Configuration Guide
Page 179
...8226; To configure a DHCP option that you can configure the FWSM to RFC 2132. For example, you provide match the expected type and value for the DHCP options listed in RFC 2132. The DHCP options fall into one or two IP addresses, enter... DHCP Options Option Code 0 1 12 50 51 Description DHCPOPT_PAD DHCPOPT_SUBNET_MASK DHCPOPT_HOST_NAME DHCPOPT_REQUESTED_ADDRESS DHCPOPT_LEASE_TIME OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 8-37 Table 8-1 shows the DHCP options that return a hexadecimal value. Chapter...
Configuration Guide
Page 180
... download their requests, which sets the default route. Cisco IP Phones might include both options in RFC 2132. Configuring DHCP Chapter 8 Configuring IP Routing and DHCP Services Table 8-1 Unsupported DHCP Options Option Code 52 53 54 58 59 61 67 82 255 ... the administration of one or two TFTP servers for more information about configuring those options. See the "Using Cisco IP Phones with small branch offices that include an option number as specified in RFC 2132, enter the following command: hostname(config)# dhcpd option number value • To provide the IP address or...
Configuration Guide
Page 192
...from 1 to 600 seconds. By default, router query messages are used for sending router query messages. To change this value, enter the following RFCs from 10 to 3600 seconds. For More Information About Multicast Routing Chapter 9 Configuring Multicast Routing hostname(config)# pim accept-register {list acl | ... elect the PIM DR. The PIM DR is responsible for implementing the SMR feature: • RFC 2236 IGMPv2 • RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.txt Catalyst 6500 ...
Configuration Guide
Page 208
...given service is either permitted or denied by RADIUS vendor ID 3076. • Microsoft VSAs, defined in RFC 2868. • Cisco IOS VSAs, identified by RADIUS vendor ID 9. • Cisco VPN-related VSAs, identified by the access list. TACACS+ Server Support The security appliance supports TACACS+ ... password management when the RADIUS server communicates with ASCII, PAP, CHAP, and MS-CHAPv1. 11-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using dynamic access lists or access list names per user. When your password expires...
Configuration Guide
Page 236
...letters so the name is added to each type (extended and EtherType) to the end of the access list. See RFC 1700, "Assigned Numbers," at http://www.ietf.org/rfc/rfc1700.txt for a given access list name, the ACE is easy to name the access list for the interface (for...hostname(config)# access-list ETHER ethertype permit mpls-unicast hostname(config)# access-group ETHER in interface outside 13-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 When you allow MPLS, ensure that can be identified by configuring ...
Configuration Guide
Page 414
... Unicast RPF, enter the following command: hostname(config)# ip verify reverse-path interface interface_name 21-14 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using an existing state maintained as part of -order packets that you enable Unicast ... forward the packet. Unicast RPF instructs the FWSM to also look at the destination address when determining where to the routing table. See RFC 2267 for FWSM. If traffic enters the outside interface as follows: • ICMP packets have sessions, so the initial packet requires ...
Configuration Guide
Page 420
...also notes any NAT limitations. Table 22-1 Application1 CTIQBE DCERPC Supported Application Inspection Engines Default Port NAT Limitations TCP/2748 - RFC 1123 No NAT support is enabled for a protocol and another application utilizes the same port as appropriate. Default maximum packet length...the well known ports 2427 and 2727. • When application inspection is 512 bytes. 22-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the translated port numbers. Inspection Engine Overview Chapter 22 Applying Application Layer ...
Configuration Guide
Page 421
...-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 22-5 UDP (RAS) No static PAT. 1718-1719 TCP/80 - No outside NAT. No NAT on same security UDP/1718 interfaces. No WINS support. RFC 2326, 2327, No handling for.../389 No PAT. UDP/5060 No NAT on same security interfaces. SKINNY (SCCP) TCP/2000 No outside NAT. SMTP TCP/25 - Standards2 RFC 821, 1123 RFC 959 - Comments - Default FTP inspection does not enforce compliance with the strict keyword. If the MTU is matched in the default class map...
Configuration Guide
Page 422
...does not enforce compliance on an interface. 22-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 TCP/111 Payload not NATed. RFC 1530 - XDCMP UDP/177 No NAT or PAT. - - 1. Identifying ...Inspection Engines (continued) Application1 Default Port NAT Limitations Standards2 Comments SNMP UDP/161, No NAT or PAT. 162 RFC 1155, 1157, v.2 RFC 1902-1908; The default policy configuration includes the following commands: class-map inspection_default match default-inspection-traffic policy-map...
