June 1999
This document describes the changes for the 4.4(1) version of the PIX Firewall software.
In the sections that follow, if an item is associated with a bug fix or workaround, the customer service number follows the note in brackets; for example, [CSCdk00000]. Bugs are summarized in the section "Caveats." If you have a CCO login, you can view additional information about each bug fix at:
http://www.cisco.com/kobayashi/bugs/bugs.html
The information contained in these release notes applies to all PIX Firewall hardware models running software version 4.4 or later.
Version 4.4 requires at least 16 MB of RAM (an optional 128 MB upgrade is available). You can verify how much memory you have with the show version command.
Version 4.4 supports one of the following interface combinations:
Version 4.4 includes the following features.
The sections that follow describe the features in version 4.4(1).
PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers and direct different types of traffic to each group; for example, one TACACS+ server group for inbound traffic and another for outbound traffic. Another use is to authenticate all outbound HTTP traffic against a TACACS+ group while all inbound traffic uses a RADIUS group.
AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 16 tag groups and each group can have up to 16 AAA servers for a total of up to 256 AAA servers.
The aaa command references the tag group. The aaa-server command replaces the radius-server and tacacs-server commands.
Refer to the Configuration Guide for the PIX Firewall Version 4.4 for a description of the aaa and aaa-server commands.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. Such controls are a potential problem for network clients: they can cause workstations to fail, introduce network security problems, or be used to attack servers.
This feature blocks HTML <object> tags by commenting them out within the HTML web page. It is enabled with the new activex option of the filter command.
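The following Python block is an added illustration of what "commenting out" an <object> element means for the page a client receives; it is not PIX Firewall code, and the HTML it operates on is a constructed sample. It also shows the check a practitioner would want, whether any <object> tag survives outside a comment, and handles one failure mode the release notes do not mention: a literal "--" inside the element body would end the comment early and let the rest of the control render, so the body is neutralized before wrapping.

```python
import re

# Constructed sample page (not from the release notes): one ActiveX control
# embedded with an <OBJECT> element, surrounded by ordinary HTML.
SAMPLE_PAGE = """<html><body>
<p>Welcome</p>
<OBJECT classid="clsid:EXAMPLE-CALENDAR" width=200 height=150>
  <param name="Year" value="1999">
  <!-- fallback content -->
  Your browser does not support ActiveX.
</OBJECT>
<p>Footer</p>
</body></html>"""

# A complete <object ...>...</object> element, or a bare <object ...> tag that
# was never closed. Case-insensitive and multi-line, as HTML in the wild is.
_OBJECT_RE = re.compile(
    r"<object\b[^>]*>.*?</object\s*>|<object\b[^>]*>",
    re.IGNORECASE | re.DOTALL,
)


def _neutralize(fragment: str) -> str:
    # "--" inside an HTML comment can terminate it early and let the rest of
    # the element render, so break every such run before wrapping the element.
    return fragment.replace("--", "- -")


def block_activex(html: str) -> str:
    """Return html with every <object> element turned into an HTML comment.

    Illustrative reimplementation of the effect of filter activex on a page;
    this is not PIX Firewall code.
    """
    return _OBJECT_RE.sub(lambda m: "<!-- " + _neutralize(m.group(0)) + " -->", html)


def contains_live_object(html: str) -> bool:
    """True if any <object> tag remains outside an HTML comment."""
    uncommented = re.sub(r"<!--.*?-->", "", html, flags=re.DOTALL)
    return re.search(r"<object\b", uncommented, re.IGNORECASE) is not None


if __name__ == "__main__":
    filtered = block_activex(SAMPLE_PAGE)
    print(filtered)
    print("live <object> remains:", contains_live_object(filtered))
```

Note that this rewrite operates on a whole page in memory; a firewall rewriting a TCP stream sees the HTML in pieces, which is one reason the caveat under CSCdm28416 below (controls fetched through an alias address are not blocked) matters in practice: a page that bypasses the filter arrives unchanged.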
PIX Firewall supports two FDDI network interfaces. These interfaces cannot be used with Ethernet or Token Ring interfaces.
The Cisco FDDI card complies with ANSI specification ASC X3T9.5, which is a peer to the Ethernet IEEE802.3 or Token Ring IEEE802.5 specifications. The FDDI driver supports failover. The show interface and show version commands indicate that a FDDI card is installed.
The new PIX 515 provides an entry into the low-cost firewall market and contains two Ethernet 10/100 interfaces on its motherboard, 16 MB Flash memory, and 32 MB of RAM. The basic model with 32 MB of RAM will accept up to 68,000 simultaneous connections.
Images are downloaded via TFTP across the network from any interface.
Refer to the "PIX 515" section in the "Important Notes" section for more information.
For the PIX 515, there are two available license keys. The basic key allows the use of two Ethernet interfaces without failover support, while the unrestricted key enables use of failover and up to six Ethernet interfaces.
PIX Firewall now supports an optional Cisco 4-port Ethernet interface card. This component provides four 10/100 Ethernet connections and has autosense capability. Connectors on the 4-port card are numbered top to bottom sequentially; however, the actual device number depends on the slot in which the 4-port card is installed. Table 1 shows how the top connector is numbered.
| Slot 0 Contains | Slot 1 Contains | Slot 2 Contains | 4-Port Top Connector is: |
|---|---|---|---|
4-Port | Any | Any | ethernet0 |
Ethernet | 4-Port | Any | ethernet1 |
Ethernet | Ethernet | 4-Port (required location on PIX 515) | ethernet2 |
Token Ring | 4-Port | Any | ethernet0 |
Token Ring | Token Ring | 4-Port | ethernet0 |
Token Ring | Ethernet | 4-Port | ethernet1 |
Ethernet | Token Ring | 4-Port | ethernet1 |
With the inclusion of a 4-port Ethernet card and two single port Ethernet or Token Ring interface cards, the PIX Firewall can support up to 6 interfaces.
TCP half-close connections can now be separately managed with the new half-closed option to the timeout command. Also, half-close connections now do not add to the maximum connection count that you can set with the nat and static commands.
The auth-prompt command can now display separate authentication prompts for user authentication via Telnet depending on whether the login is accepted or rejected.
Because the PIX 515 does not have a diskette drive, you need to send a binary image to the PIX 515 using the Trivial File Transfer Protocol (TFTP). The PIX 515 has a special mode called monitor mode that lets you retrieve the binary image over the network. When you power on or reboot the PIX 515, it waits 10 seconds, during which you can send a BREAK character or press the Escape key to activate monitor mode. While in monitor mode, you can enter commands that let you specify the location of the binary image, download it, and reboot the PIX 515 from the new image. If you do not activate monitor mode, the PIX 515 boots normally from Flash memory.
Refer to the monitor command page in Chapter 5, "Command Reference" in the Configuration Guide for the PIX Firewall Version 4.4 for more information on this feature.
The following are new commands in version 4.4(1):
Table 2 lists command changes in version 4.4.
| Command | Change | Version |
|---|---|---|
| aaa | Now references an aaa-server tag group rather than an individual server. For example, the three statements aaa-server AuthOut protocol radius, aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 5, and aaa authentication any outbound 0 0 0 0 AuthOut define a RADIUS group named AuthOut and authenticate all outbound traffic against it. | 4.4(1) |
| auth-prompt | Can now display separate prompts for accepted and rejected Telnet logins. | 4.4(1) |
| filter | New activex option blocks HTML <object> tags: filter activex port local_ip mask foreign_ip mask | 4.4(1) |
| show interface | Information is shown for FDDI and 4-port adapters. | 4.4(1) |
| show version | Lists information for FDDI, the license type, and the PIX Firewall model type. | 4.4(1) |
| sysopt | The sysopt connection enforcesubnet command now applies only to inbound connections. To configure the PIX Firewall to detect spoofed IP addresses (packets arriving from outside with an internal source address), use explicit conduit deny command statements in the configuration, one per internal network; for example: conduit deny ip any in_host_net1 in_host_net1_mask and conduit deny ip any in_host_net2 in_host_net2_mask, replacing in_host_netn with the addresses on the internal network. | 4.4(1) |
| terminal | Sets the width for displaying command output with terminal width nn, where nn is the width in characters. Permissible values are 0, which means 511 characters, or a value in the range of 40 to 511. After a line break it is not possible to backspace to the previous line. | 4.4(1) |
| timeout | The half-closed hh:mm:ss option lets you set the duration that a TCP half-closed connection can exist before being freed. | 4.4(1) |
| write memory | Traffic continues to flow while the command completes. A second console user who tries to change the configuration meanwhile receives the two messages "Another session is busy writing configuration to memory" and "Please wait a moment for it to finish". | 4.4(1) |
The following commands have been removed in version 4.4:
In addition, the PIX Firewall Setup Wizard and the PIX Firewall Manager products have been dropped from the PIX Firewall product line.
PIX Firewall only supports configuration upgrades from version 4.2(x) and later. With versions previous to 4.2(x), save your configuration to an ASCII text file using your terminal configuration program before upgrading, and write down your activation key. Table 3 lists the upgrade path to use to get to the current version.
| If Your Pix Firewall Version is: | Install This Version: |
|---|---|
2.7.x | 3.0, then upgrade to the next version |
3.0 | 4.0.7, then upgrade to the next version |
4.0.7 | 4.1(7), then upgrade to the next version |
4.1(5) or later | 4.2(x), then upgrade to the next version |
4.2(x) | 4.4 |
This section contains critically important information.
The following sections contain usage information not included in other documentation or requiring special emphasis.
The maximum length of an interface name is 48 characters, not 255 as stated in the previous Configuration Guide for the PIX Firewall Version 4.3, or 49 as stated in the error message in the software.
The startup messages and the show interface and show version commands now list the Ethernet card type correctly. Formerly, all Ethernet cards were listed as i82557.
The maximum size of a configuration is 1 MB. This applies to the PIX 515 with its 16 MB Flash memory card, to the PIX 520 with its 2 MB Flash memory card, and to any previous PIX Firewall model with the 2 MB Flash memory card.
The md5 option to the link command does not work as described in the online help for the link command and will cause spurious results if used as described. [CSCdm42633]
To use the md5 option:
Step 1 Create a link with the associated key.
Step 2 Specify the md5 option.
For example:
link (inside) 192.150.49.133 1 123abc
link (inside) 192.150.49.133 md5
The first link command statement creates an encrypted path from the current Private Link-equipped PIX Firewall to the remote PIX Firewall at 192.150.49.133. The encryption key is in the first (of 7) key group and has the value 123abc. The second link command statement specifies that MD5 authentication will be required for this link.
One Port Address Translation (PAT) global statement is permitted per interface, but not two or more for a specific interface. This feature has been available since version 4.2(4) but was not documented.
Telnet access to the PIX Firewall's console is available from all internal interfaces, but not the outside interface. [CSCdk91375]
Refer to the previous versions of the PIX Firewall release notes for information on bugs in previous releases. On the Web, you can view previous versions of the PIX Firewall release notes at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
If you have CCO access, you can view additional information about each open or resolved caveat at:
http://www.cisco.com/kobayashi/bugs/bugs.html
The open caveats for version 4.4(1) are:
The message "Unable to find key" appears on the PIX Firewall command line at every interval specified by the age command until you either complete the Private Link configuration or reboot the PIX Firewall.
Also, open caveats in version 4.3(2) still apply to this product with the exception of those fixed in version 4.4(1). The version 4.3(2) open caveats can be viewed online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pixrn43.htm#xtocid778260
Table 4 lists resolved DDTS bug reports that need clarification or those reports that change the command interface.
If you have CCO access, you can view additional information about each open or resolved caveat at:
http://www.cisco.com/kobayashi/bugs/bugs.html
| DDTS Number | Description | Fixed in Version |
|---|---|---|
CSCdm39607 | PIX Firewall now reports the correct number of outbound SNMP packets in the MIB-II ifOutUcastPkts object. | 4.4(1) |
CSCdm37763 | During TCP close, when connection information is not provided from an internal host, RESET is now sent with the RESET packet. This helps the internal application know that the connection was dropped by the remote host. Previously, the application would hang with packets ping-ponging between the firewall and the host, which caused the | 4.4(1) |
CSCdm35458 | The number of 80-byte blocks was increased from 80 to 400 to ease congestion. The symptom was that WebSENSE traffic stopped: the configuration specified syslog servers, but the named hosts were not actually running syslog servers, which slowed performance significantly. | 4.4(1) |
CSCdm33323 | A TFTP transfer of a large configuration initiated from a Telnet console session no longer causes a failover. | 4.4(1) |
CSCdm29338 | The username has been added to syslog message 3030002. This message appears when a user successfully downloads data from an FTP site. This message is sent to a syslog server when the logging trap 6 or logging trap 7 commands are used to start sending messages to a syslog server. | 4.4(1) |
CSCdm28487 | The watchdog timer no longer expires when transferring large configurations to Flash memory. In addition, where previous PIX Firewall versions would halt traffic during the execution of the write memory command; version 4.4 lets traffic continue while this command completes. Another feature of this fix is that if another PIX Firewall console user tries to change the configuration while you are executing the write memory command, the user receives the following messages: Another session is busy writing configuration to memory Please wait a moment for it to finish After the write memory command completes, PIX Firewall lets the other command complete. | 4.4(1) |
CSCdm28416 | ActiveX blocking does not occur when users access an IP address referenced by the alias command. | 4.4(1) |
CSCdm26420 | The number of licensed connections no longer displays in the startup messages. | 4.4(1) |
CSCdm26280 | The debug packet command no longer causes the firewall to fail. | 4.4(1) |
CSCdm24909 | Token Ring interfaces no longer stop transmitting and reset. | 4.4(1) |
CSCdm24665 | The write memory command was improved to make the write to Flash memory twice as fast. | 4.4(1) |
CSCdm24379 | A large TFTP configuration transfer no longer causes failover to the Standby unit. | 4.4(1) |
CSCdm22473 and CSCdj06431 | The 302001 syslog message was enhanced to add the originating IP address. An example of this message is: 302001: Built outbound TCP connection 18 for faddr 192.150.50.153/80 gaddr 214.31.17.38/1115 laddr 10.0.0.3/1115 | 4.4(1) |
CSCdm21227 | PIX Firewall no longer produces non-existent framing errors on Token Ring. | 4.4(1) |
CSCdm21198 | PIX Firewall no longer drops packets greater than 1512 KB with Token Ring. | 4.4(1) |
CSCdm20741 | A 16-character TFTP server name no longer causes write net to fail or causes the PIX Firewall to reboot automatically after you enter the write net command. | 4.4(1) |
CSCdm16148 | The filter url command no longer depends on the presence of the fixup protocol http command. | 4.4(1) |
CSCdm14861 | The sysopt connection enforcesubnet command now applies only to inbound connections. | 4.4(1) |
CSCdm14393 | AAA TACACS+ with failover no longer causes intermittent failover or Telnet timeout failures. | 4.4(1) |
CSCdm13521 | A syslog message is now sent each time a URL server is no longer available. | 4.4(1) |
CSCdm11244 | The clear config all command now clears rip command settings. | 4.4(1) |
CSCdm10667 | The clock set command now displays an error message if a year is entered outside the range of 1998 to 2097. | 4.4(1) |
CSCdm06039 | When a WebSENSE server goes down, the PIX Firewall now switches to the next server faster than the previous time of 2 to 3 minutes. | 4.4(1) |
CSCdm05900 | For Ethernet, PIX Firewall only supports the Intel 10/100, Cisco 4-port, and 3Com 3c590 and 3c595 cards. All other Ethernet cards generate an error message and the card is then ignored. | 4.4(1) |
CSCdm05752 | The number of 256-byte blocks increased from 80 to 160. | 4.4(1) |
CSCdm05309 | PIX Firewall returns the following error message | 4.4(1) |
CSCdm04819 | TFTP now works correctly with configuration records delineated with CR/LF or LF. | 4.4(1) |
CSCdm04627 | Telnet sessions through the PIX Firewall are no longer dropped after the second uauth timeout. | 4.4(1) |
CSCdm02200 | The global command no longer assigns the same global address to two different local addresses. | 4.4(1) |
CSCdk93596 | The new clear blocks and clear interface commands were created to clear the counters to improve troubleshooting. | 4.4(1) |
CSCdk91375 | Telnet access to the PIX Firewall's console is available from all internal interfaces, but not from the outside interface. | 4.4(1) |
CSCdk91107 | An improperly configured Private Link MTU setting (one greater than or equal to the physical MTU setting on the relevant PIX Firewall interface) causes Private Link to fail. | 4.4(1) |
CSCdk90988 | The PIX Firewall Syslog Server (PFSS) now puts the disk empty watch and disk full watch settings in the pfss.log file. In version 4.3, viewing these settings required use of the Windows regedit command. | 4.4(1) |
CSCdk84953 | The startup messages and the show interface and show version commands now list the Ethernet card type correctly. Formerly, all Ethernet cards were listed as i82557. | 4.4(1) |
CSCdk84863 | The logging host command now displays protocol values correctly. Previously these values were always 0. | 4.4(1) |
CSCdk82814 | The aaa authentication command now only lets you enter port ranges for the TCP and UDP protocols. | 4.4(1) |
CSCdk76685 | The aaa authentication enable command is no longer parsed incorrectly as the aaa authentication any command. | 4.4(1) |
CSCdk67889 | The Atmel Flash driver can now write to the second megabyte of the Flash memory. | 4.4(1) |
CSCdk59836 | Syslog messages 111001, 111003, 111004, 111005, 111007, and 199001 now list the IP address of the host issuing the command. | 4.4(1) |
CSCdk58988 | The show failover command output has been added to the show tech-support command. | 4.4(1) |
CSCdk52804 | The fixup protocol smtp command handles ESMTP by responding with | 4.4(1) |
CSCdk44171 | Creates the terminal width command to let you specify the width of display output. | 4.4(1) |
CSCdk43210 | After adding a conduit or static command statement, the standard procedure is to use the clear xlate command. Under very unusual circumstances and after waiting at least five minutes to see if the previous addresses clear, you may have to reboot the PIX Firewall. | 4.4(1) |
CSCdk41405 | Outbound lists can now use the gopher protocol. | 4.4(1) |
CSCdk40788 | Prompts in the startup messages now echo what you enter. Previously, when you entered a response, the startup messages resumed without displaying your response. | 4.4(1) |
CSCdk37916 | When an outbound connection is denied based on an outbound command setting, PIX Firewall no longer waits for a timeout to occur. Now the connection is refused immediately and the following message appears: 106002: TCP connection denied by outbound list | 4.4(1) |
CSCdk19979 | PIX Firewall no longer assigns a single global address to multiple local IP addresses. | 4.4(1) |
CSCdk05686 | Previously PIX Firewall silently dropped an input NAT entry if it was a duplicate of an existing one. PIX Firewall now displays a message if this happens. | 4.4(1) |
CSCdj86678 | Syslog messages for inbound denies are now consistent with those sent because of NAT and PAT events. The 106001 message has been changed to: For an unassigned NAT address, the message is: | 4.4(1) |
CSCdj06431 | Refer to fix for CSCdm22473 for resolution of this problem. | 4.4(1) |
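The 302001 message enhanced under CSCdm22473 and CSCdj06431 now carries all three addresses of a translated connection (faddr, gaddr, laddr), which is what an operator needs to answer "which internal host was behind this global address and port" when an external party reports abuse. The following Python block is an added example, not part of these release notes or of any Cisco software: it parses 302001 lines into their fields, builds a global-to-local mapping from them, and counts the 106002 refusals described under CSCdk37916. The sample lines are constructed; the first is the 302001 example given above, and the "%PIX-n-" prefix on the others is assumed to be what a syslog server records on the wire, so the parser accepts it but does not require it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines. The first is the 302001 example from these
# notes; the "%PIX-n-" prefix on the others is an assumption of this example
# (what a syslog server records on the wire), accepted but optional.
SAMPLE_LINES = [
    "302001: Built outbound TCP connection 18 for faddr 192.150.50.153/80 "
    "gaddr 214.31.17.38/1115 laddr 10.0.0.3/1115",
    "%PIX-6-302001: Built outbound TCP connection 19 for faddr 192.150.50.153/80 "
    "gaddr 214.31.17.38/1116 laddr 10.0.0.7/1044",
    "%PIX-6-302001: Built inbound TCP connection 20 for faddr 192.150.50.9/2049 "
    "gaddr 214.31.17.40/25 laddr 10.0.0.25/25",
    "%PIX-2-106002: TCP connection denied by outbound list",
    "some unrelated line",
]

_CONN_RE = re.compile(
    r"(?:%PIX-\d-)?302001: Built (?P<direction>inbound|outbound) (?P<proto>\w+) "
    r"connection (?P<conn_id>\d+) for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)
_DENY_RE = re.compile(r"(?:%PIX-\d-)?106002: TCP connection denied by outbound list")

Endpoint = Tuple[str, int]


def parse_302001(line: str) -> Optional[dict]:
    """Split a 302001 message into its fields; None if the line is not one."""
    m = _CONN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "fport", "gport", "lport"):
        rec[key] = int(rec[key])
    return rec


def nat_table(lines: List[str]) -> Dict[Endpoint, Endpoint]:
    """Map each global (translated) socket to the local socket behind it."""
    table: Dict[Endpoint, Endpoint] = {}
    for line in lines:
        rec = parse_302001(line)
        if rec is not None:
            table[(rec["gaddr"], rec["gport"])] = (rec["laddr"], rec["lport"])
    return table


def resolve_global(lines: List[str], gaddr: str, gport: int) -> Optional[Endpoint]:
    """Return the internal host and port that were behind gaddr/gport, if logged."""
    return nat_table(lines).get((gaddr, gport))


def count_outbound_denies(lines: List[str]) -> int:
    """Count 106002 messages, the immediate refusals described under CSCdk37916."""
    return sum(1 for line in lines if _DENY_RE.search(line))


if __name__ == "__main__":
    print(resolve_global(SAMPLE_LINES, "214.31.17.38", 1115))
    print(count_outbound_denies(SAMPLE_LINES))
```

Because the mapping is keyed on the global address and port, it also resolves PAT translations, where many local sockets share one global address; keep the timestamp of each 302001 line alongside the entry if the same global port can be reused after the connection times out.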
Use this document in conjunction with the following PIX Firewall documents:
All of these documents, including these release notes, apply to all PIX Firewall hardware versions, including the PIX Firewall, PIX10000, PIX 510, PIX 515, and PIX 520 models.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.

Posted: Sat Dec 11 20:31:20 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.