Index
Symbols
/bits subnet masks C-3
?
command string B-4
help B-4
Numerics
4GE SSM
connector types 6-2
fiber 6-3
SFP 6-3
support 1-2
802.1Q tagging 5-11
802.1Q trunk 6-7
A
AAA
about 14-1
accounting 21-14
addressing, configuring 33-2
authentication
CLI access 42-5
network access 21-1
privileged EXEC mode 42-6
authorization
command 42-8
downloadable access lists 21-10
network access 21-8
local database support 14-6
performance 21-1
server
adding 14-9
types 14-3
support summary 14-3
web clients 21-5
abbreviating commands B-3
Access Control Server 35-2, 35-5, 35-8
access hours, username attribute 32-76
accessing the security appliance using SSL 39-3
accessing the security appliance using TLS1 39-3
access list filter, username attribute 32-78
access lists
about 18-1
ACE logging, configuring 18-20
comments 18-18
deny flows, managing 18-22
downloadable 21-10
EtherType, adding 18-8
exemptions from posture validation 35-7
extended
about 18-5
adding 18-7
group policy WebVPN filter 32-68
implicit deny 18-3
inbound 20-1
interface, applying 20-2
IP address guidelines 18-3
IPsec 29-20
logging 18-20
NAT guidelines 18-3
Network Admission Control, default 35-6
object groups 18-18
outbound 20-1
phone proxy 27-8
remarks 18-18
scheduling activation 18-19
standard, adding 18-11
types 18-2
username for Clientless SSL VPN 32-84
access ports 5-9
ACEs
See access lists
Active/Active failover
about 15-11
actions 15-14
command replication 15-13
configuration synchronization 15-12
configuring
asymmetric routing support 15-37
cable-based failover 15-29
failover criteria 15-36
failover group preemption 15-35
HTTP replication 15-35
interface monitoring 15-36
LAN-based failover 15-31
prerequisites 15-29
virtual MAC addresses 15-36
device initialization 15-12
duplicate MAC addresses, avoiding 15-11, 15-37
primary status 15-12
secondary status 15-12
triggers 15-14
Active/Standby failover
about 15-7
actions 15-10
command replication 15-8
configuration synchronization 15-8
configuring
cable-based 15-21
failover criteria 15-28
HTTP replication 15-26
interface monitoring 15-27
interface poll times 15-41
LAN-based 15-23
prerequisites 15-21
unit poll times 15-41
virtual MAC addresses 15-28
device initialization 15-8
primary unit 15-7
secondary unit 15-7
triggers 15-10
Active Directory, settings for password management 32-27
Active Directory procedures D-14 to ??
Adaptive Security Algorithm 1-16
admin context
about 4-3
changing 7-13
administrative distance 10-3
Advanced Encryption Standard (AES) 29-3
AIP SSM
about 23-1
checking status 23-18
configuration 23-4
loading an image 23-19
sending traffic to 23-8
sessioning to 23-5
support 1-2
alternate address, ICMP message C-15
Application Access Panel, WebVPN 39-54
application access using Clientless SSL VPN
group policy attribute for Clientless SSL VPN 32-69
username attribute for Clientless SSL VPN 32-85
application access using WebVPN
and e-mail proxy 39-76
and hosts file errors 39-41
and Web Access 39-76
configuring client applications 39-75
enabling cookies on browser 39-75
privileges 39-75
quitting properly 39-43
setting up on client 39-75
using e-mail 39-76
with IMAP client 39-76
application inspection
about 26-2
applying 26-5
configuring 26-5
inspection class map 16-12
