Symbols & Numerics (book index, ptgmedia.pearsoncmg.com/images/1587051893/index/...)
INDEX

Symbols & Numerics

*.rtr files, displaying output, 991
.evt files, 887
50 percent rule, 148
802.1x
  FAQs, 582–584
  statistics, displaying, 555–557

A

AAA (Authentication, Authorization, and Accounting)
  architectural components, 420
  authentication, testing on VPN 3K, 593–594
  authorization, troubleshooting on Cisco switches, 570–574
  Auth-proxy, troubleshooting on Cisco routers, 457
  communication protocols
    RADIUS, 425–427
    TACACS+, 421–424
  configuring, best practices, 474
  debug commands, 430–431
  dial-up networking, troubleshooting on Cisco routers, 446–449, 452–457
  FAQs, 472–474
  on Cisco routers
    accounting, configuring, 445
    command authorization, troubleshooting, 443–445
    exec authorization, troubleshooting, 440–443
    troubleshooting, 432–440
    VPDN case study, 458–462
  on Cisco switches
    802.1x, FAQs, 582–584
    IBNS, 566–570
    IBNSs, 541–545
    switch management, 541, 558–566
  on VPN 3K
    FAQs, 611–612
    session timeouts, avoiding, 593
    troubleshooting, 587
  show commands, 429
  X-Auth, troubleshooting on Cisco routers, 457
access lists. See ACLs
Access-Accept messages (RADIUS), 427
Access-Challenge messages (RADIUS), 427
accessing
  IDM sensor, 888
  NM-CIDS console, 839
Access-Reject messages (RADIUS), 427
accounting
  configuring on Cisco routers, 445
  on Cisco switches, 565
  troubleshooting on Cisco switches, 566
ACL Partition Manager (FWSM), 168–169
ACLs. See also VACLs
  Conduit to Access-list Converter, 53
  downloadable, 652
    PIX/IP ACLs, syntax, 606
    troubleshooting, 654–655
  effect on CBAC performance, 209
  enabling/disabling on PIX Firewall, 35
  established keyword, 180
  implementing on PIX Firewalls, 34
  IPS sensor blocking, 734–735
  limitations of, 177
  misconfigured, troubleshooting on CBAC, 202
  on FWSM
    ACL Partition Manager, 168–169
    compilation process, 170–172
    memory utilization, 164–166
  outbound, applying on PIX Firewall, 35–36
  performance impact on PIX Firewall, 101
  Reflexive, 180
  time-range keyword, 34–35
  wide holes, 181
acquiring CSAgent software, 997–998
ACS. See CS ACS (Cisco Secure Access Control Server)
activating
  syslog on Cisco routers, 193
  URL filtering, 186
activation keys for PIX Firewall, 56

Active FTP connections, handling with CBAC, 180–181
active/active mode (PIX Firewall), 102
  configuring, 105–106
active/standby mode (PIX Firewall), 102
activities
  Router MC, dangling connections, 968
  unlocking with Firewall MC, 941
AD (Active Directory), CS ACS integration, 627–629
adding
  devices to device table, 1052
  trusted hosts to sensors, 890–892
Administer Sessions window (VPN 3000 Concentrator series), 352
agent kits (CSA Agent), generating, 997–998
aggressive mode negotiation, 231–232
AH (Authentication Header), 226
alert database, backing up, 1073
Alert Inserter, 1044
alerts, configuring, 192–193
AnalysisEngine, 678
Analyzer daemon, 1055
analyzing MDCSupport file contents, 886–887
anti-spoofing, CBAC configuration best practices, 219
anti-virus software, creating buffer overflow exclusions, 1018–1020
Apache certificate
  regenerating, 897
  trusted host issues, resolving on IDS MC, 897–898
  verifying on IDS MC, 896
APIs, IDAPI, 678
application issues, troubleshooting on CSAgent, 1016
application partition (NM-CIDS)
  re-imaging, 854–857
  recovering, 708–709
application-layer protocols, traffic inspection, 183
  SMTP, 184
applications comprising IPS software
  AnalysisEngine, 678
  CLI, 678
  MainApp, 677–678
application-specific roles (ACS), 975
application-to-port mappings, modifying, 188–189
architectural components of AAA, 420
archive files, redirecting away from Database Disk, 1063
arguments
  for csutil.exe, 655–656
  for show crypto ipsec command, 299
ARP spoofing, 80
ASA (Adaptive Security Algorithm), characteristics of, 29–30
assigning
  IP address to IDS-Sensor interface, 839
  privilege levels to VPN 3K users, 592
asymmetric cryptographic algorithms, 224
asymmetric routing
  PIX Firewall support, 106
  troubleshooting on CBAC, 205
attributes (VPN 3K), 589
audit reports (IDS MC), 885
audits, configuring, 193
AUS authentication
  with Firewall MC, troubleshooting, 940
  with firewalls, troubleshooting, 940–941
authentication, 592
  AAA on VPN 3K, FAQs, 611–612
  on Firewall MC firewalls, troubleshooting, 939
  on Firewall MC with AUS, troubleshooting, 940
  on Router MC, troubleshooting, 967
  on VPN 3K, causes of failure, 607–608
  PEAP configuration case study, 574–576, 580
  testing, 593–594
authentication server (IEEE 802.1x framework), 543
authenticator, 542
authorization
  configuring on Cisco switches, 564–565
  NARs, 648
    configuring, 648, 651
    troubleshooting, 651–652
  troubleshooting on Cisco switches, 565, 570–574
Authorization cache, 212
auth-proxy, 177
  authentication methods, 212
  configuring, 213–215
  on Cisco routers, troubleshooting, 457
  operation, 212

  supported Cisco router platforms, 213
  troubleshooting, 216–217
avoiding AAA session timeouts on VPN 3K, 593

B

backing up data
  alert database, 1073
  CiscoWorks Common Services, 874–875
  command syntax, 656
  CS ACS, 665
  CSA MC database, 1023–1024
  IPS sensor configuration, 782–783
  Router MC database, 972
backup files, redirecting away from Database Disk, 1063
backup/restore operations, troubleshooting on Router MC, 973
base group attributes (VPN 3K), 589
baselining, importance of, 6
best practices
  for AAA configuration, 474
  for CBAC
    anti-spoofing configuration, 219
    router security, 218–219
  for CiscoWorks Common Services management, 881
  for CS ACS Server, 670–671
  for CSA MC installation, 1036
  for IDS MC configuration, 929
  for IDSM-2 blade implementation, 829
  for implementing AAA on VPN 3K, 612
  for IPS deployment, 781–785
  for protecting PIX Firewall, 110–111
  for Security Monitor operation, 1077
Bidirectional replication, 647
BIN directory (CSA MC), 985
blat, 1070
blocking issues on IPS sensors
  ACLs, 734–735
  configuring, 737–740
  for specific signatures, troubleshooting, 753
  implementing, 736–737
  MBS, 737, 741–743
  supported managed devices and versions, 735
  verifying blocking processes, 923–924
blocking forwarding sensor, 737
blue screen, troubleshooting, 990
browsers. See web browsers
buffer overflow exclusions, creating, 1018–1020
Bugs Tracker, 54
bulk importing NASs, 667
Bypass mode (IPS sensor), 682

C

capture command, 47–49
capturing
  debug command output, 199
  IPS traffic
    on MPLS IP IDS, 776–777
    on RSPAN, 773–775
    on SPAN, 763–770
    on VACL, 775–776
    on hub, 763
  packets on FWSM, 123–124
  sniffer traces, 199
"cascade" replication, 645
case studies
  Hairpinning, configuring, 335–337
  PEAP configuration, 574–576, 580
  RADIUS configuration on Cisco IOS routers, 462–463
  troubleshooting VPDN on Cisco IOS routers, 464–472
  user permissions on Router MC, 974
    ACS roles, 975, 978
    CiscoWorks Server roles, 975
  VPDN configuration on Cisco IOS routers, 458–462
Catalyst 2900/3500XL switches, configuring IPS traffic capture with SPAN, 765–767
Catalyst 2900/3600XL switches, configuring SPAN, 765–767
Catalyst 2950 switches, configuring IPS traffic capture with SPAN, 767–770
Catalyst 2950/3550 and 3750 switches, configuring SPAN, 767–770
Catalyst 3550 switches, configuring IPS traffic capture with SPAN, 767–770
Catalyst 3750 switches, configuring IPS traffic capture with SPAN, 767–770
Catalyst 4000/6000 switches running CatOS, configuring SPAN, 770–771

Catalyst 4000/6000 switches running Native IOS, configuring SPAN, 771–772
Catalyst 6500, IDSM-2 blade
  Command and Control port, configuring, 801–805
  event generation, troubleshooting, 817–818
  front panel indicator lights, 789
  hardware issues on CatOS, troubleshooting, 797–800
  hardware issues on Native IOS, troubleshooting, 793–797
  hardware requirements, 788
  installing, 789
  Maintenance Partition, upgrading, 823–824
  Promiscuous mode
    configuring, 805–813
    troubleshooting, 814–816
  re-imaging, 818–823
  removing from switch, 790
  serial cable, connecting, 826
  signature update, installing, 824–825
  slot assignment, 788
  sniffing ports, 791
  supported ports, 790
  TCP reset, 818
  upgrading to version 5.x, 826
  user passwords, recovering, 827–829
  VACL Capture, 827
  versus IDS Appliance, 787
categorizing CS ACS problem areas, 625
CatOS, Native IOS show commands, 792
CBAC (Context-Based Access Control), 177
  Active FTP connections, handling, 180–181
  anti-spoofing configuration, best practices, 219
  asymmetric routing, troubleshooting, 205
  Cisco IOS code base, upgrading, 209
  connection states, 194–195
  connectivity, troubleshooting, 201–203
  CPU utilization, verifying, 205–206
  FAQs, 217–218
  half-open connections, manipulating threshold values, 208
  HTTP inspection, verifying dropped packets, 208
  interaction with IPsec, 193
  interoperability with NAT, 188
  IP fragmentation, mitigating, 191
  Java blocking, configuring, 184
  misconfigured ACLs, troubleshooting, 202
  misconfigured IP inspection, troubleshooting, 203
  misconfigured NAT, troubleshooting, 202
  multi-channel protocols
    inspecting, 187, 205
    securing, 180
  packet drops, troubleshooting, 210
  packet flow across routers, 196
  performance, troubleshooting, 205–210
  protecting inside network, 179–180
  router security configuration, best practices, 218–219
  single channel protocol inspection, 182
    application-layer protocols, 183
    ICMP, 182
    SMTP, 184
    UDP, 182
  switching path, troubleshooting performance issues, 209
  TCP SYN flood attacks, mitigating, 189–191
  troubleshooting, 199
  UDP connection timeout, selecting, 207–208
  UDP inspection, troubleshooting, 203–205
  URL filtering
    configuring, 185–187
    troubleshooting, 211
CEP (Certificate Enrollment Protocol), PKI
  configuring, 258–261
  troubleshooting, 261–265
CFG directory (CSA MC), 985
challenge-response-based authentication, 546
changing database maximum event limit, 1066
check pointing CiscoWorks Common Services database, 951
checking status of Firewall MC processes, 931
CIDEE (Cisco Intrusion Detection Event Exchange), 679–680
CIFS access, configuring on VPN 3000 Concentrator series, 394
circular blocks, 737
Cisco AV-Pairs, 653

