event Logging (NSEL), 156-160

Netmask attribute (Add Network Object dialog box), 351

netmask option (route command), 394

network access, 265

ACLs (access control lists), 243

object grouping, 243-250

controlling, 229

monitoring control, 260-265

packet filtering, 229-234

traffic filtering

configuring, 235-242

inbound, 255-260

Network ACL Filters tab (ASDM), 1069

Network Address Translation (NAT). See NAT (Network Address Translation)

network firewalls, 2-7

network groups (CX), 295-296

network option (route command), 394

Network Overview dashboard (CX), 330

Network Rule dialog box, 407

Network Time Protocol (NTP), 116

network-based object groups, 244

networks. See VPNs (Virtual Private Networks)

New York ASA Trustpoint Configuration example (21-27), 967

next header field (IPv6 header), 381

next-generation context-aware firewalls, 8, 268

NG Intrusion Prevention dashboard (CX), 330

NG IPS, enabling, 323-324

NG IPS profiles (CX), 307-308

no mask-syst-reply Subcommand example (13-11), 486

non-shared interfaces, virtual firewall, 559-572

NotificationApp (IPS), 743

np event class, 148

NSEL (NetFlow Secure Event Logging), 156-160

NSSA (not-so-stubby areas), OSPF (Open Shortest Path First), 428-429

NTP option (system execution space), 534

O

object group policy element (CX), 293

object grouping, ACLs (access control lists), 243-250

object policy elements (CX), 293

Obtaining the CA Certificate from the CA Server example (21-6), 949

Obtaining the ID Certificate from the CA Server example (21-7), 949

Operating System endpoint attribute (DAP), 1067

operator accounts, IPS (intrusion prevention system), 769

optional parameters, IPv6, 385-386

Options Available in the show service-policy Command example (25-11), 1162

order of operation, NAT (Network Address Translation), 350

OSPF (Open Shortest Path First), 412-441

ASA configuration, 825

authentication, configuring, 422-426

configuring, 413-419

dynamic routing over VPN tunnel, 430-433

enabling, 414-419

neighbor command, 430-433

NSSAs (not-so-stubby areas), 428-429

OSPFv3, 433

redistribution, configuring, 426-427

static neighbors, 432

stub areas, 428-429

troubleshooting, 433-441

Type 3 LSA filtering, 429-430

updates over IPsec, 823-824

virtual links, 419-427

OSPF Configuration on the ASA example (19-12), 825

ospf event class, 148

OSPF MD5 Authentication CLI Commands example (12-18), 424

OSPF Static Neighbors example (12-21), 432

OSPF Updates over IPsec example (19-9), 824

OSPF Virtual Link CLI Configuration example (12-16), 421

OSPF Virtual Link MD5 Authentication CLI Commands example (12-19), 426

OSPF Virtual Link MD5 Authentication CLI Commands example (12-20), 427

OSPFv3, 433

Other VPN Peers feature, 63

outbound packet filtering, 231

out-interface-name option (mroute command), 1127

outside NAT (Network Address Translation), 339

overlapping subnets, static NAT, 366-367

P

p2p option (port-misuse command), 512

Packet Capturing example (5-43), 170

Packet Capturing example (8-13), 264

packet classification, QoS (Quality of Service), 1137-1141

Packet Dispatcher component (Data Plane), 274

packet flow sequence, QoS (Quality of Service), 1136-1137

packets

capturing, 169-171, 264

CX (ConteXt Security) modules, 332-335

classification, virtual firewall, 536-541

deep inspection, 8

filtering, 2-3, 229-234

inbound, 230

outbound, 231

flow

clustering, 702-706

multiple-mode virtual firewalls, 541-544

SMTFs (single-mode transparent firewalls), 595-597

Internet Control Message Protocol (ICMP), inspections, 515-516

MMTFs (multimode transparent firewalls), flow, 597-599

monitoring dropped, 171

tracing flow, 168-169

troubleshooting, 168-171

parameters

initial setup, 91

IPv6, optional, 385-386

Partial Output of show running-config example (5-2), 122

participants, licensing, 79

passwords, recovery process, 137-140

disabling, 141-144

PAT (Port Address Translation), 4-5, 338, 340

clustering, 698-700

dynamic, 343-344

with static NAT for DMZ web server, 363-364

policy, 344

static, 341-342

pattern matching

IDS (intrusion detection systems), 11

IPS (intrusion prevention system), 11

payload length field (IPv6 header), 381

PBR (policy-based routing)

ASASM (ASA Services Module), trusted flow bypass, 183-189

configuration, 185-189

PD metric (RR), 791

Perfect Forward Secrecy (PFS), enabling, 819-820

permanent activation keys, 68-71

permit command (GTP map), 492

permit option (prefix-list command), 431

Personal Firewall endpoint attribute (DAP), 1067

personal firewalls, 9

PFS (Perfect Forward Secrecy), enabling, 819-820

Phone Proxy Commands Sent by ASDM example (13-15), 503-504

Phone Proxy feature, 500-504

PIM (Protocol Independent Multicast)

enabling, 1124-1127

filtering neighbors, 1126-1127

rendezvous points, configuring, 1125-1126

static multicast routes, configuring, 1127

PIM (Protocol Independent Multicast) sparse mode, PIM-SM (Protocol Independent Multicast-Sparse Mode), IP multicast routing, 1120

PKI (Public Key Infrastructure), 931-932, 977

CA (Certificate Authority), 933-935

local, 957-966

certificates, 932-933

configuring Cisco ASA to accept remote-access IPsec VPN clients, 971-972

configuring IPsec site-to-site tunnels, 966-971

CRLs (certificate revocation lists), 935-936

installing, 936-957

installing CA certificates with copy-and-paste, 939

installing identity from a file, 938

installing identity using SCEP, 943-945

installing through ASDM, 936-938

installing using CLI, 945-957

installing using SCEP, 940-943

SCEP (Simple Certificate Enrollment Protocol), 936

troubleshooting, 972-977

Point-to-Point Tunneling Protocol (PPTP), inspections, 522

policies

context-aware access, defining, 324-327

DAP (dynamic access policies), 1060-1074

architecture, 1061-1062

configuring, 1062-1074

sequence of events, 1062

group

client-based remote-access SSL VPNs, 1090-1094

configuring for SSL VPNs, 994-998

ISAKMP, creating, 807-808

tunnel, client-based remote-access SSL VPNs, 1090-1094

Policies dashboard (CX), 330

policing traffic, QoS (Quality of Service), 1134-1135, 1149-1150

policy elements, CX (ConteXt Security) modules

application objects, 299-300

application-service objects, 303-304

configuring header, 294

defining, 293-308

destination object groups, 305-306

file filtering profiles, 306

identity objects, 296-297

interface roles, 301-302

network groups, 295-296

NG IPS profiles, 307-308

object groups, 293

objects, 293

profiles, 294

properties, 295

secure mobility objects, 300-301

service objects, 302-303

source object groups, 304-305

URL objects, 298

user agent objects, 299

web reputation profiles, 306-307

Policy endpoint attribute (DAP), 1067

policy maps, QoS (Quality of Service)

