Index: Cisco IOS Security Configuration Guide, Release 12.1

Symbols   A   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U

Symbols


? command     xxxvii

A


AAA
accounting     SC-81
AV pairs     SC-96
command type     SC-91
configuration (example)     SC-96
connection type     SC-86
enabling     SC-92
EXEC type     SC-89
interim records     SC-95
method lists (example)     SC-81
methods (table)     SC-93
monitoring     SC-96
network configuration (figure)     SC-83
network type     SC-84
prerequisites     SC-91
server groups     SC-82
suppress records     SC-94  to SC-95
system type     SC-90
types     SC-84  to SC-91
ARA authentication     SC-32  to SC-35
authorized guest logins     SC-33
guest logins     SC-34
line password     SC-34
local password     SC-34
methods (table)     SC-33
TACACS+     SC-35
authentication
ARA     SC-32  to SC-35
configuration (examples)     SC-53
configuration procedure     SC-24
double authentication     SC-41  to SC-44
enable default     SC-39
login     SC-25  to SC-27
methods     SC-24
NASI     SC-35  to SC-38
network configuration (figure)     SC-22
PPP     SC-28  to SC-30
server groups     SC-22
authentication method lists     SC-21
authorization
AV pairs     SC-75
configuration (examples)     SC-76  to SC-80
configuring     SC-73
description     SC-69
for global configuration commands     SC-74
method lists     SC-69  to SC-71
network configuration (figure)     SC-71
prerequisites     SC-72
RADIUS     SC-74
reverse telnet     SC-75
server groups     SC-71
TACACS+     SC-74
types     SC-72
configuration process     SC-19
description     SC-15  to SC-17
disabling     SC-19
enable default authentication     SC-39
methods (table)     SC-39
enabling     SC-19
login authentication     SC-25  to SC-27
enable password     SC-26
Kerberos     SC-27
line password     SC-27
local password     SC-27
methods (table)     SC-26
RADIUS     SC-27, SC-31, SC-35, SC-37
TACACS+     SC-28, SC-31, SC-35, SC-38
message banners
configuring a failed-login banner     SC-40
configuring a login banner     SC-40
examples     SC-57
method lists
accounting     SC-81
authentication     SC-21
authorization     SC-69  to SC-71
description     SC-17
NASI authentication     SC-35  to SC-38
enable password     SC-37
line password     SC-37
local password     SC-37
methods     SC-36
TACACS+     SC-38
PPP authentication     SC-28  to SC-30
Kerberos     SC-30
local password     SC-30
RADIUS
accounting     SC-111
authentication     SC-110
authorization     SC-111
server groups
accounting     SC-82
authentication     SC-22
authorization     SC-71
RADIUS, configuring     SC-108
TACACS+, configuring     SC-125

aaa authentication ppp command
undefined list name (caution)     SC-50

AAA scalability
configuration example     SC-56

abbreviating commands
context-sensitive help     xxxvii

access-enable command     SC-181

access-list (encryption) command     SC-337, SC-378

access-list (IP extended) command     SC-180

access-list command     SC-179

access lists
applying to interfaces     SC-166
CBAC
basic configuration     SC-218
configuring     SC-217
how it works     SC-210
creating     SC-163
criteria statements, order of     SC-165
description     SC-161
dynamic
entries, deleting     SC-184
See also lock-and-key
IP
See also Reflexive Access Lists
numeric ranges for protocols (table)     SC-164
reflexive     SC-187
specifying
by name (table)     SC-164
by number (table)     SC-164
See also IKE
See also IPSec, access lists
See also IPSec, crypto access lists

accounting
See AAA accounting

address command     SC-419

addressed-key command     SC-403, SC-419

AH
description     SC-371

algorithms
encryption
See IKE, algorithms
hash
See IKE, algorithms

anti-replay
description     SC-371, SC-411

attack signatures
See Cisco IOS Firewall IDS

audit rule
See Cisco IOS Firewall IDS, audit rule

audit trail
CBAC messages     SC-234
DNSIX facility     SC-450
See CBAC, audit trail

authentication
CAs     SC-401
for encryption     SC-323
neighbor router     SC-12, SC-441
benefits     SC-441
configuration information for protocols     SC-445
key chains     SC-444
MD5     SC-443
plain text     SC-442, SC-443
process     SC-442
protocols     SC-442
types     SC-442
non-AAA methods     SC-46
static login     SC-46
username     SC-47
route     SC-12
route authentication     SC-441
user
overview     SC-11
See also IKE, authentication
See also lock-and-key