inspection policy map 16-9
security level requirements 8-1
special actions 16-8
Application Profile Customization Framework 39-51
ARP inspection
about 28-1
enabling 28-2
static entry 28-2
ARP spoofing 28-2
ARP test, failover 15-19
ASA (Adaptive Security Algorithm) 1-16
ASA 5505
Base license 5-2
client
authentication 36-12
configuration restrictions, table 36-2
device pass-through 36-8
group policy attributes pushed to 36-10
mode 36-3
remote management 36-9
split tunneling 36-8
TCP 36-4
trustpoint 36-7
tunnel group 36-7
tunneling 36-5
Xauth 36-4
interfaces, about 5-1
MAC addresses 5-4
maximum VLANs 5-2
native VLAN support 5-11
non-forwarding interface 5-6
power over Ethernet 5-4
protected switch ports 5-9
Security Plus license 5-2
server (headend) 36-1
SPAN 5-4
Spanning Tree Protocol, unsupported 5-9
VLAN interface configuration 5-5
ASDM software
allowing access 42-3
installing 43-2
ASR 15-37
asymmetric routing support 15-37
attributes
RADIUS D-27
username 32-76
attribute-value pairs
TACACS+ D-35
attribute-value pairs (AVP) 32-35
authentication
about 14-2
ASA 5505 as Easy VPN client 36-12
CLI access 42-5
FTP 21-3
HTTP 21-2
network access 21-1
privileged EXEC mode 42-6
restrictions, WebVPN 39-6
Telnet 21-2
web clients 21-5
WebVPN users with digital certificates 39-21
authorization
about 14-2
command 42-8
downloadable access lists 21-10
network access 21-8
Auto-MDI/MDIX 6-2
auto-signon
group policy attribute for Clientless SSL VPN 32-67
username attribute for Clientless SSL VPN 32-86
Auto-Update, configuring 43-19
B
backup device, load balancing 31-6
backup server attributes, group policy 32-52
Baltimore Technologies, CA server support 41-5
banner message, group policy 32-45
basic threat detection
See threat detection
bits subnet masks C-3
Black Ice firewall 32-61
BPDUs
ACL, EtherType 18-10
BPDUs, EtherType access list 18-10
bridge
entry timeout 28-4
table, See MAC address table
broadcast Ping test 15-19
bypass authentication 36-8
C
CA
certificate validation, not done in WebVPN 39-2
CRs and 41-2
public key cryptography 41-1
revoked certificates 41-2
server support 41-5
supported servers 41-5
caching 39-49
capturing packets 45-12
cascading access lists 29-15
certificate
authentication, e-mail proxy 39-48
Cisco Unified Mobility 27-54
Cisco Unified Presence 27-59
enrollment protocol 41-7
group matching
configuring 29-9
rule and policy, creating 29-10
Certificate Revocation Lists
See CRLs
certificates
phone proxy 27-15
required by phone proxy 27-17
certification authority
See CA
changing between contexts 7-12
Cisco-AV-Pair LDAP attributes D-12
Cisco Integrated Firewall 32-60
Cisco IP Communicator 27-22
Cisco IP Phones
DHCP 11-4
Cisco IP Phones, application inspection 26-74
Cisco Security Agent 32-60
Cisco Trust Agent 35-8
Cisco UMA. See Cisco Unified Mobility.
Cisco Unified Mobility
architecture 27-51
ASA role 27-2, 27-3
certificate 27-54
functionality 27-50
NAT and PAT requirements 27-52, 27-53
sample configuration 27-73
trust relationship 27-54
Cisco Unified Presence
ASA role 27-2, 27-3
configuring the TLS Proxy 27-60
debugging the TLS Proxy 27-62
NAT and PAT requirements 27-58
sample configuration 27-76
trust relationship 27-59
Cisco UP. See Cisco Unified Presence.
