INDEX
Symbols & Numerics

*.rtr files, displaying output, 991
.evt files, 887
50 percent rule, 148
802.1x
  FAQs, 582–584
  statistics, displaying, 555–557

A

AAA (Authentication, Authorization, and Accounting)
  architectural components, 420
  authentication, testing on VPN 3K, 593–594
  authorization, troubleshooting on Cisco switches, 570–574
  Auth-proxy, troubleshooting on Cisco routers, 457
  communication protocols
    RADIUS, 425–427
    TACACS+, 421–424
  configuring, best practices, 474
  debug commands, 430–431
  dial-up networking, troubleshooting on Cisco routers, 446–449, 452–457
  FAQs, 472–474
  on Cisco routers
    accounting, configuring, 445
    command authorization, troubleshooting, 443–445
    exec authorization, troubleshooting, 440–443
    troubleshooting, 432–440
    VPDN case study, 458–462
  on Cisco switches
    802.1x, FAQs, 582–584
    IBNS, 566–570
    IBNSs, 541–545
    switch management, 541, 558–566
  on VPN 3K
    FAQs, 611–612
    session timeouts, avoiding, 593
    troubleshooting, 587
  show commands, 429
  X-Auth, troubleshooting on Cisco routers, 457
access lists. See ACLs
Access-Accept messages (RADIUS), 427
Access-Challenge messages (RADIUS), 427
accessing
  IDM sensor, 888
  NM-CIDS console, 839
Access-Reject messages (RADIUS), 427
accounting
  configuring on Cisco routers, 445
  on Cisco switches, 565
  troubleshooting on Cisco switches, 566
ACL Partition Manager (FWSM), 168–169
ACLs. See also VACLs
  Conduit to Access-list Converter, 53
  downloadable, 652
    PIX/IP ACLs, syntax, 606
    troubleshooting, 654–655
  effect on CBAC performance, 209
  enabling/disabling on PIX Firewall, 35
  established keyword, 180
  implementing on PIX Firewalls, 34
  IPS sensor blocking, 734–735
  limitations of, 177
  misconfigured, troubleshooting on CBAC, 202
  on FWSM
    ACL Partition Manager, 168–169
    compilation process, 170–172
    memory utilization, 164–166
  outbound, applying on PIX Firewall, 35–36
  performance impact on PIX Firewall, 101
  Reflexive, 180
  time-range keyword, 34–35
  wide holes, 181
acquiring CSAgent software, 997–998
ACS. See CS ACS (Cisco Secure Access Control Server)
activating
  syslog on Cisco routers, 193
  URL filtering, 186
activation keys for PIX Firewall, 56
1080
Active FTP connections, handling with CBAC, 180–181
active/active mode (PIX Firewall), 102
  configuring, 105–106
active/standby mode (PIX Firewall), 102
activities
  Router MC, dangling connections, 968
  unlocking with Firewall MC, 941
AD (Active Directory), CS ACS integration, 627–629
adding
  devices to device table, 1052
  trusted hosts to sensors, 890–892
Administer Sessions window (VPN 3000 Concentrator series), 352
agent kits (CSA Agent), generating, 997–998
aggressive mode negotiation, 231–232
AH (Authentication Header), 226
alert database, backing up, 1073
Alert Inserter, 1044
alerts, configuring, 192–193
AnalysisEngine, 678
Analyzer daemon, 1055
analyzing MDCSupport file contents, 886–887
anti-spoofing, CBAC configuration best practices, 219
anti-virus software, creating buffer overflow exclusions, 1018–1020
Apache certificate
  regenerating, 897
  trusted host issues, resolving on IDS MC, 897–898
  verifying on IDS MC, 896
APIs, IDAPI, 678
application issues, troubleshooting on CSAgent, 1016
application partition (NM-CIDS)
  re-imaging, 854–857
  recovering, 708–709
application-layer protocols, traffic inspection, 183
  SMTP, 184
applications comprising IPS software
  AnalysisEngine, 678
  CLI, 678
  MainApp, 677–678
application-specific roles (ACS), 975
application-to-port mappings, modifying, 188–189
architectural components of AAA, 420
archive files, redirecting away from Database Disk, 1063
arguments
  for csutil.exe, 655–656
  for show crypto ipsec command, 299
ARP spoofing, 80
ASA (Adaptive Security Algorithm), characteristics of, 29–30
assigning
  IP address to IDS-Sensor interface, 839
  privilege levels to VPN 3k users, 592
asymmetric cryptographic algorithms, 224
asymmetric routing
  PIX Firewall support, 106
  troubleshooting on CBAC, 205
attributes (VPN 3K), 589
audit reports (IDS MC), 885
audits, configuring, 193
AUS authentication
  with Firewall MC, troubleshooting, 940
  with firewalls, troubleshooting, 940–941
authentication, 592
  AAA on VPN 3K, FAQs, 611–612
  on Firewall MC firewalls, troubleshooting, 939
  on Firewall MC with AUS, troubleshooting, 940
  on Router MC, troubleshooting, 967
  on VPN 3K, causes of failure, 607–608
  PEAP configuration case study, 574–576, 580
  testing, 593–594
authentication server (IEEE 802.x framework), 543
authenticator, 542
authorization
  configuring on Cisco switches, 564–565
  NARs, 648
    configuring, 648, 651
    troubleshooting, 651–652
  troubleshooting on Cisco switches, 565, 570–574
Authorization cache, 212
auth-proxy, 177
  authentication methods, 212
  configuring, 213–215
  on Cisco routers, troubleshooting, 457
  operation, 212
  supported Cisco router platforms, 213
  troubleshooting, 216–217
avoiding AAA session timeouts on VPN 3K, 593
B

backing up data
  alert database, 1073
  CiscoWorks Common Services, 874–875
  command syntax, 656
  CS ACS, 665
  CSA MC database, 1023–1024
  IPS sensor configuration, 782–783
  Router MC database, 972
backup files, redirecting away from Database Disk, 1063
backup/restore operations, troubleshooting on Router MC, 973
base group attributes (VPN 3K), 589
baselining, importance of, 6
best practices
  for AAA configuration, 474
  for CBAC
    anti-spoofing configuration, 219
    router security, 218–219
  for CiscoWorks Common Services management, 881
  for CS ACS Server, 670–671
  for CSA MC installation, 1036
  for IDS MC configuration, 929
  for IDSM-2 blade implementation, 829
  for implementing AAA on VPN 3K, 612
  for IPS deployment, 781–785
  for protecting PIX Firewall, 110–111
  for Security Monitor operation, 1077
Bidirectional replication, 647
BIN directory (CSA MC), 985
blat, 1070
blocking issues on IPS sensors
  ACLs, 734–735
  configuring, 737–740
  for specific signatures, troubleshooting, 753
  implementing, 736–737
  MBS, 737, 741–743
  supported managed devices and versions, 735
  verifying blocking processes, 923–924
blocking forwarding sensor, 737
blue screen, troubleshooting, 990
browsers. See web browsers
buffer overflow exclusions, creating, 1018–1020
Bugs Tracker, 54
bulk importing NASs, 667
Bypass mode (IPS sensor), 682
C