Cisco IOS routers
  AAA
    accounting, configuring, 445
    Auth-proxy, troubleshooting, 457
    command authorization, 443–445
    dial-up networking, troubleshooting, 446–457
    exec authorization, 440–443
    router management, troubleshooting, 432–440
    VPDN case study, 458–462
    X-Auth, troubleshooting, 457
  IPsec VPNs
    PKI, troubleshooting, 258–265
    Remote Access client VPN connections, troubleshooting, 265–270
  NM-CIDS, managing, 848–849
  RADIUS configuration, case study, 462–463
  VPDN troubleshooting, case study, 464–472
  VPNs, DMVPN, 270–280
Cisco IOS Software, upgrading code base on CBAC routers, 209
Cisco PIX firewalls. See PIX firewalls
Cisco Secure ACS mode (CiscoWorks Common Services), 862
Cisco Security Agent Management Center (CSA MC) license key, 865
Cisco switches
  AAA
    802.1x FAQs, 582–584
    authorization, troubleshooting, 570–574
    IBNS, 566–570
    PEAP configuration, case study, 574–580
    switch management, 541, 558–566
  IBNSs, 541–542
  IEEE 802.1x framework, 542–545
CiscoWorks Common Services
  database, backing up, 874–875
  FAQs, 877–881
  installing, 870–871
    database management, 873
    minimum requirements, 870
    problems, troubleshooting, 871–873
    user management issues, 873
  license key, upgrading, 868
  licenses, troubleshooting, 869
  managing, best practices, 881
  MDCSUPPORT, 863
    files collected by, 864
  MDCSupportInformation.zip file, file summary, 864
  Privileges, 862
  resolving DNS errors, 1048
  restore procedures, 875–876, 950
  Roles, 862
  running on multi-homed machines, 879
  user authentication, case study, 876–877
  user management, 862
CiscoWorks Common Services Desktop, launching on browser, 861
CiscoWorks MDCSupportInformation.zip, file contents, 933
classifier, 84
clear crypto sa command, 238
CLI (command-line interface), 678
  IPS sensors, licensing, 719–720
clientless SSL VPN mode (VPN 3000 Concentrator series)
  configuring, 390
  troubleshooting, 391–395
closing NM-CIDS sessions, 843
cluster redundancy on VPN 3000 Concentrator series, 412–414
collecting MDCSupport file on Windows platform, 886
combined sensor mode (IPS), 683
Command and Control port
  on IDSM-2
    5-minute output rate, checking, 803–805
    configuring, 801–803
  on NM-CIDS, 834
    configuring, 844–845
command authorization, troubleshooting on Cisco routers, 443–445
commands
  capture, 47–49
  clear crypto sa, 238
  debug, 300
  debug aaa accounting, 430
  debug aaa authentication, 430
  debug aaa authorization, 430
  debug application-protocol, 47
  debug commands, FWSM-related, 122–123
  debug fixup tcp|udp, 47
  debug icmp trace, 46–47
  debug ip inspect, 197–198

  debug pix process, 47
  debug sanity, 24
  debug tunnel, 257–258
  diagnostic level complete, 795
  for PIX flash file system, 33
  intrusion-detection module, 808
  ip port-map, 189
  iplog, 691
  nslookup, 19
  packet, 692
  ping, 17
  recover application-partition, 709
  service-module, connecting to NM-CIDS, 840
  show authorization, 554
  show aaa servers, 430
  show aaa user, 430
  show accounting, 554
  show asp drop, 41–42
  show blocks, 43
  show commands
    for IPsec Phase 1 tunnel negotiations, 233–235
    for IPsec Phase 2 tunnel negotiations, 235–236
    FWSM-related, 120–122
  show configuration, 687
  show connection, 40
  show cpu usage, 42
  show crypto ipsec, 299–300
  show crypto map, 237
  show dot1x all, 556
  show dot1x statistics, 557
  show events, 687
  show interfaces, 689
  show ip inspect, 194–195
  show local-host, 40–41
  show localusers, 552
  show module, 791
  show output filters, 44–45
  show radius, 553
  show radius statistics, 430
  show running config, 15, 300
  show running logging, 52
  show security acl, 792
  show service-policy, 41, 94
  show span, 792
  show statistics, 687–688
  show tacacs, 430, 553
  show tech-support, 45, 689
  show test, 792
  show traffic, 42
  show trunk, 792
  show users, 430
  show version, 15, 200, 686–690, 791
  show vlan brief, 558
  show xlate, 39–40
  tcpdump, 690
  telnet, 18
  time-range, 34–35
  traceroute, 18
  winmsd, 988
common services license key, 865
commonly asked questions. See FAQs
communication architecture
  for CSA MC, 986
  of Firewall MC, 932
  of Router MC, 960
  on IDS MC, 884–885
communication protocols, 678–681
  RADIUS, 425–426
    authentication operation, 426–427
    authorization operation, 426–427
    configuring, case study, 462–463
  TACACS+, 421
    AAA packet flows, 423
    accounting operation, 424
    authentication operation, 422–423
    authorization operation, 424
    versus RADIUS, 428–429
compacting
  CiscoWorks Common Services database, 952–953
  CS ACS database, 660
  CSA MC database, 1029–1031
comparing RADIUS and TACACS+, 428–429
compilation process for ACLs on FWSM, 170–172
components of CSA, 983, 985
Conduit to Access-list Converter, 53
configuration files
  for VPN 3000 Concentrator series, 354
  sysvars.cf, 991

configuring
  AAA
    best practices, 474
    on Cisco switches, enable password authentication, 563
  accounting
    on Cisco IOS routers, 445
    on Cisco switches, 565
  active/active failover on PIX Firewall, 105–106
  alerts, 192–193
  audits, 193
  auth-proxy, 213–215
  basic router security, best practices, 218–219
  blocking, 737–743
  CBAC anti-spoofing, best practices, 219
  clientless SSL VPN mode on VPN 3000 Concentrator series, 390
  Command and Control interface (NM-CIDS), 844–845
  connectivity
    on FWSM, 135–139
    on PIX Firewall, 69–72
  CS ACS
    AAA Client definition for VPN 3K, 609
    domain controller mode, 628
    replication, 640, 644–647
  email notification, 1068–1070
  Firewall MC, Recovery Server, 953–954
  FWSM
    failover, 149–155
    multiple SVI interfaces, 157, 161–162
  GRE over IPsec, 256–257
  Hairpinning, 335–337
  IDM sensors, trusted hosts, 889–890
  IDS MC, best practices, 929
  IDSM-2
    Command and Control port, 801–805
    Promiscuous mode, 805–813
  IPS sensor, Inline mode, 757–762
  IPsec LAN-to-LAN VPN tunnels, 302, 305–308
    crypto maps, creating, 305–306
    transform sets, 304
    tunnel groups, 305
  IPsec over TCP, 339
  Java blocking, 184
  LAN-to-LAN tunnels on VPN 3000 Concentrator series, 356
  LLQ on PIX Firewall, 93–94
  local user authentication on VPN 3K, 597–599
  login authentication, 559–560
  MAPI Proxy on VPN 3000 Concentrator, 399–400
  MBS, 741–743
  MPLS IP IDS, IPS traffic capture, 776–777
  NARs, 648, 651
  NAT-T, 338–339
  NDS database with CS ACS, 630
    troubleshooting, 631–636
  NM-CIDS, time stamping, 857–858
  packet capturing on NM-CIDS, 846–848
  PEAP
    case study, 574–576, 580
    Machine Authentication, 567–570
  PIX Firewall
    multiple context mode, 87–90
    policing, 90–92
    Remote Access VPN, 323–327
  PKI, 258–261
  RADIUS
    dynamic filters, 604
    on Cisco IOS routers, case study, 462–463
  Remote Access VPN connections on VPN 3000 Concentrator series, 364–365
  RSPAN, IPS traffic capture, 773–775
  sensors
    on IDS MC, 906
    shunning, case study, 920–925
  SPAN
    IPS traffic capture, 763–770
    on Catalyst 2900/3600XL, 765–767
    on Catalyst 2950/3550 and 3750, 767–770
    on Catalyst 4000/6000 running CatOS, 770–771
    on Catalyst 4000/6000 running Native IOS, 771–772
  Split Tunneling, 342–344
  SSL VPN on VPN 3000 Concentrator, Thick Client mode, 402–403
  syslog on PIX Firewall, 50–53
  TACACS+ on VPN 3K, 590–592
  traceback on PIX Firewall, 53

