hit counter script
Cisco 4700M Configuration Manual

Cisco 4700M Configuration Manual

Application control engine appliance security
Hide thumbs Also See for 4700M:
Table of Contents

Advertisement

Cisco 4700 Series Application
Control Engine Appliance Security

Configuration Guide

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel:
408 526-4000
800 553-NETS (6387)
Fax:
408 527-0883
Text Part Number: OL-16202-01

Advertisement

Table of Contents
loading

Summary of Contents for Cisco 4700M

  • Page 1: Configuration Guide

    Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-16202-01...
  • Page 2 LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Configuring Comments in an Extended ACL 1-16 Configuring an EtherType ACL 1-17 Resequencing Entries 1-18 Simplifying Access Control Lists with Object Groups 1-20 Overview of Object Groups 1-20 Configuring Network Object Groups 1-21 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 4 Displaying ACL Statistics 1-43 Displaying the ACL Merge Tree Node Usage 1-45 Clearing ACL Statistics 1-45 Configuring Authentication and Accounting Services C H A P T E R AAA Overview Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 5 Configuring the RADIUS NAS-IP-Address Attribute 2-28 Setting the Global RADIUS Server Preshared Key 2-28 Configuring the Global RADIUS Server Dead-Time Interval 2-29 Setting the Global RADIUS Server Number of Retransmissions 2-30 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 6 Displaying RADIUS Server Configuration Information 2-49 Displaying TACACS+ Server Configuration Information 2-51 Displaying LDAP Server Configuration Information 2-52 Displaying Accounting Configuration Information 2-52 Displaying Accounting Log Information 2-53 Displaying Authentication Configuration Information 2-54 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 7 Specifying the Layer 7 FTP Command Inspection Policy Actions 3-37 Configuring a Layer 7 HTTP Deep Inspection Policy 3-38 Configuring a Layer 7 HTTP Deep Inspection Class Map 3-39 Creating an HTTP Deep Inspection Class Map 3-39 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 8 Specifying the Layer 7 SCCP Inspection Policy Map Action 3-73 Configuring a Layer 7 SIP Inspection Policy 3-74 Configuring a Layer 7 SIP Inspection Class Map 3-74 Creating a Layer 7 SIP Inspection Class Map 3-75 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide viii OL-16202-01...
  • Page 9 Adding a Layer 3 and Layer 4 Policy Map Description 3-100 Specifying a Layer 3 and Layer 4 Traffic Class with the Traffic Policy 3-100 Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions 3-102 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 10 Enabling Strict Header Validation 3-120 Enabling Non-SIP URI Detection in SIP Messages 3-122 Associating a SIP Parameter Map with a Layer 3 and Layer 4 Policy 3-122 Applying a Service Policy 3-123 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 11 Configuring the Timeout for a Half-Closed Connection 4-15 Configuring the Connection Inactivity Timeout 4-16 Setting How the ACE Applies TCP Optimizations to Packets 4-16 Setting the Window Scale Factor 4-18 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 12 Setting the IP Packet TTL 4-40 Configuring Unicast Reverse-Path Forwarding 4-40 Configuring IP Fragment Reassembly Parameters 4-42 IP Fragment Reassembly Configuration Quick Start 4-42 Configuring the MTU for an Interface 4-44 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 13 Clearing IP Fragmentation and Reassembly Statistics 4-67 Clearing SYN Cookie Statistics 4-67 Configuring Network Address Translation C H A P T E R Network Address Translation Overview Dynamic NAT Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide xiii OL-16202-01...
  • Page 14 Configuring a Layer 7 Load-Balancing Class Map for Server Farm-Based Dynamic NAT 5-26 Configuring a Layer 7 Load-Balancing Policy Map for Server Farm-Based Dynamic NAT 5-27 Configuring Server Farm-Based Dynamic NAT as a Layer 7 Policy Action 5-28 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 15 Dynamic NAT and PAT (SNAT) Configuration Example 5-45 Server Farm-Based Dynamic NAT (SNAT) Configuration Example 5-46 Static Port Redirection (DNAT) Configuration Example 5-47 SNAT with Cookie Load Balancing Example 5-48 N D E X Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 16 Contents Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 17 Preface This guide describes how to configure the security feature of the Cisco 4700 Series Application Control Engine (ACE) appliance. This guide describes how to perform the following ACE security configuration tasks: Security access control lists (ACLs) • User authentication and accounting using a Terminal Access Controller •...
  • Page 18: How To Use This Guide

    Chapter 5, Configuring Describes NAT and how to configure it on the ACE. Network Address NAT protects your data center by hiding private Translation addresses from public networks. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide xviii OL-16202-01...
  • Page 19: Related Documentation

    Describes how to use the ACE Device Manager Application Control GUI to perform the initial setup and VIP Engine Appliance Device load-balancing configuration tasks. Manager GUI Quick Configuration Note Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 20 ACE: Engine Appliance Routing Configuring Ethernet ports • and Bridging Configuring VLAN interfaces • Configuration Guide Configuring routing • Configuring bridging • Configuring Dynamic Host Configuration • Protocol (DHCP) Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 21 ACE. Cisco 4700 Series Provides an alphabetical list and descriptions of all Application Control CLI commands by mode, including syntax, Engine Appliance options, and related commands. Command Reference Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 22 A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks. font Terminal sessions and information the system displays screen are in font. screen Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide xxii OL-16202-01...
  • Page 23 Means reader be careful. In this situation, you might do something that could Caution result in equipment damage or loss of data. For additional information about CLI syntax formatting, see the Cisco 4700 Series Application Control Engine Appliance Command Reference. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide...
  • Page 24 For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 25 Lists This chapter describes how to configure security access control lists (ACLs) on your Cisco 4700 Series Application Control Engine (ACE) appliance. ACLs provide basic security for your network by filtering traffic and controlling network connections. This chapter contains the following major sections: ACL Overview •...
  • Page 26: C H A P T E R 1 Configuring Security Access Control Lists

    You can also apply the same ACL on multiple interfaces.You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces. This section contains the following topics: ACL Types and Uses • ACL Guidelines • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 27: Acl Types And Uses

    For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE does not check any other statements in the ACL. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 28: Acl Implicit Deny

    Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 1-1. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 29 C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 30: Configuring Acls

    Enter the ACL name in uppercase letters so that the name is easy to see in the configuration. You may want to name the ACL for the interface (for example, INBOUND) or for the purpose (for example, NO_NAT or VPN). Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 31 | object_group network_grp_name} [icmp_type [code operator code1 [code2]]]} | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name} Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 32 Internet Control Message Protocol igmp Internet Group Management Protocol Internet Protocol ip-in-ip IP-in-IP Layer 3 Tunneling Protocol ospf Open Shortest Path First Protocol Independent Multicast Transmission Control Protocol User Datagram Protocol Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 33 UDP port names and numbers. Table 1-3 Well-Known TCP Port Numbers and Keywords Keyword Port Number Description 5190 America-Online Border Gateway Protocol chargen Character Generator citrix-ica 1494 Citrix Independent Computing Architecture Protocol Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 34 Internet Relay Chat kerberos Kerberos klogin Kerberos Login kshell Kerberos Shell ldap Lightweight Directory Access Protocol ldaps LDAP over TLS/SSL login Login (rlogin) lotusnotes 1352 IBM Lotus Notes Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-10 OL-16202-01...
  • Page 35 Sun Remote Procedure Call tacacs Terminal Access Controller Access Control System talk Talk telnet Telnet time Time uucp UNIX-to-UNIX Copy Program whois Nicname World Wide Web (HTTP) Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-11 OL-16202-01...
  • Page 36 Remote Authentication Dial-in User Service radius-acct 1813 RADIUS Accounting Routing Information Protocol snmp Simple Network Management Protocol snmptrap SNMP Traps sunrpc Sun Remote Procedure Call syslog System Logger Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-12 OL-16202-01...
  • Page 37 – range—Inclusive range of port values. If you enter this operator, enter a – second port number value to define the upper limit of the range. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-13 OL-16202-01...
  • Page 38 Table 1-5. Table 1-5 ICMP Types ICMP Code Number ICMP Type echo-reply unreachable source-quench redirect alternate-address echo router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply information-request information-reply mask-request mask-reply traceroute Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-14 OL-16202-01...
  • Page 39 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000 For example, to remove an entry from an extended ACL, enter: host1/Admin(config)# no access-list INBOUND line 10 To control a ping, specify echo (8) (host to ACE). Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-15 OL-16202-01...
  • Page 40: Configuring Comments In An Extended Acl

    For example, to remove entry comments from an ACL, enter: host1/Admin(config)# no access-list INBOUND line 200 remark If you delete an ACL using the no access-list name command, then all the remarks are also removed. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-16 OL-16202-01...
  • Page 41: Configuring An Ethertype Acl

    You can configure an EtherType ACL on a Layer 2 interface in the inbound Note direction only. On Cisco IOS routers, enter the appropriate command for your protocol: LDP or TDP. The interface is the interface connected to the ACE: host1/Admin(config)# mpls ldp router-id interface force...
  • Page 42: Resequencing Entries

    You can resequence the entries in an ACL with a specific starting number and interval by using the access-list name resequence command in configuration mode. The ability to resequence entries in an ACL is supported only for extended ACLs. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-18 OL-16202-01...
  • Page 43 Chapter 1 Configuring Security Access Control Lists Configuring ACLs The syntax of this command is as follows: access-list name resequence [number1] [number2] Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-19 OL-16202-01...
  • Page 44: Simplifying Access Control Lists With Object Groups

    ACL entry instead of having to enter an ACL entry for each object separately. You can create the following types of object groups: Network object groups • Service object groups • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-20 OL-16202-01...
  • Page 45: Creating A Network Object Group

    Creating a Network Object Group • Adding a Description to a Network Object Group • • Configuring a Network IP Address for a Network Object Group Configuring a Host IP Address • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-21 OL-16202-01...
  • Page 46 The syntax of this command is as follows: description text The text argument is an unquoted text string with a maximum of 240 alphanumeric characters. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-22 OL-16202-01...
  • Page 47 To associate a host IP address with a network object group, use the host command in object-group network configuration mode. The syntax of this command is as follows: host ip_address Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-23 OL-16202-01...
  • Page 48: Configuring Service Object Groups

    Enter an unquoted text string • with no spaces and a maximum of 64 alphanumeric characters. For example, to create a service object group, enter: host1/Admin(config)# object-group service SERV_OBJ_GROUP1 host1/Admin(config-objgrp-serv)# Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-24 OL-16202-01...
  • Page 49 SERV_OBJ_GROUP1 host1/Admin(config-objgrp-serv)# description intranet network object group To remove a description from a service object group, enter: host1/Admin(config)# object-group service SERV_OBJ_GROUP1 host1/Admin(config-objgrp-serv)# no description intranet network object group Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-25 OL-16202-01...
  • Page 50 ICMP message codes. If you – enter this operator, enter a second port number value or a second ICMP message code to define the upper limit of the range. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-26 OL-16202-01...
  • Page 51 0 To remove the ICMP protocol from the above service object group, enter: host1/Admin(config-objgrp-prot)# no icmp echo code eq 0 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-27 OL-16202-01...
  • Page 52: Using Object Groups In An Acl

    10.1.1.4 host 209.165.201.16 eq www host1/Admin(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www host1/Admin(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-28 OL-16202-01...
  • Page 53 ACL_IN extended deny tcp object-group DENIED object-group WEB eq www host1/Admin(config)# access-list ACL_IN extended permit ip any any host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input ACL_IN Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-29 OL-16202-01...
  • Page 54 209.165.201.16 eq www (hitcount=0) access-list ACL_IN line 8 extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www (hitcount=0) access-list ACL_IN line 16 extended permit ip any any (hitcount=0) Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-30 OL-16202-01...
  • Page 55: Applying An Acl To An Interface

    Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For example, enter: host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input INBOUND To remove an ACL from an interface, enter: host1/Admin(config-if)# no access-group input INBOUND Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-31 OL-16202-01...
  • Page 56: Applying An Acl Globally To All Interfaces In A Context

    In a redundancy configuration, the ACE does not apply a global ACL to the • FT VLAN. For details about redundancy, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. To apply an ACL globally to all interfaces in a context in the inbound direction, use the access-group input command in configuration mode.
  • Page 57: Filtering Traffic With An Acl

    The following ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted. host1/Admin(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 host1/Admin(config)# access-list ACL_IN extended permit ip any any Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-33 OL-16202-01...
  • Page 58: Inbound And Outbound Acls

    INBOUND extended permit icmp host 10.0.0.1 host 20.0.0.1 unreachable code range 0 3 This section contains the following topics: Inbound and Outbound ACLs • IP Addresses for ACLs with NAT • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-34 OL-16202-01...
  • Page 59 Inbound and outbound refer to the application of an ACL on an interface, either Note to traffic entering the ACE on an interface or traffic exiting the ACE on an interface. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-35 OL-16202-01...
  • Page 60 HR extended permit ip any any host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input HR host1/Admin(config)# access-list ENG extended permit ip any any host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input ENG Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-36 OL-16202-01...
  • Page 61 OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www host1/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group output OUTSIDE Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-37 OL-16202-01...
  • Page 62 ACLs. The ACL direction does not determine the address used, only the interface to which the ACL is attached determines the address that is used. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-38 OL-16202-01...
  • Page 63 10.1.1.0/24 to access the outside destination host 209.165.200.225 and apply the ACL to VLAN interface 100: host1/Admin(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225 host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input INSIDE Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-39 OL-16202-01...
  • Page 64 The last command applies the ACL to VLAN interface 100. host1/Admin(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5 host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input OUTSIDE Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-40 OL-16202-01...
  • Page 65 INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56 host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input INSIDE For an example of IP addresses used in outbound ACLs, see Figure 1-2. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-41 OL-16202-01...
  • Page 66: Examples Of Ethertype Acls

    BPDU but allows all others on both interfaces: host1/Admin(config)# access-list nonIP ethertype deny bpdu host1/Admin(config)# access-list nonIP ethertype permit any host1/Admin(config)# interface vlan 100 host1/Admin(config-if)# access-group input ethertype nonIP Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-42 OL-16202-01...
  • Page 67: Displaying Acl Configuration Information And Statistics

    MD5-hash value that the ACE uses to identify the ACL entry that caused a deny syslog (106023). See the description of the 0xnnnnnnnn output field in Table 1-6. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-43 OL-16202-01...
  • Page 68 ACL entry that caused the syslog, you need to search for an entry in this command output that matches both the hash 1 and the hash 2 hexadecimal values. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-44 OL-16202-01...
  • Page 69: Displaying The Acl Merge Tree Node Usage

    If you configured redundancy, then you must explicitly clear ACL statistics (hit Note counts) on both the active and the standby ACEs. Clearing statistics on the active appliance only will leave the standby appliance’s statistics at the old value. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-45 OL-16202-01...
  • Page 70 Chapter 1 Configuring Security Access Control Lists Clearing ACL Statistics Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 1-46 OL-16202-01...
  • Page 71: Configuring Authentication And Accounting Services

    Configuring Authentication and Accounting Services This chapter describes how to configure the Cisco 4700 Series Application Control Engine (ACE) appliance to perform user authentication and accounting (AAA) services to provide a higher level of security for users accessing the ACE.
  • Page 72: C H A P T E R 2 Configuring Authentication And Accounting Services

    IP address. Users can also send SNMP requests to the ACE by using this IP address. Only the Admin context is accessible through the console port; all other contexts Note can be reached through Telnet or SSH. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 73 (TACACS+), or Lightweight Directory Access Protocol (v3) (LDAP) server for remote authentication and designation of access rights. This section contains the following topics: Local Database and Remote Server Support • Authentication Overview • Accounting Overview • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 74: Local Database And Remote Server Support

    ACE declares the server to be unresponsive and initiates the sequence to contact the next available server specified in the server group. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 75: Local Database

    A TACACS+ server can provide user authentication and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the services. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 76: Radius Server

    The types are mnemonic strings, such as “cn” for a common name, or “mail” for an e-mail address. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 77: Authentication Overview

    The host is prompted by the ACE to provide a valid username and password. After the designated RADIUS, TACACS+, or LDAP server authenticates the username and password, the ACE provides access rights to the user. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 78: Accounting Overview

    ACE. Each step includes the CLI command required to complete the task. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 79 1645 host1/Admin(config)# radius-server host 192.168.2.3 acct-port 1646 host1/Admin(config)# radius-server host 192.168.2.3 authentication host1/Admin(config)# radius-server host 192.168.2.3 accounting host1/Admin(config)# radius-server host 192.168.2.3 timeout 25 host1/Admin(config)# radius-server host 192.168.2.3 retransmit 3 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 80 RAD_Server_Group1 local none Configure the default accounting method. host1/Admin(config)# aaa accounting default group RAD_Server_Group1 local (Optional) Save your configuration changes to flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-10 OL-16202-01...
  • Page 81: Configuring The Aaa Server

    Configuring the AAA Server This section describes how to set up a TACACS+ or RADIUS server such as the Cisco Secure Access Control Server (ACS). It also covers general guidelines for setting up an LDAP directory server, such as OpenLDAP Software available from OpenLDAP Project.
  • Page 82: Configuring Accounting Settings On The Tacacs+ Server

    Chapter 2 Configuring Authentication and Accounting Services Configuring the AAA Server Key—Enter the shared secret that the ACE and Cisco Secure ACS use to • authenticate transactions. You must specify the identical shared secret on both the Cisco Secure ACS and the ACE. The key is case sensitive.
  • Page 83: Defining Private Attributes For Virtualization Support In A Tacacs+ Server

    <domain1> <domain2>...<domainN> shell:<contextname>*<role> <domain1> <domain2>...<domainN> If you are using Cisco IOS command authorization, be sure to use an asterisk (*) Note rather than the equals sign (=) operator in the shell command string. The equals sign indicates that Cisco IOS software expects a required field to follow.
  • Page 84 Check the Per-user TACACS+/RADIUS Attributes check box. Click Submit. Go to the User Setup section of the Cisco Secure ACS HTML interface and Step 3 double-click the name of an existing user that you want to define a user profile attribute for virtualization.
  • Page 85: Configuring A Radius Server

    Configuring Authentication Settings on the RADIUS Server To configure the RADIUS authentication settings on Cisco Secure ACS, perform the following steps Go to the Network Configuration section of the Cisco Secure ACS HTML Step 1 interface. If you are using Network Device Groups (NDGs), you must also click the Note name of the NDG to which you want to add the AAA client entry.
  • Page 86 AAA client. Click Submit + Restart. Step 4 Cisco Secure ACS saves the AAA client entry and restarts its services, after which it will accept and process RADIUS requests from the ACE. Configuring Accounting Settings on the RADIUS Server...
  • Page 87 Chapter 2 Configuring Authentication and Accounting Services Configuring the AAA Server (Optional) If you are using Cisco Secure ACS for Windows Server, you can Step 4 specify log file management, which determines how large the RADIUS account files can be, how many are retained, how long they are retained, and where they are stored.
  • Page 88 To configure the RADIUS role and domain settings on Cisco Secure ACS, perform the following steps: Go to the User Setup section of the Cisco Secure ACS HTML interface and Step 1 double-click the name of an existing user that you want to define a user profile attribute for virtualization.
  • Page 89: Configuring An Ldap Server

    The Example Corporation dn: cn=Manager,dc=example,dc=com objectclass: organizationalRole cn: Manager Run ldapadd to insert these entries into your directory. For example: Step 5 ldapadd -x -D “cn=Manager,dc=example,dc=com” -w secret -f example.ldif Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-19 OL-16202-01...
  • Page 90: Defining Private Attributes For Virtualization Support In An Ldap Server

    See the LDAP client documentation for information about how to extend the attributetype directive used by the slapd LDAP directory server. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-20 OL-16202-01...
  • Page 91 RFC 2849. An example is as follows: dn: ctxid=admin,cn=john,ou=employees,dc=example,dc=com objectClass: ctxperson ctxid: admin cn: john usrprof: shell:Admin=ROLE-1 DOMAIN-1 userPassword: xxxxxxxx Start the LDAP server, which is slapd in the case of OpenLDAP. Step 4 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-21 OL-16202-01...
  • Page 92 If the bind is successful, the LDAP server returns an authentication PASS • message and also includes the user profile attribute value in this message. The LDAP client sends an unbind request to the LDAP server. • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-22 OL-16202-01...
  • Page 93: Creating User Accounts

    For detailed information about creating contexts and user accounts to provide access to the local database on the ACE for CLI access authentication, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-23 OL-16202-01...
  • Page 94: Configuring The Ace As A Client Of A Radius, Tacacs+, Or Ldap Server

    This section contains the following topics: Configuring RADIUS on the ACE • Configuring TACACS+ on the ACE • Configuring LDAP on the ACE • Configuring AAA Server Groups • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-24 OL-16202-01...
  • Page 95: Configuring Radius On The Ace

    RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays keys in encrypted form. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-25 OL-16202-01...
  • Page 96 Specifies that the RADIUS server is used only for • accounting. Note If you do not specify either the authentication or accounting options, the RADIUS server is used for both accounting and authentication. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-26 OL-16202-01...
  • Page 97 192.168.2.3 timeout 25 host1/Admin(config)# radius-server host 192.168.2.3 retransmit 3 To revert to a default RADIUS server authentication setting, enter: host1/Admin(config)# no radius-server host 192.168.2.3 acct-port 1646 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-27 OL-16202-01...
  • Page 98 ACE. This global key is applied to those RADIUS servers in a named server group for which a shared secret is not individually configured by the radius-server host command. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-28 OL-16202-01...
  • Page 99 The ACE skips a RADIUS server that is marked as dead by sending additional requests for the duration of the specified minutes argument. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-29 OL-16202-01...
  • Page 100 RADIUS server before trying to contact the next available server. The range is from 1 to 5 times. The default is 1. For example, to globally configure the number of retransmissions to 3, enter: host1/Admin(config)# radius-server retransmit 3 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-30 OL-16202-01...
  • Page 101: Configuring Tacacs+ On The Ace

    • Setting the TACACS+ Server Parameters Setting the Global Preshared Key • Setting the Global TACACS+ Server Dead-Time Interval • Setting the Global TACACS+ Server Timeout Value • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-31 OL-16202-01...
  • Page 102 49, use the port keyword to configure the ACE for the appropriate port prior to starting the TACACS+ service. The port_number argument specifies the TACACS+ port number. Valid values are from 1 to 65535. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-32 OL-16202-01...
  • Page 103 63 alphanumeric characters or you can enter spaces if you enclose the entire key with quotation marks (for example, “my key”). Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-33 OL-16202-01...
  • Page 104 (24 hours). The default is 0. For example, to globally configure a 15-minute dead-time interval for TACACS+ servers that fail to respond to authentication requests, enter: host1/Admin(config)# tacacs-server deadtime 15 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-34 OL-16202-01...
  • Page 105: Configuring Ldap On The Ace

