December 1999
The Cisco Secure PIX Firewall provides secure networking.
These release notes contain the following sections:
Version 5.0 requires at least 2 MB of Flash memory and at least 32 MB of RAM, although it will boot in 16 MB of RAM and work with a small configuration. The maximum configuration size is 350 KB for all PIX Firewall models. Use the show version command to verify how much Flash memory and RAM your unit has. Installation instructions for replacing Flash or RAM memory are in the Installation Guide for the Cisco Secure PIX Firewall Version 5.0.
The sections that follow describe each new feature in this release. See "Important Notes" for additional information on new features.
The following features are available in version 5.0(1).
The current AAA accounting feature now logs all Internet traffic. Previously, it only logged Telnet, HTTP, and FTP traffic. AAA authorization now handles all well-known protocols such as NNTP and ICQ, as well as any other traffic that can be specified by a UDP or TCP port number or an IP protocol number.
AAA now logs AAA authenticated usernames on FTP stored and retrieved syslog messages for FTP puts and gets.
Access lists can now be specified in support of the IPSec feature. In addition, in conjunction with the access-group command, the access-list command can replace the outbound command or conduit command.
PIX Firewall now supports H.323 version 1 with RAS (Registration, Admission, and Status) version 1. This feature handles the increased popularity of multimedia applications such as video conferencing and Voice over IP that require video and audio encoding. These applications use a high number of dynamically negotiated data and control channels to handle the various visual and auditory streams. A RAS channel carries bandwidth change, registration, admission, and status messages (following the recommendations in H.225.0) between endpoints and gatekeepers. A gatekeeper is an H.323 entity on the network that provides H.323 terminals.
The support for this service provides channel cut-through, which includes a RAS channel used for the discovery of gatekeepers and endpoint registration. RAS messages are encoded using ASN.1 PER encoding rules. The default ports are 1718 and 1719; port 1718 is the well-known gatekeeper UDP discovery port, and port 1719 is the well-known gatekeeper UDP registration and status port.
In conjunction with the RAS support, PIX Firewall now supports Cisco Multimedia Conference Manager (MCM), a video conferencing product.
The IPSec (IP Security) feature is based on the Cisco IOS IPSec implementation and provides seamless functionality with those IPSec-compliant products that already work with Cisco IOS IPSec, such as the Cisco Secure VPN Client.
IPSec provides a mechanism for secure data transmission. IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network.
The PIX Firewall IPSec feature uses the existing Private Link circuit board.
This feature replaces the previous Private Link capability and contains the new access-list, ca, crypto, ipsec, isakmp, and map commands.
The PIX Firewall IPSec implementation supports both data transmission through the PIX Firewall for establishing a VPN security gateway and termination at the PIX Firewall for remote management of a security client.
PIX Firewall Manager version 4.3(2)c now works with PIX Firewall version 5.0, but does not support any new feature or command from either version 4.4 or version 5.0. You can use this interface for managing syslog messages and configuring many of the PIX Firewall features. Refer to the Release Notes for the PIX Firewall Manager Version 4.3(2)c for more information. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/pfm432c.htm
A new version of the PIX Firewall Setup Wizard is available that works with PIX Firewall version 5.0. The Setup Wizard simplifies the PIX Firewall installation. Refer to Chapter 9, "Installing the PIX Firewall Setup Wizard," in the Installation Guide for the Cisco Secure PIX Firewall Version 5.0 for more information. This product is available on CCO for download in the PIX Firewall directory. The installation filename is psw501.exe. You can view the installation guide online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/instlgd/index.htm
PIX Firewall has been renamed the Cisco Secure PIX Firewall. The name change is being incorporated gradually: although the software and book titles have changed, you still need to access software on CCO using the older name. The name change will be completed throughout the network by the next release.
With IPSec configured, you can now remotely manage a PIX Firewall from the outside interface with Telnet access to the console.
The Stateful Failover feature provides a mechanism for hardware and software redundancy by allowing two identical PIX Firewall units to serve the same functionality in case one fails in an unattended environment. Normally, one PIX Firewall is considered the Active unit while the other is the Standby unit. The Active unit actively performs normal network functions while the Standby unit only monitors, ready to take control should the Active unit fail.
The Stateful Failover feature has been enhanced so that the stateful connection information is passed on to the Standby unit during a failover. Previously, the existing connections would be lost after a switchover because stateful connection information was not passed on to the Standby unit.
As a result, client applications had to perform a new connect to restart communication. Currently, during a failover, the Active unit passes all stateful connection information to the Standby unit, thereby continuing a connection with the client application.
The Stateful Failover feature uses the new failover link command to specify a LAN link for passing state information.
PIX Firewall now supports Voice over IP in its H.323 RAS feature; however, Cisco CallManager, also known as the "skinny protocol," is not supported.
The following commands are new in version 5.0:
The following new options were added to existing commands:
The age, link, and linkpath commands have been removed. VPN support is now handled with the IPSec feature.
The following notes contain valuable installation information:
1. Refer to the Installation Guide for the Cisco Secure PIX Firewall Version 5.0 for installation information.
2. The ISA slot Private Link card, also known as the PL1 card, is no longer supported by the PIX Firewall. Refer to the Installation Guide for the Cisco Secure PIX Firewall Version 5.0 for information about how to remove this card.
For new installations, each network interface is disabled. Each interface you intend to use must be explicitly enabled. In a new installation, if you use the write terminal command to locate the interface command statements, each interface appears with the shutdown command, as shown in this example for a unit with two Ethernet interfaces:

```
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
```
To enable access to these interfaces, enter the interface commands in your configuration as follows:
```
interface ethernet0 auto
interface ethernet1 auto
```
Before upgrading, write down your activation key and save a copy of your configuration.
1. The clear flashfs command must be used before downgrading a PIX Firewall from version 5 back to any version 4 release. Neglecting this step may cause Flash memory problems during a subsequent upgrade to a version 5 release, even if you make the upgrade months in the future.
This point is critical and you must remember to always use the clear flashfs command before you downgrade from version 5.
An example of how you can accidentally corrupt your Flash memory is as follows. Starting a downgrade, you enter the clear flashfs command and reboot. As the unit reboots, you realize that you did not insert the version 4 diskette and that the firewall is just restarting the current version.
At this point, you should let the current version finish restarting and then enter the clear flashfs command before rebooting again. However, if you are used to the previous behavior of the PIX Firewall, you can easily run into a problem as follows.
Without waiting for the reboot to complete, you insert the version 4 diskette and press the reboot switch. At this moment, you have gone from version 5 to version 4 without entering the clear flashfs command. Version 4 will work correctly, but if you later upgrade to version 5 or later, the Flash memory will have problems in the special file system area of the Flash memory that is new to version 5.
You can fix the Flash memory problems by inserting the version 5 diskette, starting the new version, and immediately issuing the clear flashfs and reload commands. Do not use the write memory command until after the unit reboots from this fix.
2. The datafile area, used to store the PKI data in version 5.0, has no parallel in version 4 and will be lost during downgrades to version 4.
3. If you downgrade from version 5.0 to a version 4 release, the activation key used in version 5.0 will not work in version 4. Before upgrading from a version 4 release, write down your activation key and save a copy of your configuration. In any downgrade, commands unique to version 5.0 will be lost in the earlier version.
The following limitations and restrictions are present in this release:
1. You must have a new activation key before you can use any of the IPSec features or commands. You can have a new activation key sent to you by completing the form at:
2. A PIX Firewall providing IPSec termination to Cisco Secure VPN Clients may not at the same time provide IPSec peer termination with another gateway device, such as another PIX Firewall or Cisco router.
3. DNAT IP addresses are not supported with IPSec in version 5.0(1). (DNAT IP addresses are created with the alias command.)
4. The maximum configuration size in this release is 350 KB.
Read the following notes for additional information on this version. Notes listed here may be fixed before the Configuration Guide for the Cisco Secure PIX Firewall Version 5.0 is reprinted next.
The clear config secondary command does not clear TFTP entries. The documentation for previous versions of PIX Firewall incorrectly indicated that this command would clear TFTP entries.
If the right parenthesis is accidentally omitted when entering the interface option in the aaa-server, alias, apply, global, nat, static, or url-server commands, the following message appears:
invalid global IP address
You will need to reenter the command correctly until the error message no longer appears; this can take from 5 to 10 attempts.
The change of a domain or host name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs with the ca zeroize rsa command and delete related certificates with the no ca identity ca_nickname command.
1. On PIX10000 and older PIX Firewall units running version 5.0 with failover disabled, the following messages may appear during startup and can be ignored:

```
**** WARNING ***
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
```
2. Stateful Failover does not save state for HTTP Web connections. These connections can re-establish themselves quickly on their own. In addition, RIP state information is not stored, but is re-established within 30 seconds.
3. The Stateful Failover dedicated interface needs to be one of the following:
(a) Cat 5 crossover cable directly connecting the Primary unit to the Secondary unit.
(b) 100BaseTX half duplex hub using straight Cat 5 cables.
(c) 100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.
4. Because of the increased speed requirements, use of Stateful Failover on Token Ring interfaces or on LANs using VPN is not supported.
5. The PIX Firewall failover Standby unit is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty. When the unit reboots, the following message displays at the console:
```
=========================NOTICE ==========================
This machine is running in secondary mode without
a connection to an active primary PIX. Please
check your connection to the primary system.
REBOOTING....
==========================================================
```
6. If a failover-only PIX Firewall is not attached to a failover cable or is attached to the Primary end of a failover cable, then it will hang at boot time. It must be a Secondary unit.
7. Because the PIX Firewall clock is stored in the CMOS, you need to specify the clock set time command on the Active PIX Firewall to synchronize the time on both PIX Firewall units.
8. In the event of a failover, information on idle TCP connections is not always sent to the Standby unit when using Stateful Failover. This can cause idle TCP connections to be dropped. The information is sent correctly approximately 66% of the time, but approximately 34% of the time it is not.
FDDI interfaces cannot be shut down using the shutdown option to the interface command.
In version 5.0, interfaces are shut down by default and must be explicitly enabled by reentering the interface command for each interface you want to operate.
The following sections provide important information about using IPSec with the PIX Firewall.
PIX Firewall only supports the Entrust and VeriSign certification authority (CA) servers. Support for other servers will be provided in the next major release. PIX Firewall only supports Entrust version 4.0. VeriSign support is provided through the VeriSign Private Certificate Services (PCS) and the OnSite service, which lets you establish a CA system for issuing digital certificates.
IPSec depends on the PIX Firewall clock being set (using the clock command). The PKI (public key infrastructure) feature uses the clock to check that the CRL (certificate revocation list) has not expired.
1. Version 5.0 provides new debug commands (described in "New Commands"). We recommend you enable these commands before creating IPSec command statements.
2. Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.
3. If creating certificates with Entrust, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug command is enabled. If you enter the fingerprint value incorrectly, the only warning message that the value is not correct appears in the debug crypto ca command output.
4. Output of the show ipsec sa command lists the PCP protocol. This is a compression protocol that came with the Cisco IOS code on which the PIX Firewall IPSec implementation is based; however, PIX Firewall does not support the PCP protocol.
1. If you use the Entrust CA, PIX Firewall supports the newest VPN Connector version 4.1 (build 4.1.0.337).
2. If creating certificates with Entrust, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug command is enabled. If you enter the fingerprint value incorrectly, the only warning message that the value is not correct appears in the debug crypto ca command output.
1. PIX Firewall sets the sysopt connection tcpmss 1380 value by default even though this command does not appear in the default configuration. The calculation for setting the TCP maximum segment size to 1380 bytes is as follows:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
1500 bytes is the MTU for Ethernet connections.
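As an added example (not Cisco's code), the following Python reproduces the MSS arithmetic above and generalizes it to other MTUs and transform sets, so an operator can see which `sysopt connection tcpmss` value keeps tunnelled TCP segments from fragmenting. The per-header byte costs are the ones quoted in the note; the `ah`, `esp` and `esp_auth` switches are assumptions for illustration.

```python
"""IPSec overhead budget behind the PIX default `sysopt connection tcpmss 1380`.

Added example (not Cisco's code): reproduces the release-note arithmetic
1380 + 20 TCP + 20 IP + 24 AH + 24 ESP cipher + 12 ESP auth + 20 outer IP = 1500
and generalizes it to other MTUs and transform combinations.
"""

# Per-header byte costs as given in the release note.
TCP_HEADER = 20
INNER_IP_HEADER = 20
OUTER_IP_HEADER = 20          # tunnel mode adds a second (outer) IP header
AH_OVERHEAD = 24
ESP_CIPHER_OVERHEAD = 24      # ESP header, IV and padding/trailer for a DES-class cipher
ESP_AUTH_OVERHEAD = 12        # truncated HMAC integrity check value

ETHERNET_MTU = 1500


def tunnel_overhead(ah: bool = True, esp: bool = True, esp_auth: bool = True) -> int:
    """Bytes added around the TCP payload by IP, TCP and the selected IPSec transforms."""
    total = TCP_HEADER + INNER_IP_HEADER + OUTER_IP_HEADER
    if ah:
        total += AH_OVERHEAD
    if esp:
        total += ESP_CIPHER_OVERHEAD
        if esp_auth:
            total += ESP_AUTH_OVERHEAD
    return total


def max_tcp_mss(mtu: int = ETHERNET_MTU, **transforms: bool) -> int:
    """Largest TCP MSS whose encapsulated packet still fits in `mtu` without fragmentation."""
    mss = mtu - tunnel_overhead(**transforms)
    if mss <= 0:
        raise ValueError(f"MTU {mtu} cannot carry the selected IPSec transforms")
    return mss


def budget_line(mss: int, **transforms: bool) -> str:
    """Render the byte breakdown in the same form as the release note, for a change record."""
    parts = [f"{mss} data", f"{TCP_HEADER} TCP", f"{INNER_IP_HEADER} IP"]
    if transforms.get("ah", True):
        parts.append(f"{AH_OVERHEAD} AH")
    if transforms.get("esp", True):
        parts.append(f"{ESP_CIPHER_OVERHEAD} ESP_CIPHER")
        if transforms.get("esp_auth", True):
            parts.append(f"{ESP_AUTH_OVERHEAD} ESP_AUTH")
    parts.append(f"{OUTER_IP_HEADER} IP")
    return " + ".join(parts) + f" = {mss + tunnel_overhead(**transforms)} bytes"


if __name__ == "__main__":
    print(budget_line(max_tcp_mss()))                    # the note's 1380-byte case
    print(budget_line(max_tcp_mss(ah=False), ah=False))  # an ESP-only tunnel leaves more room
```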
2. Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec traffic to pass through the PIX Firewall without a conduit check. If the sysopt connection permit-ipsec command is not configured, you must explicitly configure a conduit command statement to permit IPSec traffic to traverse the PIX Firewall.
IKE negotiations with a remote peer may hang when a PIX Firewall has numerous tunnels that originate from the PIX Firewall and terminate on a single remote peer. This problem occurs when perfect forward secrecy (PFS) is not enabled and the local peer requests many simultaneous rekey requests. If this problem occurs, the IKE SA will not recover until it has timed out or until you manually clear it with the clear isakmp sa command. PIX Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If your configuration is affected, enable PFS with the crypto map mapname seqnum set pfs command.
1. If you do not have a DES or Triple DES activation key, an ISA Private Link card no longer causes an export message to appear in the startup messages.
2. The PCI slot Private Link VPN card is now accessed by IPSec. Use of this card accelerates IPSec processing.
3. The former ISA slot Private Link cards are no longer supported with version 5.0 software and should be removed.
1. If you use the VeriSign CA, specify the crloptional option to the ca configure command.
2. Neither Cisco IOS nor PIX Firewall currently works with the VeriSign CRL. VeriSign is reportedly working on a fix for this.
3. Using the RSA-sig feature with the VeriSign certification authority, PIX Firewall is able to establish a security association with a router, but the security association eventually fails. When the failure occurs, the router displays "Querying key pair failed." The PIX Firewall retransmits the phase 1 authentication indefinitely.
1. When VPN is not enabled, the following error message appears when you enter a VPN-related command, such as crypto, ca, isakmp, or any command that may have a hidden association with VPN, such as the clear config command:
VPN-DES is not enabled with current activation key.
2. PIX Firewall negotiates indefinitely when its peer has a revoked IPSec certificate.
PIX Firewall does not support multicast RAS messages in this release.
PIX Firewall Setup Wizard version 5.0(1) does not support the new failover link option that enables Stateful Failover. You can set this command manually from the PIX Firewall command line interface.
The MIB-II ifEntry.ifAdminStatus object returns 1 if the interface is accessible and 2 if you administratively shut down the interface using the shutdown option to the interface command.
If you have access to CCO, you can obtain the latest version of the PIX Firewall software online at:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
When DNS traffic is logged, the ID field in the DNS response packet appears in the source port field.
If you do not specify an interface name, the telnet command adds command statements to the configuration that let the host or network access the Telnet console from all internal interfaces, but not from the outside interface. The resulting show telnet output may not seem to make sense at first. For example, if you enter the telnet command without a network mask or interface name:

```
telnet 192.168.1.1
```
If you then use the show telnet command, PIX Firewall inserts a command statement for each internal interface:
```
show telnet
192.168.1.1 255.255.255.255 inside
192.168.1.1 255.255.255.255 intf2
192.168.1.1 255.255.255.255 intf3
```

The show telnet output indicates that, were it possible, the 192.168.1.1 host could access the Telnet console from any of these internal interfaces. In addition, to remove access for the host, you must delete each associated command statement, as shown in the following example:

```
no telnet 192.168.1.1 255.255.255.255 inside
no telnet 192.168.1.1 255.255.255.255 intf2
no telnet 192.168.1.1 255.255.255.255 intf3
```
The PIX 515 requires that you download images from a TFTP server. Cisco provides a TFTP server application that you can download for free at:
http://www.cisco.com/cgi-bin/tablebuild.pl/tftp
Table 1 lists the open caveats in version 5.0(1):
| DDTS Number | Description |
|---|---|
| CSCdp03116 | A PIX Firewall providing IPSec termination to Cisco Secure VPN Clients may not at the same time provide IPSec peer termination with another gateway device, such as another PIX Firewall or Cisco router. |
| CSCdp02637 | Under heavy traffic over a number of hours of operation, displaying ISAKMP security associations can cause the PIX Firewall to reboot. |
| CSCdp02616 | A typographical error accidentally entered on a command line can cause a spurious error message even after the command is reentered correctly. If you reenter the correct command a second time, the command is then accepted. |
| CSCdm95406 | The ca conf command has a parameter to specify the number of enrollment attempts the PIX Firewall should make. The default value of zero indicates that the PIX Firewall should continue trying to enroll until it gets a response from the certification authority (CA). This setting is appropriate to most environments. However, if you configure this command for a specific number of enrollment attempts, and the PIX Firewall does not get a response from the CA within that specified limit, then before any subsequent enrollment attempts, use the no ca conf command followed by the original ca conf command to clear the retry counter. |
| CSCdm94541 | Entering an Entrust fingerprint incorrectly creates an unusable certificate. The error message that indicates an error occurred only appears in the output of the debug crypto ca command, not as a regular error message on the console. For this reason, always use the debug crypto ca command before creating a certificate. |
| CSCdm92876 | In the event of a failover, idle TCP connection information is not always sent to the Standby unit when using Stateful Failover, which can cause the idle TCP connection to be dropped. The information is sent correctly approximately 66% of the time, but approximately 34% of the time it is not. |
| CSCdm69004 | PIX Firewall negotiates indefinitely when its peer has a revoked IPSec certificate. |
| CSCdm64261 | Using the RSA-sig feature with the VeriSign certification authority, PIX Firewall is able to establish a security association with a router, but the security association eventually fails. When the failure occurs, the router displays "Querying key pair failed." The PIX Firewall retransmits the phase 1 authentication indefinitely. |
Table 2 lists the externally found caveats fixed in version 5.0(1):
| DDTS Number | Description |
|---|---|
| CSCdm66305 | PIX Firewall now displays an error if you enter static command statements in which the IP address ranges overlap. Previously, you could enter command statements such as `static (inside,outside) 209.165.201.1 192.168.1.1` and `static (inside,outside) 209.165.201.0 192.168.1.1`, which caused two global IP addresses to be assigned to the same local address. |
| CSCdm66259 | Syslog IP address options now list the correct values. |
| CSCdm61027 | Token Ring MTU (maximum transmission unit) code no longer has a 16-byte miscalculation. Formerly, if you set the MTU of the Token Ring interface to the same size as the Ethernet MTU in a mixed environment, packet loss occurred on the Token Ring. |
| CSCdm55622 | PIX Failover no longer assigns an incorrect MAC address before the configuration is stored after failover. Formerly, when failover occurred, the secondary PIX Firewall became active before the reconfiguration of the failover unit's NIC was complete. |
| CSCdm55298 | PIX Firewall now allows TFTP on interfaces other than the inside. An interface argument has been added to the tftp-server command. |
| CSCdm50692 | If another task is using the Flash memory device, such as when two administrators accessing the console from Telnet both issue the show config command, the following message now displays: "The flash device is in use by another task." |
| CSCdm45429 | The teardown syslog messages now state who sent the TCP Reset message. More information has been added to syslog messages in the PIX Firewall. |
| CSCdm44424 | PIX Firewall fails with an assertion error if the unit has only 8 MB of RAM. 16 MB of RAM is required to run versions 4.4 and 5.0 and later. |
| CSCdm06714 | PIX Firewall now supports Voice over IP in its H.323 feature. |
| CSCdk89540 | The PIX Firewall command line parser now checks for overlapping static command statement addresses. |
| CSCdk59856 | PIX Firewall now supports Cisco Multimedia Conference Manager (MCM), a video conferencing product, which is described in the section "H.323 RAS Support." |
| CSCdk50579 | The new sysopt nodnsalias inbound command disconnects DNS A record fixups from interaction with the alias command. Formerly, when a DNS server was on a perimeter interface, use of the alias command required reversing the two argument IP addresses for the command to work correctly. This new command applies this fix to all inbound DNS A record fixups. |
| CSCdk10767 | PIX Firewall now supports the access-list and access-group commands, which operate the same as those in Cisco IOS. |
| CSCdj17840 | SNMP traps can now be passed through the PIX Firewall in a connection. |
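As an added example (not Cisco's or the PIX parser's code), this Python script performs the overlap check that CSCdm66305 and CSCdk89540 describe against a saved configuration, so overlapping static statements can be caught in review before they reach a unit still running an earlier release. The sample configuration lines are constructed from the ones quoted in the caveat, and the netmask handling assumes a host mask when none is given.

```python
"""Lint PIX `static` statements for overlapping address mappings.

Added example (not Cisco's code). Two statics on the same interface pair whose
global or local address ranges overlap produce ambiguous translations; version
5.0(1) rejects them at the command line, and this script finds them offline.
"""
import ipaddress
import re

# Matches: static (<in>,<out>) <global> <local> [netmask <mask>] ... (remaining options ignored)
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<iface_in>[\w-]+),(?P<iface_out>[\w-]+)\)\s+"
    r"(?P<glob>\d+\.\d+\.\d+\.\d+)\s+(?P<loc>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)


def parse_statics(config_text):
    """Return (line_no, (iface_in, iface_out), global_net, local_net) for each static statement."""
    entries = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = STATIC_RE.match(line)
        if not m:
            continue
        # Assumption: a static without `netmask` translates a single host.
        mask = m.group("mask") or "255.255.255.255"
        glob = ipaddress.ip_network(f"{m.group('glob')}/{mask}", strict=False)
        loc = ipaddress.ip_network(f"{m.group('loc')}/{mask}", strict=False)
        entries.append((line_no, (m.group("iface_in"), m.group("iface_out")), glob, loc))
    return entries


def find_overlaps(config_text):
    """Report (line_a, line_b, side) for statics on the same interface pair whose
    global ('global') or local ('local') ranges overlap."""
    findings = []
    entries = parse_statics(config_text)
    for i, (ln_a, ifs_a, glob_a, loc_a) in enumerate(entries):
        for ln_b, ifs_b, glob_b, loc_b in entries[i + 1:]:
            if ifs_a != ifs_b:
                continue  # different interface pairs never collide
            if glob_a.overlaps(glob_b):
                findings.append((ln_a, ln_b, "global"))
            if loc_a.overlaps(loc_b):
                findings.append((ln_a, ln_b, "local"))
    return findings


# Constructed sample: the two statements quoted in CSCdm66305 plus two clean ones.
SAMPLE_CONFIG = """\
static (inside,outside) 209.165.201.1 192.168.1.1
static (inside,outside) 209.165.201.0 192.168.1.1
static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
static (inside,dmz) 209.165.202.0 192.168.2.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    for ln_a, ln_b, side in find_overlaps(SAMPLE_CONFIG):
        print(f"lines {ln_a} and {ln_b}: overlapping {side} addresses")
```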
Use this document in conjunction with the PIX Firewall documentation available online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
Cisco provides PIX Firewall technical tips at:
http://www.cisco.com/warp/public/110/index.shtml#pix
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Wed Jan 5 16:26:10 PST 2000
Copyright © 2000 Cisco Systems Inc.