  transparent firewalls, 193
    on PIX Firewall, 79–82
  URL filtering, 185–187
  VACL, IPS traffic capture, 775–776
  VPN 3000 Concentrator series
    Cisco Secure ACS, 590–591
    event classes, 348
    group authentication with RADIUS, 599–600
    Group feature, 608
    Group Lock feature, 601
    local group and user authentication, 595
    RADIUS Server, 609
    Windows NT/2000 Authentication, Unknown User Policy, 609–610
connecting
  IPS sensor to network, 784
  serial cable to IDSM-2, 826
  to NM-CIDS console, 840–842
connection block, 734
connection states, CBAC, 194–195
connectivity
  on CBAC, troubleshooting, 201–203
  on FWSM
    configuring, 135–139
    troubleshooting, 134, 139–142
  on IPS sensors, troubleshooting, 720–725
  on PIX Firewall
    configuring, 69–72
    displaying details, 40
    troubleshooting, 72–76
  testing with ping command, 17
console access to NM-CIDS, troubleshooting, 843–844
console port (NM-CIDS), 835
Context-Based Access Control. See CBAC
CONTINUE packets (TACACS+), 422
control connection, 181
cooperation between SecOP and NetOP personnel, 7
core dumps
  generating, 22
    with Flash disk, 23
    with FTP, 22
    with rcp, 23
    with TFTP, 22
  testing configuration of, 24
corrupt IDS MC licenses, troubleshooting, 904
CP (control plane), FWSM architecture, 113–114
CPU utilization
  on CBAC, verifying, 205–206
  on FWSM, troubleshooting, 143
  on PIX Firewall
    displaying, 42
    troubleshooting, 95–98
Cr directory (CSA MC), 986
creating
  buffer overflow exclusions, 1018–1020
  crypto maps for LAN-to-LAN tunnels, 305–306
  database rules, 1064
  DMVPN spoke-to-spoke tunnels, 275
  dump text files, 657
  dynamic crypto maps, 327
  exceptions, 1016
  securitylog.txt file, 991
  transform sets, 304
CRSHDUMP.TXT file, 354
Crypto Errors (CS ACS), resolving, 661
crypto maps, creating for LAN-to-LAN tunnels, 305–306
crypto socket creation problems (NHRP), troubleshooting, 279
cryptographic algorithms, 224
cryptographic-based authentication (EAP), 546
CS ACS (Cisco Secure Access Control Server)
  AAA Client definition for VPN 3K, configuring, 609
  Active Directory integration, 627–629
  application-specific roles, 975
  as proxy server, 665
  associated registries, 663
  backing up, 665
  best practices, 670–671
  categorizing problem areas, 625
  configuring, 590–591
  FAQs, 661–670
  database, compacting, 660
  default NAS, adding, 663
  domain controller mode, configuring, 628
  domain stripping, 665
  external user database integration, required components, 620
  GUI, recovering lost passwords, 663
  installing on Windows platform, 625–627
  "Logged in Users" report, 668

  NARs, 648
    configuring, 648, 651
    troubleshooting, 651–652
  NASs, bulk importing, 667
  Novell NDS integration, 630
    troubleshooting, 631–636
  packet flow, 619–620
  password encryption, 668
  RADIUS Server, communicating with VPN 3K, 597–599
  replication
    configuring, 640, 644
    troubleshooting, 644–647
  SDI integration, 636–638
    troubleshooting, 638–639
  services, CSAdmin, 615–616
  setup procedures for Router MC, 979–980
  Shared File Components, 653–654
  uninstalling, 661
  upgrading on Windows platform, 625–626
  user/NAS import options, 658
    exporting user and group information, 660
    importing NAS to CS ACS database, 659
    importing users to existing database, 658
  user names, defining, 980
  users, deleting, 659
CSA Agent, 983
  application issues, troubleshooting, 1016
  communication with CSA MC, troubleshooting, 1014–1015
  csainfo.bat utility, 989
  debug mode, turning on, 989–991
  disk usage, monitoring, 992
  installation
    minimum requirements, 998–999
    troubleshooting, 997, 1001
  license, procuring, 1007
  log files, 988–992
  policies, 987
  polling issues, troubleshooting, 1014–1015
  registration, troubleshooting, 1014–1015
  removing from Windows systems, 999–1000
  rtrformat utility, 990
  shims, disabling, 1016–1017
  software, procuring, 997–998
  stopping service, 991
  update issues, troubleshooting, 1004–1005
CSA MC (Cisco Security Agent Management Console), 983
  communication architecture, 986
  database
    compacting, 1029–1031
    manual backups, performing, 1023–1024
    purging events from, 1028–1029
    repairing, 1031–1032
    restoring, 1025–1027
  database maintenance, 1023
  default installation directory, 985
  directory structure, 985–986
  disaster recovery, 1036–1037
  DRP, 1023
  installation
    best practices, 1036
    minimum requirements, 995
    troubleshooting, 993
  launching
    problems with, troubleshooting, 1010–1013
    slow launches, troubleshooting, 1013–1014
  license key, installing, 869
  licenses, 1005–1006
    importing, 1007–1008
    procuring, 1007
    troubleshooting, 1009–1010
  local database installation, troubleshooting, 994
  log directory, 988
  log files, 987
  management model, 983–985
  manually removing components, 996–997
  registration, 868
  remote database installation, troubleshooting, 994
  uninstalling, 995
  upgrading, 1002
    on same system, 1002–1003
    on separate system, 1003–1004
CSAdmin, 615–616
csainfo.bat utility, 989
csalog.txt file, 989
csauser.dll, disabling, 1018
CSAuth, 616
CSDBSync, 616
CSLog, 616

CSMon, 616–617
CSRadius service, 618
CSSupport utility, files included in Package.cab file, 622–624
CSTacacs service, 618
csutil.exe, 655, 658
  options, 655–656

D

daemons
  Analyzer, 1055
  Notifier, 1055
daily alarm reports, scheduling, 1073
dangling connections on Router MC, 968
data connection, 181
data not passing through IPsec LAN-to-LAN VPN tunnels, troubleshooting, 322–323
databases
  backing up, command syntax, 656
  CiscoWorks Common Services, 873
    backing up, 874–875
    check pointing, 951
    compacting, 952–953
    restoring, 875–876, 950
  compacting, 660, 1068
  CSA MC database
    compacting, 1029–1031
    purging events, 1028–1029
    repairing, 1031–1032
    restoring database, 1025–1027
  disk utilization, monitoring, 1066
  DRP, 1023
  maximum event limit, changing, 1066
  pruning issues, troubleshooting, 1067–1068
  restoring, 657
  Router MC
    backing up, 972
    restoring, 973
  rules, creating, 1064
DB directory (CSA MC), 986
debug aaa accounting command, 430
debug aaa authentication command, 430
debug aaa authorization command, 430
debug application-protocol command, 47
debug commands, 195, 197, 300
  FWSM-related, 122–123
  guidelines for using, 16
  output, capturing, 199
debug fixup tcp|udp command, 47
debug icmp trace command, 46–47
debug information
  on Firewall MC, viewing, 932
  on Router MC, 961–962
debug ip inspect command, 197–198
debug logging level (Router MC), 961
debug mode (CSA Agent), turning on, 989
debug pix process command, 47
debug sanity command, 24
debug tunnel command, 257–258
debugging
  IDS MC, 887–888
  turning off, 555
decryption, 223
default event limit (database), changing, 1066
default installation directory for CSA MC, 985
defining
  tunnel groups for LAN-to-LAN tunnels, 305
  usernames in ACS, 980
deleting
  CS ACS users, 659
  users in multiple groups, 669
deployed jobs, stopping, 942
deploying
  device configurations from Firewall MC, 947
  device configurations from Router MC, 970–971
  IDS MC configuration, 917–920
deployment architecture of IPS, 676–677
destination ports, 764
detecting IOS Firewall feature set, 200
device groups, defining in ACS, 980
devices
  adding to device table, 1052
  configuration files
    deploying, 947
    importing, 943–946, 969–970
  flow rates, monitoring, 1064–1065
diagnostic commands, show ip inspect, 194–195
diagnostic level complete command, 795
dial-up networking on Cisco routers
  accounting, 457
  troubleshooting, 446–456

Digital Certificates
  on VPN 3000 Concentrator series, 383–384
    troubleshooting, 384–389
  on VPN 3000 Concentrator series VPN client, 382–383
digital signatures, 225
directory structure of CSA MC, 985–986
disabling
  CSAgent shims, 1016–1017
  csauser.dll, 1018
disconnecting from NM-CIDS console, 842–843
disk space, reclaiming, 1011
disk usage, monitoring, 992
displaying
  *.rtr file output, 991
  802.1X statistics, 555–557
  Firewall MC debug information, 932
  Router MC debug information, 961–962
  server selftest information, 988
  Windows system information, 988
DMVPN (Dynamic Multipoint VPN), 270
  configurable dynamic routing protocols, 280
  crypto socket creation problems, troubleshooting, 279
  dynamic spoke-to-spoke configuration, 273–276
  mGRE interface, 271
  NHRP, 271
    mapping problems, troubleshooting, 278–279
DNS errors, resolving, 1048
Doc directory (CSA MC), 986
documenting network topology, importance of, 6
domain controller mode (CS ACS), configuring, 628
domain stripping on CS ACS, 665
DoS attacks
  fragmentation, mitigating with CBAC, 191
  TCP SYN flood, mitigating with CBAC, 189–191
downgrading PIX Firewall, 66
downloadable ACLs, 652
  PIX/IP, syntax, 606
  troubleshooting, 654–655
DPD (Dead Peer Detection), 345
driver_install.log file, 989
DRP (disaster recovery plan), 1023
  application partition, recovery procedures, 708–709
  implementing, 707
dump text files, creating, 657
dynamic crypto maps, creating, 327
dynamic filters
  active, viewing, 603
  configuring on VPN 3K, 602
  fields, 604
  on RADIUS, configuring, 604
  rules, syntax, 603
dynamic routing protocols for DMVPN networks, 280
dynamic spoke-to-spoke DMVPN configuration, 273–276
dynamically mapped users, replication, 670

E

EAP (Extensible Authentication Protocol), 545–546
EAPOL (EAP over LANs), 544
egress traffic, 764
email notification
  configuring, 1068, 1070
  troubleshooting, 1071–1072
E-mail Proxy (VPN 3000 Concentrator)
  configuring, 401
  troubleshooting, 401–402
enable password authentication
  configuring, 563
  troubleshooting, 562–564
enabling
  Firewall MC, Recovery Server, 954
  SSL, 1049
encryption, 223
  of CS ACS passwords, 668
error messages, troubleshooting
  Internal Server Error, 1050
  Page Cannot Be Found Error, 1050
escalation procedures, documenting, 7
ESMTP (Extended Simple Mail Transfer Protocol), traffic inspection, 183–184
ESP (Encapsulating Security Payload), 226
established keyword (ACLs), 180
establishing LAN-to-LAN tunnels, 240–246

