cc/td/doc/product/iaabu/pix/pix_v51

Index

Numerics


100BaseTX Ethernet     6 - 110

10BaseT Ethernet     6 - 110

3Com 10/100 Ethernet network interface card     2 - 47

A


AAA     2 - 44, 6 - 5, 6 - 11, 6 - 35, 6 - 201

aaa authentication enable console, syslog messages     6 - 135

aaa command     6 - 2

aaa-server command     6 - 11

abbreviating commands     1 - 17

access
control list     6 - 152
lists     1 - 5
modes     1 - 17

access-group command     6 - 14

access-list command     5 - 32, 5 - 35, 6 - 15

access-list deny syslog message     6 - 18

access lists, IPSec     4 - 8, 4 - 9
creating     6 - 17
peer mirror images     4 - 11

AccessPro router     6 - 169

ActiveX blocking     3 - 14, 6 - 22, 6 - 98

Adaptive Security Algorithm (ASA)     1 - 3, 1 - 6

address translations     6 - 148

administer PIX Firewall from remote location     5 - 27

age command     3 - 26

AH     5 - 34

alias command     6 - 21, 6 - 191

alias option to arp command     6 - 24

alternate-address     6 - 19

apply command     6 - 151

ARP     3 - 8

arp command     6 - 24

ARP proxies     6 - 186

assigning remote VPN clients dynamic IP addresses     4 - 35

authenticating the CA     6 - 29

authentication, authorization, and accounting     6 - 2

authentication and authorization, user     2 - 44

auth-prompt command     6 - 26

B


blocking ActiveX objects     3 - 14

buffer allocation, interface     6 - 111

buffer usage, access with SNMP     3 - 17

C


CA
authenticating the CA     6 - 29
configuring     4 - 40
CRL     4 - 39
declaring the CA     6 - 33
deleting RSA keys     6 - 33
digital certificates     4 - 36
displaying public keys     6 - 34
fingerprint     6 - 28
generating RSA key pairs     6 - 32
obtaining an updated CRL     6 - 31
obtaining certificates     6 - 31
peer authentication     4 - 39
pre-shared keys     4 - 39
public key cryptography     4 - 36
Registration Authority (RA) mode     6 - 29
revoked certificates     4 - 39
revoking your certificate     6 - 31
RSA public key record     6 - 30
saving RSA Key pairs and certificates     6 - 33
sending enrollment request     6 - 31
serial number included in certificate     6 - 32
server
pkiclient.exe     6 - 33
signature     4 - 37
supported CAs     4 - 36

ca command     6 - 27

certificate enrollment protocol     4 - 40, 6 - 39

Certificate Revocation List
See CRL

certificates, digital     5 - 51

Certification Authority
See CA

CHAP     3 - 13

Cisco Firewall MIB     3 - 16

CiscoSecure     6 - 201

Cisco Secure VPN Client     4 - 33

Cisco Works for Windows     3 - 19

clear     6 - 2
aaa     6 - 2
aaa-server     6 - 11
access-group     6 - 14
access-list     6 - 15
arp     6 - 24
auth-prompt     6 - 26
command summary     6 - 35

