Table Of Contents
Symbols - A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - V - W - X -
Index
Symbols
/bits subnet masks D-3
A
AAA
accounting 12-25
authentication
CLI 12-8
enable 12-8
network access 12-20
authorization
command 12-10
downloadable ACLs 12-23
network access 12-22
clearing settings 17-9
local database support 12-4
maximum rules A-5
overview 12-1
performance 12-2
server
adding 12-6
types 12-4
abbreviating commands C-2
abbreviations E-1
access control entries
See ACEs
access control lists
See ACLs
accounting 12-25
ACEs
expanded 10-7
logging 10-26
maximum 10-7
order 10-6
ACLs
comments 10-25
commitment 10-6
compilation 10-6
downloadable 12-23
EtherType 10-16
expanded 10-7
guidelines 10-6
inbound 10-10
inserting lines 10-25
IP address guidelines 10-7
logging 10-26
manual commit 10-24
maximum rules 10-7
memory 10-7
NAT addresses 10-7
network access 10-13
object groups 10-17 to 10-24
order of ACEs 10-6
OSPF, route map 10-17
outbound 10-10
policy NAT 10-4
pools A-5
remarks 10-25
standard 10-17
acronyms E-1
activation key 5-10
Active Directory 13-11
active state, failover 15-2
adaptive security algorithm 1-5
address range, subnets D-4
admin context
changing 5-20
overview 5-1
alternate address, ICMP message D-9
Apple QuickTime 13-15
application inspection
See inspection engines
application partition passwords, clearing 17-9
ARP inspection
enabling 7-4
overview 7-3
static entry 7-4
ARP spoofing 7-3
ARP test, failover 15-13
ASA 1-5
attacks, protection from 1-6
audience profile xvii
authentication
CLI 12-8
enable 12-8
FTP 12-21
HTTP 12-21
network access 12-20
overview 12-2
Telnet 12-21
timeout 12-2
authorization
CLI 12-10
command 12-10
network access 12-22
overview 12-2
B
backing up configuration 16-5
bandwidth
limiting 5-12
maximum A-1
banners 6-5
BGP 10-3
bits subnet masks D-3
booting
from the module 17-8
from the switch 2-13
boot partitions 2-13
BPDUs
ACL, EtherType 10-16
forwarding on the switch 2-12
bridge entry timeout 7-2
bridge table
See MAC address table
Broadcast Ping test 15-13
buffering URL replies 14-3
bypassing the firewall 2-7
C
caching URLs 14-4
capturing packets 17-10
Catalyst 6500
See switch
Catalyst OS versions 1-2
CEF A-1
changing between contexts 5-20
Cisco 7600
See switch
Cisco CallManager 13-18
Cisco Firewall MC 1-4
Cisco IOS versions 1-2
Cisco IP/TV 13-15
Cisco IP Phones
inspection engine 13-18
with DHCP 8-20
Cisco PDM 1-4
Cisco VPN Client 11-7
Class A, B, and C addresses D-1
classes
See resource management
classifier 5-2
CLI
abbreviating commands C-2
adding comments C-4
authentication 12-8
authorization 12-10
command line editing C-3
command output paging C-4
displaying C-4
help C-6
paging C-4
privilege levels 12-11
syntax formatting C-2
command authorization
local user database 12-10
TACACS+ 12-13
command-line interface
See CLI
command privilege levels 12-11
command prompts C-1
comments
ACLs 10-25
configuration C-4
Compact Flash 2-13
configuration
backing up 16-5
clearing 3-4
comments C-4
context files 5-2
downloading 16-5
examples B-1
failover 15-10
minimum xxiii
saving 3-3
switch 2-1
text file 3-4
URL for a context 5-18
viewing 3-3
configuration mode
accessing 3-2
prompt C-2
connection limits 6-9
console
authentication 12-8
port 3-1
contexts
See security contexts
control plane path 1-5
conventions xix
conversion error, ICMP message D-9
crash dump 17-11
D
data flow
routed firewall 4-3
transparent firewall 4-12
debug messages 17-10
default class 5-13
default route 8-2
denial of service attacks, protection 1-6
deny flows, logging 10-28
DHCP
relay 8-21
server
Cisco IP Phones 8-20
configuring 8-19
overview 8-19
transparent firewall 10-3
DMZ, definition 1-1
