|
|
October 2000
This document contains the following sections:
 |
Note Version 5.1(4) fixes caveat CSCds38708 only. If your configuration includes the fixup protocol smtp port_number command and either a conduit or access-list command statement permitting access to SMTP, you should install version 5.1(4) immediately to counter a vulnerability in the Mail Guard feature. |
Version 5.1 requires the following:
1. The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, you need to download the Boothelper file, bh512.bin, from Cisco Connection Online (CCO) to let you download the PIX Firewall image with TFTP.
2. PIX Firewall must have at least 32 MB of RAM memory or the PIX Firewall unit will not boot. Use the show version command to verify how much RAM is in your PIX Firewall unit.
3. PIX Firewall requires at least 2 MB of Flash memory although support is provided for 2 MB, 8 MB, and 16 MB Flash memory. The maximum configuration size with 16 MB Flash memory is 1 MB; with all other Flash memory, it is 340 KB. A PIX Firewall unit equipped with 16 MB Flash memory cannot be downgraded to version 4.4(1), 4.4(2), 5.0(1), or 5.0(2).
4. If you use mode configuration with the PIX Firewall, any routers on the IPSec connection must run Cisco IOS Release 12.0(6)T or later.
5. If you are upgrading from version 4 or earlier and want to use the IPSec or VPN features or commands, you must have a new activation key. Before getting a new activation key, write down your old key in case you want to downgrade back to version 4. You can have a new activation key sent to you by completing the form at the following site:
6. If you are using PFSS (PIX Firewall Syslog Server), we recommend that you install Windows NT Service Pack 6 to fix Y2K conflicts in Windows NT.
7. If you are upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Installation Notes" for new installation requirements.
You can use PIX Firewall version 5.1 with the PIX Firewall Manager version 4.3(2)e. Refer to the Release Notes for the PIX Firewall Manager Version 4.3(2)e for more information. You can view this document online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/index.htm
The PIX Firewall Manager (PFM) lets you manage PIX Firewall units; however, it does not let you configure any PIX Firewall features added after version 4.3(2).
The "Frequently Asked Questions" section in the PFM release notes provides useful troubleshooting information.
Cisco Secure Policy Manager (Cisco Secure PM), version 2.1, provides policy-based management support for PIX Firewall units running a version 4.2(n), 4.4(n), or 5.1(n) software image.
Refer to the documentation set for Cisco Secure PM at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/index.htm
Version 5.1 consists of bug fixes and new features. More details are provided in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1. You can view this document online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/index.htm
Version 5.1(4) fixes caveat CSCds38708 only. If your configuration includes the fixup protocol smtp port_number command and either a conduit or access-list command statement permitting access to SMTP, you should install version 5.1(4) immediately to counter a vulnerability in the Mail Guard feature.
Version 5.1(3) fixes caveats CSCds30699 and CSCdr91002 only.
The sections that follow describe each new version 5.1(2) feature.
You can enable Unicast RPF (Reverse Path Forwarding) protection with the new ip verify reverse-path command. With this feature, PIX Firewall provides ingress and egress spoof filtering. This command is described in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.
The PIX 506 is a simplified PIX Firewall unit that supports two Ethernet interfaces without user-customizable access to the inside unit. This unit provides PIX Firewall functionality with support for the full command set except for the failover and session commands. The PIX 506 contains 32 MB of RAM memory and an 8 MB Flash memory. The maximum configuration size is 340 KB.
|
Note The PIX 506 supports 10BaseT only on both interfaces. |
|
Note The ACT light on the front of the PIX 506 indicates when the software image successfully loads. On the PIX 515, this light has an alternate meaning relating to use with failover. |
Additional changes in this release can be found in the following sections of this document:
The PIX Firewall documentation set has been enhanced to support the PIX 506. In addition, in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1, the information in Chapter 7, formally entitled, "PIX 515 Configuration," was moved to Chapter 2, "Configuring PIX Firewall" and to the Installation Guide for the Cisco Secure PIX Firewall Version 5.1.
The sections that follow describe each new feature.
PIX Firewall now supports an ISA-bus 16 MB Flash memory card for all PIX Firewall models except the PIX 515 and PIX 506, which already have a Flash memory unit built into the motherboard. Use the new 16 MB Flash memory card to replace your current 2 MB Flash memory card. (You must not use both the old Flash memory card and the new card together.)
Use of the 16 MB Flash memory card increases the maximum configuration size to 1 MB.
The 16 MB Flash memory card driver has been enhanced so that older PIX Firewall models can use the 16 MB card with software version 5.1(1) or later.
The aaa command now supports selection by service. See "aaa Command" for more information.
The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, you need to download the Boothelper file, bh512.bin, from Cisco Connection Online (CCO) to let you download the PIX Firewall image with TFTP. Boothelper only works with version 5.1 or later images and cannot pass the image over a Gigabit Ethernet interface. See "Installation Notes" for more information. You can view Boothelper information online in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/config.htm
The Cisco Firewall MIB and Cisco Memory Pool MIB are now available. These MIBs provide the following PIX Firewall information via SNMP:
For more information, refer to "Using the Firewall and Memory Pool MIBs" in Chapter 3, "Advanced Configurations" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1. You can view this chapter online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/advanced.htm
The following virtual re-assembly features are new in version 5.1:
|
Note Virtual reassembly is currently enabled by default and no mechanism is provided to disable it. |
You can now log URLs and FTP commands for both inbound and outbound connections. This feature is enabled automatically when you specify syslog level 7 (debugging) with the logging command.
PIX Firewall now supports 1000 Mbps (Gigabit) Ethernet. The gigabit interface cards use the gb-ethernet device name and only have one hardware speed and the following options:
An example interface command for a gigabit interface follows:
interface gb-ethernet0 1000auto
Gigabit interface cards do not provide information for the extended show interface command counters introduced in version 5.0(3).
Gigabit Ethernet uses the same MTU as 10/100 Ethernet.
See "Installation Notes" for how to use the Boothelper diskette, and how to download and use a TFTP server, or you can view this information online in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/config.htm
The following IPSec improvements are new to this release:
The IPSec command interface has the following changes:
1. Any traffic selectable by the access-list command and negotiated by IKE can be used. ICMP type and code cannot be used because there is no mechanism to negotiate these selectors by IKE.
2. Multiple crypto map command statements can be bound to multiple interfaces. However, only one crypto map command statement can be bound to a single interface.
3. sysopt ipsec pl-compatible command—the previous need for static routes for non-IPSec traffic is removed.
4. New debug crypto ipsec command.
You can view command information online in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/commands.htm
The ActiveX and Java applet filtering implementation has been improved. Formerly, filtering Java applets was handled by the outbound command. The new implementation has been placed in the filter command and lets users receive a web page but with the Java applets disabled. The previous behavior dropped the connection when an applet was encountered.
|
Note The previous outbound java command is being phased out. Cisco recommends that you convert all Java filtering configurations to the filter java command. |
The ActiveX filtering mechanism, which also is handled by the filter command has been improved to more reliably detect objects and screen out their use.
Point-to-Point Tunneling Protocol (PPTP) is a layer 2 tunneling protocol which lets a remote client use a public IP network to communicate securely with servers at a private corporate network. PPTP can tunnel the IP protocol. RFC 2637 describes the PPTP protocol.
RAS (registration, admission, and status) handles multimedia applications such as video conferencing and Voice over IP that require video and audio encoding. PIX Firewall now supports RAS version 2.
PIX Firewall now supports RIP version 2. This implementation supports Cisco IOS software standards, which conform to RFC 1058, RFC 1388, and RFC 2082 of RIPv2 with text and keyed MD5 authentication.
A number of extensions were added to the route command in this release. Refer to "route Command" for more information.
PIX Firewall now provides the rtsp option to the fixup command. This feature lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. See "fixup rtsp Command" for more information.
The logging command now lets you specify separate message levels for syslog and SNMP. See "logging Command" for more information.
See "copy tftp flash Command" for more information on copying a new software image via TFTP. This feature permits remote management where a binary image can be uploaded without accessing monitor mode.
The Xauth (Extended Authentication) feature lets you deploy IPSec to remote users to gain the privacy and packet-level authentication available with IPSec. This feature provides authentication by prompting for user credentials and verifies them with the information stored in Cisco Secure Database in the VPN environment (AAA with VPN).
Extended Authentication is negotiated between IKE phase 1 and IKE phase 2 at the same time as mode configuration. Authentication is performed using your existing TACACS+ or RADIUS authentication system.
The extended authentication feature is enabled with the crypto map command.
|
Note The Xauth feature requires version 1.1 of the Cisco Secure VPN Client. |
PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) to handle an XWindows TCP back connection. XDMCP handling is enabled by default. XDMCP uses UDP port 177. XWindows uses TCP ports 6000 through 6063.
The sections that follow describe the new commands in this release.
The copy tftp flash command lets you change software images without requiring access to the TFTP monitor mode. An image you download is made available to the PIX Firewall on the next reload (reboot).
The copy tftp flash command requires that routing be configured. In certain cases such as with IPSec configuration, a ping from the PIX Firewall to the TFTP server may be successful even without complete routing information. However, the success of the ping command does not guarantee that the copy tftp flash command will be successful. This command is described on the copy tftp flash command page in Chapter 6, "Command Reference" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.
You can enable RFC 2267 Denial of Service (DoS) protection with the new ip verify reverse-path command. This command is described on the ip verify command page in Chapter 6, "Command Reference" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.
The vpdn command implements the PPTP feature. This command is described on the vpdn command page in Chapter 6, "Command Reference" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.
More details are provided in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1. You can view this document online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/index.htm
|
Note The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration. |
The maximum number of AAA servers PIX Firewall lets you specify is 14, not 16 that is described in the aaa-server command page in Chapter 6, "Command Reference" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.
The maximum length of the prompt string is 235 characters.
The show conduit command now lists a hit count that indicates the number of times an element has been matched during a conduit command search.
The clear configure command no longer sets interfaces into the shutdown state. Previously, the interface command for the inside interface would appear as follows after using the clear configure command:
interface inside auto shutdown
The clear interface command clears all interface statistics except the number of input bytes. This command no longer shuts down all system interfaces. The clear interface command works with all interface types except gigabit Ethernet.
The crypto map client authentication command enables the extended authentication (Xauth) feature.
The debug crypto ipsec command provides new debug messages. You can display debugging messages with the logging command.
The established command has been enhanced to include a new source port. By designating 0 as the destination port, you can use the show established command to display the port as it is allocated. See "XDMCP Support" for more information.
This change is backward compatible with previous PIX Firewall software versions and will not cause problems with an existing configuration.
The fixup rtsp command lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP.
The default port for this command is TCP 554. This command does not fix RTSP UDP connections. PIX Firewall PAT is not supported with the fixup rtsp command. PIX Firewall does not yet have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.
The interface command now supports the gb-ethernet option for Gigabit Ethernet.
The logging command now lets you specify different message levels for syslog and SNMP. You can set the message levels for SNMP with the logging history snmp_message_level command. The logging trap syslog_message_level command now only sets the syslog message level.
The logging queue command lets you specify the number of messages in the syslog message queue. The show logging queue command lists the size of the queue, the greatest number of messages in the queue, and the number of messages discarded because queue space was not available to contain them. The size of the queue is limited by available block memory.
The nat command has been extended to let you disable NAT and specify an access list that determines which services users on a higher security level interface can access on a lower security level interface. This command lets you mix and match NAT, stateful inspection with the fixup command, and the aaa command without forcing everything through NAT. The new nat 0 access-list command also lets you enable policy NAT based on destination.
When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.
If you reboot the PIX Firewall without entering the write memory command and the failover cable is connected, failover mode automatically enables.
Only enabled rip command statements appear in the configuration in version 5.1.
The following are the extensions to the route command:
route outside 10.2.2.8 255.255.255.248 192.168.1.3 route outside 10.2.2.8 255.255.255.255 192.168.1.1
The items in the top row of the "Standby Logical Update Statistics" section of the show failover command are as follows:
The items in the first column provide an object static count for each statistic:
The show interface command has been enhanced to include eight new status counters. In version 5.1(2) and later, the "unicast rpf drops" counter was added to list the number of packets dropped through use of the new ip verify reverse-route command.
The show version command now lists the size of Flash memory; for example, the following line appears in the output to indicate 16 MB Flash memory:
Flash i28F640J5 @ 0x300, 16MB
An example of the show xlate command output is as follows:
Global 10.130.0.101 Local 10.130.0.101 static Global 10.130.0.100 Local 10.130.0.100 static
The xlate command page in Chapter 6, "Command Reference," in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 incorrectly lists connection information in the command output. You can view connection information with the show local-host command.
Allows PPTP traffic to bypass checking of conduit or access-list command statements. See "vpdn Command" for more information on PPTP commands and an example of the new sysopt command option.
Using the sysopt ipsec pl-compatible command no longer requires static route statements for every host that needs to start non-IPSec connections through the PIX Firewall. The routing is now handled automatically.
The url-filter command now can process a URL up to 1024 characters long.
1. Refer to either the Installation Guide for the Cisco Secure PIX Firewall Version 5.1 or Chapter 2, "Configuring PIX Firewall" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 for information on the new Boothelper diskette installation feature and the new configuration version message. Boothelper only works with version 5.1 images. In addition, only specify Boothelper commands in lowercase. You can view this information online at the following site:
2. Do not attempt to load version 5.1 on a PIX Firewall unit containing less than 32 MB of memory. While the PIX Firewall may appear to permit this configuration, upon reboot, the PIX Firewall unit will continuously fail. You can stop this by immediately inserting a previous version diskette into the PIX Firewall unit and then pressing the reboot switch. This note only applies to PIX Firewall units with a diskette drive, not to the PIX 515.
3. After installing additional memory in a PIX 520, do not remove the memory strips after you install them and have powered on the unit, or the PIX Firewall unit will become inoperable. [CSCdr14559]
4. A PIX Firewall unit containing a 16 MB Flash memory card cannot be downgraded to version 4.4(1), 4.4(2), 5.0(1), or 5.0(2). [CSCdp38206]
5. Version 5.1 on a PIX 515 cannot be downgraded to pre-version 4.4(1) images. [CSCdp21017]
6. The new include and exclude options to the aaa command are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
The following limitations and restrictions apply to version 5.1:
1. If you are using a Gigabit Ethernet interface, refer to "Gigabit Interface Restrictions" for important restrictions on the use of this interface.
2. Loading a PIX Firewall image prior to version 5.1 with Boothelper reboots the PIX Firewall.
3. Only use version 5.1 of the PIX Firewall with version 1.1 or later of the Cisco Secure VPN Client.
More details are provided in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.
Previously, assertions in the code caused an error message to display at the PIX Firewall. In version 5.1, assertions now force the PIX Firewall to fail and display a trace output.
Web browsers such as Internet Explorer or Netscape Navigator only display the first 23 characters of the string you indicate in the auth-prompt command. This limitation is imposed by the browser and is not a PIX Firewall fault. [CSCdp85254]
Under heavy traffic on the 4-port Ethernet board, use of the console becomes much slower. Cisco recommends configuring such units during lighter traffic intervals. [CSCdp14222]
The following commands have been added to the default configuration. The default configuration contains the commands that are enabled when you first install PIX Firewall:
aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius floodguard enable isakmp identity hostname
See "Default Configuration" in Chapter 1, "Introduction" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1 for the other commands provided in the default configuration. You can view this chapter online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/intro.htm
A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT (Port Address Translation). Instead, a static command statement must be added to map the DNS server to a global address on the outside interface. [CSCdp48115]
The following notes apply to the failover feature:
The former PIX Firewall failure message was changed from "Watchdog timer failure - ARF!" to "Watchdog timer failure - Internal system timeout failure -- please provide the output that follows to customer support."
fixup protocol ftp strict ftp access-list acl_in permit tcp any any eq ftp access-group acl_in in interface inside nat (inside) 1 0 0 global (outside) 1 209.165.201.5 netmask 255.255.255.224
The following open caveats apply to use of the Gigabit Ethernet interface:
The following sections provide useful information about IPSec.
ca configure myca ca 5 15 crloptional
Only use version 5.1 of the PIX Firewall with version 1.1 or later of the Cisco Secure VPN Client.
