Index
A
AAA
accounting 7-21
authentication
network access 7-2
authorization
downloadable access lists 7-17
network access 7-14
performance 7-1
web clients 7-10
access lists
downloadable 7-17
global access rules 6-2
implicit deny 6-3
inbound 6-3
outbound 6-3
phone proxy 16-7
ActiveX filtering 29-2
AIP
See IPS module
AIP SSC
loading an image 30-24, 31-21, 31-23, 32-14
AIP SSM
about 31-1
loading an image 30-24, 31-21, 31-23, 32-14
application inspection
about 9-1
applying 9-7
configuring 9-7
inspection class map 2-5
inspection policy map 2-4
special actions 2-1
ASA CX module
about 30-1
ASA feature compatibility 30-5
authentication proxy
about 30-5
port 30-17
troubleshooting 30-31
basic settings 30-15
cabling 30-9
configuration 30-8
debugging 30-30
failover 30-7
licensing 30-6
management access 30-4
management defaults 30-8
management IP address 30-14
monitoring 30-25
password reset 30-22
PRSM 30-5
reload 30-22
security policy 30-16
sending traffic to 30-18
shutdown 30-23
traffic flow 30-2
VPN 30-5
asymmetric routing
TCP state bypass 22-4
attacks
DNS HINFO request 28-7
DNS request for all records 28-7
DNS zone transfer 28-7
DNS zone transfer from high port 28-7
fragmented ICMP traffic 28-6
IP fragment 28-4
IP impossible packet 28-4
large ICMP traffic 28-6
ping of death 28-6
proxied RPC request 28-7
statd buffer overflow 28-8
TCP FIN only flags 28-7
TCP NULL flags 28-6
TCP SYN+FIN flags 28-6
UDP bomb 28-7
UDP chargen DoS 28-7
UDP snork 28-7
authentication
FTP 7-4
HTTP 7-3
network access 7-2
Telnet 7-3
web clients 7-10
authorization
downloadable access lists 7-17
network access 7-14
B
basic threat detection
See threat detection
Botnet Traffic Filter
actions 26-2
address categories 26-2
blacklist
adding entries 26-9
description 26-2
blocking traffic manually 26-15
classifying traffic 26-12
configuring 26-7
databases 26-2
default settings 26-6
DNS Reverse Lookup Cache
information about 26-4
using with dynamic database 26-10
DNS snooping 26-10
dropping traffic 26-13
graylist 26-13
dynamic database
enabling use of 26-8
files 26-3
information about 26-2
searching 26-16
updates 26-8
examples 26-19
feature history 26-22
graylist
description 26-2
dropping traffic 26-13
guidelines and limitations 26-6
information about 26-1
licensing 26-6
monitoring 26-17
static database
adding entries 26-9
information about 26-3
syslog messages 26-17
task flow 26-7
threat level
dropping traffic 26-13
whitelist
adding entries 26-9
description 26-2
working overview 26-5
bypassing firewall checks 22-3
C
certificate
Cisco Unified Mobility 18-5
Cisco Unified Presence 19-4
certificates
phone proxy 16-15
required by phone proxy 16-16
Cisco IP Communicator 16-10
Cisco IP Phones, application inspection 11-25
Cisco UMA. See Cisco Unified Mobility.
Cisco Unified Mobility
architecture 18-2
ASA role 14-2, 14-3, 15-2
certificate 18-5
functionality 18-1
NAT and PAT requirements 18-3, 18-4
trust relationship 18-5
Cisco Unified Presence
ASA role 14-2, 14-3, 15-2
configuring the TLS Proxy 19-8
debugging the TLS Proxy 19-14
NAT and PAT requirements 19-2
sample configuration 19-14
trust relationship 19-4
Cisco UP. See Cisco Unified Presence.