    This section contains the following topics: • Setting the LDAP Server Parameters Setting the Global LDAP Server Port Setting • Setting the Global LDAP Server Timeout Value • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-35 OL-16202-01...
  • Page 106 LDAP server database. Enter a quoted string that has a maximum of 63 alphanumeric characters. The default is an empty string. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-36 OL-16202-01...
  • Page 107 For example, to globally configure the TCP port, enter: host1/Admin(config)# ldap-server port 2003 To revert to the default of TCP port 389, enter: host1/Admin(config)# no ldap-server port 2003 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-37 OL-16202-01...
  • Page 108: Setting The Global Ldap Server Timeout Value

    Configuring the User Profile Attribute Type for an LDAP Server Group • Configuring the Base DN for an LDAP Server Group • • Configuring the Search Filter for an LDAP Server Group Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-38 OL-16202-01...
  • Page 109: Group

    The CLI displays the TACACS+, RADIUS, or LDAP server configuration mode where you identify the name of one or more previously configured servers that you want added to the server group. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-39 OL-16202-01...
  • Page 110 Base DN—See the “Configuring the Base DN for an LDAP Server – Group” section. LDAP search filter—See the “Configuring the Search Filter for an LDAP – Server Group” section. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-40 OL-16202-01...
  • Page 111 For example, to globally configure a 15-minute dead-time interval for TACACS+ servers that fail to respond to authentication requests, enter: host1/Admin(config-tacacs)# deadtime 15 To reset the RADIUS server dead-time interval to 0, enter: host1/Admin(config-tacacs)# no deadtime 15 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-41 OL-16202-01...
  • Page 112 For example, to globally configure a 15-minute dead-time interval for RADIUS servers that fail to respond to authentication requests, enter: host1/Admin(config-radius)# deadtime 15 To reset the RADIUS server dead-time interval to 0, enter: host1/Admin(config-radius)# no deadtime 15 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-42 OL-16202-01...
  • Page 113: Configuring The User Profile Attribute Type For An Ldap Server Group

    You can configure the LDAP user profile attribute at the subconfiguration level for the LDAP server group (created as described in the “Configuring AAA Server Groups” section). The syntax of this command is as follows: attribute user-profile text Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-43 OL-16202-01...
  • Page 114: Configuring The Base Dn For An Ldap Server Group

    For example, to configure the base DN, enter: host1/Admin(config)# aaa group server ldap LDAP_Server_Group1 host1/Admin(config-ldap)# base-DN “dc=sns,dc=cisco,dc=com” To delete the configured base DN, enter: host1/Admin(config-ldap)# no base-DN “dc=sns,dc=cisco,dc=com” Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-44 OL-16202-01...
  • Page 115: Configuring The Search Filter For An Ldap Server Group

    For example, to configure a search request, enter: host1/Admin(config)# aaa group server ldap LDAP_Server_Group1 host1/Admin(config-ldap)# filter search-user “(&(objectclass=person) (&(cn=$userid)(cid=$contextid)))” To delete the search request, enter: host1/Admin(config-ldap)# no filter search-user “(&(objectclass=person)(&(cn=$userid)(cid=$contextid)))” Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-45 OL-16202-01...
  • Page 116: Defining The Login Authentication Method

    ACE as the login • authentication method. If the server does not respond, then the local database is used as the fallback authentication method. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-46 OL-16202-01...
  • Page 117 TacServers local none For example, to revert to the local authentication method, enter: host1/Admin(config)# no aaa authentication login console group TacServers local none Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-47 OL-16202-01...
  • Page 118: Defining The Default Accounting Method

    TacServers local To revert to the default local accounting method, enter: host1/Admin(config-context)# no aaa accounting default group TacServers local Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-48 OL-16202-01...
  • Page 119: Viewing Aaa Status And Statistics

    You can display the configured RADIUS server and group parameters by using the show radius-server command. The syntax of this command is as follows: show radius-server [groups | sorted] Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-49 OL-16202-01...
  • Page 120 RADIUS servers are configured: 192.168.34.45: available for authentication on port:1812 available for accounting on port:1813 192.168.2.3: available for authentication on port:1812 available for accounting on port:1813 RADIUS shared secret:******** Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-50 OL-16202-01...
  • Page 121: Displaying Tacacs+ Server Configuration Information

    TACACS+ server groups are configured: group TacServers: server 192.168.58.91 on port 2 For example, to display the sorted TACACS+ servers, enter: host1/Admin# show tacacs-server sorted timeout value:1 total number of servers:1 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-51 OL-16202-01...
  • Page 122: Displaying Ldap Server Configuration Information

    The syntax of this command is as follows: show aaa accounting For example, to display accounting configuration information, enter: host1/Admin# show aaa accounting default: local Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-52 OL-16202-01...
  • Page 123: Displaying Accounting Log Information

    Sat Nov 5 00:20:58 2005:update:/dev/ttyS00_946684975:admin:0:ft group 1 Sat Nov 5 00:20:58 2005:update:/dev/ttyS00_946684975:admin:0:peer Sat Nov 5 00:20:58 2005:update:/dev/ttyS00_946684975:admin:0:priority 50 Sat Nov 5 00:20:58 2005:update:/dev/ttyS00_946684975:admin:0:associate-context Admin Sat Nov 5 00:20:58 2005:update:/dev/ttyS00_946684975:admin:0:inservice Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-53 OL-16202-01...
  • Page 124: Displaying Authentication Configuration Information

    For example, to display the configured authentication parameters, enter: host1/Admin# show aaa authentication default: group TacServers local none console: local host1/Admin# show aaa authentication login error-enable enabled Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 2-54 OL-16202-01...
  • Page 125: Configuring Application Protocol Inspection

    Configuring a DNS Parameter Map • Configuring an HTTP Parameter Map • Configuring an SCCP Parameter Map • Configuring a SIP Parameter Map • Applying a Service Policy • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 126: Application Protocol Inspection Overview

    “fixup” for applications that do the following: Embed IP addressing information in the data packet including the data • payload. Open secondary channels on dynamically assigned ports. • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 127 ACE, the default TCP or UDP protocol and port, and whether the protocol is compatible with Network Address Translation (NAT) and Port Address Translation (PAT). Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 128 RFC 2616 Inspects HTTP packets. See the “HTTP Deep Dest—80 Packet Inspection” section for more information. ICMP ICMP Src—N/A Both — See the “ICMP Inspection” section for Dest—N/A more information. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 129 Dest—389 supported. Includes support for Users in multiple RFC 1777 directories are not unified. (LDAPv2) Single users having multiple identities in multiple directories cannot be recognized by NAT. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 130 For example, FTP commands are supposed to be in a particular order, but the does not enforce the order. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 131 The flow chart also shows how the ACE associates the various components of the class map and policy map configuration with each other. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 132 Associates the Layer 7 FTP inspection class map HTTP_INSPECT_L4POLICY and specifies one or more of the following actions: Service policy applies policy Deny map to a specific VLAN Mask-reply interface Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 133: Application Inspection Protocol Overview

    Performs a maximum DNS packet length check to verify that the maximum • length of a DNS reply is no greater than the value specified in the inspect dns command. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 134: Ftp Inspection

    • response to a file upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated through the PORT or PASV commands. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-10 OL-16202-01...
  • Page 135 Command spoofing—Verifies that the PORT command is always sent – from the client. If a PORT command is sent from the server, the ACE denies the TCP connection. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-11 OL-16202-01...
  • Page 136: Http Deep Packet Inspection

    ICMP traffic to pass through the ACE. Without stateful inspection, ICMP can be used to attack your network. ICMP inspection ensures that there is only one response for each request, and that the sequence number is correct. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-12 OL-16202-01...
  • Page 137 Allows reply packets only if a valid connection record exists and prevents the • reply packets from passing through an ACL again if the connection record (or the state information) exists. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-13 OL-16202-01...
  • Page 138: Ils Inspection

    Because ILS traffic occurs only on the secondary UDP channel, the ACE disconnects the TCP connection after the TCP inactivity interval has elapsed. By default, the TCP inactivity is 60 minutes, but you can adjust it using a connection Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-14 OL-16202-01...
  • Page 139: Rtsp Inspection

    RTSP inspection is not required in this case to open a secure port (pinhole) for the data channel. The ACE parses SETUP response messages with a status code of 200. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-15 OL-16202-01...
  • Page 140: Sccp Inspection

    The following additional restrictions apply to RTSP inspection as performed by the ACE: With Cisco IP/TV, the number of translations that the ACE performs on the • SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
  • Page 141 Validates message ID length (configurable maximum). • Ensures that only registered clients can make calls. This feature is • configurable and disabled by default. Allows you to configure timeouts. • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-17 OL-16202-01...
  • Page 142: Sip Inspection

    If the user is not entitled to talk to any host on the protected network, the SIP ACE appliance will generate a SIP message (Response 603 Decline). Checks the Via field to deny messages from specific SIP proxy servers. • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-18 OL-16202-01...
  • Page 143 ACE appliance. You can specify the Content-type string in the form of a regular expression, for example, Application/SDP, text/html. The default behavior is to allow all types. Enforces SIP or SIPS URI length (user configurable). – Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-19 OL-16202-01...
  • Page 144 Therefore, the callee cannot learn the real IP address of the caller. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-20 OL-16202-01...
  • Page 145: Application Protocol Inspection Configuration Quick Start Procedures

    Change to the correct context if necessary. host1/Admin# changeto C1 host1/C1# For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line.
  • Page 146 Include one or more of the match commands as part of the Layer 3 and Layer 4 class map. host1/Admin(config-cmap)# description FTP command inspection of incoming traffic host1/Admin(config-cmap)# match port tcp eq 21 host1/Admin(config-cmap)# exit host1/Admin(config)# Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-22 OL-16202-01...
  • Page 147 VLAN, enter: host1/Admin(config)# interface vlan 50 host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0 host1/Admin(config-if)# service-policy input FTP_INSPECT_L4POLICY (Optional) Save your configuration changes to flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-23 OL-16202-01...
  • Page 148 C1 host1/C1# The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 149 (Optional) Configure the class map to define application inspection decisions that limit the HTTP transfer-encoding types that can pass through the ACE. host1/Admin(config-cmap-http-insp)# match transfer-encoding chunked Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-25 OL-16202-01...
  • Page 150 Include one or more of the match commands as part of the Layer 3 and Layer 4 class map. host1/Admin(config-cmap)# description HTTP protocol deep inspection of incoming traffic host1/Admin(config-cmap)# match port tcp eq 80 host1/Admin(config-cmap)# exit host1/Admin(config)# Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-26 OL-16202-01...
  • Page 151 VLAN, enter: host1/Adminhost1/Admin(config)#interface vlan50 host1/Admin(config-if)# ip address 172.16.1.100 255.255.255.0 host1/Admin(config-if)# service-policy input HTTP_INSPECT_L4POLICY (Optional) Save your configuration changes to flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-27 OL-16202-01...
  • Page 152 Change to the correct context if necessary. host1/Admin# changeto C1 host1/C1# For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode. host1/Admin# config Enter configuration commands, one per line.
  • Page 153 1500 host1/Admin(config-if)# ip address 192.168.1.100 255.255.0.0 host1/Admin(config-if)# service-policy input DNS_INSPECT_L4POLICY (Optional) Save your configuration changes to flash memory. host1/Admin(config)# exit host1/Admin# copy running-config startup-config Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-29 OL-16202-01...
  • Page 154: Configuring A Layer 7 Ftp Command Inspection Policy

    • Layer 7 action lists This section contains the following topics: Configuring an FTP Inspection Class Map • Configuring a Layer 7 FTP Command Inspection Policy Map • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-30 OL-16202-01...
  • Page 155: Configuring An Ftp Inspection Class Map

    ACE to indicate a match, enter: host1/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS host1/Admin(config-cmap-ftp-insp)# match request-method cdup host1/Admin(config-cmap-ftp-insp)# match request-method mkdir host1/Admin(config-cmap-ftp-insp)# match request-method get host1/Admin(config-cmap-ftp-insp)# match request-method put Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-31 OL-16202-01...
  • Page 156 FTP commands that you want filtered by the ACE. You must access the class map configuration mode to specify the match request-method command. The syntax of this command is as follows: match request-method ftp_commands Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-32 OL-16202-01...
  • Page 157: Configuring A Layer 7 Ftp Command Inspection Policy Map

    Including Inline Match Statements in a Layer 7 FTP Command Inspection • Policy Map Associating a Layer 7 FTP Command Inspection Traffic Class with the • Traffic Policy Specifying the Layer 7 FTP Command Inspection Policy Actions • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-33 OL-16202-01...
  • Page 158 The syntax of this command is as follows: description text Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-34 OL-16202-01...
  • Page 159: Including Inline Match Statements In A Layer 7 Ftp Command Inspection Policy Map

    See • below for details on the match commands associated with the Layer 7 FTP command inspection class map. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-35 OL-16202-01...
  • Page 160: Associating A Layer 7 Ftp Command Inspection Traffic Class With The Traffic Policy

    The CLI displays the policy map class configuration mode. For example, to specify an existing class map in the Layer 7 policy map, enter: host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS host1/Admin(config-pmap-ftp-ins-c)# Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-36 OL-16202-01...
  • Page 161: Specifying The Layer 7 Ftp Command Inspection Policy Actions

    FTP_INSPECT_L7POLICY host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS host1/Admin(config-pmap-ftp-ins-c)# mask-reply To disable an action from the Layer 7 FTP inspection policy map, enter: host1/Admin(config-pmap-ftp-ins-c)# no mask-reply Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-37 OL-16202-01...
  • Page 162: Configuring A Layer 7 Http Deep Inspection Policy

    Layer 7 action lists This section contains the following topics: Configuring a Layer 7 HTTP Deep Inspection Class Map • Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-38 OL-16202-01...
  • Page 163: Configuring A Layer 7 Http Deep Inspection Class Map

    HTTP traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions: Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-39 OL-16202-01...
  • Page 164 Length for Inspection” section. match header mime-type—See the “Defining a Header MIME-Type • Messages for Inspection” section. match port-misuse—See the “Defining an HTTP Traffic Restricted • Category” section. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-40 OL-16202-01...
  • Page 165 The syntax of this command is as follows: description text Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-41 OL-16202-01...
  • Page 166 Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?). Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-42 OL-16202-01...
  • Page 167 ACE. Based on the policy map action, the ACE allows or denies messages with a content length equal to the specified value. Valid entries are from 1 to 65535 bytes. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-43 OL-16202-01...
  • Page 168 “Including Inline Match Statements in a Layer 7 HTTP Deep Packet Inspection Policy Map” section. The syntax of this command is as follows: match cookie secondary [name cookie_name | prefix prefix_name] value expression Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-44 OL-16202-01...
  • Page 169 0 or more of expression. (expr)+ 1 or more of expression. expr{m,n} Repeat the expression between m and n times, where m and n have a range from 1 to 255. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-45 OL-16202-01...
  • Page 170 HTTP_INSPECT_L7CLASS host1/Admin(config-cmap-http-insp)# match cookie secondary prefix id value .* host1/Admin(config-cmap-http-insp)# match cookie secondary name identity value bob Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-46 OL-16202-01...
  • Page 171 To remove a secondary cookie match statement from a class map, enter the no form of the command as follows: host1/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS host1/Admin(config-cmap-http-insp)# no match cookie secondary value .*machine-key Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-47 OL-16202-01...
  • Page 172 HTTP header; the ACE rejects the colon as an invalid token. header_field—Standard HTTP/1.1 header field. Valid selections include • request-header fields, general-header fields, and entity-header field. Table 3-6 lists the supported HTTP/1.1 header fields. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-48 OL-16202-01...
  • Page 173 Expect Used by a client to inform the server about the behaviors that the client requires. From E-mail address of the person that controls the requesting user agent. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-49 OL-16202-01...
  • Page 174 Transfer-Encoding What (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-50 OL-16202-01...
  • Page 175 For example, to specify that the Layer 7 class map is to match and perform application inspection on HTTP headers, enter: host1/Admin(config)# class-map type http inspect HTTP_INSPECT_L7CLASS host1/Admin(config-cmap)# match header Host header-value .mycompanyexample.com Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-51 OL-16202-01...
  • Page 176 HTTP header request message that can be • received by the ACE. response—Specifies the size of the HTTP header response message sent by • the ACE. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-52 OL-16202-01...
  • Page 177 MIME-type validation extends the format of Internet mail to allow non-US-ASCII textual messages, nontextual messages, multipart message bodies, and non-US-ASCII information in message headers. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-53 OL-16202-01...
  • Page 178 The supported mime-types are as follows: application/msexcel – application/mspowerpoint – application/msword – application/octet-stream – application/pdf – application/postscript – application/x-gzip – – application/x-java-archive application/x-java-vm – application/x-messenger – application/zip – audio/* – Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-54 OL-16202-01...
  • Page 179 – image/x-portable-greymap – image/x-xpm – text/* – – text/css text/html – text/plain – text/richtext – text/sgml – text/xmcd – text/xml – video/* – video/flc – video/mpeg – Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-55 OL-16202-01...
  • Page 180 (p2p) applications, tunneling applications, and instant messaging. You must access the class map configuration mode to specify the match port-misuse command. The syntax of this command is as follows: [line_number] match port-misuse application_category Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-56 OL-16202-01...
  • Page 181 HTTP_INSPECT_L7CLASS host1/Admin(config-cmap-http-insp)# match port-misuse p2p To clear the HTTP restricted application category match criteria from the class map, enter: host1/Admin(config-cmap-http-insp)# no match port-misuse p2p Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-57 OL-16202-01...
  • Page 182 Each match request-method command configures a single request method. • • For unsupported HTTP request methods, include the inspect http strict command as an action in the Layer 3 and Layer 4 policy map. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-58 OL-16202-01...
  • Page 183 You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-59 OL-16202-01...
  • Page 184 URL expression. You must access the class map configuration mode to specify the match url command. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-60 OL-16202-01...
  • Page 185 HTTP_INSPECT_L7CLASS host1/Admin(config-cmap-http-insp)# match url .*.gif host1/Admin(config-cmap-http-insp)# match url .*.html To clear a URL match criteria from the class map, enter: host1/Admin(config-cmap-http-insp)# no match url .*.gif Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-61 OL-16202-01...
  • Page 186 ACE. Based on the policy map action, the ACE allows or denies messages with a URL length within this range. The range is from 1 to 65535 bytes. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-62 OL-16202-01...
  • Page 187: Configuring A Layer 7 Http Deep Packet Inspection Policy Map

    You can use the policy-map type inspect http command in configuration mode to name the traffic policy and initiate Layer 7 HTTP deep packet inspection. The syntax of this command is as follows: policy-map type inspect http all-match map_name Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-63 OL-16202-01...
  • Page 188: Description

    To add a description that the policy map is to perform HTTP deep packet inspection, enter: host1/Admin(config-pmap-ins-http)# description HTTP protocol deep inspection of incoming traffic To remove the description from the policy map, enter: host1/Admin(config-pmap-ins-http)# no description Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-64 OL-16202-01...
  • Page 189: Including Inline Match Statements In A Layer 7 Http Deep Packet Inspection Policy Map

    [offset number] match name content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes 2} match name content-type-verification Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-65 OL-16202-01...
  • Page 190 The MIME-type HTTP inspection process requires a search up to the Note configured maximum content parse length of the HTTP message, which may degrade performance of the ACE. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-66 OL-16202-01...
  • Page 191: Policy

    The ACE does not save sequence reordering through the insert-before command as part of the configuration. The syntax of this command is as follows: class map_name1 insert-before map_name2 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-67 OL-16202-01...
  • Page 192 HTTP traffic depending on whether it matches the specified commands. You apply the specified command against the single inline match command or the specified class map. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-68 OL-16202-01...
  • Page 193 By default, all matches are applied to both HTTP request and response messages, Note but the class class-default command is applied only to HTTP requests. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-69 OL-16202-01...
  • Page 194: Configuring A Layer 7 Sccp Inspection Policy

    You can create a Layer 7 SCCP inspection policy map by using the policy-map type inspect skinny command in configuration mode. The syntax of this command is as follows: policy-map type inspect skinny name Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-70 OL-16202-01...
  • Page 195: Adding A Description To The Layer 7 Sccp Inspection Policy Map

    For example, enter: host1/Admin(config-pmap-ins-skinny)# description this is an SCCP inspection policy map To remove the policy map description from the configuration, enter: host1/Admin(config-pmap-ins-skinny)# no description Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-71 OL-16202-01...
  • Page 196: Including An Inline Match Statement In A Layer 7 Sccp Inspection Policy Map

    SCCP_MATCH message-id range 100 500 host1/Admin(config-pmap-ins-skinny-m)# To remove the inline match statement from the policy map, enter: host1/Admin(config-pmap-ins-skinny)# no match SCCP_MATCH message-id range 100 500 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-72 OL-16202-01...
  • Page 197: Specifying The Layer 7 Sccp Inspection Policy Map Action

    SCCP_INSPECT_L7POLICY host1/Admin(config-pmap-ins-skinny)# match SCCP_MATCH message-id range 100 500 host1/Admin(config-pmap-ins-skinny-m)# reset To disable the action in the Layer 7 SCCP inspection policy map, enter: host1/Admin(config-pmap-ins-skinny-m)# no reset Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-73 OL-16202-01...
  • Page 198: Configuring A Layer 7 Sip Inspection Policy

    Adding a Layer 7 Class Map Description for SIP Inspection • • Defining the Called Party in the SIP To Header Defining the Calling Party in the SIP From Header • Defining SIP Content Checks • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-74 OL-16202-01...
  • Page 199: Creating A Layer 7 Sip Inspection Class Map

    For example, you could not have two match uri sip length statements in the same class map, but you could have one match uri sip length and one match uri tel length statement in one class map. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-75 OL-16202-01...
  • Page 200 JOHN_Q_PUBLIC host1/Admin(config-cmap-sip-insp)# match content type sdp To remove the SIP inspection class map from the ACE, enter: host1/Admin(config)# no class-map type sip inspect match-any SIP_INSPECT_L7CLASS Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-76 OL-16202-01...
  • Page 201: Adding A Layer 7 Class Map Description For Sip Inspection

    To header. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-77 OL-16202-01...
  • Page 202: Defining The Calling Party In The Sip From Header

    SIP From header. Enter a regular expression from 1 to 255 alphanumeric characters. The ACE supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-78 OL-16202-01...
  • Page 203: Defining Sip Content Checks

    The line numbers do not dictate a priority or sequence for the match statements. length—Specifies the SIP message body length. • gt—Specifies the greater than operator. • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-79 OL-16202-01...
  • Page 204 SIP_INSP_POLICY host1/Admin(config-pmap-ins-sip)# class SIP_INSP_CLASS host1/Admin(config-pmap-ins-sip-c)# deny To remove the match statement from the class map, enter: host1/Admin(config-cmap-sip-insp)# no match content length gt 200 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-80 OL-16202-01...
  • Page 205: Defining The Sip Instant Messaging Subscriber