Class A, B, and C addresses C-1
class-default class map 16-5
classes, logging
filtering messages by 44-18
message class variables 44-18, E-5
types 44-18, E-5
classes, MPF
See class map
classes, resource
See resource management
class map
inspection 16-12
Layer 3/4
management traffic 16-7
match commands 16-5
through traffic 16-5
regular expression 16-16
CLI
abbreviating commands B-3
adding comments B-7
command line editing B-3
command output paging B-6
displaying B-6
help B-4
paging B-6
syntax formatting B-3
client
VPN 3002 hardware, forcing client update 31-4
Windows, client update notification 31-4
client access rules, group policy 32-62
client firewall, group policy 32-59
clientless authentication 35-8
Clientless SSL VPN
configuring for specific users 32-80
client mode 36-3
client update, performing 31-4
cluster
IP address, load balancing 31-6
load balancing configurations 31-7
mixed scenarios 31-8
virtual 31-6
command authorization
about 42-9
configuring 42-8
multiple contexts 42-10
command prompts B-2
comments
access lists 18-18
configuration B-7
configuration
clearing 2-9
comments B-7
factory default
commands 2-1
restoring 2-2
saving 2-6
text file 2-9
URL for a context 7-9
viewing 2-8
configuration mode
accessing 2-5
prompt B-2
connection blocking 24-22
connection limits
configuring 24-17
per context 7-6
connect time, maximum, username attribute 32-78
console port logging 44-10
content transformation, WebVPN 39-49
contexts
See security contexts
conversion error, ICMP message C-16
cookies, enabling for WebVPN 39-6
CRACK protocol 29-28
crash dump 45-13
crypto map
access lists 29-20
applying to interfaces 29-20, 38-7
clearing configurations 29-28
creating an entry to use the dynamic crypto map 34-7
definition 29-12
dynamic 29-25
dynamic, creating 34-6
entries 29-12
examples 29-21
policy 29-13
crypto show commands 29-27
CSC SSM
about 23-10
checking status 23-18
failover 23-11
getting started 23-12
loading an image 23-19
sending traffic to 23-16
support 1-2
what to scan 23-13
custom firewall 32-61
customization, Clientless SSL VPN
group policy attribute 32-65
login windows for users 32-26
username attribute 32-82
username attribute for Clientless SSL VPN 32-23
cut-through proxy 21-1
D
data flow
routed firewall 17-1
transparent firewall 17-11
DDNS 11-6
debugging IPSec 30-8
debug messages 45-12
default
class 7-3
DefaultL2Lgroup 32-1
DefaultRAgroup 32-1
domain name, group policy 32-48
group policy 32-1, 32-35
LAN-to-LAN tunnel group 32-16
remote access tunnel group, configuring 32-6
routes, defining equal cost routes 10-4
tunnel group 29-11, 32-2
default configuration
commands 2-1
restoring 2-2
default policy 16-3
default routes
about 10-4
configuring 10-4
deny flows, logging 18-22
deny in a crypto map 29-15
deny-message
group policy attribute for Clientless SSL VPN 32-65
username attribute for Clientless SSL VPN 32-83
DES, IKE policy keywords (table) 29-3
device ID, including in messages 44-20
device pass-through, ASA 5505 as Easy VPN client 36-8
DfltGrpPolicy 32-36
DHCP
addressing, configuring 33-3
Cisco IP Phones 11-4
options 11-3
relay 11-5
server 11-1, 11-2
transparent firewall 18-6
DHCP Intercept, configuring 32-49
Diffie-Hellman
Group 5 29-4
groups supported 29-4
DiffServ preservation 25-5
digital certificates
authenticating WebVPN users 39-21
SSL 39-6
WebVPN authentication restrictions 39-6
directory hierarchy search D-4
disabling content rewrite 39-50
disabling messages, specific message IDs 44-22
DMZ, definition 1-13
DNS
dynamic 11-6
inspection
about 26-13
managing 26-13
rewrite, about 26-14
rewrite, configuring 26-15
NAT effect on 19-16
server, configuring 32-39
domain attributes, group policy 32-47
domain name 9-2
dotted decimal subnet masks C-3
downloadable access lists
configuring 21-10
converting netmask expressions 21-14
DSCP preservation 25-5
DUAL 10-25
dual IP stack, configuring 13-4
dual-ISP support 10-5
duplex, configuring 6-2
dynamic crypto map 29-25
creating 34-6
See also crypto map
Dynamic DNS 11-6