capture command, 47–49
capturing
  debug command output, 199
  IPS traffic
    on MPLS IP IDS, 776–777
    on RSPAN, 773–775
    on SPAN, 763–770
    on VACL, 775–776
    on hub, 763
  packets on FWSM, 123–124
  sniffer traces, 199
“cascade” replication, 645
case studies
  Hairpinning, configuring, 335–337
  PEAP configuration, 574–576, 580
  RADIUS configuration on Cisco IOS routers, 462–463
  troubleshooting VPDN on Cisco IOS routers, 464–472
  user permissions on Router MC, 974
    ACS roles, 975, 978
    CiscoWorks Server roles, 975
  VPDN configuration on Cisco IOS routers, 458–462
Catalyst 2900/3500XL switches, configuring IPS traffic capture with SPAN, 765–767
Catalyst 2900/3600XL switches, configuring SPAN, 765–767
Catalyst 2950 switches, configuring IPS traffic capture with SPAN, 767–770
Catalyst 2950/3550 and 3750 switches, configuring SPAN, 767–770
Catalyst 3550 switches, configuring IPS traffic capture with SPAN, 767–770
Catalyst 3750 switches, configuring IPS traffic capture with SPAN, 767–770
Catalyst 4000/6000 switches running CatOS, configuring SPAN, 770–771
Catalyst 4000/6000 switches running Native IOS, configuring SPAN, 771–772
Catalyst 6500, IDSM-2 blade
  Command and Control port, configuring, 801–805
  event generation, troubleshooting, 817–818
  front panel indicator lights, 789
  hardware issues on CatOS, troubleshooting, 797–800
  hardware issues on Native IOS, troubleshooting, 793–797
  hardware requirements, 788
  installing, 789
  Maintenance Partition, upgrading, 823–824
  Promiscuous mode
    configuring, 805–813
    troubleshooting, 814–816
  re-imaging, 818–823
  removing from switch, 790
  serial cable, connecting, 826
  signature update, installing, 824–825
  slot assignment, 788
  sniffing ports, 791
  supported ports, 790
  TCP reset, 818
  upgrading to version 5.x, 826
  user passwords, recovering, 827–829
  VACL Capture, 827
  versus IDS Appliance, 787
categorizing CS ACS problem areas, 625
CatOS, Native IOS show commands, 792
CBAC (Context-Based Access Control), 177
  Active FTP connections, handling, 180–181
  anti-spoofing configuration, best practices, 219
  asymmetric routing, troubleshooting, 205
  Cisco IOS code base, upgrading, 209
  connection states, 194–195
  connectivity, troubleshooting, 201–203
  CPU utilization, verifying, 205–206
  FAQs, 217–218
  half-open connections, manipulating threshold values, 208
  HTTP inspection, verifying dropped packets, 208
  interaction with IPsec, 193
  interoperability with NAT, 188
  IP fragmentation, mitigating, 191
  Java blocking, configuring, 184
  misconfigured ACLs, troubleshooting, 202
  misconfigured IP inspection, troubleshooting, 203
  misconfigured NAT, troubleshooting, 202
  multi-channel protocols
    inspecting, 187, 205
    securing, 180
  packet drops, troubleshooting, 210
  packet flow across routers, 196
  performance, troubleshooting, 205–210
  protecting inside network, 179–180
  router security configuration, best practices, 218–219
  single channel protocol inspection, 182
    application-layer protocols, 183
    ICMP, 182
    SMTP, 184
    UDP, 182
  switching path, troubleshooting performance issues, 209
  TCP SYN flood attacks, mitigating, 189–191
  troubleshooting, 199
  UDP connection timeout, selecting, 207–208
  UDP inspection, troubleshooting, 203–205
  URL filtering
    configuring, 185–187
    troubleshooting, 211
CEP (Certificate Enrollment Protocol), PKI
  configuring, 258–261
  troubleshooting, 261–265
CFG directory (CSA MC), 985
challenge-response-based authentication, 546
changing database maximum event limit, 1066
check pointing CiscoWorks Common Services database, 951
checking status of Firewall MC processes, 931
CIDEE (Cisco Intrusion Detection Event Exchange), 679–680
CIFS access, configuring on VPN 3000 Concentrator series, 394
circular blocks, 737
Cisco AV-Pairs, 653
Cisco IOS routers
  AAA
    accounting, configuring, 445
    Auth-proxy, troubleshooting, 457
    command authorization, 443–445
    dial-up networking, troubleshooting, 446–457
    exec authorization, 440–443
    router management, troubleshooting, 432–440
    VPDN case study, 458–462
    X-Auth, troubleshooting, 457
  IPsec VPNs
    PKI, troubleshooting, 258–265
    Remote Access client VPN connections, troubleshooting, 265–270
  NM-CIDS, managing, 848–849
  RADIUS configuration, case study, 462–463
  VPDN troubleshooting, case study, 464–472
  VPNs, DMVPN, 270–280
Cisco IOS Software, upgrading code base on CBAC routers, 209
Cisco PIX firewalls. See PIX firewalls
Cisco Secure ACS mode (CiscoWorks Common Services), 862
Cisco Security Agent Management Center (CSA MC) license key, 865
Cisco switches
  AAA
    802.1x FAQs, 582–584
    authorization, troubleshooting, 570–574
    IBNS, 566–570
    PEAP configuration, case study, 574–580
    switch management, 541, 558–566
  IBNSs, 541–542
  IEEE 802.1x framework, 542–545
CiscoWorks Common Services
  database
    backing up, 874–875
  FAQs, 877–881
  installing, 870–871
    database management, 873
    minimum requirements, 870
    problems, troubleshooting, 871–873
    user management issues, 873
  license key, upgrading, 868
  licenses, troubleshooting, 869
  managing, best practices, 881
  MDCSUPPORT, 863
    files collected by, 864
    MDCSupportInformation.zip file, file summary, 864
  Privileges, 862
  resolving DNS errors, 1048
  restore procedures, 875–876, 950
  Roles, 862
  running on multi-homed machines, 879
  user authentication, case study, 876–877
  user management, 862
CiscoWorks Common Services Desktop, launching on browser, 861
CiscoWorks MDCSupportInformation.zip, file contents, 933
classifier, 84
clear crypto sa command, 238
CLI (command-line interface), 678
  IPS sensors, licensing, 719–720
clientless SSL VPN mode (VPN 3000 Concentrator series)
  configuring, 390
  troubleshooting, 391–395
closing NM-CIDS sessions, 843
cluster redundancy on VPN 3000 Concentrator series, 412–414
collecting MDCSupport file on Windows platform, 886
combined sensor mode (IPS), 683
Command and Control port
  on IDSM-2
    5-minute output rate, checking, 803–805
    configuring, 801–803
  on NM-CIDS, 834
    configuring, 844–845
command authorization, troubleshooting on Cisco routers, 443–445
commands
  capture, 47–49
  clear crypto sa, 238
  debug, 300
  debug aaa accounting, 430
  debug aaa authentication, 430
  debug aaa authorization, 430
  debug application-protocol, 47
  debug commands, FWSM-related, 122–123
  debug fixup tcp|udp, 47
  debug icmp trace, 46–47
  debug ip inspect, 197–198
  debug pix process, 47
  debug sanity, 24
  debug tunnel, 257–258
  diagnostic level complete, 795
  for PIX flash file system, 33
  intrusion-detection module, 808
  ip port-map, 189
  iplog, 691
  nslookup, 19
  packet, 692
  ping, 17
  recover application-partition, 709
  service-module, connecting to NM-CIDS, 840
  show authorization, 554
  show aaa servers, 430
  show aaa user, 430
  show accounting, 554
  show asp drop, 41–42
  show blocks, 43
  show commands
    for IPsec Phase 1 tunnel negotiations, 233–235
    for IPsec Phase 2 tunnel negotiations, 235–236
    FWSM-related, 120–122
  show configuration, 687
  show connection, 40
  show cpu usage, 42
  show crypto ipsec, 299–300
  show crypto map, 237
  show dot1x all, 556
  show dot1x statistics, 557
  show events, 687
  show interfaces, 689
  show ip inspect, 194–195
  show local-host, 40–41
  show localusers, 552
  show module, 791
  show output filters, 44–45
  show radius, 553
  show radius statistics, 430
  show running config, 15, 300
  show running logging, 52
  show security acl, 792
  show service-policy, 41, 94
  show span, 792
  show statistics, 687–688
  show tacacs, 430, 553
  show tech-support, 45, 689
  show test, 792
  show traffic, 42
  show trunk, 792
  show users, 430
  show version, 15, 200, 686–690, 791
  show vlan brief, 558
  show xlate, 39–40
  tcpdump, 690
  telnet, 18
  time-range, 34–35
  traceroute, 18
  winmsd, 988
common services license key, 865
commonly asked questions. See FAQs
communication architecture
  for CSA MC, 986
  of Firewall MC, 932
  of Router MC, 960
  on IDS MC, 884–885
communication protocols, 678–681
  RADIUS, 425–426
    authentication operation, 426–427
    authorization operation, 426–427
    configuring, case study, 462–463
  TACACS+, 421
    AAA packet flows, 423
    accounting operation, 424
    authentication operation, 422–423
    authorization operation, 424
    versus RADIUS, 428–429
compacting
  CiscoWorks Common Services database, 952–953
  CS ACS database, 660
  CSA MC database, 1029–1031
comparing RADIUS and TACACS+, 428–429
compilation process for ACLs on FWSM, 170–172
components of CSA, 983, 985
Conduit to Access-list Converter, 53
configuration files
  for VPN 3000 Concentrator series, 354
  sysvars.cf, 991
configuring
  AAA
    best practices, 474
    on Cisco switches, enable password authentication, 563
  accounting
    on Cisco IOS routers, 445
    on Cisco switches, 565
  active/active failover on PIX Firewall, 105–106
  alerts, 192–193
  audits, 193
  auth-proxy, 213–215
  basic router security, best practices, 218–219
  blocking, 737–743
  CBAC anti-spoofing, best practices, 219
  clientless SSL VPN mode on VPN 3000 Concentrator series, 390
  Command and Control interface (NM-CIDS), 844–845
  connectivity
    on FWSM, 135–139
    on PIX Firewall, 69–72
  CS ACS
    AAA Client definition for VPN 3K, 609
    domain controller mode, 628
    replication, 640, 644–647
  email notification, 1068–1070
  Firewall MC, Recovery Server, 953–954
  FWSM
    failover, 149–155
    multiple SVI interfaces, 157, 161–162
  GRE over IPsec, 256–257
  Hairpinning, 335–337
  IDM sensors, trusted hosts, 889–890
  IDS MC, best practices, 929
  IDSM-2
    Command and Control port, 801–805
    Promiscuous mode, 805–813
  IPS sensor, Inline mode, 757–762
  IPsec LAN-to-LAN VPN tunnels, 302, 305–308
    crypto maps, creating, 305–306
    transform sets, 304
    tunnel groups, 305
  IPsec over TCP, 339
  Java blocking, 184
  LAN-to-LAN tunnels on VPN 3000 Concentrator series, 356
  LLQ on PIX Firewall, 93–94
  local user authentication on VPN 3K, 597–599
  login authentication, 559–560
  MAPI Proxy on VPN 3000 Concentrator, 399–400
  MBS, 741–743
  MPLS IP IDS, IPS traffic capture, 776–777
  NARs, 648, 651
  NAT-T, 338–339
  NDS database with CS ACS, 630
    troubleshooting, 631–636
  NM-CIDS, time stamping, 857–858
  packet capturing on NM-CIDS, 846–848
  PEAP
    case study, 574–576, 580
    Machine Authentication, 567–570
  PIX Firewall
    multiple context mode, 87–90
    policing, 90–92
    Remote Access VPN, 323–327
  PKI, 258–261
  RADIUS
    dynamic filters, 604
    on Cisco IOS routers, case study, 462–463
  Remote Access VPN connections on VPN 3000 Concentrator series, 364–365
  RSPAN, IPS traffic capture, 773–775
  sensors
    on IDS MC, 906
    shunning, case study, 920–925
  SPAN
    IPS traffic capture, 763–770
    on Catalyst 2900/3600XL, 765–767
    on Catalyst 2950/3550 and 3750, 767–770
    on Catalyst 4000/6000 running CatOS, 770–771
    on Catalyst 4000/6000 running Native IOS, 771–772
  Split Tunneling, 342–344
  SSL VPN on VPN 3000 Concentrator, Thick Client mode, 402–403
  syslog on PIX Firewall, 50–53
  TACACS+ on VPN 3K, 590–592
  traceback on PIX Firewall, 53
  transparent firewalls, 193
    on PIX Firewall, 79–82
  URL filtering, 185–187
  VACL, IPS traffic capture, 775–776
  VPN 3000 Concentrator series
    Cisco Secure ACS, 590–591
    event classes, 348
    group authentication with RADIUS, 599–600
    Group feature, 608
    Group Lock feature, 601
    local group and user authentication, 595
    RADIUS Server, 609
    Windows NT/2000 Authentication, Unknown User Policy, 609–610
connecting
  IPS sensor to network, 784
  serial cable to IDSM-2, 826
  to NM-CIDS console, 840–842
connection block, 734
connection states, CBAC, 194–195
connectivity
  on CBAC, troubleshooting, 201–203
  on FWSM
    configuring, 135–139
    troubleshooting, 134, 139–142
  on IPS sensors, troubleshooting, 720–725
  on PIX Firewall
    configuring, 69–72
    displaying details, 40
    troubleshooting, 72–76
  testing with ping command, 17
console access to NM-CIDS, troubleshooting, 843–844
console port (NM-CIDS), 835
Context-Based Access Control. See CBAC
CONTINUE packets (TACACS+), 422
control connection, 181
cooperation between SecOP and NetOP personnel, 7
core dumps
  generating, 22
    with Flash disk, 23
    with FTP, 22
    with rcp, 23
    with TFTP, 22
  testing configuration of, 24
corrupt IDS MC licenses, troubleshooting, 904
CP (control plane), FWSM architecture, 113–114
CPU utilization
  on CBAC, verifying, 205–206
  on FWSM, troubleshooting, 143
  on PIX Firewall
    displaying, 42
    troubleshooting, 95–98
Cr directory (CSA MC), 986
creating
  buffer overflow exclusions, 1018–1020
  crypto maps for LAN-to-LAN tunnels, 305–306
  database rules, 1064
  DMVPN spoke-to-spoke tunnels, 275
  dump text files, 657
  dynamic crypto maps, 327
  exceptions, 1016
  securitylog.txt file, 991
  transform sets, 304
CRSHDUMP.TXT file, 354
Crypto Errors (CS ACS), resolving, 661
crypto maps, creating for LAN-to-LAN tunnels, 305–306
crypto socket creation problems (NHRP), troubleshooting, 279
cryptographic algorithms, 224
cryptographic-based authentication (EAP), 546
CS ACS (Cisco Secure Access Control Server)
  AAA Client definition for VPN 3K, configuring, 609
  Active Directory integration, 627–629
  application-specific roles, 975
  as proxy server, 665
  associated registries, 663
  backing up, 665
  best practices, 670–671
  categorizing problem areas, 625
  configuring, 590–591
  FAQs, 661–670
  database, compacting, 660
  default NAS, adding, 663
  domain controller mode, configuring, 628
  domain stripping, 665
  external user database integration, required components, 620
  GUI, recovering lost passwords, 663
  installing on Windows platform, 625–627
  “Logged in Users” report, 668
  NARs, 648
    configuring, 648, 651
    troubleshooting, 651–652
  NASs, bulk importing, 667
  Novell IDS integration, 630
    troubleshooting, 631–636
  packet flow, 619–620
  password encryption, 668
  RADIUS Server, communicating with VPN 3K, 597–599
  replication
    configuring, 640, 644
    troubleshooting, 644–647
  SDI integration, 636–638
    troubleshooting, 638–639
  services, CSAdmin, 615–616
  setup procedures for Router MC, 979–980
  Shared File Components, 653–654
  uninstalling, 661
  upgrading on Windows platform, 625–626
  user/NAS import options, 658
    exporting user and group information, 660
    importing NAS to CS ACS database, 659
    importing users to existing database, 658
  user names, defining, 980
  users, deleting, 659
CSA Agent, 983
  application issues, troubleshooting, 1016
  communication with CSA MC, troubleshooting, 1014–1015
  csainfo.bat utility, 989
  debug mode, turning on, 989–991
  disk usage, monitoring, 992
  installation
    minimum requirements, 998–999
    troubleshooting, 997, 1001
  license, procuring, 1007
  log files, 988–992
  policies, 987
  polling issues, troubleshooting, 1014–1015
  registration, troubleshooting, 1014–1015
  removing from Windows systems, 999–1000
  rtrformat utility, 990
  shims, disabling, 1016–1017
  software, procuring, 997–998
  stopping service, 991
  update issues, troubleshooting, 1004–1005
CSA MC (Cisco Security Agent Management Console), 983
  communication architecture, 986
  database
    compacting, 1029–1031
    manual backups, performing, 1023–1024
    purging events from, 1028–1029
    repairing, 1031–1032
    restoring, 1025–1027
  database maintenance, 1023
  default installation directory, 985
  directory structure, 985–986
  disaster recovery, 1036–1037
  DRP, 1023
  installation
    best practices, 1036
    minimum requirements, 995
    troubleshooting, 993
  launching
    problems with, troubleshooting, 1010–1013
    slow launches, troubleshooting, 1013–1014
  license key, installing, 869
  licenses, 1005–1006
    importing, 1007–1008
    procuring, 1007
    troubleshooting, 1009–1010
  local database installation, troubleshooting, 994
  log directory, 988
  log files, 987
  management model, 983–985
  manually removing components, 996–997
  registration, 868
  remote database installation, troubleshooting, 994
  uninstalling, 995
  upgrading, 1002
    on same system, 1002–1003
    on separate system, 1003–1004
CSAdmin, 615–616
csainfo.bat utility, 989
csalog.txt file, 989
csauser.dll, disabling, 1018
CSAuth, 616
CSDBSync, 616
CSLog, 616
CSMon, 616–617
CSRadius service, 618
CSSupport utility, files included in Package.cab file, 622–624
CSTacacs service, 618
csutil.exe, 655, 658
  options, 655–656
D

