Search below for:

Index: Cisco IOS Security Command Reference, Release 12.1

Symbols   A   C   D   E   F   G   H   I   K   L   M   N   O   P   Q   R   S   T   U   Z

Symbols

? command     ix, xv

A

AAA

server groups     SR-92, SR-117

aaa accounting command     SR-70

aaa accounting connection h323 command     SR-73

aaa accounting nested command     SR-74

aaa accounting send stop-record authentication failure command     SR-75

aaa accounting suppress null-username command     SR-76

aaa accounting update command     SR-77

aaa authentication arap command     SR-4

aaa authentication banner command     SR-6

aaa authentication enable default command     SR-8

aaa authentication fail-message command     SR-10

aaa authentication login command     SR-12

aaa authentication nasi command     SR-14

aaa authentication password-prompt command     SR-16

aaa authentication ppp command     SR-17

aaa authentication username-prompt command     SR-19

aaa authorization command     SR-56

aaa authorization config-commands command     SR-60

aaa authorization reverse-access command     SR-61

aaa dnis map accounting network group command     SR-79

aaa dnis map authentication ppp group command     SR-21

aaa group server command     SR-117

aaa group server radius command     SR-92

aaa nas-port extended command     SR-93

aaa new-model command     SR-23

aaa processes command     SR-24

abbreviating commands

context-sensitive help     viii, ix, xv

access-enable command     SR-142

access-list (encryption) command     SR-250

access lists

dynamic

temporary entries, clearing manually     SR-142

See also IPSec

access-profile command     SR-26

replace command form

(caution)     SR-27

using per-user configuration

(caution)     SR-27

access-template command     SR-143

accounting (gatekeeper) command     SR-83

accounting command     SR-81

address command     SR-432

addressed-key command     SR-434

AESOs

attaching to interfaces     SR-500

algorithms

encryption

See IKE, algorithms

hash

See IKE, algorithms

arap authentication command     SR-29

using list-names

(caution)     SR-29

authentication

CAs     SR-406

See also IKE, authentication

authentication (IKE policy) command     SR-436

authentication proxy

commands     SR-229

authorization command     SR-65

Auxiliary Extended Security Options

See AESOs

C

ca-identity mode

enabling     SR-415

CAs

authenticating     SR-406

CEP

support     SR-428

declaring     SR-415, SR-427

enrolling     SR-412

identity

deleting     SR-415

LDAP

support     SR-428

locations

specifying     SR-427

public keys     SR-406

URLs

specifying     SR-427

See also Certification Authority Interoperability

cautions

access lists     SR-254, SR-306, SR-315

access-profile command

replace command form (caution)     SR-27

using per-user configuration (caution)     SR-27

arap authentication command

using list-names (caution)     SR-29

Cisco 7200 series router     SR-293

crypto key zeroize dss command     SR-293

DSS keys     SR-292

enable password command

using encryption-type (caution)     SR-472

enable secret command

using encryption-type (caution)     SR-474

Java blocking     SR-189

key config-key command

unrecoverable DES key (caution)     SR-137

login authentication command

using list-names (caution)     SR-35

nasi authentication command

using list-names (caution)     SR-37

ppp authentication command

using list-names (caution)     SR-40

service password-encryption command

security level (caution)     SR-482

usage in text     ix

CBAC

alert messages

enabling     SR-178

application-layer protocols

configuring     SR-189

audit trail messages

(example)     SR-178

enabling     SR-179

configurations

viewing     SR-205

denial-of-service attacks

detection     SR-199

disabling     SR-204

fragment

inspection, configuring     SR-191

H.323 inspection

configuring     SR-189

half-open sessions

deleting, high threshold     SR-182, SR-193

deleting, low threshold     SR-184, SR-195

description     SR-182

TCP threshold     SR-199

inspection rules

applying     SR-181

applying (example)     SR-181

defining     SR-186

removing     SR-181

viewing     SR-205

Java

blocking     SR-187

blocking (caution)     SR-189

inspection, configuring     SR-189

RPC inspection

configuring     SR-190

session information

(example)     SR-205

viewing     SR-205

SMTP inspection

configuring     SR-190

TCP inspection

configuring     SR-189

timeouts

DNS idle, specifying     SR-180

FIN-exchange, specifying     SR-197

overriding     SR-190

synwait, specifying     SR-201

TCP idle, specifying     SR-198

UDP idle, specifying     SR-202

UDP inspection

configuring     SR-189

CCO

accessing     x

definition     x

CEP

specifying     SR-428

certificate chain configuration mode

enabling     SR-408

certificate command     SR-402

certificate enrollment protocol

See CEP

certificates

accepting     SR-404

adding     SR-402

deleting     SR-402, SR-408

requesting     SR-412

requests

resending, number of times     SR-423

resending, wait period     SR-425

retrieving     SR-410

revoking     SR-412

storing     SR-410

viewing     SR-429

Certification Authority Interoperability

CA authentication     SR-406

CEP

specifying     SR-428

challenge password     SR-412

commands     SR-401

LDAP support

specifying     SR-428

NVRAM memory usage     SR-410

See also CAs

See also certificates

See also CRLs

See also RSA keys

Cisco Connection Online

See CCO

Cisco IOS

saving configuration changes     xviii

clear access-template command     SR-145

clear crypto connection command     SR-258

clear crypto isakmp command     SR-438

clear crypto sa command     SR-354

clear ip audit configuration command     SR-210

clear ip audit statistics command     SR-211

clear ip auth-proxy cache command     SR-230

clear ip trigger-authentication command     SR-31

clear kerberos creds command     SR-126

command modes

summary (table)     xiv

config-isakmp command mode

enabling     SR-445

configuration, saving     xviii

crl optional command     SR-404

CRLs

certificates

accepting     SR-404

revoking     SR-411

checking     SR-404

downloading     SR-411

requesting     SR-411

retrieving     SR-410

storing     SR-410

See also CAs

See also certificates

crypto algorithm 40-bit-des command

See crypto cisco algorithm 40-bit-des command

crypto algorithm des command

See crypto cisco algorithm des command

crypto ca authenticate command     SR-406

crypto ca certificate chain command     SR-408

crypto ca certificate query command     SR-410

crypto ca crl request command     SR-411

crypto ca enroll command     SR-412

crypto ca identity command     SR-415

crypto card clear-latch command     SR-264

crypto card command     SR-262

crypto cisco algorithm 40-bit-des command     SR-266

crypto cisco algorithm des command     SR-268

crypto cisco connections command

crypto cisco entities command     SR-272

crypto cisco key-timeout command     SR-274

crypto cisco pregen-dh-pairs command     SR-275

crypto clear-latch command

See crypto card clear-latch command

crypto dynamic-map command     SR-356

crypto esa command

See crypto card command

crypto gen-signature-keys command

See crypto key generate dss command

crypto ipsec security-association lifetime command     SR-359

crypto ipsec transform-set command     SR-361

crypto isakmp enable command     SR-440

crypto isakmp identity command     SR-441

crypto isakmp key command     SR-443

crypto isakmp policy command     SR-445

crypto key-exchange command

See crypto key exchange dss command

crypto key exchange dss command     SR-281

crypto key exchange dss passive command     SR-283

crypto key-exchange passive command

See crypto key exchange dss passive command

crypto key generate dss command     SR-286

crypto key generate rsa (CA) command     SR-417

crypto key generate rsa (IKE) command     SR-447

crypto key pubkey-chain dss command     SR-289

crypto key pubkey-chain rsa command     SR-450

crypto key-timeout command

See crypto cisco key-timeout command

crypto key zeroize dss command     SR-292

crypto key zeroize rsa command     SR-420

crypto map (CET global) command     SR-294

crypto map (CET interface) command     SR-297

crypto map (IPSec global) command     SR-365

crypto map (IPSec interface) command     SR-370

crypto map local-address command     SR-372

crypto pregen-dh-pairs command

See crypto cisco pregen-dh-pairs command

crypto public-key command

See crypto key pubkey-chain dss command

crypto sdu connections command

See crypto cisco connections command

crypto sdu entities command

See crypto cisco entities command

crypto transform configuration mode

enabling     SR-363

crypto zeroize command

See crypto key zeroize dss command

D

default form of a command

using     xvii

deny (CET) command     SR-303

Diffie-Hellman

See IKE, DH

DNS idle timeout

specifying     SR-180

DNSIX

collection center, specifying     SR-493

enabling     SR-496

hosts that receive messages

alternate     SR-495

primary     SR-494

number of records in a packet, specifying     SR-497

retransmit count     SR-492

dnsix-dmdp retries command     SR-492

dnsix-nat authorized-redirection command     SR-493

dnsix-nat primary command     SR-494

dnsix-nat secondary command     SR-495

dnsix-nat source command     SR-496

dnsix-nat transmit-count command     SR-497

E

enable password command     SR-472

using encryption-type

(caution)     SR-472

enable secret command     SR-474

using encryption-type

(caution)     SR-474

encryption algorithm

See IKE, algorithms

encryption (IKE policy) command     SR-453

enrollment mode ra command     SR-422

enrollment retry-count command     SR-423

enrollment retry-period command     SR-425

enrollment url command     SR-427

evaluate command     SR-148

examples

CBAC

audit trail messages     SR-178

half-open sessions, high threshold     SR-182, SR-193

half-open sessions, low threshold     SR-184, SR-195

half-open sessions, TCP threshold     SR-200

session information, viewing     SR-205

timeouts, synwait     SR-201

timeouts, UDP idle     SR-203

pre-shared keys

specifying     SR-444

F

FIN-exchange timeout

specifying     SR-197

G

gatekeeper

security, enabling     SR-83

global configuration commands

aaa accounting     SR-70

aaa accounting connection h323 command     SR-73

aaa accounting nested     SR-74

aaa accounting send stop-record authentication failure command     SR-75

aaa accounting suppress null-username     SR-76

aaa accounting update     SR-77

aaa authentication arap     SR-4

aaa authentication banner     SR-6

aaa authentication enable default     SR-8

aaa authentication fail-message     SR-10

aaa authentication login     SR-12

aaa authentication nasi     SR-14

aaa authentication password-prompt     SR-16

aaa authentication ppp     SR-17

aaa authentication username-prompt     SR-19

aaa authorization     SR-56

aaa authorization config-commands     SR-60

aaa authorization reverse-access     SR-61

aaa dnis map accounting network group     SR-79

aaa dnis map authentication ppp group     SR-21

aaa group server     SR-117

aaa group server radius command     SR-92

aaa nas-port extended     SR-93

aaa new-model     SR-23

aaa processes     SR-24

ip radius source-interface     SR-95

ip tacacs source-interface     SR-118

ip trigger-authentication (global)     SR-32

kerberos clients mandatory     SR-127

kerberos credentials forward     SR-128

kerberos instance map     SR-129

kerberos local-realm     SR-130

kerberos preauth     SR-131

kerberos realm     SR-132

kerberos server     SR-133

kerberos srvtab entry     SR-134

kerberos srvtab remote     SR-136

key config-key     SR-137

radius-server attribute nas-port extended     SR-97

radius-server configure-nas     SR-98

radius-server deadtime     SR-99

radius-server host     SR-101

radius-server host non-standard     SR-104

radius-server key     SR-105

radius-server optional passwords     SR-107

radius-server retransmit     SR-108

radius-server timeout     SR-109

radius-server vsa     SR-110

tacacs-server directed-request     SR-121

tacacs-server host     SR-122

tacacs-server key     SR-124

global configuration mode

summary     xiv

group (IKE policy) command     SR-454

H

hash (IKE policy) command     SR-455

hash algorithm

See IKE, algorithms

help command     viii, ix, xv

I

IKE

algorithms

encryption, specifying     SR-453

hash, specifying     SR-455

authentication

methods, specifying     SR-436

commands     SR-431

connections

clearing     SR-438

DH

group identifier, specifying     SR-454

disabling     SR-440

enabling     SR-440

group identifier

specifying     SR-454

keys

See keys, pre-shared

negotiations

states     SR-464

policies

multiple     SR-445

parameters, specifying     SR-445

parameters, viewing     SR-462

viewing     SR-462

requirements

IPSec peers     SR-440

See also IPSec

See also SAs

interface configuration commands

ip trigger-authentication (interface)     SR-34

ppp accounting     SR-84

ppp authentication     SR-39

ppp chap hostname     SR-41

ppp chap password     SR-43

ppp chap refuse     SR-45

ppp chap wait     SR-47

ppp pap sent-username     SR-49

interface configuration mode

summary     xiv

Internet Key Exchange Security Protocol

See IKE

IP

See also IPSO

ip access-list extended (encryption) command     SR-308

ip audit attack command     SR-213

ip audit command     SR-212

ip audit info command     SR-214

ip audit name command     SR-215

ip audit notify command     SR-217

ip audit po local command     SR-218

ip audit po max-events command     SR-219

ip audit po protected command     SR-220

ip audit po remote command     SR-221

ip audit signature command     SR-223

ip audit smtp command     SR-224

ip auth-proxy auth-cache-time command     SR-232

ip auth-proxy auth-proxy-banner command     SR-233

ip auth-proxy command     SR-231

ip auth-proxy name command     SR-234

ip inspect (interface configuration) command     SR-181

ip inspect alert-off command     SR-178

ip inspect audit trail command     SR-179

ip inspect dns-timeout command     SR-180

ip inspect max-incomplete high command     SR-182

ip inspect max-incomplete low command     SR-184

ip inspect name command     SR-186

ip inspect one-minute high command     SR-193

ip inspect one-minute low command     SR-195

ip inspect tcp finwait-time command     SR-197

ip inspect tcp idle-time command     SR-198

ip inspect tcp max-incomplete host command     SR-199

ip inspect tcp synwait-time command     SR-201

ip inspect udp idle-time command     SR-202

ip port-map command     SR-240

ip radius source-interface command     SR-95

ip reflexive-list timeout command     SR-150

IPSec

commands     SR-353

crypto access lists

specifying     SR-310, SR-374

crypto map entries

creating     SR-294, SR-365

lifetime values, overriding     SR-384

specifying a peer     SR-378

crypto maps

applying     SR-370

dynamic, creating     SR-356

dynamic, priorities     SR-367

dynamic, viewing     SR-392

interfaces, identifying     SR-372

purpose     SR-366

viewing     SR-398

lifetimes

viewing     SR-396

requirements

IKE     SR-440

SAs

clearing     SR-354

lifetimes, changing     SR-359

requesting     SR-382

viewing     SR-393

session keys

manually specifying     SR-387

transforms

allowed combinations     SR-362

changing     SR-363

selecting     SR-363

transform sets

defining     SR-361

mode, changing     SR-376

specifying     SR-390

viewing     SR-397

ip security add command     SR-498

ip security aeso command     SR-500

ip security allow-reserved command     SR-515

ip security dedicated command     SR-501

ip security eso-info command     SR-503

ip security eso-max command     SR-504

ip security eso-min command     SR-506

ip security extended-allowed command     SR-508

ip security first command     SR-509

ip security ignore-authorities command     SR-510

ip security implicit-labelling command     SR-511

ip security multilevel command     SR-513

IP security option

See IPSO

ip security strip command     SR-517

IPSO

authorities and bit patterns

(table)     SR-502

definition     SR-502

basic

configuring     SR-498

extended

configuring     SR-500

defaults     SR-503

maximum sensitivity levels     SR-504

minimum sensitivity levels     SR-506

labels

definition     SR-502

levels and bit patterns

(table)     SR-501

definition     SR-501

ip tacacs source-interface command     SR-118

ip tcp intercept connection-timeout command     SR-158

ip tcp intercept drop-mode command     SR-159

ip tcp intercept finrst-timeout command     SR-161

ip tcp intercept list command     SR-162

ip tcp intercept max-incomplete high command     SR-163

ip tcp intercept max-incomplete low command     SR-165

ip tcp intercept mode command     SR-167

ip tcp intercept one-minute high command     SR-168

ip tcp intercept one-minute low command     SR-170

ip tcp intercept watch-timeout command     SR-172

ip trigger-authentication (global) command     SR-32

ip trigger-authentication (interface) command     SR-34

ip verify unicast reverse-path command     SR-520

ISAKMP

See also IKE

K

kerberos clients mandatory command     SR-127

kerberos crednetials forward command     SR-128

kerberos instance map command     SR-129

kerberos local-realm command     SR-130

kerberos preauth command     SR-131

kerberos realm command     SR-132

kerberos server command     SR-133

kerberos srvtab entry command     SR-134

kerberos srvtab remote command     SR-136

key config-key command     SR-137

unrecoverable DES key

(caution)     SR-137

keys

pre-shared

deleting     SR-443

specifying     SR-443

specifying (example)     SR-444

key-string (IKE) command     SR-456

L

LDAP protocol support

specifying     SR-428

lifetime (IKE policy) command     SR-458

line configuration commands

accounting     SR-81

arap authentication     SR-29

authorization     SR-65

login authentication     SR-35

nasi authentication     SR-37

timeout login response     SR-54

lock-and-key

idle timeouts     SR-142

temporary entries

clearing manually     SR-142, SR-145

creating manually     SR-143

enabling     SR-142

login authentication command     SR-35

using list-names

(caution)     SR-35

M

match address (CET) command     SR-310

match address (IPSec) command     SR-374

memory usage

Certification Authority Interoperability     SR-410

mode (IPSec) command     SR-376

modes

ca-identity

enabling     SR-415

certificate chain configuration

enabling     SR-408

query

enabling     SR-410

RA

enabling     SR-422

See command modes

N

named-key command     SR-460

nasi authentication command     SR-37

using list-names

(caution)     SR-37

no form of a command

using     xvii

no ip inspect command     SR-204

notes

usage in text     ix

O

P

PAM

commands     SR-239

password command     SR-476

perfect forward secrecy

See PFS

permit (reflexive) command     SR-152

permit command     SR-312

PFS

specifying     SR-380

PKI protocol

See CEP

ppp accounting command     SR-84

ppp authentication command

using list-names

(caution)     SR-40

ppp chap hostname command     SR-41

ppp chap password command     SR-43

ppp chap refuse command     SR-45

ppp chap wait command     SR-47

ppp pap sent-username command     SR-49

privileged EXEC commands

access-enable command     SR-142

clear ip trigger-authentication     SR-31

clear kerberos creds     SR-126

show accounting     SR-85

show ip trigger-authentication     SR-51

show kerberos creds     SR-138

show ppp queues     SR-52

privileged EXEC mode

summary     xiv

privilege level (global) command     SR-477

privilege level (line) command     SR-480

prompts

system     xiv

public key configuration mode

enabling     SR-450, SR-460

Q

query mode

enabling     SR-410

query url command     SR-428

question command     xv

R

radius-server attribute nas-port extended command     SR-97

radius-server configure-nas command     SR-98

radius-server deadtime command     SR-99

radius-server host command     SR-101

radius-server host non-standard command     SR-104

radius-server key command     SR-105

radius-server optional passwords command     SR-107

radius-server retransmit command     SR-108

radius-server timeout command     SR-109

radius-server vsa send command     SR-110

RA mode

enabling     SR-422

RAs

enabling     SR-422

Reflexive Access Lists

configuring

(examples)     SR-149, SR-154

temporary entries

characteristics     SR-154

timeouts, global

(examples)     SR-150

ROM monitor mode

summary     xiv

RPC inspection

See CBAC, RPC inspection

RSA encrypted nonces

requirements     SR-436

RSA keys

deleting     SR-420

general purpose keys     SR-418, SR-448

generating     SR-417, SR-447

sample times required     SR-418, SR-448

IP address

specifying     SR-432

manually specifying     SR-450

modulus length     SR-418, SR-448

pairs     SR-417, SR-447

public key record     SR-406

remote peer

specifying     SR-456

special usage keys     SR-417, SR-447

generating     SR-447

specifying     SR-434

specifying     SR-434, SR-460

viewing     SR-466, SR-467

RSA signatures

requirements     SR-436

S

SAs

lifetimes

configuring     SR-458

parameters     SR-445

viewing     SR-464

saving configuration changes     xviii

security

H.323 gatekeeper, enabling     SR-83

See also IPSO

See also lock-and-key

security associations

See SAs

server (RADIUS) command     SR-112

server (TACACS+) command     SR-120

server groups     SR-92, SR-117

server hosts

RADIUS     SR-92

TACACS+     SR-117

service password-encryption command     SR-482

security level

(caution)     SR-482

set algorithm 40-bit-des command     SR-317

set algorithm des command     SR-319

set peer (CET) command     SR-321

set peer (IPSec) command     SR-378

set peer command     SR-378

set pfs command     SR-380

set security-association level per-host command     SR-382

set security-association lifetime command     SR-384

set session-key command     SR-387

set transform-set command     SR-390

show accounting command     SR-85

show crypto algorithms command

See show crypto cisco algorithms command

show crypto ca certificates command     SR-429

show crypto card command     SR-323

show crypto cisco algorithms command     SR-325

show crypto cisco connections command     SR-326

show crypto cisco key-timeout command     SR-328

show crypto cisco pregen-dh-pairs command     SR-329

show crypto connections command

See show crypto cisco connections command

show crypto dynamic- map command     SR-392

show crypto engine brief command     SR-332

show crypto engine configuration command     SR-334

show crypto engine connections active command     SR-336

show crypto engine connections dropped-packets command     SR-338

show crypto ipsec sa command     SR-393, SR-396

show crypto ipsec security-association lifetime command     SR-396

show crypto ipsec transform-set command     SR-397

show crypto isakmp policy command     SR-462

show crypto isakmp sa command     SR-464

show crypto key mypubkey dss command     SR-339

show crypto key mypubkey rsa command     SR-466

show crypto key pubkey-chain dss command     SR-340

show crypto key pubkey-chain rsa command     SR-467

show crypto key-timeout command

See show crypto cisco key-timeout command

show crypto map (CET) command     SR-343

show crypto map (IPSec) command     SR-398

show crypto mypubkey command

See show crypto key mypubkey command

show crypto pregen-dh-pairs command

See show crypto cisco pregen-dh-pairs command

show crypto pubkey command

See show crypto key pubkey-chain dss command

show crypto pubkey name command

See show crypto key pubkey-chain dss name command

show crypto pubkey serial command

See show crypto key pubkey-chain dss serial command

show dnsix command     SR-518

show ip audit configuration command     SR-225

show ip audit interface command     SR-226

show ip audit statistics command     SR-227

show ip auth-proxy command     SR-236

show ip inspect command     SR-205

show ip port-map command     SR-244

show ip trigger-authentication command     SR-51

show kerberos creds command     SR-138

show ppp queues command     SR-52

show privilege command     SR-484

show tcp intercept connections command     SR-173

show tcp intercept statistics command     SR-175

Skeme key exchange protocol

See also IKE

subinterface configuration mode

summary     xiv

T

Tab key

command completion     xv

TACACS+

command comparison

(table)     SR-115

server hosts     SR-117

tacacs-server directed request command     SR-121

tacacs-server host command     SR-122

tacacs-server key command     SR-124

TCP idle timeout

specifying     SR-198

TCP Intercept

enabling     SR-162

modes

intercept mode     SR-167

watch mode     SR-167

timeouts     SR-161

test crypto initiate-session command     SR-351

thresholds

See also CBAC, thresholds

timeout intervals

See also CBAC, timeouts

timeout login response command     SR-54

transport mode     SR-377

tunnel mode     SR-376

U

UDP idle timeout

specifying     SR-202

Unicast RPF

commands     SR-520

user EXEC commands

access-profile     SR-26

user EXEC mode

summary     xiv

username command     SR-485

Z

access lists

See also IPSec