Cisco PIX 525 Especificaciones Pagina 447
- Pagina / 466
- Tabla de contenidos
- MARCADORES
Valorado. / 5. Basado en revisión del cliente
E-3
Cisco PIX Firewall and VPN Configuration Guide
78-15033-01
Appendix E Supported VPN Standards and Security Proposals
Certification Authorities (CA)
Certification Authorities (CA)
IKE interoperates with the following standard:
X.509v3 certificates—Used with the IKE protocol when authentication requires public keys. Certificate
support that allows the IPSec-protected network to scale by providing the equivalent of a digital ID card
to each device. When two peers wish to communicate, they exchange digital certificates to prove their
identities (thus removing the need to manually exchange public keys with each peer or to manually
specify a shared key at each peer). These certificates are obtained from a certification authority (CA).
X.509 is part of the X.500 standard by the ITU.
CA supports the following standards:
• X.509v3 certificates.
• Public-Key Cryptography Standard #7 (PKCS #7)—A standard from RSA Data Security, Inc. used
to encrypt and sign certificate enrollment messages.
• Public-Key Cryptography Standard #10 (PKCS #10)—A standard syntax from RSA Data Security,
Inc. for certificate requests.
• RSA Keys—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and
Leonard Adleman. RSA keys come in pairs: one public key and one private key.
Supported Easy VPN Proposals
Table E-1 lists the IKE (Phase 1) security proposals supported by Cisco PIX Firewall when used with
Easy VPN clients.
Ta b l e E-1 Easy VPN Client IKE (Phase 1) Proposals
Proposal Name Authentication Mode
Authentication
Algorithm
Encryption
Algorithm
Diffie- Hellman
Group
CiscoVPNClient-3DES-MD5 Preshared Keys (XAUTH) MD5/HMAC-128 3DES-168 Group 2 (1024 bits)
CiscoVPNClient-3DES-SHA Preshared Keys (XAUTH) SHA/HMAC-160 3DES-168 Group 2 (1024 bits)
CiscoVPNClient-DES-MD5 Preshared Keys (XAUTH) MD5/HMAC-128 DES-56 Group 2 (1024 bits)
CiscoVPNClient-AES128-MD5 Preshared Keys (XAUTH) MD5/HMAC-128 AES-128 Group 2 (1024 bits)
CiscoVPNClient-AES128-SHA Preshared Keys (XAUTH) SHA/HMAC-160 AES-128 Group 2 (1024 bits)
CiscoVPNClient-AES192-MD5 Preshared Keys (XAUTH) MD5/HMAC-128 AES-192 Group 2 (1024 bits)
CiscoVPNClient-AES192-SHA Preshared Keys (XAUTH) SHA/HMAC-160 AES-192 Group 2 (1024 bits)
CiscoVPNClient-AES256-MD5 Preshared Keys (XAUTH) MD5/HMAC-128 AES-256 Group 2 (1024 bits)
CiscoVPNClient-AES256-SHA Preshared Keys (XAUTH) SHA/HMAC-160 AES-256 Group 2 (1024 bits)
IKE-3DES-MD5 Preshared Keys MD5/HMAC-128 3DES-168 Group 2 (1024 bits)
IKE-3DES-SHA Preshared Keys SHA/HMAC-160 3DES-168 Group 2 (1024 bits)
IKE-DES-MD5 Preshared Keys MD5/HMAC-128 DES-56 Group 2 (1024 bits)
IKE-AES128-MD5 Preshared Keys MD5/HMAC-128 AES-128 Group 2 (1024 bits)
IKE-AES128-SHA Preshared Keys SHA/HMAC-160 AES-128 Group 2 (1024 bits)
IKE-AES192-MD5 Preshared Keys MD5/HMAC-128 AES-192 Group 2 (1024 bits)
- Cisco PIX Firewall and VPN 1
- Configuration Guide 1
- CONTENTS 3
- Contents 10
- 78-15033-01 10
- INDEXndex 18
- About This Guide 19
- Document Organization 20
- Document Conventions 21
- Obtaining Documentation 21
- Documentation CD-ROM 22
- Ordering Documentation 22
- Documentation Feedback 22
- Cisco.com 23
- Technical Assistance Center 23
- Cisco TAC Escalation Center 24
- Getting Started 27
- How the PIX Firewall Works 28
- Adaptive Security Algorithm 29
- Address Translation 31
- Cut-Through Proxy 32
- Supported Routing Protocols 32
- Access Control 32
