|
|
March 2000
The Cisco Secure PIX Firewall provides secure networking and NAT (Network Address Translation).
This document contains the following sections:
Version 5.1 requires the following:
1. If you are upgrading from a previous version on a PIX Firewall with a diskette drive, you must create a Boothelper diskette and download the version 5.1 image from TFTP. Attempting to put the image directly on diskette causes the rawrite program to fail.
2. PIX Firewall must have at least 32 MB of RAM memory or the PIX Firewall unit will not boot. Use the show version command to verify how much RAM is in your PIX Firewall unit.
3. PIX Firewall requires at least 2 MB of Flash memory although support is provided for both 2 MB and 16 MB Flash memory cards. The maximum configuration size with the 16 MB Flash memory card is 1 MB. A PIX Firewall unit containing a 16 MB Flash memory card cannot be downgraded to version 4.4(1), 4.4(2), 5.0(1), or 5.0(2) without causing irreparable harm to the Flash memory card.
4. If you use mode configuration with the PIX Firewall, any routers on the IPSec connection must run Cisco IOS Release 12.0.6T or later.
5. If you are upgrading from version 4 or earlier and want to use the IPSec or VPN features or commands, you must have a new activation key. Before getting a new activation key, write down your old key in case you want to downgrade back to version 4. You can have a new activation key sent to you by completing the form at the following site:
6. If you are using PFSS (PIX Firewall Syslog Server), we recommend that you install Windows NT Service Pack 6 to fix Y2K conflicts in Windows NT.
7. If you are upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Installation Notes" for new installation requirements.
You can use PIX Firewall version 5.1 with the PIX Firewall Manager version 4.3(2)d. Refer to the Release Notes for the PIX Firewall Manager Version 4.3(2)d for more information. You can view this document online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/pfm432d.htm
The PIX Firewall Manager (PFM) lets you manage PIX Firewall units; however, it does not let you configure any PIX Firewall features added after version 4.3(2).
The "Frequently Asked Questions" section in the PFM release notes is new in this release and provides useful troubleshooting information.
Cisco Security Manager (CSM), version 1.1, provides policy-based management support for PIX Firewall units running version 4.2(4), 4.2(5), 4.4(1), 4.4(2), and 4.4(3) software images.
Refer to Appendix A, "Using Unsupported PIX Firewall Commands," in the Cisco Security Manager Tutorial for information about the PIX Firewall commands the CSM supports. You can view the CCO version of the Cisco Security Manager Tutorial at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/ismg/security/tutorial/index.htm
Version 5.1(1) consists of bug fixes and new features.
The sections that follow describe each new feature.
More details are provided in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1. You can view this document online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/index.htm
PIX Firewall now supports an ISA-bus 16 MB Flash memory card for all PIX Firewall models except the PIX 515, which already has a 16 MB Flash memory unit built into the motherboard. Use the new 16 MB Flash memory card to replace your current 2 MB Flash memory card. (You must not use both the old Flash memory card and the new card together.)
Use of the 16 MB Flash memory card increases the maximum configuration size to 1 MB.
The 16 MB Flash memory card driver has been enhanced so that older PIX Firewall models can use the 16 MB card with software version 5.1(1) or later.
The aaa command now supports selection by service. See "aaa Command" for more information.
If you are using a PIX Firewall unit with a diskette drive, the PIX Firewall image no longer fits on a diskette. You need to download the Boothelper file, bh511.bin, from Cisco Connection Online (CCO) to let you download the PIX Firewall image with TFTP. Boothelper only works with version 5.1 or later images and cannot pass the image over a Gigabit Ethernet interface. See "Installation Notes" for more information. You can view Boothelper information online in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/config.htm
The Cisco Firewall MIB and Cisco Memory Pool MIB are now available. These MIBs provide the following PIX Firewall information via SNMP:
For more information, refer to "Using the Firewall and Memory Pool MIBs" in Chapter 3, "Advanced Configurations" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1. You can view this chapter online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/advanced.htm
The following virtual re-assembly features are new in version 5.1:
fh_insertb: too many fragments(12) in set
You can now log URLs and FTP commands for both inbound and outbound connections. This feature is enabled automatically when you specify syslog level 7 (debugging) with the logging command.