When two policies are configured on the Cisco Secure VPN Client for different PIX Firewall interfaces, after the PIX Firewall unit initiates a rekey, the Client loses the ability to differentiate between the interfaces. This condition causes the message, "Cannot match Policy Entry for received IDs" to display and can cause a loss of connections. Once dropped, the tunnels cannot be re-established. [CSCdp88761]
The crypto map map_name interface if_name command causes any currently running SAs (security associations) to be deleted.
isakmp identity address
PIX Firewall does not proxy ARP for addresses in the mode config pool. To enable connectivity of a remote client to the internal network, addresses in the mode config pool cannot overlap with any of the directly connected networks to the PIX Firewall. In addition, static route command statements need to be configured on the internal networks to direct traffic destined for the mode config pool to the PIX Firewall.
If you enter the show crypto ipsec sa command and the screen display is stopped with the More prompt, and if the SA lifetime expires while the screen display is stopped, subsequent display information may refer to a stale SA and the SA lifetime values that display will be invalid. [CSCdm59768]
The PIX Firewall has an implicit default route to the outside interface for configuring NAT.
The LED on the rear panel of a PIX 515 labeled FDX actually shows whether a link is up or down. The LED labeled LINK actually displays network activity. In addition, the four-port Ethernet card contains two LEDs at each interface connector. The left LED indicates 100 Mbps network connectivity and whether the link is up or down and the right LED indicates network activity.
PFSS (PIX Firewall Syslog Server) now renames log files using the last modification date as the file type. For example, if PFSS needs to create a monday.log file and the filename already exists, PFSS checks the last modification date for the original file and finds, for example, that it was last modified on January 24, 2000. PFSS then renames the original file monday.012400 and moves it to the backup directory, which is named "backup." Then PFSS creates monday.log for the current log data.
PFSS attempts to create the backup directory whenever PFSS is restarted. If the directory exists, PFSS adds a message in the pfss.log file as follows:
mmm dd yyyy hh:mm:ss ThreadInit: Could not create backup directory
where mmm dd yyyy hh:mm:ss is a timestamp. This message can be ignored if the backup directory exists. If the directory does not exist and you see this message, then you should determine why the directory cannot be created.
PIX Setup Wizard disables the pager command while configuring the PIX Firewall. After the wizard completes, use the clear pager command to return it to the default value. [CSCdr01768]
PIX Firewall uses port 1521 for SQL*Net. This the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments. [CSCdp33907]
The following syslog changes occurred in version 5.1:
%PIX-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name
%PIX-4-500004: Invalid transport field for protocol=ip_proto, from src_addr/src_port to dest_addr/dest_port
|
Note Some syslog messages contain linefeeds. Because the Solaris version of syslog, known as syslogd, only stores the first line sent, logging information on these messages is incomplete. One such message, appears truncated on a Solaris system as follows: [CSCdp87564]%PIX-6-602301: sa created, |
Inbound and outbound URLs are now logged by setting the logging command to the debugging option. However, URL filtering only affects outbound connections.
The maximum length of a URL string passing through the PIX Firewall can now be up to 1024 characters in length.
Table 1 lists open caveats.