Authentication, Authorization, and Accounting
See AAA

authentication command     SC-416

authentication header
See AH

authentication proxy     SC-275
applying     SC-280
CBAC requirement     SC-285
comparison with Lock-and-Key feature     SC-283
compatibility
CBAC     SC-282
NAT     SC-282
VPN     SC-283
configuration tasks     SC-285
deleting cache entries     SC-292
denial-of-service attack protection     SC-283
description     SC-275
displaying dynamic ACL entries     SC-291
examples     SC-292  to SC-305
AAA server user profile     SC-302
IPSec, NAT, and CBAC     SC-298
IPSec and CBAC     SC-294
feature overview     SC-3
HTTP trigger     SC-276
login page (figure)     SC-276
login status message (figure)     SC-277
maintaining     SC-291
monitoring     SC-291
one-time passwords     SC-280, SC-282
operation     SC-276
operation with JavaScript     SC-278
operation without JavaScript     SC-278
prerequisites
AAA     SC-284
access control lists     SC-284
browser     SC-284
CBAC     SC-284
restrictions     SC-284
risk of spoofing     SC-283
secure authentication     SC-277
using     SC-279
verifying configuration     SC-285, SC-288
when to use     SC-279, SC-280

authorization
See AAA, authorization

autocommand command     SC-181

C


CA interoperability
description     SC-320

CAs
authenticating     SC-401
certificates
revoked     SC-398
declaring     SC-400
(example)     SC-405
description     SC-395
identity
deleting     SC-404
IPSec
implementing     SC-396  to SC-397
LDAP
support     SC-400
public keys     SC-401
purpose     SC-395
URLs
specifying     SC-400
See also certificates
See also certification authority interoperability
See also CRLs
See also IPSec
See also RAs

cautions
access lists     SC-179, SC-338
authenticating keys     SC-442
crypto engines, switching     SC-345, SC-346
DSS keys     SC-349
Java blocking     SC-224
lock-and-key     SC-179
neighbor authentication     SC-442
passwords
encrypting (caution)     SC-429
Unicast RPF
BGP optional attributes     SC-458
usage in text     xxxi

CBAC
access lists
configuring     SC-217
how it works     SC-210
application-layer protocols
configuring     SC-222
audit trail     SC-225
audit trail messages
(example)     SC-234
enabling     SC-231
authentication proxy compatibility     SC-285
configuration
(example)     SC-235  to SC-253
guidelines     SC-226
viewing     SC-227
configuring     SC-215  to SC-225
verifying     SC-227
debugging     SC-231  to SC-232
denial-of-service attacks
detection     SC-220
error messages     SC-233
indications     SC-221
description     SC-205
disabling     SC-235
displaying access list contents     SC-227
error messages
audit trail     SC-234
denial-of-service attacks     SC-233
FTP attacks     SC-234
Java blocking     SC-234
SMTP attacks     SC-233
filtering
Java blocking     SC-206
TCP traffic     SC-206
UDP traffic     SC-206
filtering, traffic     SC-206
firewall
configuration, guidelines     SC-226
FTP attacks
error messages     SC-234
FTP traffic     SC-215
H.323 inspection
configuring     SC-222
multimedia support     SC-213
half-open sessions
deleting     SC-221
description     SC-221
how it works     SC-208
inspection rules
applying     SC-225
defining     SC-222  to SC-225
description     SC-222
viewing     SC-227
interfaces
choosing     SC-216
external, tips     SC-219
internal, tips     SC-220
intrusion detection
SMTP attacks     SC-207
IP packet fragmentation
inspection     SC-224
IPSec compatibility     SC-215
Java
blocking     SC-206, SC-223
blocking (caution)     SC-224
blocking, messages     SC-234
inspection, configuring     SC-223
limitations     SC-207
See also CBAC, restrictions
logging     SC-225
memory usage     SC-215
multimedia support
protocol inspection     SC-213
packet inspection     SC-209
PAM operation     SC-310
process     SC-211
protocol support (table)     SC-212
restrictions     SC-214
See also CBAC, limitations
RPC inspection
configuring     SC-222
RTSP inspection     SC-213
session information
viewing     SC-227
SMTP attacks
error messages     SC-233
state tables     SC-210
TCP inspection
configuring     SC-224
thresholds
configuring     SC-220
default values     SC-220
modifying     SC-220
timeouts
configuring     SC-220
default values     SC-220
modifying     SC-220
traffic filtering
UDP inspection
configuring     SC-224
UDP sessions     SC-210
verifying configuration     SC-227
when to use     SC-210

CCO
accessing     xxxii
definition     xxxii

certificate chain configuration mode
enabling     SC-404

certificate command     SC-404

certificate revocation lists
See CRLs

certificates
deleting     SC-404
description     SC-394, SC-411
requesting     SC-401
requests
resending, number of times     SC-400
resending, wait period     SC-400
requirements
RSA keys     SC-399
saving     SC-399
storing     SC-398
viewing     SC-404
See also CAs
See also CRLs
See also RSA keys

certification authorities
See CAs

certification authority interoperability
CA authentication     SC-401
configuration
(example)     SC-405
saving your configuration     SC-402
description     SC-393
domain names
configuration (example)     SC-405
configuring     SC-399
host names
configuration (example)     SC-405
configuring     SC-399
NVRAM memory usage     SC-399
prerequisites     SC-395
restrictions     SC-394
supported standards     SC-394
See also CAs
See also certificates
See also CRLs
See also RSA keys