clear access-list command     6 - 15

clear alias command     6 - 21

clear blocks command     6 - 171

clear commands     6 - 35

clear crypto ipsec sa command     6 - 61

clear flashfs     6 - 103

clear isakmp command     6 - 129

clear isakmp sa command     6 - 129

clear local-host command     6 - 131

clear timeout command     6 - 198

clear uauth command     6 - 201

client, remote VPN     4 - 33, 6 - 69

clock command     6 - 39, 6 - 137

command
aaa     6 - 2
aaa-server     6 - 11
access-group     6 - 14
access-list     5 - 32, 5 - 35, 6 - 15
age     3 - 26
alias     6 - 21, 6 - 191
apply     6 - 151
arp     6 - 24
auth-prompt     6 - 26
ca     6 - 27
clear
aaa     6 - 2
aaa-server     6 - 11
access-group     6 - 14
access-list     6 - 15
alias     6 - 21
arp     6 - 24
auth-prompt     6 - 26
crypto ipsec sa     6 - 61
isakmp     6 - 129
isakmp sa     6 - 129
timeout     6 - 198
clear blocks     6 - 171
clear crypto ipsec sa     6 - 61
clear flashfs     6 - 103
clear isakmp     6 - 129
clear isakmp sa     6 - 129
clear local-host     6 - 131
clear uauth     6 - 201
clear xlate     6 - 220
clock     6 - 39
conduit     6 - 41
configure     6 - 48
crypto dynamic-map     6 - 53
crypto ipsec     3 - 26, 6 - 57
crypto map     6 - 65
crypto map interface     4 - 11
debug     6 - 79
disable     6 - 84
domain-name     6 - 85
dynamic-map     6 - 86
enable     6 - 87
enable password     6 - 88
established     6 - 90
exit     6 - 93
failover     3 - 6, 6 - 94
fixup protocol     6 - 100
floodguard     6 - 104
global     6 - 105
help     6 - 108
hostname     6 - 109
interface     6 - 110
ip address     2 - 16, 6 - 115
ip local pool     6 - 117
ipsec     6 - 120
ip verify reverse-path     6 - 118
isakmp     6 - 121
kill     6 - 130
link     3 - 26
linkpath     3 - 26
logging     6 - 132
mtu     6 - 142
name     6 - 143
nameif     2 - 15, 6 - 145
names     6 - 143
nat     6 - 147
outbound     6 - 151
pager     6 - 157
passwd     6 - 158
perfmon     6 - 159
ping     6 - 161
quit     6 - 162
reload     2 - 9, 6 - 163
rip     6 - 164
route     6 - 166
service     6 - 168
session     6 - 169
show     6 - 170
aaa     6 - 2
aaa-server     6 - 11
access-group     6 - 14
access-list     6 - 15
alias     6 - 21
arp timeout     6 - 24
auth-prompt     6 - 26
ca certificate     6 - 27
ca configure     6 - 27
ca identity     6 - 27
show blocks     6 - 171
show checksum     6 - 172
show conn     6 - 172
show flashfs     6 - 103
show history     6 - 173
show interface     6 - 110
show local-host     6 - 131
show memory     6 - 174
show processes     6 - 174
show tech-support     6 - 175
show traffic     6 - 175
show uauth     6 - 201
show version     6 - 176
show who     6 - 216
show xlate     6 - 220
snmp-server     6 - 177
static     6 - 180
syslog     6 - 185
sysopt     6 - 186
sysopt connection permit-ipsec     4 - 8, 6 - 187
sysopt ipsec pl-compatible     3 - 24, 3 - 28, 6 - 190
terminal     6 - 196
tftp-server     6 - 197
timeout     6 - 198
url-cache     6 - 203
url-server     6 - 205
virtual     6 - 206
who     6 - 216
write     6 - 217

command line
editing     1 - 17
prompt     6 - 109

command output paging     1 - 18

compiling Cisco SMI MIB and syslog MIB     3 - 18

conduit command     6 - 41

conduits     1 - 6

configuration
mode     6 - 49
PIX Firewall units for failover     3 - 6
rechecking     2 - 45
size     1 - 18

configuration example
IPSec/VPN tunnel using Entrust digital certificates     5 - 51
IPSec/VPN tunnel using VeriSign digital certificates     5 - 44
IPSec/VPN with manual keys     5 - 32
multiple servers     5 - 6
six interfaces with NAT     5 - 22
three interfaces with NAT     5 - 12
three interfaces without NAT     5 - 10
two interfaces without NAT     5 - 2
VPN Client access with Extended Authentication, IKE Mode Config, and Wildcard Pre-shared key     5 - 58

configure command     6 - 48

configuring
CA     4 - 40
dynamic IP addressing assignment     4 - 35
IKE     4 - 27
IKE Extended Authentication (Xauth)     4 - 32
IKE Mode Config     4 - 35
IKE Mode Config (dynamic IP address assignment)     4 - 35
IPSec with IKE     4 - 18
IPSec with pre-shared keys     4 - 21

connection
state information     1 - 3

console
authentication     6 - 5
session     6 - 81

contact, SNMP     6 - 177

control list     6 - 152

conversion-error     6 - 19

converting from Private Link to IPSec     3 - 24

CRL     4 - 39

crypto dynamic-map command     6 - 53

crypto ipsec command     3 - 26, 6 - 57

crypto map command     6 - 65

crypto map interface command     4 - 11

crypto maps
applying to interface     4 - 16, 5 - 35
dynamic     4 - 15
entries     4 - 13
load sharing     4 - 14

cut-through proxies     1 - 6

D


daisy-chain PIX Firewall units     6 - 6

debug command     6 - 79

default password     6 - 88

default route
broadcast     6 - 164
router and hosts     2 - 10

DES     4 - 2, 4 - 24, 4 - 25, 5 - 34

digital certificates     4 - 36, 5 - 44, 5 - 51

disable command     6 - 84

diskette     6 - 49

disk-full condition, recovering from     2 - 41

displaying public keys     6 - 34

DNS     6 - 186

domain-name command     6 - 85

downloading IP address to VPN client     4 - 33

dynamic crypto maps     4 - 15
entries     4 - 16
referencing     4 - 16
sets     4 - 16

dynamic IP address assignment     4 - 35

dynamic-map command     6 - 86

E


echo-reply     6 - 19

editing command lines     1 - 17

EIGRP     B - 2

embryonic connection     6 - 148

enable command     6 - 87

enable password command     6 - 88

encrypting Telnet connection to outside interface     3 - 30

encryption, key     6 - 11

enforcesubnet     6 - 186

Entrust digital certificates     5 - 51

ESMTP commands rejected by Mail Guard     6 - 102

ESP     5 - 34

established command     6 - 90

Ethernet     6 - 110, 6 - 145, 6 - 190

examples
IPSec/VPN tunnel using Entrust digital certificates     5 - 51
IPSec/VPN tunnel using VeriSign digital certificates     5 - 44
IPSec/VPN with manual keys     5 - 32
multiple servers     5 - 6
six interfaces with NAT     5 - 22
three interfaces with NAT     5 - 12
three interfaces without NAT     5 - 10
two interfaces without NAT     5 - 2
VPN client access with Extended Authentication, IKE Mode Config, and Wildcard Pre-shared key     5 - 58

exit command     6 - 93

Extended Authentication (Xauth), IKE     4 - 31
configuring     4 - 32
making an exception for security gateways     4 - 31

F


failover
command     6 - 94
configuring on Active unit     3 - 6
interface tests     3 - 10
saving configuration of Active unit on standby unit     3 - 6
syslog messages     3 - 11
syslog messages, SNMP     3 - 17
upgrading     3 - 9

failover cable     3 - 6

failover command     3 - 6

fault detection within failover PIX Firewall units     3 - 12

FDDI network interfaces     1 - 7

filtering
ActiveX     3 - 14
URL     3 - 15

fingerprint, CA     6 - 28

Firewall MIB, Memory Pool MIB     3 - 16

fixup protocol command     6 - 100

flashfs     6 - 103

Flash memory
persistent data file     6 - 32, 6 - 33
write configuration to     6 - 218

Flood Defender     6 - 104

floodguard command     6 - 104

Frag Guard     6 - 186

fragmentation     6 - 186

FTP     3 - 15, 6 - 100

full duplex     6 - 110, A - 2

G


generating RSA key pairs     6 - 32

global command     6 - 105

global IP addresses, associating network with     6 - 147

GRE     2 - 32, 6 - 46

H


H.323     6 - 100, 6 - 184, 6 - 198

hardware
address     6 - 24
ID     6 - 110
speed     6 - 110

help, command line     1 - 20

help command     6 - 108

host, SNMP     6 - 177

hostname command     6 - 109

HTML <object> tag blocking     3 - 14

HTTP     6 - 100

HyperTerminal, configuring     2 - 2

I


IANA URL     1 - 24

ICMP trace     6 - 81

IDENT     6 - 168

IKE
authentication methods     4 - 26
benefits     4 - 23
configuring pre-shared keys     4 - 30
creating policies     4 - 26
disabling     4 - 30
enabling and configuring     4 - 27
Extended Authentication (Xauth)     4 - 31
policy parameters     4 - 24
remote VPN client     4 - 33