daemons
  Analyzer, 1055
  Notifier, 1055
daily alarm reports, scheduling, 1073
dangling connections on Router MC, 968
data connection, 181
data not passing through IPsec LAN-to-LAN VPN tunnels, troubleshooting, 322–323
databases
  backing up, command syntax, 656
  CiscoWorks Common Services, 873
    backing up, 874–875
    check pointing, 951
    compacting, 952–953
    restoring, 875–876, 950
  compacting, 660, 1068
  CSA MC database
    compacting, 1029–1031
    purging events, 1028–1029
    repairing, 1031–1032
    restoring database, 1025–1027
  disk utilization, monitoring, 1066
  DRP, 1023
  maximum event limit, changing, 1066
  pruning issues, troubleshooting, 1067–1068
  restoring, 657
  Router MC
    backing up, 972
    restoring, 973
  rules, creating, 1064
DB directory (CSA MC), 986
debug aaa accounting command, 430
debug aaa authentication command, 430
debug aaa authorization command, 430
debug application-protocol command, 47
debug commands, 195, 197, 300
  FWSM-related, 122–123
  guidelines for using, 16
  output, capturing, 199
debug fixup tcp|udp command, 47
debug icmp trace command, 46–47
debug information
  on Firewall MC, viewing, 932
  on Router MC, 961–962
debug ip inspect command, 197–198
debug logging level (Router MC), 961
debug mode (CSA Agent), turning on, 989
debug pix process command, 47
debug sanity command, 24
debug tunnel command, 257–258
debugging
  IDS MC, 887–888
  turning off, 555
decryption, 223
default event limit (database), changing, 1066
default installation directory for CSA MC, 985
defining
  tunnel groups for LAN-to-LAN tunnels, 305
  usernames in ACS, 980
deleting
  CS ACS users, 659
  users in multiple group, 669
deployed jobs, stopping, 942
deploying
  device configurations from Firewall MC, 947
  device configurations from Router MC, 970–971
  IDS MC configuration, 917–920
deployment architecture of IPS, 676–677
destination ports, 764
detecting IOS Firewall feature set, 200
device groups, defining in ACS, 980
devices
  adding to device table, 1052
  configuration files
    deploying, 947
    importing, 943–946, 969–970
  flow rates, monitoring, 1064–1065
diagnostic commands, show ip inspect, 194–195
diagnostic level complete command, 795
dial-up networking on Cisco routers
  accounting, 457
  troubleshooting, 446–456
Digital Certificates
  on VPN 3000 Concentrator series, 383–384
    troubleshooting, 384–389
  on VPN 3000 Concentrator series VPN client, 382–383
digital signatures, 225
directory structure of CSA MC, 985–986
disabling
  CSAgent shims, 1016–1017
  csauser.dll, 1018
disconnecting from NM-CIDS console, 842–843
disk space, reclaiming, 1011
disk usage, monitoring, 992
displaying
  *.rtr file output, 991
  802.1X statistics, 555–557
  Firewall MC debug information, 932
  Router MC debug information, 961–962
  server selftest information, 988
  Windows system information, 988
DMVPN (Dynamic Multipoint VPN), 270
  configurable dynamic routing protocols, 280
  crypto socket creation problems, troubleshooting, 279
  dynamic spoke-to-spoke configuration, 273–276
  mGRE interface, 271
  NHRP, 271
    mapping problems, troubleshooting, 278–279
DNS errors, resolving, 1048
Doc directory (CSA MC), 986
documenting network topology, importance of, 6
domain controller mode (CS ACS), configuring, 628
domain stripping on CS ACS, 665
DoS attacks
  fragmentation, mitigating with CBAC, 191
  TCP SYN flood, mitigating with CBAC, 189–191
downgrading PIX Firewall, 66
downloadable ACLs, 652
  PIX/IP, syntax, 606
  troubleshooting, 654–655
DPD (Dead Peer Discovery), 345
driver_install.log file, 989
DRP (disaster recovery plan), 1023
  application partition, recovery procedures, 708–709
  implementing, 707
dump text files, creating, 657
dynamic crypto maps, creating, 327
dynamic filters
  active, viewing, 603
  configuring on VPN 3K, 602
  fields, 604
  on RADIUS, configuring, 604
  rules, syntax, 603
dynamic routing protocols for DMVPN networks, 280
dynamic spoke-to-spoke DMVPN configuration, 273–276
dynamically mapped users, replication, 670
E