PIX Firewall now supports 1000 Mbps (gigabit) Ethernet. The gigabit interface cards use the gb-ethernet device name and only have one hardware speed and the following options:
An example interface command for a gigabit interface follows:
interface gb-ethernet0 1000auto
Gigabit interface cards do not provide information for the extended show interface command counters introduced in version 5.0(3).
Gigabit Ethernet uses the same MTU as 10/100 Ethernet.
See "Installation Notes" for how to use the Boothelper diskette, and how to download and use a TFTP server, or you can view this information online in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/config.htm
The following IPSec improvements are new to this release:
The IPSec command interface has the following changes:
1. Any traffic selectable by the access-list command and negotiated by IKE can be used. ICMP type and code cannot be used because there is no mechanism to negotiate these selectors by IKE.
2. Multiple crypto map command statements can be bound to multiple interfaces. However, only one crypto map command statement can be bound to a single interface.
3. sysopt ipsec pl-compatible command---the previous need for static routes for non-IPSec traffic is removed.
4. New debug crypto ipsec command.
You can view command information online in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/commands.htm
The ActiveX and Java applet filtering implementation has been improved. Formerly, filtering Java applets was handled by the outbound command. The new implementation has been placed in the filter command and lets users receive a web page but with the Java applets disabled. The previous behavior dropped the connection when an applet was encountered.
The ActiveX filtering mechanism, which also is handled by the filter command has been improved to more reliably detect objects and screen out their use.
Point-to-Point Tunneling Protocol (PPTP) is a layer 2 tunneling protocol which lets a remote client use a public IP network to communicate securely with servers at a private corporate network. PPTP can tunnel the IP protocol. RFC 2637 describes the PPTP protocol.
RAS (Registration, Admission, and Status) handles multimedia applications such as video conferencing and Voice over IP that require video and audio encoding. PIX Firewall now supports RAS version 2.
PIX Firewall now supports RIP version 2. This implementation supports Cisco IOS software standards, which conform to RFC 1058, RFC 1388, and RFC 2082 of RIPv2 with text and keyed MD5 authentication.
A number of extensions were added to the route command in this release. Refer to "route Command" for more information.
PIX Firewall now provides the rtsp option to the fixup command. This feature lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. See "fixup rtsp Command" for more information.
The logging command now lets you specify separate message levels for syslog and SNMP. See "logging Command" for more information.
See "copy tftp flash Command" for more information on copying a new software image via TFTP. This feature permits remote management where a binary image can be uploaded without accessing monitor mode.
The Xauth (extended authentication) feature lets you deploy IPSec to remote users to gain the privacy and packet-level authentication available with IPSec. This feature provides authentication by prompting for user credentials and verifies them with the information stored in Cisco Secure Database in the VPN environment (AAA with VPN).
Extended authentication is negotiated between IKE phase 1 and IKE phase 2 at the same time as mode configuration. Authentication is performed using your existing TACACS+ or RADIUS authentication system.
The extended authentication feature is enabled with the crypto map command.
PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) to handle an XWindows TCP back connection. XDMCP handling is enabled by default. XDMCP uses UDP port 177. XWindows uses TCP ports 6000 through 6063.
The sections that follow describe the new commands in this release.
The copy tftp flash command lets you change software images without requiring access to the TFTP monitor mode. An image you download is made available to the PIX Firewall on the next reload (reboot).
The copy tftp flash command requires that routing be configured. In certain cases such as with IPSec configuration, a ping from the PIX Firewall to the TFTP server may be successful even without complete routing information. However, the success of the ping command does not guarantee that the copy tftp flash command will be successful.
The vpdn command implements the PPTP feature.
More details are provided in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1. You can view this document online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/index.htm
The aaa include and exclude options let you select which services are permitted or denied from authentication, authorization, and accounting.
The show access-list command now lists a hit count that indicates the number of times an element has been matched during a access-list command search.
The previous restriction that prohibited the use of the access-list command with the conduit or outbound commands has been lifted.
The maximum length of the prompt string is 235 characters.
The show conduit command now lists a hit count that indicates the number of times an element has been matched during a conduit command search.
The clear interface command clears all interface statistics except the number of input bytes. This command no longer shuts down all system interfaces. The clear interface command works with all interface types except gigabit Ethernet.
The crypto map client authentication command enables the extended authentication (Xauth) feature.