DNS
inspection engine 13-6
NAT effect on 9-13
protection from attacks 1-6
DNS Guard 1-6
domain name 6-5
dotted decimal subnet masks D-3
downloadable ACLs 12-23
dynamic NAT
See NAT
E
echo reply, ICMP message D-9
editing command lines C-3
EIGRP 10-3
embryonic limit
routed firewall 9-23
transparent firewall 6-10
enable
accessing 3-2
authentication 12-8
password
changing 6-2
default 6-2
established command
maximum rules A-5
security level requirements 6-7
EtherChannel
backplane
load-balancing 2-11
overview 2-11
EtherType
ACL 10-16
assigned numbers 10-16
examples B-1
extended ACL 10-13
F
failover
actions 15-12
active state 15-2
bandwidth 15-5
configuration file
Flash memory 15-11
replication 15-10
running memory 15-11
terminal messages 15-11
configuring 15-14
contexts 15-2
debugging 15-23
disabling 15-22
display 15-19
examples 15-26
FAQs 15-23
forcing 15-22
gratuitous ARPs 15-2
inter-chassis 15-4
interface monitoring 15-13
interface policy 15-15
interface tests 15-13
intra-chassis 15-4
IP addresses 15-2
link communications 15-3
MAC addresses 15-10
monitoring 15-12
network tests 15-13
primary unit 15-10
secondary unit 15-10
standby state 15-2
stateful failover
overview 15-2
state information 15-3
state link 15-3
statistics 15-21
switch configuration 2-11
system messages 15-23
testing 15-22
threshold 15-15
transparent firewall 15-9
triggers 15-11
trunk 2-12, 15-4
unit health 15-13
verifying 15-18
VLANs 15-3
fast path 1-5
features 1-3
filtering
adding a server 14-2
buffering replies 14-3
caching URLs 14-4
FTP 14-6
HTTP 14-5
HTTPS 14-6
long URL maximum 14-4
maximum rules A-5
overview 14-1
security level requirements 6-6
servers supported 14-1
show command output C-3
statistics 14-6
Firewall MC 1-4
firewall mode, setting 4-16
fixups
See inspection engines
Flash memory
overview 2-13
partitions 2-13
size A-1
Flood Defender 1-6
Flood Guard 1-6
Frag Guard 1-6
fragment size 1-6
FTP
authentication 12-21
filtering 14-6
inspection engine 13-6
G
global addresses
recommendations 9-12
specifying 9-24
gratuitous ARPs, failover 15-2
guest user, maintenance partition 6-2
H
H.225, connection status 13-8
H.323
inspection engine 13-7
Skinny 13-18
version 13-7
help, command line C-6
host name 6-4
hosts, subnet masks for D-3
HSRP 4-9
HTTP
authentication 12-8
concurrent connections 11-4
filtering 14-5
inspection engine 13-10
long URL maximum 14-4
maximum rules A-5
HTTPS
filtering 14-6
management connection 11-4
maximum connections A-4
RSA key 11-4
I
ICMP
ACL 10-15
denied access 1-6
error inspection engine 13-11
inspection engine 13-10
management access 11-10
maximum rules A-5
object group 10-21
testing connectivity 17-4
type numbers D-9
IKE 11-5
ILS inspection engine 13-11
inbound ACLs 10-10
information reply, ICMP message D-9
information request, ICMP message D-9
inside, definition 1-1
inspection engines
configuring 13-4
DNS 13-6
FTP 13-6
H.323 13-7
HTTP 13-10
ICMP 13-10
ICMP error 13-11
ILS 13-11
LDAP 13-11
limitations 13-3
MGCP 13-12
NAT and PAT support 13-3
NetBIOS 13-14
OraServ 13-14
overview 13-1
RealAudio 13-14
RSH 13-15
RTSP 13-15
SCCP 13-18
security level requirements 6-6
SIP 13-16
Skinny 13-18
SMTP 13-19
SQL*Net 13-20
standards 13-3
static PAT 9-6
Sun RPC 13-21
TFTP 13-21
XDMCP 13-22
installation
module verification 2-2
software to any partition 16-3
software to current partition 16-2
interfaces
enabled status 6-7
failover monitoring 15-13
failover policy 15-15
global addresses 9-24
maximum A-2
naming 6-8
overview 1-7
security level
overview 6-6
setting 6-8
shared 5-5
standby address 15-16
turning off and on 6-9
IOS versions 1-2
IP addresses
classes D-1
configuring 8-2
management, transparent firewall 8-2