| DDTS Number | Description | Found in Version |
|---|---|---|
CSCdr41456 | All enabled interfaces must be connected between the Active and Standby units. If an interface is not in use, use the shutdown option to the interface command to disable the interface. | 5.1(2) |
CSCdr14559 | After installing additional memory in a PIX 520, do not remove the memory strips after you install them and have powered on the unit, or the PIX Firewall unit will become inoperable. | 5.1(2) |
CSCdr01768 | PIX Setup Wizard disables the pager command while configuring the PIX Firewall. After the wizard completes, use the clear pager command to return it to the default value. | 5.1(2) |
CSCdp93890 | When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. See "ISAKMP Notes" for more information. | 5.1(1) |
CSCdp92050 | The Boothelper TFTP image cannot be sent to the PIX Firewall over a gigabit interface. Ensure that the PIX Firewall unit has at least one 10/100 Ethernet interface to convey the image to the PIX Firewall. | 5.1(1) |
CSCdp88761 | When two policies are configured on the Cisco Secure VPN Client for different PIX Firewall interfaces, after the PIX Firewall unit initiates a rekey, the Client loses the ability to differentiate between the interfaces. This condition causes the message, "Cannot match Policy Entry for received IDs" to display and can cause a loss of connections. Once dropped, the tunnels cannot be re-established. | 5.1(1) |
CSCdp87564 | Some syslog messages contain linefeeds. Because the Solaris version of syslog, known as syslogd, only stores the first line sent, logging information on these messages is incomplete. One such message, appears truncated on a Solaris system as follows: %PIX-6-602301: sa created, | 5.1(1) |
CSCdp86785 | If an ISAKMP SA expires, the IPSec tunnel for the expired ISAKMP SA continues for the remaining time. If a PIX Firewall peer reboots before the ISAKMP SA expires, the keepalive fails to note that the other peer is not there and packets are silently dropped until the SA expires. | 5.1(1) |
CSCdp88443 | The clear interface command clears all interface statistics except the number of input bytes. This command no longer shuts down all system interfaces. The clear interface command works with all interface types except gigabit Ethernet. | 5.1(1) |
CSCdp85254 | Web browsers such as Internet Explorer or Netscape Navigator only display the first 23 characters of the string you indicate in the auth-prompt command. This limitation is imposed by the browser and is not a PIX Firewall fault. | 5.1(1) |
CSCdp67251 | The fixup protocol sqlnet command only works with Oracle, not with NetWare SQLNET. | 5.1(1) |
CSCdp64331 | A gigabit interface must not be shut down for more than 5 minutes. After that, the PIX Firewall unit must be rebooted to regain access to the interface. | 5.1(1) |
CSCdp48115 | A DNS server behind the PIX Firewall cannot use PAT; however, adding a static command statement can be used as a workaround. | 5.1(1) |
CSCdp42625 | When using the VeriSign CA, always use the crloptional parameter to the ca configure command. | 5.1(1) |
CSCdp38206 | A PIX Firewall unit containing a 16 MB Flash memory card cannot be downgraded to version 4.4(1), 4.4(2), 5.0(1), or 5.0(2). | 5.1(1) |
CSCdp14222 | Under heavy traffic on the 4-port Ethernet board, use of the console becomes much slower. Cisco recommends configuring such units during lighter traffic intervals. | 5.1(2) |
CSCdm59768 | If you enter the show crypto ipsec sa command and the screen display is stopped with the More prompt, and if the SA lifetime expires while the screen display is stopped, subsequent display information may refer to a stale SA and the SA lifetime values that display will be invalid. | 5.1(1) |
Table 2 lists resolved caveats.
| DDTS Number | Description | Fixed in Version |
|---|---|---|
CSCds38708 | The fixup protocol smtp command no longer permits commands it would normally screen out from being appended to the SMTP DATA command. | 5.1(4) |
CSCds30699 | PIX Firewall continues to filter SMTP commands if the DATA command fails. Previously, the Mail Guard feature would stop filtering if the DATA command failed. The Mail Guard feature is enabled with the fixup protocol smtp port_number command, which is enabled in the PIX Firewall unit's default configuration. | 5.1(3) |
CSCdr91002 | Multiple SMTP commands contained in a single packet are no longer permitted and are now dropped. | 5.1(3) |
CSCdr46152 | The access-list command now works correctly with the name command so that names store correctly in the configuration. | 5.1(2) |
CSCdr03568 | Traceroute through the PIX Firewall now works correctly with PAT. Previously, PIX Firewall would only let information return about the first hop from the PIX Firewall. | 5.1(2) |