EAP (Extensible Authentication Protocol), 545–546
EAPOL (EAP over LANs), 544
egress traffic, 764
email notification
  configuring, 1068, 1070
  troubleshooting, 1071–1072
E-mail Proxy (VPN 3000 Concentrator)
  configuring, 401
  troubleshooting, 401–402
enable password authentication
  configuring, 563
  troubleshooting, 562–564
enabling
  Firewall MC, Recovery Server, 954
  SSL, 1049
encryption, 223
  of CS ACS passwords, 668
error messages, troubleshooting
  Internal Server Error, 1050
  Page Cannot Be Found Error, 1050
escalation procedures, documenting, 7
ESMTP (Extended Simple Mail Transfer Protocol), traffic inspection, 183–184
ESP (Encapsulating Security Header), 226
established keyword (ACLs), 180
establishing LAN-to-LAN tunnels, 240–246
Ethereal, 125, 199
  web site, 20
Ethernet, interface IDS-Sensor, 834
event classes, configuring on VPN 3000 Concentrator series, 348
Event Limiting, 991
event log (VPN 3000 Concentrator series), viewing, 350–352
Event Viewer
  launching, 1055
  test events, generating, 1057
  troubleshooting, 1057
events
  Large ICMP events, generating, 1057
  maximum event limit (database), changing, 1066
  purging from CSA MC database, 1028–1029
  writing to securitylog.txt file, 991
exception memory command, generating core dump, 23
exceptions, creating, 1016
exec authorization, troubleshooting on Cisco routers, 440–443
expired IDS MC licenses, troubleshooting, 905
exporting user and group information from CS ACS database, 660
F

fact gathering stage, production network troubleshooting, 10–11
Failed Attempts logs, 621
failover, 102
  on FWSM
    configuring, 149–155
    forced reboot conditions, 147
    initialization phase, 146
    monitoring, 147–148
    troubleshooting, 144–146, 155–157
  on PIX Firewall
    active/active failover, configuring, 102, 105–106
    active/standby mode, 102
    asymmetrical routing support, 106
    failover groups, 104
    hardware and licensing requirements, 104
failover groups, 104
failure of VPN 3K authentication, causes of, 607–608
FAQs
  regarding 802.1x, 582–584
  regarding AAA, 472–474
    on VPN 3K, 611–612
  regarding CBAC, 217–218
  regarding CS ACS, 661–670
  regarding CSA Agent/CSA MC, 1032–1035
  regarding CiscoWorks Common Services, 877–881
  regarding FWSM, 173–174
  regarding IDS MC, 925–929
  regarding IPS, 777–781
  regarding PIX Firewall, 109–110
  regarding VPN 3000 Concentrator series, 406–410
Fast Path packet flow through FWSM, 116–118
features of Router MC, 960
Field Notices, 54
fields
  of dynamic filters, 603–604
  of EAP frames, 546
file systems (PIX), commands, 33
files in MDCSupport, analyzing, 886–887
filters, configuring dynamic filters on VPN 3K, 602
Firewall MC
  activities, unlocking, 941
  authentication problems, resolving, 939–940
  browser-related problems, resolving, 937
  CiscoWorks Common Services database
    check pointing, 951
    compacting, 952–953
  Common Services, installing, 935
  communication architecture, 932
  debug information, viewing, 932
  device configurations
    deploying, 947
    importing, 943–946
  initialization, 936, 964
  installation issues, troubleshooting, 934
  interoperability with other applications, 936
  jobs, rolling back, 942
  MDCSupport utility, generated files, 933
  processes, 931
  purge-mc-tasks utility, 942
  Recovery Server
    configuring, 953–954
    enabling, 954
  terminal activities, removing, 941–942
Firewall module administration on FWSM, troubleshooting, 128–133
firewalls
  and IPsec, 284–285
  deploying between IPsec peers, 340
  on IPsec endpoints, 340
Flash disk, generating core dumps, 23
flow rates, monitoring, 1064–1065
fragmentation, mitigating with CBAC, 191
front panel indicator lights
  IDSM-2, 789
  NM-CIDS, 833
FTP, 21
  generating core dumps, 22
  packet flow through FWSM, 118
FWSM
  access-lists
    ACL Partition Manager, 168–169
    compilation process, 170–172
    memory utilization, 164–166
  connectivity
    configuring, 135–139
    troubleshooting, 134, 139–142
  CP, 113–114
  CPU utilization, troubleshooting, 143
  debug commands, 122–123
  failover
    configuring, 149–155
    forced reboot conditions, 147
    initialization phase, 146
    monitoring, 147–148
    troubleshooting, 144–146, 155–157
  FAQs, 173–174
  Firewall module administration issues, troubleshooting, 128–133
  hardware issues, troubleshooting, 127–128
  image upgrades, performing, 133–134
  intermittent packet drops, troubleshooting, 144
  licensing issues, troubleshooting, 126–127
  Maintenance Partition, 130–132
  multiple SVI interfaces, configuring, 157–162
  NP, 114–116
  packet capturing, 123–124
  packet flows, 116
    Fast Path packet flow, 116–118
    FTP session packet flow, 118
    Session Management Path packet flow, 118
  password recovery, 132
  show commands, 120–122
  syslog, 125
G

generating
  agent kits, 997–998
  core dumps, 22
    with exception memory command, 23
    with Flash disk, 23
    with FTP, 22
    with rcp, 23
    with TFTP, 22
  Large ICMP events, 1057
  test events on Event Viewer, 1057
GRE over IPsec
  configuring, 256–257
  troubleshooting, 257–258
group attributes (VPN 3K), 589
group authentication with RADIUS, configuring on VPN 3K, 599–600
group configuration on VPN 3K, 608
Group Lock feature (VPN 3K), 601, 607
groups, 985
GUI (Firewall MC)
  lost passwords, recovering, 663
  removing terminal activities from Firewall MC, 941–942
H

