Corporate Headquarters Cisco Systems, Inc.
170 West Tasman Drive San Jose, CA 95134-1706 USA
http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 526-4100
Cisco Security Appliance Command Line Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2(2)
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco Security Appliance Command Line Configuration Guide Copyright © 2006 Cisco Systems, Inc. All rights reserved.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
C O N T E N T S
About This Guide xxxiii
Document Objectives
xxxiiiAudience
xxxiiiRelated Documentation
xxxivDocument Organization
xxxivDocument Conventions
xxxviiObtaining Documentation
xxxviiiCisco.com
xxxviiiProduct Documentation DVD
xxxviiiOrdering Documentation
xxxviiiDocumentation Feedback
xxxviiiCisco Product Security Overview
xxxixReporting Security Problems in Cisco Products
xxxixObtaining Technical Assistance
xlCisco Technical Support & Documentation Website
xlSubmitting a Service Request
xliDefinitions of Service Request Severity
xliObtaining Additional Publications and Information
xliC H A P T E R 1 Introduction to the Security Appliance 1-1
Firewall Functional Overview
1-1Security Policy Overview
1-2Permitting or Denying Traffic with Access Lists
1-2Applying NAT
1-2Using AAA for Through Traffic
1-2Applying HTTP, HTTPS, or FTP Filtering
1-3Applying Application Inspection
1-3Sending Traffic to the Advanced Inspection and Prevention Security Services Module
1-3Sending Traffic to the Content Security and Control Security Services Module
1-3Applying QoS Policies
1-3Applying Connection Limits and TCP Normalization
1-3Firewall Mode Overview
1-3Stateful Inspection Overview
1-4VPN Functional Overview
1-5Contents
Intrusion Prevention Services Functional Overview
1-5Security Context Overview
1-6C H A P T E R 2 Getting Started 2-1
Getting Started with Your Platform Model
2-1Factory Default Configurations
2-1Restoring the Factory Default Configuration
2-2ASA 5505 Default Configuration
2-2ASA 5510 and Higher Default Configuration
2-3PIX 515/515E Default Configuration
2-4Accessing the Command-Line Interface
2-4Setting Transparent or Routed Firewall Mode
2-5Working with the Configuration
2-6Saving Configuration Changes
2-6Saving Configuration Changes in Single Context Mode
2-7Saving Configuration Changes in Multiple Context Mode
2-7Copying the Startup Configuration to the Running Configuration
2-8Viewing the Configuration
2-8Clearing and Removing Configuration Settings
2-9Creating Text Configuration Files Offline
2-9C H A P T E R 3 Enabling Multiple Context Mode 3-1
Security Context Overview
3-1Common Uses for Security Contexts
3-1Unsupported Features
3-2Context Configuration Files
3-2Context Configurations
3-2System Configuration
3-2Admin Context Configuration
3-2How the Security Appliance Classifies Packets
3-3Valid Classifier Criteria
3-3Invalid Classifier Criteria
3-4Classification Examples
3-5Cascading Security Contexts
3-8Management Access to Security Contexts
3-9System Administrator Access
3-9Context Administrator Access
3-10Enabling or Disabling Multiple Context Mode
3-10Backing Up the Single Mode Configuration
3-10Contents
Enabling Multiple Context Mode
3-10Restoring Single Context Mode
3-11C H A P T E R 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security
Appliance 4-1
Interface Overview
4-1Understanding ASA 5505 Ports and Interfaces
4-2Maximum Active VLAN Interfaces for Your License
4-2Default Interface Configuration
4-3VLAN MAC Addresses
4-4Power Over Ethernet
4-4Monitoring Traffic Using SPAN
4-4Security Level Overview
4-5Configuring VLAN Interfaces
4-5Configuring Switch Ports as Access Ports
4-9Configuring a Switch Port as a Trunk Port
4-11Allowing Communication Between VLAN Interfaces on the Same Security Level
4-13C H A P T E R 5 Configuring Ethernet Settings and Subinterfaces 5-1
Configuring and Enabling RJ-45 Interfaces
5-1Configuring and Enabling Fiber Interfaces
5-2Configuring and Enabling Subinterfaces
5-3C H A P T E R 6 Adding and Managing Security Contexts 6-1
Configuring Resource Management
6-1Classes and Class Members Overview
6-1Resource Limits
6-2Default Class
6-3Class Members
6-4Configuring a Class
6-4Configuring a Security Context
6-7Automatically Assigning MAC Addresses to Context Interfaces
6-11Changing Between Contexts and the System Execution Space
6-11Managing Security Contexts
6-12Removing a Security Context
6-12Changing the Admin Context
6-13Changing the Security Context URL
6-13Reloading a Security Context
6-14Contents
Reloading by Clearing the Configuration
6-14Reloading by Removing and Re-adding the Context
6-15Monitoring Security Contexts
6-15Viewing Context Information
6-15Viewing Resource Allocation
6-16Viewing Resource Usage
6-19Monitoring SYN Attacks in Contexts
6-20C H A P T E R 7 Configuring Interface Parameters 7-1
Security Level Overview
7-1Configuring the Interface
7-2Allowing Communication Between Interfaces on the Same Security Level
7-6C H A P T E R 8 Configuring Basic Settings 8-1
Changing the Login Password
8-1Changing the Enable Password
8-1Setting the Hostname
8-2Setting the Domain Name
8-2Setting the Date and Time
8-2Setting the Time Zone and Daylight Saving Time Date Range
8-3Setting the Date and Time Using an NTP Server
8-4Setting the Date and Time Manually
8-4Setting the Management IP Address for a Transparent Firewall
8-5C H A P T E R 9 Configuring IP Routing 9-1
Configuring Static and Default Routes
9-1Configuring a Static Route
9-2Configuring a Default Route
9-3Configuring Static Route Tracking
9-3Defining Route Maps
9-6Configuring OSPF
9-7OSPF Overview
9-8Enabling OSPF
9-8Redistributing Routes Into OSPF
9-9Configuring OSPF Interface Parameters
9-10Configuring OSPF Area Parameters
9-12Configuring OSPF NSSA
9-13Configuring Route Summarization Between OSPF Areas
9-14Contents
Configuring Route Summarization When Redistributing Routes into OSPF
9-14Defining Static OSPF Neighbors
9-15Generating a Default Route
9-16Configuring Route Calculation Timers
9-16Logging Neighbors Going Up or Down
9-17Displaying OSPF Update Packet Pacing
9-17Monitoring OSPF
9-18Restarting the OSPF Process
9-18Configuring RIP
9-19Enabling and Configuring RIP
9-19Redistributing Routes into the RIP Routing Process
9-20Configuring RIP Send/Receive Version on an Interface
9-21Enabling RIP Authentication
9-21Monitoring RIP
9-22The Routing Table
9-22Displaying the Routing Table
9-22How the Routing Table is Populated
9-23Backup Routes
9-24How Forwarding Decisions are Made
9-24C H A P T E R 10 Configuring DHCP, DDNS, and WCCP Services 10-1
Configuring a DHCP Server
10-1Enabling the DHCP Server
10-2Configuring DHCP Options
10-3Using Cisco IP Phones with a DHCP Server
10-4Configuring DHCP Relay Services
10-5Configuring Dynamic DNS
10-6Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
10-7Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration
10-7Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs.
10-8Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only;
Honors Client Request and Updates Both A and PTR RR
10-8Example 5: Client Updates A RR; Server Updates PTR RR
10-9Configuring Web Cache Services Using WCCP
10-9WCCP Feature Support
10-9WCCP Interaction With Other Features
10-10Enabling WCCP Redirection
10-10Contents
C H A P T E R 11 Configuring Multicast Routing 11-13
Multicast Routing Overview
11-13Enabling Multicast Routing
11-14Configuring IGMP Features
11-14Disabling IGMP on an Interface
11-15Configuring Group Membership
11-15Configuring a Statically Joined Group
11-15Controlling Access to Multicast Groups
11-15Limiting the Number of IGMP States on an Interface
11-16Modifying the Query Interval and Query Timeout
11-16Changing the Query Response Time
11-17Changing the IGMP Version
11-17Configuring Stub Multicast Routing
11-17Configuring a Static Multicast Route
11-17Configuring PIM Features
11-18Disabling PIM on an Interface
11-18Configuring a Static Rendezvous Point Address
11-19Configuring the Designated Router Priority
11-19Filtering PIM Register Messages
11-19Configuring PIM Message Intervals
11-20Configuring a Multicast Boundary
11-20Filtering PIM Neighbors
11-20Supporting Mixed Bidirctional/Sparse-Mode PIM Networks
11-21For More Information about Multicast Routing
11-22C H A P T E R 12 Configuring IPv6 12-1
IPv6-enabled Commands
12-1Configuring IPv6
12-2Configuring IPv6 on an Interface
12-3Configuring a Dual IP Stack on an Interface
12-4Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses
12-4Configuring IPv6 Duplicate Address Detection
12-4Configuring IPv6 Default and Static Routes
12-5Configuring IPv6 Access Lists
12-6Configuring IPv6 Neighbor Discovery
12-7Configuring Neighbor Solicitation Messages
12-7Configuring Router Advertisement Messages
12-9Configuring a Static IPv6 Neighbor
12-11Contents
Verifying the IPv6 Configuration
12-11The show ipv6 interface Command
12-11The show ipv6 route Command
12-12C H A P T E R 13 Configuring AAA Servers and the Local Database 13-1
AAA Overview
13-1About Authentication
13-1About Authorization
13-2About Accounting
13-2AAA Server and Local Database Support
13-2Summary of Support
13-3RADIUS Server Support
13-3Authentication Methods
13-4Attribute Support
13-4RADIUS Authorization Functions
13-4TACACS+ Server Support
13-4SDI Server Support
13-4SDI Version Support
13-5Two-step Authentication Process
13-5SDI Primary and Replica Servers
13-5NT Server Support
13-5Kerberos Server Support
13-5LDAP Server Support
13-6Authentication with LDAP
13-6Authorization with LDAP for VPN
13-7LDAP Attribute Mapping
13-8SSO Support for WebVPN with HTTP Forms
13-9Local Database Support
13-9User Profiles
13-10Fallback Support
13-10Configuring the Local Database
13-10Identifying AAA Server Groups and Servers
13-12Using Certificates and User Login Credentials
13-15Using User Login Credentials
13-15Using certificates
13-16Supporting a Zone Labs Integrity Server
13-16Overview of Integrity Server and Security Appliance Interaction
13-17Configuring Integrity Server Support
13-17Contents
C H A P T E R 14 Configuring Failover 14-1
Understanding Failover
14-1Failover System Requirements
14-2Hardware Requirements
14-2Software Requirements
14-2License Requirements
14-2The Failover and Stateful Failover Links
14-3Failover Link
14-3Stateful Failover Link
14-5Active/Active and Active/Standby Failover
14-6Active/Standby Failover
14-6Active/Active Failover
14-9Determining Which Type of Failover to Use
14-14Regular and Stateful Failover
14-15Regular Failover
14-15Stateful Failover
14-15Failover Health Monitoring
14-16Unit Health Monitoring
14-16Interface Monitoring
14-16Failover Feature/Platform Matrix
14-17Failover Times by Platform
14-18Configuring Failover
14-18Failover Configuration Limitations
14-18Configuring Active/Standby Failover
14-19Prerequisites
14-19Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)
14-19Configuring LAN-Based Active/Standby Failover
14-21Configuring Optional Active/Standby Failover Settings
14-24Configuring Active/Active Failover
14-26Prerequisites
14-27Configuring Cable-Based Active/Active Failover (PIX security appliance)
14-27Configuring LAN-Based Active/Active Failover
14-29Configuring Optional Active/Active Failover Settings
14-32Configuring Unit Health Monitoring
14-36Configuring Failover Communication Authentication/Encryption
14-37Verifying the Failover Configuration
14-38Using the show failover Command
14-38Viewing Monitored Interfaces
14-46Displaying the Failover Commands in the Running Configuration
14-46Contents
Testing the Failover Functionality
14-46Controlling and Monitoring Failover
14-47Forcing Failover
14-47Disabling Failover
14-48Restoring a Failed Unit or Failover Group
14-48Monitoring Failover
14-48Failover System Messages
14-48Debug Messages
14-49SNMP
14-49C H A P T E R 15 Firewall Mode Overview 15-1
Routed Mode Overview
15-1IP Routing Support
15-1Network Address Translation
15-1How Data Moves Through the Security Appliance in Routed Firewall Mode
15-2An Inside User Visits a Web Server
15-3An Outside User Visits a Web Server on the DMZ
15-4An Inside User Visits a Web Server on the DMZ
15-5An Outside User Attempts to Access an Inside Host
15-6A DMZ User Attempts to Access an Inside Host
15-7Transparent Mode Overview
15-7Transparent Firewall Network
15-8Allowing Layer 3 Traffic
15-8Allowed MAC Addresses
15-8Passing Traffic Not Allowed in Routed Mode
15-8MAC Address Lookups
15-9Using the Transparent Firewall in Your Network
15-9Transparent Firewall Guidelines
15-10Unsupported Features in Transparent Mode
15-10How Data Moves Through the Transparent Firewall
15-12An Inside User Visits a Web Server
15-13An Outside User Visits a Web Server on the Inside Network
15-14An Outside User Attempts to Access an Inside Host
15-15C H A P T E R 16 Identifying Traffic with Access Lists 16-1
Access List Overview
16-1Access List Types
16-2Access Control Entry Order
16-2Access Control Implicit Deny
16-3Contents
IP Addresses Used for Access Lists When You Use NAT
16-3Adding an Extended Access List
16-5Extended Access List Overview
16-5Allowing Broadcast and Multicast Traffic through the Transparent Firewall
16-6Adding an Extended ACE
16-6Adding an EtherType Access List
16-8EtherType Access List Overview
16-8Supported EtherTypes
16-8Implicit Permit of IP and ARPs Only
16-9Implicit and Explicit Deny ACE at the End of an Access List
16-9IPv6 Unsupported
16-9Using Extended and EtherType Access Lists on the Same Interface
16-9Allowing MPLS
16-9Adding an EtherType ACE
16-10Adding a Standard Access List
16-10Adding a Webtype Access List
16-11Simplifying Access Lists with Object Grouping
16-11How Object Grouping Works
16-11Adding Object Groups
16-12Adding a Protocol Object Group
16-12Adding a Network Object Group
16-13Adding a Service Object Group
16-13Adding an ICMP Type Object Group
16-14Nesting Object Groups
16-15Using Object Groups with an Access List
16-16Displaying Object Groups
16-17Removing Object Groups
16-17Adding Remarks to Access Lists
16-17Scheduling Extended Access List Activation
16-18Adding a Time Range
16-18Applying the Time Range to an ACE
16-19Logging Access List Activity
16-19Access List Logging Overview
16-19Configuring Logging for an Access Control Entry
16-20Managing Deny Flows
16-21C H A P T E R 17 Applying NAT 17-1
NAT Overview
17-1Introduction to NAT
17-2Contents
NAT Control
17-3NAT Types
17-5Dynamic NAT
17-5PAT
17-7Static NAT
17-7Static PAT
17-8Bypassing NAT when NAT Control is Enabled
17-9Policy NAT
17-9NAT and Same Security Level Interfaces
17-12Order of NAT Commands Used to Match Real Addresses
17-13Mapped Address Guidelines
17-13DNS and NAT
17-14Configuring NAT Control
17-15Using Dynamic NAT and PAT
17-16Dynamic NAT and PAT Implementation
17-16Configuring Dynamic NAT or PAT
17-22Using Static NAT
17-25Using Static PAT
17-26Bypassing NAT
17-28Configuring Identity NAT
17-28Configuring Static Identity NAT
17-29Configuring NAT Exemption
17-31NAT Examples
17-32Overlapping Networks
17-33Redirecting Ports
17-34C H A P T E R 18 Permitting or Denying Network Access 18-1
Inbound and Outbound Access List Overview
18-1Applying an Access List to an Interface
18-4C H A P T E R 19 Applying AAA for Network Access 19-1
AAA Performance
19-1Configuring Authentication for Network Access
19-1Authentication Overview
19-2One-Time Authentication
19-2Applications Required to Receive an Authentication Challenge
19-2Static PAT and HTTP
19-3Authenticating Directly with the Security Appliance
19-3Contents
Enabling Network Access Authentication
19-3Enabling Secure Authentication of Web Clients
19-5Configuring Authorization for Network Access
19-5Configuring TACACS+ Authorization
19-5Configuring RADIUS Authorization
19-7Configuring a RADIUS Server to Send Downloadable Access Control Lists
19-7Configuring a RADIUS Server to Download Per-User Access Control List Names
19-11Configuring Accounting for Network Access
19-12Using MAC Addresses to Exempt Traffic from Authentication and Authorization
19-13C H A P T E R 20 Applying Filtering Services 20-1
Filtering Overview
20-1Filtering ActiveX Objects
20-1ActiveX Filtering Overview
20-2Enabling ActiveX Filtering
20-2Filtering Java Applets
20-3Filtering URLs and FTP Requests with an External Server
20-3URL Filtering Overview
20-4Identifying the Filtering Server
20-4Buffering the Content Server Response
20-5Caching Server Addresses
20-6Filtering HTTP URLs
20-6Configuring HTTP Filtering
20-6Enabling Filtering of Long HTTP URLs
20-7Truncating Long HTTP URLs
20-7Exempting Traffic from Filtering
20-7Filtering HTTPS URLs
20-8Filtering FTP Requests
20-8Viewing Filtering Statistics and Configuration
20-9Viewing Filtering Server Statistics
20-9Viewing Buffer Configuration and Statistics
20-10Viewing Caching Statistics
20-11Viewing Filtering Performance Statistics
20-11Viewing Filtering Configuration
20-11C H A P T E R 21 Using Modular Policy Framework 21-1
Modular Policy Framework Overview
21-1Default Global Policy
21-2Contents
Identifying Traffic Using a Layer 3/4 Class Map
21-2Creating a Layer 3/4 Class Map for Through Traffic
21-3Creating a Layer 3/4 Class Map for Management Traffic
21-5Configuring Special Actions for Application Inspections
21-5Creating a Regular Expression
21-6Creating a Regular Expression Class Map
21-8Identifying Traffic in an Inspection Class Map
21-9Defining Actions in an Inspection Policy Map
21-10Defining Actions Using a Layer 3/4 Policy Map
21-13Layer 3/4 Policy Map Overview
21-13Default Layer 3/4 Policy Map
21-14Adding a Layer 3/4 Policy Map
21-15Applying a Layer 3/4 Policy to an Interface Using a Service Policy
21-17Modular Policy Framework Examples
21-17Applying Inspection and QoS Policing to HTTP Traffic
21-18Applying Inspection to HTTP Traffic Globally
21-18Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
21-19Applying Inspection to HTTP Traffic with NAT
21-20C H A P T E R 22 Managing AIP SSM and CSC SSM 22-1
Managing the AIP SSM
22-1About the AIP SSM
22-1Getting Started with the AIP SSM
22-2Diverting Traffic to the AIP SSM
22-2Sessioning to the AIP SSM and Running Setup
22-4Managing the CSC SSM
22-5About the CSC SSM
22-5Getting Started with the CSC SSM
22-7Determining What Traffic to Scan
22-9Limiting Connections Through the CSC SSM
22-11Diverting Traffic to the CSC SSM
22-11Checking SSM Status
22-13Transferring an Image onto an SSM
22-14C H A P T E R 23 Preventing Network Attacks 23-1
Configuring TCP Normalization
23-1Configuring Connection Limits and Timeouts
23-4Preventing IP Spoofing
23-5Contents
Configuring the Fragment Size
23-6Blocking Unwanted Connections
23-6Configuring IP Audit for Basic IPS Support
23-7C H A P T E R 24 Applying QoS Policies 24-1
Overview
24-1QoS Concepts
24-2Implementing QoS
24-2Identifying Traffic for QoS
24-4Defining a QoS Policy Map
24-5Applying Rate Limiting
24-6Activating the Service Policy
24-7Applying Low Latency Queueing
24-8Configuring Priority Queuing
24-8Sizing the Priority Queue
24-8Reducing Queue Latency
24-9Configuring QoS
24-9Viewing QoS Configuration
24-12Viewing QoS Service Policy Configuration
24-12Viewing QoS Policy Map Configuration
24-13Viewing the Priority-Queue Configuration for an Interface
24-13Viewing QoS Statistics
24-14Viewing QoS Police Statistics
24-14Viewing QoS Priority Statistics
24-14Viewing QoS Priority Queue Statistics
24-15C H A P T E R 25 Configuring Application Layer Protocol Inspection 25-1
Inspection Engine Overview
25-2When to Use Application Protocol Inspection
25-2Inspection Limitations
25-2Default Inspection Policy
25-3Configuring Application Inspection
25-5CTIQBE Inspection
25-9CTIQBE Inspection Overview
25-9Limitations and Restrictions
25-10Verifying and Monitoring CTIQBE Inspection
25-10DCERPC Inspection
25-11Contents
DCERPC Overview
25-11Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
25-12DNS Inspection
25-13How DNS Application Inspection Works
25-13How DNS Rewrite Works
25-14Configuring DNS Rewrite
25-15Using the Static Command for DNS Rewrite
25-15Using the Alias Command for DNS Rewrite
25-16Configuring DNS Rewrite with Two NAT Zones
25-16DNS Rewrite with Three NAT Zones
25-17Configuring DNS Rewrite with Three NAT Zones
25-19Verifying and Monitoring DNS Inspection
25-20Configuring a DNS Inspection Policy Map for Additional Inspection Control
25-20ESMTP Inspection
25-24Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
25-24FTP Inspection
25-25FTP Inspection Overview
25-26Using the strict Option
25-26Configuring an FTP Inspection Policy Map for Additional Inspection Control
25-27Verifying and Monitoring FTP Inspection
25-30GTP Inspection
25-31GTP Inspection Overview
25-31Configuring a GTP Inspection Policy Map for Additional Inspection Control
25-32Verifying and Monitoring GTP Inspection
25-36H.323 Inspection
25-37H.323 Inspection Overview
25-37How H.323 Works
25-37Limitations and Restrictions
25-38Configuring an H.323 Inspection Policy Map for Additional Inspection Control
25-38Configuring H.323 and H.225 Timeout Values
25-41Verifying and Monitoring H.323 Inspection
25-41Monitoring H.225 Sessions
25-42Monitoring H.245 Sessions
25-42Monitoring H.323 RAS Sessions
25-43HTTP Inspection
25-43HTTP Inspection Overview
25-43Configuring an HTTP Inspection Policy Map for Additional Inspection Control
25-44Instant Messaging Inspection
25-48IM Inspection Overview
25-48Contents
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control
25-48ICMP Inspection
25-51ICMP Error Inspection
25-51ILS Inspection
25-52MGCP Inspection
25-53MGCP Inspection Overview
25-53Configuring an MGCP Inspection Policy Map for Additional Inspection Control
25-55Configuring MGCP Timeout Values
25-56Verifying and Monitoring MGCP Inspection
25-56NetBIOS Inspection
25-57Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control
25-57PPTP Inspection
25-59RADIUS Accounting Inspection
25-59Configuring a RADIUS Inspection Policy Map for Additional Inspection Control
25-60RSH Inspection
25-60RTSP Inspection
25-60RTSP Inspection Overview
25-60Using RealPlayer
25-61Restrictions and Limitations
25-61SIP Inspection
25-62SIP Inspection Overview
25-62SIP Instant Messaging
25-62Configuring a SIP Inspection Policy Map for Additional Inspection Control
25-63Configuring SIP Timeout Values
25-67Verifying and Monitoring SIP Inspection
25-67Skinny (SCCP) Inspection
25-68SCCP Inspection Overview
25-68Supporting Cisco IP Phones
25-69Restrictions and Limitations
25-69Verifying and Monitoring SCCP Inspection
25-69Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control
25-70SMTP and Extended SMTP Inspection
25-72SNMP Inspection
25-73SQL*Net Inspection
25-73Sun RPC Inspection
25-74Sun RPC Inspection Overview
25-74Managing Sun RPC Services
25-74Verifying and Monitoring Sun RPC Inspection
25-75Contents
TFTP Inspection
25-76XDMCP Inspection
25-77C H A P T E R 26 Configuring ARP Inspection and Bridging Parameters 26-1
Configuring ARP Inspection
26-1ARP Inspection Overview
26-1Adding a Static ARP Entry
26-2Enabling ARP Inspection
26-2Customizing the MAC Address Table
26-3MAC Address Table Overview
26-3Adding a Static MAC Address
26-3Setting the MAC Address Timeout
26-4Disabling MAC Address Learning
26-4Viewing the MAC Address Table
26-4C H A P T E R 27 Configuring IPSec and ISAKMP 27-1
Tunneling Overview
27-1IPSec Overview
27-2Configuring ISAKMP
27-2ISAKMP Overview
27-2Configuring ISAKMP Policies
27-5Enabling ISAKMP on the Outside Interface
27-6Disabling ISAKMP in Aggressive Mode
27-6Determining an ID Method for ISAKMP Peers
27-6Enabling IPSec over NAT-T
27-7Using NAT-T
27-7Enabling IPSec over TCP
27-8Waiting for Active Sessions to Terminate Before Rebooting
27-9Alerting Peers Before Disconnecting
27-9Configuring Certificate Group Matching
27-9Creating a Certificate Group Matching Rule and Policy
27-10Using the Tunnel-group-map default-group Command
27-11Configuring IPSec
27-11Understanding IPSec Tunnels
27-11Understanding Transform Sets
27-12Defining Crypto Maps
27-12Applying Crypto Maps to Interfaces
27-20Using Interface Access Lists
27-20Changing IPSec SA Lifetimes
Contents
Creating a Basic IPSec Configuration
27-22Using Dynamic Crypto Maps
27-24Providing Site-to-Site Redundancy
27-26Viewing an IPSec Configuration
27-26Clearing Security Associations
27-27Clearing Crypto Map Configurations
27-27Supporting the Nokia VPN Client
27-28C H A P T E R 28 Configuring L2TP over IPSec 28-1
L2TP Overview
28-1IPSec Transport and Tunnel Modes
28-2Configuring L2TP over IPSec Connections
28-3Tunnel Group Switching
28-5Viewing L2TP over IPSec Connection Information
28-5Using L2TP Debug Commands
28-7Enabling IPSec Debug
28-8Getting Additional Information
28-8C H A P T E R 29 Setting General IPSec VPN Parameters 29-1
Configuring VPNs in Single, Routed Mode
29-1Configuring IPSec to Bypass ACLs
29-1Permitting Intra-Interface Traffic
29-2NAT Considerations for Intra-Interface Traffic
29-3Setting Maximum Active IPSec VPN Sessions
29-3Using Client Update to Ensure Acceptable Client Revision Levels
29-3Understanding Load Balancing
29-5Implementing Load Balancing
29-6Prerequisites
29-6Eligible Platforms
29-7Eligible Clients
29-7VPN Load-Balancing Cluster Configurations
29-7Some Typical Mixed Cluster Scenarios
29-8Scenario 1: Mixed Cluster with No WebVPN Connections
29-8Scenario 2: Mixed Cluster Handling WebVPN Connections
29-8Configuring Load Balancing 29-9
Configuring the Public and Private Interfaces for Load Balancing
29-9Configuring the Load Balancing Cluster Attributes
29-10Configuring VPN Session Limits
29-11Contents
C H A P T E R 30 Configuring Tunnel Groups, Group Policies, and Users 30-1
Overview of Tunnel Groups, Group Policies, and Users
30-1Tunnel Groups
30-2General Tunnel-Group Connection Parameters
30-2IPSec Tunnel-Group Connection Parameters
30-3WebVPN Tunnel-Group Connection Parameters
30-4Configuring Tunnel Groups
30-5Default IPSec Remote Access Tunnel Group Configuration
30-5Configuring IPSec Tunnel-Group General Attributes
30-6Configuring IPSec Remote-Access Tunnel Groups
30-6Specifying a Name and Type for the IPSec Remote Access Tunnel Group
30-6Configuring IPSec Remote-Access Tunnel Group General Attributes
30-6Configuring IPSec Remote-Access Tunnel Group IPSec Attributes
30-10Configuring IPSec Remote-Access Tunnel Group PPP Attributes
30-12Configuring LAN-to-LAN Tunnel Groups
30-13Default LAN-to-LAN Tunnel Group Configuration
30-13Specifying a Name and Type for a LAN-to-LAN Tunnel Group
30-13Configuring LAN-to-LAN Tunnel Group General Attributes
30-14Configuring LAN-to-LAN IPSec Attributes
30-14Configuring WebVPN Tunnel Groups
30-16Specifying a Name and Type for a WebVPN Tunnel Group
30-16Configuring WebVPN Tunnel-Group General Attributes
30-17Configuring WebVPN Tunnel-Group WebVPN Attributes
30-20Customizing Login Windows for WebVPN Users
30-23Configuring Microsoft Active Directory Settings for Password Management
30-24Using Active Directory to Force the User to Change Password at Next Logon
30-24Using Active Directory to Specify Maximum Password Age
30-26Using Active Directory to Override an Account Disabled AAA Indicator
30-27Using Active Directory to Enforce Minimum Password Length
30-28Using Active Directory to Enforce Password Complexity
30-29Group Policies
30-30Default Group Policy
30-31Configuring Group Policies
30-33Configuring an External Group Policy
30-33Configuring an Internal Group Policy
30-34Configuring Group Policy Attributes
30-34Configuring WINS and DNS Servers
30-34Configuring VPN-Specific Attributes
30-35Configuring Security Attributes
30-38Contents
Configuring the Banner Message
30-40Configuring IPSec-UDP Attributes
30-40Configuring Split-Tunneling Attributes
30-41Configuring Domain Attributes for Tunneling
30-42Configuring Attributes for VPN Hardware Clients
30-44Configuring Backup Server Attributes
30-47Configuring Microsoft Internet Explorer Client Parameters
30-48Configuring Network Admission Control Parameters
30-50Configuring Address Pools
30-53Configuring Firewall Policies
30-54Configuring Client Access Rules
30-57Configuring Group-Policy WebVPN Attributes
30-58Configuring User Attributes
30-69Viewing the Username Configuration
30-70Configuring Attributes for Specific Users
30-70Setting a User Password and Privilege Level
30-70Configuring User Attributes
30-71Configuring VPN User Attributes
30-71Configuring WebVPN for Specific Users
30-75C H A P T E R 31 Configuring IP Addresses for VPNs 31-1
Configuring an IP Address Assignment Method
31-1Configuring Local IP Address Pools
31-2Configuring AAA Addressing
31-2Configuring DHCP Addressing
31-3C H A P T E R 32 Configuring Remote Access IPSec VPNs 32-1
Summary of the Configuration
32-1Configuring Interfaces
32-2Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
32-3Configuring an Address Pool
32-4Adding a User
32-4Creating a Transform Set
32-4Defining a Tunnel Group
32-5Creating a Dynamic Crypto Map
32-6Creating a Crypto Map Entry to Use the Dynamic Crypto Map
32-7Contents
C H A P T E R 33 Configuring Network Admission Control 33-1
Uses, Requirements, and Limitations
33-1Configuring Basic Settings
33-2Specifying the Access Control Server Group
33-2Enabling NAC
33-2Configuring the Default ACL for NAC
33-3Configuring Exemptions from NAC
33-4Changing Advanced Settings
33-5Changing Clientless Authentication Settings
33-5Enabling and Disabling Clientless Authentication
33-5Changing the Login Credentials Used for Clientless Authentication
33-6Configuring NAC Session Attributes
33-7Setting the Query-for-Posture-Changes Timer
33-9Setting the Revalidation Timer
33-9C H A P T E R 34 Configuring Easy VPN Services on the ASA 5505 34-1
Specifying the Client/Server Role of the Cisco ASA 5505
34-2Specifying the Primary and Secondary Servers
34-3Specifying the Mode
34-3Configuring Automatic Xauth Authentication
34-4Configuring IPSec Over TCP
34-4Comparing Tunneling Options
34-5Specifying the Tunnel Group or Trustpoint
34-6Specifying the Tunnel Group
34-6Specifying the Trustpoint
34-7Configuring Split Tunneling
34-8Configuring Device Pass-Through
34-8Configuring Remote Management
34-9Guidelines for Configuring the Easy VPN Server
34-9Group Policy and User Attributes Pushed to the Client
34-10Authentication Options
34-12C H A P T E R 35 Configuring the PPPoE Client 35-1
PPPoE Client Overview
35-1Configuring the PPPoE Client Username and Password
35-2Enabling PPPoE
35-3Using PPPoE with a Fixed IP Address
35-3Contents
Monitoring and Debugging the PPPoE Client
35-4Clearing the Configuration
35-5Using Related Commands
35-5C H A P T E R 36 Configuring LAN-to-LAN IPSec VPNs 36-1
Summary of the Configuration
36-1Configuring Interfaces
36-2Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
36-2Creating a Transform Set
36-4Configuring an ACL
36-4Defining a Tunnel Group
36-5Creating a Crypto Map and Applying It To an Interface
36-6Applying Crypto Maps to Interfaces
36-7C H A P T E R 37 Configuring WebVPN 37-1
Getting Started with WebVPN
37-1Observing WebVPN Security Precautions
37-2Understanding Features Not Supported for WebVPN
37-2Using SSL to Access the Central Site
37-3Using HT4TPS for WebVPN Sessions
37-3Configuring WebVPN and ASDM on the Same Interface
37-3Setting WebVPN HTTP/HTTPS Proxy
37-4Configuring SSL/TLS Encryption Protocols
37-4Authenticating with Digital Certificates
37-5Enabling Cookies on Browsers for WebVPN
37-5Managing Passwords
37-5Using Single Sign-on with WebVPN
37-6Configuring SSO with HTTP Basic or NTLM Authentication
37-6Configuring SSO Authentication Using SiteMinder
37-7Configuring SSO with the HTTP Form Protocol
37-9Authenticating with Digital Certificates
37-15Creating and Applying WebVPN Policies
37-15Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode
37-15Assigning Lists to Group Policies and Users in Group-Policy or User Mode
37-16Enabling Features for Group Policies and Users
37-16Assigning Users to Group Policies
37-16Using the Security Appliance Authentication Server
37-16Using a RADIUS Server
37-16Contents
Configuring WebVPN Tunnel Group Attributes
37-16Configuring WebVPN Group Policy and User Attributes
37-17Configuring Application Access
