November 24, 1999
The Cisco Secure PIX Firewall provides secure networking and network address translation.
This document contains the following sections:
Version 5.0 requires at least 2 MB of Flash memory and at least 32 MB of RAM memory, although it will boot in 16 MB of RAM and work with a small configuration. The maximum configuration size is 350 KB for all PIX Firewall models. Use the show version command to verify how much memory is in your Flash memory and RAM. Installation instructions for replacing Flash or RAM memory are described in the Installation Guide for the Cisco Secure PIX Firewall Version 5.0.
Version 5.0(2) consists of bug fixes and new features. No commands were removed. This document describes only changes that occurred in version 5.0(2). For information on 5.0(1) features, installation notes, limitations and restrictions, usage notes, and caveats, refer to the 5.0(1) release notes at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/pixrn501.htm
Unless noted otherwise, all information in the version 5.0(1) release notes applies to version 5.0(2).
The sysopt ipsec pl-compatible command is new in version 5.0(2). This command provides Private Link compatibility to the IPSec feature. When this command is in use, foreign PIX Firewall users can access the current PIX Firewall over a virtual private network (VPN) link.
The Private Link compatibility feature simulates the version 4 Private Link feature by allowing incoming packets to terminate on the inside interface and to bypass NAT processing.
To allow an inside host to access the Internet using clear text or an encrypted tunnel, the PIX Firewall determines whether a packet is destined for a tunnel. To make this determination, the PIX Firewall routes the packet to the outside destination interface to which the crypto map for the tunnels is bound. Because the PIX Firewall bypasses NAT processing, it cannot use the NAT xlate (translation) table and requires that you enter static route command statements for all subnets of all interfaces that use the intra-PIX Firewall routing.
With version 4 Private Link, PIX Firewall required you to enumerate all subnets of all interfaces using the route command; however, Private Link did not require static route command statements for subnets defined in the global pool or with static command statements because they were created automatically and stored in the xlate table.
Although the PIX Firewall currently can simulate the Private Link inside termination with the use of the sysopt ipsec pl-compatible command, the termination on the inside interface is not a true termination. The use of the sysopt ipsec pl-compatible command allows IPSec packets to bypass the NAT and ASA features, and enables incoming IPSec packets to terminate on the inside interface only after initially terminating on the outside interface.
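The following configuration fragment is an added example and is not taken from the release notes or from Cisco; it shows a three-interface PIX Firewall that enables the Private Link compatibility feature together with the static route command statements that the feature requires because the xlate table is bypassed. The interface names, addresses, internal subnets and the crypto map name "vpnmap" are assumed for illustration; the IPSec policy itself is assumed to be configured elsewhere and is omitted.

```text
: Added example configuration (not from the release notes); all addresses,
: subnets and the crypto map name "vpnmap" are assumed values.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
: Default route toward the Internet. The tunnels are bound to this
: interface by the crypto map, which is where the PIX Firewall decides
: whether a packet belongs to a tunnel.
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
crypto map vpnmap interface outside
: With pl-compatible enabled, IPSec packets bypass NAT and the ASA
: features, so the xlate table cannot be used to route back to internal
: networks. Each internal subnet whose hosts start connections to a
: lower security interface therefore needs an explicit route statement;
: without these, non-IPSec traffic from that subnet stops (assumed subnets).
route inside 10.1.10.0 255.255.255.0 10.1.1.254 1
route inside 10.1.20.0 255.255.255.0 10.1.1.254 1
route dmz 10.2.20.0 255.255.255.0 10.2.2.254 1
sysopt ipsec pl-compatible
```

Before enabling the command on a production unit, confirm with the show route command that every internal subnet that must initiate connections outward appears with a static entry; a subnet that is missing from the table loses its non-IPSec connectivity as soon as the sysopt command takes effect.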
1. The show version command output now includes the activation key after the serial number at the end of the display.
2. The prompt string in the auth-prompt command can be a maximum of 177 characters in this release instead of 256.
No new installation notes were added in version 5.0(2).
The following limitations and restrictions were added in version 5.0(2):
1. The sysopt ipsec pl-compatible command stops all non-IPSec traffic unless you add static route command statements for every host on every internal interface wanting to start connections to a lower security interface.
2. The clear access-list command stops all PIX Firewall traffic.
The following usage notes apply to version 5.0(2):
The clear access-list command stops all traffic through the PIX Firewall.
Version 5.0 supports Token Ring interfaces with a high speed Ethernet Stateful Failover interface connection. Version 5.0 also supports FDDI interfaces with non-Stateful Failover.
1. PIX Firewall supports only the Entrust and VeriSign certification authority (CA) servers. Support for other servers will be provided in the next major release. PIX Firewall supports only Entrust version 4.0. VeriSign support is provided through the VeriSign Private Certificate Services (PCS) and the OnSite service, which lets you establish a CA system for issuing digital certificates.
2. When you use mode config on the PIX Firewall, the routers handling the IPSec traffic must also support mode config.
3. The second note in the Limitations and Restrictions section of the Release Notes for the Cisco Secure PIX Firewall Version 5.0(1) that stated "A PIX Firewall providing IPSec termination to Cisco Secure VPN Clients may not at the same time provide IPSec peer termination with another gateway device, such as another PIX Firewall or Cisco router" is no longer correct.
PFSS (PIX Firewall Syslog Server) version 4.4(2) is now available for use with PIX Firewall version 5.0(1) and version 5.0(2). If you have a CCO login, you can download the pfss442.exe file at this site:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same file name on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first ":end" mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration. This does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.
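The script below is an added example, not part of the release notes or of any Cisco tool. It applies the behaviour described above (the configure net command stops reading at the first ":end" mark) to a configuration file as stored on a TFTP server and reports any residue left after that mark, so an administrator can tell stale text from the configuration the PIX Firewall actually loads. The sample configuration text is constructed for illustration; the interface names, addresses and commands in it are assumed values.

```python
"""Detect stale text after the first ':end' mark in a stored PIX configuration.

Added example (not from the Cisco release notes). It mimics the documented
reading behaviour of 'configure net', which stops at the first ':end', and
reports the residue that some TFTP servers leave when a shorter configuration
overwrites a longer one under the same file name.
"""

END_MARKER = ":end"

# Constructed sample: a short configuration saved over an older, longer one.
# The old tail (a route and a static) survived past the first ':end'.
SAMPLE_STORED_CONFIG = """\
: Saved
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.1.1.1 255.255.255.0
sysopt ipsec pl-compatible
:end
route inside 10.9.9.0 255.255.255.0 10.1.1.254 1
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
:end
"""


def split_at_end_marker(text):
    """Return (active_lines, residue_lines).

    active_lines is what the PIX Firewall loads; residue_lines is everything
    after the first line consisting of ':end', which the PIX Firewall ignores.
    """
    lines = text.splitlines()
    for index, line in enumerate(lines):
        if line.strip() == END_MARKER:
            return lines[:index], lines[index + 1:]
    # No marker at all: the whole file is read and nothing is ignored.
    return lines, []


def residue_commands(text):
    """Return the command lines left after the first ':end'.

    Blank lines and ':'-prefixed comment lines (including a second ':end')
    are dropped; what remains is the text an administrator might mistake
    for active configuration when viewing the file on the TFTP server.
    """
    _, residue = split_at_end_marker(text)
    return [line for line in residue
            if line.strip() and not line.lstrip().startswith(":")]


def report(text):
    """Print a short summary and return True when stale commands are present."""
    active, residue = split_at_end_marker(text)
    stale = residue_commands(text)
    print(f"active lines: {len(active)}, "
          f"ignored lines after first ':end': {len(residue)}")
    for line in stale:
        print(f"  stale: {line}")
    return bool(stale)


if __name__ == "__main__":
    report(SAMPLE_STORED_CONFIG)
```

Run it against a copy of the file fetched from the TFTP server; a non-empty stale list means the server kept part of the previous, longer configuration, which is harmless to the PIX Firewall but worth cleaning up so that the stored file matches what the unit runs.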
There are no new open caveats in version 5.0(2).
Table 1 lists the resolved caveats fixed in version 5.0(2):
Use this document in conjunction with the PIX Firewall documentation at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
Cisco provides PIX Firewall technical tips at the following site:
http://www.cisco.com/warp/public/110/index.shtml#pix
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW).
The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Sat Dec 11 20:34:57 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.