Hairpinning, 334
  configuring, 335–337
half-open connections, manipulating threshold values on CBAC routers, 208
hardware
  IPS support, 683–685
  on FWSM, troubleshooting, 127–128
hardware requirements
  for IDSM-2, 788
  for NM-CIDS support, 832
  for PIX Firewall failover, 104
Headless CSAgent software, procuring, 997
high availability of PIX firewall for VPN connections, 344–345
high CPU utilization, troubleshooting
  on FWSM, 143
  on PIX Firewall, 95–98
host block, 734
hosts, 985
HTTP inspection, Java filtering, 204
HTTPS, tasks performed on IDS MC, 885
hubs, capturing IPS traffic, 763
IIBNSs (Identity-Based Network Services),
541–542, 555802.1X statistics, displaying, 555–557IEEE 802.1x framework, 542–545
standard operation, 544–545machine authentication, 566–567
PEAP, configuring, 567–570ICMP (Internet Control Message Protocol),
traffic inspection, 182IDAPI (Intrusion Detection Application
Programming Interface), 678IDENT protocol, troubleshooting on PIX
Firewall, 102identifying registered CSA MC agents, 1008IDIOM, 681IDM (IPS Device Manager)
IPS sensors, licensing, 719sensors
accessing, 888, 901–902trusted hosts, adding, 890–892trusted hosts, configuring, 889–890
IDS MCApache certificate
regenerating, 897trusted host issues, resolving, 897–898verifying, 896
audit reports, 885communication architecture, 884–885configuration deployment, 917
troubleshooting, 918–920
configuring, best practices, 929corrupt licenses, troubleshooting, 904database pruning, 920debugging, 887–888device table, adding devices to, 1052expired licenses, troubleshooting, 905FAQs, 925–929installing, 902–903MDCSupport file
collecting on Windows platform, 886file contents, analyzing, 886–887
processes, starting/stopping, 884resolving connection problems with sensor, 893secure communication with sensor,
verifying, 893sensors
configuring, 906import process, troubleshooting, 907–908,
1051shunning, case study, 920–925updating signature level, 899–901upgrading, 908–917
service pack version, verifying, 895–896VMS Server, IP addressing, modifying, 898
IDS Sensor Software, naming conventions, 700platform-dependent images, 700–701platform-independent images, 701–702
IdsAlarms.exe utility, 1076IDSdbcompact utility, 1068IDSM-2 (Intrusion Detection Services Module 2)
bladeCommand and Control port
5-minute output rate, checking, 803–805configuring, 801–803
event generation, troubleshooting, 817–818front panel indicator lights, 789hardware issues, troubleshooting
on CatOS, 797–800on Native IOS, 793–797
hardware requirements, 788implementing, best practices, 829installing, 789Maintenance Partition, upgrading, 823–824Promiscuous mode, 805
configuring, 805–813troubleshooting, 814–816
re-imaging, 818–823removing from switch, 790
    serial cable, connecting, 826
    signature update, installing, 824–825
    slot assignment, 788
    sniffing ports, 791
    supported ports, 790
    TCP reset, 818
    upgrading to version 5.x, 826
    user passwords, recovering, 827–829
    VACL Capture, 827
    versus IDS Appliance, 787
IKE (Internet Key Exchange), 229
    phase 1, 229–232
    phase 2, 232–233
images
    for NM-CIDS, 849
    upgrading on FWSM, 133–134
implementing
    AAA on VPN 3K, best practices, 612
    access lists on PIX Firewalls, 34–35
        outbound ACLs, 35–36
        time-range keyword, 34–35
    disaster recovery plan, 707–709
    IDSM-2, best practices, 829
importing
    CSA MC license, 1007–1008
    device configurations
        with Firewall MC, 943–946
        with Router MC, 969–970
    IDS sensors from IDS MC, 1051
        troubleshooting, 907–908
    NAS to CS ACS database, 659
    users to existing CS ACS database, 658
inaccessible sensors, troubleshooting, 901–902
inbound connections, 69
    configuring on PIX Firewall, 69–72
information logging level (Router MC), 961
ingress traffic, 764
initial IPS sensor setup problems, troubleshooting, 693–696
initialization problems, resolving
    on Firewall MC, 936
    on Router MC, 964
Inline Bypass sensor mode (IPS), 682
Inline mode (IPS sensor), 681–682
    configuring, 757–762
    troubleshooting, 762–763
inside network, protecting, 178–180
inspecting
    multi-channel protocols, 187
    single channel protocols, 182
        application-layer protocols, 183
        ICMP, 182
        SMTP, 183
        UDP, 182
        URL filtering, 185–187
installation failures on Router MC, troubleshooting, 963
installing. See also removing; uninstalling
    CiscoWorks Common Services, 870–871
        database management, 873
        minimum requirements, 870
        problems, troubleshooting, 871–873
        user management issues, 873
        with Terminal Services in Remote Administration mode, 935
    CS ACS on Windows platform, 625–627
    CSA MC
        best practices, 1036
        license key, 869
        minimum requirements, 995
        problems, troubleshooting, 993–994
    CSAgent
        minimum requirements, 998–999
        problems, troubleshooting, 997, 1001
    Firewall MC, 934
    IDS MC, 902–903
    IPS Sensor Appliances, 703
        with CD-ROM, 703–704
        with TFTP server, 704–707
    IDSM-2 blade, 789
    NM-CIDS, 833
    Security Monitor, 1047
    signature update on IDSM-2, 824–825
integrating CS ACS
    with Novell IDS, 630–636
    with AD, 627–629
    with SDI, 636–639
interfaces supported on IPS, 683–685
intermittent packet drops on FWSM, troubleshooting, 144
Internal Server Error messages, troubleshooting, 1050
interoperability
    of Firewall MC with other applications, 936
    of NAT and CBAC, 188
inter-process communication, 678
intrusion-detection module command, 808
IOS Firewall feature set, 177
    auth-proxy, 212
        authentication methods, 212
        configuring, 213–215
        troubleshooting, 216–217
    detecting with show version command, 200
    supported Cisco router platforms, 213
IP addresses
    assigning to IDS-Sensor interface, 839
    DNS errors, resolving, 1048
    on VMS Server, modifying, 898
IP fragmentation, mitigating with CBAC, 191
IP inspection on CBAC routers, troubleshooting, 202
ip port-map command, 189
iplog command, 691
IPS (Intrusion Prevention System)
    AnalysisEngine, 678
    best practices, 781–785
    capturing traffic
        with MPLS IP IDS, 776–777
        with RSPAN, 773–775
        with SPAN, 763–770
        with VACL, 775–776
    CLI, 678
    combined sensor mode, 683
    communication protocols, 678–681
    deployment architecture, 676–677
    FAQs, 777–781
    Inline Bypass sensor mode, 682
    Inline sensor mode, 681–682
    MainApp, 677–678
    monitoring device, troubleshooting event reception issues, 726–733
    NM-CIDS, 831
        ACL checks, case study, 852
        application partition, re-imaging, 854–857
        available images, 849
        CEF forwarding path, case study, 850
        Command and Control port, configuring, 844–845
        connecting to, 840–842
        console access, 839, 843–844
        disconnecting from, 842–843
        dropped packets, case study, 853
        encryption, case study, 852
        front-panel indicator lights, 833
        GRE tunnels, case study, 853
        hardware issues, troubleshooting, 836–838
        hardware/software requirements, 832
        installing, 833
        IPS insertion points, case study, 851
        managing from IOS router, 848–849
        NAT, case study, 851
        network setup, 831
        packet capturing, configuring, 846–848
        removing from router, 833
        slot assignment, 833
        supported ports, 834–835
        time stamp configuration, 857–858
    Promiscuous sensor mode, 682–683
    sensors
        blocking function, verifying, 744–745
        blocking issues, troubleshooting, 733–743, 753
        configuration, backing up, 782–783
        connecting to network, 784
        connectivity issues, resolving, 720–725, 746–752
        initial setup issues, 693–696
        Inline mode, 757–763
        MBS, 754
        NAC function, verifying, 745–746
        software installation/upgrade issues, 699–717
        TCP reset, 754–757
        upgrading to IPS 5.0, 715–717
        user management issues, 696–698
    Sensor Appliances, installing, 703–707
    show commands, 686–690
    supported hardware and interfaces, 683–685
    traffic, capturing, 763
IPS 5.0, licensing, 717–720
IPsec
    aggressive mode negotiation, 231–232
    AH, 226
    backup servers, redundancy on VPN 3000 Concentrator series, 415
    debug commands, 300
    ESP, 226
    firewall issues, troubleshooting, 284–285, 340
    GRE over IPsec
        configuring, 256–257
        troubleshooting, 257–258
    IKE, 229
        phase 1, 229–232
        phase 2, 232–233
    interaction with CBAC, 193
    IOS routers, VPN troubleshooting
        debug commands, 238
        PKI, 258–265
        Remote Access client VPN connections, 265–270
    LAN-to-LAN tunnels, 239
        establishing, 240–246
        phase 1 establishment failures, 247–251
        phase 2 establishment failures, 252–254
        traffic flow, troubleshooting, 254–255
    LAN-to-LAN VPN tunnels between PIX firewalls
        configuring, 302, 305–308
        crypto maps, creating, 305–306
        data not passing through, troubleshooting, 322–323
        MTU issues, 340–342
        Phase I failures, 309–319
        Phase II failures, 319–321
        transform sets, creating, 304
        tunnel groups, creating, 305
    main mode negotiation, 229–231
    MTU issues, troubleshooting, 285–286
    NAT-related problems, troubleshooting, 282–284
        exemptions, 338
        over NAT-T, configuring, 338–339
        over TCP, configuring, 339
    Phase 1 tunnel negotiations, show commands, 233–235
    Phase 2 tunnel negotiations, show commands, 235–236
    PKI
        configuring, 258–261
        troubleshooting, 261–265
    Remote Access VPNs on PIX firewall
        configuring, 323, 325–327
        debug output for successful tunnel build-up, 328–331
        split tunneling, 342–344
        stateful failover, obtaining resiliency through, 287–288
        stateless failover, obtaining resiliency through, 288–295
        tunnel not passing through traffic, 333–334
        unestablished tunnels, troubleshooting, 332–333
    SAs, 228
    split tunneling issues, troubleshooting, 286
    transparent tunneling options, 340
    transport mode, 226
    tunnel mode, 227–228
    tunnels, tearing down, 238
    verifying configuration of, 237

J-K
Java blocking, configuring on CBAC, 184
jobs (Firewall MC), rolling back, 942
Jonas logs, 963
keyed message digest, 225
Knoppix security CD, 21

L
LAC routers, troubleshooting, 464–467
LAN-to-LAN IPsec VPN tunnels, 239
    configuring, 302, 305–308
    crypto maps, creating, 305–306
    data not passing through, troubleshooting, 322–323
    establishing, 240–246
    MTU issues, 340–342
    on VPN 3000 Concentrator series, troubleshooting, 356–363
    Phase 1 establishment failures, troubleshooting, 247–251, 309–319
    Phase 2 establishment failures, troubleshooting, 252–254, 319–321
    traffic flow, troubleshooting, 254–255
    transform sets, creating, 304
    tunnel groups, defining, 305
Large ICMP events, generating, 1057
launching
    CiscoWorks Common Services on web browser, 861
    CSA MC
        problems, troubleshooting, 1010–1013
        slow launches, troubleshooting, 1013–1014
    Event Viewer, 1055
    Security Monitor, 1050
LED indicator lights
    on Catalyst 6500 IDSM-2 blade, 789
    on VPN 3000 Concentrator series, 354
    on NM-CIDS, 833
libpcap format files, 691
license keys (CSA MC), installing, 869
licensing
    for CiscoWorks Common Services, troubleshooting, 869
    for CSA MC, 1005–1007
        importing, 1007–1008
        troubleshooting, 1009–1010
    for FWSM, troubleshooting, 126–127
    for IDS MC
        corrupt licenses, troubleshooting, 904
        expired licenses, troubleshooting, 905
    for IPS software, 717–718
        procuring license from Cisco.com, 718
        sensors, 719–720
    for PIX Firewall, 54–56
    for VMS, 865–868
limitations
    of ACLs, 177
    of Virtual Firewall, 86
LLQ (Low-Latency Queuing), configuring on PIX Firewall, 93–94
LNS (L2TP Network Server) routers, troubleshooting, 468–471
load balancing on VPN 3000 Concentrator series, 413
loading Event Viewer, 1057
local database installation (CSA MC), troubleshooting, 994
local group authentication, configuring on VPN 3K, 596
Local mode (CiscoWorks Common Services), 862
local user authentication, configuring on VPN 3K, 597–599
locking VPN 3K users to specific groups, 601
log directory
    CSA Agent files, 988
    CSA MC, 986
log events, viewing on VPN 3K, 589
log files
    CSA MC Log, 987
    for CSA Agent, 988–992
    securitylog.txt, writing events to, 991
    size of, monitoring, 1065–1066
“Logged in Users” report, 668
logging
    Event Limiting, 991
    syslog configuration on PIX Firewall, 50–53
logical PIX firewalls. See Security Contexts
login authentication
    configuring, 559–560
    troubleshooting, 561–562
lost GUI passwords, recovering, 663
low memory issues, troubleshooting on PIX Firewall, 98–101