Ethereal, 125, 199
  web site, 20
Ethernet, interface IDS-Sensor, 834
event classes, configuring on VPN 3000 Concentrator series, 348
Event Limiting, 991
event log (VPN 3000 Concentrator series), viewing, 350–352
Event Viewer
  launching, 1055
  test events, generating, 1057
  troubleshooting, 1057
events
  Large ICMP events, generating, 1057
  maximum event limit (database), changing, 1066
  purging from CSA MC database, 1028–1029
  writing to securitylog.txt file, 991
exception memory command, generating core dump, 23
exceptions, creating, 1016
exec authorization, troubleshooting on Cisco routers, 440–443
expired IDS MC licenses, troubleshooting, 905
exporting user and group information from CS ACS database, 660

F

fact gathering stage, production network troubleshooting, 10–11
Failed Attempts logs, 621
failover, 102
  on FWSM
    configuring, 149–155
    forced reboot conditions, 147
    initialization phase, 146
    monitoring, 147–148
    troubleshooting, 144–146, 155–157
  on PIX Firewall
    active/active failover, configuring, 102, 105–106
    active/standby mode, 102
    asymmetrical routing support, 106
    failover groups, 104
    hardware and licensing requirements, 104
failover groups, 104
failure of VPN 3K authentication, causes of, 607–608
FAQs
  regarding 802.1x, 582–584
  regarding AAA, 472–474
    on VPN 3K, 611–612
  regarding CBAC, 217–218
  regarding CS ACS, 661–670
  regarding CSA Agent/CSA MC, 1032–1035
  regarding CiscoWorks Common Services, 877–881
  regarding FWSM, 173–174
  regarding IDS MC, 925–929
  regarding IPS, 777–781
  regarding PIX Firewall, 109–110
  regarding VPN 3000 Concentrator series, 406–410
Fast Path packet flow through FWSM, 116–118
features of Router MC, 960
Field Notices, 54
fields
  of dynamic filters, 603–604
  of EAP frames, 546
file systems (PIX), commands, 33
files in MDCSupport, analyzing, 886–887
filters, configuring dynamic filters on VPN 3K, 602
Firewall MC
  activities, unlocking, 941
  authentication problems, resolving, 939–940
  browser-related problems, resolving, 937
  CiscoWorks Common Services database
    check pointing, 951
    compacting, 952–953
  Common Services, installing, 935
  communication architecture, 932
  debug information, viewing, 932
  device configurations
    deploying, 947
    importing, 943–946
  initialization, 936, 964
  installation issues, troubleshooting, 934
  interoperability with other applications, 936
  jobs, rolling back, 942
  MDCSupport utility, generated files, 933
  processes, 931
  purge-mc-tasks utility, 942

Page 14: Symbols & Numericsptgmedia.pearsoncmg.com/images/1587051893/index/... · Symbols & Numerics *.rtr files, ... architectural components of AAA, 420 archive files, ... packet drops,

1091

    Recovery Server
        configuring, 953–954
        enabling, 954
    terminal activities, removing, 941–942
Firewall module administration on FWSM, troubleshooting, 128–133
firewalls
    and IPsec, 284–285
    deploying between IPsec peers, 340
    on IPsec endpoints, 340
Flash disk, generating core dumps, 23
flow rates, monitoring, 1064–1065
fragmentation, mitigating with CBAC, 191
front panel indicator lights
    IDSM-2, 789
    NM-CIDS, 833
FTP, 21
    generating core dumps, 22
    packet flow through FWSM, 118
FWSM
    access-lists
        ACL Partition Manager, 168–169
        compilation process, 170–172
        memory utilization, 164–166
    connectivity
        configuring, 135–139
        troubleshooting, 134, 139–142
    CP, 113–114
    CPU utilization, troubleshooting, 143
    debug commands, 122–123
    failover
        configuring, 149–155
        forced reboot conditions, 147
        initialization phase, 146
        monitoring, 147–148
        troubleshooting, 144–146, 155–157
    FAQs, 173–174
    Firewall module administration issues, troubleshooting, 128–133
    hardware issues, troubleshooting, 127–128
    image upgrades, performing, 133–134
    intermittent packet drops, troubleshooting, 144
    licensing issues, troubleshooting, 126–127
    Maintenance Partition, 130–132
    multiple SVI interfaces, configuring, 157–162
    NP, 114–116
    packet capturing, 123–124
    packet flows, 116
        Fast Path packet flow, 116–118
        FTP session packet flow, 118
        Session Management Path packet flow, 118
    password recovery, 132
    show commands, 120–122
    syslog, 125

G
generating
    agent kits, 997–998
    core dumps, 22
        with exception memory command, 23
        with Flash disk, 23
        with FTP, 22
        with rcp, 23
        with TFTP, 22
    Large ICMP events, 1057
    test events on Event Viewer, 1057
GRE over IPsec
    configuring, 256–257
    troubleshooting, 257–258
group attributes (VPN 3K), 589
group authentication with RADIUS, configuring on VPN 3K, 599–600
group configuration on VPN 3K, 608
Group Lock feature (VPN 3K), 601, 607
groups, 985
GUI (Firewall MC)
    lost passwords, recovering, 663
    removing terminal activities from Firewall MC, 941–942

H
Hairpinning, 334
    configuring, 335–337
half-open connections, manipulating threshold values on CBAC routers, 208
hardware
    IPS support, 683–685
    on FWSM, troubleshooting, 127–128
hardware requirements
    for IDSM-2, 788


    for NM-CIDS support, 832
    for PIX Firewall failover, 104
Headless CSAgent software, procuring, 997
high availability of PIX firewall for VPN connections, 344–345
high CPU utilization, troubleshooting
    on FWSM, 143
    on PIX Firewall, 95–98
host block, 734
hosts, 985
HTTP inspection, Java filtering, 204
HTTPS, tasks performed on IDS MC, 885
hubs, capturing IPS traffic, 763

I
IBNSs (Identity-Based Network Services), 541–542, 555
    802.1X statistics, displaying, 555–557
    IEEE 802.1x framework, 542–545
        standard operation, 544–545
    machine authentication, 566–567
        PEAP, configuring, 567–570
ICMP (Internet Control Message Protocol), traffic inspection, 182
IDAPI (Intrusion Detection Application Programming Interface), 678
IDENT protocol, troubleshooting on PIX Firewall, 102
identifying registered CSA MC agents, 1008
IDIOM, 681
IDM (IPS Device Manager)
    IPS sensors, licensing, 719
    sensors
        accessing, 888, 901–902
        trusted hosts, adding, 890–892
        trusted hosts, configuring, 889–890
IDS MC
    Apache certificate
        regenerating, 897
        trusted host issues, resolving, 897–898
        verifying, 896
    audit reports, 885
    communication architecture, 884–885
    configuration deployment, 917
        troubleshooting, 918–920
    configuring, best practices, 929
    corrupt licenses, troubleshooting, 904
    database pruning, 920
    debugging, 887–888
    device table, adding devices to, 1052
    expired licenses, troubleshooting, 905
    FAQs, 925–929
    installing, 902–903
    MDCSupport file
        collecting on Windows platform, 886
        file contents, analyzing, 886–887
    processes, starting/stopping, 884
    resolving connection problems with sensor, 893
    secure communication with sensor, verifying, 893
    sensors
        configuring, 906
        import process, troubleshooting, 907–908, 1051
        shunning, case study, 920–925
        updating signature level, 899–901
        upgrading, 908–917
    service pack version, verifying, 895–896
    VMS Server, IP addressing, modifying, 898
IDS Sensor Software, naming conventions, 700
    platform-dependent images, 700–701
    platform-independent images, 701–702
IdsAlarms.exe utility, 1076
IDSdbcompact utility, 1068
IDSM-2 (Intrusion Detection Services Module 2) blade
    Command and Control port
        5-minute output rate, checking, 803–805
        configuring, 801–803
    event generation, troubleshooting, 817–818
    front panel indicator lights, 789
    hardware issues, troubleshooting
        on CatOS, 797–800
        on Native IOS, 793–797
    hardware requirements, 788
    implementing, best practices, 829
    installing, 789
    Maintenance Partition, upgrading, 823–824
    Promiscuous mode, 805
        configuring, 805–813
        troubleshooting, 814–816
    re-imaging, 818–823
    removing from switch, 790


    serial cable, connecting, 826
    signature update, installing, 824–825
    slot assignment, 788
    sniffing ports, 791
    supported ports, 790
    TCP reset, 818
    upgrading to version 5.x, 826
    user passwords, recovering, 827–829
    VACL Capture, 827
    versus IDS Appliance, 787
IKE (Internet Key Exchange), 229
    phase 1, 229–232
    phase 2, 232–233
images
    for NM-CIDS, 849
    upgrading on FWSM, 133–134
implementing
    AAA on VPN 3K, best practices, 612
    access lists on PIX Firewalls, 34–35
        outbound ACLs, 35–36
        time-range keyword, 34–35
    disaster recovery plan, 707–709
    IDSM-2, best practices, 829
importing
    CSA MC license, 1007–1008
    device configurations
        with Firewall MC, 943–946
        with Router MC, 969–970
    IDS sensors from IDS MC, 1051
        troubleshooting, 907–908
    NAS to CS ACS database, 659
    users to existing CS ACS database, 658
inaccessible sensors, troubleshooting, 901–902
inbound connections, 69
    configuring on PIX Firewall, 69–72
information logging level (Router MC), 961
ingress traffic, 764
initial IPS sensor setup problems, troubleshooting, 693–696
initialization problems, resolving
    on Firewall MC, 936
    on Router MC, 964
Inline Bypass sensor mode (IPS), 682
Inline mode (IPS sensor), 681–682
    configuring, 757–762
    troubleshooting, 762–763
inside network, protecting, 178–180
inspecting
    multi-channel protocols, 187
    single channel protocols, 182
        application-layer protocols, 183
        ICMP, 182
        SMTP, 183
        UDP, 182
        URL filtering, 185–187
installation failures on Router MC, troubleshooting, 963
installing. See also removing; uninstalling
    CiscoWorks Common Services, 870–871
        database management, 873
        minimum requirements, 870
        problems, troubleshooting, 871–873
        user management issues, 873
        with Terminal Services in Remote Administration mode, 935
    CS ACS on Windows platform, 625–627
    CSA MC
        best practices, 1036
        license key, 869
        minimum requirements, 995
        problems, troubleshooting, 993–994
    CSAgent
        minimum requirements, 998–999
        problems, troubleshooting, 997, 1001
    Firewall MC, 934
    IDS MC, 902–903
    IPS Sensor Appliances, 703
        with CD-ROM, 703–704
        with TFTP server, 704–707
    IDSM-2 blade, 789
    NM-CIDS, 833
    Security Monitor, 1047
    signature update on IDSM-2, 824–825
integrating CS ACS
    with Novell IDS, 630–636
    with AD, 627–629
    with SDI, 636–639
interfaces supported on IPS, 683–685
intermittent packet drops on FWSM, troubleshooting, 144
Internal Server Error messages, troubleshooting, 1050
interoperability
    of Firewall MC with other applications, 936
    of NAT and CBAC, 188