class-default class map 1-9
class map
inspection 2-5
Layer 3/4
management traffic 1-14
match commands 1-12, 1-15
through traffic 1-12
configuration examples
CSC SSM 32-17
connection blocking 28-2
connection limits
configuring 22-1
context modes 32-6
CSC SSM
about 32-1
loading an image 30-24, 31-21, 31-23, 32-14
sending traffic to 32-10
what to scan 32-3
CSC SSM feature history 32-19
cut-through proxy
AAA performance 7-1
CX module
about 30-1
ASA feature compatibility 30-5
authentication proxy
about 30-5
port 30-17
troubleshooting 30-31
basic settings 30-15
cabling 30-9
configuration 30-8
debugging 30-30
failover 30-7
licensing 30-6
management access 30-4
management defaults 30-8
management IP address 30-14
monitoring 30-25
password reset 30-22
PRSM 30-5
reload 30-22
security policy 30-16
sending traffic to 30-18
shutdown 30-23
traffic flow 30-2
VPN 30-5
D
default policy 1-8
DHCP
transparent firewall 6-6
DiffServ preservation 23-5
DNS
inspection
about 10-2
managing 10-1
NAT effect on 3-28
DNS HINFO request attack 28-7
DNS request for all records attack 28-7
DNS zone transfer attack 28-7
DNS zone transfer from high port attack 28-7
downloadable access lists
configuring 7-17
converting netmask expressions 7-21
DSCP preservation 23-5
dynamic NAT
about 3-7
network object NAT 4-5
twice NAT 5-7
dynamic PAT
network object NAT 4-7
See also NAT
twice NAT 5-11
E
EIGRP 6-6
EtherType access list
compatibility with extended access lists 6-2
implicit deny 6-3
F
failover
guidelines 32-6
Fibre Channel interfaces
default settings 6-8
filtering
ActiveX 29-2
FTP 29-14
Java applet 29-4
Java applets 29-4
servers supported 29-6
URLs 29-1, 29-7
fragmented ICMP traffic attack 28-6
fragment size 28-2
FTP inspection
about 10-10
configuring 10-10
G
GTP inspection
about 13-3
configuring 13-3
H
H.225 timeouts 11-9
H.245 troubleshooting 11-10
H.323 inspection
about 11-4
configuring 11-3
limitations 11-5
troubleshooting 11-10
HTTP
filtering 29-1
HTTP(S)
filtering 29-7
HTTP inspection
about 10-15
configuring 10-15
I
ICMP
testing connectivity 24-1
identity NAT
about 3-10
network object NAT 4-14
twice NAT 5-21
ILS inspection 12-1
IM 11-19
inbound access lists 6-3
inspection_default class-map 1-9
inspection engines
See application inspection
Instant Messaging inspection 11-19
interfaces
default settings 6-8, 32-6
IP fragment attack 28-4
IP impossible packet attack 28-4
IP overlapping fragments attack 28-5
IP phone
phone proxy provisioning 16-12
IP phones
addressing requirements for phone proxy 16-9
supported for phone proxy 16-3, 17-2
IPSec
anti-replay window 23-13
IPS module
about 31-1
configuration 31-7
operating modes 31-3
sending traffic to 31-18
traffic flow 31-2
virtual sensors 31-16
IP spoofing, preventing 28-1
IP teardrop attack 28-5
J
Java applet filtering 29-4
Java applets, filtering 29-2
L
large ICMP traffic attack 28-6
latency
about 23-1
configuring 23-2, 23-3
reducing 23-9
Layer 3/4
matching multiple policy maps 1-6
LCS Federation Scenario 19-2
LDAP
application inspection 12-1
licenses
Cisco Unified Communications Proxy features 14-4, 17-5, 18-6, 19-7, 20-7
licensing requirements
CSC SSM 32-5
LLQ
See low-latency queue
login
FTP 7-4
low-latency queue
applying 23-2, 23-3
M
management interfaces
default settings 6-8
mapped addresses
guidelines 3-19
match commands
inspection class map 2-4
Layer 3/4 class map 1-12, 1-15
media termination address, criteria 16-6
MGCP inspection
