February 1999
This document describes the changes for all 4.3(x) versions of the PIX Firewall software.
In the sections that follow, if an item is associated with a bug fix or workaround, the customer service number follows the note in brackets; for example, [CSCdk00000]. Bugs are summarized in the section "Caveats." If you have a CCO login, you can view additional information about each bug fix at:
http://www.cisco.com/kobayashi/bugs/bugs.html
The information contained in these release notes applies to all PIX Firewall hardware models running software version 4.3 or later.
Version 4.3 requires at least 16 MB (an optional 128 MB upgrade is available).
Version 4.3 supports up to four Ethernet interfaces. Three Token Ring interfaces have been tested with the PIX Firewall.
Version 4.3 includes the following features.
The PIX Firewall Syslog Server (PFSS) runs on a Windows NT system and receives syslog messages from up to 10 PIX Firewalls.
Refer to the logging command page in the Configuration Guide for the PIX Firewall Version 4.3, Chapter 5, "Command Reference" for additional important information about configuring the PIX Firewall for use with PFSS.
Installation and configuration instructions for the PFSS on the Windows NT system are described in the Quick Installation Guide for the PIX Firewall Version 4.3.
The clock set command allows you to set the PIX Firewall's internal clock. The internal clock is used to time stamp syslog messages. You can use the show clock command to display the current time.
You can now access the PIX Firewall console via Telnet from all internal interfaces.
You can now set the enable option on the aaa authentication console command. This command requires that access to the PIX Firewall console be authenticated from a TACACS+ or RADIUS server. After authentication is successful, all changes to the configuration from the serial console are logged to the syslog servers at syslog level 5. Changes made from Telnet console sessions are not logged.
If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
You can now set port ranges for the TCP and UDP protocols with the aaa authorization command.
You can now disable specific syslog messages with the no logging message syslog_id command, and re-enable specific syslog messages with the logging message syslog_id command. You can display all disabled messages with the show logging disabled command, and re-enable all disabled messages with the clear logging disabled command.
An SNMP object ID (OID) for PIX Firewall now displays in SNMP event traps sent from the PIX Firewall. OID 1.3.6.1.4.1.9.1.227 was assigned as the PIX Firewall system object ID.
You can use the show uauth command to display CiscoSecure version 2.1 or later idletime and timeout values that provide user-based, rather than global, authentication timeouts.
The Cisco Secure user-based timer durations override the duration set with the timeout uauth command.
The virtual telnet command lets you log in to the virtual authentication server on first access and log out on second access to the specified IP address.
The new commands are:
Table 1 lists command changes in version 4.3. All commands are documented in the Configuration Guide for the PIX Firewall Version 4.3.
| Command | Change | Version |
|---|---|---|
| aaa | · aaa accounting---lets you specify a protocol and port for accounting services in the form protocol/port. Accounting now supports both TCP and UDP. · aaa authentication enable console---lets you require authentication to access the PIX Firewall console and logs changes made to the PIX Firewall configuration from a serial console session. · aaa authorization---lets you specify port ranges that users are authorized to access. | 4.3(1) and 4.3(2) |
| failover | The show failover command now provides clearer information when the failover feature is disabled. [CSCdk49733] | 4.3(2) |
| floodguard enable \| disable | Enables or disables TCP resource control for the AAA authentication proxy. | 4.3(2) |
| linkpath | New MTU option lets you specify the packet size for transmissions between the two Private Link PIX Firewall units. | 4.3(2) |
| logging | · logging timestamp---lets you specify that syslog messages sent to a syslog server be marked with the current time. · logging host---lets you send syslog messages by either UDP or TCP. · logging message---lets you re-enable a previously disabled syslog message. · no logging message---lets you disable a specific syslog message. [CSCdk76196] · clear logging disabled---lets you re-enable all disabled messages. · show logging disabled---lets you view disabled messages. · show logging---lets you view logging information and whether a PFSS server is disabled. | 4.3(1) and 4.3(2) |
| show conn | No longer displays the total number of connections that are licensed. This information is now available only in the PIX Firewall reboot startup messages. | 4.3(2) |
| show uauth | Now displays CiscoSecure idletime and timeout values. | 4.3(2) |
| show version | Now lists the BIOS version. | 4.3(2) |
| sysopt | New connection enforcesubnet option [CSCdk62467]. Also, the sysopt security fragguard command is now disabled by default. | 4.3(2) |
| timeout | The minimum duration for the xlate option has been reduced to 1 minute. [CSCdk77361] | 4.3(2) |
| virtual http | The web browser now lists the correct URL instead of the virtual http command's IP address. [CSCdk16222] | 4.3(2) |
| virtual telnet | Lets you log in to the virtual authentication server on first access and log out on second access to the specified IP address. | 4.3(2) |
The version 4.2 tunnel command is obsolete in version 4.3. This command worked with a third-party vendor's IPSEC card that is no longer supported.
PIX Firewall only supports configuration upgrades from version 4.2(x) and later. With versions previous to 4.2(x), save your configuration to an ASCII text file using your terminal configuration program before upgrading, and write down your activation key. Table 2 lists the upgrade path to use to get to the current version.
| If Your PIX Firewall Version is: | Install This Version: |
|---|---|
| 2.7.x | 3.0, then upgrade to the next version |
| 3.0 | 4.0.7, then upgrade to the next version |
| 4.0.7 | 4.1(7), then upgrade to the next version |
| 4.1(5) or later | 4.2(x), then upgrade to the next version |
| 4.2(x) | 4.3(2) |
To upgrade from a previous PIX Firewall version:
IP address '0.0.0.0': already in use.
These messages can be ignored.
This section contains critically important information.
1. If your PIX Firewall has a serial number of 06002015 or earlier, do not attempt to load PIX Firewall version 4.3 software. If you have one of these units, you must upgrade your Flash memory to the 2 MB Flash memory card. Contact Cisco Customer Support to obtain the 2 MB Flash memory card.
To determine your Flash memory size, reboot your PIX Firewall and look for the following statement:
Flash=string
If string starts with "AT" (for example, Flash=AT29C040A), you have the 2 MB size and the PIX Firewall version 4.3 software will load correctly. If string starts with "i" (for example, Flash=i28F020), you have the older 512 KB size and must replace it before loading PIX Firewall version 4.3 software.
2. PIX Firewall supports up to four Ethernet interfaces. Three Token Ring interfaces have been tested with PIX Firewall.
3. The maximum size of the configuration in a 2 MB Flash memory card is 1 MB minus the size of the current software's .bin file. For example, if the .bin file is 609,000 bytes, the maximum size of the configuration is 1,048,576 - 609,000 = 439,576 bytes.
The following sections contain usage information not included in other documentation or requiring special emphasis.
Refer to the outbound command page in the Configuration Guide for the PIX Firewall Version 4.3 for more information on outbound command rules.
www.caguana.com. IN A 204.31.17.11
alias 10.1.1.11 204.31.17.11 255.255.255.255
conduit permit tcp host 204.31.17.11 eq www host 192.150.50.7
Unable to connect to remote host: Connection timed out
On PIX Firewall units equipped with Token Ring interfaces, if a network error occurs that places the PIX Firewall in a state where it cannot receive or transmit information and which causes the unit to stop passing packets for 15 seconds, the PIX Firewall automatically reboots.
The maximum number of characters that can be entered in a command line is 512. Additional characters past this limit are ignored.
If you are using DHCP to configure IP addresses for the hosts on the inside network, the DHCP server must provide the IP address, netmask, and gateway (default route) IP address. The default route must point to the PIX Firewall, either directly or via a router.
The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, users outside the PIX Firewall can access any ports on servers behind the firewall that are accessible with the conduit and static commands.
The following example illustrates this problem:
static (inside,outside) 204.31.17.42 192.168.1.42 netmask 255.255.255.255
conduit permit tcp host 204.31.17.42 eq http any
established tcp
In this example, inside host 192.168.1.42 can be accessed from the outside interface for Web access as permitted by the conduit command statement. Because this is a web server (using the HTTP port), access permission is granted to any outside host. However, the established command modifies the effect of the conduit command statement and lets any user access any port on the 192.168.1.42 server. [CSCdk23441]
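The check below is an added example for these notes, not Cisco's code, and it shows the audit a defender would run over a saved configuration to catch exactly the situation described above: an established statement that carries neither permitto nor permitfrom, together with the hosts that static and conduit statements already expose. The configuration text is constructed for the demonstration; the established syntax it assumes (protocol, destination port, source port, then optional permitto and permitfrom clauses) is taken from the PIX 4.x command form as understood by the author of this example, not from text in these notes.

```python
"""Audit PIX Firewall 4.x configuration text for unrestricted `established`
statements (added example; not Cisco's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample configuration. The first `established` statement is the
# unrestricted form the release notes warn about; the second is restricted
# with permitto/permitfrom (port numbers are constructed, not from the notes).
SAMPLE_CONFIG = """\
static (inside,outside) 204.31.17.42 192.168.1.42 netmask 255.255.255.255
conduit permit tcp host 204.31.17.42 eq http any
established tcp 4000 0
! restricted form: return connections only to port 6061 from port 6059
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059
"""

STATIC_RE = re.compile(r"^static\s*\(\S+,\S+\)\s+(\S+)\s+(\S+)")
CONDUIT_RE = re.compile(r"^conduit\s+permit\s+\S+\s+host\s+(\S+)")


@dataclass
class Finding:
    line_no: int
    statement: str
    # "global (local)" pairs reachable through a static plus a conduit
    exposed_hosts: list = field(default_factory=list)


def audit_established(config_text):
    """Return one Finding per `established` line that lacks permitto or
    permitfrom, listing the statically translated hosts a conduit exposes."""
    statics = {}          # global address -> local address
    conduit_hosts = set()  # global addresses named in host conduits
    established = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("!", ":")):   # comments, blanks
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)
            continue
        m = CONDUIT_RE.match(line)
        if m:
            conduit_hosts.add(m.group(1))
            continue
        if line.split()[0] == "established":
            established.append((n, line))

    findings = []
    for n, line in established:
        words = line.split()
        if "permitto" in words and "permitfrom" in words:
            continue  # both restrictions present; nothing to report
        exposed = sorted(
            f"{g} ({statics[g]})" for g in conduit_hosts if g in statics
        )
        findings.append(Finding(n, line, exposed))
    return findings


if __name__ == "__main__":
    for f in audit_established(SAMPLE_CONFIG):
        print(f"line {f.line_no}: '{f.statement}' has no permitto/permitfrom;"
              f" every port on {', '.join(f.exposed_hosts) or 'no host'}"
              " is reachable from outside")
```

Run against the sample, the audit reports only line 3: the static plus the HTTP conduit expose 204.31.17.42 (192.168.1.42), and the unrestricted established statement widens that to every port, which is the hole the note describes. The restricted statement on line 5 is not reported.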
PIX Firewall now supports failover in a switched environment.
The floodguard command helps protect the AAA Cut-Through Proxy service by reclaiming the PIX Firewall "tcpusers" resource, which is used for the Cut-Through Proxies. Use the floodguard enable command to enable this feature.
For AAA, the FTP port must be 21.
Consult with your ISP (Internet service provider) to make sure that all addresses used in globals are routed to your outside router before configuring the PIX Firewall with global addresses.
PIX Firewall does not support the use of the established command with a PAT IP address for the IDENT service. Use the service resetinbound command to reset incoming IDENT connections.
The former version Installation Addendum for the DC PIX Firewall has been combined into the Quick Installation Guide for the PIX Firewall Version 4.3.
This feature is only compliant with the RFC 821 section 4.5.1 commands. The RFC 1651 EHLO command returns a "500 command unrecognized" reply code.
PIX Firewall now correctly handles path MTU (maximum transmission unit) requests. Path MTU relies on the PIX Firewall to generate an ICMP host unreachable message (code=3) on reception of a packet that needs to be fragmented but has the Don't Fragment flag set in the IP header (type=4). PIX Firewall formerly discarded these packets without returning the host unreachable message. [CSCdk38353]
PIX Firewall supports the following multimedia and video conferencing applications:
Using pager 0 disables screen paging in PIX Firewall.
Step 1 On the Windows NT system, move the old logs to a new filesystem (or back up and remove them). Make sure this creates enough free disk space for more log messages.
Step 2 On the PIX Firewall, enter configuration mode and check whether the PFSS host has been disabled by the PIX Firewall: enter the show logging command and look for the "disable" keyword, which means that no new connections are allowed through the PIX Firewall.
Step 3 Disable logging to the PFSS host by entering the no logging host interface ip_address command for the disabled host.
Step 4 Re-enable logging by entering the logging host interface ip_address tcp/1468 command for the disabled host.
Step 5 Check that the PFSS host is now enabled by reentering the show logging command. The disable keyword should now be gone.
Step 6 Use the show conn command to determine if new connections have started. If none have, start a Telnet or FTP session through the PIX Firewall to start new connections.
If new connections do not restart, reboot the PIX Firewall.
PIX Firewall supports the following TCP/IP protocols and applications:
Refer to the "Protocols" section in Chapter 1, "Introduction" in the Configuration Guide for the PIX Firewall Version 4.3 for information on supported protocols.
If you configure RIP passive on a perimeter interface using the rip command, the PIX Firewall passively listens for RIP information on that interface; however, that information is not used to make forwarding decisions.
(a) Create a static command statement to let the outside hosts access the inside server.
(b) Create a UDP conduit command statement for the portmapper port, UDP port 111.
(c) Create a UDP conduit command statement for the NFS port, UDP 2049.
conduit permit udp host 204.31.17.1 eq 111 any
conduit permit udp host 204.31.17.1 eq 2049 any
conduit permit tcp host 204.31.17.1 eq 135 any
conduit permit tcp host 204.31.17.1 range 1024 65535 any
The information for the Setup Wizard is now listed in the Quick Installation Guide for the PIX Firewall Version 4.3.
The show version command now lists the processor speed. [CSCdj57072]
PIX Firewall does not pass SPX packets across it.
The "%PIX-6-199002: PIX startup completed. Beginning operation." syslog message cannot be blocked with the new no logging message command, which lets you block individual syslog messages.
107001: %I attempted to ping %I (%I)
106013: Dropping echo request from %I to PAT address %I
106014: Deny inbound %s, pkt_as_ascii()
%PIX-3-202002: Unable to find translation for SRC=ip_address DEST=ip_address has been changed to:
%PIX-3-305005: No translation group found for packet_shown_as_text
%PIX-3-305006: xlate_type translation creation failed for packet_shown_as_text
The following affect Telnet console sessions:
For configurations that you download via TFTP, do not put comments in the configuration file because the PIX Firewall may fail while reading the configuration.
PIX Firewall is year 2000 compliant.
The following caveats apply to PIX Firewall release 4.3(n). Refer to the previous versions of the PIX Firewall release notes for information on bugs in previous releases. On the Web, you can view previous versions of the PIX Firewall release notes at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
If you have CCO access, you can view additional information about each open or resolved caveat at:
http://www.cisco.com/kobayashi/bugs/bugs.html
The following are major issues in version 4.3(2):
Table 3 lists open caveats.
| DDTS Number | Description | Noted in Version |
|---|---|---|
| CSCdk89056 | If TCP syslog is used with the PIX Firewall Syslog Server (PFSS) and failover is present, the PIX Firewall can fail to send syslog messages to the PFSS and may cause traffic to stop on the PIX Firewall. | 4.3(2) |
| CSCdk86695 | Putting comments in a configuration downloaded by TFTP can cause the PIX Firewall to fail. | 4.3(1) |
| CSCdk84112 | Syslog does not work properly after the clear syslog command. | 4.3(1) |
| CSCdk81282 | Syslog prints a garbled message when denying outbound access under a PAT configuration. | 4.3(1) |
| CSCdk78707 | Under conditions such as low memory or memory corruption, PIX Firewall may generate frequent syslog messages containing the phrase "PIX-2-SYS-CHUNKBOUNDS attempted to exceed freelist causing failover." | 4.3(1) |
| CSCdk70747 | The virtual telnet command hangs after a second Telnet attempt is entered quickly. | 4.3(1) |
| CSCdk76685 | The aaa authen enable command is parsed as the aaa authen any command. | 4.3(1) |
| CSCdk69851 | PIX Firewall does not allow a password change to a shorter length with RADIUS. | 4.3(1) |
| CSCdk68618 | Inbound Telnet fails with DNAT uauth to the fourth interface from outside. | 4.3(1) |
| CSCdk68345 | Rebooting the failover Standby unit during configuration replication results in configuration loss. | 4.3(1) |
| CSCdk67889 | The Atmel Flash driver cannot write to the second megabyte of the Flash memory. | 4.3(1) |
| CSCdk67887 | An incorrect byte value appears in TCP teardown syslog messages. | 4.3(1) |
| CSCdk64250 | The conduit permit icmp any any command is required to permit Telnet to work between Private Link sites. | 4.3(1) |
| CSCdk50579 | When a DNS server is on the outside and users on the inside need to access a server on the perimeter interface, you would use the alias command to permit DNS responses to resolve correctly through the PIX Firewall. However, in this case, you must reverse the parameters for the local IP address and foreign IP address. For example, with "alias (inside) 192.168.1.4 204.31.17.121 255.255.255.255": inside host 10.1.1.1 goes to www.example.com, which resolves at an outside ISP DNS to 204.31.17.121. The PIX Firewall fixes this DNS response, sending the host a response of 192.168.1.4. The host uses its gateway (the PIX Firewall) to go to 192.168.1.4, which the PIX Firewall now aliases back to 204.31.17.121. Because this is actually 192.168.1.4, a server on the perimeter interface of the PIX Firewall, the packet is dropped: the PIX Firewall sent the packet to the outside interface, which is the incorrect interface. Workaround: reverse the alias parameters as follows: "alias (inside) 204.31.17.121 192.168.1.4 255.255.255.255". This works properly because everything happens in reverse. The DNS response is now modified to 204.31.17.121 and the inside host uses its gateway (the PIX Firewall) to get there; the PIX Firewall aliases this back to 192.168.1.4, routes it out the perimeter interface to the correct host, and the TCP connection is established. | 4.3(2) |
| CSCdk19912 | If the packet containing the data being modified in an FTP or SQL*Net packet is retransmitted, the adjustment is recorded twice. This causes the sequence number for all subsequent packets to be incorrect, which can result in failed connections for both FTP and SQL*Net. | 4.3(1) |
Table 4 lists resolved DDTS bug reports.
| DDTS Number | Description | Fixed in Version |
|---|---|---|
| CSCdk90359 | Added the SNP protocol literal for Sitara Networks Protocol, protocol 109. | 4.3(2) |
| CSCdk90358 | Removed the "licensed" count from the show conn command and made the information available only in the startup messages. | 4.3(2) |
| CSCdk88270 | Under heavy traffic, Token Ring failover now works correctly. | 4.3(2) |
| CSCdk84226 | The inside interface no longer passes broadcasts. | 4.3(2) |
| CSCdk83300 | The outbound list now works correctly when the mask is different from the interface's mask. | 4.3(2) |
| CSCdk82957 | Remote shell (rsh) now functions correctly with an HP 9000 if the EFT sysopt connection safeclose command is used. | 4.3(2) |
| CSCdk81214 | PIX Firewall now reports the state of an interface as up for SNMP MIB II only if the interface card is available and has a working cable plugged in. | 4.3(2) |
| CSCdk78952 | A checksum was requested for copying a configuration via TFTP or to diskette. The request was resolved by adding a "Config OK" message to indicate successful completion and syntax validation of the configuration file. An error displays as the "Config Failed" message. | 4.3(2) |
| CSCdk77361 | The minimum duration for the xlate option of the timeout command was reduced to 1 minute. | 4.3(2) |
| CSCdk76196 | PIX Firewall now lets you block specific syslog messages with the new no logging message command. However, the "%PIX-6-199002: PIX startup completed. Beginning operation." syslog message cannot be blocked. | 4.3(2) |
| CSCdk62467 | PIX Firewall provides the new sysopt connection enforcesubnet command, which filters out packets that route to the PIX Firewall itself, directly or indirectly. | 4.3(2) |
| CSCdk62465 | Loopback networks no longer pass through the PIX Firewall. | 4.3(1) |
| CSCdk62456 | PIX Firewall is no longer susceptible to the land.c attack. | 4.3(1) |
| CSCdk59859 | PIX Firewall now denies source broadcast and destination broadcast packets. | 4.3(1) |
| CSCdk59465 | PIX Firewall now allows use of Cisco Secure version 2.1 or later user-based absolute and inactivity timers. The show uauth command now lists these, and their durations override the timeout uauth command duration. | 4.3(1) |
| CSCdk57557 | The aaa accounting command now works for both TCP and UDP. | 4.3(2) |
| CSCdk56811 | Cisco System OID 1.3.6.1.4.1.9.1.227 was assigned as the PIX Firewall system object ID. | 4.3(2) |
| CSCdk56401 | Syslog message 107001 was removed: "107001: %I attempted to ping %I (%I)". Two new syslog messages were added to replace it: "106013: Dropping echo request from %I to PAT address %I" and "106014: Deny inbound %s, pkt_as_ascii()". | 4.3(2) |
| CSCdk50571 | The network browser authentication prompt was improved. | 4.3(2) |
| CSCdk49733 | The show failover command has been improved so that when failover is disabled, PIX Firewall provides the following information: "Failover Off", "Cable Status: My side not connected", "Reconnect timeout: 0:00:00". | 4.3(2) |
| CSCdk16222 | The virtual http command now works correctly with an external proxy server. The former behavior caused the "Error 501 Not Implemented" error message to display in the web browser and a syslog message that started with "109001: Auth start for user '???'." The fix for this bug has an additional benefit: the requested URL now correctly displays in the web browser, not the virtual http command's IP address. | 4.3(2) |
| CSCdj92811 | The PIX Firewall now checks static command statements to ensure that the interfaces are specified in the correct order as (high,low); for example, (inside,dmz). If entered incorrectly, the following error message appears: "internal_if_name nn has a lower security value than external_if_name nn". The internal_if_name represents the first interface name and external_if_name represents the second interface name. The nn number is the security level of the interface that was set with the nameif command. | 4.3(2) |
Use this document in conjunction with the following PIX Firewall documents:
All of these documents, including these release notes, apply to all PIX Firewall hardware versions, including the PIX Firewall, PIX10000, PIX 510, and PIX 520 models.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Tue Mar 9 21:23:38 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.