overlapping between contexts 5-3
private D-2
standby 15-16
subnet mask D-4
VPN client 11-7
IPSec
basic settings 11-5
client 11-7
management access 11-5
transforms 11-6
IP spoofing, protection from 1-6
IPX 2-7
ISAKMP 11-5
L
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
LDAP inspection engine 13-11
level
See security level
link up/down test 15-13
load-balancing, backplane EtherChannel 2-11
local user database
adding a user 12-6
command authorization 12-10
logging in 12-9
support 12-4
lockout, recovering 12-19
logging
ACLs 10-26
system messages 17-1
login
FTP 12-21
local user 12-9
session 3-2
SSH 3-2
Telnet 3-2
viewing the user 12-18
login banners 6-5
login command 12-9
login password
changing 6-2
default 6-2
M
MAC addresses, failover 15-10
MAC address table
entry timeout 7-2
MAC learning, disabling 7-2
overview 4-12
resource management 5-16
static entry 7-2
MAC learning, disabling 7-2
Mail Guard 1-6, 13-19
maintenance partition
guest user 6-2
installing application software 16-3
password
changing 6-2
clearing 17-10
default 6-2
root user 6-2
software installation 16-5
management access authentication 12-8
management IP address, transparent firewall 8-2
management support 1-4
man-in-the-middle attack 7-3
manual commit 10-24
mapped interface name 5-18
mask reply, ICMP message D-9
mask request, ICMP message D-9
maximum connections 9-23
memory
ACLs 10-7
Flash A-1
RAM A-1
rules 10-7
message-of-the-day banner 6-5
MGCP inspection engine 13-12
Microsoft Exchange 13-19
minimum configuration xxiii
mobile redirection, ICMP message D-9
mode
context 5-11
firewall 4-16
monitoring
failover 15-12
OSPF 8-16
resource management 5-24
security contexts 5-23
SNMP 17-2
More prompt C-4
MPLS
LDP 10-16
router-id 10-16
TDP 10-16
MSFC
definition 1-2
overview 1-9
SVIs 2-7
multicast traffic 4-9
Multilayer Switch Feature Card
See MSFC
multiple mode, enabling 5-11
multiple SVIs 2-6
N
N2H2 Sentian filtering server 14-1
naming an interface 6-8
NAT
bypassing NAT
configuration 9-28
overview 9-7
DNS 9-13
dynamic NAT
configuring 9-22
implementation 9-16
overview 9-3
embryonic limit 9-23
examples 9-31
exemption from NAT
configuration 9-30
overview 9-7
identity NAT
configuration 9-28
overview 9-7
inspection engine support 13-3
maximum connections 9-23
NAT ID 9-16
order of statements 9-12
outside NAT 9-10
overlapping addresses 9-32
overview 9-1, 9-2
PAT
configuring 9-22
implementation 9-16
overview 9-4
policy NAT
maximum rules A-5
overview 9-8
port redirection 9-33
same security level 9-11
security level requirements 6-6
static NAT
configuring 9-25
overview 9-5
static PAT
configuring 9-26
overview 9-5
transparent firewall 4-11
types 9-3
NetBIOS inspection engine 13-14
NetMeeting 13-11
Network Activity test 15-13
Network Address Translation
See NAT
network processors 1-5
NPs 1-5
O
object groups
adding
ICMP 10-21
network 10-19
protocol 10-19
service 10-20
displaying 10-24
expanded 10-7
nesting 10-22
overview 10-18
removing 10-24
operating system 1-8
OraServ inspection engine 13-14
OSPF
ACL for route map 10-17
area authentication 8-11
area MD5 authentication 8-11
area parameters 8-11
authentication key 8-9
cost 8-9
dead interval 8-9
default route 8-14
displaying update packet pacing 8-16
enabling 8-5
hello interval 8-9
interface parameters 8-9
link-state advertisement 8-5
logging neighbor states 8-15
MD5 authentication 8-10
monitoring 8-16
NSSA 8-12
overview 8-4
packet pacing 8-16
processes 8-5
redistributing routes 8-6
route calculation timers 8-15
route map 8-6
route summarization 8-13
stub area 8-12
summary route cost 8-12
outbound ACLs 10-10
outside, definition 1-1
outside NAT 9-10
oversubscribing resources 5-12