about 11-11
configuring 11-11
mgmt0 interfaces
default settings 6-8
Microsoft Access Proxy 19-1
mixed-mode Cisco UCM cluster, configuring for phone proxy 16-17
MMP inspection 18-1
monitoring
CSC SSM 32-13
MPF
default policy 1-8
examples 1-18
feature directionality 1-3
features 1-2
flows 1-6
matching multiple policy maps 1-6
service policy, applying 1-17
See also class map
See also policy map
MPLS
LDP 6-7
router-id 6-7
TDP 6-7
multi-session PAT 4-16
N
NAT
about 3-1
bidirectional initiation 3-2
DNS 3-28
dynamic
about 3-7
dynamic NAT
network object NAT 4-5
twice NAT 5-7
dynamic PAT
about 3-8
network object NAT 4-7
twice NAT 5-11
identity
about 3-10
identity NAT
network object NAT 4-14
twice NAT 5-21
implementation 3-13
interfaces 3-19
mapped address guidelines 3-19
network object
comparison with twice NAT 3-13
network object NAT
about 3-14
configuring 4-1
dynamic NAT 4-5
dynamic PAT 4-7
examples 4-18
guidelines 4-2
identity NAT 4-14
monitoring 4-17
prerequisites 4-2
static NAT 4-11
no proxy ARP 4-15, 5-20
object
extended PAT 4-7
flat range for PAT 4-7
routed mode 3-11
route lookup 4-15, 5-24
RPC not supported with 12-3
rule order 3-18
static
about 3-3
few-to-many mapping 3-6
many-to-few mapping 3-5, 3-6
one-to-many 3-5
static NAT
network object NAT 4-11
twice NAT 5-18
static with port translation
about 3-4
terminology 3-2
transparent mode 3-11
twice
extended PAT 5-12
flat range for PAT 5-12
twice NAT
about 3-14
comparison with network object NAT 3-13
configuring 5-1
dynamic NAT 5-7
dynamic PAT 5-11
examples 5-25
guidelines 5-2
identity NAT 5-21
monitoring 5-24
prerequisites 5-2
static NAT 5-18
types 3-3
VPN 3-22
VPN client rules 3-18
network object NAT
about 3-14
comparison with twice NAT 3-13
configuring 4-1
dynamic NAT 4-5
dynamic PAT 4-7
examples 4-18
guidelines 4-2
identity NAT 4-14
monitoring 4-17
prerequisites 4-2
static NAT 4-11
non-secure Cisco UCM cluster, configuring phone proxy 16-15
no proxy ARP 5-20
O
object NAT
See network object NAT
outbound access lists 6-3
P
packet trace, enabling 24-7
PAT
per-session and multi-session 4-16
See dynamic PAT
per-session PAT 4-16
phone proxy
access lists 16-7
ASA role 14-3
certificates 16-15
Cisco IP Communicator 16-10
Cisco UCM supported versions 16-3, 17-2
configuring mixed-mode Cisco UCM cluster 16-17
configuring non-secure Cisco UCM cluster 16-15
event recovery 16-42
IP phone addressing 16-9
IP phone provisioning 16-12
IP phones supported 16-3, 17-2
Linksys routers, configuring 16-27
NAT and PAT requirements 16-8
ports 16-7
rate limiting 16-11
required certificates 16-16
sample configurations 16-44
SAST keys 16-42
TLS Proxy on ASA, described 14-3
troubleshooting 16-28
ping
See ICMP
ping of death attack 28-6
policing
flow within a tunnel 23-12
policy, QoS 23-1
policy map
inspection 2-4
Layer 3/4
about 1-1
feature directionality 1-3
flows 1-6
ports
phone proxy 16-7
port translation
about 3-4
prerequisites for use
CSC SSM 32-5
presence_proxy_remotecert 15-15
proxied RPC request attack 28-7
proxy servers
SIP and 11-18
PRSM 30-5
Q
QoS
about 23-1, 23-3
DiffServ preservation 23-5
DSCP preservation 23-5
feature interaction 23-4
policies 23-1
priority queueing
IPSec anti-replay window 23-13
statistics 23-16
token bucket 23-2
traffic shaping
overview 23-4
viewing statistics 23-16
Quality of Service
See QoS
queue, QoS
latency, reducing 23-9
limit 23-2, 23-3
R
RADIUS
downloadable access lists 7-17