    (\) to escape a dot (.) or a question mark (?). For example, enter: host1/Admin(config-cmap-sip-insp)# match im-subscriber John_Q_Public To remove the match statement from the class map, enter: host1/Admin(config-cmap-sip-insp)# no match im-subscriber John_Q_Public Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-81 OL-16202-01...
  • Page 206: Defining The Message Path Taken By Sip Messages

    You can also use a backslash (\) to escape a dot (.) or a question mark (?). For example, enter: host1/Admin(config-cmap-sip-insp)# match message-path 192.168.12.3:5060 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-82 OL-16202-01...
  • Page 207: Defining The Sip Request Methods

    SIP method using one of the following keywords: • – – cancel – info – invite – message – notify – options – prack – – refer register – subscribe – unknown – update – Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-83 OL-16202-01...
  • Page 208: Defining The Sip Party Registration Entities

    You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-84 OL-16202-01...
  • Page 209: Defining Sip Uri Checks

    To filter SIP traffic based on URIs, use the match uri command in class map SIP inspection configuration mode. The syntax of this command is as follows: [line_number] match uri {sip | tel} length gt value Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-85 OL-16202-01...
  • Page 210: Configuring A Layer 7 Sip Inspection Policy Map

    Including Inline Match Statements in a Layer 7 SIP Inspection Policy Map • Associating the Layer 7 SIP Inspection Class Map with the Policy Map • Specifying the Layer 7 SIP Inspection Policy Map Actions • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-86 OL-16202-01...
  • Page 211: Creating A Layer 7 Sip Policy Map

    The syntax of this command is as follows: description For example, to add a description for a Layer 7 SIP inspection policy map, enter: host1/Admin(config-pmap-ins-sip)# description layer 7 sip inspection policy Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-87 OL-16202-01...
  • Page 212: Including Inline Match Statements In A Layer 7 Sip Inspection Policy Map

    The syntax for the Layer 7 SIP inspection policy map inline match commands is as follows: match name called-party expression match name calling-party expression match name content {length gt number} | {type sdp | expression} Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-88 OL-16202-01...
  • Page 213: Associating The Layer 7 Sip Inspection Class Map With The Policy Map

    For example, to associate a Layer 7 SIP inspection class map with a Layer 7 SIP inspection policy map, enter: host/Admin(config-pmap-ins-sip)# class SIP_INSPECT_L7CLASS host/Admin(config-pmap-ins-sip-c)# To dissociate the class map from the policy map, enter: host/Admin(config-pmap-ins-sip)# no class SIP_INSPECT_L7CLASS Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-89 OL-16202-01...
  • Page 214: Specifying The Layer 7 Sip Inspection Policy Map Actions

    SIP_INSPECT_L7POLICY host1/Admin(config-pmap-ins-sip)# match SIP_MATCH calling-party 123abc.* host1/Admin(config-pmap-ins-sip-m)# drop To disable an action in the Layer 7 SIP inspection policy map, enter: host1/Admin(config-pmap-ins-sip-m)# no drop Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-90 OL-16202-01...
  • Page 215: Configuring A Layer 3 And Layer 4 Application Protocol Inspection Traffic Policy

    ACE in a redundant configuration may boot up to the STANDBY_COLD state. For information about redundancy states, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. If the class map for the inspection traffic is generic (match . . . any or class-default is configured) so that noninspection traffic is also matched, the ACE displays an error message and does not accept the inspection configuration.
  • Page 216 For ICMP protocol inspection, the class map must have ICMP as the configured protocol. For example, enter the following commands: host1/Admin(config)# access-list ACL1 extended permit icmp 192.168.12.15 255.255.255.0 192.168.16.25 255.255.255.0 echo Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-92 OL-16202-01...
  • Page 217: Configuring A Layer 3 And Layer 4 Class Map

    The CLI displays the class map configuration mode. To classify network traffic that passes through the ACE for application protocol inspection, include one or more of the following commands to configure the match criteria for the class map: Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-93 OL-16202-01...
  • Page 218: Adding A Layer 3 And Layer 4 Class Map Description

    The syntax of this command is as follows: description text The text argument is an unquoted text string with a maximum of 240 alphanumeric characters. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-94 OL-16202-01...
  • Page 219: Defining Access-List Match Criteria

    ACL entries. Otherwise, the ACE displays an error message. You must access the class map configuration mode to specify the match access-list command. The syntax of this command is as follows: [line_number] match access-list identifier Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-95 OL-16202-01...
  • Page 220: Defining Tcp/Udp Port Number Or Port Range Match Criteria

    You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-96 OL-16202-01...
  • Page 221 Real Time Streaming Protocol 5060 Session Initiation Protocol skinny 2000 Cisco Skinny Client Control Protocol (SCCP) smtp Simple Mail Transfer Protocol sunrpc Sun Remote Procedure Call (RPC) telnet Telnet protocol Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-97 OL-16202-01...
  • Page 222 23 To clear the TCP or UDP port number match criteria from the class map, enter: host1/Admin(config-cmap)# no match port tcp eq 23 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-98 OL-16202-01...
  • Page 223: Configuring A Layer 3 And Layer 4 Policy Map

    The CLI displays the policy map configuration mode. To remove a Layer 3 and Layer 4 policy map from the ACE, enter: host1/Admin(config)# no policy-map multi-match HTTP_INSPECT_L4POLICY Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-99 OL-16202-01...
  • Page 224: Policy

    For example, to specify an existing class map within the Layer 3 and Layer 4 policy map, enter: host1/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS host1/Admin(config-pmap-c)# To remove a class map from a Layer 3 and Layer 4 policy map, enter: Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-100 OL-16202-01...
  • Page 225 For example, to use the class class-default command, enter: host1/Admin(config-pmap)# class class-default host1/Admin(config-pmap-c)# The CLI displays the policy map class configuration mode. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-101 OL-16202-01...
  • Page 226 The syntax of this command is as follows: inspect dns [maximum-length bytes] inspect ftp [strict policy name1 | sec-param conn_parammap_name1] inspect http [policy name4 | url-logging] inspect icmp [error] inspect ils Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-102 OL-16202-01...
  • Page 227 FTP inspection. If you do not specify a Layer 7 policy map, the ACE performs a Note general set of Layer 3 and Layer 4 FTP protocol fixup actions. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-103 OL-16202-01...
  • Page 228 RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support). Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-104 OL-16202-01...
  • Page 229 Cisco Skinny Client Control Protocol (SCCP) inspection. • The SCCP is a Cisco proprietary protocol that is used between Cisco CallManager and Cisco VoIP phones. The ACE performs a NAT on embedded IP addresses and port numbers in SCCP packet data.
  • Page 230: Configuring A Dns Parameter Map

    You can configure DNS actions for DNS packet inspection by using the parameter-map type dns command in configuration mode. The syntax of this command is as follows: parameter-map type dns name Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-106 OL-16202-01...
  • Page 231: Configuring A Dns Query Timeout

    UDP connection in 2 seconds. You can configure the UDP inactivity timeout using a connection parameter map. For details, see Chapter 4, Configuring TCP/IP Normalization and IP Reassembly Parameters. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-107 OL-16202-01...
  • Page 232 DNS parameter map as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For details about configuring a DNS parameter map, see the “Configuring a DNS Parameter Map” section. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-108 OL-16202-01...
  • Page 233: Configuring An Http Parameter Map

    • Setting the Maximum Number of Bytes to Parse in HTTP Content • Associating an HTTP Parameter Map with a Layer 3 and Layer 4 Policy Map • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-109 OL-16202-01...
  • Page 234: Disabling Case-Sensitivity Matching

    For example, to set the HTTP header maximum parse length to 8192, enter: host1/Admin(config-parammap-http)# set header-maxparse-length 8192 To reset the HTTP header maximum parse length to the default of 2048 bytes, enter: host1/Admin(config-parammap-http)# no set-header maxparse-length Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-110 OL-16202-01...
  • Page 235: Map

    HTTP parameter map as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For details about configuring an HTTP parameter map, see the “Configuring an HTTP Parameter Map” section. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-111 OL-16202-01...
  • Page 236: Configuring An Sccp Parameter Map

    Setting the Maximum Message ID • Setting the Minimum and Maximum SCCP Prefix Length • Associating an SCCP Parameter Map with a Layer 3 and Layer 4 Policy Map • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-112 OL-16202-01...
  • Page 237: Sccp Inspection Configuration Considerations

    Be aware of the following considerations when you configure SCCP inspection on the ACE: If the ACE resides between the Cisco CallManager (CCM) and the IP phones, • then explicit security ACLs are required to permit the TFTP traffic between the CCM and the phones because the ACE does not support TFTP fixup.
  • Page 238: Enabling Registration Enforcement

    For example, to set the maximum SCCP message ID to 0x3000, enter: host1/Admin(config-parammap-skinny)# message-id max 3000 To reset the maximum message ID to the default of 0x181, enter host1/Admin(config-parammap-skinny)# no message-id max 3000 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-114 OL-16202-01...
  • Page 239: Setting The Minimum And Maximum Sccp Prefix Length

    You can associate an SCCP parameter map with a Layer 3 and Layer 4 policy map by using the appl-parameter skinny advanced-options command in policy map class configuration mode. The syntax of this command is as follows: appl-parameter skinny advanced-options name Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-115 OL-16202-01...
  • Page 240: Associating An Sccp Parameter Map With A Layer 3 And Layer 4 Policy Map

    Enabling Strict Header Validation • Enabling Non-SIP URI Detection in SIP Messages • Associating a SIP Parameter Map with a Layer 3 and Layer 4 Policy Map • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-116 OL-16202-01...
  • Page 241: Sip Inspection Configuration Considerations

    The name argument is the identifier assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters. For example, enter: host1/Admin(config)# parameter-map type sip SIP_PARAMMAP host1/Admin(config-parammap-sip)# Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-117 OL-16202-01...
  • Page 242: Configuring A Timeout For A Sip Media Secure Port

    SIP configuration mode. By default, IM is disabled. The syntax of this command is as follows: For example, to enable instant messaging, enter: host1/Admin(config)# parameter-map type sip SIP_PARAMMAP host1/Admin(config-parammap-sip)# im Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-118 OL-16202-01...
  • Page 243: Enabling Maximum Forward Field Validation

    ACE reset the SIP connection. • For example, to enable Max-Forwards header field validation, enter: host1/Admin(config-parammap-sip)# max-forward-validation drop log To disable maximum forward field validation, enter: host1/Admin(config-parammap-sip)# no max-forward-validation Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-119 OL-16202-01...
  • Page 244: Configuring User Agent Software Version Options

    You can ensure the validity of SIP packet headers by configuring the ACE to check for the presence of the following mandatory SIP header fields: From • • Call-ID • CSeq • • Max-Forwards • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-120 OL-16202-01...
  • Page 245 For example, when a call is made and then cancelled, the phone receives a 487 Request Terminated cancel status request and transmits an ACK. However, for the Cisco IP Phone 7960, the transmitted ACK does not contain the MAX-FORWARDS header, which is a mandatory header for ACK.
  • Page 246: Map

    SCCP parameter map as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. For details about configuring a SIP parameter map, see the “Configuring a SIP Parameter Map” section. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-122 OL-16202-01...
  • Page 247: Applying A Service Policy

    VLAN interface. The traffic policy evaluates all traffic received by that interface. policy_name—Name of a previously defined policy map, configured with a • previously created policy-map command. The name can be a maximum of 64 alphanumeric characters. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-123 OL-16202-01...
  • Page 248 A policy activated on a VLAN interface overwrites any specified global • policies for overlapping classification and actions. The ACE allows only one policy of a specific feature type to be activated on • a given interface. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-124 OL-16202-01...
  • Page 249: Examples Of Application Protocol Inspection Configurations

    ACL1 extended permit tcp any any eq http rserver host SERVER1 ip address 192.168.252.245 inservice rserver host SERVER2 ip address 192.168.252.246 inservice rserver host SERVER3 ip address 192.168.252.247 inservice Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-125 OL-16202-01...
  • Page 250: Layer 7 Ftp Command Inspection

    In the following FTP command inspection configuration, the ACE does the following: • Masks the responses from the SYST and USER commands Denies selected FTP commands from executing • Allows the remaining FTP commands to execute • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-126 OL-16202-01...
  • Page 251 2 match virtual-address 192.168.120.119 tcp range 3333 4444 policy-map type loadbalance first-match L7_FTP-LB-SF-FTP_POLICY class class-default serverfarm SFARM1 policy-map type inspect ftp first-match L7_FTP-INSPSF-FTP_POLICY class L7_FTP-MAX-DENY_CLASS deny class L7_FTP-MAX-DENY2_CLASS mask-reply Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-127 OL-16202-01...
  • Page 252: Layer 3 And Layer 4 Application Protocol Inspection For Dns Inspection

    ACL1 line 10 extended permit ip any any class-map match-any L4_DNS-INSPECT_CLASS description DNS application protocol inspection of incoming traffic match port udp eq domain policy-map multi-match L4_DNS-INSPECT_POLICY class L4_DNS-INSPECT_CLASS inspect dns maximum length 1000 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-128 OL-16202-01...
  • Page 253: Information

    Total logging decisions Use the clear stats inspect command to clear the HTTP protocol inspection statistics. Table 3-9 describes the fields in the show stats inspect command output. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-129 OL-16202-01...
  • Page 254: Displaying Service Policy Configuration Information

    (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. detail—(Optional) Displays a more detailed listing of policy map statistics • and status information. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-130 OL-16202-01...
  • Page 255 : 0 , client byte count: 0 server pkt count : 0 , server byte count: 0 L7 policy: FTP_INSPECT_L4POLICY TotalReplyMasked : 0 TotalDropped: 0 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-131 OL-16202-01...
  • Page 256 Optional description about the policy map. Context Global Indicates whether the service policy has been applied Policy globally in configuration mode to all VLAN interfaces for the context. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-132 OL-16202-01...
  • Page 257 Number of packets received from clients. Client Byte Number of bytes received from clients. Count Server Pkt Count Number of packets received from servers. Server Byte Number of bytes received from servers. Count Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-133 OL-16202-01...
  • Page 258 (Applicable only to the FTP SYST command and its associated reply.) Total Total number of packets dropped due to an error in the Dropped On match. Error TotalLogged Total number of errors logged. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 3-134 OL-16202-01...
  • Page 259: Configuring Tcp/Ip Normalization And Ip Reassembly Parameters

    IP Reassembly Parameters This chapter describes how to configure TCP/IP normalization and termination parameters to protect your Cisco 4700 Series Application Control Engine (ACE) appliance and the data center from attacks. It also describes IP fragmentation and reassembly parameters. The chapter contains the following major sections: TCP Normalization Overview •...
  • Page 260: Tcp Normalization Overview

    For details about configuring traffic policies, see the “Configuring a Traffic Policy for TCP/IP Normalization and Termination” section. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 261: C H A P T E R 4 Configuring Tcp/Ip Normalization And Ip Reassembly Parameters

    Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 4-1. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 262 C1 host1/C1# The rest of the examples in this table use the C1 user context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 263 (Optional) Save your configuration changes to flash memory. host1/C1# copy running-config startup-config Display the TCP/IP normalization configuration information. host1/C1# show running-config policy-map host1/C1# show running-config parameter-map host1/C1# show running-config interface host1/C1# show service-policy name Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 264: Configuring A Connection Parameter Map For Tcp/Ip Normalization And Termination

    Configuring How the ACE Handles TCP SYN Segments that Contain Data • Configuring How the ACE Handles TCP Options • Setting the Urgent Pointer Policy • Setting the Type of Service • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 265: Creating A Connection Parameter Map For Tcp/Ip, Udp, And Icmp

    • Make sure that you assign the current context to the resource class. For details about resource classes, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide...
  • Page 266: Configuring Rate Limits For A Policy Map

    You can also limit the connection rate and the bandwidth rate of a real server in a server farm. For details, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
  • Page 267: Setting The Maximum Receive Or Transmit Buffer Share

    32 KB, SSL connections are significantly slower. For example, enter: host1/C1(config-parammap-conn)# set tcp buffer-share 16384 To reset the buffer limit to the default value of 32768 bytes, enter: host1/C1(config-parammap-conn)# no set tcp buffer-share Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 268: Setting A Range For The Maximum Segment Size

    40 bytes (the size of the TCP header plus options) less than the MTU of the ACE server-side VLAN. Otherwise, the ACE may discard incoming packets from the server. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-10 OL-16202-01...
  • Page 269 To reset the minimum MSS to the default value of 0 bytes and the maximum MSS to the default value of 1460, enter:. host1/C1(config-parammap-conn)# no set tcp mss Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-11 OL-16202-01...
  • Page 270: Configuring Ace Behavior For A Segment That Exceeds The Maximum Segment Size

    For example, to set the maximum TCP SYN retries to 3, enter: host1/C1(config-parammap-conn)# set tcp syn-retry 3 To reset the TCP SYN retries to the default value of 4, enter: host1/C1(config-parammap-conn)# no set tcp syn-retry Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-12 OL-16202-01...
  • Page 271: Enabling Nagle's Algorithm

    The syntax of this command is as follows: random-sequence-number For example, to enable the use of random sequence numbers if you have disabled the feature, enter: host1/C1(config-parammap-conn)# random-sequence-number Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-13 OL-16202-01...
  • Page 272: Configuring How The Ace Handles Reserved Bits

    This type of connection is called an embryonic connection. To configure a timeout for embryonic connections, use the set tcp timeout embryonic command in parameter map connection configuration mode. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-14 OL-16202-01...
  • Page 273: Configuring The Timeout For A Half-Closed Connection

    For example, enter: host1/C1(config-parammap-conn)# set tcp timeout half-closed 2400 To reset the TCP half-closed connection timeout to the default value of 3600 seconds, enter: host1/C1(config-parammap-conn)# no set tcp timeout half-closed Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-15 OL-16202-01...
  • Page 274: Configuring The Connection Inactivity Timeout

    TCP optimizations include the following connection parameter-map configuration mode operations: Nagle optimization algorithm (see the “Enabling Nagle’s Algorithm” section) • Slow-start connection behavior (see the “Enabling the TCP Slow Start • Algorithm” section) Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-16 OL-16202-01...
  • Page 275 0 To restore the ACE behavior to the default of not optimizing TCP connections, enter: host1/C1(config-parammap-conn)# no set tcp wan-optimization rtt 0 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-17 OL-16202-01...
  • Page 276: Setting The Window Scale Factor

    For example, to set the TCP window scale factor to 3, enter: host1/C1(config-parammap-conn)# set tcp window-scale factor 3 To reset to the default value of 0, enter: host1/C1(config-parammap-conn)# no set tcp window-scale Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-18 OL-16202-01...
  • Page 277: Enabling The Tcp Slow Start Algorithm

    For example, to delay sending an ACK from a client to a server for 400 ms, enter: host1/C1(config-parammap-conn)# set ack-delay 400 To reset the ACK delay timer to the default value of 200 ms, enter: host1/C1(config-parammap-conn)# no set ack-delay Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-19 OL-16202-01...
  • Page 278: Configuring How The Ace Handles Tcp Syn Segments That Contain Data

    The syntax of this command is as follows: tcp-options {range number1 number2 {allow | drop}} | {selective-ack | timestamp | window-scale} {allow | clear | drop} Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-20 OL-16202-01...
  • Page 279 Clears the specified • option from any segment that has it set and allows the segment. Table 4-2 lists the TCP options available for the tcp-options range command. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-21 OL-16202-01...
  • Page 280 Monroe] MD5 signature option [RFC2385] SCPS capabilities [Scott] Selective negative [Scott] acknowledgements (SNACK) Record boundaries [Scott] Corruption experienced [Scott] SNAP [Sukonnik] Unassigned (released 12/18/00) TCP compression filter [Bellovin] Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-22 OL-16202-01...
  • Page 281 19 26 drop To remove the TCP option ranges from the configuration, enter: host1/C1(config-parammap-conn)# no tcp-options range 6 7 allow host1/C1(config-parammap-conn)# no tcp-options range 19 26 drop Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-23 OL-16202-01...
  • Page 282: Setting The Urgent Pointer Policy

    Urgent Pointer. The ACE clears the Urgent flag for any traffic above Layer 4. If you have enabled TCP server connection reuse (see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide, Chapter 2, Configuring Traffic Policies for Server Load Balancing), the ACE does not pass the Urgent flag value to the server.
  • Page 283: Setting The Type Of Service

    20 To reset the ACE behavior to the default of not rewriting the ToS byte value of an incoming packet, enter: host1/C1(config-parammap)# no set ip tos 20 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-25 OL-16202-01...
  • Page 284: Configuring A Traffic Policy For Tcp/Ip Normalization And Termination

    To configure a class map for TCP/IP normalization and termination, use the class-map command in configuration mode. For details about configuring a class map, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. The syntax of this command is as follows:...
  • Page 285: Defining A Class Map Description

    To remove the description from the class map, enter: host1/C1(config-cmap)# no description filter tcp connections Continue with the following section to enter match criteria as required using the match command in class-map configuration mode. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-27 OL-16202-01...
  • Page 286 IP address 172.27.16.7: host1/C1(config)# class-map match-any IP_CLASS host1/C1(config-cmap)# match destination-address 172.27.16.7 To remove the destination IP address match criteria from the class map, enter: host1/C1(config-cmap)# no match destination-address 172.27.16.7 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-28 OL-16202-01...
  • Page 287 HTTP over TLS/SSL Internet Relay Chat matip-a Mapping of Airline Traffic over Internet Protocol (MATIP) Type A nntp Network News Transport Protocol pop2 Post Office Protocol v2 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-29 OL-16202-01...
  • Page 288 The following example specifies that the network traffic must match on TCP port number 23 (Telnet client): host1/C1(config)# class-map TCP_CLASS host1/C1(config-cmap)# match port tcp eq 23 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-30 OL-16202-01...
  • Page 289: Configuring A Layer 3 And Layer 4 Policy Map

    ACE executes all the corresponding actions. However, for a specific feature, the ACE executes only the first matching classification action. For more information about policy maps, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
  • Page 290: Associating A Connection Parameter Map With A Policy Map

    For details about configuring a connection parameter map, see the “Configuring a Connection Parameter Map for TCP/IP Normalization and Termination” section. The syntax of this command is as follows: connection advanced-options name Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-32 OL-16202-01...
  • Page 291: Associating A Layer 3 And Layer 4 Policy Map With A Service Policy

    To dissociate a policy map from a service policy, enter: host1/C1(config)# no service-policy input TCP_POLICY Configuring Interface Normalization Parameters This section describes how to configure TCP/IP normalization parameters in interface configuration mode. It contains the following topics: Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-33 OL-16202-01...
  • Page 292: Disabling Tcp Normalization On An Interface

    TCP normalization helps protect the ACE and the data center from attackers by enforcing strict security policies that are designed to examine traffic for malformed or malicious segments. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-34 OL-16202-01...
  • Page 293: Disabling The Icmp Security Checks On An Interface

    IP addresses to attackers. For example, to disable ICMP security checks on interface VLAN 100, enter: host1/C1(config)# interface vlan 100 host1/C1(config-if)# no icmp-guard Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-35 OL-16202-01...
  • Page 294: Configuring Syn-Cookie Denial-Of-Service Protection

    SYN-ACK using a sequence number that is the actual SYN cookie value. The SYN cookie consists of the following: A 32-bit timer that increases every 64 seconds. • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-36 OL-16202-01...
  • Page 295 The ACE does not generate any syslogs for a SYN cookie, even if the number • of embryonic connections exceeds the configured threshold, which may indicate a SYN-flood attack. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-37 OL-16202-01...
  • Page 296: Configuring How The Ace Handles The Don't Fragment Bit

    To configure how the ACE handles the DF bit, use the ip df command in interface configuration mode. The syntax of this command is as follows: Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-38 OL-16202-01...
  • Page 297: Configuring How The Ace Handles Ip Options

    IP options and allows the packet drop—Instructs the ACE to discard the packet regardless of any IP options • that are set For example, enter: host1/C1(config-if)# ip options allow Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-39 OL-16202-01...
  • Page 298: Setting The Ip Packet Ttl

    Unicast reverse-path forwarding (URPF) helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by allowing the ACE to discard IP packets that lack a verifiable source IP address. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-40 OL-16202-01...
  • Page 299 If you configure the mac-sticky command on the interface, you cannot configure Note the ip verify reverse-path command. For details about the mac-sticky command, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. To enable this feature, use the ip verify reverse-path command in interface configuration mode.
  • Page 300: Configuring Ip Fragment Reassembly Parameters

    C1 host1/C1# The rest of the examples in this table use the C1 context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode. host1/C1# config...
  • Page 301 15 (Optional) Save your configuration changes to flash memory. host1/C1# copy running-config startup-config Display the IP fragment reassembly configuration information. host1/C1# show interface vlan 100 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-43 OL-16202-01...
  • Page 302: Configuring The Mtu For An Interface

    ACE accepts for reassembly by using the fragment chain command in interface configuration mode. The syntax of this command is as follows: fragment chain number Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-44 OL-16202-01...
  • Page 303: Configuring The Minimum Fragment Size For Reassembly

    The syntax of this command is as follows: fragment timeout seconds The seconds argument is an integer from to 1 to 30 seconds. The default is 5 seconds. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-45 OL-16202-01...
  • Page 304: Example Of A Tcp/Ip Normalization And Ip Reassembly Configuration

    ACE accepts for reassembly, and the minimum fragment size that the ACE accepts for reassembly. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-46 OL-16202-01...
  • Page 305 192.168.1.100 255.255.255.0 service-policy input L4_TCPIP_POLICY ip ttl minimum 15 ip options clear ip df allow fragment size 400 fragment chain 126 fragment min-mtu 1024 fragment timeout 15 no shutdown Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-47 OL-16202-01...
  • Page 306: Reassembly, And Syn Cookie

    IP addresses and TCP or UDP ports • show running-config policy-map—Displays all policy maps configured in the current context, including the associated class maps Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-48 OL-16202-01...
  • Page 307: Displaying A Connection Parameter Map

    64 alphanumeric characters. For example, to display a connection parameter map configuration, enter: host1/C1# show parameter-map CONN_PMAP Table 4-7 describes the fields in the show parameter-map command output. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-49 OL-16202-01...
  • Page 308 ACE accepts. Possible values are from 0 to 65535. TCP MSS max Maximum value of the TCP maximum segment size that the ACE accepts. Possible values are from 0 to 65535. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-50 OL-16202-01...
  • Page 309 Configured maximum number of connections per second that the ACE allows. bandwidth-rate- Configured maximum number of bytes per second that the limit ACE allows. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-51 OL-16202-01...
  • Page 310: Displaying Tcp/Ip And Udp Connection Statistics

    {tcp | udp}—Displays connection statistics for TCP or UDP. • For example, to display connection statistics for a range of IP addresses, enter: host1/C1# show conn address 192.168.12.15 192.168.12.35 netmask 255.255.255.0 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-52 OL-16202-01...
  • Page 311 Number of packets that have traversed the connection. Conn in Reuse Indication of whether the ACE has placed the connection in Pool the pool for possible reuse. Valid values are TRUE or FALSE. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-53 OL-16202-01...
  • Page 312: Displaying Global Context Connection Statistics

    Total Total number of connections that exceeded the configured Connections timeout in the current context. Timed-out Total Total number of connection attempts that failed to complete. Connections Failed Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-54 OL-16202-01...
  • Page 313: Displaying Ip Statistics

    ACE fragmented, and the number of packets that the ACE could not fragment. Bcast Number of broadcast packets received and sent. Mcast Number of multicast packets received and sent. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-55 OL-16202-01...
  • Page 314 Reports statistics for the following ICMP messages received by the ACE: Redirects • ICMP Unreachable • ICMP Echo • ICMP Echo Reply • Mask Requests • Mask Replies • Quench • Parameter • Timestamp • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-56 OL-16202-01...
  • Page 315 ACE: Redirects • ICMP Unreachable • ICMP Echo • ICMP Echo Reply • Mask Requests • Mask Replies • Quench • Timestamp • Parameter • Time Exceeded • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-57 OL-16202-01...
  • Page 316 ACE. For example, to display IP fragmentation and reassembly statistics for all interfaces in the ACE, enter: host1/C1# show fragment Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-58 OL-16202-01...
  • Page 317: Displaying Tcp Statistics

    ACE. The syntax of this command is as follows: show tcp statistics For example, to display TCP statistics for the current context, enter: host1/C1# show tcp statistics Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-59 OL-16202-01...
  • Page 318: Displaying Udp Statistics

    Description Rcvd Total number of UDP segments, errors, and segments with no port specified that the ACE received. Sent Total number of UDP segments sent by the ACE. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-60 OL-16202-01...
  • Page 319: Displaying Service Policy Statistics

    State of the VIP’s ability to reply to ICMP requests. Possible Reply values are ENABLED or DISABLED. VIP State Current status of the virtual IP address. Possible values are INSERVICE or OUTOFSERVICE. Curr Conns Number of active connections. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-61 OL-16202-01...
  • Page 320: Displaying Syn Cookie Statistics

    [vlan number] The optional vlan number keyword and argument instruct the ACE to display SYN cookie statistics for the specified interface. Enter an integer from 2 to 2024. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-62 OL-16202-01...
  • Page 321 ACE. Processed by SYN COOKIE Failed Number of Number of client ACK packets that did not match a SYN TCP ACKs cookie. Processed by SYN COOKIE Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-63 OL-16202-01...
  • Page 322: Clearing Tcp/Ip And Udp Connections And Statistics

    ICMP, TCP, or UDP. rserver—(Optional) Clears all connections for the specified real server. • For example, to clear all TCP connections in the current context, enter: host1/C1# clear conn flow tcp Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-64 OL-16202-01...
  • Page 323: Clearing Connection Statistics

    If you configured redundancy, then you need to explicitly clear IP statistics on Note both the active and the standby ACEs. Clearing statistics on the active appliance alone will leave the standby appliance’s statistics at the old values. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-65 OL-16202-01...
  • Page 324: Clearing Udp Statistics

    If you configured redundancy, then you need to explicitly clear UDP statistics on Note both the active and the standby ACEs. Clearing statistics on the active appliance alone will leave the standby appliance’s statistics at the old values. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-66 OL-16202-01...
  • Page 325: Clearing Ip Fragmentation And Reassembly Statistics

    The optional number argument instructs the ACE to clear SYN cookie statistics for the specified interface. Enter an integer from 2 to 2024. For example, to clear SYN cookie statistics for VLAN 100, enter: host1/C1# clear syn-cookie vlan 100 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-67 OL-16202-01...
  • Page 326 Chapter 4 Configuring TCP/IP Normalization and IP Reassembly Parameters Clearing TCP/IP and UDP Connections and Statistics Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 4-68 OL-16202-01...
  • Page 327: Configuring Network Address Translation

    C H A P T E R Configuring Network Address Translation This chapter contains the following major sections which describe how to configure NAT on the Cisco 4700 Series Application Control Engine (ACE) appliance: Network Address Translation Overview • •...
  • Page 328: Network Address Translation Overview

    Server load balancing is configured with the forward action in a policy • Some of the benefits of NAT are as follows: You can use private addresses on your inside networks. Private addresses are • not routable on the Internet. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 329: Dynamic Nat

    IP address. For this reason, users on the destination network cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list [ACL]). Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 330 The advantage of dynamic NAT is that some protocols cannot use dynamic PAT. Dynamic PAT does not work with some applications that have a data stream on one port and the control path on another, such as some multimedia applications. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 331: Dynamic Pat

    Dynamic PAT allows you to use a single global address, which helps to conserve routable addresses. Dynamic PAT does not work with some multimedia applications that have a data stream on a port that is different from the control path port. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 332: Server Farm-Based Dynamic Nat

    The ACE is configured in one-arm mode, that is, there is only one VLAN • between the ACE and the Cisco Systems 6500 and 7600 Series Catalyst MSFC that is used for both client and server traffic. Both the primary and...
  • Page 333: Static Port Redirection

    Maximum Number of NAT Commands The ACE supports the following maximum numbers of nat, nat-pool, and nat static commands divided among all contexts: nat command—8,192 • nat-pool command—8,192 • nat static command—8,192 • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 334: Global Address Guidelines

    The seconds argument is an integer from 60 to 2147483. The default is 10800 seconds (3 hours). The seconds value determines how long the ACE waits to free the Xlate slot after it becomes idle. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 335: Configuring Dynamic Nat And Pat

    NAT and PAT. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 5-1. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide OL-16202-01...
  • Page 336 C1 host1/C1# The rest of the examples in this table use the C1 user context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 337 (Optional) Save your configuration changes to flash memory. host1/Admin# copy running-config startup-config Display and verify your dynamic NAT and PAT configuration. host1/C1# show running-config class-map host1/C1# show running-config policy-map host1/C1# show running-config service-policy Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-11 OL-16202-01...
  • Page 338: Configuring An Acl

    Configure an interface for clients and an interface for the real servers. If you are operating the ACE in one-arm mode, do not configure an interface for clients. For details, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
  • Page 339 IP address pool. Enter a • mask in dotted-decimal notation (for example, 255.255.255.255). A network mask of 255.255.255.255 instructs the ACE to use all the IP addresses in the specified range. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-13 OL-16202-01...
  • Page 340 255.255.255.255 pat Before you can remove a NAT pool from an interface, you must remove the Note service policy and the policy map associated with the NAT pool. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-14 OL-16202-01...
  • Page 341: Configuring A Class Map

    You can configure a traffic class for dynamic NAT and PAT by using the class-map command in configuration mode. For more information about class maps, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. The syntax of this command is as follows:...
  • Page 342: Configuring A Class Map For Passive Ftp

    You can configure a traffic policy for dynamic NAT and PAT by using the policy-map command in configuration mode. For more information about policy maps, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. The syntax of this command is as follows: policy-map multi-match name The name argument is the name assigned to the policy map.
  • Page 343: Action

    Enter an integer from 1 to 2147483647. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-17 OL-16202-01...
  • Page 344: Service Policy

    Activate the dynamic NAT and PAT policy map and associate it with an interface by using the service-policy command in interface configuration mode. For details about the service-policy command, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
  • Page 345 The ACE performs this action to provide a new starting point for the service-policy statistics the next time that you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-19 OL-16202-01...
  • Page 346: Configuring Server Farm-Based Dynamic Nat

    For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 5-2. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-20 OL-16202-01...
  • Page 347 C1 host1/C1# The rest of the examples in this table use the C1 user context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 348 Layer 7 load-balancing policy. You can configure multiple instances of this command for each primary and backup serverfarm and each outgoing server VLAN. host1/C1(config-pmap-lb-c)# nat dynamic 1 vlan 200 serverfarm primary host1/C1(config-pmap-lb-c)# exit host1/C1(config-pmap-lb)# exit host1/C1(config)# Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-22 OL-16202-01...
  • Page 349 (Optional) Save your configuration changes to flash memory. host1/Admin# copy running-config startup-config Display and verify your server farm-based dynamic NAT configuration. host1/C1# show running-config class-map host1/C1# show running-config policy-map host1/C1# show running-config service-policy Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-23 OL-16202-01...
  • Page 350: Configuring An Acl For Server Farm-Based Dynamic Nat

    Configure an interface for clients and an interface for the real servers. If you are operating the ACE in one-arm mode, omit the client interface. For details about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.
  • Page 351 IP address pool. Enter a • mask in dotted-decimal notation (for example, 255.255.255.255). A network mask of 255.255.255.255 instructs the ACE to use all the IP addresses in the specified range. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-25 OL-16202-01...
  • Page 352: Configuring Real Servers And A Server Farm

    To remove a NAT pool from the configuration, enter: host1/C1(config-if)# no nat-pool 1 Configuring Real Servers and a Server Farm For details about configuring real servers and server farms, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
  • Page 353: Configuring A Layer 7 Load-Balancing Policy Map For Server Farm-Based Dynamic Nat

    To associate the previously created class map with the policy map. For example, enter: host1/C1(config-pmap-lb)# class L7_CLASS host1/C1(config-pmap-lb-c)# To disassociate a class map from a policy map, enter: host1/C1(config-pmap-lb)# no class L7_CLASS Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-27 OL-16202-01...
  • Page 354: Configuring Server Farm-Based Dynamic Nat As A Layer 7 Policy Action

    If a packet egresses an interface that you have not configured for NAT, the ACE Note transmits the packet untranslated. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-28 OL-16202-01...
  • Page 355 Configure a Layer 3 and Layer 4 traffic class for server farm-based dynamic NAT by using the class-map command in configuration mode. For more information about class maps, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. The syntax of this command is as follows:...
  • Page 356 To dissociate a class map from a policy map, enter: host1/C1(config-pmap)# no class NAT_CLASS Configure policy-map actions as required. For example, configure: host1/C1(config-pmap-c)# loadbalance policy L7_POLICY host1/C1(config-pmap-c)# loadbalance VIP inservice Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-30 OL-16202-01...
  • Page 357: Policy

    You can activate the server farm-based dynamic NAT policy and assign it to an interface by using the service-policy command in interface configuration mode. For details about the service-policy command, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
  • Page 358: Configuring Static Nat And Static Port Redirection

    For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 5-3. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-32 OL-16202-01...
  • Page 359 C1 host1/C1# The rest of the examples in this table use the C1 user context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Enter configuration mode.
  • Page 360 (Optional) Save your configuration changes to flash memory. host1/Admin# copy running-config startup-config Display and verify your static NAT and static port redirection configuration. host1/C1# show running-config class-map host1/C1# show running-config policy-map Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-34 OL-16202-01...
  • Page 361: Configuring An Acl For Static Nat And Static Port Redirection

    Configuring Interfaces for Static NAT and Static Port Redirection Configure an interface for clients and an interface for the real servers. For details, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. Configuring a Class Map You can configure a traffic class for static NAT and port redirection by using the class-map command in configuration mode.
  • Page 362: Configuring A Policy Map

    Configuring a Policy Map You can configure a traffic policy for NAT by using the policy-map command in configuration mode. For more information about policy maps, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide. The syntax of this command is as follows: policy-map multi-match name The name argument is the name assigned to the policy map.
  • Page 363: Configuring Static Nat And Static Port Redirection As A Policy Action

    IP address. Enter a • subnet mask in dotted-decimal notation (for example, 255.255.255.0). port1—Global TCP or UDP port for static port redirection. Enter an integer • from 0 to 65535. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-37 OL-16202-01...
  • Page 364 UDP port names and numbers. Table 5-5 Well-Known UDP Port Numbers and Keywords Keyword Port Number Description Domain Name System 9200 Connectionless Wireless Session Protocol (WSP) wsp-wtls 9202 Secure Connectionless WSP Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-38 OL-16202-01...
  • Page 365: Interface Using A Service Policy

    You can activate the static NAT and port redirection policy and assign it to an interface by using the service-policy command in interface configuration mode. For details about the service-policy command, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
  • Page 366 The ACE performs this action to provide a new starting point for the service-policy statistics the next time that you attach a traffic policy to a specific VLAN interface. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-40 OL-16202-01...
  • Page 367: Displaying Nat Configurations And Statistics

    (for example, 192.168.12.15). To specify a range of IP addresses, enter a second IP address. netmask mask—(Optional) Displays the subnet mask for the specified IP • addresses. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-41 OL-16202-01...
  • Page 368: Dynamic Nat Example

    (SNAT in this example). When a user uses Telnet from 172.27.16.5 in VLAN 2020, the ACE translates it to 192.168.100.1 in VLAN 2021. host1/Admin# show xlate global 192.168.100.1 192.168.100.10 NAT from vlan2020:172.27.16.5 to vlan2021:192.168.100.1 count:1 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-42 OL-16202-01...
  • Page 369 VLAN 2021 on the ACE. The ACE maps 172.27.0.5:23 on VLAN 2020 to 192.168.211.1:3030 on VLAN 2021. host1/Admin# show xlate TCP PAT from vlan2020:172.27.0.5/23 to vlan2021:192.168.211.1/3030 Mar 24 2006 20:05:41 : %ACE-7-111009: User 'admin' executed cmd: show xlate Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-43 OL-16202-01...
  • Page 370: Clearing Xlates

    Clears active translations by the local port. • start_port—Global or local port number. • end_port—(Optional) Last port number in a global or local range of ports. • Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-44 OL-16202-01...
  • Page 371: Nat Configuration Examples

    The pat keyword indicates that ports higher than 1024 are also translated. If you are operating the ACE in one-arm mode, omit interface VLAN 100 and configure the service policy on interface VLAN 200. Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-45 OL-16202-01...
  • Page 372: Server Farm-Based Dynamic Nat (Snat) Configuration Example

    NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 1 72.27.16.0 255.255.255.0 eq http rserver SERVER1 ip address 172.27.16.3 inservice rserver SERVER2 ip address 172.27.16.4 inservice serverfarm SFARM1 rserver SERVER1 inservice rserver SERVER2 inservice Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-46 OL-16202-01...
  • Page 373: Static Port Redirection (Dnat) Configuration Example

    10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any class-map match-any NAT_CLASS match access-list acl1 policy-map multi-match NAT_POLICY class NAT_CLASS nat static 192.0.0.0 255.0.0.0 80 vlan 101 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-47 OL-16202-01...
  • Page 374: Snat With Cookie Load Balancing Example

    3 match http cookie JG cookie-value “.*” policy-map type loadbalance first-match L7SLB_Cookie class L7SLB_Cookie serverfarm httpsf policy-map multi-match L7SLBCookie class vip4 loadbalance vip inservice loadbalance L7SLB_Cookie nat dynamic 1 vlan 2021 <<<<<<<<<< Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-48 OL-16202-01...
  • Page 375 30.11.0.3 255.255.0.0 fragment min-mtu 68 nat-pool 2 30.11.201.1 30.11.201.1 netmask 255.255.255.255 pat nat-pool 3 30.11.202.1 30.11.202.3 netmask 255.255.255.255 nat-pool 1 30.11.100.1 30.11.200.1 netmask 255.255.255.255 <<<<<<<<< no shutdown Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-49 OL-16202-01...
  • Page 376 Chapter 5 Configuring Network Address Translation NAT Configuration Examples Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide 5-50 OL-16202-01...
  • Page 377: I N D E X

    2-49 ICMP TACACS+ server, configuring for 2-31 implicit deny TACACS+ server configuration, displaying 2-51 inbound 1-35 user accounts, creating 2-23 IP extended ACL accounting IPs with NAT 1-38 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-1 OL-16202-01...
  • Page 378 RADIUS server authentication settings, 3-30 configuring 2-15 Layer 7 FTP command inspection quick start TACACS+ server accounting settings, 3-21 configuring 2-11 Layer 7 HTTP deep packet inspection class 3-39 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-2 OL-16202-01...
  • Page 379 Layer 7 FTP command inspection TCP SYN retries, limiting 4-12 description 3-32 TCP SYN segments with data, handling 4-20 Layer 7 FTP request methods 3-32 type of service 4-25 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-3 OL-16202-01...
  • Page 380 3-35 inspection overview inspection overview 3-10 Don’t Fragment bit, handling 4-38 Layer 3 and 4 FTP application protocol inspection, configuring 3-103 DoS protection, SYN cookie 4-36 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-4 OL-16202-01...
  • Page 381 HTTP/1/1 header fields, supported 3-48 application protocol support 3-4, 3-5 inline match commands in policy map 3-65 conversion-error, ICMP message 1-15 inspection overview 3-12 echo, ICMP message 1-14 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-5 OL-16202-01...
  • Page 382 Layer 7 FTP command inspection policy policy map 3-99 3-35 LDAP server in Layer 7 HTTP deep packet inspection ACE configuration 2-35 policy map 3-65 configuration, displaying 2-52 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-6 OL-16202-01...
  • Page 383 ACL configuration, dynamic 5-12 See NAT ACL configuration, static 5-24, 5-35 normalization parameters application protocol inspection support configuring 4-33 as policy map action, dynamic 5-17 Don’t Fragment bit, handling 4-38 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-7 OL-16202-01...
  • Page 384 3-111 Layer 7 FTP command inspection, defining 3-33 maximum header bytes setting 3-110 Layer 7 FTP command inspection, inline passive FTP with source NAT 5-16 match commands 3-35 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-8 OL-16202-01...
  • Page 385 AAA configuration connection ACL configuration remarks in extended ACLs 1-16 dynamic NAT and PAT configuration reordering ACL entries 1-18 IP fragment reassembly configuration 4-42 request methods Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-9 OL-16202-01...
  • Page 386 IP fragmentation and reassembly, creating 2-39 displaying 4-58 LDAP 2-39 IP traffic 4-55 RADIUS 2-39 service policy 4-61 TACACS+ 2-39 TCP, clearing 4-66 service policy TCP, displaying 4-59 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-10 OL-16202-01...
  • Page 387 Layer 4 class map, configuring 2-32 4-26 server authentication settings, normalization parameters, configuring 4-33 configuring 2-11 overview server group, creating 2-39 quick start server group dead-time setting 2-41 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-11 OL-16202-01...
  • Page 388 TTL setting 4-40 type of service, setting in connection parameter 4-25 port numbers and key words 1-12 UDP and TCP/IP configurations, displaying 4-48 unicast reverse-path forwarding, configuring 4-40 Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide IN-12 OL-16202-01...

This manual is also suitable for:

4700 series

Table of Contents