- TurboACL 33
- Downloadable ACLs 33
- VLAN Support 34
- Mail Guard 35
- Flood Guard 35
- DNS Control 35
- ActiveX Blocking 36
- Java Filtering 36
- URL Filtering 36
- Configurable Proxy Pinging 36
- Voice over IP 37
- CTIQBE (TAPI) 38
- RAS Version 2 38
- LDAP Version 2 and ILS 40
- NetBIOS over IP 40
- Virtual Private Networks 41
- Certification Authorities 42
- Using a Site-to-Site VPN 43
- DHCP Server 45
- DHCP Relay 46
- DHCP Client 46
- Using a Syslog Server 49
- FTP and URL Logging 49
- Integration with Cisco IDS 49
- PIX Firewall Failover 50
- Access Modes 51
- Accessing Configuration Mode 52
- Abbreviating Commands 53
- Command Line Editing 54
- Filtering Show Command Output 54
- Command Output Paging 55
- Comments 55
- Configuration Size 56
- Help Information 56
- Where to Go from Here 57
- Establishing Connectivity 61
- Setting Default Routes 63
- How NAT and PAT Work 70
- Configuring NAT and PAT 70
- Using RIP 73
- PIX Firewall 74
- Using OSPF 75
- OSPF Features Supported 76
- Restrictions and Limitations 77
- Using OSPF in Public Networks 78
- Viewing OSPF Configuration 81
- Clearing OSPF Configuration 82
- Testing Connectivity 83
- Basic Configuration Examples 85
- Internet 90
- 209.165.201.3209.165.201.2 92
- 192.168.0.110.0.0.3 92
- 209.165.201.1 92
- 209.165.201.4 92
- Using VLANs with the Firewall 94
- Using Logical Interfaces 95
- VLAN Security Issues 96
- Managing VLANs 97
- Using Outside NAT 98
- Simplifying Routing 99
- 209.165.200.225 100
- 209.165.200.226 100
- Policy NAT 101
- Limitations 104
- Configuring Policy NAT 104
- Overview 106
- Configuring IGMP Timers 109
- Clearing IGMP Configuration 109
- Viewing and Debugging SMR 110
- • RFC 2236 IGMPv2 111
- • RFC 2362 PIM-SM 111
- Enabling Inbound Connections 114
- 10.1.1.2 209.165.201.25 118
- PAT address = 118
- 209.165.201.15 118
- Inside Outside 118
- Port Redirection Example 119
- Configuring AAA 120
- Using MAC-Based AAA Exemption 125
- Basic Configuration 126
- Managing Access to Services 128
- Using TurboACL 130
- Globally Configuring TurboACL 131
- Downloading Access Lists 132
- Software Restrictions 135
- How Object Grouping Works 136
- Using Subcommand Mode 137
- Nesting Object Groups 141
- Removing Object Groups 142
- Filtering ActiveX Objects 143
- Filtering Java Applets 144
- Filtering HTTPS and FTP Sites 146
- Configuring Filtering Policy 147
- Filtering Long URLs 148
- Configuration Procedure 150
- Basic Configuration Procedure 156
- • Overview, page 4-7 158
- Using X.509 Certificates 162
- Using Related Commands 168
- Using DHCP Relay 173
- Configuring the DHCP Client 174
- • debug dhcpc packet 175
- • debug dhcpc detail 175
- • debug dhcpc error 175
- Using the fixup Command 180
- Basic Internet Protocols 182
- • ESP tunnel serialization 186
- • SPI matching 186
- Application Inspection 188
- Sample Configuration 189
- Voice Over IP 190
- CU-SeeMe 191
- Viewing Connection Status 193
- Technical Background 193
- Viewing MGCP Information 196
- Using PAT with SCCP 197
- Viewing SCCP Information 199
- Providing IP Address Privacy 201
- Instant Messaging (IM) 202
- Viewing SIP Information 202
- Multimedia Applications 203
- TCP Stream 205
- VDO LIVE 206
- ILS and LDAP 207
- Step 2 Permit NFS access: 208
- Management Protocols 209
- Remote Shell 210
- How IPSec Works 213
- Internet Key Exchange (IKE) 214
- Configuring IKE 216
- Disabling IKE 218
- CA Overview 220
- Public Key Cryptography 220
- Supported CA Servers 221
- Configuring IPSec 225