applying to interface, 1155

configuring, 1153-1154

policy NAT/PAT, 344

Policy Table component (Data Plane), 274

policy-based routing (PBR), ASASM (ASA Services Module), trusted flow bypass, 186

pools of addresses, defining, 1101-1103

Port Address Translation (PAT). See PAT (Port Address Translation)

port forwarding, clientless remote-access SSL VPNs, configuring, 1035-1037

Port Forwarding Lists tab (ASDM), 1072

port option (match), 471

port settings, consoles, 84

portal customization, SSL VPNs, configuring, 1006-1024

portal customization attribute (SSL VPN), 998

portal page, SSL VPNs, 1012

customized, 1018-1019

port-forwarding list attribute (SSL VPN), 998

port-misuse command, 512

post login setting attribute (SSL VPN), 998

PPTP (Point-to-Point Tunneling Protocol), inspections, 522

precedence option (match), 471

preconfiguration checklist, site-to-site IPsec VPNs, 802-804

prefix/length option (prefix-list command), 431

prefix-list command, 430-431

prerequisites, clientless remote-access SSL VPNs, 982-987

Presence Federation Proxy feature, 506

prioritization, traffic, QoS (Quality of Service), 1133, 1148

priority queuing, QoS (Quality of Service), tuning, 1143-1144, 1152

Process endpoint attribute (DAP), 1067

profile policy element (CX), 294

Promiscuous Delta parameter (Add Signature dialog box), 757

promiscuous mode, IPS (intrusion prevention system), 738-739

prompt option (system execution space), 534

properties, CX policy elements, 295

Properties Feature icon (Monitoring screen), 100

protocol analysis, 12

Protocol option (Advanced NAT Settings dialog box), 353

protocol-based object groups, 244

protocols

AAA (authentication, authorization, and accounting), 192-198

ARP (Address Resolution Protocol), enabling inspection, 613-615

DHCP (Dynamic Host Configuration Protocol), 112-113

DHCPv6, relay, 384-385

EIGRP (Enhanced Interior Gateway Protocol), 441

authentication, 447-448

configuring, 441-453

controlling default information, 453

enabling, 441-445

route redistribution, 450-452

route summarization, 448-450

split horizon, 450

static neighbors, defining, 448

troubleshooting, 454-462

ICMP (Internet Control Message Protocol), 254-255, 515-516

IGMP (Internet Group Management Protocol)

defining versions, 1123-1124

IP multicast routing, 1120

limiting states, 1122-1123

query timeout, 1123

IGP (Interior Gateway Protocol), 400

IKE (Internet Key Exchange), 16-23

IPsec remote-access VPNs, 862-896

site-to-site IPsec VPNs, single site-to-site tunnel configuration, 831-836

IP (Internet Protocol)

addresses, 256

routing, 391-463, 1119-1127

transparent firewalls, 605-606

IPsec

attributes, 20, 804

hairpinning, 899-901

IPsec remote-access VPNs, 859-862, 929

site-to-site IPsec VPNs, 801-802, 857

site-to-site tunnels, 966-971

VPNs (Virtual Private Networks), 16-23

IPv6, 379, 390

ACLs (access control lists), 386-388

addresses, 380-390

configuring, 382-390

DHCP relay, 384-385

headers, 380

NAT topology, 389

optional parameters, 385-386

origins, 379-382

router advertisement transmission interval, 385-386

topology, 386

traffic filtering, 387

ISAKMP (Internet Security Association and Key Management Protocol)

attributes, 802

enabling, 806, 872

policy configuration, 968

LACP (Link Aggregation Control Protocol), 644

LDAP (Lightweight Directory Access Protocol), 197-198

MGCP (Media Gateway Control Protocol), inspections, 519-521

OSPF (Open Shortest Path First), 412-441

ASA configuration, 825

authentication, 422-426

configuring, 413-419

dynamic routing over VPN tunnel, 430-433

enabling, 414-419

neighbor command, 430-433

NSSAs (not-so-stubby areas), 428-429

OSPFv3, 433

redistribution, 426-427

static neighbors, 432

stub areas, 428-429

troubleshooting, 433-441

Type 3 LSA filtering, 429-430

updates over IPsec, 823-824

virtual links, 419-427

PIM (Protocol Independent Multicast), enabling, 1124-1127

PPTP (Point-to-Point Tunneling Protocol), inspections, 522

RIP (Routing Information Protocol)

authentication, 403-406

configuring, 401-403

configuring redistribution, 409

route filtering, 406-409

troubleshooting, 409-411

SCEP (Simple Certificate Enrollment Protocol), 936

enrollment problems, 975-976

installing certificates, 940-943

SIP (Session Initiation Protocol)

inspections, 524-525

timeout, 525

SNMP (Simple Network Management Protocol)

configuring traps, 162-164

inspections, 527-528

system monitoring, 160-165

supported, 466-467

VPNs (Virtual Private Networks), 14-15

proxies, application, 3

PRSM (Prime Security Manager)

interface, sections, 285-286

login screen, 283

managing CX (ConteXt Security) modules, 282-293

ASA management, 283

centralized license management, 283

component and software updates, 290-292

configuration database backup, 292-293

configuring user accounts, 286-288

CX failover support, 283

Deployment Manager, 283

licensing, 288-290

Multiple Device mode (PRSM), 282

shared objects and policies, 282

Single Device mode, 282

unified monitoring, 282

universal policies, 282

Public Key Infrastructure (PKI). See PKI (Public Key Infrastructure)

Q

QoS (Quality of Service), 1131-1132

action rules, applying, 1148

architecture, 1136-1142

class maps, setting up, 1152-1153

configuring, 1142-1155

via ASDM, 1143-1151, 1157-1160

via CLI (command-line interface), 1152-1155, 1157-1160

deploying, 1155-1162

IP ACLs (access control lists), 1141

monitoring, 1162-1164

packet classification, 1137-1141

packet flow sequence, 1136-1137

policy maps

applying to interface, 1155

configuring, 1153-1154

priority queuing, tuning, 1143-1144, 1152

service policies, defining, 1144

traffic

IP flow, 1141

policing, 1134-1135, 1149-1150

prioritization, 1133, 1148

shaping, 1135-1136, 1150-1151

Traffic Classification Criteria wizard, 1145-1147

VPN tunnel group, 1141

VPN tunnels, 1142

Quality of Service (QoS). See QoS (Quality of Service)