The debug crypto ipsec command provides new debug messages. You can display debugging messages with the logging command.
The established command has been enhanced to include a new source port. By designating 0 as the destination port, you can use the show established command to display the port as it is allocated. See "XDMCP Support" for more information.
This change is backward compatible with previous PIX Firewall software versions and will not cause problems with an existing configuration.
The fixup rtsp command lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP.
The default port for this command is TCP 554. This command does not fix RTSP UDP connections. PIX Firewall PAT is not supported with the fixup rtsp command. PIX Firewall does not yet have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.
The interface command now supports the gb-ethernet option for gigabit Ethernet.
The logging command now lets you specify different message levels for syslog and SNMP. You can set the message levels for SNMP with the logging history snmp_message_level command. The logging trap syslog_message_level command now only sets the syslog message level.
The logging queue command lets you specify the number of messages in the syslog message queue. The show logging queue command lists the size of the queue, the greatest number of messages in the queue, and the number of messages discarded because queue space was not available to contain them. The size of the queue is limited by available block memory.
The nat command has been extended to let you disable NAT and specify an access list that determines which services users on a higher security level interface can access on a lower security level interface. This command lets you mix and match NAT, stateful inspection with the fixup command, and the aaa command without forcing everything through NAT. The new nat 0 access-list command also lets you enable policy NAT based on destination.
When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.
If you reboot the PIX Firewall without entering the write memory command and the failover cable in connected, failover mode automatically enables.
Only enabled rip command statements appear in the configuration in version 5.1.
The following are the extensions to the route command:
route outside 10.2.2.8 255.255.255.248 192.168.1.3 route outside 10.2.2.8 255.255.255.255 192.168.1.1
In the output of the show failover command, the heading "Standby Logical Update Statistics" changed to "Stateful Failover Logical Update Statistics."
The show interface command has been enhanced to include eight new status counters.
Allows PPTP traffic to bypass checking of conduit or access-list command statements. See "vpdn Command" for more information on PPTP commands and an example of the new sysopt command option.
Using the sysopt ipsec pl-compatible command no longer requires static route statements for every host that needs to start non-IPSec connections through the PIX Firewall. The routing is now handled automatically.
1. Refer to either the Installation Guide for the Cisco Secure PIX Firewall Version 5.1 or Chapter 2, "Configuring PIX Firewall" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 for information on the new Boothelper diskette installation feature and the new configuration version message. Boothelper only works with version 5.1 images. In addition, only specify Boothelper commands in lowercase. You can view this information online at the following site:
2. Do not attempt to load version 5.1 on a PIX Firewall unit containing less than 32 MB of memory. While the PIX Firewall may appear to permit this configuration, upon reboot, the PIX Firewall unit will continuously fail. You can stop this by immediately inserting a previous version diskette into the PIX Firewall unit and then pressing the reboot switch. This note only applies to PIX Firewall units with a diskette drive, not to the PIX 515.
3. A PIX Firewall unit containing a 16 MB Flash memory card cannot be downgraded to version 4.4(1), 4.4(2), 5.0(1), or 5.0(2) without causing irreparable harm to the Flash memory card. [CSCdp38206]
4. Version 5.1 on a PIX 515 cannot be downgraded to pre-version 4.4(1) images. [CSCdp21017]
5. The new include and exclude options to the aaa command are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
The following limitations and restrictions apply to version 5.1(1):
1. If you are using a gigabit Ethernet interface, refer to "Gigabit Interface Restrictions" for important restrictions on the use of this interface.
2. Loading a PIX Firewall image prior to version 5.1 with Boothelper reboots the PIX Firewall.
3. Only use version 5.1 of the PIX Firewall with version 1.1 or later of the Cisco Secure VPN Client.
More details are provided in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.
Previously, assertions in the code caused an error message to display at the PIX Firewall. In version 5.1(1), assertions now force the PIX Firewall to fail and display a trace output.
Web browsers such as Internet Explorer or Netscape Navigator only display the first 23 characters of the string you indicate in the auth-prompt command. This limitation is imposed by the browser and is not a PIX Firewall fault. [CSCdp85254]
The following commands have been added to the default configuration. The default configuration contains the commands that are enabled when you first install PIX Firewall:
aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius floodguard enable isakmp identity address
See "Default Configuration" in Chapter 1, "Introduction" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 for the other commands provided in the default configuration. You can view this chapter online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/intro.htm
A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT (Port Address Translation). Instead, a static command statement must be added to map the DNS server to a global address on the outside interface. [CSCdp48115]
The following notes apply to the failover feature:
The former PIX Firewall failure message was changed from "Watchdog timer failure - ARF!" to "Watchdog timer failure - Internal system timeout failure -- please provide the output that follows to customer support."
PIX Firewall now restricts FTP commands so that only FTP servers can submit a 227 reply and only FTP clients can submit a PORT command. Furthermore, the only PORT command permitted can only be one port number lower than the FTP control channel. This change removes the wildcard port for connections created from the PORT command. PIX Firewall now also enforces that the first SYN packet from the dynamic back channel must be from the expected side. [CSCdp86352]
The following open caveats apply to use of the gigabit Ethernet interface:
The following sections provide useful information about IPSec.
ca configure myca ca 5 15 crloptional
Only use version 5.1 of the PIX Firewall with version 1.1 or later of the Cisco Secure VPN Client.
When two policies are configured on the Cisco Secure VPN Client for different PIX Firewall interfaces, after the PIX Firewall unit initiates a rekey, the Client loses the ability to differentiate between the interfaces. This condition causes the message, "Cannot match Policy Entry for received IDs" to display and can cause a loss of connections. Once dropped, the tunnels cannot be re-established. [CSCdp88761]
The crypto map map_name interface if_name command causes any currently running SAs (security associations) to be deleted.
PIX Firewall does not proxy ARP for addresses in the mode config pool. To enable connectivity of a remote client to the internal network, addresses in the mode config pool cannot overlap with any of the directly connected networks to the PIX Firewall. In addition, static route command statements need to be configured on the internal networks to direct traffic destined for the mode config pool to the PIX Firewall.
If you enter the show crypto ipsec sa command and the screen display is stopped with the More prompt, and if the SA lifetime expires while the screen display is stopped, subsequent display information may refer to a stale SA and the SA lifetime values that display will be invalid. [CSCdm59768]
The name command does not support dashes in the name you specify. [CSCdp58692]
The PIX Firewall has an implicit default route to the outside interface for configuring NAT.
PFSS (PIX Firewall Syslog Server) now renames log files using the last modification date as the file type. For example, if PFSS needs to create a monday.log file and the filename already exists, PFSS checks the last modification date for the original file and finds, for example, that it was last modified on January 24, 2000. PFSS then renames the original file monday.012400 and moves it to the backup directory, which is named "backup." Then PFSS creates monday.log for the current log data.
PFSS attempts to create the backup directory whenever PFSS is restarted. If the directory exists, PFSS adds a message in the pfss.log file as follows:
mmm dd yyyy hh:mm:ss ThreadInit: Could not create backup directory
where mmm dd yyyy hh:mm:ss is a timestamp. This message can be ignored if the backup directory exists. If the directory does not exist and you see this message, then you should determine why the directory cannot be created.
The Stateful Failover Logical Update Statistics output that displays when you use the show failover command only applies to Stateful Failover, not to the basic failover functionality. The statistics table only displays if a failover link has been configured.
PIX Firewall uses port 1521 for SQL*Net. This the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments. [CSCdp33907]
The following syslog changes occurred in version 5.1:
%PIX-6-602301: sa created,
Inbound and outbound URLs are now logged by setting the logging command to the debugging option. However, URL filtering only affects outbound connections.