- Transform Sets 226
- Crypto Maps 226
- Access Lists 228
- IPSec SA Lifetimes 230
- Basic IPSec Configuration 231
- Using Dynamic Crypto Maps 233
- Site-to-Site Redundancy 236
- Using NAT Traversal 236
- Manual Configuration of SAs 237
- Viewing IPSec Configuration 240
- Clearing SAs 240
- Using Pre-Shared Keys 243
- Figure 7-1 VPN Tunnel Network 244
- Step 1 Define a host name: 244
- Scenario Description 249
- Figure 7-2 VPN Tunnel Network 250
- Step 11 Define a crypto map: 261
- PIX Firewall 1 Configuration 263
- PIX Firewall 2 Configuration 265
- Services Module 267
- Manual Configuration with NAT 277
- Managing VPN Remote Access 281
- Enabling Redundancy 284
- Bypassing AAA Authentication 285
- Configuring the PIX Firewall 290
- Using PPTP for Remote Access 299
- PPTP Configuration 300
- PPTP Configuration Example 301
- Privilege Levels 304
- User Authentication 305
- Command Authorization 307
- TACACS+ Command Authorization 310
- Recovering from Lockout 311
- Using Network Time Protocol 312
- Enabling NTP 313
- Viewing System Time 317
- Setting the System Clock 317
- option is 318
- Using Telnet 322
- Trace Channel Feature 323
- Obtaining an SSH Client 324
- Viewing SSH Status 326
- Enabling Auto Update Support 327
- Managing Auto Update Support 328
- Capturing Packets 329
- Packet Capture Output Formats 331
- Packet Capture Examples 332
- Using Syslog 334
- Disabling Syslog Messages 336
- Configuration 337
- Logging Behavior 339
- Syslog Message Format 340
- Managing IDS Syslog Messages 341
- Using SNMP 343
- MIB Support 344
- SNMP CPU Utilization 344
- SNMP Usage Notes 345
- SNMP Traps 346
- Viewing Failover Status 349
- Verifying Memory Usage 350
- Viewing The Connection Count 351
- Viewing System Buffer Usage 352
- Using PIX Firewall Failover 355
- Failover System Requirements 356
- Understanding Failover 357
- Failover and State Links 358
- State Link 359
- Configuration Replication 360
- Failover Triggers 361
- Configuring the Primary Unit 366
- Forcing Failover 374
- Disabling Failover 374
- Monitoring Failover 375
- Basic Failover Questions 377
- LAN-Based Failover Questions 379
- Stateful Failover Questions 379
- Cable-Based Failover Example 380
- LAN-Based Failover Example 381
- Obtaining an Activation Key 384
- Entering a New Activation Key 384
- 1. Install the new image 385
- 2. Reboot the system 385
- 4. Reboot the system 385
- Getting a TFTP Server 389
- Downloading Software with FTP 390
- Using Boothelper 392
- TFTP Download Error Codes 397
- Acronyms and Abbreviations 399
- Access Clients 405
- Introduction 406
- PIX Firewall Configuration 407
- Token Enabled 408
- Next Tokencode Mode 408
- New PIN Mode 409
- L2TP Overview 413
- Tunnel mode 414
- Transport mode 414
- Enabling IPSec Debug 419
- Figure B-5 VPN Client Access 420
- APPENDIX 427
- Configuring the Inside Server 429
- TCP/IP Reference Information 431
- Protocols and Applications 435
- Using Subnet Masks 437
- Uses for Subnet Information 439
- Using Limited IP Addresses 439
- Addresses in the .128 Mask 439
- Addresses in the .192 Mask 440
- Addresses in the .224 Mask 440
- Addresses in the .240 Mask 440
- Addresses in the .248 Mask 441
- Addresses in the .252 Mask 442
- Proposals 445
- Supported Easy VPN Proposals 447
Relacionado con productos y manuales para Los Sistemas De Control De Acceso De Seguridad Cisco PIX 525
(105 paginas)© 2020, manymanuals.es. Todos los derechos reservados | 0.072 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales