
Index: Cisco IOS Security Command Reference, Release 12.1

Symbols   A   C   D   E   F   G   H   I   K   L   M   N   O   P   Q   R   S   T   U   Z

Symbols


? command     ix, xv

A


AAA
server groups     SR-92, SR-117

aaa accounting command     SR-70

aaa accounting connection h323 command     SR-73

aaa accounting nested command     SR-74

aaa accounting send stop-record authentication failure command     SR-75

aaa accounting suppress null-username command     SR-76

aaa accounting update command     SR-77

aaa authentication arap command     SR-4

aaa authentication banner command     SR-6

aaa authentication enable default command     SR-8

aaa authentication fail-message command     SR-10

aaa authentication login command     SR-12

aaa authentication nasi command     SR-14

aaa authentication password-prompt command     SR-16

aaa authentication ppp command     SR-17

aaa authentication username-prompt command     SR-19

aaa authorization command     SR-56

aaa authorization config-commands command     SR-60

aaa authorization reverse-access command     SR-61

aaa dnis map accounting network group command     SR-79

aaa dnis map authentication ppp group command     SR-21

aaa group server command     SR-117

aaa group server radius command     SR-92

aaa nas-port extended command     SR-93

aaa new-model command     SR-23

aaa processes command     SR-24

abbreviating commands
context-sensitive help     viii, ix, xv

access-enable command     SR-142

access-list (encryption) command     SR-250

access lists
dynamic
temporary entries, clearing manually     SR-142
See also IPSec

access-profile command     SR-26
replace command form
(caution)     SR-27
using per-user configuration
(caution)     SR-27

access-template command     SR-143

accounting (gatekeeper) command     SR-83

accounting command     SR-81

address command     SR-432

addressed-key command     SR-434

AESOs
attaching to interfaces     SR-500

algorithms
encryption
See IKE, algorithms
hash
See IKE, algorithms

arap authentication command     SR-29
using list-names
(caution)     SR-29

authentication
CAs     SR-406
See also IKE, authentication

authentication (IKE policy) command     SR-436

authentication proxy
commands     SR-229

authorization command     SR-65

Auxiliary Extended Security Options
See AESOs

C


ca-identity mode
enabling     SR-415

CAs
authenticating     SR-406
CEP
support     SR-428
declaring     SR-415, SR-427
enrolling     SR-412
identity
deleting     SR-415
LDAP
support     SR-428
locations
specifying     SR-427
public keys     SR-406
URLs
specifying     SR-427
See also Certification Authority Interoperability

cautions
access lists     SR-254, SR-306, SR-315
access-profile command
replace command form (caution)     SR-27
using per-user configuration (caution)     SR-27
arap authentication command
using list-names (caution)     SR-29
Cisco 7200 series router     SR-293
crypto key zeroize dss command     SR-293
DSS keys     SR-292
enable password command
using encryption-type (caution)     SR-472
enable secret command
using encryption-type (caution)     SR-474
Java blocking     SR-189
key config-key command
unrecoverable DES key (caution)     SR-137
login authentication command
using list-names (caution)     SR-35
nasi authentication command
using list-names (caution)     SR-37
ppp authentication command
using list-names (caution)     SR-40
service password-encryption command
security level (caution)     SR-482
usage in text     ix

CBAC
alert messages
enabling     SR-178
application-layer protocols
configuring     SR-189
audit trail messages
(example)     SR-178
enabling     SR-179
configurations
viewing     SR-205
denial-of-service attacks
detection     SR-199
disabling     SR-204
fragment
inspection, configuring     SR-191
H.323 inspection
configuring     SR-189
half-open sessions
deleting, high threshold     SR-182, SR-193
deleting, low threshold     SR-184, SR-195
description     SR-182
TCP threshold     SR-199
inspection rules
applying     SR-181
applying (example)     SR-181
defining     SR-186
removing     SR-181
viewing     SR-205
Java
blocking     SR-187
blocking (caution)     SR-189
inspection, configuring     SR-189
RPC inspection
configuring     SR-190
session information
(example)     SR-205
viewing     SR-205
SMTP inspection
configuring     SR-190
TCP inspection
configuring     SR-189
timeouts
DNS idle, specifying     SR-180
FIN-exchange, specifying     SR-197
overriding     SR-190
synwait, specifying     SR-201
TCP idle, specifying     SR-198
UDP idle, specifying     SR-202
UDP inspection
configuring     SR-189

CCO
accessing     x
definition     x

CEP
specifying     SR-428

certificate chain configuration mode
enabling     SR-408

certificate command     SR-402

certificate enrollment protocol
See CEP

certificates
accepting     SR-404
adding     SR-402
deleting     SR-402, SR-408
requesting     SR-412
requests
resending, number of times     SR-423
resending, wait period     SR-425
retrieving     SR-410
revoking     SR-412
storing     SR-410
viewing     SR-429

Certification Authority Interoperability
CA authentication     SR-406
CEP
specifying     SR-428
challenge password     SR-412
commands     SR-401
LDAP support
specifying     SR-428
NVRAM memory usage     SR-410
See also CAs
See also certificates
See also CRLs
See also RSA keys

Cisco Connection Online
See CCO

Cisco IOS
saving configuration changes     xviii

clear access-template command     SR-145

clear crypto connection command     SR-258

clear crypto isakmp command     SR-438

clear crypto sa command     SR-354

clear ip audit configuration command     SR-210

clear ip audit statistics command     SR-211

clear ip auth-proxy cache command     SR-230

clear ip trigger-authentication command     SR-31

clear kerberos creds command     SR-126

command modes
summary (table)     xiv

config-isakmp command mode
enabling     SR-445

configuration, saving     xviii

crl optional command     SR-404

CRLs
certificates
accepting     SR-404
revoking     SR-411
checking     SR-404
downloading     SR-411
requesting     SR-411
retrieving     SR-410
storing     SR-410
See also CAs
See also certificates

crypto algorithm 40-bit-des command
See crypto cisco algorithm 40-bit-des command

crypto algorithm des command
See crypto cisco algorithm des command

crypto ca authenticate command     SR-406

crypto ca certificate chain command     SR-408

crypto ca certificate query command     SR-410

crypto ca crl request command     SR-411

crypto ca enroll command     SR-412

crypto ca identity command     SR-415

crypto card clear-latch command     SR-264

crypto card command     SR-262

crypto cisco algorithm 40-bit-des command     SR-266

crypto cisco algorithm des command     SR-268

crypto cisco connections command

crypto cisco entities command     SR-272

crypto cisco key-timeout command     SR-274

crypto cisco pregen-dh-pairs command     SR-275

crypto clear-latch command
See crypto card clear-latch command

crypto dynamic-map command     SR-356

crypto esa command
See crypto card command

crypto gen-signature-keys command
See crypto key generate dss command

crypto ipsec security-association lifetime command     SR-359

crypto ipsec transform-set command     SR-361

crypto isakmp enable command     SR-440

crypto isakmp identity command     SR-441

crypto isakmp key command     SR-443

crypto isakmp policy command     SR-445

crypto key-exchange command
See crypto key exchange dss command

crypto key exchange dss command     SR-281

crypto key exchange dss passive command     SR-283

crypto key-exchange passive command
See crypto key exchange dss passive command

crypto key generate dss command     SR-286

crypto key generate rsa (CA) command     SR-417

crypto key generate rsa (IKE) command     SR-447

crypto key pubkey-chain dss command     SR-289

crypto key pubkey-chain rsa command     SR-450

crypto key-timeout command
See crypto cisco key-timeout command

crypto key zeroize dss command     SR-292

crypto key zeroize rsa command     SR-420

crypto map (CET global) command     SR-294

crypto map (CET interface) command     SR-297

crypto map (IPSec global) command     SR-365

crypto map (IPSec interface) command     SR-370

crypto map local-address command     SR-372

crypto pregen-dh-pairs command
See crypto cisco pregen-dh-pairs command

crypto public-key command
See crypto key pubkey-chain dss command

crypto sdu connections command
See crypto cisco connections command

crypto sdu entities command
See crypto cisco entities command

crypto transform configuration mode
enabling     SR-363

crypto zeroize command
See crypto key zeroize dss command

D


default form of a command
using     xvii

deny (CET) command     SR-303

Diffie-Hellman
See IKE, DH

DNS idle timeout
specifying     SR-180

DNSIX
collection center, specifying     SR-493
enabling     SR-496
hosts that receive messages
alternate     SR-495
primary     SR-494
number of records in a packet, specifying     SR-497
retransmit count     SR-492

dnsix-dmdp retries command     SR-492

dnsix-nat authorized-redirection command     SR-493

dnsix-nat primary command     SR-494

dnsix-nat secondary command     SR-495

dnsix-nat source command     SR-496

dnsix-nat transmit-count command     SR-497

E


enable password command     SR-472
using encryption-type
(caution)     SR-472

enable secret command     SR-474
using encryption-type
(caution)     SR-474

encryption algorithm
See IKE, algorithms

encryption (IKE policy) command     SR-453

enrollment mode ra command     SR-422

enrollment retry-count command     SR-423

enrollment retry-period command     SR-425

enrollment url command     SR-427

evaluate command     SR-148

examples
CBAC
audit trail messages     SR-178
half-open sessions, high threshold     SR-182, SR-193
half-open sessions, low threshold     SR-184, SR-195
half-open sessions, TCP threshold     SR-200
session information, viewing     SR-205
timeouts, synwait     SR-201
timeouts, UDP idle     SR-203
pre-shared keys
specifying     SR-444

F


FIN-exchange timeout
specifying     SR-197

G


gatekeeper
security, enabling     SR-83

global configuration commands
aaa accounting     SR-70
aaa accounting connection h323 command     SR-73
aaa accounting nested     SR-74
aaa accounting send stop-record authentication failure command     SR-75
aaa accounting suppress null-username     SR-76
aaa accounting update     SR-77
aaa authentication arap     SR-4
aaa authentication banner     SR-6
aaa authentication enable default     SR-8
aaa authentication fail-message     SR-10
aaa authentication login     SR-12
aaa authentication nasi     SR-14
aaa authentication password-prompt     SR-16
aaa authentication ppp     SR-17
aaa authentication username-prompt     SR-19
aaa authorization     SR-56
aaa authorization config-commands     SR-60
aaa authorization reverse-access     SR-61
aaa dnis map accounting network group     SR-79
aaa dnis map authentication ppp group     SR-21
aaa group server     SR-117
aaa group server radius command     SR-92
aaa nas-port extended     SR-93
aaa new-model     SR-23
aaa processes     SR-24
ip radius source-interface     SR-95
ip tacacs source-interface     SR-118
ip trigger-authentication (global)     SR-32
kerberos clients mandatory     SR-127
kerberos credentials forward     SR-128
kerberos instance map     SR-129
kerberos local-realm     SR-130
kerberos preauth     SR-131
kerberos realm     SR-132
kerberos server     SR-133
kerberos srvtab entry     SR-134
kerberos srvtab remote     SR-136
key config-key     SR-137
radius-server attribute nas-port extended     SR-97
radius-server configure-nas     SR-98
radius-server deadtime     SR-99
radius-server host     SR-101
radius-server host non-standard     SR-104
radius-server key     SR-105
radius-server optional passwords     SR-107
radius-server retransmit     SR-108
radius-server timeout     SR-109
radius-server vsa     SR-110
tacacs-server directed-request     SR-121
tacacs-server host     SR-122
tacacs-server key     SR-124

global configuration mode
summary     xiv

group (IKE policy) command     SR-454

H


hash (IKE policy) command     SR-455

hash algorithm
See IKE, algorithms

help command     viii, ix, xv

I


IKE
algorithms
encryption, specifying     SR-453
hash, specifying     SR-455
authentication
methods, specifying     SR-436
commands     SR-431
connections
clearing     SR-438
DH
group identifier, specifying     SR-454
disabling     SR-440
enabling     SR-440
group identifier
specifying     SR-454
keys
See keys, pre-shared
negotiations
states     SR-464
policies
multiple     SR-445
parameters, specifying     SR-445
parameters, viewing     SR-462
viewing     SR-462
requirements
IPSec peers     SR-440
See also IPSec
See also SAs

interface configuration commands
ip trigger-authentication (interface)     SR-34
ppp accounting     SR-84
ppp authentication     SR-39
ppp chap hostname     SR-41
ppp chap password     SR-43
ppp chap refuse     SR-45
ppp chap wait     SR-47
ppp pap sent-username     SR-49

interface configuration mode
summary     xiv

Internet Key Exchange Security Protocol
See IKE

IP
See also IPSO

ip access-list extended (encryption) command     SR-308

ip audit attack command     SR-213

ip audit command     SR-212

ip audit info command     SR-214

ip audit name command     SR-215

ip audit notify command     SR-217

ip audit po local command     SR-218

ip audit po max-events command     SR-219

ip audit po protected command     SR-220

ip audit po remote command     SR-221

ip audit signature command     SR-223

ip audit smtp command     SR-224

ip auth-proxy auth-cache-time command     SR-232

ip auth-proxy auth-proxy-banner command     SR-233

ip auth-proxy command     SR-231

ip auth-proxy name command     SR-234

ip inspect (interface configuration) command     SR-181

ip inspect alert-off command     SR-178

ip inspect audit trail command     SR-179

ip inspect dns-timeout command     SR-180

ip inspect max-incomplete high command     SR-182

ip inspect max-incomplete low command     SR-184

ip inspect name command     SR-186

ip inspect one-minute high command     SR-193

ip inspect one-minute low command     SR-195

ip inspect tcp finwait-time command     SR-197

ip inspect tcp idle-time command     SR-198

ip inspect tcp max-incomplete host command     SR-199

ip inspect tcp synwait-time command     SR-201

ip inspect udp idle-time command     SR-202

ip port-map command     SR-240

ip radius source-interface command     SR-95

ip reflexive-list timeout command     SR-150

IPSec
commands     SR-353
crypto access lists
specifying     SR-310, SR-374
crypto map entries
creating     SR-294, SR-365
lifetime values, overriding     SR-384
specifying a peer     SR-378
crypto maps
applying     SR-370
dynamic, creating     SR-356
dynamic, priorities     SR-367
dynamic, viewing     SR-392
interfaces, identifying     SR-372
purpose     SR-366
viewing     SR-398
lifetimes
viewing     SR-396
requirements
IKE     SR-440
SAs
clearing     SR-354
lifetimes, changing     SR-359
requesting     SR-382
viewing     SR-393
session keys
manually specifying     SR-387
transforms
allowed combinations     SR-362
changing     SR-363
selecting     SR-363
transform sets
defining     SR-361
mode, changing     SR-376
specifying     SR-390
viewing     SR-397

ip security add command     SR-498

ip security aeso command     SR-500

ip security allow-reserved command     SR-515

ip security dedicated command     SR-501

ip security eso-info command     SR-503

ip security eso-max command     SR-504

ip security eso-min command     SR-506

ip security extended-allowed command     SR-508

ip security first command     SR-509

ip security ignore-authorities command     SR-510

ip security implicit-labelling command     SR-511

ip security multilevel command     SR-513

IP security option
See IPSO

ip security strip command     SR-517

IPSO
authorities and bit patterns
(table)     SR-502
definition     SR-502
basic
configuring     SR-498
extended
configuring     SR-500
defaults     SR-503
maximum sensitivity levels     SR-504
minimum sensitivity levels     SR-506
labels
definition     SR-502
levels and bit patterns
(table)     SR-501
definition     SR-501

ip tacacs source-interface command     SR-118

ip tcp intercept connection-timeout command     SR-158

ip tcp intercept drop-mode command     SR-159

ip tcp intercept finrst-timeout command     SR-161

ip tcp intercept list command     SR-162

ip tcp intercept max-incomplete high command     SR-163

ip tcp intercept max-incomplete low command     SR-165

ip tcp intercept mode command     SR-167

ip tcp intercept one-minute high command     SR-168

ip tcp intercept one-minute low command     SR-170

ip tcp intercept watch-timeout command     SR-172

ip trigger-authentication (global) command     SR-32

ip trigger-authentication (interface) command     SR-34

ip verify unicast reverse-path command     SR-520

ISAKMP
See also IKE

K


kerberos clients mandatory command     SR-127

kerberos credentials forward command     SR-128

kerberos instance map command     SR-129

kerberos local-realm command     SR-130

kerberos preauth command     SR-131

kerberos realm command     SR-132

kerberos server command     SR-133

kerberos srvtab entry command     SR-134

kerberos srvtab remote command     SR-136

key config-key command     SR-137
unrecoverable DES key
(caution)     SR-137

keys
pre-shared
deleting     SR-443
specifying     SR-443
specifying (example)     SR-444

key-string (IKE) command     SR-456

L


LDAP protocol support
specifying     SR-428

lifetime (IKE policy) command     SR-458

line configuration commands
accounting     SR-81
arap authentication     SR-29
authorization     SR-65
login authentication     SR-35
nasi authentication     SR-37
timeout login response     SR-54

lock-and-key
idle timeouts     SR-142
temporary entries
clearing manually     SR-142, SR-145
creating manually     SR-143
enabling     SR-142

login authentication command     SR-35
using list-names
(caution)     SR-35

M


match address (CET) command     SR-310

match address (IPSec) command     SR-374

memory usage
Certification Authority Interoperability     SR-410

mode (IPSec) command     SR-376

modes
ca-identity
enabling     SR-415
certificate chain configuration
enabling     SR-408
query
enabling     SR-410
RA
enabling     SR-422
See command modes

N


named-key command     SR-460

nasi authentication command     SR-37
using list-names
(caution)     SR-37

no form of a command
using     xvii

no ip inspect command     SR-204

notes
usage in text     ix

O


Oakley key exchange protocol
See also IKE

online documentation
See CCO

P


PAM
commands     SR-239

password command     SR-476

perfect forward secrecy
See PFS

permit (reflexive) command     SR-152

permit command     SR-312

PFS
specifying     SR-380

PKI protocol
See CEP

ppp accounting command     SR-84

ppp authentication command
using list-names
(caution)     SR-40

ppp chap hostname command     SR-41

ppp chap password command     SR-43

ppp chap refuse command     SR-45

ppp chap wait command     SR-47

ppp pap sent-username command     SR-49

privileged EXEC commands
access-enable command     SR-142
clear ip trigger-authentication     SR-31
clear kerberos creds     SR-126
show accounting     SR-85
show ip trigger-authentication     SR-51
show kerberos creds     SR-138
show ppp queues     SR-52

privileged EXEC mode
summary     xiv

privilege level (global) command     SR-477

privilege level (line) command     SR-480

prompts
system     xiv

public key configuration mode
enabling     SR-450, SR-460

Q


query mode
enabling     SR-410

query url command     SR-428

question command     xv

R


radius-server attribute nas-port extended command     SR-97

radius-server configure-nas command     SR-98

radius-server deadtime command     SR-99

radius-server host command     SR-101

radius-server host non-standard command     SR-104

radius-server key command     SR-105

radius-server optional passwords command     SR-107

radius-server retransmit command     SR-108

radius-server timeout command     SR-109

radius-server vsa send command     SR-110

RA mode
enabling     SR-422

RAs
enabling     SR-422

Reflexive Access Lists
configuring
(examples)     SR-149, SR-154
temporary entries
characteristics     SR-154
timeouts, global
(examples)     SR-150

ROM monitor mode
summary     xiv

RPC inspection
See CBAC, RPC inspection

RSA encrypted nonces
requirements     SR-436

RSA keys
deleting     SR-420
general purpose keys     SR-418, SR-448
generating     SR-417, SR-447
sample times required     SR-418, SR-448
IP address
specifying     SR-432
manually specifying     SR-450
modulus length     SR-418, SR-448
pairs     SR-417, SR-447
public key record     SR-406
remote peer
specifying     SR-456
special usage keys     SR-417, SR-447
generating     SR-447
specifying     SR-434
specifying     SR-434, SR-460
viewing     SR-466, SR-467

RSA signatures
requirements     SR-436

S


SAs
lifetimes
configuring     SR-458
parameters     SR-445
viewing     SR-464

saving configuration changes     xviii

security
H.323 gatekeeper, enabling     SR-83
See also IPSO
See also lock-and-key

security associations
See SAs

server (RADIUS) command     SR-112

server (TACACS+) command     SR-120

server groups     SR-92, SR-117

server hosts
RADIUS     SR-92
TACACS+     SR-117

service password-encryption command     SR-482
security level
(caution)     SR-482

set algorithm 40-bit-des command     SR-317

set algorithm des command     SR-319

set peer (CET) command     SR-321

set peer (IPSec) command     SR-378

set peer command     SR-378

set pfs command     SR-380

set security-association level per-host command     SR-382

set security-association lifetime command     SR-384

set session-key command     SR-387

set transform-set command     SR-390

show accounting command     SR-85

show crypto algorithms command
See show crypto cisco algorithms command

show crypto ca certificates command     SR-429

show crypto card command     SR-323

show crypto cisco algorithms command     SR-325

show crypto cisco connections command     SR-326

show crypto cisco key-timeout command     SR-328

show crypto cisco pregen-dh-pairs command     SR-329

show crypto connections command
See show crypto cisco connections command

show crypto dynamic-map command     SR-392

show crypto engine brief command     SR-332

show crypto engine configuration command     SR-334

show crypto engine connections active command     SR-336

show crypto engine connections dropped-packets command     SR-338

show crypto ipsec sa command     SR-393, SR-396

show crypto ipsec security-association lifetime command     SR-396

show crypto ipsec transform-set command     SR-397

show crypto isakmp policy command     SR-462

show crypto isakmp sa command     SR-464

show crypto key mypubkey dss command     SR-339

show crypto key mypubkey rsa command     SR-466

show crypto key pubkey-chain dss command     SR-340

show crypto key pubkey-chain rsa command     SR-467

show crypto key-timeout command
See show crypto cisco key-timeout command

show crypto map (CET) command     SR-343

show crypto map (IPSec) command     SR-398

show crypto mypubkey command
See show crypto key mypubkey command

show crypto pregen-dh-pairs command
See show crypto cisco pregen-dh-pairs command

show crypto pubkey command
See show crypto key pubkey-chain dss command

show crypto pubkey name command
See show crypto key pubkey-chain dss name command

show crypto pubkey serial command
See show crypto key pubkey-chain dss serial command

show dnsix command     SR-518

show ip audit configuration command     SR-225

show ip audit interface command     SR-226

show ip audit statistics command     SR-227

show ip auth-proxy command     SR-236

show ip inspect command     SR-205

show ip port-map command     SR-244

show ip trigger-authentication command     SR-51

show kerberos creds command     SR-138

show ppp queues command     SR-52

show privilege command     SR-484

show tcp intercept connections command     SR-173

show tcp intercept statistics command     SR-175

Skeme key exchange protocol
See also IKE

subinterface configuration mode
summary     xiv

T


Tab key
command completion     xv

TACACS+
command comparison
(table)     SR-115
server hosts     SR-117

tacacs-server directed-request command     SR-121

tacacs-server host command     SR-122

tacacs-server key command     SR-124

TCP idle timeout
specifying     SR-198

TCP Intercept
enabling     SR-162
modes
intercept mode     SR-167
watch mode     SR-167
timeouts     SR-161

test crypto initiate-session command     SR-351

thresholds
See also CBAC, thresholds

timeout intervals
See also CBAC, timeouts

timeout login response command     SR-54

transport mode     SR-377

tunnel mode     SR-376

U


UDP idle timeout
specifying     SR-202

Unicast RPF
commands     SR-520

user EXEC commands
access-profile     SR-26

user EXEC mode
summary     xiv

username command     SR-485

Z


access lists
See also IPSec

Copyright 1989-1999 © Cisco Systems Inc.