M
machine authentication
    activating on Cisco switches, 566–567
    PEAP, configuring, 567–570
Main mode negotiation (IPsec), 229–231
MainApp, 677–678
Maintenance Partition (FWSM), 130–132
major/minor software, upgrading, 710
    to IPS 5.0, 716–717
managed devices, troubleshooting connectivity with sensor, 746–752
Management Center, 985
management model for CSA, 983–985
managing NM-CIDS from IOS router, 848–849
man-in-the-middle attacks, 80
manipulating half-open connection threshold values on CBAC routers, 208
manual operations
    adding trusted hosts to IDM sensors, 892
    performing backups on CSA MC database, 1023–1024
    uninstalling CS ACS, 661
MAPI Proxy (VPN 3000 Concentrator)
    configuring, 399–400
    troubleshooting, 400–401
mapping
    CS ACS group names to VPN 3K group names, 598
    NHRP issues, resolving, 278–279
maximum event limit (database), changing, 1066
MBS (Master Blocking Sensor), 737
    configuring, 741–743
    troubleshooting, 754
MDCSUPPORT
MDCSupport, 863
    collecting on Windows platform, 886
    contents, analyzing, 886–887
    files collected by, 864
MDCSupportInformation.zip file
    contents of, 933
    file summary, 864
    installation log files, 864
memory utilization, troubleshooting on PIX Firewall, 98–101
memory.dmp file, 990
message digest, 225
messages, RADIUS, 427
mGRE interface, 271
minimum installation requirements
    CiscoWorks Common Services, 870
    CSA MC, 995
    CSAgent, 998–999
misconfigured ACLs, troubleshooting on CBAC, 202
misconfigured IP inspection, troubleshooting on CBAC routers, 203
misconfigured URL filtering, troubleshooting, 205
mitigating
    IP fragmentation with CBAC, 191
    TCP SYN flood attacks with CBAC, 189, 191
mls ip ids command, 813
    configuring on switch running Native IOS, 809
modifying
    application-to-port mappings, 188–189
    IP addressing on VMS Server, 898
monitoring
    database, disk utilization, 1066
    devices, flow rates, 1064–1065
    disk usage, 992
    log files, size of, 1065–1066
monitoring interface (NM-CIDS), 834
MPF (Modular Policy Framework), 37–38
MPLS IP IDS, configuring IPS traffic capture, 776–777
MSDE database
    compacting, 1030
    repairing, 1031–1032
MTU problems with IPsec, troubleshooting, 285–286, 340–342
multi-channel protocols
    inspecting, 187, 205
    securing with CBAC, 180
multi-homed machines, running CiscoWorks Common Services on, 879
multiple context mode (PIX Firewall), 84–90
multiple mode (FWSM), access list memory utilization, 164–166
multiple SVI interfaces, configuring on FWSM, 157–162

N
NAC (Network Access Controller) function, verifying, 745–746
naming conventions
    after CSA MC upgrade, 1004
    of IDS Sensor Software, 700
        platform-dependent images, 700–701
        platform-independent images, 701–702
NARs (Network Access Restrictions)
    configuring, 648–651
    troubleshooting, 651–652
NAS (Network Access Server), 421, 639
    bulk importing, 667
NAT (Network Address Translation)
    interoperability with CBAC, 188
    troubleshooting on CBAC router, 202
    with IPsec, 282–284
NAT exemptions, 338
nat-control, implementing on PIX Firewall, 36
Native IOS
    IDSM-2, troubleshooting hardware issues, 793–797
    show commands, 792
NAT-T (NAT Traversal), configuring, 338–339
NBMA (Non-Broadcast Multiple Access), 271
network analyzers, 20
network failures
    proactive troubleshooting methods, 5–7
    types of, 7
network resources, protecting on PIX Firewall, 111
NHRP (Next Hop Resolution Protocol), 271
NBMA addresses, 272
NM-CIDS (Cisco IDS Network Module), 831
    application partition, re-imaging, 854–857
    case studies
        ACL checks, 852
        CEF forwarding path, 850
        dropped packets, 853
        encryption, 852
        GRE tunnels, 853
        IP insertion points, 851
        NAT, 851
    Command and Control port, configuring, 844–845
    console access, 839
    console access, troubleshooting, 843–844
    front-panel indicator lights, 833
    hardware issues, troubleshooting, 836–838
    hardware/software requirements, 832
    images, 849
    installing, 833
    managing from Cisco IOS router, 848–849
    network setup, 831
    packet capture, configuring, 846–848
    removing from router, 833
    slot assignment, 833
    supported ports, 834–835
    time stamping configuration, 857–858
    upgrading to version 5.0, 849
Notifier daemon, 1055
Novell IDS, troubleshooting CS ACS integration, 630–636
NPs (network processors)
    FWSM architecture, 114–116
    NP3, access-list utilization on FWSM, 164–166
NSDB (Network Security Database), 785
    viewing from Security Monitor, 1073
nslookup command, 19
NT/RADIUS password authentication feature, testing, 610–611

O
obtaining
    Common Services software production license, 867
    IPsec resiliency
        with stateful failover, 287–288
        with stateless failover, 288–295
options for csutil.exe, 655–656
outbound connections, 69
    configuring on PIX Firewall, 69–72
Output Interpreter, 54

P
Package.cab file, contents of, 622–624
packet capturing
    configuring on NM-CIDS, 846–848
    on FWSM, 123–124
packet command, 692
packet drops, troubleshooting
    on CBAC routers, 210
    on FWSM, 144
packet flows
    through CS ACS, 619–620
    through FWSM, 116
        Fast Path packet flow, 116–118
        FTP session packet flow, 118
        Session Management packet flow, 118
packets, troubleshooting IPsec MTU issues, 285–286
Page Cannot Be Found Error messages (Security Monitor), 1050
PAM (Port Application Mapping), 188–189
Passed Authentication log, turning on, 621
Password Expiry, testing, 610–611
passwords
    encryption (CS ACS), 668
    recovering
        from FWSM, 132
        from IDSM-2, 827, 829
        from PIX Firewall, 56–60
PEAP (Protected EAP)
    configuring, case study, 574–580
    machine authentication, configuring, 567–570
performance issues on CBAC, troubleshooting, 205–210
Perl directory (CSA MC), 986
Phase 1 tunnel negotiations
    IPsec LAN-to-LAN VPN failures, 309–319
    show commands, 233–235
Phase 2 tunnel negotiation
    IPsec LAN-to-LAN VPN failures, 319–321
    show commands, 235–236
    tearing down tunnels, 238
ping command, 17
pinging CBAC router incoming interface, 201
PIX firewalls
    access lists
        enabling/disabling, 35
        implementing, 34
        outbound, 35–36
        time-range keyword, 34–35
    activation keys, 56
    ASA, characteristics of, 29–30
    commands
        capture, 47–49
        debug application-protocol, 47
        debug fixup tcp|udp, 47
        debug icmp trace, 46–47
        debug pix process, 47
        show asp drop command, 41–42
        show blocks, 43
        show connection command, 40
        show cpu usage command, 42
        show local-host command, 40–41
        show output filters, 44–45
        show service-policy command, 41
        show tech-support, 45
        show traffic, 42
        show xlate command, 39–40
    connections
        configuring, 69–72
        troubleshooting, 72–76
    CPU utilization, troubleshooting, 95–98
    Downloadable PIX ACL, 653
    failover
        active/active failover, configuring, 105–106
        active/standby failover, 102
        asymmetrical routing support, 106
        failover groups, 104
        hardware and licensing requirements, 104
    FAQs, 109–110
    file system commands, 33
    Hairpinning, 334–337
    high availability on VPN connections, obtaining, 344–345
    IDENT protocol, troubleshooting on PIX Firewall, 102
    licensing issues, troubleshooting, 54–56
    memory utilization, troubleshooting, 98–101
    MPF, 37–38
    multiple context mode, configuring, 87–90
    nat-control, configuring, 36
    packet processing, 30–32
    password recovery issues, troubleshooting, 56–60
    protecting network resources, best practices, 110–111
    QoS issues, troubleshooting, 90, 92–94
    Remote Access VPNs
        configuring, 323, 325–327
        debug output for successful tunnel build-up, 328–331
        tunnel not passing through traffic, 333–334
        unestablished tunnels, troubleshooting, 332–333
    Security Contexts, 84
        multiple context mode, 84–86
    software upgrade/downgrade issues, troubleshooting, 60–68
    syslog, 50–53
    tools, 53
    traceback, 53
    Transparent Firewall, 38–39, 78
        configuring, 79–82
        troubleshooting, 82–83
    Virtual Firewall, 84–86
PKI
    configuring, 258–259, 261
    troubleshooting, 261–265
platform-dependent images, naming conventions, 700–701
platform-independent images, naming conventions, 701–702
policies, 985–987
Policies directory (CSA MC), 986
policing, configuring on PIX Firewall, 90–92
polling issues with CSA MC, troubleshooting, 1014–1015
port forwarding, VPN 3000 Concentrator
    configuring, 396–397
    troubleshooting, 397–399
port-level authentication, 542
ports
    IDSM-2 switch support, 790
    mapping information, changing, 188–189
    NM-CIDS, configuring Command and Control interface, 834–835, 844–845
Post-Block ACL, 735
Pre-Block ACL, 734
privilege levels, assigning to VPN 3K users, 592
proactive troubleshooting methods, 5–7
processes running
    on Firewall MC, 931
    on IDS MC, 884
    on Router MC, 959
    on SecMon, 884
procuring
    CSA MC license, 1007
    CSAgent license, 1007
    CSAgent software, 997–998
    IPS 5.0 license from Cisco.com, 718
production license for Common Services software, obtaining, 867
production network failures, 8, 12–13
    defining the problem, 9–10
    gathering the facts, 10–11
Profiler, 1022
Promiscuous mode (IDSM-2), 805
    configuring, 805
        on switch running CatOS, 810–813
        on switch running Native IOS, 806–809
    troubleshooting, 814–816
Promiscuous sensor mode (IPS), 682–683
protecting
    inside network, 178–180
    PIX Firewall, best practices, 110–111
protocol analyzers, 20
pruning
    IDS MC database, 920
    troubleshooting, 1067–1068
public key algorithms, 224
purge-mc-tasks utility, 942
purging CSA MC database, 1028–1029

Q–R
QoS, 90
    LLQ, configuring on PIX Firewall, 93–94
    policing, PIX Firewall configuration, 90–92
RADIUS, 425–426, 609
    authentication operation, 426–427
    authorization operation, 426–427
    configuring on Cisco IOS routers, case study, 462–463
    dynamic filters, configuring, 604
    group authentication, configuring on VPN 3K, 599–600
    user authentication, configuring on VPN 3K, 596–597
    versus TACACS+, 428–429
rcp, generating core dumps, 23
RDEP (Remote Data Exchange Protocol), 1041
RDEP2, 679
real-time alerts, configuring, 192–193
reclaiming disk space, 1011
records, pruning from IDS MC database, 920
recover application-partition command, 709
recovering
    application partition, 708–709
    lost GUI passwords, 663
    user passwords from IDSM-2, 827–829
recovering lost passwords
    from FWSM, 132
    from GUI, 663
    from PIX Firewall, 56–60
recovery packages, 702
Recovery Server (Firewall MC)
    configuring, 953–954
    enabling, 954
redirecting archive/backup files away from Database Disk, 1063
redundancy
    failover
        active/active failover, configuring, 105–106
        active/standby failover, 102
        configuring on FWSM, 149–155
        monitoring on FWSM, 147–148
        troubleshooting on FWSM, 144, 146–147, 155–157
    on VPN 3000 Concentrator series
        clustering, 412–414
        using IPsec Backup Servers, 415
        using VRRP, 410–411
Reflexive ACLs, 180
regenerating Apache certificates, 897
registered CSA MC agents, identifying, 1008
registering CSA MC, 868
re-imaging
    IDSM-2, 818–823
    NM-CIDS application partition, 854–857
Remote Access VPN connections
    on PIX firewall, troubleshooting, 323–327
        debug output for successful tunnel build-up, 328–331
        MTU issues, 340–342
        tunnel not passing through traffic, 333–334
        unestablished tunnels, 332–333
    on VPN 3000 Concentrator series, troubleshooting, 364–371
        client routing, 377–381
        Internet inaccessibility, 381–382
        local LAN inaccessibility, 382
        tunnel establishment, 372–377
    split tunneling, configuring, 342–344
remote database installation (CSA MC), troubleshooting, 994
removing
    CSA MC components, 995–997
    CSAgent from Windows systems, 999–1000
    IDSM-2 blade from switch, 790
    NM-CIDS from router, 833
    terminal activities from Firewall MC, 941–942
repairing CSA MC database, 1031–1032
replication, 640
    Bidirectional, 647
    “cascade”, 645
    CS ACS
        configuring, 640, 644
        troubleshooting, 644–647
    of dynamically mapped users, 670
REPLY packets (TACACS+), 422
reports
    daily alarm reports, scheduling, 1073
    generation failures, troubleshooting, 1060
    pruning reports, 1067
    Router MC, 963
resolving
    connection problems between IDS MC and sensor, 893
    CS ACS Crypto Errors, 661
    DNS errors, 1048
restoring
    CiscoWorks Common Services, 875–876, 950
    CSA MC database, 1025–1027
    data, 657
    Router MC database, 973
Roles, 862
rollback feature (Firewall MC), 942
Router MC
    ACS, setup procedures, 979–980
    authentication problems, resolving, 967
    backup/restore operations, troubleshooting, 973
    browser issues, troubleshooting, 965, 967
    checking status of, 960
    communication architecture, 960
    dangling connections, 968
    database
        backing up, 972
        restoring, 973
    debug information, collecting/viewing, 961–962
    device configurations
        deploying, 970–971
        importing, 969–970
    features, 960
    installation failures, troubleshooting, 963
    logging levels, setting, 961
    processes, 959
    reports, 963
    user permissions, case study, 974–975, 978
RRI (Reverse Route Injection), 345
RSPAN (remote SPAN), configuring IPS traffic capture, 773–775
rules
    CSA MC, 985
    database/event, creating, 1064
    for dynamic filters, syntax, 603
Rx SPAN, 764
S
Samples directory (CSA MC), 986
SAs, 228
saving crash information to Flash on PIX Firewall, 53
scheduling daily alarm reports, 1073
SDEE (Security Device Event Exchange), 679–680, 1041
SDI (Secure ID), CS ACS integration, 636–639
SecMon
    database Pruning, 920
    processes, starting/stopping, 884
security administrators, 984
Security Contexts, 84
    multiple context mode, 84–90
Security Monitor
    best practices, 1077
    database maintenance issues, troubleshooting, 1062
    DNS errors, resolving, 1048
    email notification
        configuring, 1068–1070
        troubleshooting, 1071–1072
    Event Viewer
        launching, 1055
        troubleshooting, 1057
    inability to launch, troubleshooting, 1050
    inability to receive events, troubleshooting, 726, 728–733
    installation guidelines, website, 1047
    Internal Server Error messages, troubleshooting, 1050
    licensing issues, troubleshooting, 1051
    NSDB, viewing, 1073
    Page Cannot Be Found Error messages, troubleshooting, 1050
    report generation failures, troubleshooting, 1060
    sensor connection status, troubleshooting, 1053–1055
    strange behavior, troubleshooting, 1051
    tabs, 1048
    user management, 1045
securitylog.txt file, writing events to, 991
selecting
    slot for IDSM-2 placement, 788
    traffic capture method on IDSM-2, 827
    UDP connection timeout for CBAC, 207–208
sensor modes
    combined modes, 683
    Inline Bypass mode, 682
    Inline mode, 681–682
    Promiscuous mode, 682–683
sensors
    active processes, verifying, 893–895
    blocking
        for specific signatures, troubleshooting, 753
        process, verifying, 923–924
    connectivity, 721–725
    IDM
        accessing, 888
        trusted hosts, adding/configuring, 889–892
    IDS, importing from IDS MC, 1051
    IDS MC
        configuring, 906
        deploying, 917–920
        import process, troubleshooting, 907–908
        shunning, case study, 920–925
        upgrade process, troubleshooting, 908–917
    inaccessibility, troubleshooting, 901–902
    IPS, troubleshooting
        ACLs, 734–735
        backing up configuration, 782–783
        blocking, 734–745
        connecting to network, 784
        connectivity with managed device, 746–752
        initial setup issues, 693–696
        Inline mode, configuring, 757–762
        Inline mode, troubleshooting, 762–763
        MBS, 737, 741–744
        software installation/upgrade issues, 699–717
        supported managed devices and versions, 735
        TCP reset, 754–757
        user management issues, 696–698
    licensing, 719–720
        with CLI, 719–720
        with IDM, 719
    resolving connection problems with IDS MC, 893
    signature level, updating, 899–901
    upgrading to IPS 5.0, 715–717
    verifying secure communication with IDS MC, 893
serial cable, connecting to IDSM-2 blade, 826
server selftest information, displaying, 988
service packs, IDS MC
    upgrading sensors, 908–910
    verifying version of, 895–896
service-module command, connecting to NM-CIDS, 840
services, CSAdmin, 615–616
Session Management packet flow through FWSM, 118
Shared File Components (CS ACS), 653–654
Shared Profile (command authorization), configuring, 444
shims, disabling, 1016–1017
show aaa servers command, 430
show aaa user command, 430
show access-list command, 655
show accounting command, 554
show asp drop command, 41–42
show authorization command, 554
show blocks command, 43
show commands
    for IPsec Phase 1 tunnel negotiations, 233–235
    for IPsec Phase 2 tunnel negotiations, 235–236
    for Native IOS, 792
    FWSM-related, 120–122
show configuration command, 687
show connection command, 40
show cpu usage command, 42
show crypto ipsec command, 299–300
show crypto map command, 237
show dot1x all command, 556
show dot1x statistics command, 557
show events command, 687
show interfaces command, 689
show ip inspect command, 194–195
show local-host command, 40–41
show localusers command, 552
show module command, 791
show output filters command, 44–45
show radius command, 553
show radius statistics command, 430
show running config command, 15
show running logging command, 52
show running-config command, 300
show security acl command, 792
show service-policy command, 41, 94
show span command, 792
show statistics command, 687–688
show tacacs command, 430, 553
show tech-support, 45
show tech-support command, 689
show test command, 792
show traffic command, 42
show trunk command, 792
show users command, 430
show version command, 15, 686–687, 689–690, 791
    verifying installed IOS Firewall feature set, 200
show vlan brief command, 558
show xlate command, 39–40
shunning on IDS MC sensor, case study, 920–925
signature levels, updating on IDS MC sensors, 899–901
signature updates, installing on IDSM-2, 824–825
signatures, IDS MC
    upgrading IDS MC sensors, 908–910
    verifying version of, 895–896
single channel protocol inspection
    application-layer, 183
    ICMP, 182
    SMTP, 183
    UDP, 182
    securing on inside network, 179–180
single-mode (FWSM), access list memory utilization, 164–166
size of log files, monitoring, 1065–1066
slot assignment of NM-CIDS on router, 833
slow CSA MC launches, troubleshooting, 1013–1014
SMTP
    email notification
        configuring, 1068–1070
        troubleshooting, 1071–1072
    traffic inspection, 183–184
sniffer software, 49
    Ethereal, 199
sniffer traces, capturing, 199
sniffing ports on IDSM-2, 791
software
    installation/upgrade problems (IPS), troubleshooting, 699–717
    requirements
        for IDSM-2 blade, 788
        for NM-CIDS support, 832
    upgrade/downgrade issues, troubleshooting on PIX Firewall, 60–61, 63–66, 68
Software Advisor Tool, verifying correct IOS Firewall version, 200
source port, 764
SPAN (Switched Port Analyzer)
    configuring
        on Catalyst 2900/3500XL, 765–767
        on Catalyst 2950/3550 and 3750, 767–770
        on Catalyst 4000/6000 running CatOS, 770–771
        on Catalyst 4000/6000 running Native IOS, 771–772
        on switch running CatOS, 810
        on switch running Native IOS, 806–807
    IPS traffic capture, configuring, 763, 765
        on Catalyst 2900/3500XL, 765, 767
        on Catalyst 2950, 767–770
        on Catalyst 3550, 767–770
        on Catalyst 3750, 767–770
SPI (security parameter index), 228
split tunneling
    configuring, 342–344
    troubleshooting, 286
spoke-to-spoke tunnels, creating, 275
SQL Server 2000, compacting, 1031
SSH, tasks performed on IDS MC, 885
SSL
    CSA MC communication architecture, 987
    enabling, 1049
SSL VPN
    clientless mode, 390
        configuring, 390
        troubleshooting, 391–395
    thick client mode
        configuring, 402–403
        troubleshooting, 403–405
    thin client mode, 395–396
        E-mail Proxy, configuring, 401
        E-mail Proxy, troubleshooting, 401–402
        MAPI Proxy, configuring, 399–400
        MAPI Proxy, troubleshooting, 400–401
        port forwarding, 397–399
START packets (TACACS+), 422
starting IDS MC/SecMon processes, 884
stateful failover
    for VPN connections, 345
    obtaining IPsec resiliency, 287–288
stateless failover, obtaining IPsec resiliency, 288–295
static ACLs, established keyword, 180
status indicator lights
    IDSM-2, 789
    NM-CIDS, 833
status of Router MC processes, checking, 960
stopping
    CSAgent service, 991
    deployed jobs, 942
supplicant, 542
supported tokens on VPN 3K, 604
suspending NM-CIDS sessions, 842
switch management, 558
    accounting
        configuring, 565
        troubleshooting, 566
    authorization
        configuring, 564–565
        troubleshooting, 565
    enable password authentication, troubleshooting, 562–564
    login authentication, troubleshooting, 559–562
switching path on CBAC, troubleshooting performance issues, 209
symmetric cryptographic algorithms, 224
syntax
    for database backups, 656
    for downloadable PIX/IP ACLs, 606
    for dynamic filter rules, 603
    rtrformat utility, 990
syslogs, 21
    activating on Cisco routers, 193
    configuring on PIX Firewall, 50–53
    on FWSM, 125
System Image, re-imaging IDSM-2, 818–823
system images, upgrading to IPS 5.0, 716
sysvars.cf file, 991