Table 1 lists open caveats:
| DDTS Number | Description |
CSCdp93890 | When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. See "ISAKMP Notes" for more information. |
CSCdp92050 | The Boothelper TFTP image cannot be sent to the PIX Firewall over a gigabit interface. Ensure that the PIX Firewall unit has at least one 10/100 Ethernet interface to convey the image to the PIX Firewall. |
CSCdp88761 | When two policies are configured on the Cisco Secure VPN Client for different PIX Firewall interfaces, after the PIX Firewall unit initiates a rekey, the Client loses the ability to differentiate between the interfaces. This condition causes the message, "Cannot match Policy Entry for received IDs" to display and can cause a loss of connections. Once dropped, the tunnels cannot be re-established. |
CSCdp87564 | Some syslog messages contain linefeeds. Because the Solaris version of syslog, known as syslogd, only stores the first line sent, logging information on these messages is incomplete. One such message, appears truncated on a Solaris system as follows: %PIX-6-602301: sa created, |
CSCdp86785 | If an ISAKMP SA expires, the IPSec tunnel for the expired ISAKMP SA continues for the remaining time. If a PIX Firewall peer reboots before the ISAKMP SA expires, the keepalive fails to note that the other peer is not there and packets are silently dropped until the SA expires. |
CSCdp88443 | The clear interface command clears all interface statistics except the number of input bytes. This command no longer shuts down all system interfaces. The clear interface command works with all interface types except gigabit Ethernet. |
CSCdp85254 | Web browsers such as Internet Explorer or Netscape Navigator only display the first 23 characters of the string you indicate in the auth-prompt command. This limitation is imposed by the browser and is not a PIX Firewall fault. |
CSCdp67251 | The fixup protocol sqlnet command only works with Oracle, not with NetWare SQLNET. |
CSCdp64331 | A gigabit interface must not be shut down for more than 5 minutes. After that, the PIX Firewall unit must be rebooted to regain access to the interface. |
CSCdp64321 | The 1000auto option to the interface command does not get written to the configuration. When the PIX Firewall reboots, the gigabit interface is then automatically shut down. As soon as the PIX Firewall reboots, re-enter the interface command to restart the interface. |
CSCdp58692 | The name command does not support dashes in the name you specify. |
CSCdp48115 | A DNS server behind the PIX Firewall cannot use PAT; however, adding a static command statement can be used as a workaround. |
CSCdp42625 | When using the VeriSign CA, always use the crloptional parameter to the ca configure command. |
CSCdp38206 | A PIX Firewall unit containing a 16 MB Flash memory card cannot be downgraded to version 4.4(1), 4.4(2), 5.0(1), or 5.0(2) without causing irreparable harm to the Flash memory card. |
CSCdm59768 | If you enter the show crypto ipsec sa command and the screen display is stopped with the More prompt, and if the SA lifetime expires while the screen display is stopped, subsequent display information may refer to a stale SA and the SA lifetime values that display will be invalid. |
Table 2 lists resolved caveats:
| DDTS Number | Description |
|---|---|
CSCdp88122 | An SQL*Net version 1 or truncated packet no longer crashes PIX Firewall. |
CSCdp86352 | PIX Firewall now prevents FTP clients from initiating FTP server commands. |
CSCdp85718 | Failover no longer stops traffic when the 1550-byte pool exhausts. If this pool exhausts and cannot be reallocated on the Standby unit, it will now reboot without affecting the Active unit. |
CSCdp78256 | A 1550-byte memory block leak no longer occurs if an incoming SNMP request is invalid. |
CSCdp74795 | The source IP address in SNMP traps is no longer reversed; for example, 10.1.1.1 no longer displays as 1.1.1.10. |
CSCdp65228 | Syslog message %PIX-2-108002 now lists the IP address in the correct order. Previously an IP address such as 10.1.1.1 was listed in the message as 1.1.1.10. |
CSCdp60485 | If a new peer successfully negotiates an IPSec tunnel to protect the same set of identities as an old tunnel, PIX Firewall switches to the new peer and maintains the old tunnel for 30 seconds to let traffic subside. |
CSCdp59021 | PIX Firewall no longer continuously reboots after downgrading to the version 4.4(3) image. |
CSCdp58991 | AAA accounting is no longer unidirectional. Now secondary connection(s) are assigned the same direction as the control connection. This lets uauth associate and dynamically preallocate the connection(s) from the same control connection with the same identity. Accounting will then trigger for the matched identity. |
CSCdp57339 | The MTU of an interface no longer is set to 0. Previously, entering the write erase command followed by rebooting, and then not explicitly setting the MTU, caused IPSec to initialize the tunnel with an MTU of 0. |
