Numerics


100BaseTX Ethernet     6 - 86

10BaseT Ethernet     6 - 86

3Com 10/100 Ethernet network interface card     2 - 39

A


AAA     2 - 36, 6 - 4, 6 - 9, 6 - 157

aaa authentication enable console, syslog messages     6 - 101

aaa command     6 - 2

aaa-server command     6 - 9

abbreviating commands     1 - 13

access
control list     6 - 115
limiting     2 - 34
lists     1 - 5
modes     1 - 13

access lists, IPSec     4 - 7, 4 - 8
creating     6 - 13
peer mirror images     4 - 10

access-group command     6 - 11

access-list command     5 - 27, 5 - 30, 6 - 12

AccessPro router     6 - 128

ActiveX blocking     3 - 11, 6 - 16, 6 - 76

Adaptive Security Algorithm (ASA)     1 - 2, 1 - 5

address translations     6 - 111

administer PIX Firewall from remote location     5 - 25

age command     3 - 17

AH     5 - 29

alias command     6 - 15, 6 - 148

alias option to arp command     6 - 17

apply command     6 - 114

ARP     3 - 7

arp command     6 - 17

ARP proxies     6 - 144

assigning remote clients dynamic IP addressing     4 - 30

authenticating the CA     6 - 21

authentication and authorization, user     2 - 36

authentication, authorization, and accounting     6 - 2

auth-prompt command     6 - 19

B


blocking ActiveX objects     3 - 11

buffer allocation, interface     6 - 87

C


CA
authenticating the CA     6 - 21
configuring     4 - 35
CRL     4 - 34
declaring the CA     6 - 25
deleting RSA keys     6 - 25
digital certificates     4 - 31
displaying public keys     6 - 25
fingerprint     6 - 20
generating RSA key pairs     6 - 24
obtaining an updated CRL     6 - 23
obtaining certificates     6 - 23
peer authentication     4 - 34
pre-shared keys     4 - 34
public key cryptography     4 - 31
Registration Authority (RA) mode     6 - 21
revoked certificates     4 - 34
revoking your certificate     6 - 24
RSA public key record     6 - 22
saving RSA Key pairs and certificates     6 - 25
sending enrollment request     6 - 23
serial number included in certificate     6 - 24
server
pkiclient.exe     6 - 25
signature     4 - 32

ca command     6 - 20

CCO upgrades     2 - 4

certificate enrollment protocol     4 - 35, 6 - 27

Certificate Revocation List
See CRL

certificates, digital     5 - 46

Cisco Secure VPN Client     4 - 29

CiscoSecure     6 - 157

CiscoWorks for Windows     3 - 15

clear blocks command     6 - 129

clear flashfs     6 - 80

clear uauth command     6 - 157

client, remote     4 - 29, 6 - 51

clock command     6 - 27, 6 - 103

command
aaa     6 - 2
aaa-server     6 - 9
access-group     6 - 11
access-list     5 - 27, 5 - 30, 6 - 12
age     3 - 17
alias     6 - 15, 6 - 148
apply     6 - 114
arp     6 - 17
auth-prompt     6 - 19
ca     6 - 20
clear blocks     6 - 129
clear flashfs     6 - 80
clear uauth     6 - 157
clear xlate     6 - 167
clock     6 - 27
conduit     6 - 28
configure     6 - 33
crypto     5 - 27, 5 - 30
crypto dynamic-map     6 - 36
crypto ipsec     3 - 17, 6 - 40
crypto map     6 - 48
crypto map interface     4 - 10
debug     6 - 61
disable     6 - 64
domain-name     6 - 65
enable     6 - 66
enable password     6 - 67
established     6 - 69
exit     6 - 72
failover     3 - 5, 6 - 73
fixup protocol     6 - 78
floodguard     6 - 81
global     6 - 82
help     6 - 84
hostname     6 - 85
interface     6 - 86
ip address     2 - 12, 6 - 89
ip local pool     6 - 89
ipsec     6 - 91
isakmp     6 - 92
kill     6 - 98
link     3 - 17
linkpath     3 - 17
logging     6 - 99
monitor     7 - 2
mtu     6 - 107
name     6 - 108
nameif     2 - 10, 6 - 110
names     6 - 108
nat     6 - 111
outbound     6 - 114
pager     6 - 119
passwd     6 - 120
perfmon     6 - 121
ping     6 - 122
quit     6 - 123
radius-server, replaced by aaa-server     6 - 9
reload     2 - 6, 6 - 124
rip     6 - 125
route     6 - 126
service     6 - 127
session     6 - 128
show     6 - 129
show blocks     6 - 129
show checksum     6 - 130
show conn     6 - 131
show flashfs     6 - 80
show history     6 - 132
show interface     6 - 86
show ip     6 - 89
show memory     6 - 132
show processes     6 - 133
show tech-support     6 - 133
show traffic     6 - 134
show uauth     6 - 157
show version     6 - 134
show who     6 - 164
show xlate     6 - 167
snmp-server     6 - 136
static     6 - 138
syslog     6 - 143
sysopt     6 - 144
sysopt connection permit-ipsec     4 - 7
sysopt connection permit-ipsec     6 - 145
sysopt ipsec pl-compatible     3 - 15, 3 - 19, 6 - 147
tacacs-server, replaced by aaa-server     6 - 9
terminal     6 - 153
tftp-server     6 - 154
timeout     6 - 155
url-cache     6 - 158
url-server     6 - 160
virtual     6 - 161
who     6 - 164
write     6 - 165

command line
editing     1 - 14
prompt     6 - 85

command output paging     1 - 14

compiling Cisco SMI MIB and syslog MIB     3 - 15

conduit command     6 - 28

conduits     1 - 5, A - 7

configuration
mode     6 - 34
PIX Firewall units for failover     3 - 5
rechecking     2 - 37
size     1 - 14

configuration example
IPSec with manual keys     5 - 27
multiple servers     5 - 6
six interfaces with NAT     5 - 20
three interfaces with NAT     5 - 12
three interfaces without NAT     5 - 10
two interfaces without NAT     5 - 2
VPN tunnel using VeriSign digital certificates     5 - 39

configure command     6 - 33

configuring
CA     4 - 35
dynamic IP addressing assignment     4 - 30
IKE     4 - 26
IKE Mode Configuration     4 - 30
IPSec with IKE     4 - 17
IPSec with pre-shared keys     4 - 20

connection, state information     1 - 3

console
authentication     6 - 4
session     6 - 62

contact, SNMP     6 - 136

control list     6 - 115

converting from Private Link to IPSec     3 - 15, 3 - 19

CRL     4 - 34

crypto command     5 - 27, 5 - 30

crypto dynamic-map command     6 - 36

crypto ipsec command     3 - 17, 6 - 40

crypto map command     6 - 48

crypto map interface command     4 - 10

crypto maps
applying to interface     4 - 16
dynamic     4 - 14
entries     4 - 12
load sharing     4 - 13

cut-through proxies     1 - 5

D


daisy-chain PIX Firewall units     6 - 5

debug command     6 - 61

default password     6 - 67

default route
broadcast     6 - 125
router and hosts     2 - 6

DES     5 - 29

digital certificates     4 - 31, 5 - 39, 5 - 46

disable command     6 - 64

diskette     6 - 34

disk-full condition, recovering from     2 - 32

displaying public keys     6 - 25

DNS     6 - 144

domain-name command     6 - 65

download upgrades     2 - 4

downloading image, TFTP     7 - 2

downloading IP address to VPN client     4 - 29

dynamic crypto maps     4 - 14
entries     4 - 15
referencing     4 - 15
sets     4 - 15

dynamic IP address assignment     4 - 30

E


editing command lines     1 - 14

EIGRP     B - 2

embryonic connection     6 - 111

enable command     6 - 66

enable password command     6 - 67

encryption, key     6 - 9

enforcesubnet     6 - 144

Entrust digital certificates     5 - 46

ESMTP commands rejected by Mail Guard     6 - 79

ESP     5 - 29

established command     6 - 69

Ethernet     6 - 86, 6 - 110, 6 - 147, 7 - 1

examples
IPSec with manual keys     5 - 27
multiple servers     5 - 6
six interfaces with NAT     5 - 20
three interfaces with NAT     5 - 12
three interfaces without NAT     5 - 10
two interfaces without NAT     5 - 2
VPN client access with AAA and pre-shared keys     5 - 58
VPN client access with manual IP address and pre-shared keys     5 - 53
VPN tunnel using Entrust digital certificates     5 - 46
VPN tunnel using VeriSign digital certificates     5 - 39
working with IPSec and NAT on the PIX Firewall     

exit command     6 - 72

F


failover
command     6 - 73
configuring on Active unit     3 - 5
frequently asked questions     3 - 9
interface tests     3 - 9
saving configuration of Active unit on standby unit     3 - 6
stateful     6 - 74
syslog messages     3 - 10
syslog messages, SNMP     3 - 13
timeout feature     6 - 74
upgrading     3 - 8

failover command     3 - 5

fault detection within failover PIX Firewall units     3 - 10

FDDI network interfaces     1 - 6

filtering
ActiveX     3 - 11
URL     3 - 12

fingerprint, CA     6 - 20

fixup protocol command     6 - 78

Flash memory
persistent data file     6 - 24, 6 - 25
write configuration to     6 - 166

flashfs     6 - 80

Flood Defender     6 - 81

floodguard command     6 - 81

Frag Guard     6 - 144

fragmentation     6 - 144

FTP     3 - 12, 6 - 78

full duplex     6 - 86

G


generating RSA key pairs     6 - 24

global command     6 - 82

global IP addresses, associating network with     6 - 111

GRE     2 - 25, 6 - 31

H


H.323     6 - 78, 6 - 142, 6 - 155

hardware
address     6 - 17
ID     6 - 86
speed     6 - 86

help command     6 - 84

help, command line     1 - 16

host, SNMP     6 - 136

hostname command     6 - 85

HTML <object> tag blocking     3 - 11

HTTP     6 - 78

HyperTerminal, configuring     2 - 2

I


IANA URL     1 - 19

ICMP trace     6 - 62

IDENT     6 - 127

IKE     5 - 29
authentication methods     4 - 25
benefits     4 - 22
configuring pre-shared keys     4 - 28
creating policies     4 - 25
disabling     4 - 29
enabling and configuring     4 - 26
policy parameters     4 - 23
remote client     4 - 29

IKE Mode Configuration
configuring     4 - 30, 6 - 51
types     4 - 30

interface
buffer allocation     6 - 87
command     6 - 86
name     6 - 110

Internet Key Exchange
See IKE

Interrupt vector, interface cards     6 - 87

ip address command     2 - 12, 6 - 89

IP Frag Guard     6 - 149

ip local pool command     6 - 89

IPSec
access lists     4 - 7, 4 - 8
creating     6 - 13
keyword "any"     4 - 10
peer mirror images     4 - 10
configuring manually using pre-shared keys     4 - 20
configuring with IKE     4 - 17
crypto maps
entries     4 - 12
load sharing     4 - 13
digital certificates     4 - 31
order of configuration     4 - 5
security associations
clearing and reinitializing     4 - 16
global lifetimes     4 - 7
IKE     4 - 14
manual using pre-shared keys     4 - 14
supported standards     4 - 2
transform sets     4 - 11
using CAs     4 - 34
view information     4 - 17
without CAs     4 - 32

ipsec command     6 - 91

ipsec-isakmp option     6 - 53

ipsec-manual option     5 - 29, 6 - 53

isakmp command     6 - 92

J


Java applets     3 - 11, 6 - 114, 6 - 117

K


key, authentication     6 - 9

kill command     6 - 98

L


LDAP (Lightweight Directory Access Protocol)     6 - 25

LEDs, PIX 515     7 - 1

line protocol up and down     6 - 87

link command     3 - 17

link up and link down     6 - 87

link up and link down, SNMP     3 - 13

linkpath command     3 - 17

LINUX default route     2 - 8

list ID     2 - 35

literal names     1 - 17

local pool     6 - 89

LOCAL0 - LOCAL7     2 - 33, 6 - 100

location, SNMP     6 - 136

logging     2 - 32

logging command     6 - 99

M


MAC address     6 - 17, 6 - 87

MacOS default route     2 - 9

Mail Guard
disabling     6 - 79
feature description     1 - 6

MD5     5 - 29

memory, OS and free     6 - 132

MIB file, updating     3 - 15

MIB-II groups, SNMP     3 - 13

Microsoft
Exchange     C - 1
MS-Exchange advisory for Mail Guard     6 - 79
Windows 95 and 98 default route     2 - 8
Windows 95 or NT     2 - 2
Windows NT default route     2 - 8