query timeout, IGMP, 1123

R

RADIUS (Remote Authentication Dial In User Service), 191, 194-195

accounting, 220

authentication, setting up, 1114-1115

RADIUS attribute ID, 1063

randomization, sequence numbers, 345

Rate-Limiting of Tunnel Traffic example (25-7), 1154

Read-Only-Memory Monitor mode (ROMMON mode), 87

Real Port option (Advanced NAT Settings dialog box), 353

Real-Time Streaming Protocol (RTSP), inspections, 523-524

Real-time Transport Control Protocol (RTCP), 494-495

Real-time Transport Protocol (RTP), 494

rear panels

Cisco ASA 5505 model, 32-33

Cisco ASA 5510 model, 36

Cisco ASA 5512-X model, 38

Cisco ASA 5520 model, 41

recovery process, passwords, 137-140

disabling, 141-144

redesigning address translation, 349-350

Redistributing Static Routes into EIGRP example (12-39), 452

redistribution

configuring, RIP (Routing Information Protocol), 409

EIGRP routes, 450-452

OSPF (Open Shortest Path First), configuring, 426-427

Redundant Interface Configuration example (16-1), 645

redundant interfaces, 642-646

configuring, 644-645

deploying, 643-644

monitoring, 645-646

Regex String parameter (Add Signature dialog box), 758

registry checks, CSD (Cisco Secure Desktop), setting up, 1114

Registry endpoint attribute (DAP), 1067

relay, DHCPv6, 384-385

Release parameter (Add Signature dialog box), 758

Reloading the Security Appliance example (5-18), 135

remote access traps, 162

Remote Access VPN Feature icon (Configuration screen), 98

remote access VPNs. See also IPsec remote-access VPNs

remote blocking, IPS (intrusion prevention system), 758-762

Remote Shell (RSH), inspections, 523

remote system management, 126-132

SSH (Secure Shell), 129-132

Telnet, 126-129

remote-access VPN clients

Cisco ASA, configuring to accept, 971-972

dynamic PAT, 369-371

Removing a Security Context example (14-14), 554

Removing All Security Contexts example (14-15), 554

Removing Existing RSA Key Pair example (21-2), 946

rendezvous points, PIM (Protocol Independent Multicast), configuring, 1125-1126

request option (max-header-length command), 512

request-method command, 513-514

request-queue command (GTP map), 492

requirements, CSD (Cisco Secure Desktop), 1044-1045

reset option

content-length command, 510

max-header-length command, 512

max-uri-length command, 512

port-misuse command, 512

request-method command, 514

strict-http command, 510

transfer-encoding type command, 515

Resetting Hit-Count Counters with clear access-list counters example (8-11), 261

Resource Allocation for a Member Class example (14-16), 557

resource management, virtual firewall, 555-559

resource management option (system execution space), 534

resource traps, 162

response option (max-header-length command), 512

restrict access to VLAN attribute (SSL VPN), 998

restrictions, transparent firewalls, 599-602

retiring IPS signatures, 792-793

retr FTP command, 485

reverse route injection (RRI), site-to-site IPsec VPNs, 824-826

Reverting to Single-Mode Firewall example (14-4), 546

rfc option (request-method command), 514

rfc_method option (request-method command), 514

RIP (Routing Information Protocol), 400-411

authentication, 403-406

configuring, 401-403

configuring redistribution, 409

route filtering, 406-409

troubleshooting, 409-411

RIP Authentication Commands Sent to the Cisco ASA example (12-5), 406

RIP CLI Commands example (12-3), 403

rip event class, 148

risk rating (RR), IPS (intrusion prevention system), 789-791

rm event class, 148

rnfr FTP command, 485

rnto FTP command, 485

role transition, failover, 666-667

ROMMON mode (Read-Only-Memory Monitor mode), 87

route command, 394-395

route filtering, EIGRP, configuring, 445-447

Route Map Using a Standard ACL example (8-6), 251

route summarization, EIGRP, 448-450

routed firewalls, 591-592

versus transparent firewalls, 593-594

router advertisement transmission interval, IPv6, 385-386

routes

redistribution, EIGRP, 450-452

static

backup ISP deployment, 649-652

configuring with SLA monitor, 647-648

floating connection timeout, 649

tracking, 652

transparent firewalls, setting up, 606-607

routing

IP (Internet Protocol), 391

configuring static routes, 392-400

displaying routing tables, 399-400

monitoring static routes, 395-398

OSPF (Open Shortest Path First), 412-441

RIP (Routing Information Protocol), 400-411

IP multicast, 1119, 1120-1127, 1129

enabling, 1121-1124

enabling PIM, 1124-1127

IGMP support, 1120

PIM-SM (Protocol Independent Multicast-Sparse Mode), 1120

troubleshooting, 1127-1129

PBR (policy-based routing), ASASM (ASA Services Module), 183-189

Routing Feature icon (Monitoring screen), 100

Routing Information Protocol (RIP). See RIP (Routing Information Protocol)

Routing Table After Application of Route Filtering Rules example (12-7), 408

Routing Table on Internal Router example (19-13), 826

Routing Table on the ASA example (19-11), 825

routing tables, displaying, 399-400

RR (risk rating), IPS (intrusion prevention system), 789-791

RRI (reverse route injection), site-to-site IPsec VPNs, 824-826

single site-to-site tunnel configuration, 831-836

RSA SecurID (SDI), 196-197

RSA Security Analytics, 794

RSH (Remote Shell), inspections, 523

RTCP (Real-time Transport Control Protocol), 494-495

inspections, 523-524

RTP (Real-time Transport Protocol), 494

rtp option (match), 471

S

Sample CX Redirection Policy example (9-3), 329

Sample IPS Redirection Policy example (17-7), 780

SCCP (Simple Client Control Protocol), inspections, 525-527

SCEP (Simple Certificate Enrollment Protocol), PKI (Public Key Infrastructure), 936

enrollment problems, 975-976

certificates, installing, 940-943

SCEP Required AAA attribute, 1063

SCP file transfer protocol, 132

Secure Desktop (CSD), 1043

Secure Desktop Manager (CSD), 1043

secure mobility objects (CX), 300-301

Secure Shell (SSH), remote system management, 129-132

SecureMeInc.org, 592, 617-618

SecurID (SDI), 196-197

security, 1, 28

AAA (authentication, authorization, and accounting)

protocols, 192-198

services, 192-198

accounting

configuring, 219-222

TACACS+ (Terminal Access Controller Access Control System Plus), 221-222

algorithms, support, 129

AnyConnect Secure Mobility, 25-26

ASDM (Adaptive Security Device Manager)