P
packet capture 17-10
packet classifier 5-2
packet flow
routed firewall 4-3
transparent firewall 4-12
paging screen displays C-4
parameter problem, ICMP message D-9
partitions
application 2-13
boot 2-13
crash dump 2-13
Flash memory 2-13
maintenance 2-13
network configuration 2-13
passwords
clearing
application 17-9
maintenance 17-10
enable
changing 6-2
default 6-2
login
changing 6-2
default 6-2
maintenance partition
changing 6-2
default 6-2
troubleshooting 17-9
PAT
See NAT
PDM
allowing connections 11-4
installation 16-2
maximum connections A-4
version 1-4
ping
See ICMP
PIX
implicit permit 1-7
operating system 1-8
security levels 6-7
policy NAT
ACLs 10-4
dynamic, configuring 9-22
inspection engines 9-6
maximum rules A-5
overview 9-8
static, configuring 9-25
static PAT, configuring 9-27
pools
address
DHCP 8-19
global NAT 9-24
addresses
VPN 11-7
context rules A-5
port redirection, NAT 9-33
primary unit, failover
overview 15-10
setting 15-15
private networks D-2
privileged mode
accessing 3-2
authentication 12-8
prompt C-2
privilege levels, for commands 12-11
prompts
command C-1
more C-4
protocol numbers and literal values D-5
Q
quick start xxiii
R
RADIUS
adding a server 12-6
CLI authentication 12-8
downloadable ACLs 12-23
enable command authentication 12-9
network access authentication 12-21
network access authorization 12-23
support 12-4
RealAudio
inspection engine 13-14
RTSP 13-15
RealNetworks 13-15
RealPlayer 13-15
rebooting
from the module 17-8
from the switch 2-13
redirect, ICMP message D-9
redundancy
See failover
reloading
context 5-22
module 17-8
remarks 10-25
requirements 1-2
resetting
from the module 17-8
from the switch 2-13
resource management
assigning a context 5-19
configuring 5-14
default class 5-13
monitoring 5-24
oversubscribing 5-12
overview 5-12
resource types 5-16
unlimited 5-13
reverse route lookup
See Unicast RPF
RIP
default route updates 8-18
enabling 8-18
overview 8-18
passive 8-18
root user, maintenance partition 6-2
routed firewall mode, setting 4-16
route map ACL 10-17
router advertisement, ICMP message D-9
router solicitation, ICMP message D-9
routing
default route 8-2
OSPF 8-4 to 8-17
other protocols 10-3
RIP 8-18 to 8-19
static 8-3
RSA key 11-3, 11-4
RSH, inspection engine 13-15
RTSP, inspection engine 13-15
RTSP restrictions 13-15
rules
manually committing 10-24
maximum 10-7
pools for contexts A-5
S
same security level communication
embryonic connections 6-9
enabling 6-8
maximum connections 6-9
NAT 9-11
SCCP
fragmented packets 13-19
H.323 13-18
inspection engine 13-18
secondary unit, failover 15-10
security contexts
adding 5-17
admin context
changing 5-20
overview 5-1
assigning to a resource class 5-19
changing between 5-20
classifier 5-2
configuration
files 5-2
URL, changing 5-21
URL, setting 5-18
IP address overlap 5-3
logging in 5-9
mapped interface name 5-18
monitoring 5-23
multiple mode, enabling 5-11
name guidelines 5-17
nesting or cascading 5-9
overview 5-1
prompt C-1
reloading 5-22
removing 5-20
resource management 5-12
VLAN allocation 5-18
security level
allowing communication between the same level 6-8
overview 6-6
PIX comparison 6-7
same security 6-8
setting 6-8
security policy 1-7
Sentian filtering server 14-1
serial number 5-10
server
AAA 12-6
filtering 14-2
sessioning from the switch 3-1
session management path 1-5
shared VLANs 5-5
show command, filtering output C-3
shutting down an interface 6-9
Simple Network Management Protocol
See SNMP
single mode
backing up configuration 5-10
configuration 5-11
enabling 5-11
restoring 5-11
SIP inspection engine 13-16
SiteServer 13-11
site-to-site tunnel 11-8
Skinny
fragmented packets 13-19
