Cisco CSS11501S-C-K9 Configuration Manual

Secure content accelerator

Cisco 11000 Series Secure Content Accelerator Configuration Guide
April 2003
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: 78-13124-06


Summary of Contents for Cisco CSS11501S-C-K9

  • Page 2 You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: ...
  • Page 3 Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 5: Table Of Contents

    Chapter 1 Overview: Product Overview; Secure Content Accelerator Versions. Chapter 2 Installing the Hardware and Software: Site Requirements; Required Tools and Equipment; Shipment Contents. Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06...
  • Page 6 Chapter 4 Using the Configuration Manager: Overview; Configuration Security; Passwords; Access Lists; Factory Default Reset Password; Before You Begin; Initiating a Management Session; Serial Management and IP Address Assignment...
  • Page 7 Example: Generating a Certificate 4-24; Supporting SNMP 4-25; Example: Configuring SNMP 4-25; Supporting RIP 4-26; Example: Configuring RIP 4-26; Supporting Other Secure Protocols 4-27; Example: Configuring a Secure Mail Server 4-27...
  • Page 8 Example: Working with Syslogs 5-13; Example: Restricting Access using an Access List 5-14; Example: Reloading (Rebooting) the Appliance 5-17; Example: Setting an Enable Password 5-18; Example: Configuring SNMP 5-19; SSL Configuration Examples 5-22...
  • Page 9 More Information 6-10; Appendix Specifications: Electrical Specifications; Environmental Specifications; Physical Specifications; Appendix Deployment Examples: Single Device Load Balancing...
  • Page 10 Methods to Manage the Device; Initiating a Management Session; Serial Management and IP Address Assignment; Telnet C-10; Command Listing C-10; Top Level Command Set C-31; Non-Privileged Command Set C-31; clear screen C-31; enable C-31...
  • Page 11 show ip name-server C-40; show ip routes C-41; show ip statistics C-41; show keepalive-monitor C-41; show log C-42; show memory C-42; show messages C-42; show netstat C-43...
  • Page 12 show ssl session-stats C-56; show ssl statistics C-58; show ssl tcp-tuning C-60; show syslog C-61; show system-resources C-61; show telnet C-62; show terminal C-62; show timezone C-62; show version C-63...
  • Page 13 copy running-configuration startup-configuration C-72; copy startup-configuration C-72; copy startup-configuration running-configuration C-73; copy to flash C-73; copy to running-configuration C-74; copy to startup-configuration C-74; disable C-75; erase running-configuration C-75...
  • Page 14 Configuration Command Set C-84; access-list C-84; clock C-85; exit C-86; finished C-86; help C-87; hostname C-87; interface C-88; ip address C-88; ip domain-name C-89; ip name-server C-89...
  • Page 15 snmp trap-type generic C-102; sntp interval C-103; sntp server C-104; syslog C-105; telnet access-list C-106; telnet enable C-107; telnet port C-107; timezone C-108; web-mgmt access-list C-108...
  • Page 16 finished C-116; gencsr C-116; help C-117; import pkcs12 C-118; import pkcs7 C-118; reverse-proxy-server C-120; secpolicy C-121; server C-122; tcp-tuning C-122; Backend Server Configuration Command Set C-124; activate C-124...
  • Page 17 serverauth ignore C-132; session-cache enable C-132; session-cache size C-133; session-cache timeout C-133; sslv2 enable C-134; sslv3 enable C-134; suspend C-135; tcp-tuning C-135; tlsv1 enable C-136; transparent C-136; urlrewrite C-137...
  • Page 18 exit C-143; finished C-143; help C-143; info C-144; Key Configuration Command Set C-145; binhex C-145; exit C-146; finished C-146; genrsa C-146; help C-147; info C-148; net-iis C-148...
  • Page 19 session-cache size C-156; session-cache timeout C-157; sslv2 enable C-157; sslv3 enable C-158; suspend C-158; tcp-tuning C-159; tlsv1 enable C-159; urlrewrite C-160; Security Policy Configuration Command Set C-161; crypto C-161...
  • Page 20 ephrsa C-171; exit C-171; finished C-171; help C-172; httpheader C-172; info C-175; ip address C-175; keepalive enable C-176; keepalive frequency C-176; keepalive maxfailure C-177; localport C-178; log-url C-178...
  • Page 21 TCP Tuning Configuration Command Set C-189; 2msltime C-189; delay-ack C-190; finwt2time C-191; keepalive C-191; keepalive-cnt C-192; keepalive-intv C-193; max-rexmit C-193; maxrt C-194; maxseg C-194; nodelay C-196; nopush C-196...
  • Page 22 Installing a Firmware Image (Xmodem); Extracting a Device Configuration; Resetting the Environment to Factory Defaults; Command Set D-11; ? (question mark) D-11; baud D-11; boot D-11; eaddr D-12...
  • Page 23 Troubleshooting the Hardware; Appendix SSL Introduction: Introduction to SSL; Port Blocking Mechanism; Before You Begin; Using Existing Keys and Certificates; Apache mod_SSL; ApacheSSL...
  • Page 24 Cisco Secure Content Accelerator Management; Appendix Regulatory Information: Regulatory Standards Compliance; Canadian Radio Frequency Emissions Statement; FCC Class A; CISPR 22 (EN 55022) Class A; VCCI...
  • Page 25 Figure 5-14 Save Changes Button 5-17; Figure 5-15 Change Password Example 5-18; Figure 5-16 SNMP Configuration Example 5-19; Figure 5-17 SNMP Trap Example 5-20; Figure 5-18 Add SNMP Trap Host Example 5-21...
  • Page 26 Figure 5-41 Key Displayed Example 5-41; Figure 5-42 Generate CSR Example 5-42; Figure 5-43 Generate Self-Signed Certificate 5-43; Figure 5-44 Self-Signed Certificate Example 5-44; Figure 5-45 Successfully Generated Self-Signed Certificate 5-45...
  • Page 27 Figure C-1 Command Hierarchy; Figure E-1 Troubleshooting Flowchart 1; Figure E-2 Troubleshooting Flowchart 2; Figure E-3 Troubleshooting Flowchart 3; Figure F-1 Port Blocking; Figure F-2 Port Blocking with Dropped Traffic...
  • Page 29 Table C-9 Certificate Configuration Command Description C-23; Table C-10 Certificate Group Configuration Command Description C-23; Table C-11 Key Configuration Command Description C-24; Table C-12 Reverse-Proxy Server Configuration Command Description C-25...
  • Page 30 Headers Inserted with httpheader server-cert Command C-174; Table D-1 Firmware Image Selection; Table D-2 Firmware Image Selection; Table E-1 Troubleshooting the Hardware; Table F-1 Secure Content Accelerator Cryptographic Algorithms; Table G-1 Regulatory Standards Compliance...
  • Page 31: About This Guide

    About This Guide This guide can help you successfully install and configure the Cisco 11000 Series Secure Content Accelerators (SCA and SCA2). It also provides helpful troubleshooting suggestions for potential hardware and software problems. How to Use This Guide This section describes the contents of this guide.
  • Page 32 This appendix presents a short introduction to SSL and a description of how the components are used in configuration. Instructions for generating keys and certificates with OpenSSL are also included in this appendix.
  • Page 33 Courier text indicates text displayed on the screen (such as the command line interface) or returned by the computer. Courier bold text indicates commands and text you enter in a command line.
  • Page 34 • A bulleted list indicates that the order of the list topics is unimportant. – An indented dashed list indicates that the order of the list topics is unimportant.
  • Page 35: Obtaining Documentation

    These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com...
  • Page 36: Documentation Feedback

    You can order Cisco documentation in these ways: • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/en/US/partner/ordering/index.shtml • Registered Cisco.com users can order the Documentation CD-ROM...
  • Page 37: Obtaining Technical Assistance

    Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks: • Streamline business processes and improve productivity...
  • Page 38 If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL: http://www.cisco.com/en/US/support/index.html If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
  • Page 39: Obtaining Additional Publications And Information

    These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case. To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml...
  • Page 40 • iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL: http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html...
  • Page 41 Chapter 1 Overview: This chapter describes the features and functions of the Secure Content Accelerator. This chapter contains the following sections: • Product Overview • Secure Content Accelerator Versions
  • Page 42: Chapter 1 Overview

    Simply load your own certificate and key when they are available. The Cisco 11000 Series Secure Content Accelerator is compatible with all Cisco content switches—the Cisco LocalDirector, the Catalyst Content Switching Module, and the Cisco CSS 11000 Series Content Services Switches.
  • Page 43: Table 1-1 Secure Content Accelerator Model Differences

    Processor: 250 MHz Motorola 8240 (SCA); 600 MHz IBM 750CXE (SCA2)
    Memory: 64MB (SCA); 256MB (SCA2)
    Flash: 16MB (SCA); 32MB (SCA2)
    Cryptographic Engine: Rainbow FastMap 200 (SCA); Broadcom 5821 (SCA2)
    Maximum 1024-bit RSA Operations/Second: 4000 (SCA2; the SCA value is not shown in this excerpt)
    Hardware Digest, Hardware Cipher, Hardware RNG: values not shown in this excerpt
  • Page 45: Site Requirements

    This chapter contains the following sections: • Site Requirements • Shipment Contents • Unpacking the Secure Content Accelerator • Installing the Hardware • Panel Descriptions • Connecting to Power • Connecting to Ethernet
  • Page 46: Required Tools And Equipment

    • Null modem cable • Two power cables • Secure Content Accelerator compact disk containing: – Secure Content Accelerator documentation – Release Notes – PDF version of this guide – Firmware files
  • Page 47: Unpacking The Secure Content Accelerator

    The Secure Content Accelerator can be placed on a flat surface as a free-standing unit or rack-mounted in an equipment cabinet. The following sections describe the steps to install the Secure Content Accelerator as a: • Free-standing unit • Rack-mounted unit
  • Page 48: Installing As A Free-Standing Unit

    Position the Secure Content Accelerator on a level surface in an area with access to your network cabling. When installing the Secure Content Accelerator, note that Ethernet and serial cables attach to the front of the chassis and power cables attach to the back.
  • Page 49: Installing As A Rack-Mounted Unit

    The front panel of the Secure Content Accelerator, shown in Figure 2-1, contains the following connectors, switches, and LEDs: • Two DB9 serial ports, marked “AUX” and “CONSOLE” • Two RJ-45 10/100 Ethernet interface ports, marked “SERVER” and “NETWORK”
  • Page 50: Figure 2-1 Secure Content Accelerator Front Panel

    • Two power switches. Figure 2-2 Secure Content Accelerator Rear Panel. Figure 2-3 shows the LED layout of the SCA Ethernet ports. Table 2-1 describes the function of each LED on the SCA.
  • Page 51: Figure 2-3 Sca Ethernet Port Detail

    Figure 2-4 shows the LED layout of the SCA2 Ethernet ports. Table 2-2 describes the function of each LED on the device. Figure 2-4 SCA2 Ethernet Port Detail (labels shown: Reset Switch, Test LED, 100 ACT LNK Server, 100 ACT LNK Network).
  • Page 52: Identifying Sca Models

    Plug the power cords into dedicated three-wire grounding receptacles. Switch the power switches to the 1 (on) position. Note: Connect the power supplies to different circuits to further ensure appliance availability.
  • Page 53: Connecting To Ethernet

    Connect the “Server” port to the servers (or to the “Network” port if using one-port mode). Check the LK LEDs for connection viability. If one or both LK LEDs are not lit, see Appendix E, Troubleshooting, for suggestions.
  • Page 55: Using The Quickstart Wizard

    This chapter contains the following sections: • Before You Begin • Initiating a Management Session • Starting the QuickStart Wizard • Using the QuickStart Wizard • Using the QuickStart Wizard with a Configured Appliance
  • Page 56: Before You Begin

    Follow these steps to initiate a management session via a serial connection and set an IP address for the device. Note: When configuring an SCA2 via a serial connection, the displayed prompt is “SCA2” unless a hostname has been defined for the device.
  • Page 57: Telnet

    Telnet After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance.
  • Page 58: Telnet

    Is the above information correct? (y/n): Enter y if the listing is correct. Go to “Using the QuickStart Wizard” below. Enter n if the information is incorrect. You are prompted for the configuration information again.
  • Page 59: Using The Quickstart Wizard

    (See Appendix F for a discussion of port blocking.) You can abort the current clear text port designation and enter a different TCP service port, or approve using TCP service port 80 for clear text.
  • Page 60 (_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character and have a limit of 15 characters. Enter the URL for a PEM encoded key file:
  • Page 61 find or load the file, you receive an error message and are allowed to restart certificate assignment. After the certificate is properly loaded, configure a security policy as described below.
  • Page 62 RSA key size of 1024, exp ARC2_MD5, DES_SHA1, ARC4_SHA1, MD5, and SHA1; default-RSA key size of 1024, ARC4_MD5, ARC4_SHA1 and exp ARC4_MD5, ARC4_SHA1, ARC2_MD5; RSA key size of 512, exp ARC4_MD5, MD5, and SHA1
  • Page 63 If the information is correct, type y. The logical secure server you have configured is created. If you type n, the server configuration process restarts using the current secure server. Would you like to use the QuickStart wizard to create another ssl-server? (y/n):
  • Page 64 A summary screen shows information about the device, keys, certificates, security policies, and the logical secure servers configured on it.
      SCA myDevice
      Keys capacity 255, defined 3
      -----------------------------------
      Name
      -----------------------------------
      default
      default-512
      default-1024
  • Page 65 (summary screen, continued)
      10.1.2.3:80 myCert *not set*
      Default Gateway: 10.1.14.1
    The list of keys includes all those loaded into the device. The columns and their descriptions are shown in the table below.
  • Page 66 The number of the security policy as loaded into the device. RC (Reference Count): The number of SSL servers using the security policy. PolicyList: The names of the individual cryptographic schemes associated with each security policy.
  • Page 67 QuickStart wizard finishes. If you type n, the QuickStart wizard finishes. Caution: If the configuration is not saved to flash memory, the configuration is lost during a power cycle or when the reload command is used.
  • Page 68: Using The Quickstart Wizard With A Configured Appliance

    If you wish to run the QuickStart wizard for a previously configured Cisco Secure Content Accelerator, follow these steps: Initiate a management session and start the configuration manager as described previously.
  • Page 69: Using The Configuration Manager

    Generating Keys and Certificates • Supporting SNMP • Supporting RIP • Supporting Other Secure Protocols • Supporting FIPS • Working with Syslogs • Disabling SSL Versions • Enabling Keepalives • Setting the Idle-Timeout
  • Page 70: Chapter 4 Using The Configuration Manager

    Configuration mode, simply enter end or exit or press CTRL+D. The finished command returns to the Top Level from any mode. Appendix C lists all commands for SSL devices. Note: Refer to Chapter 6 for FIPS Mode instructions.
  • Page 71: Configuration Security

    Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
  • Page 72: Factory Default Reset Password

    The nature of the changes depends upon whether you are securing a previously unsecured site, or adding the SSL appliance to an already secure server installation. These changes are described in section “Web Site Changes” in Appendix B.
  • Page 73: Initiating A Management Session

    Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.
      SCA> enable
      SCA# configure
      (config[SCA])# ip address 10.1.2.5 netmask 255.255.255.0
      (config[SCA])#
  • Page 74: Telnet

    Telnet After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance.
  • Page 75: Example: Setting Up Basic Device Parameters

    Set an enable password to protect the appliance configuration. The password is requested whenever the enable command is given. Note: Passwords are not echoed to the screen.
      (config[myDevice])# password enable
      Enter new password:
      Confirm password:
      (config[myDevice])# end
      SCA#
  • Page 76: Example: Setting Up A Secure Server

    Enter Certificate Configuration mode and create a certificate named myCert. Then load the PEM-encoded certificate file. Return to SSL Configuration Mode.
      (config-ssl[myDevice])# cert myCert create
      (config-ssl-cert[myCert])# pem certFile
      (config-ssl-cert[myCert])# end
      (config-ssl[myDevice])#
  • Page 77 Then exit to Top Level mode.
      (config-ssl[myDevice])# server myServer create
      (config-ssl-server[myServer])# ip address 10.1.2.4
      (config-ssl-server[myServer])# sslport 443
      (config-ssl-server[myServer])# remoteport 81
      (config-ssl-server[myServer])# key myKey
      (config-ssl-server[myServer])# cert myCert
      (config-ssl-server[myServer])# secpolicy myPol
      (config-ssl-server[myServer])# finished
      SCA#
  • Page 78: Example: Setting Up A Backend Server

      (config-ssl-backend[myBackServ])# ip address
    Assign port 443 for SSL traffic and port 80 for clear text traffic.
      (config-ssl-backend[myBackServ])# localport 80
      (config-ssl-backend[myBackServ])# remoteport 443
    Specify a security policy for the server.
      (config-ssl-backend[myBackServ])# secpolicy strong
  • Page 79: Example: Setting Up A Reverse-Proxy Server

    Assign port 8080 for clear text traffic.
      (config-ssl-rproxy[myRevServ])# localport 8080
    Specify a security policy for the server.
      (config-ssl-rproxy[myRevServ])# secpolicy strong
    Note: When using FIPS Mode, only security policies configured for FIPS 140-2-compliant operation are available.
  • Page 80: Example: Configuring Secure Url Rewrite

    Enter Server Configuration mode for the server for which you wish to configure URL rewrites.
      (config-ssl[SCA])# server myServer
      (config-ssl-server[myServer])#
    The urlrewrite command uses the following syntax:
      urlrewrite <domainName> [sslport <portid>] [clearport <portid>] <redirectonly>
  • Page 81 A wildcard can be used to specify multiple SSL hosts in the same domain.
      (config-ssl-server[myServer])# urlrewrite *.mybusiness3.com sslport 443 clearport 81
    Note: Do not use *.com as a filter. The definition is too broad.
  • Page 82: Example: Configuring Sntp Servers

    *.mybusiness3.com For more information about URL rewriting, contact your Cisco representative for a copy of the white paper SSL Offloaders and Contextual Consistency. Example: Configuring SNTP Servers. Up to four SNTP servers can be configured on the Secure Content Accelerator.
  • Page 83: Example: Restricting Access Using An Access List

    Web management subsystems. An access list can be used by the SNMP subsystem as well. This example demonstrates how to create two access lists and assign each to a management subsystem. Enter Privileged and Configuration modes.
      SCA> enable
      SCA# configure
      (config[myDevice])#
  • Page 84: Configuring An Ethernet Interface

    In the following example, the “Network” interface of myDevice is forced to full duplex. Make sure to save this configuration to flash.
      (config[myDevice])# interface network
      (config-if[network])# duplex full
      (config-if[network])# speed 100
      (config-if[network])# finished
      SCA#
  • Page 85: Example: Saving A Configuration File

    Use the same key object names previously used to reference the keys. Step-Up Certificates and Server-Gated Cryptography: Cisco Secure Content Accelerator supports both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. Ephemeral RSA must be enabled for the device to function properly with these certificates. Load the certificate normally.
  • Page 86: Configuring Certificate Groups

    CACertFile. The name of the PEM-encoded certificate generated by the intermediary CA is localCertFile. The name of the certificate group is CACertGroup. Initiate a management session as described previously. Enter Privileged and Configuration modes.
      SCA> enable
      SCA# configure
      (config[myDevice])#
  • Page 87
      (config-ssl[myDevice])# server server1 create
      (config-ssl-server[server1])# ip address 10.1.2.4
      (config-ssl-server[server1])# localport 443
      (config-ssl-server[server1])# remoteport 81
      (config-ssl-server[server1])# secpolicy myPol
      (config-ssl-server[server1])# certgroup chain CACertGroup
      (config-ssl-server[server1])# cert localCert
      (config-ssl-server[server1])# key localKey
      (config-ssl-server[server1])# finished
      SCA#
  • Page 88: Example: Importing Certificate Groups

    PKCS#7 certificate groups can be imported directly into the device. This example demonstrates how to import a PEM-encoded PKCS#7 file into the Cisco Secure Content Accelerator. Initiate a management session as described previously. Enter Privileged and Configuration modes.
  • Page 89: Using Client And Server Certificate Authentication

    Initiate a management session as described previously. Enter Privileged and Configuration modes.
      SCA> enable
      SCA# configure
      (config[myDevice])#
    Enter SSL Configuration mode and Backend Server Configuration mode for the server myBackServ.
      (config[myDevice])# ssl
      (config-ssl[myDevice])# backend-server myBackServ
      (config-ssl-backend[myBackServ])#
  • Page 90 Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
      (config-ssl-backend[myBackServ])# finished
      SCA# write flash
      SCA#
  • Page 91: Example: Configuring Client Certificate Authentication

    Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.
      (config-ssl-server[myServ])# finished
      SCA# write flash
      SCA#
  • Page 92: Generating Keys And Certificates

    Note: Using the HTTPS protocol ensures that your key is transmitted securely. Example: Generating a Certificate. Enter Privileged, Configuration, and SSL Configuration modes.
      SCA> enable
      SCA# configure
      (config[myDevice])# ssl
      (config-ssl[myDevice])#
  • Page 93: Supporting SNMP

    Note: Using the HTTPS protocol ensures that your certificate is transmitted securely.
    Supporting SNMP
    Cisco Secure Content Accelerator devices have basic support for SNMP functions. The device is shipped with SNMP disabled. This example demonstrates how to set basic SNMP data.
    Example: Configuring SNMP
    Initiate a management session as described previously.
  • Page 94: Supporting RIP

    SCA# write flash
    SCA#
    Supporting RIP
    Cisco Secure Content Accelerator devices support Routing Information Protocol (RIP) versions 1 and 2. This example demonstrates how to enable RIP version 1 packet usage.
    Example: Configuring RIP
    Initiate a management session as described previously.
  • Page 95: Supporting Other Secure Protocols

    Supporting Other Secure Protocols
    Along with SSL, Cisco Secure Content Accelerator devices can support other secure protocols using TLS v1.0, SSL v2.0, and SSL v3.0. IMAPS, POP3S, NNTPS, and LDAPS are some examples. The steps below show how to configure the SSL appliance for setting up a secure server to process only POP3S (S-POP) mail.
  • Page 96: Working with Syslogs

    In certain situations, you may want to disable individual SSL versions. The SCA allows you to enable or disable these on a version-by-version basis for individual servers. Initiate a management session as described previously.
  • Page 97: Enabling Keepalives

    (maxfailure), the virtual server is marked as “suspended”. When the hardware server comes back online, the keepalive messages discover the server and mark it “active” again.
  • Page 98

    (config-ssl-server[myServer])# finished
    SCA#
    Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.
    SCA# write flash
    SCA#
  • Page 99: Setting the Idle-Timeout

    (config[myDevice])# end
    SCA#
    Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.
    SCA# write flash
    SCA#
  • Page 100

    Chapter 4 Using the Configuration Manager: Setting the Idle-Timeout
  • Page 101: Graphical User Interface Reference

    Chapter 5 Graphical User Interface Reference
    This chapter describes how to use the Graphical User Interface (GUI) to configure the Cisco Secure Content Accelerator. The GUI provides a convenient, Web browser-based method of configuring the Secure Content Accelerator.
    Note: The GUI cannot be used to configure the Secure Content Accelerator...
  • Page 102: Overview

    CLI command. Web management status is shown in the returned listing as follows:
    Web Management: disabled
    Enter Privileged and Configuration modes and enable Web management using these commands:
    enable
    configure
    web-mgmt enable
  • Page 103: Restricting Access to Web Management

    Figure 5-1. Use “admin” for the user name. If no enable password has been configured, the GUI starts at the General content area.
  • Page 104: Configuring for Client-Side Access

    (config[myDevice])> ssl
    (config-ssl[myDevice])> server web create
    (config-ssl-server[web])> ip address 127.0.0.1
    (config-ssl-server[web])> sslport 443
    (config-ssl-server[web])> remoteport 80
    (config-ssl-server[web])> no transparent
    (config-ssl-server[web])> cert default-1024
    (config-ssl-server[web])> key default-1024
    (config-ssl-server[web])> secpolicy all
    (config-ssl-server[web])> finished
    myDevice#
  • Page 105: Administrative Time Out

    The GUI is divided into two main parts: the area panel on the left and content tabs on the right. Figure 5-2 shows an example of this interface. Take a few moments to familiarize yourself with the screen layout.
  • Page 106: Figure 5-2 Basic User Interface Example

    IP statistics, set DNS information
    • Log: Set syslog message hosts and clear and view the device message log
    • Tools: Reboot the device, manage running and startup configurations, update firmware, and run diagnostic commands
  • Page 107: General Configuration Examples

    Follow these steps to change the hostname of the device to myDevice. Click General to activate the General content tabs. Click the Settings tab. The Settings page opens, as shown in Figure 5-3. Type “myDevice” in the Device Name text box.
  • Page 108: Example: Resetting the IP Address

    Type the new IP address information including the appropriate netmask and default router in the Internet Address, Netmask, and Gateway text boxes, respectively, on the Settings tab. The Settings page opens, as shown in Figure 5-4.
  • Page 109: Example: Configuring an Ethernet Interface

    Click Network to activate the Network tabs. Use the list box in the Network Interface or Server Interface panel of the Settings tab to change the Ethernet interface settings. The Settings page is shown in Figure 5-5.
  • Page 110: Example: Enabling RIP

    Figure 5-5 Ethernet Interface Configuration Example
    Click Update.
    Example: Enabling RIP
    Click Network to activate the Network tabs. Click the Settings tab. The Settings page opens, as shown in Figure 5-6.
  • Page 111: Example: Adding a Route to the Routing Table

    Click Update.
    Example: Adding a Route to the Routing Table
    Click Network to activate the Network tabs. Click the Route tab. The Route page opens, as shown in Figure 5-7.
  • Page 112: Figure 5-8 Adding a Route Example

    Scroll to the bottom of the page, if necessary, to see the Add Route button. Click Add Route. The Add Route window opens as shown in Figure 5-8.
    Figure 5-8 Adding a Route Example
  • Page 113: Example: Working with Syslogs

    Enter the appropriate port ID, and select the desired facility from the Facility drop-down list box. Click Update. Use the View Log tab to display the syslog and clear the syslogs.
  • Page 114: Example: Restricting Access Using an Access List

    Click the Access Control Lists tab. The Access Control Lists page opens, as shown in Figure 5-10.
    Figure 5-10 Access List Configuration Example
    Click Add Access Entry. The Add Access Control List window opens, as shown in Figure 5-11.
  • Page 115: Figure 5-11 Add Access List Entry Example

    Appendix C for more information.) Click OK to create the access list entry and close the window. Click the Subsystem tab. The Subsystem page opens, as shown in Figure 5-12.
  • Page 116

    Type the number of the access list just created in the Access Control List Id text box of the Web Management panel. (You can also change the TCP port on this tab.) Click Update.
  • Page 117: Example: Reloading (Rebooting) the Appliance

    Any changes you have made but have not saved are lost.
    Figure 5-14 Save Changes Button
    Click Reboot on the Restart page. The appliance reboots using the configuration stored in flash memory.
  • Page 118: Example: Setting an Enable Password

    Click Update to set the password.
    Note: To remove an existing Enable password entirely, clear the Enable checkbox and type the existing password in the Old Password text box. Click Update.
  • Page 119: Example: Configuring SNMP

    Click Update after changing the value in each field and selecting the Enabled check box. Click the Traps tab. The Traps page opens, as shown in Figure 5-17.
  • Page 120: Figure 5-17 SNMP Trap Example

    Figure 5-17 SNMP Trap Example
    Click Add Trap Host to specify a host to which to send trapping messages. The Add Trap Host window opens, as shown in Figure 5-18.
  • Page 121: Figure 5-18 Add SNMP Trap Host Example

    Threshold/Hysteresis Low text box.
    Note: Additional information is presented in the online Help for this tab. Click Help in the top right corner of the window.
    Click Update to set the configuration.
  • Page 122: SSL Configuration Examples

    GUI. Click SSL to activate the SSL tabs. Click the Private Keys tab. The Private Keys page opens, as shown in Figure 5-19.
    Figure 5-19 Private Keys Tab
  • Page 123: Figure 5-20 Add Private Key Example

    file, and paste it into the Paste Private Key Here text box on the Paste tab. For an example of key generation, see “Example: Generating an RSA Private Key”.)
  • Page 124: Figure 5-21 Importing a Private Key File Example

    Next, load a certificate to assign to the secure server. In this example, a certificate is imported into the GUI. Click the Certificates tab. The Certificates page opens, as shown in Figure 5-22.
  • Page 125: Figure 5-22 Certificates Tab

    Chapter 5 Graphical User Interface Reference: SSL Configuration Examples
    Figure 5-22 Certificates Tab
  • Page 126: Figure 5-23 Add Certificate Example

    Click Add Certificate. The Add Certificate window opens, as shown in Figure 5-23.
    Figure 5-23 Add Certificate Example
  • Page 127: Figure

    Several security policies are pre-loaded into the Secure Content Accelerator. You can use any of these or create your own policy when configuring a server. This example demonstrates how to create a user-defined security policy.
  • Page 128: Figure 5-25 Security Policies Tab

    Click the Security Policies tab. The Security Policies page opens, as shown in Figure 5-25.
    Figure 5-25 Security Policies Tab
  • Page 129: Figure 5-26 Add Security Policy Example

    CTRL+clicking the entries in the Security Policy Algorithms list box. Click OK to create the policy. Now, set up the secure server.
  • Page 130: Figure 5-27 Secure Servers Tab

    Click the Secure Servers tab. The Secure Servers page opens, as shown in Figure 5-27.
    Figure 5-27 Secure Servers Tab
    Click Add Secure Server. The Add Secure Server window opens, as shown in Figure 5-28.
  • Page 131: Figure 5-28 Add Secure Server Information Example

    If you wish to use a log server, enter the appropriate information in the Log Server IP text boxes. You can disable any of the SSL/TLS versions by clearing your choice in the SSL Version Support check boxes.
  • Page 132: Figure 5-30 SSL Session Cache Example

    (including wildcard, if appropriate) in the URL Clear-Text Port text box. Edit the port definitions, if necessary. Click Add, as shown in Figure 5-31, to define the URL rewrite rule.
  • Page 133: Figure 5-31 Add URL Rewrite Rule Example

    For more information, see the “Example: Configuring Secure URL Rewrite” section on page 4-12. Select the desired options in the Client Certificate Authentication panel, shown in Figure 5-32.
    Figure 5-32 Add Secure Server Information Example
  • Page 134: Figure 5-33 Add HTTP Headers Example

    Click OK to create the secure server on the Secure Content Accelerator. The same procedures are used to create and edit backend servers and reverse-proxy servers. Options presented in the window change, depending upon the type of server being configured.
  • Page 135: Example: Creating and Using Certificate Groups

    Certificate Group”, below, for a demonstration. Click SSL to activate the SSL tabs. Click the Certificate Groups tab. The Certificate Groups page is shown in Figure 5-35.
    Figure 5-35 Certificate Groups Tab
  • Page 136: Figure

    Either click Edit next to an existing secure server, or click Add Secure Server to create a new server. The appropriate secure server window opens. Locate the Server Certificate and Security Policy panel.
  • Page 137: Example: Supporting Other Secure Protocols

    Select strong from the Security Policy list box. Select default-1024 from the Certificate list box. Select default-1024 from the Private Key list box. These options are shown in Figure 5-38.
  • Page 138: Example: Generating an RSA Private Key

    Example: Generating an RSA Private Key
    This example demonstrates how to generate an RSA private key named myOwnKey. Click SSL to activate the SSL tabs. Click Add Private Key. The Add Private Key window opens.
  • Page 139: Figure 5-39 Generating a Private Key

    DES encryption and can be saved to a file.
    • Display key using Des3 Encryption: The private key is displayed using 3DES encryption and can be saved to a file.
  • Page 140: Figure 5-40 Key Not Displayed Example

    Encryption were selected, the key is generated and a window opens, displaying the encrypted key. This is shown in Figure 5-41. Click Download Encrypted Private Key to make a backup copy of the key, if desired. Click Close.
  • Page 141: Figure 5-41 Key Displayed Example

    Figure 5-41 Key Displayed Example
  • Page 142: Example: Generating a Self-Signed Certificate

    Click Add Certificate. The Add Certificate window opens. Click the Generate CSR/Self-signed Certificate tab. The Generate CSR/Self-signed Certificate page opens, as shown in Figure 5-42.
    Figure 5-42 Generate CSR Example
  • Page 143: Figure 5-43 Generate Self-Signed Certificate

    Select the appropriate header from the CSR Header list box. Click OK. The certificate is created and the Generate Certificate Signing Request (CSR) window opens, as shown in Figure 5-43.
    Figure 5-43 Generate Self-Signed Certificate
  • Page 144: Figure 5-44 Self-Signed Certificate Example

    Click Self-sign this CSR to generate a self-signed digital certificate to be used for testing while you wait for the certificate to be signed. The Generate Self-signed Certificate window opens, as shown in Figure 5-44.
    Figure 5-44 Self-Signed Certificate Example
  • Page 145: Figure 5-45 Successfully Generated Self-Signed Certificate

    The Generate Self-signed Certificate window is shown in Figure 5-45. Click Close.
    Figure 5-45 Successfully Generated Self-Signed Certificate
  • Page 146: Example: Importing a PKCS#7 Certificate Group

    Select the encoding option for the file to import by clicking the appropriate Encoding option button. Either type the name and path of the PKCS#7 file to import, or click Browse and navigate to and select the file. Click OK.
  • Page 147: Example: Importing a PKCS#12 Certificate Group

    Type the key password in the Password text box. Either type the name and path of the PKCS#12 file to import, or click Browse and navigate to and select the file. Click OK.
  • Page 148: Running the Secure Server Wizard

    Follow the instructions and prompts in the wizard to configure the secure server. When you have completed configuring the server, you can immediately configure another one or exit the Secure Server wizard.
  • Page 149: FIPS Operation

    FIPS 140-2-compliant operation. This chapter contains the following sections:
    • FIPS Capabilities
    • Using FIPS Mode
    • Command Changes
    • Returning to Normal Operation
    • More Information
    Note: FIPS operation is only available on the SCA2.
  • Page 150: Chapter 6 FIPS Operation

    Using FIPS Mode
    Note: A tamper-evident sticker is affixed to the Secure Content Accelerator. When using the device for FIPS-compliant operation, this sticker must remain in place and untouched.
  • Page 151

    You need to provide an access-level password of at least 8 characters.
    Enter new password:
    Confirm password:
    You need to provide an enable-level password of at least 8 characters.
    Enter new password:
    Confirm new password:
  • Page 152

    “FailSafe” password as described in “Factory Default Reset Password” section on page 4-4. All configuration will be lost!
    Use the enable-level password to enter Privileged Mode.
    Enter the enable-level password:
  • Page 153: Creating a Server in FIPS Mode

    Assign an IP address, key, certificate, and FIPS-compliant security policy.
    [FIPS] ssl-server[mySecServ]#> ip address 10.1.114.30
    [FIPS] ssl-server[mySecServ]#> key myOwnKey
    [FIPS] ssl-server[mySecServ]#> cert myOwnCert
    [FIPS] ssl-server[mySecServ]#> secpolicy fips
    [FIPS] ssl-server[mySecServ]#>
    Exit to Top Level Mode.
    [FIPS] ssl-server[mySecServ]#> finished
    [FIPS] SCA#
  • Page 154

    FIPS security policy.
    [FIPS] ssl-config[SCA]#> server mySecServ
    [FIPS] ssl-server[mySecServ]#> secpolicy myFIPS
    [FIPS] ssl-server[mySecServ]#>
    Exit to Top Level Mode.
    [FIPS] ssl-server[mySecServ]# finished
    [FIPS] SCA#
  • Page 155: Command Changes

    Differing Command Behaviors
    Some commands behave differently while the Secure Content Accelerator is in FIPS Mode. These commands and notes about their usage are presented in Table 6-2, below.
  • Page 156: Table 6-2 FIPS Mode Command Changes

    FIPS Mode passwords must be at least eight characters in length and are limited to a character set containing the alphabet, Arabic numerals, period (.), hyphen (-), underscore (_), and !@#$%^&*+=[]{};:<>?~ .
  • Page 157: Returning to Normal Operation

    Press y when prompted to reboot the Secure Content Accelerator. After the device reboots, you are prompted for the access-level password. When the password is accepted, the “[FIPS]” portion of the prompt is removed, reflecting normal operation of the Secure Content Accelerator.
  • Page 158: More Information

    More Information
    For more information about the NIST Cryptographic Module Validation Program, see http://csrc.nist.gov/cryptval/cmvp.htm.
  • Page 159: Appendix A Specifications

    Appendix A Specifications
    This appendix presents the specifications for both Secure Content Accelerator versions. It contains the following sections:
    • Electrical Specifications
    • Environmental Specifications
    • Physical Specifications
  • Page 160: Electrical Specifications

    (all current-carrying conductors).
    Environmental Specifications
    Table A-2 describes the Secure Content Accelerator environmental specifications.
    Table A-2 Environmental Specifications
    Specification                              Secure Content Accelerator
    Ambient Operating Temperature (maximum)    41°-105° F (5°-40° C)
  • Page 161: Physical Specifications

    Table A-3 describes the Secure Content Accelerator physical specifications.
    Table A-3 Physical Specifications
    Specification                              Secure Content Accelerator
    Chassis Dimensions (H x W x D)             10x1.75x17 inches (25x4.4x42.5 cm)
    Shipping Weight                            6 lbs (2.72 kg)
  • Page 162

    Appendix A Specifications: Physical Specifications
  • Page 163: Appendix B Deployment Example

    This appendix contains the following sections:
    • Single Device
    • Load Balancing
    • Use with the CSS
    • Connecting the Device to a Terminal Server
    • Web Site Changes
    • Transparent Local-Listen
  • Page 164: Appendix B Deployment Example

    If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this configuration, the load balancer receives clear text packets decrypted by the SSL device. Figure B-2 shows a typical installation.
  • Page 165: Figure B-2 Secure Content Accelerator Installation with a Load Balancer

    “Server” Ethernet interface to the load balancer. For information about configuring the Secure Content Accelerator in conjunction with the CSS 11000 Series Content Services Switch (hereinafter referred to as the CSS), see “Use with the CSS”.
  • Page 166: Use with the CSS

    Secure Content Accelerator or the CSS. However, the deployment provides a low level of scalability, based upon the capacity of the CSS. An example deployment is shown in Figure B-3.
  • Page 167: Figure B-3 Secure Content Accelerator In-Line Installation

    TCP service port to the CSS. All port 80 traffic is bridged transparently to the CSS. Table B-1 shows basic configuration actions for both the CSS and Secure Content Accelerator.
  • Page 168: Table B-1 In-Line Installation Device Configuration

    0.0.0.0 0.0.0.0 10.176.11.1 1
    !************************* INTERFACE *************************
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.11.2 255.255.255.0
  • Page 169

    10.176.11.100
      add service s1
      add service s2
      add service s3
      add service s4
      protocol tcp
      port 81
      url "/secure/*"
      active
  • Page 170

    15
    ### SNTP ###
    sntp interval 86400
    ### Static Routes ###
    ip route 0.0.0.0 0.0.0.0 10.176.10.1 metric 1
    ### RIP ###
    no rip
    ### DNS ###
    no ip name-server
    no ip domain-name
  • Page 171

    “SSL” ephrsa
    keepalive frequency 5
  • Page 172: One-Armed Non-Transparent Proxy

    The resulting log file can be utilized by all popular log analysis tools. Figure B-4 shows a typical deployment.
  • Page 173: Figure B-4 Secure Content Accelerator One-Armed Non-Transparent Proxy Installation

    443 traffic terminates on Secure Content Accelerator devices each connected to the CSS via a single port. Table B-2 shows basic configuration actions for both the CSS and Secure Content Accelerator.
  • Page 174

    Below is a sample configuration for the CSS.
    !Generated on 11/18/2000 17:38:37
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    ip route 0.0.0.0 0.0.0.0 10.100.1.1 1
  • Page 175

    10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    service ssl1-443
      port 443
      protocol tcp
      ip address 10.176.1.3
      active
  • Page 176

    443
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl4-444
      port 444
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl5-443
      port 443
      protocol tcp
      ip address 10.176.1.7
      active
  • Page 177

    81
      url "/*"
      active
    content ssl
      vip address 10.176.11.100
      protocol tcp
      port 443
      add service ssl1-443
  • Page 178

    10.176.11.101
      port 443
      add service ssl2-444
      add service ssl1-444
      add service ssl3-444
      add service ssl4-444
      add service ssl5-444
      add service ssl6-444
      active
  • Page 179

    ### SNTP ###
    sntp interval 86400
    ### Static Routes ###
    ip route 0.0.0.0 0.0.0.0 10.176.10.1 metric 1
    ### RIP ###
    no rip
    ### DNS ###
    no ip name-server
    no ip domain-name
  • Page 180

    ### SSL Subsystem ###
    server myserver create
      ip address 10.176.10.20
      localport 443
      remoteport 81
      key default-512
      cert default-512
      secpolicy default
      sslv2 enable
      sslv3 enable
      tlsv1 enable
      session-cache size 20480
  • Page 181: One-Armed Transparent Proxy

    The one-armed transparent proxy deployment is the most complex to configure, but it provides a high degree of scalability and extended features, including IP address accounting. Figure B-5 shows a typical deployment.
  • Page 182: Figure B-5 Secure Content Accelerator One-Armed Transparent Proxy Installation

    CSS properly.
    • Static routes must be added to the CSS so that traffic that should not pass through the Secure Content Accelerator devices is routed properly.
  • Page 183

    Accelerator devices and management stations requiring ICMP or SNMP to operate will not have access to SSL processing. Table B-3 shows basic configuration actions for both the CSS and Secure Content Accelerator.
  • Page 184

    • Create Layer 5 rules for secure content
    • Create content rules as required for non-secure content
    • Define ACLs and upstream router service to ensure proper routing of traffic not terminated on the CSS
  • Page 185

    4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
  • Page 186

    10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
  • Page 187

    10.176.4.3
      active
    service ssl5
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.5.3
      active
    service ssl6
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.6.3
      active
  • Page 188

    10.176.11.100
      active
    !**************************** ACL ****************************
    acl 8
      clause 10 permit any any destination any
      apply circuit-(VLAN8)
  • Page 189

    50 permit udp any eq 2932 destination any prefer upstream-router
      clause 99 permit any any destination any
      apply circuit-(VLAN6)
      apply circuit-(VLAN5)
      apply circuit-(VLAN4)
      apply circuit-(VLAN3)
      apply circuit-(VLAN2)
      apply circuit-(VLAN1)
  • Page 190

    ### SNTP ###
    sntp interval 86400
    ### Static Routes ###
    ip route 0.0.0.0 0.0.0.0 10.176.1.1 metric 1
    ### RIP ###
    no rip
    ### DNS ###
    no ip name-server
    no ip domain-name
  • Page 191

    “SSL” ephrsa
    keepalive frequency 5
  • Page 192: Connecting The Device To A Terminal Server

    Connecting the Device to a Terminal Server The Secure Content Accelerator can be connected to a terminal server, such as the Cisco 2511 Access Server. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01). Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelerator.
  • Page 193: Transparent Local-Listen

    The content and services portion of the CSS configuration is nearly identical to the configuration used in non-transparent proxy mode, while the network portion of the CSS configuration mirrors that used in transparent mode.
  • Page 194 ECMP (or some other hashing mechanism) is still necessary for proper routing of traffic within the offloading triangle.
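The reason a hash (rather than per-packet distribution) is required inside the offloading triangle is that the accelerator holds TCP and TLS state per connection, so every packet of a connection, in both directions, has to reach the same unit. The following added illustration, which is not Cisco code and not the CSS's actual ECMP algorithm, compares per-packet round-robin with a direction-independent flow hash across three stateful units; the packets, addresses and unit count are constructed:

```python
"""Why traffic inside the SSL offloading triangle must be distributed per flow.

Added illustration, not Cisco code and not the CSS's real ECMP hash. The
accelerator keeps TCP/TLS state per connection, so every packet of a
connection (both directions) must reach the unit that did the handshake.
All packets, addresses and the unit count below are constructed.
"""
from dataclasses import dataclass
from itertools import cycle
from zlib import crc32


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def canonical_flow_key(p: Packet) -> bytes:
    """Direction-independent key: sort the two endpoints so that a client->server
    packet and the matching server->client packet produce the same key."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return f"{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()


def directional_flow_key(p: Packet) -> bytes:
    """Naive key in packet order; the reply direction gets a different key."""
    return f"{p.src}:{p.sport}->{p.dst}:{p.dport}".encode()


def hash_dispatch(p: Packet, n_units: int, key_fn=canonical_flow_key) -> int:
    """Pick an accelerator by hashing the flow key (stand-in for an ECMP hash)."""
    return crc32(key_fn(p)) % n_units


class Accelerators:
    """n stateful units; only the unit that saw a flow's first packet can handle it."""

    def __init__(self, n_units: int):
        self.n_units = n_units
        self.owner = {}        # canonical flow key -> unit holding the state
        self.misdirected = 0   # packets that reached a unit without state for them

    def deliver(self, p: Packet, unit: int) -> bool:
        key = canonical_flow_key(p)
        owner = self.owner.setdefault(key, unit)   # first packet creates the state
        if owner != unit:
            self.misdirected += 1                  # handshake / TLS record fails here
            return False
        return True


def run_flow(packets, n_units, dispatcher) -> int:
    """Deliver packets with dispatcher(packet, n_units) -> unit; return misdirected count."""
    units = Accelerators(n_units)
    for p in packets:
        units.deliver(p, dispatcher(p, n_units))
    return units.misdirected


def round_robin_dispatcher(n_units):
    """Per-packet round-robin, the behaviour ECMP-by-flow is meant to avoid."""
    rr = cycle(range(n_units))
    return lambda p, n: next(rr)


def sample_tls_connection():
    """Constructed 8-packet exchange between a client and a VIP on port 443."""
    c2s = Packet("192.0.2.10", 40123, "10.176.11.100", 443)
    s2c = Packet("10.176.11.100", 443, "192.0.2.10", 40123)
    return [c2s, s2c, c2s, c2s, s2c, c2s, s2c, c2s]


if __name__ == "__main__":
    pkts = sample_tls_connection()
    print("round-robin misdirected:", run_flow(pkts, 3, round_robin_dispatcher(3)))
    print("flow-hash   misdirected:", run_flow(pkts, 3, hash_dispatch))
```

With round-robin, five of the eight packets of one connection reach a unit that holds no state for it; with the canonical key every packet, in either direction, lands on the unit that completed the handshake. That is the property the CSS needs when several SCA services sit in front of one VIP.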
  • Page 195: Appendix

    Editing and Completion Features • Command Hierarchy • Configuration Security • Methods to Manage the Device • Initiating a Management Session • Top Level Command Set • Configuration Command Set
  • Page 196: Input Data Format Specification

    Items within angle brackets (“<>”) are required information. Items within square brackets (“[]”) are optional information. Items separated by a vertical bar (“|”) are options. You can choose any of them.
  • Page 197: Appendix C Command Summary

    Displays the previous command in the command history. CTRL+U: Erases characters from the cursor to the beginning of the line. CTRL+W: Erases the previous word. CTRL+Z: Leaves current mode and returns to Top Level mode.
  • Page 198 The TAB key can also be used to finish a command if the command is uniquely identified by user input. SCA> show cop[TAB] results in SCA> show copyrights
  • Page 199: Command Hierarchy

    Secure Content Accelerator device fit into the logical hierarchy shown in Figure C-1. Figure C-1 Command Hierarchy (figure; mode boxes: Top Level, Non-Privileged Commands, Privileged, Configuration, Interface, Certificate, Certificate Group, Security Policy, Server, Backend Server, Reverse-Proxy Server, TCP-Tuning)
  • Page 200: Configuration Security

    Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
  • Page 201: Access Lists

    Caution: All configuration is lost when using the factory default reset password. Methods to Manage the Device: You can configure the Cisco Secure Content Accelerator using one of three methods, two of which use the CLI configuration manager. • Serial connection, configuration manager
  • Page 202 Chapter 3. Brief instructions are also included for initiating a management session using the configuration manager. For instructions on using the telnet and serial console CLI configuration managers, see Chapter 4; for instructions on using the GUI, see Chapter 5.
  • Page 203: Initiating A Management Session

    Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one. SCA> enable SCA# configure (config[SCA])# ip address 10.1.2.5 (config[SCA])#
  • Page 204: Telnet

    URL in the form of HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix. Telnet After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial connection configuration manager, you can connect to the appliance via telnet.
  • Page 205: Table C-3 Non-Privileged Command Description

    37 Displays DNS information for the device. show flows, page 37 Displays IP connection information for the device. show history, page 37 Displays the last commands executed.
  • Page 206 Displays enable password configuration status. show password idle-timeout, page 44 Displays the configured password idle-timeout period. show processes, page 44 Displays information, by thread, about processes running on the device.
  • Page 207 61 Displays the list of hosts to which diagnostic messages from the device are sent. show system-resources, page 61 Displays system memory and CPU usage for the device.
  • Page 208 Clears the IP routing table on the device. clear line, page 69 Closes a specified management session. clear log, page 69 Clears diagnostics message buffer. clear messages, page 70 Empties the diagnostic message buffer on the device.
  • Page 209: Table C-4 Privileged Command Description

    fips enable, page 76 Starts FIPS-compliant mode for a device in Privileged mode. quick-start, page 76 Runs the QuickStart wizard for the device. refresh, page 77 Updates device information in the configuration manager.
  • Page 210: Table C-5 Configuration Command Description

    Allows the administrator to set the date or time. end, page 86 Leaves Configuration Mode and returns to Privileged Mode. exit, page 86 Leaves Configuration Mode and returns to Privileged Mode.
  • Page 211 Stores the registration code of the device. rip, page 94 Enables Routing Information Protocol (RIP) for the current device. no snmp, page 95 Disables SNMP and clears all SNMP data.
  • Page 212 Allows telnet management sessions for the device. telnet port, page 107 Specifies the TCP service port to use for telnet management sessions. timezone, page 108 Specifies the time zone of the device’s location.
  • Page 213 Top Level mode. help, page 112 Displays help information for the specified command. speed, page 112 Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps.
  • Page 214: Table C-7 Ssl Configuration Command Description

    Reverse-Proxy Server Configuration mode for that server. secpolicy, page 121 Creates and/or configures the specified security policy and enters Security Policy Configuration mode for the security policy.
  • Page 215 127 Allows keepalive messages to be sent to the hardware server corresponding to the current virtual backend server. keepalive frequency, page 127 Specifies the interval between keepalive messages.
  • Page 216 136 Enables the backend server to function as a transparent proxy (default). urlrewrite, page 137 Sets or removes a specified URL rewrite rule for the current backend server.
  • Page 217: Table C-9 Certificate Configuration Command Description

    142 Adds the specified, existing certificate object into the current certificate group. end, page 142 Exits Certificate Group Configuration mode, activates all changes, and returns to SSL Configuration mode.
  • Page 218: Table C-11 Key Configuration Command Description

    148 Displays current information about the key being created or edited. net-iis, page 148 Loads a private key exported from IIS 4 (and only IIS 4) into the key entity.
  • Page 219: Table C-12 Reverse-Proxy Server Configuration Command Description

    Creates an association between this server and the specified security policy. serverauth enable, page 155 Enables server certificate authentication. serverauth ignore, page 155 Specifies the server authentication errors to ignore.
  • Page 220: Table C-13 Security Policy Configuration Command Description

    Leaves Security Policy Configuration Mode and returns to Top Level mode. help, page 164 Displays help information for the specified command. info, page 164 Displays current information about the security policy being edited or created.
  • Page 221: Table C-14 Server Configuration Command Description

    Leaves Server Configuration Mode and returns to Top Level mode. help, page 172 Displays help information for the specified command. httpheader, page 172 Specifies the header information to pass to hardware servers.
  • Page 222 Specifies the port on which the logical secure server receives SSL traffic. The SSL traffic is decrypted and sent to the physical server using the TCP service port previously specified with the remoteport command.
  • Page 223: Table C-15 Tcp Tuning Configuration Command Description

    193 Specifies the number of times an unacknowledged segment is retransmitted. maxrt, page 194 Specifies the amount of time a TCP connection will remain open after a peer stops responding.
  • Page 224 202 ts, page 203 Controls use of the TCP time stamp option. wnd-scale, page 204 Controls use of the TCP window scale option.
  • Page 225: Top Level Command Set

    Availability: Serial, Telnet; FIPS Mode (serial only) Clears the display, leaving only one prompt line. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) enable Enters or leaves Privileged Mode. enable no enable
  • Page 226: Exit

    Related Commands quit (Non-Privileged Command Set) help Displays help information for the specified command. help [command] Syntax Description command The name of the command.
  • Page 227: Monitor

    Pauses the configuration manager until a key is pressed. paws Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) ping Sends ICMP packets to the specified IP address. ping <ipaddr|name>
  • Page 228: Quit

    When executed from telnet, the telnet connection is closed. Related Commands exit (Non-Privileged Command Set) set monitor-interval Sets the number of seconds between monitor-prefixed command refreshes. set monitor-interval <value> no set monitor-interval
  • Page 229: Show Arp

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show version (Non-Privileged Command Set) show cpu Displays CPU utilization information for the device. show cpu [continuous] [interval <value>]
  • Page 230: Show Date

    Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands rdate-server (Configuration Command Set) show device Displays information about the device. show device Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 231: Show Dns

    Displays the last commands executed. show history Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show terminal (Top Level Command Set) terminal history (Top Level Command Set)
  • Page 232: Show Interface

    Displays information for the “Network” interface. server Displays information for the “Server” interface. continuous Displays errors continuously. interval Specifies an interval for display updates. value The interval in seconds.
  • Page 233: Show Interface Statistics

    If a single interface is not specified, statistics are displayed for both interfaces. If continuous is specified, statistics are updated every second. Use the interval option to specify an interval for display updates. Press any key to stop displaying statistics.
  • Page 234: Show Ip Domain-Name

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands ip domain-name (Configuration Command Set) show dns (Non-Privileged Command Set) show ip domain-name (Non-Privileged Command Set)
  • Page 235: Show Ip Routes

    Displays a list of keepalive-monitor IP addresses for one or more devices. show keepalive-monitor Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) SSL errors from IP addresses specified with the keepalive-monitor command are ignored. Related Commands keepalive-monitor (Configuration Command Set)
  • Page 236: Show Log

    The zones flag is used to display information for each memory zone. show messages Displays the diagnostic message buffer for the device. show messages Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 237: Show Netstat

    Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands password (Configuration Set) show password access Displays access password configuration status. show password access Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 238: Show Password Enable

    Availability: Serial, Telnet; FIPS Mode (serial only). Related Commands password (Configuration Set) show processes Displays information, by thread, about processes running on the device. show processes Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 239: Show Rdate-Server

    Displays the routing table stored in the device. show route Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show ip routes (Top Level Command Set)
  • Page 240: Show Sessions

    (Configuration Command Set) show sntp-server Displays SNTP-server information for the device. show sntp-server Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) The SNTP server is used for date and time information.
  • Page 241: Show Ssl

    Syntax Description certname The name of the certificate. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a certificate name, all certificate entity information is displayed.
  • Page 242: Show Ssl Certgroup

    (Non-Privileged Command Set) show ssl key (Non-Privileged Command Set) show ssl secpolicy (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) show ssl statistics (Non-Privileged Command Set) ssl (Configuration Command Set)
  • Page 243: Show Ssl Errors

    Error: Description. SSL Negotiation Errors: The number of SSL negotiation failures. Total SSL Connections Rejected: The number of SSL connections rejected when the pre-defined limit of connections has been exceeded.
  • Page 244 … from remote server: Generated when reading from a remote server. Broken Connection Read Errors from remote server: Generated when reading from a remote server after the remote server has reset the connection.
  • Page 245 "Operation already in progress" "lower error" "I/O error" "Destination host is down" "Unsupported protocol" "Destination network is down" "Destination host unreachable" "Destination network unreachable" "Protocol Family not supported" "Prototype error"
  • Page 247: Table C-17 Abbreviations Used For Show Ssl Errors Continuous

    (Non-Privileged Command Set) show ssl secpolicy (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) show ssl statistics (Non-Privileged Command Set) ssl (Configuration Command Set) See the section “SSL Configuration Command Set”.
  • Page 248: Show Ssl Key

    See the sections “SSL Configuration Command Set” and “Key Configuration Command Set”. show ssl secpolicy Displays summary data for the specified security policy on the device. show ssl secpolicy [polname] Syntax Description polname The name of the security policy.
  • Page 249: Show Ssl Server

    If you do not specify a secure server name, all secure server information is displayed. Related Commands show ssl (Non-Privileged Command Set) show ssl cert (Non-Privileged Command Set) show ssl certgroup (Non-Privileged Command Set)
  • Page 250: Show Ssl Session-Stats

    Use the interval keyword to specify an interval for display updates. Press any key to stop displaying information. Table C-18 below presents a description of the items in the output.
  • Page 251: Table C-18 Output Description For Show Ssl Session-Stats

    (All Servers): An SSL session cache miss has occurred. Reuse Attempt on Timed Out Session (RATS) (All Servers): An SSL session cache reuse attempt has occurred for a session id that has timed out.
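To make the two counters above concrete, here is an added model (not Cisco code) of a session-ID cache with a lifetime, so that a cache miss and a Reuse Attempt on a Timed Out Session (RATS) are visibly different events. The lifetime value and the client behaviour in sample_workload() are constructed; this summary does not state the SCA's real cache size or timeout.

```python
"""Model of the counters behind `show ssl session-stats` (Table C-18).

Added example, not Cisco code. A miss is an offered session id the device does
not know; a RATS is an id it does know whose entry has aged out. Both force a
full handshake, but they point at different causes. The lifetime and the
client behaviour in sample_workload() are constructed.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class SessionStats:
    hits: int = 0
    misses: int = 0      # unknown session id -> full handshake
    rats: int = 0        # known id, entry timed out -> full handshake as well


@dataclass
class SessionCache:
    lifetime: float                                   # seconds an entry stays resumable (assumed)
    stats: SessionStats = field(default_factory=SessionStats)
    _entries: dict = field(default_factory=dict)      # session id -> (master secret, created_at)

    def new_session(self, now: float) -> bytes:
        """Full handshake completed: cache a fresh session id."""
        sid = secrets.token_bytes(32)
        self._entries[sid] = (secrets.token_bytes(48), now)
        return sid

    def resume(self, sid: bytes, now: float):
        """Client offered `sid`; return the master secret on a hit, None otherwise."""
        entry = self._entries.get(sid)
        if entry is None:
            self.stats.misses += 1
            return None
        secret, created = entry
        if now - created > self.lifetime:
            self.stats.rats += 1
            del self._entries[sid]      # expired: the next attempt with this id is a plain miss
            return None
        self.stats.hits += 1
        return secret


def sample_workload(lifetime: float = 300.0) -> SessionStats:
    """Constructed clients: one resumes quickly, one returns after the lifetime,
    one offers an id the device never issued."""
    cache = SessionCache(lifetime)
    t = 0.0
    quick = cache.new_session(t)
    slow = cache.new_session(t)
    cache.resume(quick, t + 10)                      # hit
    cache.resume(quick, t + 20)                      # hit
    cache.resume(slow, t + lifetime + 1)             # RATS: known id, timed out
    cache.resume(slow, t + lifetime + 2)             # miss: entry was dropped above
    cache.resume(secrets.token_bytes(32), t + 30)    # miss: never issued here
    return cache.stats


if __name__ == "__main__":
    print(sample_workload())
```

Reading the device counters with this model in mind: a rising RATS count next to a healthy hit count means clients do come back to resume, but only after the entry has aged out, so the cache lifetime is shorter than the clients' revisit interval. Misses with few hits mean clients either never resume or are being spread across accelerators that do not share a cache, in which case the per-flow hashing the CSS configuration appendix insists on is the first thing to check.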
  • Page 252: Show Ssl Statistics

    (Configuration Command Set) See the section “SSL Configuration Command Set”. show ssl statistics Displays SSL statistics summed over all secure logical servers on the device. show ssl statistics [continuous] [interval <value>]
  • Page 253: Table C-19 Output Description For Show Ssl Statistics

    The number of SSL connections refused. Total SSL Connections Rejected: The number of SSL connections rejected when the pre-defined limit of connections has been exceeded. Total Connections Accepted: The number of client connections accepted.
  • Page 254: Show Ssl Tcp-Tuning

    Keyword indicating all TCP tuning information should be displayed. servername Specifies the server for which TCP tuning parameters should be displayed. defaults Keyword indicating default TCP tuning values should be displayed.
  • Page 255: Show Syslog

    Availability: Serial, Telnet; FIPS Mode (serial only) Use the continuous option to update the information every second. Use the interval option to specify an interval for display updates. Press any key to stop displaying information.
  • Page 256: Show Telnet

    (Non-Privileged Command Set) terminal pager (Non-Privileged Command Set) terminal reset (Non-Privileged Command Set) terminal width (Non-Privileged Command Set) show timezone Displays timezone information for the device. show timezone
  • Page 257: Show Version

    (Configuration Command Set) web-mgmt port (Configuration Command Set) show telnet (Non-Privileged Command Set) terminal baud Sets the baud for communicating with the Secure Content Accelerator. terminal baud <1200|2400|4800|9600|19200|38400|115200>
  • Page 258: Terminal History

    The number of commands to store in the history buffer. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable the history list. The default is 25.
  • Page 259: Terminal Length

    Enables the terminal pager. terminal pager no terminal pager Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Using the no form of the command disables the pager.
  • Page 260: Terminal Reset

    Sets the width of the terminal window. terminal width <width> Syntax Description width The desired width of the terminal window. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 261: Traceroute

    The number of hops to trace. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) When issued from a serial or telnet connection, the command returns information based upon the device’s hardware.
  • Page 262: Privileged Command Set

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show ip routes (Non-Privileged Command Set) show routes (Non-Privileged Command Set) ip route (Configuration Command Set)
  • Page 263: Clear Ip Statistics

    Use the show sessions command to display the open management sessions. Related Commands show sessions (Non-Privileged Command Set) clear log Clears diagnostics message buffer. clear log Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 264: Clear Messages

    (Non-Privileged Command Set) show ssl statistics (Non-Privileged Command Set) clear ssl statistics Resets all SSL statistics for the device. clear ssl statistics Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 265: Configure

    (Privileged Command Set) copy startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) copy to startup-configuration (Privileged Command Set)
  • Page 266: Copy Running-Configuration Startup-Configuration

    (Privileged Command Set) copy running-configuration startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) copy to startup-configuration (Privileged Command Set)
  • Page 267: Copy Startup-Configuration Running-Configuration

    (Privileged Command Set) copy to running-configuration (Privileged Command Set) copy to startup-configuration (Privileged Command Set) copy to flash Uploads a Cisco Secure Content Accelerator image file to the device flash. copy to flash [url] Syntax Description The URL of the file.
  • Page 268: Copy To Running-Configuration

    [url] Syntax Description The URL of the file. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a URL, you are prompted for it.
  • Page 269: Disable

    Availability: Serial, Telnet Related Commands copy running-configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) erase startup-configuration (Privileged Command Set) erase startup-configuration Erases the startup-configuration on the device. erase startup-configuration
  • Page 270: Fips Enable

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Note: When using the quick-start command in FIPS Mode to create a server, only the FIPS and weak security policies are available.
  • Page 271: Refresh

    The access list identifier. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify an access list id, information for all access lists is displayed.
  • Page 272: Show Diagnostic-Report

    Related Commands show device (Non-Privileged Command Set) show memory (Non-Privileged Command Set) show memory zones (Non-Privileged Command Set) show netstat (Non-Privileged Command Set) show processes (Non-Privileged Command Set)
  • Page 273: Show Running-Configuration

    (Privileged Command Set) show startup-configuration (Privileged Command Set) show snmp Displays SNMP configuration information for the device. show snmp Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 274: Show Startup-Configuration

    (Privileged Command Set) copy startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to flash (Privileged Command Set) erase startup-configuration (Privileged Command Set) show running-configuration (Privileged Command Set)
  • Page 275: Write Flash

    (Privileged Command Set) copy startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to flash (Privileged Command Set) erase startup-configuration (Privileged Command Set) show running-configuration (Privileged Command Set)
  • Page 276: Write Messages

    Related Commands copy running-configuration startup-configuration (Privileged Command Set) copy startup-configuration running-configuration (Privileged Command Set) copy to running-configuration (Privileged Command Set) erase running-configuration (Privileged Command Set) show running-configuration (Privileged Command Set)
  • Page 277: Write Terminal

    Appendix C Command Summary Top Level Command Set write terminal Displays the running-configuration of the device. write terminal Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 278: Configuration Command Set

    A device can have up to 999 configured access lists. Use the no form of the command to delete the entire specified access list.
  • Page 279: Clock

    (Privileged Command Set) snmp access-list (Configuration Command Set) telnet access-list (Configuration Command Set) web-mgmt access-list (Configuration Command Set) clock Allows the administrator to set the date or time. clock <date|time>
  • Page 280: End

    Leaves Configuration Mode and returns to Privileged Mode. exit Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) finished Leaves Configuration Mode and returns to Top Level mode. finished
  • Page 281: Help

    Use the no form of the command to clear the hostname of the current device. Note: The command prompt reflects the new name the next time Configuration mode is entered.
  • Page 282: Interface

    ip address <<ipaddr> [netmask <netmask>]>|<ipaddr/netabbr>> no ip address Syntax Description ipaddr The IP address to assign to the device. netmask <netmask> The netmask for the device. netabbr The netmask abbreviation.
  • Page 283: Ip Domain-Name

    (Configuration Command Set) ip name-server Sets one or more name servers to use with the device. ip name-server <ipaddr> Syntax Description ipaddr The IP address of the Domain Name Server.
  • Page 284: Ip Route

    Use the no form of the command to delete the specified static route entry from the device’s routing table. Related Commands show ip routes (Non-Privileged Command Set) show route (Non-Privileged Command Set)
  • Page 285: Ip Route Default

    The source IP address from which SSL errors are to be ignored. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Up to two IP addresses, set individually, are allowed. Related Commands show keepalive-monitor (Non-Privileged Command Set)
  • Page 286: Mode One-Port

    Sets the access- or enable-level password for the current device or sets the idle timeout period. password <access | enable | idle-timeout <minutes>> no password <access | enable> no password idle-timeout
  • Page 287: Rdate-Server

    Specifies an RDATE-protocol server to be used for date and time information on the device. rdate-server <ipaddr> no rdate-server Syntax Description ipaddr The IP address of the RDATE server. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-93 78-13124-06...
  • Page 288: Registration-Code

    Enables Routing Information Protocol (RIP) for the current device. rip [v1|v2] no rip [v1|v2] Syntax Description v1 Specifies RIP v1. v2 Specifies RIP v2. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-94 78-13124-06...
  • Page 289: No Snmp

    (Non-Privileged Command Set) snmp access-list (Non-Privileged Command Set) snmp contact (Configuration Command Set) snmp default community (Configuration Command Set) snmp enable (Configuration Command Set) snmp location (Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-95 78-13124-06...
  • Page 290: Snmp Access-List

    (Configuration Command Set) snmp trap-host (Configuration Command Set) snmp trap-type enterprise (Configuration Command Set) snmp trap-type generic (Configuration Command Set) telnet access-list (Configuration Command Set) web-mgmt access-list (Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-96 78-13124-06...
  • Page 291: Snmp Contact

    (Configuration Command Set) snmp default community Assigns a default community for the SNMP subsystem to use when sending trap information. snmp default community <comName> no snmp default community Cisco 11000 Series Secure Content Accelerator Configuration Guide C-97 78-13124-06...
  • Page 292: Snmp Enable

    Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable SNMP without clearing SNMP data. Note: The device must be rebooted (reloaded) before this command takes effect. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-98 78-13124-06...
  • Page 293: Snmp Location

    (Configuration Command Set) snmp default community (Configuration Command Set) snmp enable (Configuration Command Set) snmp trap-host (Configuration Command Set) snmp trap-type enterprise (Configuration Command Set) snmp trap-type generic (Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-99 78-13124-06...
  • Page 294: Snmp Trap-Host

    (Configuration Command Set) snmp default community (Configuration Command Set) snmp enable (Configuration Command Set) snmp location (Configuration Command Set) snmp trap-type enterprise (Configuration Command Set) snmp trap-type generic (Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-100 78-13124-06...
  • Page 295: Snmp Trap-Type Enterprise

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-101 78-13124-06...
  • Page 296: Snmp Trap-Type Generic

    Enables generic SNMP traps. snmp trap-type generic no snmp trap-type generic Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable generic SNMP traps. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-102 78-13124-06...
  • Page 297: Sntp Interval

    Related Commands show device (Non-Privileged Command Set) show sntp (Non-Privileged Command Set) sntp server (Configuration Command Set) write terminal (Privileged Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-103 78-13124-06...
  • Page 298: Sntp Server

    Related Commands show device (Non-Privileged Command Set) show sntp (Non-Privileged Command Set) sntp interval (Configuration Command Set) write terminal (Privileged Command Set) Enters SSL Configuration mode for the current device. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-104 78-13124-06...
  • Page 299: Syslog

    Keyword indicating a specific syslog facility should be used. facilityid A numeral (from 0 to 7, inclusive) specifying the syslog facility to be used. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-105 78-13124-06...
  • Page 300: Telnet Access-List

    Availability: Serial, Telnet Use the no form of the command to remove the specified access list. The access list still exists but is no longer used by the telnet subsystem. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-106 78-13124-06...
  • Page 301: Telnet Enable

    The TCP service port to be used to manage the current device via a telnet session. default Keyword indicating that the telnet service port be returned to the default of 23. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-107 78-13124-06...
  • Page 302: Timezone

    GMT offset integer is not. Related Commands show date (Non-Privileged Command Set) web-mgmt access-list Assigns an existing access list to be used with web browser-based management requests. web-mgmt access-list <id> no web-mgmt access-list <id> Cisco 11000 Series Secure Content Accelerator Configuration Guide C-108 78-13124-06...
  • Page 303: Web-Mgmt Enable

    Use the no form of the command to disable web browser-based management access. Related Commands show web-management (Non-Privileged Command Set) web-mgmt access-list (Configuration Command Set) web-mgmt port (Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-109 78-13124-06...
  • Page 304: Web-Mgmt Port

    The port assignment is used at the next Web management connection attempt. Related Commands access-list (Configuration Command Set) show web-management (Non-Privileged Command Set) web-mgmt access-list (Configuration Command Set) web-mgmt enable (Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-110 78-13124-06...
  • Page 305: Interface Configuration Command Set

    Sets the current interface to full duplex. half Sets the current interface to half duplex. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Exits Interface Configuration mode and returns to Configuration mode. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-111 78-13124-06...
  • Page 306: Finished

    Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps. speed <10|100> Syntax Description 10 Sets the current interface speed to 10 Mbps. 100 Sets the current interface speed to 100 Mbps. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-112 78-13124-06...
  • Page 307: Ssl Configuration Command Set

    15 characters. Related Commands show ssl (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) See the section “Backend Server Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-113 78-13124-06...
  • Page 308: Cert

    The following example creates a certificate object named myCert and enters Certificate Configuration mode for the certificate object myCert. cert myCert create Related Commands show ssl cert (Non-Privileged Command Set) See the section “Certificate Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-114 78-13124-06...
  • Page 309: Certgroup

    The following example creates a certificate group object named myCertGroup and enters Certificate Group Configuration mode for certificate group myCertGroup. certgroup myCertGroup create Related Commands show ssl certgroup (Top Level Command Set) See the section “Certificate Group Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-115 78-13124-06...
  • Page 310: End

    Leaves SSL Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) gencsr Generates a certificate signing request and/or self-signed certificate. gencsr <key <keyname>> [newhdr] [digest md5|sha1] [output <filename|url>] Cisco 11000 Series Secure Content Accelerator Configuration Guide C-116 78-13124-06...
  • Page 311: Help

    Related Commands See the section “Key Configuration Command Set”. help Displays help information for the specified command. help [command] Syntax Description command The name of the command. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-117 78-13124-06...
  • Page 312: Import Pkcs12

    Imports and processes a PKCS#7 file to create certificate objects and a certificate group. import pkcs7 <name> <der|pem> [prefix <prefixText>] |url]] Syntax Description name The user-defined name of the certificate group object. der Indicates the file is DER-encoded. pem Indicates the file is PEM-encoded. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-118 78-13124-06...
  • Page 313: Key

    Key names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character or underscore and have a limit of 15 characters. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-119 78-13124-06...
  • Page 314: Reverse-Proxy-Server

    Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Reverse-proxy server names must begin with an alphabetic character or underscore and have a limit of 15 characters. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-120 78-13124-06...
  • Page 315: Secpolicy

    The following example creates a security policy named mypolicy and enters Security Policy Configuration mode for the security policy mypolicy. secpolicy mypolicy create Related Commands show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-121 78-13124-06...
  • Page 316: Server

    15 characters. Related Commands show ssl server (Non-Privileged Command Set) See the section “Server Configuration Command Set”. tcp-tuning Enters TCP Tuning Configuration mode at the global level. tcp-tuning no tcp-tuning Cisco 11000 Series Secure Content Accelerator Configuration Guide C-122 78-13124-06...
  • Page 317 Availability: Serial, Telnet; FIPS Mode (serial only) The no form of the command is used to return all TCP tuning values to factory default. Related Commands See the section “TCP Tuning Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-123 78-13124-06...
  • Page 318: Backend Server Configuration Command Set

    The no form of the command is used to disable server authentication using the certificate group. When using the no form of the command, you need not specify any certificate group name. Only one certificate group can be used. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-124 78-13124-06...
  • Page 319: End

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) finished Leaves Backend Server Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-125 78-13124-06...
  • Page 320: Help

    Sets the specified IP address for the backend server. ip address <ipaddr> [netmask <mask>] no ip address Syntax Description ipaddr The IP address to assign to the backend server. netmask <mask> The netmask valid for the IP address. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-126 78-13124-06...
  • Page 321: Keepalive Enable

    1 to 255 seconds (inclusive); the default is 5 seconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands keepalive enable (Backend Server Configuration Command Set) keepalive maxfailure (Backend Server Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-127 78-13124-06...
  • Page 322: Keepalive Maxfailure

    Availability: Serial, Telnet; FIPS Mode (serial only) Caution: Traffic sent on this TCP service port is not secured by SSL during transmission to the server. It must be secured by another means. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-128 78-13124-06...
  • Page 323: Log-Url

    Specifies the TCP service port through which redirected secure connections are sent. remoteport <port|default> Syntax Description port The TCP service port used to transfer secure traffic. default Sets the port specification to 443. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-129 78-13124-06...
  • Page 324: Secpolicy

    Related Commands secpolicy (SSL Configuration Command Set) show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-130 78-13124-06...
  • Page 325: Serverauth Domain-Name

    Availability: Serial, Telnet; FIPS Mode (serial only) Using the no form of the command disables server certificate authentication. Related Commands certgroup serverauth (Backend Server Configuration Command Set) serverauth ignore (Backend Server Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-131 78-13124-06...
  • Page 326: Serverauth Ignore

    Related Commands certgroup serverauth (Backend Server Configuration Command Set) serverauth enable (Backend Server Configuration Command Set) session-cache enable Enables session caching. session-cache enable no session-cache enable Cisco 11000 Series Secure Content Accelerator Configuration Guide C-132 78-13124-06...
  • Page 327: Session-Cache Size

    (Backend Server Configuration Mode) session-cache timeout Specifies how long a session remains in the session cache before it times out. session-cache timeout <seconds> Syntax Description seconds Specifies the number of seconds before a cached session times out. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-133 78-13124-06...
  • Page 328: Sslv2 Enable

    Using the no form of the command disables SSL version 3 protocols. You cannot disable SSL version 2, SSL version 3, and TLS protocols all at once. This command is not available in FIPS mode. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-134 78-13124-06...
  • Page 329: Suspend

    Related Commands activate (Backend Server Configuration Mode) tcp-tuning Enters TCP Tuning Configuration mode for this server. tcp-tuning Cisco 11000 Series Secure Content Accelerator Configuration Guide C-135 78-13124-06...
  • Page 330: Tlsv1 Enable

    When transparent proxy behavior is disabled, the device accepts connections on the IP address of the Secure Content Accelerator rather than on the server address. The no form of the command is used to disable this behavior. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-136 78-13124-06...
  • Page 331: Urlrewrite

    URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-137 78-13124-06...
  • Page 332: Certificate Configuration Command Set

    [url] Syntax Description url The location of the file. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not enter the URL, you are prompted for it. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-138 78-13124-06...
  • Page 333: End

    Leaves Certificate Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) help Displays help information for the specified command. help [command] Syntax Description command The name of the command. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-139 78-13124-06...
  • Page 334: Info

    If you do not enter the file name or URL, you are prompted for it. Related Commands pem-paste (Certificate Configuration Command Set) pem-paste Allows a PEM-encoded X.509 certificate to be pasted into the configuration manager. pem-paste Cisco 11000 Series Secure Content Accelerator Configuration Guide C-140 78-13124-06...
  • Page 335 You can use a text editor to copy the certificate from a file. After the certificate is pasted, you must press Enter twice to complete the command. If a password is required, you are prompted for it. Related Commands pem (Certificate Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-141 78-13124-06...
  • Page 336: Certificate Group Configuration Command Set

    See the section “Certificate Configuration Command Set”. Exits Certificate Group Configuration mode, activates all changes, and returns to SSL Configuration mode. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-142 78-13124-06...
  • Page 337: Exit

    The name of the command. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a command, help information is displayed for all Certificate Group Commands. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-143 78-13124-06...
  • Page 338: Info

    Appendix C Command Summary Configuration Command Set info Displays current information about the certificate group being created or edited. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-144 78-13124-06...
  • Page 339: Key Configuration Command Set

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not enter the URL, you are prompted for it. If a password is required, you are prompted for it. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-145 78-13124-06...
  • Page 340: End

    Leaves Key Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) genrsa Generates an RSA key. genrsa [bits <512|1024>] [encrypt <des|des3>] [seed <seedstring>] [output <filename|url>] Cisco 11000 Series Secure Content Accelerator Configuration Guide C-146 78-13124-06...
  • Page 341: Help

    PEM-encoded file named mykey.pem. genrsa bits 1024 encrypt des seed lemon output mykey.pem help Displays help information for the specified command. help [command] Syntax Description command The name of the command. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-147 78-13124-06...
  • Page 342: Info

    If you do not enter the URL, you are prompted for it. If a password is required, you are prompted for it. Loads a PEM-encoded X.509 private key into the key entry. pem [url] Syntax Description url The location of the file. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-148 78-13124-06...
  • Page 343: Pem-Paste

    You can use a text editor to copy the key from a file. After the key is pasted, you must press Enter twice to complete the command. If a password is required, you are prompted for it. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-149 78-13124-06...
  • Page 344: Reverse-Proxy Server Configuration Command Set

    (Reverse-Proxy Server Configuration Command Set) certgroup serverauth Assigns a certificate group to be used for server certificate authentication. certgroup serverauth <certgroupname> no certgroup serverauth Syntax Description certgroupname The name of the certificate group. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-150 78-13124-06...
  • Page 345: End

    Availability: Serial, Telnet; FIPS Mode (serial only) exit Exits Reverse-Proxy Server Configuration mode, activates all changes, and returns to SSL Configuration mode. exit Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-151 78-13124-06...
  • Page 346: Finished

    If you do not specify a command, help information is displayed for all Reverse-Proxy Server Configuration Commands. info Displays current information about the reverse-proxy server being edited or created. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-152 78-13124-06...
  • Page 347: Localport

    Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to remove the specified log-url server from the list. Only one log-url server can be configured. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-153 78-13124-06...
  • Page 348: Secpolicy

    Related Commands secpolicy (SSL Configuration Command Set) show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-154 78-13124-06...
  • Page 349: Serverauth Enable

    Ignore certificate expiration errors. cert-not-yet-valid Ignore errors caused by using the certificate before it is valid. invalid-ca Ignore errors caused by an unrecognized CA. domain-name Ignore errors due to an invalid domain name. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-155 78-13124-06...
  • Page 350: Session-Cache Enable

    The number of cached sessions. The default is 1024. The acceptable range is 1 to 76,800 (SCA) or 1 to 307,200 (SCA2). Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-156 78-13124-06...
  • Page 351: Session-Cache Timeout

    SSL version 2 and 3 and TLS protocols. This command is not available in FIPS mode. Related Commands sslv3 enable (Reverse-Proxy Server Configuration Command Set) tlsv1 enable (Reverse-Proxy Server Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-157 78-13124-06...
  • Page 352: Sslv3 Enable

    If you are editing an existing reverse-proxy server and you use the suspend command alone, all open connections on the server are finished, and no new connections are accepted. No connections are accepted until the activate command is used. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-158 78-13124-06...
  • Page 353: Tcp-Tuning

    SSL version 2 and 3 and TLS protocols. The command no tlsv1 enable is not available in FIPS mode. Related Commands sslv2 enable (Reverse-Proxy Server Configuration Command Set) sslv3 enable (Reverse-Proxy Server Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-159 78-13124-06...
  • Page 354: Urlrewrite

    URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-160 78-13124-06...
  • Page 355: Security Policy Configuration Command Set

    Cryptographic Scheme   Encryption   Authentication   Exchange     Assignments
    ARC4-MD5               ARC4 (128)   MD5              RSA (1024)   strong, default, all
    ARC4-SHA               ARC4 (128)   SHA1             RSA (1024)   strong, default, all
    DES-CBC3-MD5           3DES (168)   MD5              RSA (1024)   strong, all
    Cisco 11000 Series Secure Content Accelerator Configuration Guide C-161 78-13124-06...
  • Page 356 If you enter crypto weak and no crypto NULL-MD5 commands, the NULL-MD5 cryptography scheme is removed from the current security policy. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-162 78-13124-06...
  • Page 357: End

    Availability: Serial, Telnet; FIPS Mode (serial only) exit Exits Security Policy Configuration mode, activates all changes, and returns to SSL Configuration mode. exit Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-163 78-13124-06...
  • Page 358: Finished

    If you do not specify a command, help information is displayed for all Security Policy Configuration Commands. info Displays current information about the security policy being edited or created. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-164 78-13124-06...
  • Page 359: Server Configuration Command Set

    The name of the certificate. default The pre-loaded default certificate. default-1024 The pre-loaded 1024-bit default certificate. default-512 The pre-loaded 512-bit default certificate. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-165 78-13124-06...
  • Page 360: Certgroup Chain

    flag, you need not specify any certificate group name. Only one certificate chain is allowed. Related Commands certgroup (SSL Configuration Command Set) show ssl certgroup (Non-Privileged Command Set) See also “Certificate Group Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-166 78-13124-06...
  • Page 361: Certgroup Clientauth

    Enables client certificate authentication. clientauth enable no clientauth enable Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable client certificate authentication. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-167 78-13124-06...
  • Page 362: Clientauth Error

    HTML error page listing the reason for the error. Then the SSL session is disconnected. ignore The server silently ignores the authentication error and continues the SSL connection. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-168 78-13124-06...
  • Page 363: Clientauth Verifydepth

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands certgroup clientauth (Server Configuration Command Set) clientauth enable (Server Configuration Command Set) clientauth error (Server Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-169 78-13124-06...
  • Page 364: End

    HTML page specified by the url argument. The SSL session is disconnected. url The location of the error page for redirection. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) The default behavior is failhtml. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-170 78-13124-06...
  • Page 365: Ephrsa

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) finished Leaves Server Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-171 78-13124-06...
  • Page 366: Help

    Adds the server certificate to the HTTP stream. pre-filter Pre-filters the client header. prefix Allows a prefix string to be added to the HTTP stream. This text must be entered within quotes. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-172 78-13124-06...
  • Page 367: Table C-20 Headers Inserted With Httpheader Client-Cert Command

    Public key algorithm
    hostname-ClientCert-RSA-Exponent            Public exponent
    hostname-ClientCert-RSA-Modulus-Size        RSA private key size
    hostname-ClientCert-RSA-Modulus             RSA modulus
    hostname-ClientCert-RSA-Public-Key-Size     RSA public key size
    hostname-ClientCert-Serial-Number           Certificate serial number
    hostname-ClientCert-Signature-Algorithm     Certificate signature algorithm
    hostname-ClientCert-Signature               Certificate signature
    Cisco 11000 Series Secure Content Accelerator Configuration Guide C-173 78-13124-06...
  • Page 368: Table C-21 Headers Inserted With Httpheader Session Command

    The following table presents the header fields sent using the httpheader server-cert command.
    Table C-22 Headers Inserted with httpheader server-cert Command
    Header Field                                   Description
    hostname-ServerCert-Certificate-Version        x509 Certificate version
    hostname-ServerCert-Data-Signature-Algorithm   x509 Hashing and encryption mechanisms
    hostname-ServerCert-Fingerprint                Hash output
    Cisco 11000 Series Secure Content Accelerator Configuration Guide C-174 78-13124-06...
  • Page 369: Info

    Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) ip address Sets the specified IP address for the logical secure server. ip address <ipaddr> [netmask <mask>] no ip address Cisco 11000 Series Secure Content Accelerator Configuration Guide C-175 78-13124-06...
  • Page 370: Keepalive Enable

    Specifies the interval between keepalive messages. keepalive frequency <seconds> Syntax Description seconds The number of seconds between keepalive messages; the range is 1 to 255 seconds (inclusive); the default is 5 seconds. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-176 78-13124-06...
  • Page 371: Keepalive Maxfailure

    <keyname | default | default-1024 | default-512> Syntax Description keyname The name of the key. default The pre-loaded default key. default-1024 The pre-loaded 1024-bit default key. default-512 The pre-loaded 512-bit default key. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-177 78-13124-06...
  • Page 372: Localport

    Related Commands remoteport (Server Configuration Command Set) sslport (Server Configuration Command Set) log-url Specifies a host for logging of URL requests. log-url <ipaddr> [port <portid>] [facility <facilityid>] no log-url <ipaddr> Cisco 11000 Series Secure Content Accelerator Configuration Guide C-178 78-13124-06...
  • Page 373: Remoteport

    It must be secured by another means. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands localport (Server Configuration Command Set) sslport (Server Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-179 78-13124-06...
  • Page 374: Secpolicy

    Related Commands secpolicy (SSL Configuration Command Set) show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-180 78-13124-06...
  • Page 375: Session-Cache Enable

    1 to 76,800 (SCA) or 1 to 307,200 (SCA2). Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands session-cache enable (Server Configuration Mode) session-cache timeout (Server Configuration Mode) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-181 78-13124-06...
  • Page 376: Session-Cache Timeout

    The SSL handshake is continued and the client is redirected to another HTML page specified by the url argument. The SSL session is disconnected. url The location of the error page for redirection. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-182 78-13124-06...
  • Page 377: Sslport

    Related Commands localport (Server Configuration Command Set) remoteport (Server Configuration Command Set) sslv2 enable Enables SSL version 2 protocols. sslv2 enable no sslv2 enable Usage Guidelines Availability: Serial, Telnet Cisco 11000 Series Secure Content Accelerator Configuration Guide C-183 78-13124-06...
  • Page 378: Sslv3 Enable

    (Server Configuration Command Set) suspend Suspends the function of the server. suspend [now] Syntax Description now Suspends actions of the server immediately. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-184 78-13124-06...
  • Page 379: Tcp-Tuning

    Related Commands See the section “TCP Tuning Configuration Command Set”. tlsv1 enable Enables TLS version 1 protocols. tlsv1 enable no tlsv1 enable Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 380: Transparent

    The device listens on the hardware server’s IP address for incoming client connections and uses the client’s IP address for connecting to the hardware server. This is the default behavior.
  • Page 381: Urlrewrite

    An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., “*.company.com”. Up to 32 URL rewrite rules can be configured. Use the no form of the command to clear the specified rule. If more...
  • Page 382 URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set)
  • Page 383: Tcp Tuning Configuration Command Set

    The number of seconds a segment can exist on the network before being discarded; the valid range is from 5 to 300 seconds (inclusive). default The factory default. At the time of publication, the factory default is 5 seconds.
  • Page 384: Delay-Ack

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122.
  • Page 385: Finwt2Time

    The number of seconds to keep a TCP connection open without active traffic; the valid range is from 0 to 65535 seconds (inclusive). default The factory default. At the time of publication, the factory default is 60 seconds.
  • Page 386: Keepalive-Cnt

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122. Related Commands keepalive (TCP Tuning Configuration Command Set) keepalive-intv (TCP Tuning Configuration Command Set)
  • Page 387: Keepalive-Intv

    The number of keepalives that are sent; the valid range is from 1 to 65535 (inclusive). default The factory default. At the time of publication, the factory default is 12.
  • Page 388: Maxrt

    Use the no form of the command to return the maxrt to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. maxseg Specifies the maximum TCP segment size. maxseg <bytes|default> no maxseg
  • Page 389: Mtu

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 894. Note This parameter can only be set at the global level.
  • Page 390: Nodelay

    See RFC 896. nopush Controls whether data is sent if the segment size (maxseg) is not full. nopush <0|1|on|off|default> no nopush Syntax Description 0: nopush is disabled. 1: nopush is enabled. on: nopush is enabled.
  • Page 391: Probe-Max

    30000 to 65535 milliseconds (inclusive). default The factory default. At the time of publication, the factory default is 60000 milliseconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 392: Probe-Min

    Use the no form of the command to return the probe-min to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. Related Commands probe-max (TCP Tuning Configuration Command Set)
  • Page 393: Push-All

    Related Commands nopush (TCP Tuning Configuration Command Set) rto-def Specifies the default retransmission timeout. rto-def <milliseconds|default> no rto-def
  • Page 394: Rto-Max

    65535 milliseconds (inclusive). default The factory default. At the time of publication, the factory default is 64000 milliseconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 395: Rto-Min

    If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122 and RFC 2988. Related Commands rto-def (TCP Tuning Configuration Command Set) rto-max (TCP Tuning Configuration Command Set)
  • Page 396: Slow-Start

    See RFC 2001 and RFC 2581. stdurg Controls the octet pointed to by the urgent pointer. stdurg <0|1|on|off|default> no stdurg
  • Page 397 Syntax Description 0: Time stamping is disabled. 1: Time stamping is enabled. on: Time stamping is enabled. off: Time stamping is disabled. default: 1 (on); time stamping is enabled. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
  • Page 398: Wnd-Scale

    Use the no form of the command to return the ts to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1323.
  • Page 399: Appendix

    ) in the console. The >> prompt displayed when the device has failed any self-tests is self-test failure>>. This appendix contains the following sections: Text Conventions, Getting Help, Examples, Command Set.
  • Page 400: Appendix D Minimax Command Summary

    Note: Though a command string may be displayed on multiple lines in this guide, it must be entered on a single line with no returns except at the end of the complete command.
  • Page 401: Getting Help

    Help for individual commands having arguments is available by partially typing the command and pressing Enter. An example is below.
    >>ip
    ip what?
    address -- assign an ip address
    route -- assign default route
    >>
  • Page 402: Examples

    Check the environment by entering the following command. An example of the associated response is included.
    >>env
    cbaud=9600
    autoboot=N
    autorun=N
    verbose=false
    netaddr=10.1.2.5
    netmask=255.255.255.0
    gwaddr=10.1.2.254
    bootfile=/flash/maxos.bz2
    TZ=GMT10DST
    TERM=ansi
    FIPS_MODE=0
    COLUMNS=80
    ROWS=25
    bootdevice=/flash/maxos.bz2
    build=200208160004
    version=4.1.0
  • Page 403: Installing A Firmware Image (Netcat

    firmware has been corrupted. This example uses the Netcat application to stream the image to MiniMax. The firmware image can be found on the distribution CD accompanying the device and at the Cisco Web site. Netcat allows for reading and writing data across network sockets. It is freely available for most operating systems here: Unix: ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/netcat...
  • Page 404: Installing A Firmware Image (Xmodem

    This example uses Xmodem to download the image to MiniMax over the console serial line. The firmware image can be found on the distribution CD accompanying the device and at the Cisco Web site. Use the following table to identify the firmware image for use.
  • Page 405: Table D-2 Firmware Image Selection

    Use the terminal emulation application’s commands to initiate sending the image file indicated in Table D-2 above via xmodem. Note: The image file transfer can take up to an hour depending on the baud.
  • Page 406: Extracting A Device Configuration

    Set up the terminal emulation program to capture text. Enter the following command to list the configuration to the window. >> cat /flash/startup-config Stop the text capture. Note: Before loading the saved configuration file, you must reload the keys.
  • Page 407: Resetting The Environment To Factory Defaults

    Enter resetenv to return the device to factory settings. Note: You are not prompted to continue. The process begins once you have typed the command and pressed Enter.
  • Page 408 Check the environment again by entering the following command. An example of the associated response is included.
    >>env
    cbaud=9600
    autoboot=N
    autorun=N
    verbose=false
    netaddr=192.0.2.254
    netmask=255.255.255.0
    gwaddr=
    bootfile=/flash/maxos.bz2
    TZ=GMT10DST
    TERM=ansi
    FIPS_MODE=0
    COLUMNS=80
    ROWS=25
  • Page 409: Command Set

    The new baud for the connection. boot Boots the device with the current flash image. Syntax: boot. cat Lists the specified file to the terminal. Syntax: cat <filename>. Syntax Description filename The path and filename to list.
  • Page 410: Eaddr

    Option indicating that interface speed will be configured. Option indicating the specified Ethernet interface(s) should be configured as 10Mbit/sec. Option indicating the specified Ethernet interface(s) should be configured as 100Mbit/sec.
  • Page 411: Env

    The example below shows how to set the last three octets of the MAC addresses of both interfaces, beginning with the address specified. >> eaddr -ib 010000 Prints the nvram environment to the console.
  • Page 412: Hinv

    Keywords identifying the address to change. ipaddr The new IP address. maskbits The numeral indicating the appropriate mask to use; this netmask shortcut is used only with the address keyword.
  • Page 413: Netstat

    Displays open file descriptors and sockets on the device. netstat printenv Prints the nvram environment to the console. printenv rdate-server Assigns an RDATE server. rdate-server <ipaddr> Syntax Description ipaddr The IP address of the RDATE server to use.
  • Page 414: Reboot

    Deletes a file from the flash file directory. rm <filename> Syntax Description filename The name of the file to delete. Related Commands sbridge Connects the specified Ethernet port and starts the bridge. sbridge [network|server]
  • Page 415 Specifies file download information is to be displayed. Specifies ARP information is to be displayed. route Specifies route information is to be displayed. Usage Guidelines If no system is specified, a help message is displayed.
  • Page 416: Version

    version Displays firmware version information. version Processes a downloaded image file, if available, and copies it to the flash.
  • Page 417: Appendix

    Appendix: Troubleshooting. This appendix provides general troubleshooting information for the Secure Content Accelerator. This appendix contains the section “Troubleshooting the Hardware”
  • Page 418: Troubleshooting The Hardware

    SSL device and other networking hardware agree. Using the CLI, enter the show interface command to display the settings for the appliance Ethernet interfaces. Make sure you have a valid networking topology.
  • Page 419 Use a serial management session to connect to the device. The serial console displays either >> or self-test failure>>. A serious error has occurred. Please see Appendix D, “MiniMax Command Summary” for more information.
  • Page 420 “Returning to Normal Operation” in Chapter 6 for more information. Few security policies are available when configuring servers. The device is operating in FIPS Mode. Only security policies containing FIPS 140-2-compliant algorithms are available in FIPS Mode.
  • Page 421 The device might be operating in FIPS Mode. exit the configuration mode. Only servers configured with FIPS 140-2-compliant algorithms are available to traffic. The assigned security policy must contain at least one FIPS-compliant algorithm.
  • Page 422: Figure E-1 Troubleshooting Flowchart

    [Figure E-1 Troubleshooting Flowchart: decision steps on whether the serial connection is responsive (RMA the unit if faulty), whether the 1- or 2-port operation mode is set correctly (set the intended operation mode and reload the device), and whether the network settings are correct (configure network settings); then go to the next flowchart]
  • Page 423: Figure E-2 Troubleshooting Flowchart

    [Figure E-2 Troubleshooting Flowchart: check whether "show localport" and netstat display proper listening sockets (set transparency settings and reload if necessary), and whether the proxy is set to transparent operation (refer to the Configuration Guide Deployment section); then continue with the next flowchart]
  • Page 424: Figure E-3 Troubleshooting Flowchart

    [Figure E-3 Troubleshooting Flowchart: verify client suite operability or use a different client; check whether any firewalls or ACLs are in place and eliminate ACLs or filters preventing access; if the device operates as expected, continue with configuration and operation as desired]
  • Page 425: Appendix

    Introduction to SSL, Port Blocking Mechanism, Before You Begin, Using Existing Keys and Certificates, Configuration Security, Cisco SSL Configuration Components, Cisco Secure Content Accelerator Management.
  • Page 426: Introduction To Ssl

    You can configure the Cisco Secure Content Accelerator using either the GUI or CLI, or through the QuickStart wizard (available through both the CLI and GUI).
  • Page 427: Figure F-1 Port Blocking

    TCP service port 80 for both basic HTTP connections and for transfer of decrypted secure data between the devices and the server. Below are some alternatives for this scenario.
  • Page 428: Before You Begin

    When prompted either to name a key or certificate file or check the name of a key or certificate file, please ensure the names follow these conventions.
  • Page 429: Apache Mod_Ssl

    Click Copy to file. The Certificate Manager Export Wizard opens. Click Next. Select the DER-encoded binary X.509 radio button. Click Next. Specify a file name and location. Click Next. Click Finish.
  • Page 430: Iis 5 On Windows 2000

    Right-click the Web site object and click Properties in the shortcut menu. Click the Directory Security tab. Click View Certificate in the Secure Communications panel. The Certificate Viewer appears. Click the Details tab.
  • Page 431: Configuration Security

    Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
  • Page 432: Access Lists

    An associated key specifying the public/private key pair to use; a single certificate or certificate group to use; a security policy specifying the cryptographic scheme(s) to use.
  • Page 433: Real Server Ip Addresses

    X.509 files, IIS4 backup format (NET-IIS), PKCS#12 files, and PKCS#7 certificate groups. Step-Up Certificates and Server-Gated Cryptography Cisco Secure Content Accelerator devices support both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. No special configuration is needed for the device to function properly with these certificates.
  • Page 434: Security Policies

    GUI. Security Policies Cisco Secure Content Accelerator can process a wide range of single and composite cryptography schemes. The following table shows a comparison of the individual schemes. If you configure the device to use the weak security policy, all schemes marked as “weak”...
  • Page 435 None None weak, default, all NULL-SHA None SHA1 None weak, default, all. Table footnotes: 1 ARC4 is compatible with RC4™ RSA Data Security. 2 ARC2 is compatible with RC2™ RSA Data Security.
  • Page 436: Cisco Secure Content Accelerator Management

    Cisco Secure Content Accelerator Management You can configure the Cisco Secure Content Accelerator using one of three methods, two of which use the CLI configuration manager. • Serial connection, configuration manager An IP address need not have been assigned for appliance management.
  • Page 437 For instructions on using telnet or serial console CLI configuration managers, see Chapter 4; for instructions on using the GUI, see Chapter 5. To use the Secure Content Accelerator in FIPS-compliant operation mode, see Chapter 6.
  • Page 439: Appendix

    Accelerator. This appendix includes the following sections: Regulatory Standards Compliance, Canadian Radio Frequency Emissions Statement, FCC Class A, CISPR 22 (EN 55022) Class A, VCCI.
  • Page 440: Regulatory Standards Compliance

    • Canadian Radio Frequency Emissions Statement This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
  • Page 441: Fcc Class A

    To maintain compliance with the limits of a Class A digital device, Cisco requires that you use quality interface cables when connecting to this device. During testing for certification Category 5 cables were used.
  • Page 442: Cispr 22 (En 55022) Class A

    Warning This is a class A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures. VCCI
  • Page 443 Flash memory: Memory area in which device configuration may be saved; configuration information not stored in the flash memory is lost during a power cycle or when the device is rebooted or reloaded.
  • Page 444 Remote Port: The user-specified non-secure TCP port used by the Cisco Secure Content Accelerator to send decrypted data to and receive data to be encrypted from the logical secure server.
  • Page 445 Simple Network Management Protocol (SNMP): An application-level protocol used to monitor and perform basic configuration of network devices. Server Port: The user-specified secure TCP port monitored by the Cisco Secure Content Accelerator for secure transaction requests.
  • Page 447 C-127 keepalive frequency Apache mod_SSL command C-128 keepalive maxfailure ApacheSSL command C-128 localport C-35 command C-129 log-url C-111 auto command C-129 remoteport command C-130 secpolicy command C-131 serverauth domain-name
  • Page 448 4-18 FailSafe password description 4-18, 10 reloading the device 3-13, 5-17 GUI example 5-35 unauthorized modifications See also certificate unsecured transmissions C-128, C-179 certificate configuration use of keys and certificates
  • Page 449 C-31 description completion features free-standing installation configuration front panel QuickStart wizard grounding configuration manager installation backend server configuration command MiniMax commands C-124 mounting brackets certificate configuration command set C-138
  • Page 450 GUI 5-17 clear text and SSL ports setting device IP address with GUI client authentication with GUI 5-33 setting syslog hosts with GUI 5-13 client-side Web access
  • Page 451 CSS, use with C-75 erase startup-configuration examples Ethernet in-line configuration manager example 4-16 one-armed proxy B-10 connecting one-armed transparent B-19 example (CLI) configuring client authentication 4-23 configuring server authentication 4-21 example, configuration manager
  • Page 452 Ethernet interface product overview configuring a reverse-proxy server 5-34 free-standing installation configuring a secure server 5-30 front panel configuring a security policy 5-27 configuring backend server 5-34
  • Page 453 C-126, C-140, C-144, C-148, C-152, C-164, C-175 generating a certificate 5-42 info input data format generating an RSA key 5-38 C-88 importing a certificate group 5-46, 5-47 interface interface configuration interface
  • Page 454 C-177 keepalive monitor command C-148 C-91 keepalive-monitor command C-149 pem-paste keepalives configuration manager example 4-30 configuration manager example C-128, C-153, C-178 localport default C-129, C-153, C-178 log-url exporting file formats
  • Page 455 B-19 probe-max C-198 single device probe-min C-199 use with the CSS push-all C-196 nodelay non-privileged command set C-31 C-196 nopush C-95 C-76 no snmp quick-start QuickStart wizard description C-8, 13
  • Page 456 C-150 C-120 reverse-proxy-server reverse-proxy server configuration C-121, C-130, C-154, C-180 secpolicy command C-150 activate secure server command C-150 certgroup serverauth configuration manager example command C-151 description command C-151 exit
  • Page 457 3-2, 4-5, C-9 command C-177 keepalive monitor symbolic hostnames C-8, 12 command C-177 terminal settings 3-3, 4-5, C-9 command C-178 localport using the QuickStart wizard command C-178 log-url C-122 server
  • Page 458 C-35 C-46 show copyrights show sessions C-35 C-79 show cpu show snmp C-36 C-46 show date show sntp C-36 C-46 show device show sntp-server C-78 C-47 show diagnostic-report show ssl
  • Page 459 C-95 no snmp command environmental C-79 show snmp command C-96 physical snmp access-list command C-97 C-112 snmp contact speed command C-97 snmp default community command C-98 Cisco configuration components snmp enable
  • Page 460 C-191 finwt2time command C-117 help command C-192 keepalive-cnt command C-118 import pkcs12 command C-191 keepalive command C-118 import pkcs7 command C-193 keepalive-intv command C-119 command C-193 max-rexmit command C-120 reverse-proxy-server
  • Page 461: Troubleshooting E

    3-3, 4-6, C-10 symbolic hostnames C-8, 12 warning using the QuickStart wizard CISPR 22 (EN 55022) Class A C-107 telnet enable equipment rack stability C-107 telnet port grounding C-63 terminal baud power systems
  • Page 462 C-110 web-mgmt port website configuration B-30 Windows 2000 IIS 5 Windows NT IIS 4 C-204 wnd-scale C-81 write flash C-81 write memory C-82 write messages C-82 write network C-83 write terminal

This manual is also suitable for:

Css-11154-ac11000 series