AAA (authentication, authorization, and accounting) test utility, 226-227

Access Method tab, 1073-1074

accessing, 94-97

Action tab, 1068-1069

AnyConnect tab, 1074

ASA CX Status tab, 97

Bookmarks tab, 1073

configuration, 98-99, 257-259

connections, 208-209

Content Security tab, 97

Device Dashboard tab, 96-97

enabling RIP in, 401

Firewall Dashboard tab, 97

Functions tab, 1071

image upgrade, 133-136

initial setup, 92-100

Intrusion Prevention tab, 97

Local CA (Certificate Authority), 958-960, 963-965

logging, 150

monitoring IPS, 793

Monitoring screen, 99-100

Network ACL Filters tab, 1069

PKI (Public Key Infrastructure) certificates, 936-938

Port Forwarding Lists tab, 1072

QoS (Quality of Service), 1143-1151, 1157-1160

setting up for IPS management, 752

uploading, 92-93

Webtype ACL Filters tab, 1070-1071

authentication

ASDM connections, 208-209

configuring, 204-209

configuring of administrative sessions, 204-209

configuring OSPF, 422-426

customizing, 214-215

EIGRP, 447-448

RADIUS (Remote Authentication Dial In User Service), 194-195

RIP (Routing Information Protocol), 403-406

SecurID (SDI), 196-197

serial console connections, 207-208

service support, 192

SSH (Secure Shell) connections, 206-207

Telnet connections, 204-206

timeouts, 214

authorization

commands, 217-218

configuring, 215-219

service support, 193

cloud computing, 26-27

CX (ConteXt Security) modules, 268

architecture, 273-277

hardware modules, 270

high availability, 272-273

managing with PRSM, 282-293

preparing for configuration, 277-282

software modules, 271

solutions, 268

firewalls, 2-9

deep packet inspection, 8

DMZ (demilitarized zones), 7

next-generation context-aware, 8

personal, 9

IDS (intrusion detection systems), 9-14

IPS (intrusion prevention system), 9-14, 733, 786, 787, 799

accessing CIPS from ASA CLI, 747-748

anomaly detection, 763-766

anomaly-based analysis, 12-14

ASDM, setting up, 752

backing up configuration, 776

basic management settings, 748-752

BTF (Botnet Traffic Filter), 780-786

CIPS, 744-776

CMS event tables, 794

CollaborationApp, 744

configuring basic management settings, 748-752

configuring CIPS on, 753-768

configuring traffic redirection, 778-780

custom signatures, 755-758

disabling signatures, 791-792

events, 776-778

EventStore, 744

global correlation, 766-768

global threat correlation capabilities, 14

HA (high availability), 739

hardware modules, 735-736

heuristic-based analysis, 12

inline mode, 737-738

installing CIPS license key, 752-753

installing CIPS system software, 744-747

integration, 733

logical architecture, 735

MainApp, 741-743

maintaining, 768-778

monitoring, 793-794

pattern matching, 11

preparing for configuration, 744-753

process information, displaying, 771-772

promiscuous mode, 738-739

remote blocking, 758-762

risk rating (RR), 789-791

SensorApp, 743

setting up ASDM for, 752

signatures, 772-776, 791-793

software architecture, 739-740

software modules, 736

stateful pattern-matching recognition, 11

traffic redirection, 778-780

tuning, 787-789, 793-794

user account administration, 769-770

link, failover, 659-660

PKI (Public Key Infrastructure), 931-932, 977

CA (Certificate Authority), 933-935

certificates, 932-933, 936

configuring Cisco ASA to accept remote-access IPsec VPN clients, 971-972

configuring IPsec site-to-site tunnels, 966-971

installing certificates, 936-957

Local CA (Certificate Authority), 957-966

troubleshooting, 972-977

PRSM (Prime Security Manager)

interface, sections, 285-286

login screen, 283

managing CX (ConteXt Security) modules, 282-293

QoS (Quality of Service), 1131-1132

architecture, 1136-1142

configuring, 1142-1155

deploying, 1155-1162

monitoring, 1162-1164

types, 1133-1136

routed firewalls, 591-592

versus transparent firewalls, 593-594

SSL VPNs, authentication, 987-1004

SSPs (Security Services Processors), 47

transparent firewalls, 591-594, 640

architecture, 593-599

configuring, 602-616

deployment scenarios, 616-636

enabling, 603-604

MMTFs (multimode transparent firewalls), 597-599

monitoring, 636-637

restrictions, 599-602

versus routed firewalls, 593-594

setting up interfaces, 604-605

SMTFs (single-mode transparent firewalls), 593-597

troubleshooting, 637-640

virtual firewall, 531-533, 590

admin context, 535

architecture, 533-544

configuring security contexts, 544-559

deployment scenarios, 559-585

monitoring security contexts, 586-588

non-shared interfaces, 559-572

packet classification, 536-541

shared interfaces, 572-585

system execution space, 533

troubleshooting, 588-590

user context, 535-538

virtualization, 26-27

VPNs (Virtual Private Networks), 14-25

security appliances, supported subinterfaces, 107

Security Context Creation Failure example (14-26), 588

security contexts

site-to-site IPsec VPNs, hub and spoke deployment, 836-848

virtual firewall

configuring, 544-559

enabling globally, 544-546

managing, 554

monitoring, 586-588

VLANs, 538

Security Contexts feature, 65

Security Group attribute (Add Access Rule dialog box), 236

Security Group attribute (Add Management Access Rule), 241

security levels

descriptions, 145

NAT (Network Address Translation), 346-349

security object groups, 244

Security Plus license, 59-60

security protection mechanisms, address translation, 345-346

Security Services Processors (SSPs), 47

selective application inspection, 469-473

Selective Output of show running-config example (5-3), 122

SensorApp, IPS (intrusion prevention system), 743

seq seq-value option (prefix-list command), 431

sequence numbers, randomization, 345

sequence of events, DAP (dynamic access policies), 1062

serial console connections, authentication, 207-208

server-based object groups, configuring, 247-248

servers

authentication, defining, 198-204

email, defining, 154

IP address assignments, 256

licensing, 78-79

shared licenses, 76

syslog

defining, 153-154

logging, 150

service accounts, IPS (intrusion prevention system), 770

Service attribute (Add Access Rule dialog box), 236

Service attribute (Add Management Access Rule), 241

service objects (CX), 302-303

service policies, QoS (Quality of Service), defining, 1144

Service Ports parameter (Add Signature dialog box), 758

service-based object group, 244

services

AAA (authentication, authorization, and accounting), 192-198

DHCP, 112-113

session event class, 148

Session Initiation Protocol (SIP)