network access authentication 7-7
network access authorization 7-17
RAS, H.323 troubleshooting 11-10
rate limiting 23-3
rate limiting, phone proxy 16-11
RealPlayer 11-15
routed mode
NAT 3-11
routing
other protocols 6-5
RTSP inspection
about 11-15
configuring 11-14
S
SAST keys 16-42
SCCP (Skinny) inspection
about 11-25
configuration 11-25
configuring 11-24
service policy
applying 1-17
default 1-17
interface 1-18
SIP inspection
about 11-18
configuring 11-18
instant messaging 11-19
timeouts 11-24
troubleshooting 11-24
SMTP inspection 10-32
SSCs
management access 31-4
management defaults 31-6
management interface 31-13
password reset 31-24, 32-15
reload 31-25, 32-16
reset 31-25, 32-16
routing 31-10
sessioning to 31-13
shutdown 31-23, 32-17
SSMs
loading an image 30-24, 31-21, 31-23, 32-14
management access 31-4
management defaults 31-6
password reset 31-24, 32-15
reload 31-25, 32-16
reset 31-25, 32-16
routing 31-10
sessioning to 31-13
shutdown 31-23, 32-17
Startup Wizard
licensing requirements 15-3
statd buffer overflow attack 28-8
stateful inspection
bypassing 22-3
static NAT
about 3-3
few-to-many mapping 3-6
many-to-few mapping 3-5, 3-6
network object NAT 4-11
twice NAT 5-18
static NAT with port translation
about 3-4
statistics, QoS 23-16
Sun RPC inspection
about 12-3
configuring 12-3
T
TACACS+
network access authorization 7-14
tail drop 23-3
TCP
sequence number randomization
disabling using Modular Policy Framework 22-13
TCP FIN only flags attack 28-7
TCP Intercept
enabling using Modular Policy Framework 22-13
TCP normalization 22-3
TCP NULL flags attack 28-6
TCP state bypass
AAA 22-5
configuring 22-11
failover 22-5
firewall mode 22-5
inspection 22-5
multiple context mode 22-5
NAT 22-5
SSMs and SSCs 22-5
TCP Intercept 22-5
TCP normalization 22-5
unsupported features 22-5
TCP SYN+FIN flags attack 28-6
testing configuration 24-1
threat detection
basic
drop types 27-2
enabling 27-4
overview 27-2
rate intervals 27-2
rate intervals, setting 27-4
statistics, viewing 27-5
system performance 27-3
scanning
attackers, viewing 27-18
default limits, changing 27-17
enabling 27-17
host database 27-15
overview 27-15
shunned hosts, releasing 27-18
shunned hosts, viewing 27-17
shunning attackers 27-17
system performance 27-15
targets, viewing 27-18
scanning statistics
enabling 27-7
system performance 27-6
viewing 27-9
TLS Proxy
applications supported by ASA 14-3
Cisco Unified Presence architecture 19-1
configuring for Cisco Unified Presence 19-8
licenses 14-4, 17-5, 18-6, 19-7, 20-7
token bucket 23-2
traffic shaping
overview 23-4
transmit queue ring limit 23-2, 23-3
transparent firewall
DHCP packets, allowing 6-6
packet handling 6-5
transparent mode
NAT 3-11
troubleshooting
H.323 11-9
H.323 RAS 11-10
phone proxy 16-28
SIP 11-24
Trusted Flow Acceleration
modes 6-7
trust relationship
Cisco Unified Mobility 18-5
Cisco Unified Presence 19-4
twice NAT
about 3-14
comparison with network object NAT 3-13
configuring 5-1
dynamic NAT 5-7
dynamic PAT 5-11
examples 5-25
guidelines 5-2
identity NAT 5-21
monitoring 5-24
prerequisites 5-2
static NAT 5-18
tx-ring-limit 23-2, 23-3
U
UDP
bomb attack 28-7
chargen DoS attack 28-7
snork attack 28-7
URLs
filtering 29-1
filtering, about 29-7
filtering, configuration 29-11
V
viewing QoS statistics 23-16
virtual HTTP 7-3
virtual sensors 31-16
VoIP
proxy servers 11-18
troubleshooting 11-9
VPN client
NAT rules 3-18
W
web clients, secure authentication 7-10