August 1999
Versions: 4.2(0), 4.2(1), 4.2(2), 4.2(3), 4.2(4), 4.2(5)
This document describes the changes for all 4.2(x) versions of the PIX Firewall software.
In the sections that follow, if an item is associated with a bug fix or workaround, the customer service number follows the note in brackets; for example, [CSCdm00000]. Bugs are summarized in the section "Resolved Caveats."
Version 4.2(3) and later requires that the PIX Firewall be equipped with a 2 MB Flash card.
Version 4.2(1) and later supports up to four Ethernet interfaces. Three Token Ring interfaces have been tested with the PIX Firewall.
Versions 4.2(4) and 4.2(5) support up to four interfaces, which may be either Token Ring or Ethernet.
Version 4.2 includes the following features.
No new features were added for this version; only bugs were fixed. The resolved bugs are CSCdk19979, CSCdk33996, CSCdm02200, CSCdm12973, CSCdm17608, CSCdm18870, CSCdm24909, CSCdm26456, CSCdm40856, CSCdm45461, CSCdm48728, CSCdm62060, and CSCdm69567. Refer to the section "Resolved Caveats" for information on each bug. One open caveat was found in this release and is described as the first entry in the section "Open Caveats."
The port parameter to the aaa authorization command now supports port ranges for UDP and TCP ports; for example, you can authorize access to ports 1024 to 5000 for TCP by specifying tcp/1024-5000.
During upgrade from version 4.1 to 4.2(4) when the previous configuration is converted to the new version, the global command now displays a warning message if the start or end addresses in the global command statement are on different subnets. The global command statement is accepted, with the provision that any network or broadcast addresses specified by the mask for this global are not included in the list of available translation slot addresses. The default value for the netmask parameter in the converted command statement is the mask of the interface's IP address for this global. The default value can be overridden by using the netmask parameter to the global command. [CSCdk88776]
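The subnet warning and the trimming of network and broadcast addresses described above can be reproduced offline before an upgrade. This is an added example, not Cisco code: the function name and the sample statements are constructed, and it assumes the mask is applied to every address in the range.

```python
import ipaddress
import re

# global (if_name) nat_id start[-end] [netmask mask]
GLOBAL_RE = re.compile(
    r"^global\s+\((?P<ifname>\w+)\)\s+(?P<nat_id>\d+)\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)(?:-(?P<end>\d+\.\d+\.\d+\.\d+))?"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s*$"
)


def check_global(statement, interface_mask):
    """Return (usable_addresses, warnings) for one global statement.

    interface_mask is the mask of the interface's IP address. It is used
    only when the statement carries no netmask parameter, which is the
    default the release note describes for converted statements.
    """
    m = GLOBAL_RE.match(statement.strip())
    if not m:
        raise ValueError(f"not a global statement: {statement!r}")

    first = int(ipaddress.IPv4Address(m["start"]))
    last = int(ipaddress.IPv4Address(m["end"] or m["start"]))
    if last < first:
        raise ValueError("end address is lower than start address")

    # IPv4Network rejects masks that are not contiguous (for example 1.2.3.4).
    mask_text = m["mask"] or interface_mask
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{mask_text}").netmask)
    host_bits = ~mask & 0xFFFFFFFF

    warnings = []
    if (first & mask) != (last & mask):
        warnings.append(
            f"start and end of {m['start']}-{m['end']} are on different "
            f"subnets for mask {mask_text}"
        )

    usable = []
    for value in range(first, last + 1):
        host = value & host_bits
        # Skip the all-zeros (network) and all-ones (broadcast) host parts.
        if host_bits and host in (0, host_bits):
            continue
        usable.append(str(ipaddress.IPv4Address(value)))
    return usable, warnings


if __name__ == "__main__":
    # Constructed sample: a range that crosses a /24 boundary.
    pool, notes = check_global(
        "global (outside) 1 204.31.17.250-204.31.18.5", "255.255.255.0"
    )
    print(len(pool), "translation addresses available")
    for note in notes:
        print("warning:", note)
```
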
The sysopt security fragguard command that was formerly enabled in version 4.2(3) is now disabled by default.
The linkpath command now lets you specify the MTU for a Private Link session. Refer to "Changed Commands" for more information.
The PIX Firewall can now be upgraded to contain 128 MB of RAM. This permits approximately 260,000 simultaneous connections. Installation instructions are provided with the memory upgrade and can be viewed online in the Quick Installation Guide for the PIX Firewall Version 4.3 at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43qig.htm
The memory upgrade information in this document also applies to version 4.2(3).
You can use the memory upgrade if:
The memory upgrade is not needed if:
The parsing for the nat command has changed to fix reported errors. Refer to "NAT (Network Address Translation)" for more information.
Due to a change in the manufacture of the PIX Firewall motherboards, a new version of motherboard is being introduced that will be supported by the PIX Firewall version 4.2(4) software. Use of this motherboard will not affect any use of the PIX Firewall or use of any peripheral boards or hardware. However, if you downgrade the software from version 4.2(4) to an earlier version that does not support this motherboard, the slots will be addressed in a different order. The order for the PIX 520 revision A (the version number is listed at the rear of the unit) starting from the leftmost slot, is outside, inside, perimeter1, perimeter2. If you downgrade a PIX 520 revision B unit to earlier software, the slot order will become inside, perimeter1, outside, perimeter2.
The TFTP configuration feature that lets you store or load the configuration via TFTP has been improved for speed and reliability.
The Token Ring driver now supports frame sizes greater than 1500 bytes per frame. In addition, former problems with high traffic volumes causing failures are now fixed.
Forces a specified user to reauthenticate with the clear uauth user command.
Only TCP connections from a higher security level interface to a lower security level interface are counted against the connection license; for example, from the inside to the outside, inside to a perimeter interface, a perimeter interface to the outside, or a higher security level perimeter interface to a lower security level perimeter interface. (Security levels are set with the nameif command.) Inbound connections are not denied if the connection license count is exceeded.
Protects PIX Firewall from IP fragmentation attacks. Refer to the sysopt command description in the Configuration Guide for the PIX Firewall for information. This same command also lets you set the TCP maximum segment size and add additional cleanup time to connections that close simultaneously. You should increase the TCP maximum segment size when you have both Token Ring and Ethernet interface cards in your PIX Firewall.
Lets you set the number of minutes a Telnet console session can be idle before PIX Firewall disconnects the session. The default is 5 minutes. Use the telnet timeout command to change the value or the show telnet timeout command to view the current setting.
Permits debug icmp trace and debug sqlnet command output to display on a Telnet console session. You can also use the Telnet console session to start and stop debug packet command output.
The show xlate command now only displays translation information. To view connection information, use the show conn command. To view only the number of used and remaining connections, use the show conn count command.
PIX Firewall sets the IP address of unused interfaces to 127.0.0.1 and the subnet mask for these interfaces to 255.255.255.255.
Identifies an outbound DNS resolve request and only allows a single DNS response. A host may query several servers for a response (in the case that the first server is slow in responding), but only the first answer to the specific question is allowed. All additional answers from other servers are dropped.
Protects PIX Firewall from SYN flood attacks. This feature lets you configure the maximum number of connections and embryonic connections with the static or nat commands. This feature lets a maximum number of unanswered SYNs accumulate before those connection attempts are dropped.
Controls the AAA services' tolerance for unanswered login attempts. This prevents a Denial of Service attack on AAA services. This command is enabled by default with the floodguard command.
PIX Firewall supports up to four single-port 10/100BaseT Ethernet interfaces. Three 4-/16-Mbps Token Ring NICs (Network Interface Cards) have been tested with PIX Firewall. You can also mix Ethernet and Token Ring NICs in the same PIX Firewall.
Simplifies initial configuration of the PIX Firewall. Refer to Appendix C, "Installing the PIX Firewall Setup Wizard" in the Configuration Guide for the PIX Firewall for installation instructions at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42apc.htm
Provides a centralized configuration and management GUI (Graphical User Interface).
Supports the WebSENSE URL filtering and accounting technology with the filter, url-cache, and url-server commands.
The new commands described in this section were added starting with version 4.2(1).
Table 1 lists command changes in version 4.2. All commands are documented in the Configuration Guide for the PIX Firewall.
| Command | Change |
|---|---|
All commands | For all commands, the following changes apply: |
aaa | |
clear uauth | You can force a user to reauthenticate by specifying the user's login name with the clear uauth and show uauth commands; for example: clear uauth myuser |
conduit | |
configure | The primary, secondary, and all options are added to the clear config command. |
debug | Version 4.2(3): The debug icmp trace and debug sqlnet commands now send output to the Trace Channel feature. The Trace Channel determines where the output displays depending on whether or not a Telnet console session is running. If a Telnet console session is running, all the output displays on the first Telnet console session; otherwise, the output displays on the serial console session. The debug packet command only displays on the serial console session, but the debug packet command can be started and stopped from a Telnet session. The downside of this feature is that if two different administrators are using the PIX Firewall, one on the console and one on a Telnet session, the Trace Channel can cause the appearance that the debug commands are not working on the console, and the Telnet session will unexpectedly receive the output. |
failover | |
global | global (outside) 1 204.31.17.5 |
ip address | The show ip address command displays system IP addresses and current IP addresses which identify the Active unit when the failover feature is in use. |
link | |
linkpath | |
name | Version 4.2(3): the name string can now be 16 characters or less and cannot contain a dash (-). |
nat | Version 4.2(4) and later: the nat command parser was changed so that the network mask is the primary key and the IP address is the secondary key. PIX Firewall sorts the list with most specific masks at the beginning, and the least specific masks at the end. If masks match, PIX Firewall puts the entries in ascending IP address order. Note that the nat_id has nothing to do with the sorting. [CSCdm00435] |
show | |
snmp-server | Up to five SNMP servers can be specified. In version 4.2(4) and later, if you attempt to enter a sixth snmp-server command statement, an error message displays. [CSCdk63835] |
static | The static command lets you optionally specify a pair of interface names as [(if_name,if_name)] and an arbitrary network mask for configuring network statics. |
telnet | |
timeout | |
write | The standby option is added to the write command and applies to PIX Firewall failover configurations. |
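The nat ordering in Table 1 (mask first, then IP address, nat_id ignored) means a converted configuration lists nat statements in a different order than they were entered, which makes a lost statement easy to miss. The following added example, which is not Cisco code, predicts the order and compares it with a post-upgrade listing; the function names and sample statements are constructed, each statement must carry an explicit mask, and it assumes the statement text itself is unchanged by conversion.

```python
import ipaddress
import re

# nat (if_name) nat_id local_ip netmask [further options ignored]
NAT_RE = re.compile(
    r"^nat\s+\((?P<ifname>\w+)\)\s+(?P<nat_id>\d+)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\b"
)


def parse_nat(line):
    """Parse one nat statement into its sort-relevant fields."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a nat statement with explicit mask: {line!r}")
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{m['mask']}").prefixlen
    return {
        "nat_id": int(m["nat_id"]),
        "ip": ipaddress.IPv4Address(m["ip"]),
        "prefix": prefix,
        "text": " ".join(line.split()),  # whitespace-normalised statement
    }


def pix_nat_order(lines):
    """Order statements as the 4.2(4) parser does.

    Primary key: mask, most specific (longest prefix) first.
    Secondary key: IP address, ascending. nat_id plays no part.
    """
    entries = [parse_nat(line) for line in lines]
    entries.sort(key=lambda e: (-e["prefix"], int(e["ip"])))
    return [e["text"] for e in entries]


def check_conversion(before, after):
    """Compare pre-upgrade nat statements with the post-upgrade listing."""
    expected = pix_nat_order(before)
    listed = [" ".join(line.split()) for line in after]
    return {
        "missing": [s for s in expected if s not in listed],
        "unexpected": [s for s in listed if s not in expected],
        "order_matches": listed == expected,
    }


# Constructed sample: statements in the order an administrator typed them.
BEFORE = [
    "nat (inside) 3 10.0.0.0 255.0.0.0",
    "nat (inside) 1 10.1.2.0 255.255.255.0",
    "nat (inside) 2 10.1.0.0 255.255.0.0",
    "nat (inside) 1 10.1.1.0 255.255.255.0",
]

if __name__ == "__main__":
    for statement in pix_nat_order(BEFORE):
        print(statement)
```
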
The following version 4.1 commands are obsolete in version 4.2:
PIX Firewall only supports configuration upgrades from version 4.1(5) and later. With versions previous to 4.1(x), save your configuration to an ASCII text file using your terminal configuration program before upgrading, and write down your activation key. Table 2 lists the upgrade path to use to get to the current version.
| If Your Pix Firewall Version Is: | Install This Version: |
|---|---|
2.7.x | 3.0, then upgrade to the next version |
3.0 | 4.0.7, then upgrade to the next version |
4.0.7 | 4.1(7), then upgrade to the next version |
4.1(5) or later | 4.2(3), 4.2(4), or 4.2(5) |
To upgrade from a previous PIX Firewall version:
IP address '0.0.0.0': already in use.
These messages can be ignored.
This section contains critically important information.
1. If your PIX Firewall has a serial number of 06002015 or earlier, do not attempt to load PIX Firewall version 4.2(2), 4.2(3), 4.2(4), or 4.2(5) software. If you have one of these units, you must upgrade your Flash memory to the 2 MB Flash memory card. Contact Cisco Customer Support about how to obtain the 2 MB Flash memory card.
To determine your Flash memory size, reboot your PIX Firewall and look for the following statement:
Flash=string
If string starts with "AT"; for example, Flash=AT29C040A, then you have the 2 MB size and the PIX Firewall version 4.2(x) software will load correctly. If string starts with "i"; for example, Flash=i28F020, then you have the older 512 KB size and must replace it before loading PIX Firewall version 4.2(x) software.
2. Versions 4.2(4) and 4.2(5): connections are not counted against the PIX Firewall license.
Version 4.2(3): the only connections counted toward the PIX Firewall license are outbound TCP connections from the inside or perimeter interfaces. Inbound connections are not denied regardless of the number of outbound connections. ("Outbound" means from any higher security level interface to any lower security level interface.) [CSCdj82405]
3. PIX Firewall supports up to four Ethernet interfaces. Three Token Ring interfaces have been tested with PIX Firewall. If you use a mixed Token Ring and Ethernet environment, use the sysopt connection tcpmss 4056 command to increase the TCP maximum segment size for use with the IP Frag Guard feature (version 4.2(3) only).
4. The maximum size of the configuration in a 2 MB Flash memory card is 400 KB. To view the number of characters in the configuration, use the UNIX wc command or a Windows word processing program, such as Microsoft Word. Previously the release notes reported a greater maximum configuration size for the 2 MB Flash memory card.
5. Version 4.2(3): the sysopt security fragguard command is enabled by default but does not appear in the configuration when enabled. Use the show sysopt command to determine if this command is enabled.
6. If a Telnet console session and serial console session are running at the same time, the debug icmp trace and debug sqlnet output will stop displaying without warning on the serial console and begin appearing on the Telnet session. Before running the debug commands from the serial console session, use the who command to determine if Telnet sessions are present, and then inform other users that you will begin using debug commands. In addition, if both sessions are paging through output at the same time, the Telnet session may hang and cause the PIX Firewall to fail on your next attempt to use the write memory command. [CSCdk69399]
7. PIX Firewall can sustain approximately 350 AAA transactions per minute.
8. PIX Firewall supports up to 300 URL filtering transactions per minute without impacting normal NAT throughput. If your requirement exceeds this range, use the url-cache command, which can provide significant relief depending on your cache-hit ratio. If the url-cache command does not improve capacity, you should consider purchasing additional PIX Firewall units.
The url-cache command does not update the WebSENSE accounting logs.
9. If you upgrade from a previous PIX Firewall software version, PIX Firewall converts your configuration to the new commands. Before using the PIX Firewall on a network, verify that no commands were lost from your configuration during the conversion process.
10. PIX Firewall has been tested with 100 Mbps, full-duplex Ethernet only with Cisco switches. If the PIX Firewall is connected to a non-Cisco switch, half duplex settings may be required to maintain 100 Mbps throughput.
11. When the PIX Firewall is operating with heavy traffic, do not set the logging console level to 7, debugging. This feature may cause PIX Firewall to fail. Use the logging buffered command to store messages and the show logging command to view them.
12. Do not use the established command without the permitto and permitfrom options. Without these options, the established command can let users attack protected areas of your network. [CSCdk23441]
13. To use the PIX Firewall serial console simultaneously with console Telnet sessions, disable paging at the serial console with the no pager command. Otherwise, a contention problem can arise between Telnet console sessions using More and the serial console using More, which causes the PIX Firewall to fail. [CSCdk69399]
14. If the TACACS+, RADIUS, syslog, or URL servers go offline, the PIX Firewall will continue to send ARP requests for them and exhaust 256-byte memory blocks.
15. The PIX Firewall Manager (PFM) is not compatible with Cisco Resource Manager (CRM) and PFSS, because all three use syslog UDP port 514. Do not run all three applications at the same time.
16. Version 4.2(2): Define all interfaces on your PIX Firewall. For example, if three interface cards are installed, you must have interface and ip address statements in your configuration for each interface, even if a network cable is not connected to an interface.
In version 4.2(3), PIX Firewall sets the default IP address for non-configured interfaces to 127.0.0.1, which identifies itself as a localhost. In addition, the network mask for these interfaces is set to 255.255.255.255, which does not permit traffic through the interface.
17. A host static without a conduit cannot be pinged.
18. Before installing the current version from a previous release, save your configuration on floppy disk and write down your license activation key. You must have a copy of your activation key to restore a previous version from floppy disk.
The following sections contain usage information not included in other documentation or requiring special emphasis.
Unable to connect to remote host: Connection timed out
When using the outbound command, the default behavior is to permit access to all services. [CSCdk34668]
Refer to the outbound command page in the Configuration Guide for the PIX Firewall for more information on outbound command rules. You can view this information online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42cmd.htm
www.caguana.com. IN A 204.31.17.11
alias 10.1.1.11 204.31.17.11 255.255.255.255
conduit permit tcp host 204.31.17.11 eq telnet host 192.150.50.7
On PIX Firewall units equipped with Token Ring interfaces, if a network error occurs that places the PIX Firewall in a state where it cannot receive or transmit information and which causes the unit to stop passing packets for 15 seconds, the PIX Firewall automatically reboots.
Version 4.2(4) and later: PIX Firewall now supports the HTTP POST command during proxy authentication. [CSCdk83285]
If you are using DHCP to configure IP addresses for the hosts on the inside network, the DHCP server must provide the IP address, netmask, and gateway (default route) IP address. The default route must point to the PIX Firewall, either directly or via a router.
Version 4.2(4) and later: PIX Firewall provides support for inbound DLSw (data-link switching) via the use of the static and conduit commands. Special provision for this protocol was made by letting connections stay open as long as SYN-SYN/ACK-SYN is received, even if data has not been received. [CSCdk77341]
The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, users outside the PIX Firewall can access any ports on servers behind the firewall that are accessible with the conduit and static commands.
The following example illustrates this problem:
static (inside,outside) 204.31.17.42 192.168.1.42 netmask 255.255.255.255
conduit permit tcp host 204.31.17.42 eq http any
established tcp
In this example, inside host 192.168.1.42 can be accessed from the outside interface for Web access as permitted by the conduit statement. Because this is a web server (using the HTTP port), access permission is granted to any outside host. However, the established command modifies the effect of the conduit statement and lets any user access any port on the 192.168.1.42 server. [CSCdk23441]
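A saved configuration can be checked for this condition before it is loaded. The following added example is not Cisco code: it flags every established statement that lacks permitto or permitfrom and lists the servers that a static plus conduit pair makes reachable. The function name is constructed, the first sample is the configuration shown above, and the port values in the second sample are constructed placeholders.

```python
import re

REQUIRED_OPTIONS = ("permitto", "permitfrom")

# The configuration from the example above.
WEAK_CONFIG = """\
static (inside,outside) 204.31.17.42 192.168.1.42 netmask 255.255.255.255
conduit permit tcp host 204.31.17.42 eq http any
established tcp
"""

# Constructed variant with both options present (port numbers are placeholders).
RESTRICTED_CONFIG = """\
static (inside,outside) 204.31.17.42 192.168.1.42 netmask 255.255.255.255
conduit permit tcp host 204.31.17.42 eq http any
established tcp 6060 permitto tcp 6061 permitfrom tcp 6059
"""


def audit_established(config_text):
    """Return one finding per established statement missing an option."""
    statics = {}             # global address -> local address
    conduit_targets = set()  # global addresses opened by "conduit permit"
    established = []         # (line number, normalised statement)

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        # Drop the "(inside,outside)" interface pair so addresses line up.
        tokens = re.sub(r"\([^)]*\)", " ", raw).split()
        if not tokens:
            continue
        command = tokens[0].lower()
        if command == "static" and len(tokens) >= 3:
            statics[tokens[1]] = tokens[2]
        elif command == "conduit" and len(tokens) >= 4 and tokens[1] == "permit":
            # "host a.b.c.d" is the single-address form of the global address.
            if tokens[3] == "host" and len(tokens) > 4:
                conduit_targets.add(tokens[4])
            else:
                conduit_targets.add(tokens[3])
        elif command == "established":
            established.append((line_no, " ".join(raw.split())))

    # Servers reachable from outside: a static that also has a conduit.
    exposed = sorted((g, statics[g]) for g in conduit_targets if g in statics)

    findings = []
    for line_no, statement in established:
        words = statement.lower().split()
        missing = [opt for opt in REQUIRED_OPTIONS if opt not in words]
        if missing:
            findings.append({
                "line": line_no,
                "statement": statement,
                "missing": missing,
                "exposed_servers": exposed,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_established(WEAK_CONFIG):
        print(f"line {finding['line']}: '{finding['statement']}' lacks "
              f"{', '.join(finding['missing'])}")
        for global_ip, local_ip in finding["exposed_servers"]:
            print(f"  all ports reachable on {local_ip} (global {global_ip})")
```
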
The floodguard command helps protect the AAA Cut-Through Proxy service by reclaiming the PIX Firewall "tcpusers" resource, which is used for the Cut-Through Proxies. Use floodguard 1 to enable this feature.
For AAA, the FTP port must be 21.
Consult with your ISP (Internet service provider) to make sure that all addresses used in globals are routed to your outside router before configuring the PIX Firewall with global addresses.
PIX Firewall does not support the use of the established command with a PAT IP address for the IDENT service. Use the service resetinbound command to reset incoming IDENT connections.
PIX Firewall provides the following connection licenses:
Only TCP connections from a higher security level interface to a lower security level interface are counted against the connection license.
This feature is only compliant with the RFC 821 section 4.5.1 commands. The RFC 1651 EHLO command returns a "500 command unrecognized" reply code.
PIX Firewall now correctly handles path MTU (maximum transmission unit) requests. Path MTU relies on the PIX Firewall to generate an ICMP host unreachable message (code=3) on reception of a packet that needs to be fragmented but has the Don't Fragment flag set in the IP header (type=4). PIX Firewall formerly discarded these packets without returning the host unreachable message. [CSCdk38353]
PIX Firewall supports the following multimedia and video conferencing applications:
Using pager 0 disables screen paging in PIX Firewall.
PIX Firewall supports the following TCP/IP protocols and applications:
Refer to the "Protocols" section in Chapter 1, "Introduction" in the Configuration Guide for the PIX Firewall for information on supported protocols. You can view the configuration guide online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42int.htm
(a) Create a static to let the outside hosts access the inside server.
(b) Create a UDP conduit for the portmapper port, UDP port 111.
(c) Create a UDP conduit for the NFS port, UDP 2049.
conduit permit udp host 204.31.17.1 eq 111 any
conduit permit udp host 204.31.17.1 eq 2049 any
conduit permit tcp host 204.31.17.1 eq 135 any
conduit permit tcp host 204.31.17.1 range 1024 65535 any
If RADIUS, SNMP, SMTP, syslog, TACACS+, or URL servers go down or are powered off, the PIX Firewall will ARP for the servers and may exhaust all 256-byte blocks. Traffic through the PIX Firewall will then stop. The workaround is to remove the statements for the servers from your configuration when they go down or are put out of service. [CSCdk34295]
The show version command now lists the processor speed. [CSCdj57072]
PIX Firewall does not pass SPX packets across it.
%PIX-3-202002: Unable to find translation for SRC=ip_address DEST=ip_address has been changed to:
%PIX-3-305005: No translation group found for packet_shown_as_text
%PIX-3-305006: xlate_type translation creation failed for packet_shown_as_text
%PIX-3-106010: Deny inbound (No xlate) udp src outside:ip_addr/port dst inside:ip-_addr
Only use the virtual telnet command after the aaa authentication command.
PIX Firewall is year 2000 compliant.
The following caveats apply to PIX Firewall release 4.2(n). Refer to the previous versions of the PIX Firewall release notes for information on bugs in previous versions. You can view previous versions of the PIX Firewall release notes online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
If you have CCO access, you can view additional information about each open or resolved caveat at:
http://www.cisco.com/kobayashi/bugs/bugs.html
The following issues are unresolved in this release:
static (inside,outside) 204.31.17.1 10.1.1.2
static (inside,outside) 204.31.17.1 10.9.9.9
alias (inside) 192.168.1.4 204.31.17.121 255.255.255.255
alias (inside) 204.31.17.121 192.168.1.4 255.255.255.255
Table 3 lists resolved version 4.2(n) DDTS bug reports.
| DDTS Number | Description | Release |
|---|---|---|
CSCdm69567 | Use of an HTTP POST command now works correctly without causing a failure. Previously, customers with short uauth timeouts in their configuration or with a large number of authenticated users were more likely to be affected by this problem. | 4.2(5) |
CSCdm62060 | The outbound command's except option now works correctly. | 4.2(5) |
CSCdm48728 | The PIX Firewall now correctly updates its ARP cache when a gratuitous ARP broadcast is sent on the network. | 4.2(5) |
CSCdm45461 | A Cisco IOS TN3270 client now echoes characters correctly when passing through a PIX Firewall. | 4.2(5) |
CSCdm40856 | Entering the no aaa authentication telnet command no longer causes the PIX Firewall to fail. | 4.2(5) |
CSCdm26456 | Currently the virtual http command redirects by IP address after authenticating. So if a user accesses a web site, after they are authenticated, they are sent to the IP address of the web site. This can cause problems at certain web sites, particularly those that use cookies to authenticate, because the browser will not be sent the cookie unless it sees a hostname it recognizes. | 4.2(5) |
CSCdm24909 | Token Ring interfaces no longer stop transmitting and reset. | 4.2(5) |
CSCdm18770 | The virtual http command now works correctly after the clear uauth command is executed. | 4.2(5) |
CSCdm17608 | PIX Firewall no longer replies to gratuitous ARP requests unless the address exists on a PIX Firewall interface. This fix allows a Windows NT system to pass a gratuitous ARP to test to see if another host has taken its IP address. If the address belongs to a PIX Firewall interface, the PIX Firewall replies to the ARP request. Other regular ARP queries are still proxied if they are in the global or static pool. | 4.2(5) |
CSCdm12973 | Entering two Class B addresses in a global command caused the "watchdog timer" to expire, which then caused the PIX Firewall to fail. The following is an example command that caused a failure: global (outside) 2 172.168.0.1-172.168.255.254 | 4.2(5) |
CSCdm03318 | The outbound command now checks the protocol so that a protocol-unspecific best match will be replaced when a more specific protocol statement was found and matched with the packet being checked. Formerly, an implicit permit could override an explicit deny; this is no longer the case. | 4.2(4) |
CSCdm02200 | One global pool address is no longer assigned to two or more local IP addresses. | 4.2(5) |
CSCdm00435 | The nat command parser was changed so that the network mask is the primary key and the IP address is the secondary key. PIX Firewall sorts the list with most specific masks at the beginning, and the least specific masks at the end. If masks match, PIX Firewall puts the entries in ascending IP address order. Note that the nat_id has nothing to do with the sorting. | 4.2(4) |
CSCdk92804 | The former syslog message %PIX-2-106006: Deny inbound UDP has been dropped. This message was a duplicate of message %PIX-3-106010, which has been enhanced to now state: %PIX-3-106010: Deny inbound (No xlate) udp src outside:ip_addr/port dst inside:ip-_addr | 4.2(4) |
CSCdk92547 | PIX Firewall no longer fails during a passive FTP session that runs longer than the duration set by the timeout xlate command. | 4.2(4) |
CSCdk91549 | The display of the network mask in PAT global command statements in the configuration changed. Refer to "Changed Commands" for more information. | 4.2(4) |
CSCdk88776 | During upgrade from version 4.1 to 4.2(4) when the previous configuration is converted to the new version, the global command now displays a warning message if the start or end addresses in the global command statement are on different subnets. | 4.2(4) |
CSCdk87134 | The MTU of all linkpaths associated with a Private Link tunnel is updated when a PIX Firewall receives an ICMP fragmentation needed message (ICMP message type 3, code 4). | 4.2(4) |
CSCdk87045 | Command parsing is fixed so that PIX Firewall no longer fails when commands are entered with just three arguments. This bug noted that entering no tacacs (inside) caused PIX Firewall to fail. | 4.2(4) |
CSCdk84226 | PIX Firewall now explicitly filters directed network layer broadcasts to address 255.255.255.255. These multicast broadcasts could pass through the PIX Firewall's data link layer when incorrect ARP mapping occurred by other hosts. The bug noted that the inside interface was passing broadcasts through the PIX Firewall. | 4.2(4) |
CSCdk83802 | Syslog message PIX-2-108002 now displays the IP addresses in the correct order. | 4.2(4) |
CSCdk83300 | Outbound lists now work correctly when the mask is different than the class of the IP address. For example, the outbound command would have previously failed if configured with Class C netmask for a Class B IP address as follows: outbound 1 deny 172.16.6.0 255.255.255.0 0 tcp | 4.2(4) |
CSCdk83285 | When proxy authenticating HTTP, PIX Firewall now correctly recognizes the POST command. The POST command transmits HTML cookies. | 4.2(4) |
CSCdk82957 | Remote shell (rsh) now functions correctly with an HP 9000 if the EFT sysopt connection safeclose command is used. | 4.2(4) |
CSCdk81282 | Syslog no longer displays incorrect characters in syslog messages, such as negative port numbers. This condition formerly existed while an outbound command statement was denying outbound access through a PAT global. | 4.2(4) |
CSCdk79683 | PIX Firewall no longer closes connections when a single FIN is received. Instead, it now waits for two FINs to close the connection. | 4.2(4) |
CSCdk78956 | The outbound command now permits a mask of 255.255.255.255. | 4.2(4) |
CSCdk78707 | Under conditions such as low memory or memory corruption, PIX Firewall no longer generates frequent syslog messages containing the phrase, "PIX-2-SYS-CHUNKBOUNDS attempted to exceed freelist causing failover." | 4.2(4) |
CSCdk78398 | Inbound mail is no longer denied when conduits are present. This problem occurred because an internally-coded embryonic connection timer was set too low. The embryonic state has been changed to track initial SYN sequences and not when data begins to flow. Also the embryonic connection timer continues to be updated until both sides of a TCP connection have begun the close down sequence. | 4.2(4) |
CSCdk78041 | When the failover Primary and Standby configurations are synchronized, a message displays reminding you not to disturb the units. | 4.2(4) |
CSCdk77349 | Token Ring no longer stops transmitting packets when the buffer index is incremented. | 4.2(4) |
CSCdk77341 | Connections are not terminated as long as SYN-SYN/ACK-SYN is received, even if data has not been received. | 4.2(4) |
CSCdk77068 | The telnet timeout command was changed from being an absolute timer to an inactivity timer. The version 4.2(3) documentation erroneously reported that the timer was an inactivity timer. | 4.2(4) |
CSCdk76744 | The sysopt security fragguard is now disabled by default. If enabled, and a high amount of traffic is experienced, this command may cause the PIX Firewall to fail. | 4.2(4) |
CSCdk76293 | The embryonic connection timeout was formerly hardcoded at 150 seconds. This timer has been changed so that the embryonic state excludes the data that has been seen; as long as a 3-way SYN is accepted, the connection is now subject to the duration set by the timeout conn command. | 4.2(4) |
CSCdk75115 | International characters, those above ASCII 127, can now be entered in a Telnet console session. However, such characters will be rejected by the PIX Firewall command interpreter. Formerly entering these characters caused the PIX Firewall to fail. | 4.2(4) |
CSCdk74427 | PIX Firewall no longer fails when receiving a UDP packet with length 0 or less, and when there is a server listening on the port. | 4.2(4) |
CSCdk72479 | Syslog message "108001: SMTP made noop" has been improved to eliminate garbage characters at the end of the message. | 4.2(4) |
CSCdk72461 | PIX Firewall now checks IP addresses and network masks for correct syntax. Formerly, nonsensical values could be added such as a netmask of 1.2.3.4. This affects the global, ip address, outbound, route, and static commands. | 4.2(4) |
CSCdk67488 | PIX Firewall no longer reboots repeatedly when supplied with a long list of name statements. | 4.2(3) |
CSCdk66685 | The fixup protocol smtp command now works correctly with multiline SMTP banners. | 4.2(3) |
CSCdk66556 | Inbound pings through an authorized connection now work correctly. This formerly failed over a static when NAT was disabled (nat 0). | 4.2(3) |
CSCdk66331 | PIX Firewall no longer puts the wrong subnet mask in the routing table when the rip inside passive command is enabled. | 4.2(4) |
CSCdk65675 | The show failover command no longer causes an assertion error. | 4.2(3) |
CSCdk65454 | PIX Firewall now delimits HTTP headers with CR-LF-CR-LF to make it HTTP 1.1 compliant, which is described in Section 4.1 of RFC-2068. | 4.2(3) |
CSCdk63839 | The snmp-server command now lets you enter the contact and location strings with spaces. Formerly, the spaces were compressed out of the string. | 4.2(4) |
CSCdk63835 | Up to five SNMP servers can be specified. In version 4.2(4), if you attempt to enter a sixth server command statement, a clear error message displays. Formerly, the error message was "SNMP ioctl() error, unable to set." | 4.2(4) |
CSCdk61913 | PIX Firewall now permits multiple shared subnets on the same wire. This change permits backward compatibility with the behavior of version 4.0.7. To accomplish this change, PIX Firewall no longer rejects route statements when the next hop route destination is on the same subnet. In addition, the interface specifications in the static and global statements are used to select the correct routing table. | 4.2(3) |
CSCdk61170 | Inbound SQL*Net now works correctly. | 4.2(3) |
CSCdk60423 | Duplicate entries in the outbound are now ignored. | 4.2(3) |
CSCdk59508 | The show xlate and show conn commands now list different information than previous PIX Firewall versions. | 4.2(3) |
CSCdk59467 | The failover command now correctly recovers if an automatic update of the two units is interrupted. | 4.2(3) |
CSCdk59306 | The alias command now creates the correct netmask if a mask is not specified. | 4.2(3) |
CSCdk59304 | The new sysopt connection timewait command adds an additional 15 seconds to a connection being closed to let simultaneous closes complete successfully. | 4.2(3) |
CSCdk59286 | For Telnet console access, pages 10 and 11 of RFC 854 require that a CR character be sent as the two-character sequence CR-NULL, with the exception of CR-LF, which represents a "single logical" new line command when in NVT ASCII mode. Unfortunately, the QVT Telnet client does not follow this requirement in the RFC. To be compatible, Telnet console access has been modified for this exception: CR-LF now produces a "logical newline," CR-NULL produces "CR only," and the exception to NVT ASCII is CR-any_character, which is a CR followed by any_character. | 4.2(4) |
CSCdk58699 | The pager command now displays the proper number of lines before prompting you to continue. | 4.2(3) |
CSCdk58145 | The name command now works correctly without sporadic failures. | 4.2(3) |
CSCdk58142 | The name command now accepts up to 16 characters for the name, and a dash character no longer is accepted in a name. | 4.2(3) |
CSCdk57769 | PIX Firewall no longer hangs and causes a failover switch while modifying a WebSENSE database. | 4.2(3) |
CSCdk57230 | Large ping packets no longer get dropped in dual NAT (alias command use). | 4.2(3) |
CSCdk57153 | PIX Firewall no longer reboots during a ping of an outside host through a PAT connection started via user authentication. | 4.2(3) |
CSCdk57150 | Outbound DNS lookups no longer fail with PAT and user authentication. | 4.2(3) |
CSCdk57107 | The alias command now provides the correct netmask when not specified. | 4.2(3) |
CSCdk55691 | The aaa authentication command has a new unsupported EFT feature that lets you prohibit RADIUS UDP access through the PIX Firewall unless specifically permitted. This capability is a precursor for support of RADIUS authorization in a future release. For TACACS+, you can prohibit UDP access with the aaa authorization command. The new command syntax adds the protocol/port options to the aaa authentication command. Refer to the aaa command page in the Configuration Guide for the PIX Firewall for a description of this syntax as it is used with the aaa authorization command. | 4.2(3) |
CSCdk53627 | PIX Firewall no longer fragments packets in a mixed Token Ring and Ethernet environment. | 4.2(3) |
CSCdk52923 | Inbound pings from the outside no longer fail when they have proper authorization. | 4.2(3) |
CSCdk52863 | PIX Firewall no longer lets inbound ICMP fragments pass through the firewall. | 4.2(3) |
CSCdk51545 | Private Link now correctly handles large packets with the DF (Don't Fragment) bit set. Formerly, Private Link would drop the packets silently. | 4.2(3) |
CSCdk50549 | PIX Firewall no longer fails when a 15-character IP address is used. | 4.2(3) |
CSCdk50529 | An FTP back connection no longer ignores the norandomseq setting of the parent connection. | 4.2(3) |
CSCdk50224 | UDP IP fragments no longer cause PIX Firewall failure. This bug is the basis of the new IP Frag Guard feature provided with the sysopt security fragguard command. | 4.2(3) |
CSCdk49981 | Use of nslookup from a perimeter interface no longer can query a host on the inside interface without proper authorization. | 4.2(3) |
CSCdk49808 | The aaa authorization command's handling of network addresses now works correctly with interfaces other than the inside. | 4.2(3) |
CSCdk49068 | The debug icmp trace command no longer causes spontaneous failover. | 4.2(3) |
CSCdk47520 | SQL*Net now connects correctly through PIX Firewall. | 4.2(3) |
CSCdk47456 | The secondary failover host no longer sends RIP broadcasts while in standby mode. | 4.2(3) |
CSCdk47341 | Unconfiguring RIP with failover active no longer causes the Secondary unit to fail. | 4.2(3) |
CSCdk47338 | The secondary failover host no longer sends RIP broadcasts while in standby mode. | 4.2(3) |
CSCdk47235 | PIX Firewall no longer reboots and crashes sporadically. With the previous behavior, the syslog messages showed PIX Firewall switching to failover when neither the failover hardware was present nor the failover command enabled. This problem was also seen when passing large packets through the PIX Firewall. | 4.2(3) |
CSCdk47051 | PIX Firewall no longer displays an error message on bootup about Token Ring failure. The previous behavior displayed this message: (main.c:2268) cmd_taken(1) failed. | 4.2(3) |
CSCdk46673 | PIX Firewall no longer corrupts e-mail passing through the unit when Mail Guard issues a NOOP command on receipt of a command that is not part of its RFC 821 permitted command set. The corruption caused sections of the email to be replaced with a series of Xs. Syslog messages would contain the statement "SMTP made noop" when the NOOP command was issued. | 4.2(3) |
CSCdk46553 | Entering the mailhost command no longer causes PIX Firewall to fail. | 4.2(3) |
CSCdk46243 | Inbound UDP authorization now requires authentication. | 4.2(3) |
CSCdk45124 | The fixup protocol sqlnet command now works. | 4.2(3) |
CSCdk44746 | When upgrading from a previous PIX Firewall version, global commands in the configuration now receive the correct network mask. The previous behavior ignored subnetting during the command conversion. | 4.2(3) |
CSCdk44220 | PIX Firewall no longer displays the message "Smallest mtu" in the configuration. This was a debugging command that was removed from the code. | 4.2(3) |
CSCdk42950 | PIX Firewall now handles RIF information properly for interaction between Token Ring and HSRP router on the same ring. | 4.2(3) |
CSCdk42655 | The aaa authorization command no longer accepts out as a shortened form of outbound. | 4.2(3) |
CSCdk42254 | The outbound command with a negative list_id no longer causes failures. | 4.2(3) |
CSCdk41882 | Syslog messages are no longer stated to originate from port 0. This bug made it appear that syslog messages were not being received at the syslog server. | 4.2(3) |
CSCdk41825 | The write floppy command no longer crashes failover-equipped PIX Firewalls. | 4.2(3) |
CSCdk41688 | The aaa authorization command now works correctly when outbound UDP authorization is enabled. | 4.2(3) |
CSCdk40896 | Authorization for UDP now works correctly on same port previously authorized for TCP. | 4.2(3) |
CSCdk40673 | Checking failover status no longer causes PIX Firewall to fail. | 4.2(3) |
CSCdk40528 | Failover no longer causes a race condition between the Active and Standby units. To correct the problem, a 10-second delay was added before the no failover active command takes effect. | 4.2(2) |
CSCdk39478 | If you cut and paste text from your console computer into the configuration, check it carefully afterwards. Some lines may be dropped during the process due to buffer overflow. | 4.2(2) |
CSCdk38353 | PIX Firewall now correctly handles path MTU (maximum transmission unit) requests. Path MTU relies on the PIX Firewall to generate an ICMP host unreachable message (code=3) on reception of a packet that needs to be fragmented but has the Don't Fragment flag set in the IP header (type=4). PIX Firewall formerly discarded these packets without returning the host unreachable message. | 4.2(2) |
CSCdk38092 | The Private Link key now correctly accepts 14 hexadecimal characters. | 4.2(2) |
CSCdk37223 | For the aaa, radius-server, and tacacs-server commands, 16 TACACS+, RADIUS, or URL servers are supported. | 4.2(2) |
CSCdk36912 | When DNS traffic is logged, the ID field in the DNS response packet appears in the source port field. It is normal to see a UDP state with a "d" flag; such as: Global 192.159.1.1 Local 10.8.8.11 static nconns 0 econns 0 flags s UDP out 204.31.17.2:12345 in 10.8.8.11:67890 idle 0:01:30 flags d | 4.2(2) |
CSCdk36498 | The maximum password length for accessing the console is 16 characters with the aaa authentication telnet console command. | 4.2(2) |
CSCdk36273 | Hosts behind the PIX Firewall are no longer subject to DoS attacks to inside static IP addresses. Inside hosts are not susceptible to DoS attacks even when attacked with a high volume of IP fragments to penetrate across statics. | 4.2(2) |
CSCdk36092 | The clear radius-server and clear tacacs-server commands do not have any arguments. In addition, before using these commands, remove the aaa commands from the configuration that references the AAA servers. | 4.2(2) |
CSCdk35931 | Denying one service with the outbound command no longer denies other services. | 4.2(2) |
CSCdk35899 | The maximum timeout value for the radius-server and tacacs-server commands is 30 seconds. | 4.2(2) |
CSCdk35552 | The TCP random sequence value can no longer be predicted. | 4.2(2) |
CSCdk34855 | For the aaa command, four attempts are allowed for Telnet authentication, infinite for HTTP, and only one for FTP. | 4.2(2) |
CSCdk34853 | For the aaa, radius-server, and tacacs-server commands, 16 TACACS+, RADIUS, or URL servers are supported. | 4.2(2) |
CSCdk34799 | The use of the traceroute command through a PAT global now works correctly. | 4.2(2) |
CSCdk34696 | FTP works correctly when two PIX Firewall units' outside interfaces are connected to each other. | 4.2(2) |
CSCdk34668 | PIX Firewall no longer denies access to all services when an outbound command statement is used in the configuration. The default is to permit all services until explicitly denied. | 4.2(2) |
CSCdk33996 | PIX Firewall no longer lets non-dnat addresses go out on an existing dnat connection. | 4.2(5) |
CSCdk33877 | PIX Firewall now correctly handles outbound encapsulated ICMP messages of types 3, 4, 5, 11, and 12. | 4.2(2) |
CSCdk33802 | Failed authentication message no longer displays on the PIX Firewall console. | 4.2(3) |
CSCdk33420 | A workaround has been provided for situations in which an attempt at authorization fails but a second attempt times out. Refer to the "AAA" usage note for more information. | 4.2(2) |
CSCdk32369 | The configure floppy command does not check to see if a diskette is present. | 4.2(3) |
CSCdk31770 | PIX Firewall now supports PAT with rsh (Rshell). | 4.2(2) |
CSCdk31760 | PIX Firewall now correctly accesses the next AAA server when the current server becomes inaccessible. | 4.2(2) |
CSCdk30996 | When a SYN packet arrives with PSH bit turned on, PIX Firewall allows the outbound traffic through the firewall. | 4.2(2) |
CSCdk29494 | Denying one service with the outbound command no longer denies other services. | 4.2(2) |
CSCdk29476 | PIX Firewall no longer removes all outbound statements from the configuration when the no outbound 1 permit 0.0.0.0 command is issued. | 4.2(2) |
CSCdk29475 | Refer to "RPC Use" in the section, "Important Notes" for more information. | 4.2(2) |
CSCdk28193 | PIX Firewall no longer fails every 5 minutes when the fixup protocol smtp command is enabled. | 4.2(2) |
CSCdk27770 | PIX Firewall now permits passive FTP through a PAT global. | 4.2(2) |
CSCdk26803 | The FTP port command now works correctly with PAT (Port Address Translation). The previous behavior caused FTP sessions to hang when the FTP ls command was entered when the only global statement in the PIX Firewall configuration was for PAT. | 4.2(2) |
CSCdk25962 | PIX Firewall no longer fails after a user upgrades from a previous version of the PIX Firewall software. | 4.2(2) |
CSCdk25517 | The apply command now correctly works with an interface specification in the command. | 4.2(2) |
CSCdk25487 | SNMP MIBs now correctly provide return values when accessed through the PIX Firewall. | 4.2(2) |
CSCdk25383 | Refer to "RPC Use" in the section, "Important Notes" for more information. | 4.2(2) |
CSCdk23717 | PIX Firewall is no longer susceptible to a SYN denial of service attack through AAA authentication. | 4.2(2) |
CSCdk23711 | PIX Firewall no longer fails after the unit is upgraded to version 4.2. The previous failures occurred because FTP mishandled the association between an xlate and a connection. | 4.2(2) |
CSCdk23441 | Only use the established command with the permitto and permitfrom options. Without these options, the established command can be used to gain access to restricted parts of your network. | 4.2(3) |
CSCdk23329 | PIX Firewall now lets FTP work when HTTP authentication is enabled. With this fix, when HTTP authentication is enabled, users are prompted for login credentials when accessing the network with a web browser. In addition, TCP sessions other than HTTP that are not denied by outbound lists are allowed through without requiring authentication. | 4.2(2) |
CSCdk22976 | Telnet to an MS-Exchange server on port 25 across the PIX Firewall no longer causes every character to be accompanied by carriage-return, linefeed characters. | 4.2(2) |
CSCdk22832 | PIX Firewall no longer fails after the aaa accounting command is set to monitor outbound connections. Previously, when an outbound connection started, the PIX Firewall would fail. | 4.2(2) |
CSCdk22568 | Failover now works correctly when the PIX Firewall is configured to broadcast a default route using RIP. | 4.2(2) |
CSCdk22371 | The Mail Guard feature now works correctly when sending an SMTP EHLO command to an MS Exchange server. Previously, the MS Exchange server would hang upon receipt of the EHLO command through the PIX Firewall. The Mail Guard feature is enabled on the PIX Firewall with the fixup protocol smtp command. Also refer to bug fix CSCdk09763 for further EHLO improvements. | 4.2(2) |
CSCdk21511 | PIX Firewall now automatically upgrades users with a 64-connection license to a 128-connection license. | 4.2(2) |
CSCdk21408 | AAA authentication no longer becomes inoperable when embryonic connections are exceeded. The previous behavior let inbound and outbound connections through without authentication after the limit was exceeded. | 4.2(2) |
CSCdk21312 | The aaa authentication command now works correctly for inbound user authentication. Previously, use of the aaa authentication except command would fail. For example, the following commands failed so that the mail server at 10.1.1.1 would be challenged for login credentials and would not deliver mail: aaa authentication any inbound 0.0.0.0 0.0.0.0 aaa authentication except inbound 10.1.1.1 255.255.255.255 | 4.2(2) |
CSCdk21113 | PIX Firewall no longer converts network conduit statements to host conduit statements when upgrading from a previous PIX Firewall version. Previously, if a 4.1(6) configuration contained the following conduit statement: conduit (inside,outside) 204.31.17.0 0 tcp 0 0 The PIX Firewall installation conversion script incorrectly converted the statement to the following by adding the host option: conduit permit tcp host 204.31.17.0 any | 4.2(2) |
CSCdk20305 | Pings to broadcast addresses no longer are answered with the broadcast address as the source address. The previous behavior resulted because PIX Firewall incorrectly swapped the source and destination addresses in the ICMP packet. | 4.2(2) |
CSCdk20122 | PIX Firewall now permits 2,560 aaa authentication except statements. | 4.2(2) |
CSCdk19979 | One global pool address is no longer assigned to two or more local IP addresses. | 4.2(5) |
CSCdk19656 | PIX Firewall no longer fails during failover when PIX Firewall contains 3Com network interface cards. | 4.2(2) |
CSCdk17897 | Use of the conduit command no longer results in random configuration corruption. In one instance, a conduit command was removed and PIX Firewall inserted 8000 identical conduit statements into the configuration. | 4.2(3) |
CSCdk17808 | Syslog output now displays correctly when the write command is issued. | 4.2(2) |
CSCdk17788 | At startup, the PIX Firewall now correctly displays an export control warning message when an encryption device is detected in the unit. | 4.2(2) |
CSCdk17784 | Cisco recommends that you do not change the default port assigned to FTP with the fixup protocol command. Once changed, all traffic into the PIX Firewall will only work on the port you specify. Default FTP traffic through the PIX Firewall will no longer work. | 4.2(2) |
CSCdk16222 | Do not use the virtual http command when an inside client is configured to access a proxy server located on an unprotected interface of the PIX Firewall. | 4.2(2) |
CSCdk16053 | Refer to CSCdk21312 for resolution description. | 4.2(2) |
CSCdk15978 | PIX Firewall no longer fails after the aaa accounting command is set to monitor outbound connections. Previously, when an outbound connection started, the PIX Firewall would fail. | 4.2(2) |
CSCdk15527 | Failover on PIX Firewall units configured with two Token Ring interfaces now works properly. | 4.2(1) |
CSCdk14305 | Performing a write memory command followed by a reload command no longer changes the outbound command list. | 4.2(2) |
CSCdk11848 | Private Link now accepts the full 56-bit key. Previously 8 bits of the key were ignored. A new parity feature has been added so that an additional 8 bits have been added to the key just for parity to ensure that the key is passed correctly across the link. | 4.2(2) |
CSCdk11335 | PIX Firewall now sends a syslog message when the uauth inactivity timer expires. This feature lets sites charge for connection time starting with the "%PIX-2-109001: Auth start for user" syslog message and ending when the uauth inactivity timer expires. | 4.2(2) |
CSCdk11011 | Syslog no longer shows the amount of data as a negative number. | 4.2(1) |
CSCdk10909 | The host name no longer disappears after reading in a large configuration from diskette. | 4.2(2) |
CSCdk09763 | PIX Firewall now handles UNIX sendmail programs that send the EHLO command without a linefeed even though the RFC specifies that a CRLF must be sent. PIX Firewall now sends "500 Command unrecognized" to suppress the negotiation of EHLO commands regardless of whether the sending client sends the EHLO with or without a linefeed. | 4.2(2) |
CSCdk06673 | Syslog failover and reset messages were moved to the logging command's level 1 alerts. Formerly these messages were in levels 2 and 6 respectively. | 4.2(2) |
CSCdk05737 | The conduit command now correctly accepts a zero in a port field to mean all ports. In version 4.2 and later, you can also specify all ports by not including a port value in the command. | 4.2(1) |
CSCdk04509 | PIX Firewall now correctly handles aaa authentication statements that reference different authentication server types (RADIUS or TACACS+) for inbound and outbound connections. | 4.2(2) |
CSCdk04242 | Outbound user authentication now works correctly with a PAT global address. | 4.2(1) |
CSCdk04054 | The ip protocol is now recognized correctly. | 4.2(1) |
CSCdk03381 | AAA accounting now works when a connection is created. | 4.2(3) |
CSCdk03375 | PIX Firewall no longer runs the aaa accounting routines when this feature is not requested. This fix improves PIX Firewall performance. | 4.2(2) |
CSCdk00333 | PAT now correctly handles ICMP MTU resize packets. | 4.2(1) |
CSCdj94418 | The apply command now works correctly. Previously, outbound lists would not work correctly until the apply statement was removed and then reinserted. | 4.2(2) |
CSCdj93649 | The new linkpath 0 0 ip_address command options let you specify the default Private Link route path. Refer to the Configuration Guide for the PIX Firewall for more information. | 4.2(1) |
CSCdj92046 | Outbound lists denying access to all outbound users except for specifically allowed addresses now block outbound attempts from denied users, including attempts on high ports. | 4.2(1) |
CSCdj90814 | Private Link no longer fails when blasted with prefragmented UDP packets. | 4.2(2) |
CSCdk85168 | The global command now displays a PAT address correctly. | 4.2(2) |
CSCdj84604 | PAT now works correctly with passive FTP. | 4.2(2) |
CSCdj82419 | HP OpenView can now browse perimeter networks on the PIX Firewall. | 4.2(1) |
CSCdj70621 | PIX Firewall's debug icmp trace command now displays ICMP packets arriving, departing, and traversing the PIX Firewall. | 4.2(1) |
CSCdj57072 | The show version command now lists the processor speed. | 4.2(1) |
CSCdk54553 | PAT now works correctly when a fragmented packet arrives in reverse order. | 4.2(2) |
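The CR handling described in the CSCdk59286 entry above can be written as a small state machine. The following is an added sketch, not Cisco's code: the class and function names are hypothetical, Telnet IAC option processing is out of scope, and passing a lone LF or NUL through unchanged is an assumption.

```python
"""Constructed illustration of the Telnet console CR rules in CSCdk59286."""

CR, LF, NUL = 0x0D, 0x0A, 0x00


class NvtLineDecoder:
    """Incremental decoder (hypothetical name) for the three CR cases.

    CR LF  -> one logical newline
    CR NUL -> a carriage return only
    CR x   -> tolerated exception: CR followed by x (counted for auditing)
    """

    def __init__(self):
        self._pending_cr = False   # CR seen, partner byte not yet received
        self.rfc_exceptions = 0    # how often the CR-any_character case was hit

    def feed(self, data: bytes) -> bytes:
        out = bytearray()
        for byte in data:
            if not self._pending_cr:
                if byte == CR:
                    self._pending_cr = True   # decide once the next byte arrives
                else:
                    out.append(byte)          # assumption: lone LF/NUL pass through
                continue
            self._pending_cr = False
            if byte == LF:
                out.append(LF)                # CR-LF: logical newline
            elif byte == NUL:
                out.append(CR)                # CR-NULL: CR only
            else:
                self.rfc_exceptions += 1      # CR-any_character
                out.append(CR)
                if byte == CR:
                    self._pending_cr = True   # second CR starts a new pair
                else:
                    out.append(byte)
        return bytes(out)

    def close(self) -> bytes:
        """Flush a CR that was still waiting for its partner at end of input."""
        if self._pending_cr:
            self._pending_cr = False
            return bytes([CR])
        return b""


def decode_session(chunks):
    """Decode an iterable of received byte chunks.

    Returns (decoded_bytes, number_of_CR-any_character_exceptions).
    """
    decoder = NvtLineDecoder()
    decoded = b"".join(decoder.feed(chunk) for chunk in chunks)
    decoded += decoder.close()
    return decoded, decoder.rfc_exceptions


if __name__ == "__main__":
    # Constructed input: the CR and LF of one line arrive in separate TCP
    # segments, followed by a bare CR of the kind a non-compliant client sends.
    sample = [b"show version\r", b"\nwrite memory\rshow conn\r\n"]
    print(decode_session(sample))
```

Keeping the pending-CR state across `feed` calls matters because the two bytes of a pair can arrive in different segments; a decoder that inspects each chunk in isolation would misread the split CR-LF as a bare CR.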
The version 4.2(3) Configuration Guide for the PIX Firewall describes the telnet timeout command as an inactivity timer. For version 4.2(3), it was an absolute timer. In version 4.2(4) and later, it became an inactivity timer as described in the documentation.
Use this document in conjunction with the following PIX Firewall documents:
All of these documents, including these release notes, apply to the PIX Firewall, PIX 10000, PIX 510, and PIX 520 hardware models. Refer to the Release Notes for the PIX Firewall Version 4.4(1) for information on the PIX 515.
Cisco provides PIX Firewall technical tips at:
http://www.cisco.com/warp/public/110/index.shtml#pix
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Thu Aug 5 20:26:48 PDT 1999
Copyright © 1989-1999 Cisco Systems Inc.