inspections, 524-525

timeout, 525

Setting the Boot Parameter example (5-16), 135

Setting the System Clock and Time Zone example (4-17), 114-116

Setting Up a Default Gateway Toward the Inside Interface example (15-8), 607

Setting Up a Default Gateway Toward the Management Interface example (15-7), 607

Setting Up a Logging List example (5-26), 149

Setting Up a Logging List for Multiple Destinations example (5-27), 152

Setting Up an Admin Context example (14-11), 552

Setting Up Optional IPv6 Parameters example (11-3), 386

Setting Up SNMP Version 3 example (5-37), 164

Setting Up Syslog Servers example (5-29), 154

Setting Up TFTP Parameters example (5-20), 136

Setting Up the Hostname, Domain Name, and Passwords example (4-9), 102

SFR metric (RR), 790-791

shaping traffic, QoS (Quality of Service), 1135-1136, 1150-1151

shared interfaces

forwarding with, 542-544

forwarding without, 541-542

virtual firewall, 572-585

Shared License Server Statistics example (3-10), 80

shared licensing

configuring, 78-80

monitoring operation, 80

operations, 76-77

shared objects and policies (PRSM), 282

Shared Premium licensing, SSL VPNs, 985

shared premium VPN licensing, 75-80

show aaa-server command, 225

show aaa-server protocol command, 202-203

show access-list outside_access_in command, 261

show admin-context command, 586

show asp drop command, 171, 587-588

show block command, 167

show clock command, 974-975

show cluster command, 717

show cluster Command Options example (16-23), 717

show conn command, 262, 637

flags, 263

show conn state ctiqbe command, 475

show context command, 586, 587

show cpu usage command, 165

show cpu usage context command, 587

show crypto accelerator statistics command, 850-851, 924-925

show crypto accelerator statistics Command Output example (20-37), 924-925

show crypto ca certificates command, 974-975

show crypto ca crls command, 957

show crypto ca server certificate command, 962-963

show crypto ca server command, 962-963

show crypto ca server user-db username user1 command, 966

show crypto ikev1 sa detail command, 924

show crypto ikev1 sa detail Command Output example (20-35), 924

show crypto ipsec sa command, 849-850, 924

show crypto ipsec sa Command Output example (20-36), 924

show crypto isakmp sa detail command, 848-849

show crypto protocol statistics ikev1/ipsec commands, 925-926

show eigrp events command, 455, 461-462

show eigrp interfaces command, 456

show eigrp neighbors command, 454

show eigrp traffic command, 456

show firewall command, 636

show igmp groups command, 1128

show igmp interface command, 1128

show igmp traffic command, 1128

show interface command, 105-106

show local-host command, 376

show logging command, 152

show memory command, 166

show mfib command, 1128

show mode command, 586

show mroute command, 1128

show mroute summary command, 1128

show nat detail command, 377

show ntp status command, 118

show ospf [process-id] command, 434

show ospf command, 419

show ospf database command, 437

show ospf interface command, 434-435

show ospf neighbor command, 435

show ospf neighbor detail command, 435

show ospf virtual-links command, 422, 440-441

show pim df command, 1128

show pim group-map command, 1128

show pim interface command, 1128

show pim join-prune statistic command, 1128

show pim neighbor command, 1128

show pim range-list command, 1128

show pim topology command, 1128

show pim traffic command, 1128

show pim tunnel command, 1128

show priority-queue statistics command, 1163-1164

show route command, 403, 410

show route inside command, 418, 445

show running-config command

output, 120-121

from interface configuration, 123

partial output, 122

selective output, 122

show service-policy command, 472-473, 1162

show service-policy interface outside command, 1163

show snmp-server statistics command, 165

show startup-config command, output, 123-124

show statistics analysis-engine command, 795-796

show statistics analysis-engine Command Output example (18-2), 795-796

show statistics authentication command, 796

show statistics authentication Command Output example (18-3), 796

show statistics command, 795

show statistics Command Options example (18-1), 795

show statistics event-server command, 796

show statistics event-server Command Output example (18-4), 796

show statistics event-store command, 797

show statistics event-store Command Output example (18-5), 797

show statistics host command, 797-798

show statistics host Command Output example (18-6), 797-798

show statistics logger command, 798-799

show statistics logger Command Output example (18-7), 799

show uauth command, 226

show version command, 136

show vpn-sessiondb detail command, 922-923

show vpn-sessiondb detail Command Output example (20-33), 922-923

show vpn-sessiondb remote command, 923

show vpn-sessiondb remote Command Output example (20-34), 923

show vpn-sessiondb summary command, 851

show vpn-sessiondb summary Command Output example (19-23), 851

show xlate command, 375

Sig Fidelity Rating parameter (Add Signature dialog box), 757

Signature ID parameter (Add Signature dialog box), 757

Signature Name parameter (Add Signature dialog box), 758

signatures, IPS (intrusion prevention system)

custom, 755-758

disabling, 791-792

retiring, 792-793

upgrading, 772-776

Simple Certificate Enrollment Protocol (SCEP), PKI (Public Key Infrastructure), 936

Skinny Client Control Protocol (SCCP), inspections, 525-527

Simple Network Management Protocol (SNMP). See SNMP (Simple Network Management Protocol)

simultaneous logins attribute (SSL VPN), 998

Single Device mode (PRSM), 282

Single Sign-on Definition via the CLI example (22-11), 1031

single sign-on server attribute (SSL VPN), 998

single site-to-site tunnel configuration, site-to-site IPsec VPNs, 831-836

single-mode firewalls

reverting to, 546

SMTFs (single-mode transparent firewalls), 593-597

deploying, 617-623

single-mode virtual firewalls, 537

SIP (Session Initiation Protocol)

inspections, 524-525

timeout, 525

SIP Timeout example (13-22), 525

site FTP command, 485

site-local addresses, 382

site-to-site IPsec VPNs, 801-802, 857

configuring, 805-822

alternative methods, 820-822

crypto maps, creating, 812-816

deployment, 830

hub and spoke, 836-848

single site-to-site tunnel configuration, 831-836

fragmentation policies, 829-830

IPsec, defining policy, 810-812

ISAKMP

creating policy, 807-808

enabling, 806

management access, 828-829

monitoring, 848-851

NAT (Network Address Translation), bypassing, 817-818

NAT-T (NAT Traversal), 826-827

OSPF (Open Shortest Path First) updates over IPsec, 823-824

PFS (Perfect Forward Secrecy), enabling, 819-820

preconfiguration checklist, 802-804

RRI (reverse route injection), 824-826

traffic filtering, configuring, 816-817

troubleshooting, 852-857

tunnel default gateway, 827-828

tunnel groups, setting up, 808-810

Site-to-Site VPN Feature icon (Configuration screen), 98

site-to-site VPN tunnels, identity NAT, 367-369

sizes, buffers, 166

Skinny (SCCP), inspections, 525-527

SLA monitor, static routes, configuring, 647-648

slave units, clustering, 685-686

smart tunnel attribute (SSL VPN), 998

smart tunnels, clientless remote-access SSL VPNs, configuring, 1037-1040

SMTFs (single-mode transparent firewalls), 593-597

deploying, 617-623

SNMP (Simple Network Management Protocol)

configuring traps, 162-164

inspections, 527-528

system monitoring, 160-165

snmp event class, 148

SNMP Inspection example (13-23), 527-528

SNMP trap logging, 151

software, installing, 132-137

software architecture, IPS (intrusion prevention system), 739-740

software modules, IPS (intrusion prevention system), 736

software modules (CX), 271

software requirements

client-based remote-access SSL VPNs, 1088-1089

clustering, 687-690

failover, 656-658

SSL VPNs, 986-987

source address field (IPv6 header), 381

Source attribute (Add Access Rule dialog box), 235

Source attribute (Add Management Access Rule), 241

Source Information option (Advanced NAT Settings dialog box), 353

source object groups (CX), 304-305

Source Service attribute (Add Management Access Rule), 242

spanned EtherChannel deployment, clustering, 720-731

spanned EtherChannel mode, clustering, 693-695

Specifying the ASDM Location example (4-7), 93

split horizon, EIGRP, 450

Split Tunnel Configuration example (20-15), 888

split tunneling, AnyConnect Secure Mobility Client, 1103-1106

Splunk, 794

SQL*Net, inspections, 528

src option (mroute command), 1127

SSH (Secure Shell)

connections, authentication, 206-207

monitoring sessions, 131

remote system management, 129-132

SSL (Secure Sockets Layer)

clientless remote-access SSL VPNs, prerequisites, 982-987

negotiations, troubleshooting, 1081

SSL (Secure Sockets Layer) VPNs, 979-980, 987-988

AnyConnect SSL VPNs

configuring, 1115-1116

troubleshooting, 1116-1118

attributes, configurable, 998

authentication, configuring, 987-1004

client-based remote-access SSL VPNs, 1085, 1118

AnyConnect secure mobility client configuration, 1096-1112

configuring, 1090-1095, 1090-1094

deploying, 1086-1088

enrolling digital certificates, 1090

prerequisites, 1088-1090

tunnel policies, 1090-1094

user authentication, 1094-1095

clientless remote-access SSL VPNs, 1084

configuring, 1004-1041

configuring application access, 1034-1040

configuring bookmarks, 1024-1031

configuring client-server plug-ins, 1040-1041

configuring smart tunnels, 1037-1040

configuring web-type ACLs, 1031-1034

CSD (Cisco Secure Desktop), 1041-1053

DAP (dynamic access policies), 1060-1074

deploying, 1075-1078

enabling on interfaces, 1005-1006

Host Scan, 1054-1060

monitoring, 1078-1081

troubleshooting, 1081-1084

content area, 1014

copyright area, 1011

design considerations, 980-982

digital certificates, enrolling, 988-993

group policies, configuring, 994-998

information area, 1011

logon area, 1010-1011

logon page, 1006-1008

customized, 1016-1018

full customization, 1019-1021

logout page, 1015

navigation panel, 1013

portal customization, configuring, 1006-1024

portal page, 1012

customized, 1018-1019

servers, 1004

title area, 1008-1010

title panel, 1012

Toolbar screen, 1013

tunnel groups, configuring, 997-1000

tunnel policies, configuring, 994-995

user portal page, full customization, 1021-1024

SSL-based VPNs (Virtual Private Networks), 23-25

ssl event class, 148

SSPs (Security Services Processors), 47

standard ACLs (access control lists), 233, 250-251

standard SNMP traps, 162

Standby MAC and IP Address Configuration example (16-4), 661

startup configuration, 123-124

state transition

clustering, 705-706

failover, 666-667

stateful connection redundancy, clustering, 685

stateful failover, 653-654

stateful firewalls, 267

stateful inspection firewalls, 6-7

stateful links, failover, 659

stateful pattern-matching recognition

IDS (intrusion detection systems), 11

IPS (intrusion prevention system), 11

Stateful Session Creation Failure on Standby ASA example (16-12), 679

static address translation, 5-6

static IP routes, configuring, 392-400

Static L2F Entry example (15-11), 612

static L2F table entries, transparent firewalls, adding, 612

static multicast routes, PIM (Protocol Independent Multicast), configuring, 1127

static NAT, 341-342

configuring, 611

with dynamic PAT for DMZ web server, 363-364

overlapping subnets, 366-367

static neighbors, EIGRP, defining, 448

static PAT, 341-342

web servers on DMZ networks, 364-365

static routes

backup ISP deployment, 649-652

configuring with SLA monitor, 647-648

floating connection timeout, 649

tracking, 646-652

Static Routing Commands Sent by ASDM example (12-1), 398

Statically Assigning an IGMP Group example (24-1), 1122

statistics, IPS (intrusion prevention system), displaying, 795-799

status LEDs

Cisco ASA 5505 model, 32

Cisco ASA 5510 model, 36

Cisco ASA 5512-X model, 38-39

Cisco ASA 5520 model, 36

Cisco ASA 5540 model, 36

Cisco ASA 5550 model, 36

Cisco ASA 5585-X Series model, 48

stor FTP command, 485

storage key attribute (SSL VPN), 998

storage objects attribute (SSL VPN), 998

storing, logs internally and externally, 154

stou FTP command, 485

strict-http command, 510

stub areas, OSPF (Open Shortest Path First), 428-429

subinterfaces, configuring, 106-108

SubSignature ID parameter (Add Signature dialog box), 757

Successfully Activated Permanent Key example (3-2), 71

Sun Remote Procedure Call (RPC), inspections, 522-523

supported address types, IPv6, 380-382

Supported Traffic Classification Options example (13-3), 470

svc event class, 148

SVC Logging example (23-16), 1118

Switching to System Execution Space example (14-5), 548

sys event class, 148

syslog

enabling timestamps, 147

messages, 273, 640

traps, 162

syslog message ID tuning, 156

Syslog Message with a Fail-Close Policy and ASA CX Down example (9-1), 273

syslog servers

defining, 153-154

logging, 150

system clock

automatic clock adjustment, 116-118

configuring, 114-118

date, setting, 116

manual adjustment, 114-116

time zone, setting, 114-115

System Context Configuration with Failover Groups example (16-8), 676-677

system events, CX (ConteXt Security) modules, 331-332

system execution space, virtual firewall, 533

adding user contexts, 549

configuring, 562-563

switching to, 548

system logging, 144-156

ASDM logging, 150

buffered logging, 151-152

console, 150

email logging, 150

enabling, 146-149

flash logging, 155

FTP logging, 155-156

logging types, 149

SNMP trap logging, 151

storing logs internally and externally, 154

syslog server logging, 150

terminal logging, 150

system maintenance, 119, 132-144

software installation, 132-137

system monitoring, 144-165

NSEL (NetFlow Secure Event Logging), 156-160

SNMP (Simple Network Management Protocol), 160-165

system logging, 144-156

System Resources Status section (Device Dashboard tab), 97

T

T.38 protocol, 499

TACACS+ (Terminal Access Controller Access Control System Plus), 191, 195-196

accounting, 221-222

TAPI (Telephony Application Programming Interface), 473

TCP connection processing, cluster packet flow, 702-703

TCP Intercept, 346

TCP Proxy component (Data Plane), 275

Telephony Application Programming Interface (TAPI), 473

Telnet

connections, authentication, 204-206

remote system management, 126-132

Terminal Access Controller Access Control System Plus (TACACS+). See TACACS+ (Terminal Access Controller Access Control System Plus)

terminal logging, 150

test aaa-server authentication command, 227

test aaa-server authentication Command example (7-20), 227

TFTP (Trivial File Transfer Protocol), inspections, 528

through-the-box traffic filtering, 235-240

tiered capacity features, 65-66

AnyConnect Essentials, 66

AnyConnect Premium Peers, 66

Security Contexts, 65


UC Phone Proxy Sessions, 65-66

time, system clock, setting, 116

time and date mismatch, PKI (Public Key Infrastructure), troubleshooting, 972-975

Time Range attribute (Add Management Access Rule), 242

time zone, system clock, setting, 114-115

time-based ACLs (access control lists), 251-253

Time-Based Activation Key Aggregation example (3-4), 71

time-based activation keys, 68-70, 71

aggregation, 71

deactivating, 72

expiration, 70-71

time-based license countdown, aggregated, 75

timeout

floating connection, static routes, 649

SIP (Session Initiation Protocol), 525

timeout command (GTP map), 492

timeouts, authentication, 214

Time-Range Configuration example (8-7), 253

timestamps, syslog, enabling, 147

title area, SSL VPNs, 1008-1010

title panel, SSL VPNs, 1012

TLS (Transport Layer Security) Decryption

configuring, 318-320

CX (ConteXt Security) modules, enabling, 316-322

defining decryption policy, 320-322

TLS (Transport Layer Security) Decryption Proxy module, 276

TLS Proxy Commands Sent by ASDM example (13-16), 506

TLS Proxy feature, 505-506

Toolbar screen, SSL VPNs, 1013

topologies

EIGRP, displaying, 454

IPv6, 386

NAT, 389

Total UC Proxy Sessions feature, 66

Total VPN Peers feature, 63

tracing, packet flow, 168-169

Tracing Packet Through the CLI example (5-42), 169

track number option (route command), 394

tracking static routes, 652

traffic

filtering

AnyConnect Secure Mobility Client, 1108

to-the-box, 240-242

configuring, 816-817

deployment, 255-260

inbound, 255-260

IPv6, 387

through-the-box, 235-240

matching specific, ACLs (access control lists), 468

QoS (Quality of Service), 1131-1132

architecture, 1136-1142

configuring, 1142-1155

monitoring, 1162-1164

policing, 1134-1135, 1149-1150

prioritization, 1133, 1148

shaping, 1135-1136

redirection

CX (ConteXt Security) modules, 327-329

IPS (intrusion prevention system), 778-780

shaping, 1154

QoS (Quality of Service), 1150-1151

traffic class field (IPv6 header), 381

Traffic Classification Criteria wizard, QoS (Quality of Service), 1145-1147

traffic flow, ASASM (ASA Services Module), managing, 178-180

Traffic Prioritization for the VoIP Traffic example (25-6), 1154

traffic selection, BTF (Botnet Traffic Filter), 783-786

Traffic Shaping and Hierarchical Traffic Priority example (25-8), 1154

Traffic Status section (Device Dashboard tab), 97

transaction size attribute (SSL VPN), 998

transfer-encoding type command, 515

Transform Set Configuration example (19-4), 811

Transform Set Configuration example (20-5), 879

Translate DNS Replies for Rule option (Advanced NAT Settings dialog box), 352

translation, IPv6 addresses, 389-390

Translation Addr attribute (Add Network Object dialog box), 351

transparent firewalls, 591-594, 640

architecture, 593-599

configuring, 602-616

adding static L2F table entries, 612

enabling ARP inspection, 613-615

guidelines, 602-603

interface ACLs, 608-611

IP addresses, 605-606

modifying L2F table parameters, 615-616

NAT (Network Address Translation), 611-612

routes, 606-607

setting up interfaces, 604-605

deploying, 616-617

MMTFs (multimode transparent firewalls), 623-636

SMTFs (single-mode transparent firewalls), 617-623

enabling, 603-604

MMTFs (multimode transparent firewalls), 597-599

monitoring, 636-637

restrictions, 599-602

versus routed firewalls, 593-594

SMTFs (single-mode transparent firewalls), 593-597

deploying, 617-623

troubleshooting, 637-640

transparent mode option (system execution space), 534

transparent tunneling, IPsec remote-access VPNs, 897-899

traps, SNMP (Simple Network Management Protocol), configuring, 162-164

Trend Micro Content Security (CSC-SSM) Feature icon (Configuration screen), 99

Trend Micro Content Security Feature icon (Monitoring screen), 100

Trivial File Transfer Protocol (TFTP), inspections, 528

troubleshooting

administrative connections, 222-227

AnyConnect SSL VPNs, 1116-1118

clientless remote-access SSL VPNs, 1081-1084

clustering, 717-720

CPUs, 172

devices, 168-172

EIGRP, 454-462

failover, 678-680

firewall sessions, 225-226

IP multicast routing, 1127-1129

IPsec remote-access VPNs, 926-928

OSPF (Open Shortest Path First), 433-441

packets, 168-171

PKI (Public Key Infrastructure), 972-977

RIP (Routing Information Protocol), 409-411

site-to-site IPsec VPNs, 852-857

transparent firewalls, 637-640

virtual firewall, 588-590

trusted flow bypass, ASASM (ASA Services Module), PBR (policy-based routing), 183-189