H.323 13-18
inspection engine 13-18
SMTP
inspection engine 13-19
protection from attacks 1-6
SNMP
overview 17-2
traps 17-2
software installation
any partition 16-3
current partition 16-2
maintenance 16-5
source quench, ICMP message D-9
SPAN session 2-1
specifications A-1
SQL*Net inspection engine 13-20
SSH
authentication 12-8
concurrent connections 11-2
login 11-3
management access 11-2
maximum rules A-5
RSA key 11-3
username 11-4
version 11-2
standard ACL 10-17
standby state, failover 15-2
startup configuration 5-2
stateful failover
See failover
stateful inspection 1-5
state information 15-3
state link 15-3
static ARP entry 7-4
static bridge entry 7-2
static NAT
See NAT
static PAT
See NAT
static routes 8-3
stealth firewall
See transparent firewall
subcommand mode prompt C-2
subnet masks
/bits D-3
address range D-4
dotted decimal D-3
number of hosts D-3
overview D-2
Sun RPC, inspection engine 13-21
supervisor engine versions 1-2
supervisor IOS 1-2
SVIs
configuring 2-8
multiple 2-6
overview 2-6
switch
adding VLANs 2-3
assigning VLANs to module 2-2
assigning VLANs to ports 2-3
BPDU forwarding 2-12
configuration 2-1
failover compatibility with transparent firewall 2-12
failover configuration 2-11
maximum modules A-1
resetting the module 2-13
sessioning to the module 3-1
system requirements 1-2
trunk for failover 2-12
verifying module installation 2-2
switched virtual interfaces
See SVIs
Switch Fabric Module A-1
SYN packet attack protection 1-6
syntax formatting C-2
system configuration
network settings 5-2
overview 5-1
system requirements 1-2
T
TACACS+
adding a server 12-6
command authorization 12-13
network access authorization 12-22
support 12-4
TCP intercept
overview 1-6
security level requirements 6-6
TCP ports and literal values D-5
TCP sequence number randomization
disabling
routed mode 9-22
same security level 6-10
transparent firewall 6-10
security level requirements 6-7
Telnet
authentication 12-8
concurrent connections 11-1
management access 11-1
maximum rules A-5
test 15-13
testing configuration 17-4
TFTP inspection engine 13-21
time exceeded, ICMP message D-9
timestamp reply, ICMP message D-9
timestamp request, ICMP message D-9
traffic flow
routed firewall 4-3
transparent firewall 4-12
transparent firewall
ARP inspection
enabling 7-4
overview 7-3
static entry 7-4
data flow 4-12
DHCP packets, allowing 10-3
embryonic limit 6-10
EtherType ACL 10-16
examples B-15
failover 15-9
guidelines 4-11
HSRP 4-9
MAC address timeout 7-2
MAC learning, disabling 7-2
management IP address 8-2
maximum connections 6-10
mode, setting 4-16
multicast traffic 4-9
NAT 4-11
overview 4-9
packet handling 10-3
static bridge entry 7-2
TCP sequence number randomization, disabling 6-10
VLANs 4-9
VRRP 4-9
traps, SNMP 17-2
trunk, failover 15-4
U
UDP
connection state information 1-5
ports and literal values D-5
Unicast Reverse Path Forwarding 1-6
Unicast RPF 1-6
unprivileged mode
accessing 3-2
password 6-2
prompt C-1
unreachable, ICMP message D-9
URL
context configuration, changing 5-21
context configuration, setting 5-18
filtering 14-1
user, logged in 12-18
V
virtual firewalls
See security contexts
Virtual Re-assembly 1-6
VLANs
adding to switch 2-3
allocating to a context 5-18
assigning to switch ports 2-3
assigning to FWSM 2-2
failover interface 15-3
interfaces 2-2
mapped interface name 5-18
maximum A-2
overview 1-7
shared 5-5
VoIP
gateways and gatekeepers 13-7
H.323 13-7
MGCP 13-12
SCCP 13-18
Skinny 13-18
VPN
basic settings 11-5
client tunnel 11-7
management access 11-5
site-to-site tunnel 11-8
transforms 11-6
VRRP 4-9
W
WAN ports 1-2
Websense Enterprise filtering server 14-1
X
XDMCP, inspection engine 13-22