CET
access lists, encryption     SC-337
(example)     SC-356
authenticating peer routers     SC-323
Cisco IOS implementation     SC-322
connection problems     SC-350
crypto engines     SC-328
Cisco IOS     SC-329
ESA     SC-330
VIP2     SC-329
crypto maps     SC-336
applying to interfaces     SC-339
example     SC-356
defining     SC-339
example     SC-356
data encryption
introduction     SC-12
DES algorithms     SC-326
defaults (global)     SC-336
enabling, globally     SC-336
enabling, globally (example)     SC-356
enabling in crypto maps     SC-338
types     SC-336
description     SC-317
DH     SC-325
exchanging numbers     SC-325
generating the DES key     SC-326
pregenerating numbers     SC-347
dropped packets     SC-351
DSS keys     SC-325
deleting     SC-349
(examples)     SC-364
exchanging     SC-324, SC-333
(example)     SC-354
generating     SC-333
(example)     SC-353
saving     SC-333
encapsulation     SC-330
ESA
(examples)     SC-363
Cisco 7200     SC-342
VIP2     SC-341
fragmentation, IP     SC-331
GRE tunnels     SC-340
(example)     SC-360
IPSec
comparison     SC-318, SC-319
comparison (table)     SC-319
using with     SC-320
multicast     SC-331
network topology     SC-328
number of sessions     SC-332
passwords (ESA)     SC-352
peer encrypting routers     SC-323, SC-328
performance impacts     SC-332
prework     SC-328
process     SC-324
purpose     SC-322
session keys     SC-326
session times     SC-347
standards implemented     SC-323
switching types     SC-332
tasks, basic     SC-332
testing and troubleshooting     SC-350
testing connections
(example)     SC-366
turning off     SC-349
which packets are encrypted     SC-323

Challenge Handshake Authentication Protocol
See CHAP

CHAP
authentication     SC-47  to SC-50
common password     SC-50
delay authentication     SC-51
description     SC-47
enable authentication     SC-49
refuse authentication requests     SC-51

Cisco Connection Online
See CCO

Cisco Encryption Technology
See CET

Cisco IOS
saving configuration changes     xl

Cisco Secure IDS
See Cisco IOS Firewall IDS, compatibility

Cisco Secure Integrated Software
See Cisco IOS Firewall

Cisco IOS Firewall
authentication proxy     SC-275
context-based access control (CBAC)     SC-205
description     SC-169
dynamic access lists     SC-177
feature set     SC-170
firewall solution     SC-169
Intrusion Detection System (IDS)     SC-255
port to application mapping (PAM)     SC-307
reflexive access lists     SC-187
See also authentication proxy
See also CBAC
See also Cisco IOS Firewall IDS
See also dynamic access lists
See also PAM
See also reflexive access lists
See also TCP intercept
TCP intercept     SC-199

Cisco IOS Firewall IDS
audit rule     SC-257
compatibility     SC-256
Cisco Secure IDS
configuration (examples)     SC-270  to SC-273
configuring     SC-264  to SC-269
applying audit rules     SC-267
initializing, IDS     SC-264
verifying     SC-269
configuring, initializing, post office     SC-265
description     SC-255, SC-257
event logging     SC-256
monitoring and maintaining     SC-269
performance impact     SC-258
process     SC-257
response to threats     SC-256
sensor     SC-256
signature list     SC-259  to SC-264
signature types
attack atomic     SC-259
attack compound     SC-259
info atomic     SC-259
info compound     SC-259
threat response     SC-256
usage scenarios     SC-258
when to use     SC-257

clear access-template command     SC-184

clear crypto isakmp command     SC-423

clear crypto sa command     SC-391

command modes
summary (table)     xxxvi

command syntax conventions
Cisco IOS documentation     xxxi

config-isakmp command mode
enabling     SC-416

configuration, saving     xl

configurations
saving     SC-402

Context-based Access Control
See CBAC

crl optional command     SC-400

CRLs
downloading     SC-402
missing     SC-400
requesting     SC-402
saving     SC-399
storing     SC-398

crypto
See CET

crypto ca authenticate command     SC-401

crypto ca certificate chain command     SC-404

crypto ca certificate query command     SC-399

crypto ca crl request command     SC-402

crypto ca enroll command     SC-401

crypto ca identity command     SC-400, SC-404

crypto card clear-latch command     SC-341, SC-343

crypto card command     SC-346

crypto card enable command     SC-344

crypto cisco algorithm 40-bit-des command     SC-336

crypto cisco algorithm des command     SC-336

crypto cisco connections command     SC-349

crypto cisco entities command     SC-349

crypto cisco key-timeout command     SC-347

crypto cisco pregen-dh-pairs command     SC-347, SC-349

crypto dynamic-map command     SC-389, SC-422

crypto ipsec security-association lifetime command     SC-376

crypto ipsec transform-set command     SC-382

crypto isakmp enable command     SC-413, SC-416

crypto isakmp identity command     SC-418

crypto isakmp key command     SC-420

crypto key exchange dss command     SC-334

crypto key exchange dss passive command     SC-334

crypto key generate dss command     SC-333

crypto key generate rsa command     SC-400, SC-418

crypto key pubkey-chain rsa command     SC-403, SC-419

crypto key zeroize dss command     SC-342, SC-344, SC-346, SC-349

crypto key zeroize rsa command     SC-403

crypto map command     SC-339, SC-385, SC-386

D


data authentication
description     SC-371

data confidentiality
description     SC-371

Data Encryption Standard
See DES

data flow
description     SC-371

debug crypto isakmp command     SC-423

debug ip inspect command     SC-231

default form of a command
using     xxxix

denial-of-service attacks
CBAC detection     SC-220
half-open sessions     SC-221
deploying Unicast RPF     SC-459
detection
authentication proxy     SC-283
using Cisco IOS Firewall IDS     SC-259
mitigating IP address spoofing     SC-459
preventing
reflexive access lists     SC-188
using TCP Intercept     SC-199

error messages
See also CBAC, error messages, denial-of-service attacks

Department of Defense Intelligence Information System Network Security for Information Exchange
See DNSIX

DES
description     SC-371, SC-410
IKE policy parameter     SC-414
See CET

DH
See also CET
See IKE, DH

Dialed Number Identification Service
See DNIS

Diffie-Hellman
See DH

Digital Signature Standard
See DSS

DMDP
definition     SC-451

DNIS
selecting server groups     SC-109, SC-126

DNSIX
audit trail facility     SC-450
DMDP     SC-451
enabling     SC-451
extended IPSO fields     SC-449
hosts to receive messages     SC-451
Network Audit Trail Protocol     SC-451
transmission parameters     SC-451

dnsix-dmdp retries command     SC-451

DNSIX Message Delivery Protocol
See DMDP

dnsix-nat authorized-redirection command     SC-451

dnsix-nat primary command     SC-451

dnsix-nat secondary command     SC-451

dnsix-nat source command     SC-451

dnsix-nat transmit-count command     SC-451

documentation conventions
Cisco IOS     xxx

domain names
certification authority interoperability
configuration (example)     SC-405
configuring     SC-399

double authentication
access user profile     SC-43
configuring     SC-42, SC-44
operation     SC-41

DSS
See CET

dynamic crypto maps
See IPSec, crypto maps

E


encapsulating security payload
See ESP

encapsulation
IPSec supported     SC-373

encrypted nonces
See RSA encrypted nonces

encryption
IPSec
See CET

encryption algorithm
See IKE, algorithms

encryption command     SC-416

enrollment mode ra command     SC-400

enrollment retry-count command     SC-400

enrollment retry-period command     SC-400

enrollment url command     SC-400

ESP
description     SC-371

examples
CAs
declaring     SC-405
CBAC configuration     SC-235  to SC-253
certification authority interoperability
configuration     SC-405
domain names, configuring     SC-405
host names, configuration     SC-405
Cisco IOS Firewall IDS     SC-270  to SC-273
IKE
configuration     SC-423
IPSec
transform set, configuring     SC-405
IPSec configuration     SC-392
PAM configuration     SC-312  to SC-313
pre-shared keys
configuration     SC-423

F


filtering
See access lists

firewalls
CBAC guidelines     SC-226
Cisco IOS Firewall
feature set     SC-170
solution     SC-169
configuring as     SC-169
creating     SC-170
description     SC-169
features     SC-170, SC-171
guidelines     SC-174
See also CBAC
See also Cisco IOS Firewall

FTP attacks
CBAC error messages     SC-234

G


global configuration mode
summary     xxxvi

group command     SC-416

H


H.323 inspection
multimedia protocol support     SC-213
See CBAC, H.323 inspection

hash algorithm
See IKE, algorithms

hash command     SC-416

help command     xxxvii

hijacking
preventing     SC-12

hostname command     SC-399

host names
certification authority interoperability
configuration (example)     SC-405
configuring     SC-399

I


identification support
configuring     SC-437

IDS
See Cisco IOS Firewall IDS

IKE
access lists
configuration     SC-413
algorithms
encryption, specifying     SC-416
hash, specifying     SC-416
options     SC-415
anti-replay
description     SC-411
authentication
methods     SC-415
methods, specifying     SC-416
connections
clearing     SC-423
debug messages     SC-423
description     SC-320
feature     SC-409
protocol     SC-370, SC-410
DH
description     SC-411
group identifier, specifying     SC-416
IKE policy parameter     SC-414
disabling     SC-413
enabling     SC-413
group identifier
specifying     SC-416
ISAKMP identity
configuring     SC-418
keys
See keys, pre-shared
See RSA keys
mode configuration     SC-420
configuring     SC-421
restrictions     SC-421
types     SC-420
negotiations
successful     SC-415
unsuccessful     SC-415
policies
configuration (example)     SC-423
configuration, required     SC-417
configuring     SC-416
creating     SC-413  to SC-417
defaults, viewing     SC-417
identifying     SC-416
multiple     SC-416
parameters     SC-414
parameters, choosing     SC-415
parameters, viewing     SC-423
purpose     SC-414
requirements     SC-413
viewing     SC-416
requirements
access lists     SC-413
policies     SC-413
RSA encrypted nonces method     SC-417
RSA signatures method     SC-417
SAs     SC-412
supported standards     SC-410
troubleshooting     SC-423
tunnel endpoint discovery     SC-421
restrictions     SC-422
See also IPSec
See also RSA encrypted nonces
See also SAs

initialization-vector size command     SC-382

inspection rules
See CBAC, inspection rules

interface command     SC-180

interface configuration mode
summary     xxxvi

internet key exchange mode configuration     SC-420
See IKE, mode configuration

Internet Key Exchange Security Protocol
See IKE

intrusion detection
See Cisco IOS Firewall IDS

intrusion detection system
See Cisco IOS Firewall IDS

IP
access lists
dynamic, deleting     SC-184
reflexive     SC-187
encryption
introduction     SC-12
security
See also lock-and-key
See also TCP Intercept
See also CET
session filtering
See Reflexive Access Lists

ip access-group command     SC-180

ip domain-name command     SC-399

ip inspect audit trail command     SC-231

ip inspect command     SC-225

ip inspect dns-timeout command     SC-221

ip inspect max-incomplete high command     SC-221

ip inspect max-incomplete low command     SC-221

ip inspect name command     SC-222

ip inspect one-minute high command     SC-221

ip inspect one-minute low command     SC-221

ip inspect tcp finwait-time command     SC-220

ip inspect tcp idle-time command     SC-220

ip inspect tcp max-incomplete host command     SC-221

ip inspect tcp synwait-time command     SC-220

ip inspect udp idle-time command     SC-220

IP packet fragmentation
See CBAC, IP packet fragmentation

ip port-map command     SC-311

IPSec
access lists     SC-373
requirements     SC-375
benefits     SC-318
CA certificates
using     SC-397
CAs
implementing with     SC-397
implementing without     SC-396, SC-397
CBAC compatibility     SC-215
CET
comparison     SC-318, SC-319
comparison (table)     SC-319
using with     SC-320
configuration
(example)     SC-392
configuring     SC-375  to SC-391
crypto access lists
any keyword, using     SC-381
creating     SC-377
description     SC-377
manually established SAs     SC-379
mirror images     SC-380
purpose     SC-377
tips     SC-378
crypto map entries
creating     SC-383  to SC-390
crypto maps
applying     SC-390
dynamic, adding     SC-390
dynamic, creating     SC-387, SC-388
dynamic, definition     SC-388
purpose     SC-383
quantity     SC-384
description     SC-317
feature     SC-369
protocol     SC-370
encapsulation supported     SC-373
hardware supported     SC-372
how it works     SC-373
monitoring     SC-391
multiple peers     SC-374
NAT
configuring     SC-373
network services     SC-12, SC-369
performance impacts     SC-319
prerequisites     SC-375
requirements
SAs     SC-412
restrictions     SC-373
SAs
clearing     SC-382
IKE negotiations     SC-374, SC-386
manual negotiations     SC-374, SC-385
See also SAs
supported standards     SC-370
switching paths supported     SC-373
traffic protected
defining     SC-373
transforms
description     SC-372
transform sets
changing     SC-381
configuration (example)     SC-405
defining     SC-381
tunnel endpoint discovery
See IKE, tunnel endpoint discovery

IPSec network security protocol
See IPSec

ip security add command     SC-448

ip security aeso command     SC-450

ip security dedicated command     SC-448

ip security eso-info command     SC-450

ip security eso-max command     SC-450

ip security eso-min command     SC-450

ip security extended-allowed command     SC-448

ip security first command     SC-449

ip security ignore-authorities command     SC-448

ip security implicit-labelling command     SC-448

ip security multilevel command     SC-448

IP Security Option
See IPSO

ip security reserved-allowed command     SC-449

ip security strip command     SC-448

IPSO
(examples)     SC-452
basic     SC-448
configuration tasks     SC-448
defaults     SC-449
enabling     SC-448
processing     SC-448
security classifications     SC-448
extended     SC-449
AESOs, attaching     SC-450
configuration tasks     SC-450
ESOs attaching     SC-450
global defaults     SC-450

ip tcp intercept connection-timeout command     SC-202

ip tcp intercept drop-mode command     SC-201

ip tcp intercept finrst-timeout command     SC-202

ip tcp intercept list command     SC-200

ip tcp intercept max-incomplete high command     SC-202

ip tcp intercept max-incomplete low command     SC-202

ip tcp intercept mode command     SC-201

ip tcp intercept one-minute high command     SC-203

ip tcp intercept one-minute low command     SC-203

ip tcp intercept watch-timeout command     SC-201

ISAKMP
description     SC-410
See also IKE

J


Java blocking
See CBAC, Java

K


Kerberos
authentication     SC-143
login     SC-27
PPP     SC-30
configuration (examples)     SC-146  to SC-157
configuring     SC-139  to SC-145
copying SRVTABs files     SC-142
creating SRVTABs     SC-140
credential forwarding     SC-143
extracting SRVTABs     SC-141
instance mapping     SC-145
KDC     SC-139
KDC database     SC-140
mandatory authentication     SC-145
network access server communication     SC-141
realms     SC-141
description     SC-135
Encrypted Kerberized Telnet     SC-144
maintaining     SC-145
monitoring     SC-145
operation     SC-137  to SC-139
Telnet to router     SC-144
terms (table)     SC-136

key distribution center
See Kerberos, KDC

keys
chains     SC-444
management     SC-444
pre-shared
configuration (example)     SC-423
configuring     SC-420
IKE policy parameter     SC-414
ISAKMP identity, configuring     SC-418
specifying     SC-420
RSA
See RSA keys

key-string command     SC-419

L


LDAP protocol support
specifying     SC-400

lifetime command     SC-416

line vty command     SC-181

lock-and-key
benefits     SC-178
configuration (examples)     SC-184  to SC-186
configuring     SC-180
examples     SC-184  to SC-186
prerequisites     SC-180
tips     SC-181
verification     SC-183
description     SC-177
maintenance tasks     SC-184
performance impacts     SC-180
process     SC-178
risk of spoofing     SC-179
when to use     SC-178

logging
See CBAC, logging and audit trail

login local command     SC-181

login tacacs command     SC-181

M


match address command     SC-339, SC-386, SC-389

MD5
neighbor router authentication     SC-443

MD5 algorithm
description     SC-371, SC-411
IKE policy parameter     SC-414

memory usage
certification authority interoperability     SC-399

Message Digest 5
See MD5 algorithm

Message Digest Algorithm Version 5
See MD5

method lists
AAA
accounting     SC-81
authentication     SC-21
authorization     SC-69  to SC-71
description     SC-17
example     SC-18

Microsoft Challenge Handshake Authentication Protocol
See MS-CHAP

modes
certificate chain configuration
enabling     SC-404
public key configuration
enabling     SC-403
query
enabling     SC-399
RA
enabling     SC-400
See command modes

MS-CHAP
configuration example     SC-66
feature summary     SC-51
vendor-specific RADIUS attributes     SC-52

multimedia
application protocol support
H.323     SC-214
protocols (table)     SC-212
RTSP     SC-213

N


named-key command     SC-403, SC-419

NAT
IPSec, configuring for     SC-373

neighbor router authentication
See authentication, neighbor router

network data encryption
See CET

no form of a command
using     xxxix

no ip inspect command     SC-235

nonces
See RSA encrypted nonces

non-repudiation
description     SC-411

notes
usage in text     xxxi

O


Oakley key exchange protocol
description     SC-410
See also IKE

one-time passwords
authentication proxy operation     SC-282

online documentation
See CCO

P


packet fragmentation
See CBAC, IP packet fragmentation

PAM
CBAC operation     SC-308
configuration examples     SC-312  to SC-313
configuring
access lists     SC-311
port mapping     SC-311
verifying     SC-311
default port mapping     SC-308
defining a port range     SC-309
deleting system-defined mapping information     SC-308
host-defined mapping     SC-308
host-specific mapping     SC-310
how PAM works     SC-307
mapping types
host-specific     SC-308, SC-310
system-defined     SC-308
user-defined     SC-308, SC-309
monitoring and maintaining     SC-312
operation with CBAC     SC-308, SC-310
overriding system-defined mapping     SC-308, SC-310
port mapping
default     SC-308
host-specific     SC-310
system-defined     SC-308
user-defined     SC-309
port range
defining     SC-309
registered ports     SC-308
saving mapping information     SC-309
system-defined mapping     SC-308
deleting     SC-308
overriding     SC-308, SC-310
port numbers (table)     SC-308
registered ports     SC-308
table     SC-308
well-known ports     SC-308
system-defined port mapping     SC-308
table     SC-308
user-defined mapping     SC-308, SC-309
saving     SC-309
verifying     SC-311
well-known ports     SC-308
when to use     SC-310

PAP
authentication     SC-47  to SC-50
description     SC-47
enable authentication     SC-49
outbound authentication     SC-50

Password Authentication Protocol
See PAP

password command     SC-181

passwords
configuration (examples)     SC-437  to SC-439
configuring
enable password     SC-428
enable secret     SC-428
line password     SC-429
static enable password     SC-428
encrypting     SC-429
(caution)     SC-429
recovering lost enable passwords     SC-431
procedure 1     SC-432
procedure 2     SC-434
procedures (tables)     SC-431
process     SC-432
recovering lost line passwords     SC-436
diagnostic mode settings (table)     SC-437

peer
description     SC-372

perfect forward secrecy
See PFS

PFS
description     SC-372, SC-411

plain text authentication
See authentication, neighbor router

Point-to-Point Protocol
See PPP

port mapping
See PAM

port range mapping
See PAM

port to application mapping
See PAM

PPP
enable encapsulation     SC-49
inbound authentication     SC-50
outbound authentication     SC-50

pre-shared keys
See keys, pre-shared

privileged EXEC mode
summary     xxxvi

privileges
changing default     SC-430
configuration (examples)     SC-437  to SC-439
configuring
multiple levels     SC-430
privilege level     SC-430
displaying current level     SC-430
logging in     SC-431

prompts
system     xxxvi

protocol support
CBAC (table)     SC-212

public key configuration mode
enabling     SC-403, SC-419

Q


query mode
enabling     SC-399

query url command     SC-400

question command     xxxvii

R


RADIUS
accounting     SC-111
attributes     SC-473
IETF     SC-480
vendor-proprietary     SC-111, SC-491
authentication     SC-110
login     SC-27, SC-31, SC-35, SC-37
authorization     SC-74, SC-111
configuration (examples)     SC-112  to SC-119
configuring     SC-101
communication, global     SC-104
communication, per-server     SC-104
displaying NAS port types     SC-107
DNIS, server group selection     SC-109
multiple UDP ports     SC-104
queries for IP addresses     SC-107
queries for static routes     SC-107
server communication     SC-104
server groups     SC-108
server groups, DNIS selection     SC-109
tasks     SC-103
vendor-proprietary     SC-106
vendor-specific RADIUS attributes     SC-106
description     SC-101
operation     SC-102
server groups
description     SC-108
DNIS selection     SC-109

RA mode
enabling     SC-400

RAs
description     SC-398
See also CAs

Reflexive Access Lists     SC-187
benefits     SC-188
configuration (examples)     SC-195  to SC-197
configuring     SC-192  to SC-195
DMZ topology (figure)     SC-191
examples     SC-195  to SC-197
simple topology (figure)     SC-191
description     SC-187
how it works     SC-189
restrictions     SC-190
session filtering
basic access lists
reflexive access lists
topology
DMZ (figure)     SC-191
simple (figure)     SC-191
where to configure     SC-189

registration authorities
See RAs

Remote Authentication Dial-In User Service
See RADIUS

repudiation
description     SC-411

RFC 1108
IP Security Options     SC-447

RFC 1323
window scaling     SC-200

RFC 1334
PPP Authentication Protocols     SC-48

RFC 1413
Identification Protocol     SC-437

RFC 1829
The ESP DES-CBC Transform     SC-371

RFC 1994
PPP Challenge Handshake Authentication Protocol (CHAP)     SC-51

RFC 2138
RADIUS     SC-111

RFC 2139
RADIUS Accounting     SC-111

RFC 2401
Security Architecture for the Internet Protocol     SC-370

RFC 2402
IP Authentication Header     SC-370

RFC 2408
Internet Security Association and Key Management Protocol (ISAKMP)     SC-410

RFC 2409
The Internet Key Exchange     SC-410

RFC 2410
The NULL Encryption Algorithm and Its Use With IPsec     SC-370

ROM monitor mode
summary     xxxvi

route authentication     SC-441

RPF
See Unicast RPF

RSA encrypted nonces
description     SC-411
IKE policy parameter     SC-414
requirements     SC-415, SC-417

RSA keys
deleting     SC-403
description     SC-394
generating     SC-399, SC-418
manually configuring     SC-418
purpose     SC-399
specifying     SC-419
viewing     SC-404, SC-419
See also certificates
See also certification authority interoperability

RSA signatures
description     SC-411
IKE policy parameter     SC-414
requirements     SC-415
IKE configuration     SC-417

RTSP
CBAC inspection     SC-213
CBAC support     SC-213

S


SAs
clearing     SC-376, SC-391
description     SC-372, SC-412
establishing     SC-412
IKE established
crypto map entries, creating     SC-386
lifetimes
configuring     SC-416
global values, configuring     SC-375
global values, default values     SC-376
how they work     SC-376
IKE policy parameter     SC-414
manually established
crypto access lists, defining     SC-379
crypto map entries, creating     SC-385
viewing     SC-423

saving configuration changes     xl

saving your configuration     SC-402

Secure Hash Algorithm
See SHA

security
features     SC-1
IP
denial-of-service attacks     SC-199, SC-464
IPSO     SC-447
See also DNSIX
See also lock-and-key
See also Reflexive Access Lists
See also TCP Intercept
TCP SYN-flooding attacks     SC-199, SC-464
neighbor router authentication     SC-441
policies
creating     SC-5
nature of     SC-6
tips     SC-6
risks
identifying     SC-9
preventing     SC-9
See also access lists
See also authentication
See also CET
See also IPSec

security associations
See SAs

security parameter index
See SPI

server groups
AAA
accounting     SC-82
authentication     SC-22
authorization     SC-71
RADIUS
configuring     SC-108
TACACS+
configuring     SC-125