tuning IPS (intrusion prevention system), 787-789

tools, 793-794

tunnel default gateway

IPsec remote-access VPNs, 896-897

site-to-site IPsec VPNs, 827-828

Tunnel Default Gateway Configuration example (19-15), 828

Tunnel Default Gateway Configuration example (20-18), 897

Tunnel Group Configuration example (21-30), 968

Tunnel Group Definition example (19-3), 810

Tunnel Group Definition example (20-4), 877

Tunnel Group Definition example (22-6), 999

Tunnel Group Definition example (23-2), 1093

Tunnel Group URL Definition example (22-7), 1000

tunnel groups

configuration, 968

definition, 810, 877, 999, 1093

setting up, 808-810

SSL VPNs, configuring, 997-1000

tunnel policies, client-based remote-access SSL VPNs, 1090-1094

tunneled option (route command), 394

tunnel-group option (match), 471

tunneling, AnyConnect Secure Mobility Client, features, 1103-1109

tunneling option (port-misuse command), 512

tunneling protocols attribute (SSL VPN), 998

tunnel-limit command (GTP map), 492

tunnels

smart, configuring, 1037-1040

VPN (Virtual Private Network), QoS (Quality of Service), 1142

TVR metric (RR), 790

Type 3 LSA filtering, OSPF (Open Shortest Path First), 429-430

Type attribute (Add Network Object dialog box), 351

U

UC (Unified Communications) advanced support, application inspections, 499-506

UC Phone Proxy Sessions feature, 65-66

UDP connection processing, cluster packet flow, 702-703

Unified Communications (UC) advanced support, application inspections, 499-506

unified monitoring (PRSM), 282

Uninstalling AnyConnect Client After Session Disconnects example (23-9), 1108

unit roles

clustering, 685-687

failover, 652-653

universal policies (PRSM), 282

Uniform Resource Identifier (URI), 512

updates, CX (ConteXt Security) modules, 290-292

upgrading CIPS system software, 772-776

uploading ASDM, 92-93

Uploading the ASDM Image to the Local Flash example (4-6), 92-93

URI (Uniform Resource Identifier), 512

URL entry attribute (SSL VPN), 998

URL objects (CX), 298

user accounts

configuring, PRSM, 286-288

IPS (intrusion prevention system), administration, 769-770

user agent objects (CX), 299

User attribute (Add Access Rule dialog box), 236

User attribute (Add Management Access Rule), 241

user authentication, client-based remote-access SSL VPNs, 1094-1095

User Comments parameter (Add Signature dialog box), 758

user context, virtual firewall, 535-538

adding, 549

configuring, 553-554

User Devices dashboard (CX), 330

User Identity module (CX), 275

user identity services, CX (ConteXt Security) modules

configuring directory servers, 310-312

connecting to AD agent or CDA, 312-313

defining user identity discovery policy, 314-316

enabling, 309-316

tuning authentication settings, 313-314

user portal page, SSL VPNs, full customization, 1021-1024

user storage location attribute (SSL VPN), 998

Username AAA attribute, 1063

Users dashboard (CX), 330

Using the CLI to Configure Authentication for Telnet Connections example (7-5), 206

V

values, initial setup, 91

Verifying Chassis Is Redirecting Traffic to the ASA Services Module example (6-12), 189

Verifying Firewalls Mode example (15-3), 604

Verifying the Admin Context example (14-12), 553

Verifying the Maximum Number of Security Contexts example (14-27), 588

Verifying the Number of Security Contexts example (14-1), 536

Verifying the TFTP Parameters example (5-21), 137

Verifying Virtual Firewall Mode example (14-3), 546

Verifying VPN Client Use of IPsec over TCP example (20-22), 899

version field (IPv6 header), 381

viewer accounts, IPS (intrusion prevention system), 769

Viewing RSA Key Pair Information example (21-3), 946

virtual firewall, 531-533, 590

admin context, 535

configuring, 552-553, 563-568

architecture, 533-544

configuration URL, specifying, 550-551

deployment scenarios, 559-585

interfaces, configuring, 549-550

multiple-mode, 537

packet flow, 541-544

non-shared interfaces, 559-572

packet classification, 536-541

resource management, 555-559

security contexts

configuring, 544-559

enabling globally, 544-546

managing, 554

monitoring, 586-588

shared interfaces, 572-585

single-mode, 537

reverting to, 546

system execution space, 533

adding user contexts, 549

configuration, 562-563

setting up, 547-549

switching to, 548

troubleshooting, 588-590

user context, 535-538

configuring, 553-554

virtual links, OSPF (Open Shortest Path First), 419-422

virtualization, 26-27

VLAN Assignment to ASA Services Modules example (6-4), 178

VLAN Trunk Ports feature, 62

VLANs (virtual LANs)

supported security contexts, 538

interfaces, assigning, 177-178

vm event class, 148

vpdn event class, 148

vpn event class, 148

VPN Feature icon (Monitoring screen), 100

VPN Filters example (20-14), 886

VPN Flex licenses, SSL VPNs, 985-986

VPN Load-Balancing Configuration with Encryption example (20-24), 904

VPN Sessions section (Device Dashboard tab), 97

vpnc event class, 148

vpnfo event class, 148

vpnlb event class, 148

VPNs (Virtual Private Networks), 14-25

AnyConnect SSL VPNs

configuring, 1115-1116

troubleshooting, 1116-1118

client-based remote-access SSL VPNs, 1085, 1118

AnyConnect secure mobility client configuration, 1096-1112

configuring, 1090-1095, 1090-1094

deploying, 1086-1088

enrolling digital certificates, 1090

prerequisites, 1088-1090

tunnel policies, 1090-1094

user authentication, 1094-1095

clientless remote-access SSL VPNs, 1084

configuring application access, 1034-1040

configuring bookmarks, 1024-1031

configuring smart tunnels, 1037-1040

CSD (Cisco Secure Desktop), 1041-1053

DAP (dynamic access policies), 1060-1074

deploying, 1075-1078

enabling on interfaces, 1005-1006

Host Scan, 1054-1060

monitoring, 1078-1081

prerequisites, 982-987

troubleshooting, 1081-1084

IPsec, 16-23

IPsec remote-access VPNs, 859-862, 929

Cisco IP phone bypass, 909

client firewalling, 904-907

deployment, 916-922

hardware client network extension mode, 909-910

IKEv1 configuration, 862-889

IKEv2 configuration, 889-896

individual user authentication, 908-909

interactive client authentication, 907-908

IPsec hairpinning, 899-901

L2TP over, 910-916

LEAP bypass, 883-909

monitoring, 922-926

transparent tunneling, 897-899

troubleshooting, 926-928

tunnel default gateway, 896-897

VPN load balancing, 901-904

site-to-site IPsec VPNs, 801-802, 857

bypassing NAT, 817-818

configuring, 805-822

configuring traffic filtering, 816-817

creating crypto maps, 812-816

creating ISAKMP policy, 807-808

defining IPsec policy, 810-812

deployment scenarios, 830-848

enabling ISAKMP, 806

enabling PFS, 819-820

fragmentation policies, 829-830

management access, 828-829

monitoring, 848-851

NAT-T (NAT Traversal), 826-827

OSPF (Open Shortest Path First) updates over IPsec, 823-824

preconfiguration checklist, 802-804

RRI (reverse route injection), 824-826

setting up tunnel groups, 808-810

troubleshooting, 852-857

tunnel default gateway, 827-828

SSL VPNs, 979-980, 987-988

clientless remote-access SSL VPNs, 1004-1041

configurable attributes, 998

configuring authentication, 987-1004

configuring portal customization, 1006-1024

configuring tunnel groups, 997-1000

content area, 1014

copyright area, 1011

customized logon page, 1016-1018

customized portal page, 1018-1019

design considerations, 980-982

full customization of logon page, 1019-1021

full customization of user portal page, 1021-1024

information area, 1011

logon area, 1010-1011

logon page, 1006-1008

logout page, 1015

navigation panel, 1013

portal page, 1012

title area, 1008-1010

title panel, 1012

Toolbar screen, 1013

SSL-based, 23-25

tunnels, QoS (Quality of Service), 1142

W-Z

WAAS (Wide Area Application Services), inspections, 528

web ACL attribute (SSL VPN), 998

Web Categories dashboard (CX), 330

Web Destinations dashboard (CX), 330

web reputation profiles (CX), 306-307

webfo event class, 148

Webtype ACL Filters tab (ASDM), 1070-1071

Webtype ACLs, 234

clientless remote-access SSL VPNs, configuring, 1031-1034

webvpn event class, 148

Wide Area Application Services (WAAS), inspections, 528

Windows NTLM, 197

WINS, AnyConnect Secure Mobility Client, assignment, 1106-1107

WLR metric (RR),

Yahoo! IM (Instant Messenger), inspections, 517

Zero Downtime upgrade, clustering, 688-689