inter-process communication, 678
intrusion-detection module command, 808
IOS Firewall feature set, 177
    auth-proxy, 212
        authentication methods, 212
        configuring, 213–215
        troubleshooting, 216–217
    detecting with show version command, 200
    supported Cisco router platforms, 213
IP addresses
    assigning to IDS-Sensor interface, 839
    DNS errors, resolving, 1048
    on VMS Server, modifying, 898
IP fragmentation, mitigating with CBAC, 191
IP inspection on CBAC routers, troubleshooting, 202
ip port-map command, 189
iplog command, 691
IPS (Intrusion Prevention System)
    AnalysisEngine, 678
    best practices, 781–785
    capturing traffic
        with MPLS IP IDS, 776–777
        with RSPAN, 773–775
        with SPAN, 763–770
        with VACL, 775–776
    CLI, 678
    combined sensor mode, 683
    communication protocols, 678–681
    deployment architecture, 676–677
    FAQs, 777–781
    Inline Bypass sensor mode, 682
    Inline sensor mode, 681–682
    MainApp, 677–678
    monitoring device, troubleshooting event reception issues, 726–733
    NM-CIDS, 831
        ACL checks, case study, 852
        application partition, re-imaging, 854–857
        available images, 849
        CEF forwarding path, case study, 850
        Command and Control port, configuring, 844–845
        connecting to, 840–842
        console access, 839, 843–844
        disconnecting from, 842–843
        dropped packets, case study, 853
        encryption, case study, 852
        front-panel indicator lights, 833
        GRE tunnels, case study, 853
        hardware issues, troubleshooting, 836–838
        hardware/software requirements, 832
        installing, 833
        IPS insertion points, case study, 851
        managing from IOS router, 848–849
        NAT, case study, 851
        network setup, 831
        packet capturing, configuring, 846–848
        removing from router, 833
        slot assignment, 833
        supported ports, 834–835
        time stamp configuration, 857–858
    Promiscuous sensor mode, 682–683
    sensors
        blocking function, verifying, 744–745
        blocking issues, troubleshooting, 733–743, 753
        configuration, backing up, 782–783
        connecting to network, 784
        connectivity issues, resolving, 720–725, 746–752
        initial setup issues, 693–696
        Inline mode, 757–763
        MBS, 754
        NAC function, verifying, 745–746
        software installation/upgrade issues, 699–717
        TCP reset, 754–757
        upgrading to IPS 5.0, 715–717
        user management issues, 696–698
    Sensor Appliances, installing, 703–707
    show commands, 686–690
    supported hardware and interfaces, 683–685
    traffic, capturing, 763
IPS 5.0, licensing, 717–720
IPsec
    aggressive mode negotiation, 231–232
    AH, 226
    backup servers, redundancy on VPN 3000 Concentrator series, 415
    debug commands, 300
    ESP, 226
    firewall issues, troubleshooting, 284–285, 340


    GRE over IPsec
        configuring, 256–257
        troubleshooting, 257–258
    IKE, 229
        phase 1, 229–232
        phase 2, 232–233
    interaction with CBAC, 193
    IOS routers, VPN troubleshooting
        debug commands, 238
        PKI, 258–265
        Remote Access client VPN connections, 265–270
    LAN-to-LAN tunnels, 239
        establishing, 240–246
        phase 1 establishment failures, 247–251
        phase 2 establishment failures, 252–254
        traffic flow, troubleshooting, 254–255
    LAN-to-LAN VPN tunnels between PIX firewalls
        configuring, 302, 305–308
        crypto maps, creating, 305–306
        data not passing through, troubleshooting, 322–323
        MTU issues, 340–342
        Phase I failures, 309–319
        Phase II failures, 319–321
        transform sets, creating, 304
        tunnel groups, creating, 305
    main mode negotiation, 229–231
    MTU issues, troubleshooting, 285–286
    NAT-related problems, troubleshooting, 282–284
        exemptions, 338
    over NAT-T, configuring, 338–339
    over TCP, configuring, 339
    Phase 1 tunnel negotiations, show commands, 233–235
    Phase 2 tunnel negotiations, show commands, 235–236
    PKI
        configuring, 258–261
        troubleshooting, 261–265
    Remote Access VPNs on PIX firewall
        configuring, 323, 325–327
        debug output for successful tunnel build-up, 328–331
        split tunneling, 342–344
        stateful failover, obtaining resiliency through, 287–288
        stateless failover, obtaining resiliency through, 288–295
        tunnel not passing through traffic, 333–334
        unestablished tunnels, troubleshooting, 332–333
    SAs, 228
    split tunneling issues, troubleshooting, 286
    transparent tunneling options, 340
    transport mode, 226
    tunnel mode, 227–228
    tunnels
        tearing down, 238
        verifying configuration of, 237

J-K
Java blocking, configuring on CBAC, 184
jobs (Firewall MC), rolling back, 942
Jonas logs, 963
keyed message digest, 225
Knoppix security CD, 21

L
LAC routers, troubleshooting, 464–467
LAN-to-LAN IPsec VPN tunnels, 239
    configuring, 302, 305–308
    crypto maps, creating, 305–306
    data not passing through, troubleshooting, 322–323
    establishing, 240–246
    MTU issues, 340–342
    on VPN 3000 Concentrator series, troubleshooting, 356–363
    Phase 1 establishment failures, troubleshooting, 247–251, 309–319
    Phase 2 establishment failures, troubleshooting, 252–254, 319–321
    traffic flow, troubleshooting, 254–255
    transform sets, creating, 304
    tunnel groups, defining, 305
Large ICMP events, generating, 1057
launching
    CiscoWorks Common Services on web browser, 861


    CSA MC
        problems, troubleshooting, 1010–1013
        slow launches, troubleshooting, 1013–1014
    Event Viewer, 1055
    Security Monitor, 1050
LED indicator lights
    on Catalyst 6500 IDSM-2 blade, 789
    on VPN 3000 Concentrator series, 354
    on NM-CIDS, 833
libpcap format files, 691
license keys (CSA MC), installing, 869
licensing
    for CiscoWorks Common Services, troubleshooting, 869
    for CSA MC, 1005–1007
        importing, 1007–1008
        troubleshooting, 1009–1010
    for FWSM, troubleshooting, 126–127
    for IDS MC
        corrupt licenses, troubleshooting, 904
        expired licenses, troubleshooting, 905
    for IPS software, 717–718
        procuring license from Cisco.com, 718
        sensors, 719–720
    for PIX Firewall, 54–56
    for VMS, 865–868
limitations
    of ACLs, 177
    of Virtual Firewall, 86
LLQ (Low-Latency Queuing), configuring on PIX Firewall, 93–94
LNS (L2TP Network Server) routers, troubleshooting, 468–471
load balancing on VPN 3000 Concentrator series, 413
loading Event Viewer, 1057
local database installation (CSA MC), troubleshooting, 994
local group authentication, configuring on VPN 3K, 596
Local mode (CiscoWorks Common Services), 862
local user authentication, configuring on VPN 3K, 597–599
locking VPN 3K users to specific groups, 601
log directory
    CSA Agent files, 988
    CSA MC, 986
log events, viewing on VPN 3K, 589
log files
    CSA MC Log, 987
    for CSA Agent, 988–992
    securitylog.txt, writing events to, 991
    size of, monitoring, 1065–1066
“Logged in Users” report, 668
logging
    Event Limiting, 991
    syslog configuration on PIX Firewall, 50–53
logical PIX firewalls. See Security Contexts
login authentication
    configuring, 559–560
    troubleshooting, 561–562
lost GUI passwords, recovering, 663
low memory issues, troubleshooting on PIX Firewall, 98–101

M
machine authentication
    activating on Cisco switches, 566–567
    PEAP, configuring, 567–570
Main mode negotiation (IPsec), 229–231
MainApp, 677–678
Maintenance Partition (FWSM), 130–132
major/minor software, upgrading, 710
    to IPS 5.0, 716–717
managed devices, troubleshooting connectivity with sensor, 746–752
Management Center, 985
management model for CSA, 983–985
managing NM-CIDS from IOS router, 848–849
man-in-the-middle attacks, 80
manipulating half-open connection threshold values on CBAC routers, 208
manual operations
    adding trusted hosts to IDM sensors, 892
    performing backups on CSA MC database, 1023–1024
    uninstalling CS ACS, 661