Configuration Guide
Page 446
... Protocol Inspection FTP Inspection This section describes how the FTP inspection engine works and how you disable FTP inspection engines with FTP RFCs. 22-30 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 Ports for FTP data transfer. Using the strict...
Configuration Guide
Page 447
... from the server. As port numbers in FTP map configuration mode; Disallows the command that map when you can disallow by the RFC. Disallows the client command for FTP traffic through the FWSM. Disallows the command that changes to make use of the current working ...directory. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the request-command deny command. . Disallows the command that makes a directory on the...
Configuration Guide
Page 450
... IP address, NAT address, and the file operation are logged. • Audit record 201005 is the policy map you configured in RFC 959. 22-34 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 In conjunction with NAT, the FTP application inspection...
Configuration Guide
Page 476
...enhanced HTTP inspection feature, which is also known as the inspection policy map remains enabled. 22-60 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using HTTP messages for circumventing network security policy. For more information about filtering, ...disables the filter url command. You can then apply the inspection policy map when you enable HTTP inspection according to RFC 2616 • Use of RFC-defined methods only. • Compliance with the filter command. You can change its configuration. HTTP Inspection Chapter 22...
Configuration Guide
Page 489
...Firewall Services Module Command Reference. For information about PPTP inspection, see the inspect netbios command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference. The FWSM parses SETUP response messages with the inspect rtsp command, available in policy map... page 22-74 RTSP Inspection Overview You control RTSP application inspection with a status code of 200. Note For Cisco IP/TV, use the well-known port 554 with RFC 2326. This TCP control channel is used to negotiate the data channels that is used by default. If the...
Configuration Guide
Page 490
...to properly configure transport mode. hostname(config)# access-list acl-name any any tcp eq port_number 22-74 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using RealPlayer, it is important to recognize HTTP cloaking, which hides RTSP messages in ...the SDP files as follows. RTSP Inspection Chapter 22 Applying Application Layer Protocol Inspection Because RFC 2326 does not require that the client and server ports must be fragmented and FWSM cannot perform NAT on fragmented packets. • ...
Configuration Guide
Page 492
...when using PAT with SIP: • If a remote endpoint tries to the proxy server. 22-76 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 The port is configured for the media stream. SIP and ...-78 • Configuring a SIP Inspection Policy Map for the media. This section includes the following RFCs. • SIP: Session Initiation Protocol, RFC 2543 • SDP: Session Description Protocol, RFC 2327 Supporting SIP calls through the FWSM requires inspection of the IP packet and SIP inspection applies NAT...
Configuration Guide
Page 493
... in the SIP protocol, which does not provide a port value in the o= field. It dynamically opens media connections for Instant Messaging, RFC 3428 MESSAGE/INFO requests can be used to go through the SIP inspection engine. These indices identify the call to an outside interface to ...not be NATed. RTC Client 5.0 is different than port 5060, they are not supported. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using Windows Messenger RTC Client version 4.7.0105 only. This is received from the called endpoint in...
Configuration Guide
Page 497
... header, you must configure the service resetinbound command in the SIP messages according to RFC 3261, enter the following example shows how to disable instant messaging over SIP: OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the well-known SIP signaling port...
Configuration Guide
Page 511
...SMTP application inspection controls and reduces the commands that the user can use as well as enabled by " For more information, see RFC 821. The pipeline character (|) is generated when invalid character embedded in fast path processing; The inspect esmtp command supports those seven ... processor on one of the mail. Chapter 22 Applying Application Layer Protocol Inspection SMTP and Extended SMTP Inspection The inspect smtp command supports seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET). therefore, it occurs on the FWSM. ESMTP application inspection, as...
Configuration Guide
Page 688
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM E-2 OL-20748-01 In Example 1, for multicast IP. • Class A addresses (1.xxx.xxx.xxx through ... Class C. Example 1: If you can write a subnet mask as a dotted-decimal mask or as private networks that the Internet Assigned Numbers Authority (IANA) recommends (see RFC 1918). Each class fixes the boundary between the network prefix and the host number at a different point within the 32-bit address. You can use...