CSCdr02190 | PIX Setup Wizard no longer displays PAT IP addresses twice. | 5.1(2) |
CSCdr01766 | PIX Setup Wizard now handles the nat 0 access-list command correctly. | 5.1(2) |
CSCdp95629 | The Standby failover unit no longer sends Websense requests to the Websense server. This problem was noted in versions 4.4, 5.0, and 5.1. An identical fix will be provided in the next 4.4 release. | 5.1(2) |
CSCdp88122 | An SQL*Net version 1 or truncated packet no longer crashes PIX Firewall. | 5.1(1) |
CSCdp86352 | PIX Firewall now prevents FTP clients from initiating FTP server commands. | 5.1(1) |
CSCdp85781 | PIX Firewall no longer fails if aaa-server protocol commands are entered with common letters in the protocol names, and if an aaa authentication command is entered using one of the protocol names. Previously, after the aaa command was entered, PIX Firewall would display the following assertion error before crashing: assertion "groupid >= 0" failed: file "uauth_server.c", line 439 This caveat exists in versions 4.4, 5.0, and 5.1. An identical fix will be provided in the next 4.4 release. | 5.1(2) |
CSCdp85718 | Failover no longer stops traffic when the 1550-byte pool exhausts. If this pool exhausts and cannot be reallocated on the Standby unit, it will now reboot without affecting the Active unit. | 5.1(1) |
CSCdp78256 | A 1550-byte memory block leak no longer occurs if an incoming SNMP request is invalid. | 5.1(1) |
CSCdp76529 | Syslog and the show uauth command no longer displays wrong username information when used simultaneously. | 5.1(2) |
CSCdp74795 | The source IP address in SNMP traps is no longer reversed; for example, 10.1.1.1 no longer displays as 1.1.1.10. | 5.1(1) |
CSCdp74486 | If a bad TCP header length is detected, syslog message PIX-6-302002 reports an incorrect number of bytes transferred. The PIX-5-500003 syslog message has been added to indicate when a bad TCP header length occurs. | 5.1(2) |
CSCdp68315 | XCB PIX AAA: HTTP Authentication no longer fails for usernames longer than 24 characters. The new limit on usernames is 30 characters and the limit on a password is 15 characters. | 5.1(2) |
CSCdp65228 | Syslog message %PIX-2-108002 now lists the IP address in the correct order. Previously an IP address such as 10.1.1.1 was listed in the message as 1.1.1.10. | 5.1(1) |
CSCdp64321 | The 1000auto option to the interface command now gets written to the configuration. When the PIX Firewall reboots, the gigabit interface is then automatically shut down. | 5.1(2) |
CSCdp60485 | If a new peer successfully negotiates an IPSec tunnel to protect the same set of identities as an old tunnel, PIX Firewall switches to the new peer and maintains the old tunnel for 30 seconds to let traffic subside. | 5.1(1) |
CSCdp59021 | PIX Firewall no longer continuously reboots after downgrading to the version 4.4(3) image. | 5.1(1) |
CSCdp58991 | AAA accounting is no longer unidirectional. Now secondary connections are assigned the same direction as the control connection. This lets uauth associate and dynamically allocate the connections from the same control connection with the same identity. Accounting will then trigger for the matched identity. | 5.1(1) |
CSCdp57339 | The MTU of an interface no longer is set to 0. Previously, entering the write erase command followed by rebooting, and then not explicitly setting the MTU, caused IPSec to initialize the tunnel with an MTU of 0. | 5.1(1) |
CSCdp58692 | The name command now accepts dashes in the name you specify. An example is as follows: name 10.1.1.2 tftp-server-inside copy tftp://tftp-server-inside/pix512.bin flash | 5.1(2) |
CSCdp56795 | Syslog message %PIX-2-1006002 only displays the protocol as a number instead of as a name. This is also fixed in all future PIX Firewall versions. The text for this message is now one of the following:
where 1 means ICMP, 6 means TCP, and 17 means UDP. Previously, PIX Firewall listed the protocol by name in some messages and by number in others. The messages now consistently use the protocol number. | 5.1(1) |
CSCdp56150 | The Private Link PL/2 card is now recognized correctly. The use of this card improves IPSec processing speed. | 5.1(1) |
CSCdp55033 | When a packet is received with a bad checksum, PIX Firewall now discards the packet without closing the TCP connection. Previously, if after a connection was closed, a subsequent packet arrived, PIX Firewall caused a reset that stopped traffic on the connection. | 5.1(1) |
CSCdp53852 | The fixup smtp command now correctly translates multi-line banners. | 5.1(1) |
CSCdp52877 | The debug icmp trace command no longer also enables the debug fixup_smtp command. | 5.1(1) |