monitor command     7 - 2

MSRPC     C - 4

MSS     6 - 144

MTU     2 - 39, 6 - 87

mtu command     6 - 107

multimedia applications, supported     1 - 20

N


name command     6 - 108

nameif command     2 - 10, 6 - 110

names command     6 - 108

nat command     6 - 111

net alias     6 - 15

net static     5 - 8

NETBIOS over IP     1 - 7

netstat, setting a default route     2 - 8

Network Address Translation (NAT), See nat command

newsreaders     6 - 7

NFS
access     5 - 8
testing with showmount     5 - 8

nodnsalias     6 - 144

noproxyarp     6 - 144

norandomseq     6 - 111, 6 - 138

O


object <object> tag blocking     3 - 11

obtaining an updated CRL     6 - 23

Oracle SQL*Net     6 - 62

outbound command     6 - 114

P


packet trace     6 - 62

packets, received and sent     6 - 87

pager command     6 - 119

paging screen displays     1 - 14

passwd command     6 - 120

password, default     6 - 67

PCNFSD, tracking activity     5 - 8

perfmon command     6 - 121

permit-ipsec     6 - 144

PFSS     6 - 104

physical address     6 - 17

ping and ICMP trace     6 - 62

ping command     6 - 122

pings and AAA     6 - 8

PIX 515
feature description     1 - 7
LEDs     7 - 1
upgrading activation key     7 - 5

PIX Firewall
boot diskette, use for system recovery     2 - 5
failures on failover units     3 - 10
forcing to be active or go to standby     3 - 6
image     2 - 3
monitoring performance     6 - 121
reboot and reload     6 - 124

PIX Firewall Manager (PFM)     2 - 3

PIX Firewall Manager, set password     6 - 120

PIX Firewall Syslog Server (PFSS)     2 - 3, 6 - 104

PKI protocol     4 - 35, 6 - 25, 6 - 27

port literal names     1 - 17

port, outbound     6 - 114

portmapper     6 - 31

PPTP     2 - 25, 6 - 31

Private Link
commands mapped to IPSec commands     3 - 16
conversion to IPSec     3 - 15, 3 - 19
example of a network diagram     3 - 18

privileged mode, start     6 - 66

prompt host name label     6 - 85

protocols     1 - 19, 6 - 78

public key cryptography     4 - 31

Q


querying a certificate or CRL     6 - 25

quit command     6 - 123

R


RA     4 - 35

RADIUS     6 - 2, 6 - 7

radius-server, replaced by aaa-server command     6 - 9

rawrite.exe, conversion utility     2 - 5

recovering from disk-full condition     2 - 32

redirect     6 - 30

Registration Authority
See RA

reload command     2 - 6, 6 - 124

remote client     4 - 29, 6 - 51

revoked certificates     4 - 34

rip command     6 - 125

route command     6 - 126

router, in PIX Firewall     6 - 128

router-advertisement     6 - 30

RPC
conduit     6 - 31
MSRPC     C - 4
slot     6 - 155
Sun     5 - 8
testing with rpcinfo     5 - 8

RSA public key record     6 - 22

RSH     6 - 78

S


saving configuration before upgrading     2 - 1

screen paging, enabling or disabling     6 - 119

security associations, IPSec
clearing and reinitializing     4 - 16
global lifetimes     4 - 7
IKE     4 - 14
manual using pre-shared keys     4 - 14

security level
assigning     6 - 110
defaults     6 - 110

security level, values     2 - 12

serial number     6 - 24

service command     6 - 127

session command     6 - 128

session key     5 - 29

show blocks command     6 - 129

show checksum command     6 - 130

show command     6 - 129

show conn command     6 - 131

show flashfs     6 - 80

show history command     6 - 132

show interface command     6 - 86

show ip command     6 - 89

show memory command     6 - 132

show processes command     6 - 133

show tech-support command     6 - 133

show traffic command     6 - 134

show uauth command     6 - 157

show version command     6 - 134

show who command     6 - 164

show xlate command     6 - 167

showmount     5 - 8

shutdown option to interface command     6 - 86

SMTP     6 - 78

SNMP
configuring     3 - 13
contact, location, and host     6 - 136
object ID (OID)     3 - 14, 6 - 137
read-only (RO) values     3 - 13
SNMPc (CiscoWorks for Windows)     3 - 15
syslog Enterprise MIB     3 - 15
traps     3 - 13