CSCdp56795 | Syslog message %PIX-2-1006002 only displays the protocol as a number instead of as a name. This is also fixed in all future PIX Firewall versions. The text for this message is now one of the following: · 1 Connection denied by outbound list list_ID src laddr/lport dest faddr/fport · 6 Connection denied by outbound list list_ID src laddr/lport dest faddr/fport · 17 Connection denied by outbound list list_ID src laddr/lport dest faddr/fport where 1 means ICMP, 6 means TCP, and 17 means UDP. Previously, PIX Firewall listed the protocol by name in some messages and by number in others. The messages now consistently use the protocol number. |
CSCdp56150 | The Private Link PL/2 card is now recognized correctly. The use of this card improves IPSec processing speed. |
CSCdp55033 | When a packet is received with a bad checksum, PIX Firewall now discards the packet without closing the TCP connection. Previously, if after a connection was closed, a subsequent packet arrived, PIX Firewall caused a reset that stopped traffic on the connection. |
CSCdp53852 | The fixup smtp command now correctly translates multi-line banners. |
CSCdp52877 | The debug icmp trace command no longer also enables the debug fixup_smtp command. |
CSCdp52185 | Version 5.1 provides the access-list command port selector for IPSec. |
CSCdp51830 | Access lists now handle ICMP echo-request and echo-reply correctly. |
CSCdp49186 | Limited broadcasts sent to 255.255.255.255 now work correctly with the PIX Firewall. While the broadcast is not forwarded through the PIX Firewall, this feature lets RIP updates work correctly. |
CSCdp45416 | PFSS (PIX Firewall Syslog Server) now renames log files using the last modification date as the file type. For example, if PFSS needs to create a monday.log file and the filename already exists, PFSS checks the last modification date for the original file and finds, for example, that it was last modified on January 24, 2000. PFSS then renames the original file monday.012400 and moves it to the backup directory. Then PFSS creates monday.log for the current log data. |
CSCdp44875 | PIX Firewall no longer gets into an unrecoverable crash when reloaded after using the clear flashfs command without loading a new image. |
CSCdp41051 | The terminal no monitor command now works correctly. |
CSCdp38828 | The PIX Firewall failure message was changed from "Watchdog timer failure - ARF!" to "Watchdog timeout!". |
CSCdp33907 | PIX Firewall uses port 1521 for SQL*Net even though this value does not agree with the IANA port assignments. |
CSCdp23931 | Adds syslog message %PIX-2-106020: Deny IP teardrop fragment (size = num, offset = num) from IP_addr to IP_addr. This message occurs when the PIX Firewall discards an IP packet with a teardrop signature with either a small offset or fragment overlapping. You should treat this event as a hostile attempt to circumvent the firewall or an intrusion detection system. |
CSCdp05727 | Allows an interface to be the gateway for the route command. The PIX Firewall now uses ARP to determine the real destination address if the next hop address is the outgoing interface address. |
CSCdp00115 | All isakmp command policies now appear in the configuration. See "ISAKMP Notes" for more information. |
CSCdm79900 | Request for separate levels of debug for syslog and SNMP logging. See "Separate SNMP and Syslog Message Levels" for more information. |
CSCdm74155 | PIX Firewall now supports the copy tftp flash command. See "copy tftp flash Command" for more information. |
CSCdm62488 | DNS packets are no longer altered by the alias command in both directions. Use the version 5.0 sysopt noaliasdns outbound|inbound command to disable DNS Address record fixups from interaction with the alias command. Using a separate command for inbound and another for outbound disables DNS A record fixups. |
CSCdm23996 | PIX Firewall now has RIP version 2 support to ensure that incorrect routes are not learned from unauthorized neighbors. |
CSCdk77815 | As of PIX Firewall version 5.0, the show conduit and show access-list commands list a hit count after each ACL (Access Control List) element that indicates the number of times an element has been matched during the access-list or conduit command statement search. |
CSCdk76181 | The PIX Firewall now has a nat (interface) 0 access-list acl_name that provides no nat capability for both inbound and outbound connections. See "nat Command" for more information. |
CSCdk22364 | The aaa command statement now accepts a protocol and port specification for what used to be the except option. The except option has been replaced by the include and exclude options. See "aaa Command" for more information. |
CSCdk06669 | Support for new Cisco Firewall MIB. |
CSCdj95449 | Support for enhancements to the established command. |
Use this document in conjunction with the PIX Firewall documentation at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
Cisco provides PIX Firewall technical tips at the following site:
http://www.cisco.com/warp/public/110/index.shtml#pix
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW).
The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Thu Mar 2 20:48:31 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.