Configuration Guide
Page 8
... Client-Side Access 5-4 Administrative Time Out 5-5 Web Management User Interface 5-5 General Configuration Examples 5-7 Example: Setting the Device Name (Hostname) 5-7 Example: Resetting the IP Address 5-8 Example: Configuring an Ethernet Interface 5-9 Example: Enabling RIP 5-10 Example: Adding a Route to the Routing Table 5-11 Example: Working with Syslogs 5-13 Example: Restricting Access using an Access List 5-14 Example: Reloading (Rebooting) the Appliance 5-17 Example: Setting an Enable Password 5-18 Example: Configuring SNMP 5-19 SSL Configuration Examples 5-22 Cisco 11000 Series Secure...
Configuration Guide
Page 10
...B-19 Connecting the Device to a Terminal Server B-30 Web Site Changes B-30 Transparent Local-Listen B-31 Command Summary C-1 Input Data Format Specification C-2 Text Conventions C-2 Editing and Completion Features C-3 Command Hierarchy C-5 Configuration Security C-6 Passwords C-6 Access Lists C-7 Factory Default Reset Password C-7 Methods to Manage the Device C-7 Initiating a Management Session C-9 Serial Management and IP Address Assignment C-9 Telnet C-10 Command Listing C-10 Top Level Command Set C-31 Non-Privileged Command Set C-31 clear screen C-31 cls C-31 enable C-31 Cisco 11000 Series...
Configuration Guide
Page 25
... Example 5-8 Resetting IP Information Configuration Example 5-9 Ethernet Interface Configuration Example 5-10 RIP Configuration Example 5-11 Routing Table Configuration Example 5-12 Adding a Route Example 5-12 Syslog Configuration Example 5-13 Access List Configuration Example 5-14 Add Access List Entry Example 5-15 Subsystem Access Configuration Example 5-16 Device Reloading Example 5-17 Save Changes Button 5-17 Change Password Example 5-18 SNMP Configuration Example 5-19 SNMP Trap Example 5-20 Add SNMP Trap Host Example 5-21 Cisco 11000 Series Secure Content Accelerator Configuration Guide...
Configuration Guide
Page 38
... resolve your technical issues by using the Cisco TAC website, you can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. If you have a valid service contract but most business operations continue. • Priority level 2 (P2)-Your production network is not restored quickly. xxxviii Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 No...
Configuration Guide
Page 42
You can secure a server for testing purposes immediately using a pre-loaded default key and certificate rather than wait up to a week for increased configuration security • Management via command line and Web-based graphical user interfaces • Hardware server keepalive support • Arbitrary HTTP headers • TCP tuning facility • Syslog facility support • Authentication logging • SSL version control • RIP client version 1 and 2 support • Multiple SNTP server support • SNMP MIB-II...
Configuration Guide
Page 46
... Secure Content Accelerator, read the Site Preparation and Safety Guide. Secure Content Accelerator documentation - This guide contains important safety information you install, operate, or service the system, read the electrical, environmental, and physical requirements as described in Appendix A. Firmware files Cisco 11000 Series Secure Content Accelerator Configuration Guide 2-2 78-13124-06 Release Notes - Warning Before you should know before working with the system. PDF version...
Configuration Guide
Page 64
A default gateway is needed to connect outside of the SCA? (y/n): Type y, and enter a password. SCA myDevice Keys capacity 255, defined 3 Name Id RC V default 1 0 Y default-512 2 0 Y default-1024 3 0 Y 3-10 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 Re-enter it . You must set a name for this device: A default gateway is needed for the SSL appliance. SETUP CONFIGURATION PASSWORD PROTECTION Would you like to set a default gateway for this device? (y/n/q): y Enter a default gateway for this device? (y/n/q): Type y, and...
Configuration Guide
Page 84
...flash. (config[myDevice])# interface network (config-if[network])# duplex full (config-if[network])# speed 100 (config-if[network])# finished SCA# 4-16 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 In the following example, the "Network" interface of myDevice is used. (config[myDevice])# finished SCA# write flash SCA# Note In FIPS Mode, access lists can be configured but assigned only to the Web management subsystem. (config[myDevice])# web-management access-list 1 5. Configuring an Ethernet Interface The Ethernet interfaces on the SSL...
Configuration Guide
Page 118
Click Update to the device. 1. General Configuration Examples Chapter 5 Graphical User Interface Reference Example: Setting an Enable Password The Enable password is requested prior to connecting to set the password. Click Access to use in the New Password text box, and retype it in the Confirm New Password text box. 4. Type the password to activate the Access tabs. The Password page opens automatically, as shown in the Old Password text box. If an Enable password has already...