T
tabs, Security Monitor, 1048
TACACS+, 421
    AAA packet flows, 422–423
    accounting operation, 424
    authentication operation, 422–423
    authorization operation, 424
    configuring on VPN 3K, 590–592
    versus RADIUS, 428–429
TCP reset, 754–757
    on IDSM-2, 818
TCP SYN flood attacks, mitigating with CBAC, 189–191
tcpdump command, 690
tearing down IPsec tunnels, 238
telnet, connecting to NM-CIDS, 841–842
telnet command, 18
terminating CSAgent service, 991
test events, generating on Event Viewer, 1057
testing
    authentication, 593–594
    core dump setup, 24
    NT/RADIUS password expiration feature, 610–611
TFTP, 20
    generating core dumps, 22
Thick Client SSL VPN mode (VPN 3000 Concentrator series)
    configuring, 402–403
    troubleshooting, 403–405
Thin Client SSL VPN mode (VPN 3000 Concentrator series), 395–396
“time exceeded” error messages, 18
time stamping on NM-CIDS, configuring, 857–858
time-range command, 34–35
Tmp directory (CSA MC), 986
tomcat logs, 962
traceback, configuring on PIX Firewall, 53
traceroute command, 18
traffic capture method on IDSM-2, configuring
    with mls ip ids command, 813
        on switch running Native IOS, 809
    with SPAN
        on switch running CatOS, 810
        on switch running Native IOS, 806–807
    with VACL
        on switch running CatOS, 811
        on switch running Native IOS, 807–809
traffic filtering, ACLs
    limitations of, 177
    wide holes, 181
traffic inspection
    of multi-channel protocols, 187
    of single channel protocols, 182
        application-layer protocols, 183
        ICMP, 182
        SMTP, 183
        UDP, 182
transform sets, 325
    creating, 304
translation details, displaying for PIX Firewall, 39–40
transparent firewalls, 38–39, 193
    configuring, 79–82, 193
    troubleshooting on PIX Firewall, 78, 82–83
transparent tunneling options, 340
transport mode, 226
trusted hosts
    adding to IDM sensors, 890–892
    configuring on IDM sensors, 889–890
tunnel groups, VPN 3K, 326
    attributes, 589
    authentication, 588–589
    defining for LAN-to-LAN tunnels, 305
tunnel mode, 227–228
turning off
    debugging, 555
    Passed Authentication log, 621
turning on CSA Agent debug mode, 989
Tx SPAN, 765
U
UDP
    connection timeout, selecting, 207–208
    traffic inspection, 182, 203–205
uninstalling. See also removing
    CS ACS, 661
    CSA MC, 995
Unknown User Policy, configuring, 609–610
unlocking Firewall MC activities, 941
updating
    CSAgent, 1004–1005
    signature level on IDS MC sensors, 899–901
upgrading
    Cisco IOS code base on CBAC routers, 209
    CiscoWorks Common Services license, 868
    CS ACS on Windows platform, 625–626
    CSA MC, 1002
        on same system, 1002–1003
        on separate system, 1003–1004
    IDS MC sensors, 908–910
        failures, troubleshooting, 910–917
    IDSM-2 to version 5.x, 826
    IPS Sensor Appliances, 703
        with CD-ROM, 703–704
        with TFTP server, 704–707
    Maintenance Partition on IDSM-2, 823–824
    Major/Minor Software, 710
    NM-CIDS, 849
    PIX Firewall, 61–63
        in failover setup, 68
        ROM Monitor mode, 63–66
    Router MC, troubleshooting failures, 963
    to IPS 5.0, 715–717
URL filtering
    activating, 186
    configuring on CBAC, 185–187
    on CBAC routers, troubleshooting, 211
    troubleshooting, 205
user attributes (VPN 3K), 589
user authentication
    on CiscoWorks Common Services, case study, 876–877
    on VPN 3K, 588–589
        with RADIUS, configuring, 596–597
user management
    on CiscoWorks Common Services, 862, 873
    on IPS, troubleshooting, 696–698
    on Security Monitor, 1045
user passwords, recovering from IDSM-2, 827–829
user permissions on Router MC, case study, 974–975, 978
users, deleting
    in multiple groups, 669
    on CS ACS, 659
utilities
    csutil.exe
        arguments, 655–656
        syntax, 655
    IdsAlarms.exe, 1076
    IDSdbcompact, 1068
    MDCSUPPORT, 863–864
    purge-mc-tasks, 942

V
VACLs (VLAN ACLs)
    blocking, 736
    configuring
        on switch running CatOS, 811
        on switch running Native IOS, 807–809
    IPS traffic capture, configuring, 775–776
VACL Capture (IDSM-2), 827
verifying
    active processes on sensors, 893–895
    Apache certificate on IDS MC, 896
    blocking process configuration on sensors, 744–745, 923–924
    CBAC CPU utilization, 205–206
    core dump configuration, 24
    Firewall MC installation, 934
    IPsec tunnel configuration, 237
    NAC function, 745–746
    network connectivity with ping command, 17
    Router MC installation, 963
    secure communication between IDS MC and sensor, 893
    service pack version on IDS MC, 895–896
    version of IDS MC, 895–896
viewing
   event log on VPN 3000 Concentrator series, 350–352
   Firewall MC debug information, 932
   log events on VPN 3K, 589
   NSDB from Security Monitor, 1073
   processes on IDS MC/SecMon, 884
   Router MC debug information, 961–962
Virtual Firewall, 84–86
Virtual Reassembly option (IOS Firewalls), 191
VMS (VPN/Security Management Solution)
   CiscoWorks Common Services
      backing up, 874–875
      FAQs, 877–881
      installing, 870–873
         problems, troubleshooting, 871–873
         user management issues, 873
      managing, best practices, 881
      restoring, 875–876
      running on multi-homed machines, 879
      user authentication, case study, 876–877
   licensing issues, 865–866
      obtaining Common Services production license, 867
      upgrading Common Services license, 868
VMS Server, modifying IP addressing, 898
VPDNs (Virtual Private Dial-up Networks)
   LAC router, troubleshooting, 464–467
   LNS router, troubleshooting, 468–471
   on Cisco IOS routers, case study, 458–462
   troubleshooting on Cisco IOS routers, case study, 464–472
VPN 3000 Concentrator series
   AAA
      session timeouts, avoiding, 593
      TACACS+, configuring, 590–592
   Administer Sessions window, 352
   authentication, 590
      causes of failure, 607–608
      FAQs, 406–410
   Cisco Secure ACS server, configuring, 590–591
   communicating with CS ACS RADIUS server, 597–599
   concentrator management, 587
   configuration files, 354
   CRSHDUMP.TXT file, 354
   Digital Certificates, 383–384
      on VPN client, 382–383
      troubleshooting, 384–389
   dynamic filters, configuring, 602
   E-mail Proxy
      configuring, 401
      troubleshooting, 401–402
   event classes, configuring, 348
   event log, viewing, 350–352
   failure, causes of, 607
   group authentication with RADIUS, configuring, 599–600
   group configuration, 608
   group names, mapping to CS ACS group names, 598
   LAN-to-LAN tunnel issues
      configuring, 356
      troubleshooting, 359–363
   LED indicators, 354
   local group and user authentication, configuring, 595–596
   local user authentication, configuring, 597–599
   log events, viewing, 589
   MAPI Proxy
      configuring, 399–400
      troubleshooting, 400–401
   port forwarding
      configuring, 396–397
      troubleshooting, 397–399
   privilege levels, assigning to users, 592
   RADIUS Server, configuring, 609
   redundancy
      using clustering, 412–414
      using IPsec Backup Servers, 415
      using VRRP, 410–411
   Remote Access VPN connections
      configuring, 364–365
      troubleshooting, 365–382
   SSL VPN
      clientless mode, 390–395
      Thick Client mode, 402–405
      thin client mode, 395–396
   supported tokens, 604
   tunnel group authentication, 588–589
   user authentication, 588–589
      with RADIUS, configuring, 596–597
   users, locking to specific group, 601
   VPN client log, 354–355
   X-Auth, troubleshooting, 594–596
VPNs
   on Cisco IOS routers, DMVPN, 270–280
   stateful failover, 345
   transparent tunneling options, 340
VRRP (Virtual Router Redundancy Protocol), redundancy on VPN 3000 Concentrator series, 410–411

W
web browsers
   CiscoWorks Common Services, launching, 861
   on Firewall MC, troubleshooting, 937
   on Router MC, troubleshooting, 965–967
websites
   Ethereal, 20
   Knoppix tool, 2
   Security Monitor installation guidelines, 1047
well-known ports, changing port-to-application mappings, 188–189
wide holes, 181
Windows operating system
   CS ACS
      installing, 625–627
      related registries, 663
   CSAgent, removing, 999–1000
   IDS MC
      MDCSupport file, 886–887
      MDCSupport file, collecting, 886
   system information, displaying, 988
Windows NT/2000 Domain Authentication, configuring Unknown User Policy, 609–610
winmsd command, 988
worry state, IKE keepalives, 345

X-Y-Z
X-Auth, troubleshooting, 594–596
   on Cisco routers, 457
XML parser, 1044