IKE Mode Config
configuring     4 - 35, 6 - 69
initiating on security gateway or VPN client     4 - 33
making an exception to     4 - 34
types     4 - 33

IKE Mode Configuration
See IKE Mode Config

information-reply     6 - 19

information-request     6 - 19

interface
buffer allocation     6 - 111
command     6 - 110
name     6 - 145

Internet Key Exchange
See IKE

interrupt vector, interface cards     6 - 112

ip address command     2 - 16, 6 - 115

IP Frag Guard     6 - 192

ip local pool command     6 - 117

IPSec
access lists     4 - 8, 4 - 9
creating     6 - 17
keyword "any"     4 - 11
peer mirror images     4 - 11
access-lists     6 - 19
configuring manually using pre-shared keys     4 - 21
configuring with IKE     4 - 18
crypto maps
entries     4 - 13
load sharing     4 - 14
digital certificates     4 - 36
order in which you perform your configuration     4 - 5
security associations
clearing and reinitializing     4 - 17
global lifetimes     4 - 8
IKE-established     4 - 14
manual using pre-shared keys     4 - 14
supported standards     4 - 2
transform sets     4 - 12
using CAs     4 - 39
view information     4 - 17
without CAs     4 - 37

ipsec command     6 - 120

ipsec-isakmp option     6 - 71

ipsec-manual option     5 - 34, 6 - 71

ip verify reverse-path command     6 - 118

ISAKMP     4 - 2, 4 - 23

isakmp command     6 - 121

ISAKMP identity     4 - 27

J


Java applets     3 - 14, 6 - 152, 6 - 155

K


key, authentication     6 - 11

kill command     6 - 130

L


LDAP (Lightweight Directory Access Protocol)     6 - 33

line protocol up and down     6 - 111

link command     3 - 26

linkpath command     3 - 26

link up and link down     6 - 111

link up and link down, SNMP     3 - 17

LINUX default route     2 - 12

literal names     1 - 22

LOCAL0 - LOCAL7     2 - 42, 6 - 134

local pool     6 - 117

location, SNMP     6 - 177

logging command     6 - 132

M


MAC address     6 - 24, 6 - 112

MacOS default route     2 - 13

Mail Guard
disabling     6 - 102
feature description     1 - 8

mask-reply     6 - 19

mask-request     6 - 19

MD5     4 - 2, 4 - 3, 4 - 24, 4 - 25, 5 - 34

MD5 encryption, RIP version 2     6 - 165

memory, OS and free     6 - 174

MIB file, updating     3 - 19

MIB-II groups, SNMP     3 - 16

Microsoft
Exchange     C - 1
MS-Exchange advisory for Mail Guard     6 - 102
Windows NT default route     2 - 12

mobile-redirect     6 - 19

monitor command instructions     2 - 4

MSCHAP     3 - 13

MSRPC     C - 4

MSS     6 - 186

MTU     2 - 47, 6 - 112

mtu command     6 - 142

multimedia applications, supported     1 - 25

N


name command     6 - 143

nameif command     2 - 15, 6 - 145

names command     6 - 143

nat command     6 - 147

net alias     6 - 22

NETBIOS over IP     1 - 9

netstat, setting a default route     2 - 12

net static     5 - 8

Network Address Translation (NAT)
See nat command

newsreaders     6 - 8

NFS
access     5 - 8
testing with showmount     5 - 8

nodnsalias     6 - 186

noproxyarp     6 - 186

norandomseq     6 - 147, 6 - 180

O


Oakley key exchange protocol     4 - 2, 4 - 23

object <object> tag blocking     3 - 14

obtaining an updated CRL     6 - 31

Oracle SQL*Net     6 - 81

outbound command     6 - 151

P


packets, received and sent     6 - 112

packet trace     6 - 81

pager command     6 - 157

paging screen displays     1 - 18

PAP     3 - 13

parameter-problem     6 - 19

passwd command     6 - 158

password, default     6 - 88

PAT (Port Address Translation)     2 - 24, 6 - 105

PAT not supported with fixup protocol rtsp     6 - 101

PCNFSD, tracking activity     5 - 8

perfmon command     6 - 159

permit-ipsec     6 - 186

PFSS     6 - 139

physical address     6 - 24

ping and ICMP trace     6 - 81

ping command     6 - 161

pings and AAA     6 - 10

PIX 515
feature description     1 - 9

PIX Firewall
boot diskette, use for system recovery     2 - 9
failures on failover units     3 - 12
forcing to be active or go to standby     3 - 6
monitoring performance     6 - 159
reboot and reload     6 - 163