CSCdp52185 | Version 5.1 provides the access-list command port selector for IPSec. | 5.1(1) |
CSCdp51830 | Access lists now handle ICMP echo-request and echo-reply correctly. | 5.1(1) |
CSCdp49186 | Limited broadcasts sent to 255.255.255.255 now work correctly with the PIX Firewall. While the broadcast is not forwarded through the PIX Firewall, this feature lets RIP updates work correctly. | 5.1(1) |
CSCdp45416 | PFSS (PIX Firewall Syslog Server) now renames log files using the last modification date as the file type. For example, if PFSS needs to create a monday.log file and the filename already exists, PFSS checks the last modification date for the original file and finds, for example, that it was last modified on January 24, 2000. PFSS then renames the original file monday.012400 and moves it to the backup directory. Then PFSS creates monday.log for the current log data. | 5.1(1) |
CSCdp44875 | PIX Firewall no longer gets into an unrecoverable crash when reloaded after using the clear flashfs command without loading a new image. | 5.1(1) |
CSCdp41051 | The terminal no monitor command now works correctly. | 5.1(1) |
CSCdp38828 | The PIX Firewall failure message was changed from "Watchdog timer failure - ARF!" to "Watchdog timeout!". | 5.1(1) |
CSCdp33907 | PIX Firewall uses port 1521 for SQL*Net even though this value does not agree with the IANA port assignments. | 5.1(1) |
CSCdp23931 | Adds syslog message %PIX-2-106020: Deny IP teardrop fragment (size = num, offset = num) from IP_addr to IP_addr. This message occurs when the PIX Firewall discards an IP packet with a teardrop signature with either a small offset or fragment overlapping. You should treat this event as a hostile attempt to circumvent the firewall or an intrusion detection system. | 5.1(1) |
CSCdp05727 | Allows an interface to be the gateway for the route command. The PIX Firewall now uses ARP to determine the real destination address if the next hop address is the outgoing interface address. | 5.1(1) |
CSCdp00115 | All isakmp command policies now appear in the configuration. See "ISAKMP Notes" for more information. | 5.1(1) |
CSCdm79900 | Request for separate levels of debug for syslog and SNMP logging. See "Separate SNMP and Syslog Message Levels" for more information. | 5.1(1) |
CSCdm74155 | PIX Firewall now supports the copy tftp flash command. See "copy tftp flash Command" for more information. | 5.1(1) |
CSCdm62488 | DNS packets are no longer altered by the alias command in both directions. Use the version 5.0 sysopt noaliasdns outbound|inbound command to disable DNS Address record fixups from interaction with the alias command. Using a separate command for inbound and another for outbound disables DNS A record fixups. | 5.1(1) |
CSCdm23996 | PIX Firewall now has RIP version 2 support to ensure that incorrect routes are not learned from unauthorized neighbors. | 5.1(1) |
CSCdk77815 | As of PIX Firewall version 5.0, the show conduit and show access-list commands list a hit count after each ACL (Access Control List) element that indicates the number of times an element has been matched during the access-list or conduit command statement search. | 5.1(1) |
CSCdk76181 | The PIX Firewall now has a nat (interface) 0 access-list acl_name that provides no nat capability for both inbound and outbound connections. See "nat Command" for more information. | 5.1(1) |
CSCdk22364 | The aaa command statement now accepts a protocol and port specification for what used to be the except option. The except option has been replaced by the include and exclude options. See "aaa Command" for more information. | 5.1(1) |
CSCdk06669 | Support for new Cisco Firewall MIB. | 5.1(1) |
CSCdj95449 | Support for enhancements to the established command. | 5.1(1) |
Use this document in conjunction with the PIX Firewall documentation at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
Cisco provides PIX Firewall technical tips at the following site:
http://www.cisco.com/warp/public/110/index.shtml#pix
You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
You can e-mail questions about using CCO to cco-team@cisco.com.
The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.
To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.
To contact by e-mail, use one of the following:
Language | E-mail Address |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate and value your comments.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document/website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0008R)
Copyright © 2000, Cisco Systems, Inc.
All rights reserved.
Posted: Mon Oct 2 19:10:50 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.