snmp-server command     6 - 136

Solaris default route     2 - 8

source-quench message type     6 - 30

SPI     5 - 29

SQL*Net     6 - 62, 6 - 78

state information     1 - 3

stateful     1 - 3

stateful failover     6 - 74

static command     6 - 138

static translation     1 - 4

subnet masks     D - 1

Sun RPC     5 - 8

SunOS default route     2 - 8

supported standards, IPSec     4 - 2

syslog     3 - 10
command     6 - 143
Enterprise MIB     3 - 15
log file, UNIX     2 - 34
message levels     2 - 33
messages     2 - 33, 6 - 104
MIB files     3 - 15
server     6 - 104
SNMP     3 - 13
syslog.conf file (UNIX host)     2 - 34
UNIX system, configuring     2 - 34
viewing messages from console     6 - 101

sysopt command     6 - 144

sysopt connection permit-ipsec command     4 - 7, 6 - 145

sysopt ipsec pl-compatible command     3 - 15, 3 - 19, 6 - 147

system recovery, PIX Firewall boot diskette     2 - 5

T


TACACS+     6 - 2, 6 - 7

tacacs-server, replaced by aaa-server command     6 - 9

TCP
maximum segment size     6 - 144
port literals     1 - 17
randomizing packet sequence number     6 - 111

TCP maximum segment size, IPSec     5 - 29

tcpclose     6 - 144

tcpmss     6 - 144

Telnet
configure console access     2 - 21
console access     6 - 4
console, debug     6 - 62
console, syslog     6 - 102
icmp trace     6 - 62
interface     1 - 8
set password     6 - 120
terminating     6 - 98
timeout feature     6 - 150
Trace Channel     6 - 62

terminal command     6 - 153

terminology     1 - 21

TFTP
configuration     6 - 34, 6 - 154, 6 - 165
error codes     7 - 2

tftp-server command     6 - 154

time stamps     6 - 100

TIME_WAIT state     6 - 144

time-exceeded     6 - 30

timeout command     6 - 155

timewait     6 - 144

Token Ring     6 - 86, 6 - 110, 6 - 147

Trace Channel     2 - 23, 6 - 62

trace ICMP, SQL*Net, and packets     6 - 62

transform set
example configuration     5 - 29

transform set, IPSec     4 - 11

translation slots
UDP, RPC, H.323     6 - 155

translations of addresses     6 - 111

traps, SNMP     3 - 13

Trivial File Transfer Protocol (TFTP)     7 - 2

troubleshoot PIX Firewall from remote location     5 - 25

U


uauth     6 - 157

UDP
connection state information     1 - 3
idle time until slot is freed     6 - 155
port literals     1 - 17
portmapper     6 - 31

UNIX
creating a bootable disk from     2 - 6
syslog configuration     2 - 34

UNIX, getting console terminal     2 - 2

upgrades, downloading     2 - 4

upgrading failover     3 - 8

upgrading, before     2 - 1

URL
filtering     3 - 12
logging     3 - 12

url-cache command     6 - 158

url-server command     6 - 160

user authentication and authorization, providing     2 - 36

user authentication, authorization, and accounting, providing     6 - 2

V


validating a CA's signature     4 - 32

VeriSign digital certificates     5 - 39

video conferencing applications, supported     1 - 20

virtual command     6 - 161

Virtual Private Network
See VPN

VPN
client     4 - 29
configuration example     5 - 27
definition     4 - 4
introduction     4 - 5

W


WebSENSE server     6 - 158

who command     6 - 164

Windows HyperTerminal     7 - 2

winipcfg, view default route     2 - 8

write command     6 - 165

X


xlate (translation slot)     6 - 155, 6 - 167


Posted: Thu Nov 11 19:39:50 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.