session filtering
See Reflexive Access Lists

set algorithm 40-bit-des command     SC-339

set algorithm des command     SC-339

set peer command     SC-339, SC-385, SC-386, SC-389, SC-422

set pfs command     SC-387, SC-390, SC-422

set security-association level per-host command     SC-387

set security-association lifetime command     SC-387, SC-389, SC-422

set session-key command     SC-386

set transform-set command     SC-386, SC-387, SC-389

SHA
description     SC-411
IKE policy parameter     SC-414

SHA algorithm
description     SC-371

show access-lists command     SC-184

show crypto ca certificates command     SC-404

show crypto cisco algorithms command     SC-336

show crypto cisco connections command     SC-350

show crypto cisco key-timeout command     SC-347

show crypto crypto-engine connections active command     SC-350

show crypto dynamic-map command     SC-392

show crypto engine configuration command     SC-346

show crypto ipsec sa command     SC-392

show crypto ipsec security-association lifetime command     SC-392

show crypto ipsec transform-set command     SC-392

show crypto isakmp policy command     SC-416, SC-417, SC-423

show crypto isakmp sa command     SC-423

show crypto key mypubkey command     SC-333, SC-346

show crypto key mypubkey rsa command     SC-404, SC-418

show crypto key pubkey-chain rsa command     SC-404, SC-419

show crypto map command     SC-350, SC-392

show ip inspect command     SC-227

show ip port-map command     SC-312

show tcp intercept connections command     SC-203

show tcp intercept statistics command     SC-203

signature list
See Cisco IOS Firewall IDS, signature list

signatures
attack
See also Cisco IOS Firewall IDS, signature list
See RSA signatures

Skeme key exchange protocol
description     SC-410
See also IKE

SMTP attacks
CBAC
intrusion detection     SC-207
CBAC error messages     SC-233

SPI
description     SC-372

spoofing attacks
preventing     SC-188
See also Reflexive Access Lists

standards
IKE, supported by     SC-410

subinterface configuration mode
summary     xxxvi

switching
paths
IPSec supported     SC-373

T


Tab key
command completion     xxxvii

TACACS+
accounting     SC-128
attribute-value pairs
See AV pairs
authentication
login     SC-28, SC-31, SC-35, SC-38
NASI     SC-38
authorization     SC-128
AV pairs     SC-128, SC-499  to SC-507
accounting     SC-507
configuration (examples)     SC-128  to SC-133
accounting     SC-131
authentication     SC-128
authorization     SC-130
daemon     SC-133
configuring     SC-123  to SC-128
authentication     SC-127
authentication key     SC-125
DNIS, server group selection     SC-126
login input time     SC-38
server groups     SC-125
server groups, DNIS selection     SC-126
server host     SC-124
description     SC-121
operation     SC-122
server groups
description     SC-125
DNIS selection     SC-126

TCP
filtering
See CBAC

TCP Intercept
configuration
(example)     SC-203
connections
displaying     SC-203
modes     SC-201
active intercept     SC-201
drop mode     SC-201
passive watch     SC-201
monitor and maintain     SC-203
overview     SC-199
statistics
displaying     SC-203
thresholds     SC-202
timeouts     SC-201

TCP SYN-flooding attacks
preventing
using TCP intercept     SC-199

test crypto initiate-session command     SC-350

thresholds
See CBAC, thresholds

timeout intervals
See CBAC, timeouts

traffic filtering
See access lists
See CBAC, traffic filtering
See lock-and-key

transform
See IPSec transforms

tunnel endpoint discovery
description     SC-421
See IKE, tunnel endpoint discovery

U


UDP
filtering
See CBAC

Unicast Reverse Path Forwarding
See Unicast RPF

Unicast RPF
aggregation routers (figure)     SC-462
applying     SC-459
BGP attributes
caution     SC-458
CEF
requirement     SC-456
tables     SC-462
configuration     SC-465
examples     SC-468  to SC-469
configuring
aggregation routers (figure)     SC-462
BOOTP     SC-463
DHCP     SC-463
enterprise network (figure)     SC-460
examples     SC-468  to SC-469
prerequisites     SC-465
routing table requirements     SC-462
tasks     SC-465
troubleshooting     SC-467
verifying     SC-467
deploying     SC-459
description     SC-5, SC-455
disabling     SC-467
dropping packets (figure)     SC-458
enterprise network (figure)     SC-460
FIB     SC-456
implementing     SC-458
maintaining     SC-467
monitoring     SC-467
prerequisites     SC-465
restrictions
basic     SC-463
routing asymmetry     SC-462
routing asymmetry (figure)     SC-463
routing table requirements     SC-462
security policy
applying     SC-459
deploying     SC-459
mitigating attacks     SC-459
tunneling     SC-459
source addresses
validating     SC-456
validating (figure)     SC-457
validation failure     SC-457
validation failure (figure)     SC-458
traffic filtering     SC-459
troubleshooting     SC-467
tunneling     SC-459
validation
dropping packets     SC-457
failure     SC-457, SC-458
source addresses     SC-457
verifying     SC-467

user EXEC mode
summary     xxxvi

Copyright 1989-2000 © Cisco Systems Inc.