dynamic NAT
See NAT
E
Easy VPN
client
authentication 36-12
configuration restrictions, table 36-2
enabling and disabling 36-1
group policy attributes pushed to 36-10
mode 36-3
remote management 36-9
trustpoint 36-7
tunnels 36-9
Xauth 36-4
server (headend) 36-1
Easy VPN client
ASA 5505
device pass-through 36-8
split tunneling 36-8
TCP 36-4
tunnel group 36-7
tunneling 36-5
echo reply, ICMP message C-15
ECMP 10-3
editing command lines B-3
egress VLAN for VPN sessions 32-42
EIGRP 18-6
configuring 10-26
DUAL algorithm 10-25
hello interval 10-30
hello packets 10-25
hold time 10-25, 10-30
neighbor discovery 10-25
Overview 10-25
stub routing 10-27
stuck-in-active 10-25
e-mail
configuring for WebVPN 39-47
proxies, WebVPN 39-47
proxy, certificate authentication 39-48
WebVPN, configuring 39-47
EMBLEM format, using in logs 44-21
enable command 2-5
end-user interface, WebVPN, defining 39-53
Enterprises 11-4
Entrust, CA server support 41-5
established command, security level requirements 8-2
Ethernet
Auto-MDI/MDIX 6-2
duplex 6-2
speed 6-2
EtherType
assigned numbers 18-10
See also access lists
external group policy, configuring 32-37
F
facility, syslog 44-9
factory default configuration
commands 2-1
restoring 2-2
failover
about 15-1
Active/Active, configuring 15-29
Active/Active, See Active/Active failover
Active/Standby, configuring 15-21
Active/Standby, See Active/Standby failover
configuration file
terminal messages, Active/Active 15-12
terminal messages, Active/Standby 15-8
configuring 15-20
contexts 15-7
controlling 15-51
debug messages 15-53
disabling 15-52
displaying commands 15-50
encrypting failover communication 15-41
Ethernet failover cable 15-4
examples
Active/Active LAN-based failover A-24, A-29
Active/Standby cable-based failover A-33, A-34
Active/Standby LAN-based failover A-23, A-27
failover link 15-3
forcing 15-51
health monitoring 15-18
interface health 15-18
interface monitoring 15-18
interface tests 15-18
licenses 15-3
link communications 15-3
MAC addresses
about 15-7
automatically assigning 7-11
monitoring, configuration 15-51
monitoring, health 15-18
network tests 15-19
primary unit 15-7
redundant interfaces 6-5
restoring a failed group 15-52
restoring a failed unit 15-52
secondary unit 15-7
serial cable 15-5
SNMP syslog traps 15-53
software versions 15-3
Stateful Failover, See Stateful Failover
state link 15-5
subsecond 15-41
system log messages 15-53
system requirements 15-2
testing 15-51
type selection 15-15
understanding 15-1
unit health 15-18
verifying the configuration 15-42
fast path 1-16
fiber interfaces 6-3
filter (access list)
group policy attribute for Clientless SSL VPN 32-68
username attribute for Clientless SSL VPN 32-84
filtering
about 22-1
ActiveX 22-2
FTP 22-9
Java applets 22-3
security level requirements 8-2
servers supported 22-4
show command output B-4
URLs 22-4
firewall
Black Ice 32-61
Cisco Integrated 32-60
Cisco Security Agent 32-60
custom 32-61
Network Ice 32-61
none 32-61
Sygate personal 32-61
Zone Labs 32-61
firewall mode
about 17-1
configuring 2-5
firewall policy, group policy 32-59
FO (failover) license 15-3
FO_AA license 15-3
format of messages 44-24
fragmentation policy, IPsec 29-8
fragment protection 1-14
fragment size 24-22
FTP inspection
about 26-27
configuring 26-27
G
general attributes, tunnel group 32-3
general parameters, tunnel group 32-3
general tunnel-group connection parameters 32-3
generating RSA keys 41-6
global addresses
recommendations 19-16
specifying 19-26
global e-mail proxy attributes 39-47
global IPsec SA lifetimes, changing 29-22
group-lock, username attribute 32-79
group policy
address pools 32-59
attributes 32-39
backup server attributes 32-52
client access rules 32-62
configuring 32-37
default domain name for tunneled packets 32-48
definition 32-1, 32-35
domain attributes 32-47
Easy VPN client, attributes pushed to ASA 5505 36-10
external, configuring 32-37
firewall policy 32-59
hardware client user idle timeout 32-50
internal, configuring 32-38
IP phone bypass