MAPI Proxy (VPN 3000 Concentrator)
    configuring, 399–400
    troubleshooting, 400–401
mapping
    CS ACS group names to VPN 3K group names, 598
    NHRP issues, resolving, 278–279
maximum event limit (database), changing, 1066
MBS (Master Blocking Sensor), 737
    configuring, 741–743
    troubleshooting, 754
MDCSUPPORT
MDCSupport, 863
    collecting on Windows platform, 886
    contents, analyzing, 886–887
    files collected by, 864
MDCSupportInformation.zip file
    contents of, 933
    file summary, 864
    installation log files, 864
memory utilization, troubleshooting on PIX Firewall, 98–101
memory.dmp file, 990
message digest, 225
messages, RADIUS, 427
mGRE interface, 271
minimum installation requirements
    CiscoWorks Common Services, 870
    CSA MC, 995
    CSAgent, 998–999
misconfigured ACLs, troubleshooting on CBAC, 202
misconfigured IP inspection, troubleshooting on CBAC routers, 203
misconfigured URL filtering, troubleshooting, 205
mitigating
    IP fragmentation with CBAC, 191
    TCP SYN flood attacks with CBAC, 189, 191
mls ip ids command, 813
    configuring on switch running Native IOS, 809
modifying
    application-to-port mappings, 188–189
    IP addressing on VMS Server, 898
monitoring
    database, disk utilization, 1066
    devices, flow rates, 1064–1065
    disk usage, 992
    log files, size of, 1065–1066
monitoring interface (NM-CIDS), 834
MPF (Modular Policy Framework), 37–38
MPLS IP IDS, configuring IPS traffic capture, 776–777
MSDE database
    compacting, 1030
    repairing, 1031–1032
MTU problems with IPsec, troubleshooting, 285–286, 340–342
multi-channel protocols
    inspecting, 187, 205
    securing with CBAC, 180
multi-homed machines, running CiscoWorks Common Services on, 879
multiple context mode (PIX Firewall), 84–90
multiple mode (FWSM), access list memory utilization, 164–166
multiple SVI interfaces, configuring on FWSM, 157–162

N
NAC (Network Access Controller) function, verifying, 745–746
naming conventions
    after CSA MC upgrade, 1004
    of IDS Sensor Software, 700
        platform-dependent images, 700–701
        platform-independent images, 701–702
NARs (Network Access Restrictions)
    configuring, 648–651
    troubleshooting, 651–652
NAS (Network Access Server), 421, 639
    bulk importing, 667
NAT (Network Address Translation)
    interoperability with CBAC, 188
    troubleshooting on CBAC router, 202
    with IPsec, 282–284
NAT exemptions, 338
nat-control, implementing on PIX Firewall, 36
Native IOS
    IDSM-2, troubleshooting hardware issues, 793–797
    show commands, 792
NAT-T (NAT Traversal), configuring, 338–339


NBMA (Non-Broadcast Multiple Access), 271
network analyzers, 20
network failures
    proactive troubleshooting methods, 5–7
    types of, 7
network resources, protecting on PIX Firewall, 111
NHRP (Next Hop Resolution Protocol), 271
NBMA addresses, 272
NM-CIDS (Cisco IDS Network Module), 831
    application partition, re-imaging, 854–857
    case studies
        ACL checks, 852
        CEF forwarding path, 850
        dropped packets, 853
        encryption, 852
        GRE tunnels, 853
        IPS insertion points, 851
        NAT, 851
    Command and Control port, configuring, 844–845
    console access, 839
    console access, troubleshooting, 843–844
    front-panel indicator lights, 833
    hardware issues, troubleshooting, 836–838
    hardware/software requirements, 832
    images, 849
    installing, 833
    managing from Cisco IOS router, 848–849
    network setup, 831
    packet capture, configuring, 846–848
    removing from router, 833
    slot assignment, 833
    supported ports, 834–835
    time stamping configuration, 857–858
    upgrading to version 5.0, 849
Notifier daemon, 1055
Novell IDS, troubleshooting CS ACS integration, 630–636
NPs (network processors)
    FWSM architecture, 114–116
    NP3, access-list utilization on FWSM, 164–166
NSDB (Network Security Database), 785
    viewing from Security Monitor, 1073
nslookup command, 19
NT/RADIUS password authentication feature, testing, 610–611

O
obtaining
    Common Services software production license, 867
    IPsec resiliency
        with stateful failover, 287–288
        with stateless failover, 288–295
options for csutil.exe, 655–656
outbound connections, 69
    configuring on PIX Firewall, 69–72
Output Interpreter, 54

P
Package.cab file, contents of, 622–624
packet capturing
    configuring on NM-CIDS, 846–848
    on FWSM, 123–124
packet command, 692
packet drops, troubleshooting
    on CBAC routers, 210
    on FWSM, 144
packet flows
    through CS ACS, 619–620
    through FWSM, 116
        Fast Path packet flow, 116–118
        FTP session packet flow, 118
        Session Management packet flow, 118
packets, troubleshooting IPsec MTU issues, 285–286
Page Cannot Be Found Error messages (Security Monitor), 1050
PAM (Port Application Mapping), 188–189
Passed Authentication log, turning on, 621
Password Expiry, testing, 610–611
passwords
    encryption (CS ACS), 668
    recovering
        from FWSM, 132
        from IDSM-2, 827, 829
        from PIX Firewall, 56–60
PEAP (Protected EAP)
    configuring, case study, 574–580
    machine authentication, configuring, 567–570
performance issues on CBAC, troubleshooting, 205–210


Perl directory (CSA MC), 986
Phase 1 tunnel negotiations
    IPsec LAN-to-LAN VPN failures, 309–319
    show commands, 233–235
Phase 2 tunnel negotiation
    IPsec LAN-to-LAN VPN failures, 319–321
    show commands, 235–236
    tearing down tunnels, 238
ping command, 17
pinging CBAC router incoming interface, 201
PIX firewalls
    access lists
        enabling/disabling, 35
        implementing, 34
        outbound, 35–36
        time-range keyword, 34–35
    activation keys, 56
    ASA, characteristics of, 29–30
    commands
        capture, 47–49
        debug application-protocol, 47
        debug fixup tcp|udp, 47
        debug icmp trace, 46–47
        debug pix process, 47
        show asp drop command, 41–42
        show blocks, 43
        show connection command, 40
        show cpu usage command, 42
        show local-host command, 40–41
        show output filters, 44–45
        show service-policy command, 41
        show tech-support, 45
        show traffic, 42
        show xlate command, 39–40
    connections
        configuring, 69–72
        troubleshooting, 72–76
    CPU utilization, troubleshooting, 95–98
    Downloadable PIX ACL, 653
    failover
        active/active failover, configuring, 105–106
        active/standby failover, 102
        asymmetrical routing support, 106
        failover groups, 104
        hardware and licensing requirements, 104
    FAQs, 109–110
    file system commands, 33
    Hairpinning, 334–337
    high availability on VPN connections, obtaining, 344–345
    IDENT protocol, troubleshooting on PIX Firewall, 102
    licensing issues, troubleshooting, 54–56
    memory utilization, troubleshooting, 98–101
    MPF, 37–38
    multiple context mode, configuring, 87–90
    nat-control, configuring, 36
    packet processing, 30–32
    password recovery issues, troubleshooting, 56–60
    protecting network resources, best practices, 110–111
    QoS issues, troubleshooting, 90, 92–94
    Remote Access VPNs
        configuring, 323, 325–327
        debug output for successful tunnel build-up, 328–331
        tunnel not passing through traffic, 333–334
        unestablished tunnels, troubleshooting, 332–333
    Security Contexts, 84
        multiple context mode, 84–86
    software upgrade/downgrade issues, troubleshooting, 60–68
    syslog, 50–53
    tools, 53
    traceback, 53
    Transparent Firewall, 38–39, 78
        configuring, 79–82
        troubleshooting, 82–83
    Virtual Firewall, 84–86
PKI
    configuring, 258–259, 261
    troubleshooting, 261–265
platform-dependent images, naming conventions, 700–701
platform-independent images, naming conventions, 701–702
policies, 985–987
Policies directory (CSA MC), 986
policing, configuring on PIX Firewall, 90–92
polling issues with CSA MC, troubleshooting, 1014–1015


port forwarding, VPN 3000 Concentrator
    configuring, 396–397
    troubleshooting, 397–399
port-level authentication, 542
ports
    IDSM-2 switch support, 790
    mapping information, changing, 188–189
    NM-CIDS, configuring Command and Control interface, 834–835, 844–845
Post-Block ACL, 735
Pre-Block ACL, 734
privilege levels, assigning to VPN 3K users, 592
proactive troubleshooting methods, 5–7
processes running
    on Firewall MC, 931
    on IDS MC, 884
    on Router MC, 959
    on SecMon, 884
procuring
    CSA MC license, 1007
    CSAgent license, 1007
    CSAgent software, 997–998
    IPS 5.0 license from Cisco.com, 718
production license for Common Services software, obtaining, 867
production network failures, 8, 12–13
    defining the problem, 9–10
    gathering the facts, 10–11
Profiler, 1022
Promiscuous mode (IDSM-2), 805
    configuring, 805
        on switch running CatOS, 810–813
        on switch running Native IOS, 806–809
    troubleshooting, 814–816
Promiscuous sensor mode (IPS), 682–683
protecting
    inside network, 178–180
    PIX Firewall, best practices, 110–111
protocol analyzers, 20
pruning
    IDS MC database, 920
    troubleshooting, 1067–1068
public key algorithms, 224
purge-mc-tasks utility, 942
purging CSA MC database, 1028–1029