Configuration Guide
Page 151
... an enable-level password of current passwords: Note FIPS Mode passwords must be at least 8 characters. Enter new password: Confirm new password: 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide 6-3 A caution is available only via the serial console. and enable-level passwords previously set containing the alphabet, Arabic numerals, period (.), hyphen (-), underscore (_), and a. Firmware signature verification is a two-step process: starting the FIPS Mode process and rebooting the device...
Configuration Guide
Page 174
... Examples Table B-2 One-Armed Non-Transparent Proxy Installation Device Configuration CSS Configuration • Create a VLAN for the upstream router • Create one VLAN for all connected Secure Content Accelerator devices • Create a separate VLAN for the servers • Create a service for each Secure Content Accelerator IP address and destination port pair • Create services as required for each server (adding "keepalive" attributes as necessary) • Create a default route to the upstream router • Create...
Configuration Guide
Page 201
... access or enable password, you first install the Secure Content Accelerator. A device can use the CLI configuration manager. • Serial connection, configuration manager - A device must be used as a factory reset. - No access lists exist when you can be set password during a serial configuration session. You are asked to single-port mode via a serial cable. - The FailSafe password can assign them only the SNMP subsystem. Appendix C Command Summary Methods to Manage the Device Access Lists Access lists control which use a factory-set...
Configuration Guide
Page 211
... device. Adds a DNS suffix to the list to use with the device. Enables pass through the single "Network" Ethernet port. Disables SNMP and clears all SNMP data. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-17 Sets the one -port, page 92 mode pass-thru, page 92 password, page 92 rdate-server, page 93 registration-code, page 94 rip, page 94 no snmp, page 95 Description Leaves Configuration Mode and returns to the device routing table. Sets the default route...
Configuration Guide
Page 232
... errors continuously. show interface [network | server] Syntax Description network server Displays information for the "Network" interface. The interval in seconds. C-38 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 show interface statistics (Non-Privileged Command Set) interface (Configuration Command Set) See the section "Interface Configuration Command Set". Specifies an interval for the "Server" interface. Related Commands show interface errors (Non-Privileged Command Set) show interface errors Displays error...
Configuration Guide
Page 233
... both interfaces. Press any key to stop displaying errors. FIPS Mode (serial only) If a single interface is specified, statistics are displayed for both interfaces. Press any key to stop displaying statistics. 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide C-39 show interface statistics (Non-Privileged Command Set) interface (Configuration Command Set) See the section "Interface Configuration Command Set". Displays information for the "Network" interface. Displays...
Configuration Guide
Page 241
... Cisco 11000 Series Secure Content Accelerator Configuration Guide C-47 FIPS Mode (serial only) Related Commands show ssl cert (Non-Privileged Command Set) show ssl certgroup (Non-Privileged Command Set) show ssl errors (Non-Privileged Command Set) show ssl key (Non-Privileged Command Set) show ssl secpolicy (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) show ssl statistics (Non-Privileged Command Set) ssl (Configuration Command Set) See the section "SSL Configuration Command Set...
Configuration Guide
Page 351
...figuration Mode) session-cache timeout Specifies the session cache length before the cache times out. Related Commands sslv3 enable (Reverse-Proxy Server Configuration Command Set) tlsv1 enable (Reverse-Proxy Server Configuration Command Set) 78-13124-06 Cisco 11000 Series Secure Content Accelerator Configuration Guide C-157 You cannot disable SSL version 2 and 3 and TLS protocols. sslv2 enable no sslv2 enable Usage Guidelines Availability: Serial, Telnet Using the no...
Configuration Guide
Page 404
Examples Appendix D MiniMax Command Summary 6. Using the command console, change the active directory to the directory where Netcat is located. 7. nc -w 5 10.5.162.105 11768 Copy the firmware image file indicated in Table D-1 to the one where Netcat and the image file are located. 8. Enter the following command, substituting the IP address of the SSL device and appropriate firmware image filename if necessary.
Configuration Guide
Page 436
The FailSafe password can be set to single-port mode via a serial cable. - A device cannot be used as it appears in the configuring computer's file system. When using the GUI, you can use symbolic hostnames in any of which use this format: ftp://username:password@host/directory/filename F-12 Cisco 11000 Series Secure Content Accelerator Configuration Guide 78-13124-06 When using serial or telnet management, the file...
Configuration Guide
Page 450
... ports 2 client authentication with GUI 5-33 client-side Web access 5-4 device name with GUI 5-7 enabling RIP with GUI 5-10 Ethernet interface 4-16 Ethernet interface with GUI 5-9 generating a certificate 4-24 generating a key with CLI 4-24 GUI 5-1, 6-1, C-7, 12 importing a certificate group with GUI 5-46, 5-47 key 3-6, 4-8 key with GUI 5-22 management method comparison C-7, 12 non-privileged command set C-31 other secure protocols 4-27, 5-37 password 3-10 privileged command set C-68 QuickStart wizard 3-1 reloading with GUI 5-17 remote configuration manager...