37-18Downloading the Port-Forwarding Applet Automatically
37-18Closing Application Access to Prevent hosts File Errors
37-18Recovering from hosts File Errors When Using Application Access
37-18Understanding the hosts File
37-19Stopping Application Access Improperly
37-19Reconfiguring a hosts File
37-19Configuring File Access
37-21Configuring Access to Citrix MetaFrame Services
37-24Using WebVPN with PDAs
37-25Using E-Mail over WebVPN
37-25Configuring E-mail Proxies
37-26E-mail Proxy Certificate Authentication
37-26Configuring MAPI
37-26Configuring Web E-mail: MS Outlook Web Access
37-27Optimizing WebVPN Performance
37-27Configuring Caching
37-27Configuring Content Transformation
37-28Configuring a Certificate for Signing Rewritten Java Content
37-28Disabling Content Rewrite
37-29Using Proxy Bypass
37-29Configuring Application Profile Customization Framework
37-29APCF Syntax
37-30APCF Example
37-31WebVPN End User Setup
37-32Defining the End User Interface
37-32Viewing the WebVPN Home Page
37-32Viewing the WebVPN Application Access Panel
37-33Viewing the Floating Toolbar
37-34Customizing WebVPN Pages
37-35Using Cascading Style Sheet Parameters
37-35Customizing the WebVPN Login Page
37-36Customizing the WebVPN Logout Page
37-37Customizing the WebVPN Home Page
37-38Customizing the Application Access Window
37-40Customizing the Prompt Dialogs
37-41Applying Customizations to Tunnel Groups, Groups and Users
37-42Contents
Requiring Usernames and Passwords
37-43Communicating Security Tips
37-44Configuring Remote Systems to Use WebVPN Features
37-44Capturing WebVPN Data
37-50Creating a Capture File
37-51Using a Browser to Display Capture Data
37-51C H A P T E R 38 Configuring SSL VPN Client 38-1
Installing SVC
38-1Platform Requirements
38-1Installing the SVC Software
38-2Enabling SVC
38-3Enabling Permanent SVC Installation
38-4Enabling Rekey
38-5Enabling and Adjusting Dead Peer Detection
38-5Enabling Keepalive
38-6Using SVC Compression
38-6Viewing SVC Sessions
38-7Logging Off SVC Sessions
38-8Updating SVCs
38-8C H A P T E R 39 Configuring Certificates 39-1
Public Key Cryptography
39-1About Public Key Cryptography
39-1Certificate Scalability
39-2About Key Pairs
39-2About Trustpoints
39-3About Revocation Checking
39-3About CRLs
39-3About OCSP
39-4Supported CA Servers
39-5Certificate Configuration
39-5Preparing for Certificates
39-5Configuring Key Pairs
39-6Generating Key Pairs
39-6Removing Key Pairs
39-7Configuring Trustpoints
39-7Obtaining Certificates
39-9Contents
Obtaining Certificates with SCEP
39-9Obtaining Certificates Manually
39-11Configuring CRLs for a Trustpoint
39-13Exporting and Importing Trustpoints
39-14Exporting a Trustpoint Configuration
39-15Importing a Trustpoint Configuration
39-15Configuring CA Certificate Map Rules
39-15C H A P T E R 40 Managing System Access 40-1
Allowing Telnet Access
40-1Allowing SSH Access
40-2Configuring SSH Access
40-2Using an SSH Client
40-3Allowing HTTPS Access for ASDM
40-3Configuring ASDM and WebVPN on the Same Interface
40-4Configuring AAA for System Administrators
40-5Configuring Authentication for CLI Access
40-5Configuring Authentication To Access Privileged EXEC Mode
40-6Configuring Authentication for the Enable Command
40-6Authenticating Users Using the Login Command
40-6Configuring Command Authorization
40-7Command Authorization Overview
40-7Configuring Local Command Authorization
40-8Configuring TACACS+ Command Authorization
40-11Configuring Command Accounting
40-14Viewing the Current Logged-In User
40-14Recovering from a Lockout
40-15Configuring a Login Banner
40-16C H A P T E R 41 Managing Software, Licenses, and Configurations 41-1
Managing Licenses
41-1Obtaining an Activation Key
41-1Entering a New Activation Key
41-2Viewing Files in Flash Memory
41-2Downloading Software or Configuration Files to Flash Memory
41-3Downloading a File to a Specific Location
41-3Downloading a File to the Startup or Running Configuration
41-4Configuring the Application Image and ASDM Image to Boot
41-5Contents
Configuring the File to Boot as the Startup Configuration
41-5Performing Zero Downtime Upgrades for Failover Pairs
41-6Upgrading an Active/Standby Failover Configuration
41-6Upgrading and Active/Active Failover Configuration
41-7Backing Up Configuration Files
41-8Backing up the Single Mode Configuration or Multiple Mode System Configuration
41-8Backing Up a Context Configuration in Flash Memory
41-8Backing Up a Context Configuration within a Context
41-9Copying the Configuration from the Terminal Display
41-9Configuring Auto Update Support
41-9Configuring Communication with an Auto Update Server
41-9Configuring Client Updates as an Auto Update Server
41-11Viewing Auto Update Status
41-12C H A P T E R 42 Monitoring the Security Appliance 42-1
Using SNMP
42-1SNMP Overview
42-1Enabling SNMP
42-3Configuring and Managing Logs
42-5Logging Overview
42-5Logging in Multiple Context Mode
42-5Enabling and Disabling Logging
42-6Enabling Logging to All Configured Output Destinations
42-6Disabling Logging to All Configured Output Destinations
42-6Viewing the Log Configuration
42-6Configuring Log Output Destinations
42-7Sending System Log Messages to a Syslog Server
42-7Sending System Log Messages to the Console Port
42-8Sending System Log Messages to an E-mail Address
42-9Sending System Log Messages to ASDM
42-10Sending System Log Messages to a Telnet or SSH Session
42-11Sending System Log Messages to the Log Buffer
42-12Filtering System Log Messages
42-14Message Filtering Overview
42-15Filtering System Log Messages by Class
42-15Filtering System Log Messages with Custom Message Lists
42-17Customizing the Log Configuration
42-18Customizing the Log Configuration
42-18Configuring the Logging Queue
42-19Contents
Including the Date and Time in System Log Messages
42-19Including the Device ID in System Log Messages
42-19Generating System Log Messages in EMBLEM Format
42-20Disabling a System Log Message
42-20Changing the Severity Level of a System Log Message
42-21Changing the Amount of Internal Flash Memory Available for Logs
42-22Understanding System Log Messages
42-23System Log Message Format
42-23Severity Levels
42-23C H A P T E R 43 Troubleshooting the Security Appliance 43-1
Testing Your Configuration
43-1Enabling ICMP Debug Messages and System Messages
43-1Pinging Security Appliance Interfaces
43-2Pinging Through the Security Appliance
43-4Disabling the Test Configuration
43-5Traceroute
43-6Packet Tracer
43-6Reloading the Security Appliance
43-6Performing Password Recovery
43-6Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance
43-7Password Recovery for the PIX 500 Series Security Appliance
43-8Disabling Password Recovery
43-9Other Troubleshooting Tools
43-10Viewing Debug Messages
43-10Capturing Packets
43-10Viewing the Crash Dump
43-10Common Problems
43-10A P P E N D I X A Feature Licenses and Specifications A-1
Supported Platforms and Feature Licenses
A-1Security Services Module Support
A-10VPN Specifications
A-11Cisco VPN Client Support
A-11Cisco Secure Desktop Support
A-11Site-to-Site VPN Compatibility
A-12Cryptographic Standards
A-12Contents
A P P E N D I X B Sample Configurations B-1
Example 1: Multiple Mode Firewall With Outside Access
B-1Example 1: System Configuration
B-2Example 1: Admin Context Configuration
B-4Example 1: Customer A Context Configuration
B-4Example 1: Customer B Context Configuration
B-4Example 1: Customer C Context Configuration
B-5Example 2: Single Mode Firewall Using Same Security Level
B-6Example 3: Shared Resources for Multiple Contexts
B-8Example 3: System Configuration
B-9Example 3: Admin Context Configuration
B-9Example 3: Department 1 Context Configuration
B-10Example 3: Department 2 Context Configuration
B-11Example 4: Multiple Mode, Transparent Firewall with Outside Access
B-12Example 4: System Configuration
B-13Example 4: Admin Context Configuration
B-14Example 4: Customer A Context Configuration
B-15Example 4: Customer B Context Configuration
B-15Example 4: Customer C Context Configuration
B-16Example 5: WebVPN Configuration
B-16Example 6: IPv6 Configuration
B-18Example 7: Cable-Based Active/Standby Failover (Routed Mode)
B-20Example 8: LAN-Based Active/Standby Failover (Routed Mode)
B-21Example 8: Primary Unit Configuration
B-21Example 8: Secondary Unit Configuration
B-22Example 9: LAN-Based Active/Active Failover (Routed Mode)
B-22Example 9: Primary Unit Configuration
B-23Example 9: Primary System Configuration
B-23Example 9: Primary admin Context Configuration
B-24Example 9: Primary ctx1 Context Configuration
B-25Example 9: Secondary Unit Configuration
B-25Example 10: Cable-Based Active/Standby Failover (Transparent Mode)
B-26Example 11: LAN-Based Active/Standby Failover (Transparent Mode)
B-28Example 11: Primary Unit Configuration
B-28Example 11: Secondary Unit Configuration
B-29Example 12: LAN-Based Active/Active Failover (Transparent Mode)
B-30Example 12: Primary Unit Configuration
B-30Example 12: Primary System Configuration
B-31Contents
Example 12: Primary admin Context Configuration
B-31Example 12: Primary ctx1 Context Configuration
B-32Example 12: Secondary Unit Configuration
B-32Example 14: Dual ISP Support Using Static Route Tracking
B-33Example 14: ASA 5505 Base License
B-34Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup
B-36Example 15: Primary Unit Configuration
B-36Example 15: Secondary Unit Configuration
B-38A P P E N D I X C Using the Command-Line Interface C-1
Firewall Mode and Security Context Mode
C-1Command Modes and Prompts
C-2Syntax Formatting
C-3Abbreviating Commands
C-3Command-Line Editing
C-3Command Completion
C-4Command Help
C-4Filtering show Command Output
C-4Command Output Paging
C-5Adding Comments
C-6Text Configuration Files
C-6How Commands Correspond with Lines in the Text File
C-6Command-Specific Configuration Mode Commands
C-6Automatic Text Entries
C-7Line Order
C-7Commands Not Included in the Text Configuration
C-7Passwords
C-7Multiple Security Context Files
C-7A P P E N D I X D Addresses, Protocols, and Ports D-1