PIX Firewall Manager (PFM)     2 - 3

PIX Firewall Manager, set password     6 - 158

PIX Firewall Syslog Server (PFSS)     2 - 3, 6 - 139

PKI protocol     4 - 40, 6 - 33, 6 - 39

port, outbound     6 - 152

port literal names     1 - 22

portmapper     6 - 46

PPTP     2 - 32, 6 - 46

PPTP and vpdn command     3 - 13

PPTP and VPN     3 - 13

Private Link
conversion to IPSec     3 - 24
example of a network diagram     3 - 27

privileged mode, start     6 - 87

prompt host name label     6 - 109

protocols     1 - 24, 6 - 100

public key cryptography     4 - 36

Q


querying a certificate or CRL     6 - 33

quit command     6 - 162

R


RA     4 - 40

RADIUS     4 - 31, 6 - 2, 6 - 8

recovering from disk-full condition     2 - 41

redirect     6 - 19, 6 - 45

redirect, ICMP type     6 - 19

Registration Authority
See RA

reload command     2 - 9, 6 - 163

remote VPN client     4 - 33, 6 - 69

revoked certificates     4 - 39

RFC 2637 (PPTP)     3 - 13

rip command     6 - 164

RIP version 2     6 - 164

route command     6 - 166

router, in PIX Firewall     6 - 169

router-advertisement     6 - 19, 6 - 45

router-solicitation     6 - 19

RPC
conduit     6 - 46
MSRPC     C - 4
slot     6 - 198
Sun     5 - 8
testing with rpcinfo     5 - 8

RSA public key record     6 - 30

RSH     6 - 100

S


saving configuration before upgrading     2 - 2

screen paging, enabling or disabling     6 - 157

securing Telnet connection to outside interface     3 - 30

security associations, IPSec
clearing and reinitializing     4 - 17
global lifetimes     4 - 8
IKE     4 - 14
manual using pre-shared keys     4 - 14

security gateway
initiating IKE Mode Config     4 - 33
making an exception to Extended Authentication     4 - 31
making an exception to IKE Mode Config     4 - 34

security level
assigning     6 - 145
defaults     6 - 145

security level, values     2 - 16

serial number     6 - 32

service command     6 - 168

session command     6 - 169

session key     5 - 35

SHA     4 - 24, 4 - 25

show     6 - 26
aaa     6 - 2
aaa-server     6 - 11
access-group     6 - 14
access-list     6 - 15
alias     6 - 21
arp     6 - 24
arp timeout     6 - 24
auth-prompt     6 - 26
ca certificate     6 - 27
ca configure     6 - 27
ca identity     6 - 27

show blocks command     6 - 171

show checksum command     6 - 172

show command     6 - 170

show conn command     6 - 172

show flashfs     6 - 103

show history command     6 - 173

show interface command     6 - 110

show ip command     6 - 115

show local-host command     6 - 131

show memory command     6 - 174

showmount     5 - 8

show processes command     6 - 174

show tech-support command     6 - 175

show traffic command     6 - 175

show uauth command     6 - 201

show version command     6 - 176

show who command     6 - 216

show xlate command     6 - 220

shutdown option to interface command     6 - 111

Skeme key exchange protocol     4 - 2, 4 - 23

SMTP     6 - 100

SNMP
configuring     3 - 16
contact, location, and host     6 - 177
object ID (OID)     3 - 18, 6 - 178
read-only (RO) values     3 - 16
SNMPc (Cisco Works for Windows)     3 - 19
syslog Enterprise MIB     3 - 18
traps     3 - 16