Q–R
QoS, 90
    LLQ, configuring on PIX Firewall, 93–94
    policing, PIX Firewall configuration, 90–92
RADIUS, 425–426, 609
    authentication operation, 426–427
    authorization operation, 426–427
    configuring on Cisco IOS routers, case study, 462–463
    dynamic filters, configuring, 604
    group authentication, configuring on VPN 3K, 599–600
    user authentication, configuring on VPN 3K, 596–597
    versus TACACS+, 428–429
rcp, generating core dumps, 23
RDEP (Remote Data Exchange Protocol), 1041
RDEP2, 679
real-time alerts, configuring, 192–193
reclaiming disk space, 1011
records, pruning from IDS MC database, 920
recover application-partition command, 709
recovering
    application partition, 708–709
    lost GUI passwords, 663
    user passwords from IDSM-2, 827–829
recovering lost passwords
    from FWSM, 132
    from GUI, 663
    from PIX Firewall, 56–60
recovery packages, 702
Recovery Server (Firewall MC)
    configuring, 953–954
    enabling, 954
redirecting archive/backup files away from Database Disk, 1063
redundancy
    failover
        active/active failover, configuring, 105–106
        active/standby failover, 102
        configuring on FWSM, 149–155
        monitoring on FWSM, 147–148
        troubleshooting on FWSM, 144, 146–147, 155–157


    on VPN 3000 Concentrator series
        clustering, 412–414
        using IPsec Backup Servers, 415
        using VRRP, 410–411
Reflexive ACLs, 180
regenerating Apache certificates, 897
registered CSA MC agents, identifying, 1008
registering CSA MC, 868
re-imaging
    IDSM-2, 818–823
    NM-CIDS application partition, 854–857
Remote Access VPN connections
    on PIX firewall, troubleshooting, 323–327
        debug output for successful tunnel build-up, 328–331
        MTU issues, 340–342
        tunnel not passing through traffic, 333–334
        unestablished tunnels, 332–333
    on VPN 3000 Concentrator series, troubleshooting, 364–371
        client routing, 377–381
        Internet inaccessibility, 381–382
        local LAN inaccessibility, 382
        tunnel establishment, 372–377
    split tunneling, configuring, 342–344
remote database installation (CSA MC), troubleshooting, 994
removing
    CSA MC components, 995–997
    CSAgent from Windows systems, 999–1000
    IDSM-2 blade from switch, 790
    NM-CIDS from router, 833
    terminal activities from Firewall MC, 941–942
repairing CSA MC database, 1031–1032
replication, 640
    Bidirectional, 647
    “cascade”, 645
    CS ACS
        configuring, 640, 644
        troubleshooting, 644–647
    of dynamically mapped users, 670
REPLY packets (TACACS+), 422
reports
    daily alarm reports, scheduling, 1073
    generation failures, troubleshooting, 1060
    pruning reports, 1067
    Router MC, 963
resolving
    connection problems between IDS MC and sensor, 893
    CS ACS Crypto Errors, 661
    DNS errors, 1048
restoring
    CiscoWorks Common Services, 875–876, 950
    CSA MC database, 1025–1027
    data, 657
    Router MC database, 973
Roles, 862
rollback feature (Firewall MC), 942
Router MC
    ACS, setup procedures, 979–980
    authentication problems, resolving, 967
    backup/restore operations, troubleshooting, 973
    browser issues, troubleshooting, 965, 967
    checking status of, 960
    communication architecture, 960
    dangling connections, 968
    database
        backing up, 972
        restoring, 973
    debug information, collecting/viewing, 961–962
    device configurations
        deploying, 970–971
        importing, 969–970
    features, 960
    installation failures, troubleshooting, 963
    logging levels, setting, 961
    processes, 959
    reports, 963
    user permissions, case study, 974–975, 978
RRI (Reverse Route Injection), 345
RSPAN (remote SPAN), configuring IPS traffic capture, 773–775
rules
    CSA MC, 985
    database/event, creating, 1064
    for dynamic filters, syntax, 603
Rx SPAN, 764


S
Samples directory (CSA MC), 986
SAs, 228
saving crash information to Flash on PIX Firewall, 53
scheduling daily alarm reports, 1073
SDEE (Security Device Event Exchange), 679–680, 1041
SDI (Secure ID), CS ACS integration, 636–639
SecMon
    database pruning, 920
    processes, starting/stopping, 884
security administrators, 984
Security Contexts, 84
    multiple context mode, 84–90
Security Monitor
    best practices, 1077
    database maintenance issues, troubleshooting, 1062
    DNS errors, resolving, 1048
    email notification
        configuring, 1068–1070
        troubleshooting, 1071–1072
    Event Viewer
        launching, 1055
        troubleshooting, 1057
    inability to launch, troubleshooting, 1050
    inability to receive events, troubleshooting, 726, 728–733
    installation guidelines, website, 1047
    Internal Server Error messages, troubleshooting, 1050
    licensing issues, troubleshooting, 1051
    NSDB, viewing, 1073
    Page Cannot Be Found Error messages, troubleshooting, 1050
    report generation failures, troubleshooting, 1060
    sensor connection status, troubleshooting, 1053–1055
    strange behavior, troubleshooting, 1051
    tabs, 1048
    user management, 1045
securitylog.txt file, writing events to, 991
selecting
    slot for IDSM-2 placement, 788
    traffic capture method on IDSM-2, 827
    UDP connection timeout for CBAC, 207–208
sensor modes
    combined modes, 683
    Inline Bypass mode, 682
    Inline mode, 681–682
    Promiscuous mode, 682–683
sensors
    active processes, verifying, 893–895
    blocking
        for specific signatures, troubleshooting, 753
        process, verifying, 923–924
    connectivity, 721–725
    IDM
        accessing, 888
        trusted hosts, adding/configuring, 889–892
    IDS, importing from IDS MC, 1051
    IDS MC
        configuring, 906
        deploying, 917–920
        import process, troubleshooting, 907–908
        shunning, case study, 920–925
        upgrade process, troubleshooting, 908–917
    inaccessibility, troubleshooting, 901–902
    IPS, troubleshooting
        ACLs, 734–735
        backing up configuration, 782–783
        blocking, 734–745
        connecting to network, 784
        connectivity with managed device, 746–752
        initial setup issues, 693–696
        Inline mode, configuring, 757–762
        Inline mode, troubleshooting, 762–763
        MBS, 737, 741–744
        software installation/upgrade issues, 699–717
        supported managed devices and versions, 735
        TCP reset, 754–757
        user management issues, 696–698


    licensing, 719–720
        with CLI, 719–720
        with IDM, 719
    resolving connection problems with IDS MC, 893
    signature level, updating, 899–901
    upgrading to IPS 5.0, 715–717
    verifying secure communication with IDS MC, 893
serial cable, connecting to IDSM-2 blade, 826
server selftest information, displaying, 988
service packs, IDS MC
    upgrading sensors, 908–910
    verifying version of, 895–896
service-module command, connecting to NM-CIDS, 840
services, CSAdmin, 615–616
Session Management packet flow through FWSM, 118
Shared File Components (CS ACS), 653–654
Shared Profile (command authorization), configuring, 444
shims, disabling, 1016–1017
show aaa servers command, 430
show aaa user command, 430
show access-list command, 655
show accounting command, 554
show asp drop command, 41–42
show authorization command, 554
show blocks command, 43
show commands
    for IPsec Phase 1 tunnel negotiations, 233–235
    for IPsec Phase 2 tunnel negotiations, 235–236
    for Native IOS, 792
    FWSM-related, 120–122
show configuration command, 687
show connection command, 40
show cpu usage command, 42
show crypto ipsec command, 299–300
show crypto map command, 237
show dot1x all command, 556
show dot1x statistics command, 557
show events command, 687
show interfaces command, 689
show ip inspect command, 194–195
show local-host command, 40–41
show localusers command, 552
show module command, 791
show output filters command, 44–45
show radius command, 553
show radius statistics command, 430
show running config command, 15
show running logging command, 52
show running-config command, 300
show security acl command, 792
show service-policy command, 41, 94
show span command, 792
show statistics command, 687–688
show tacacs command, 430, 553
show tech-support, 45
show tech-support command, 689
show test command, 792
show traffic command, 42
show trunk command, 792
show users command, 430
show version command, 15, 686–687, 689–690, 791
    verifying installed IOS Firewall feature set, 200
show vlan brief command, 558
show xlate command, 39–40
shunning on IDS MC sensor, case study, 920–925
signature levels, updating on IDS MC sensors, 899–901
signature updates, installing on IDSM-2, 824–825
signatures, IDS MC
    upgrading IDS MC sensors, 908–910
    verifying version of, 895–896
single channel protocol inspection
    application-layer, 183
    ICMP, 182
    SMTP, 183
    UDP, 182
    securing on inside network, 179–180
single-mode (FWSM), access list memory utilization, 164–166
size of log files, monitoring, 1065–1066
slot assignment of NM-CIDS on router, 833
slow CSA MC launches, troubleshooting, 1013–1014
SMTP
    email notification
        configuring, 1068–1070
        troubleshooting, 1071–1072
    traffic inspection, 183–184


1104

sniffer software, 49
    Ethereal, 199
sniffer traces, capturing, 199
sniffing ports on IDSM-2, 791
software
    installation/upgrade problems (IPS), troubleshooting, 699–717
    requirements
        for IDSM-2 blade, 788
        for NM-CIDS support, 832
    upgrade/downgrade issues, troubleshooting on PIX Firewall, 60–61, 63–66, 68
Software Advisor Tool, verifying correct IOS Firewall version, 200
source port, 764
SPAN (Switched Port Analyzer)
    configuring
        on Catalyst 2900/3600XL, 765–767
        on Catalyst 2950/3550 and 3750, 767–770
        on Catalyst 4000/6000 running CatOS, 770–771
        on Catalyst 4000/6000 running Native IOS, 771–772
        on switch running CatOS, 810
        on switch running Native IOS, 806–807
    IPS traffic capture, configuring, 763, 765
        on Catalyst 2900/3500XL, 765, 767
        on Catalyst 2950, 767–770
        on Catalyst 3550, 767–770
        on Catalyst 3750, 767–770
SPI (security parameter index), 228
split tunneling
    configuring, 342–344
    troubleshooting, 286
spoke-to-spoke tunnels, creating, 275
SQL Server 2000, compacting, 1031
SSH, tasks performed on IDS MC, 885
SSL
    CSA MC communication architecture, 987
    enabling, 1049
SSL VPN
    clientless mode, 390
        configuring, 390
        troubleshooting, 391–395
    thick client mode
        configuring, 402–403
        troubleshooting, 403–405
    thin client mode, 395–396
        E-mail Proxy, configuring, 401
        E-mail Proxy, troubleshooting, 401–402
        MAPI Proxy, configuring, 399–400
        MAPI Proxy, troubleshooting, 400–401
        port forwarding, 397–399
START packets (TACACS+), 422
starting IDS MC/SecMon processes, 884
stateful failover
    for VPN connections, 345
    obtaining IPsec resiliency, 287–288
stateless failover, obtaining IPsec resiliency, 288–295
static ACLs, established keyword, 180
status indicator lights
    IDSM-2, 789
    NM-CIDS, 833
status of Router MC processes, checking, 960
stopping
    CSAgent service, 991
    deployed jobs, 942
supplicant, 542
supported tokens on VPN 3K, 604
suspending NM-CIDS sessions, 842
switch management, 558
    accounting
        configuring, 565
        troubleshooting, 566
    authorization
        configuring, 564–565
        troubleshooting, 565
    enable password authentication, troubleshooting, 562–564
    login authentication, troubleshooting, 559–562
switching path on CBAC, troubleshooting performance issues, 209
symmetric cryptographic algorithms, 224
syntax
    for database backups, 656
    for downloadable PIX/IP ACLs, 606
    for dynamic filter rules, 603
    rtrformat utility, 990


1105

syslogs, 21
    activating on Cisco routers, 193
    configuring on PIX Firewall, 50–53
    on FWSM, 125
System Image, re-imaging IDSM-2, 818–823
system images, upgrading to IPS 5.0, 716
sysvars.cf file, 991

T
tabs, Security Monitor, 1048
TACACS+, 421
    AAA packet flows, 422–423
    accounting operation, 424
    authentication operation, 422–423
    authorization operation, 424
    configuring on VPN 3K, 590–592
    versus RADIUS, 428–429
TCP reset, 754–757
    on IDSM-2, 818
TCP SYN flood attacks, mitigating with CBAC, 189–191
tcpdump command, 690
tearing down IPsec tunnels, 238
telnet, connecting to NM-CIDS, 841–842
telnet command, 18
terminating CSAgent service, 991
test events, generating on Event Viewer, 1057
testing
    authentication, 593–594
    core dump setup, 24
    NT/RADIUS password expiration feature, 610–611
TFTP, 20
    generating core dumps, 22
Thick Client SSL VPN mode (VPN 3000 Concentrator series)
    configuring, 402–403
    troubleshooting, 403–405
Thin Client SSL VPN mode (VPN 3000 Concentrator series), 395–396
“time exceeded” error messages, 18
time stamping on NM-CIDS, configuring, 857–858
time-range command, 34–35
Tmp directory (CSA MC), 986
tomcat logs, 962
traceback, configuring on PIX Firewall, 53
traceroute command, 18
traffic capture method on IDSM-2, configuring
    with mls ip ids command, 813
        on switch running Native IOS, 809
    with SPAN
        on switch running CatOS, 810
        on switch running Native IOS, 806–807
    with VACL
        on switch running CatOS, 811
        on switch running Native IOS, 807–809
traffic filtering, ACLs
    limitations of, 177
    wide holes, 181
traffic inspection
    of multi-channel protocols, 187
    of single channel protocols, 182
        application-layer protocols, 183
        ICMP, 182
        SMTP, 183
        UDP, 182
transform sets, 325
    creating, 304
translation details, displaying for PIX Firewall, 39–40
transparent firewalls, 38–39, 193
    configuring, 79–82, 193
    troubleshooting on PIX Firewall, 78, 82–83
transparent tunneling options, 340
transport mode, 226
trusted hosts
    adding to IDM sensors, 890–892
    configuring on IDM sensors, 889–890
tunnel groups, VPN 3K, 326
    attributes, 589
    authentication, 588–589
    defining for LAN-to-LAN tunnels, 305
tunnel mode, 227–228
turning off
    debugging, 555
    Passed Authentication log, 621
turning on CSA Agent debug mode, 989
Tx SPAN, 765


1106

U
UDP
    connection timeout, selecting, 207–208
    traffic inspection, 182, 203–205
uninstalling. See also removing
    CS ACS, 661
    CSA MC, 995
Unknown User Policy, configuring, 609–610
unlocking Firewall MC activities, 941
updating
    CSAgent, 1004–1005
    signature level on IDS MC sensors, 899–901
upgrading
    Cisco IOS code base on CBAC routers, 209
    CiscoWorks Common Services license, 868
    CS ACS on Windows platform, 625–626
    CSA MC, 1002
    CSA MCL
        on same system, 1002–1003
        on separate system, 1003–1004
    IDS MC sensors, 908–910
        failures, troubleshooting, 910–917
    IDSM-2 to version 5.x, 826
    IPS Sensor Appliances, 703
        with CD-ROM, 703–704
        with TFTP server, 704–707
    Maintenance Partition on IDSM-2, 823–824
    Major/Minor Software, 710
    NM-CIDS, 849
    PIX Firewall, 61–63
        in failover setup, 68
        ROM Monitor mode, 63–66
    Router MC, troubleshooting failures, 963
    to IPS 5.0, 715–717
URL filtering
    activating, 186
    configuring on CBAC, 185–187
    on CBAC routers, troubleshooting, 211
    troubleshooting, 205
user attributes (VPN 3K), 589
user authentication
    on CiscoWorks Common Services, case study, 876–877
    on VPN 3K, 588–589
        with RADIUS, configuring, 596–597
user management
    on CiscoWorks Common Services, 862, 873
    on IPS, troubleshooting, 696–698
    on Security Monitor, 1045
user passwords, recovering from IDSM-2, 827–829
user permissions on Router MC, case study, 974–975, 978
users, deleting
    in multiple groups, 669
    on CS ACS, 659
utilities
    csutil.exe
        arguments, 655–656
        syntax, 655
    IdsAlarms.exe, 1076
    IDSdbcompact, 1068
    MDCSUPPORT, 863–864
    purge-mc-tasks, 942

V
VACLs (VLAN ACLs)
    blocking, 736
    configuring
        on switch running CatOS, 811
        on switch running Native IOS, 807–809
    IPS traffic capture, configuring, 775–776
VACL Capture (IDSM-2), 827
verifying
    active processes on sensors, 893–895
    Apache certificate on IDS MC, 896
    blocking process configuration on sensors, 744–745, 923–924
    CBAC CPU utilization, 205–206
    core dump configuration, 24
    Firewall MC installation, 934
    IPsec tunnel configuration, 237
    NAC function, 745–746
    network connectivity with ping command, 17
    Router MC installation, 963
    secure communication between IDS MC and sensor, 893
    service pack version on IDS MC, 895–896
    version of IDS MC, 895–896


1107

viewing
    event log on VPN 3000 Concentrator series, 350–352
    Firewall MC debug information, 932
    log events on VPN 3K, 589
    NSDB from Security Monitor, 1073
    processes on IDS MC/SecMon, 884
    Router MC debug information, 961–962
Virtual Firewall, 84–86
Virtual Reassembly option (IOS Firewalls), 191
VMS (VPN/Security Management Solution)
    CiscoWorks Common Services
        backing up, 874–875
        FAQs, 877–881
        installing, 870–873
            problems, troubleshooting, 871–873
            user management issues, 873
        managing, best practices, 881
        restoring, 875–876
        running on multi-homed machines, 879
        user authentication, case study, 876–877
    licensing issues, 865–866
        obtaining Common Services production license, 867
        upgrading Common Services license, 868
VMS Server, modifying IP addressing, 898
VPDNs (Virtual Private Dial-up Networks)
    LAC router, troubleshooting, 464–467
    LNS router, troubleshooting, 468–471
    on Cisco IOS routers, case study, 458–462
    troubleshooting on Cisco IOS routers, case study, 464–472
VPN 3000 Concentrator series
    AAA
        session timeouts, avoiding, 593
        TACACS+, configuring, 590–592
    Administer Sessions window, 352
    authentication, 590
        causes of failure, 607–608
        FAQs, 406–410
    Cisco Secure ACS server, configuring, 590–591
    communicating with CS ACS RADIUS server, 597–599
    concentrator management, 587
    configuration files, 354
    CRSHDUMP.TXT file, 354
    Digital Certificates, 383–384
        on VPN client, 382–383
        troubleshooting, 384–389
    dynamic filters, configuring, 602
    E-mail Proxy
        configuring, 401
        troubleshooting, 401–402
    event classes, configuring, 348
    event log, viewing, 350–352
    failure, causes of, 607
    group authentication with RADIUS, configuring, 599–600
    group configuration, 608
    group names, mapping to CS ACS group names, 598
    LAN-to-LAN tunnel issues
        configuring, 356
        troubleshooting, 359–363
    LED indicators, 354
    local group and user authentication, configuring, 595–596
    local user authentication, configuring, 597–599
    log events, viewing, 589
    MAPI Proxy
        configuring, 399–400
        troubleshooting, 400–401
    port forwarding
        configuring, 396–397
        troubleshooting, 397–399
    privilege levels, assigning to users, 592
    RADIUS Server, configuring, 609
    redundancy
        using clustering, 412–414
        using IPsec Backup Servers, 415
        using VRRP, 410–411
    Remote Access VPN connections
        configuring, 364–365
        troubleshooting, 365–382
    SSL VPN
        clientless mode, 390–395
        Thick Client mode, 402–405
        thin client mode, 395–396
    supported tokens, 604
    tunnel group authentication, 588–589
    user authentication, 588–589
        with RADIUS, configuring, 596–597


1108

    users, locking to specific group, 601
    VPN client log, 354–355
    X-Auth, troubleshooting, 594–596
VPNs
    on Cisco IOS routers, DMVPN, 270–280
    stateful failover, 345
    transparent tunneling options, 340
VRRP (Virtual Router Redundancy Protocol), redundancy on VPN 3000 Concentrator series, 410–411

W
web browsers
    CiscoWorks Common Services, launching, 861
    on Firewall MC, troubleshooting, 937
    on Router MC, troubleshooting, 965–967
websites
    Ethereal, 20
    Knoppix tool, 2
    Security Monitor installation guidelines, 1047
well-known ports, changing port-to-application mappings, 188–189
wide holes, 181
Windows operating system
    CS ACS
        installing, 625–627
        related registries, 663
    CSAgent, removing, 999–1000
    IDS MC
        MDCSupport file, 886–887
        MDCSupport file, collecting, 886
    system information, displaying, 988
Windows NT/2000 Domain Authentication, configuring Unknown User Policy, 609–610
winmsd command, 988
worry state, IKE keepalives, 345

X-Y-Z
X-Auth, troubleshooting, 594–596
    on Cisco routers, 457
XML parser, 1044