snmp-server command     6 - 177

Solaris default route     2 - 12

Sorry, not allowed to enter IP address on same network...     2 - 17

source-quench message type     6 - 19, 6 - 45

SPI     4 - 5, 5 - 35, 6 - 58, 6 - 62, 6 - 76

SQL*Net     6 - 81, 6 - 100

stateful     1 - 3

state information     1 - 3

static command     6 - 180

static translation     1 - 4

subnet masks     D - 1

SunOS default route     2 - 12

Sun RPC     5 - 8

supported standards, IPSec     4 - 2

syslog     3 - 11, 6 - 18
command     6 - 185
Enterprise MIB     3 - 18
log file, UNIX     2 - 43
message levels     2 - 42
messages     2 - 42, 6 - 139
MIB files     3 - 19
server     6 - 139
SNMP     3 - 17
syslog.conf file (UNIX host)     2 - 43
UNIX system, configuring     2 - 43
viewing messages from console     6 - 136

sysopt command     6 - 186

sysopt connection permit-ipsec command     4 - 8, 6 - 187

sysopt ipsec pl-compatible command     3 - 24, 3 - 28, 6 - 190

system recovery, PIX Firewall boot diskette     2 - 9

T


TACACS+     4 - 31, 6 - 2, 6 - 8

TCP
maximum segment size     6 - 186
port literals     1 - 22
randomizing packet sequence number     6 - 147

tcpclose     6 - 186

TCP maximum segment size, IPSec     5 - 34

tcpmss     6 - 186

Telnet
configure console access     2 - 27
console, debug     6 - 81
console, syslog     6 - 136
console access     6 - 5
encrypting connection to outside interface     3 - 30
icmp trace     6 - 81
interface     1 - 11
set password     6 - 158
terminating     6 - 130
timeout feature     6 - 193
Trace Channel     6 - 81

terminal command     6 - 196

terminology     1 - 26

TFTP
configuration     6 - 49, 6 - 197, 6 - 217

TFTP error codes     2 - 6

tftp-server command     6 - 197

TIME_WAIT state     6 - 187

time-exceeded     6 - 19, 6 - 45

timeout command     6 - 198

timestamp-reply     6 - 19

timestamp-request     6 - 19

time stamps     6 - 135

timewait     6 - 186

Token Ring     6 - 110, 6 - 145, 6 - 190

Trace Channel     2 - 29, 6 - 81

trace ICMP, SQL*Net, and packets     6 - 81

transform set
example configuration     5 - 34

transform set, IPSec     4 - 12

translation slots
UDP, RPC, H.323     6 - 198

translations of addresses     6 - 148

traps, SNMP     3 - 16

Triple DES     4 - 2, 4 - 24, 4 - 25

troubleshoot PIX Firewall from remote location     5 - 27

U


uauth     6 - 201

UDP
connection state information     1 - 3
idle time until slot is freed     6 - 198
port literals     1 - 22
portmapper     6 - 46

UNIX
syslog configuration     2 - 43

UNIX, getting console terminal     2 - 2

unreachable, ICMP type     6 - 19

upgrading, before     2 - 2

upgrading failover     3 - 9

URL
filtering     3 - 15, 6 - 97, 6 - 203, 6 - 205
logging     3 - 15

url-cache command     6 - 203

url-server command     6 - 205

user authentication     4 - 31

user authentication, authorization, and accounting, providing     6 - 2

user authentication and authorization, providing     2 - 44

V


validating a CA's signature     4 - 37

VeriSign digital certificates     5 - 44

version 2 RIP     6 - 164

video conferencing applications, supported     1 - 25

virtual command     6 - 206

Virtual Private Network
See VPN

VPN
client     4 - 33
client initiating IKE Mode Config     4 - 33
configuration example     5 - 32
definition     4 - 5
introduction     4 - 6

VPNs over PPTP     3 - 13

W


Websense server     6 - 203

who command     6 - 216

winipcfg, view default route     2 - 12

write command     6 - 217

X


Xauth
See Extended Authentication (Xauth), IKE

XDMCP support     6 - 92

xlate (translation slot)     6 - 198, 6 - 220

Posted: Sun May 21 21:51:16 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.