Release Notes for the Cisco Secure PIX Firewall Version 5.2(1)

September 2000

Contents

This document includes the following sections:

Introduction

The Cisco Secure PIX Firewall provides secure networking and NAT (Network Address Translation).

System Requirements

The sections that follow list the system requirements for operating a Cisco Secure PIX Firewall unit with version 5.2(1) software.

Memory Requirements


Note   All PIX Firewall units must have at least 32 MB of RAM or the PIX Firewall unit will not boot. In addition, all units except the PIX 506 must have 16 MB of Flash memory to boot. The PIX 506 has 8 MB of Flash memory, which works correctly with version 5.2.

The following table lists Flash memory requirements for this release:

PIX Firewall Model                    Flash Memory Required in 5.2   Flash Memory Sold with Unit
------------------------------------  -----------------------------  --------------------------------------------
PIX 506                               8 MB                           8 MB (not upgradeable)
PIX 510 (discontinued)                16 MB                          2 MB (must be upgraded to 16 MB)
PIX 515                               16 MB                          16 MB
PIX 520                               16 MB                          Older units have 2 MB, new units have 16 MB
PIX 525                               16 MB                          16 MB
PIX 10000 (discontinued)              16 MB                          2 MB (must be upgraded to 16 MB)
PIX Firewall Classic (discontinued)   16 MB                          512 KB or 2 MB (must be upgraded to 16 MB)

Software Requirements

The following is required for version 5.2(1):

    1. The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, you need to download the Boothelper file, bh521.bin, from Cisco Connection Online (CCO) to let you download the PIX Firewall image with TFTP.

    2. If you are upgrading from version 4 or earlier and want to use the IPSec or VPN features or commands, you must have a new activation key. Before getting a new activation key, write down your old key in case you want to downgrade back to version 4. You can have a new activation key sent to you by completing the form at the following site:

  http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit-license-request.shtml

    3. If you are using PFSS (PIX Firewall Syslog Server), Cisco recommends you install Windows NT Service Pack 6 to fix year 2000 conflicts in Windows NT.

    4. If you are upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Installation Notes" for new installation requirements.

Cisco IOS Software Interoperability

If you use IKE Mode Config with the PIX Firewall, any routers on the IPSec connection must run Cisco IOS Release 12.0(6)T or later.

Cisco Secure Policy Manager Interoperability

Cisco Secure Policy Manager (Cisco Secure PM), version 2.1, provides policy-based management support for PIX Firewall units running version 4.2, 4.4, and 5.1 software images. Cisco Secure PM version 2.2 supports PIX Firewall version 5.2.

Refer to the documentation set for Cisco Secure PM at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/index.htm

Cisco Secure VPN Client Interoperability

PIX Firewall version 5.2(1) requires Cisco Secure VPN Client version 1.1. The Cisco Secure VPN Client can be used with Windows 95, Windows 98, and Windows NT version 4.0. The Cisco Secure VPN Client is not supported for use with Windows 2000.

Cisco VPN 3000 Concentrator Manager and Client Interoperability

PIX Firewall version 5.2(1) requires Cisco VPN 3000 Client version 2.5 or later and Cisco VPN 3000 Concentrator Manager version 2.5.2 or later. The Cisco VPN 3000 Client can be used with Windows 95, Windows 98, and Windows NT version 4.0. The Cisco VPN 3000 Client is not supported for use with Windows 2000.

PIX Firewall Manager Interoperability

You can use PIX Firewall version 5.2 with the PIX Firewall Manager version 4.3(2)f. Refer to the Release Notes for the PIX Firewall Manager Version 4.3(2)f for more information. You can view this document online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

The PIX Firewall Manager (PFM) lets you manage PIX Firewall units; however, it does not let you configure any PIX Firewall features added after version 4.3(2).

The "Frequently Asked Questions" section in the PFM release notes provides useful troubleshooting information.

Determining the Software Version

Use the show version command to verify the software version of your PIX Firewall unit.

Upgrading to a New Software Release

If you have a Cisco Connection Online (CCO) login, you can obtain software from the following site:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

New and Changed Information

New Hardware Features in Release 5.2(1)

PIX 525

The new PIX 525 model has the fastest performance and highest capacity of any of the PIX Firewall series.

The PIX 525 provides the following features:

Features                      PIX 525 - R             PIX 525 - UR
----------------------------  ----------------------  ----------------------------------
Failover                      No                      Yes
RAM                           128 MB                  256 MB
Processor                     600 MHz                 600 MHz
Flash memory                  16 MB                   16 MB
Fixed 10/100 Mbps interfaces  2                       2
PCI slots                     3                       3
Maximum interfaces            6                       8
Supported interfaces          Fast Ethernet           Fast Ethernet and Gigabit Ethernet
Power supplies                Single AC power supply  Single AC power supply

FDDI interfaces are not supported for use on the PIX 525 in version 5.2(1).

Failover Serial Connection

The failover serial connection has been increased from 9600 baud to 117,760 baud (115K). The maximum supported length for the failover serial cable is 6 feet.


Note   Use the failover cable that is shipped with the PIX Firewall unit. If you use a replacement cable, it must have the same specifications as the supplied cable (length, type, and pinouts).

Inside and Outside Port Restriction Change

With the 5.2 software release, there are no longer restrictions on having to use specific Ethernet ports as the inside and outside network ports. Any port, whether fixed or a PCI expansion port, and any interface type, FDDI, Token Ring, Fast Ethernet, or Gigabit Ethernet, can be assigned to be the inside or outside network port.

Use the following notes, restrictions, and instructions for configuring inside and outside network ports:

    clear|no|show nameif hardware_if if_name security_level

  The following is an example of the default interface name information using the show nameif command:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 pix/intf2 security10
    nameif ethernet3 pix/intf3 security15
    nameif token-ring0 pix/intf4 security20
    nameif gb-ethernet0 pix/intf5 security25

New Software Features in Release 5.2(1)

The following features are new in version 5.2(1). Refer to the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2 for information about each software feature. IPSec features are described in the new IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2.

AAA access-list Support

The new match access_list_name option was added to the aaa command.

Certification Authority Servers—Baltimore and Microsoft

In addition to supporting the Entrust and VeriSign certification authority (CA) servers, the PIX Firewall now also supports CA servers developed by Baltimore Technologies and Microsoft.

Cisco VPN 3000 Client (Formerly the Altiga VPN Client)

Remote access VPN users employing the Cisco VPN 3000 Client, version 2.5, can now securely access their private enterprise network through the PIX Firewall, version 5.2.


Note   Be sure to configure the IKE Mode Config prior to configuring support for the VPN 3000 Client. In configuring IKE Mode Config, specify that the VPN Client initiates the IKE Mode Config.


Note   The Cisco VPN 3000 Client does not support Windows 2000 use.

Deny Xlate for Network or Broadcast Address for Inbound Traffic

For all inbound traffic, PIX Firewall now denies translations for destination IP addresses identified as network or broadcast addresses. PIX Firewall uses the global IP address and mask from a static command statement to differentiate regular host addresses from network or broadcast addresses. If a global IP address is a valid network address with a matching network mask, then PIX Firewall disallows an xlate for the network or broadcast IP address of that network for inbound packets.

DHCP Server and Client Support

Support for Dynamic Host Configuration Protocol (DHCP) server and DHCP client within the PIX Firewall is now available with the release of version 5.2.

Failover Polling Time

The new failover poll seconds command lets you determine how long failover waits before sending special failover "hello" packets between the Primary and Standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set to a lower value for Stateful Failover. With a faster poll time, PIX Firewall can detect failure and trigger failover faster. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.

FTP—Prevent Embedded Commands

The strict option to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
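The control-channel rules above, as an added example that is not PIX code: a small state machine over constructed client and server segments that drops embedded commands and unacknowledged pipelining, only honours 227 from the server and PORT from the client, and ignores a "227 (...)" that merely appears inside an error string. Host addresses and replies are constructed sample values.

```python
import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")          # "227 text" or "220-continued"
HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")  # h1,h2,h3,h4,p1,p2

def _endpoint(m):
    """Turn an h1,h2,h3,h4,p1,p2 match into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)

class StrictFtpInspector:
    """State for one FTP control connection under the strict rules (model, not PIX code)."""

    def __init__(self):
        self.awaiting_reply = False   # a client command has not been acknowledged yet
        self.dropped = False
        self.reason = None
        self.data_channels = []       # endpoints the fixup would pre-allocate

    def _drop(self, reason):
        self.dropped, self.reason = True, reason
        return "drop"

    def client_segment(self, payload):
        """Inspect one client->server segment; returns 'pass' or 'drop'."""
        if self.dropped:
            return "drop"
        lines = [l for l in payload.split("\r\n") if l]
        if len(lines) != 1:
            return self._drop("embedded command: %d commands in one segment" % len(lines))
        if self.awaiting_reply:
            return self._drop("new command before the previous one was acknowledged")
        line = lines[0]
        if line.startswith("227"):
            return self._drop("only the server may generate 227")
        verb, _, args = line.partition(" ")
        if verb.upper() == "PORT":
            m = HOSTPORT_RE.fullmatch(args.strip())
            if not m:
                return self._drop("malformed PORT argument")
            self.data_channels.append(_endpoint(m))
        self.awaiting_reply = True
        return "pass"

    def server_segment(self, payload):
        """Inspect one server->client segment; returns 'pass' or 'drop'."""
        if self.dropped:
            return "drop"
        for line in [l for l in payload.split("\r\n") if l]:
            m = REPLY_RE.match(line)
            if not m:
                # e.g. a PORT command injected from the server side: not a reply
                return self._drop("server sent a non-reply line: %r" % line)
            code, sep, text = m.groups()
            # Only a real "227 " reply opens a data channel; a 4xx/5xx error
            # string that echoes "227 (h1,h2,...)" or "PORT" opens nothing.
            if code == "227" and sep == " ":
                hp = HOSTPORT_RE.search(text)
                if hp:
                    self.data_channels.append(_endpoint(hp))
            if sep == " ":            # final line of the reply acknowledges the command
                self.awaiting_reply = False
        return "pass"

def inspect_session(segments):
    """segments: [(who, payload)], who in {'client', 'server'}; returns (verdicts, inspector)."""
    insp = StrictFtpInspector()
    verdicts = []
    for who, payload in segments:
        handler = insp.client_segment if who == "client" else insp.server_segment
        verdicts.append(handler(payload))
    return verdicts, insp

# Constructed sessions (not captured traffic).
CLEAN_SESSION = [
    ("server", "220 ftp.example.test ready\r\n"),
    ("client", "USER anonymous\r\n"),
    ("server", "331 Guest login ok, send e-mail as password\r\n"),
    ("client", "PASS guest@\r\n"),
    ("server", "230 Logged in\r\n"),
    ("client", "PASV\r\n"),
    ("server", "227 Entering Passive Mode (198,51,100,10,19,137)\r\n"),
]
EMBEDDED_SESSION = [
    ("server", "220 ftp.example.test ready\r\n"),
    ("client", "USER anonymous\r\nPASS guest@\r\n"),   # two commands in one segment
]
ERROR_STRING_SESSION = [
    ("client", "PASV\r\n"),
    ("server", "500 Unknown command: 227 Entering Passive Mode (10,0,0,1,0,21)\r\n"),
]
```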

H.323 V2

H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. H.323 supports H.323 VoIP gateways and VoIP gatekeepers. H.323 version 2 adds the following functionality to the PIX Firewall:

ICMP Access Lists

Enable or disable pinging to an interface. With pinging disabled, the PIX Firewall cannot be detected on the network. The new icmp command implements this feature. This feature is also referred to as configurable proxy pinging.

IP Fragmentation Syslog Messages

Syslog messages PIX-4-209003, PIX-4-209004, and PIX-4-209005 have been added to disclose IP fragmentation attacks.

IDS Syslog Messages

Cisco Secure Intrusion Detection System (Cisco Secure IDS) is an IP-only feature that provides some level of flexibility for the user to customize the amount of traffic that needs to be audited and logged.

PAT Enhancements

The following PAT enhancements were added:

  global [(int_name)] nat_id address | interface

  The following example enables PAT using the IP address at the outside interface in global configuration mode:

    ip address outside 192.150.49.1
    nat (inside) 1 0 0
    global (outside) 1 interface

  The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This matters for DHCP configurations, because it allows the DHCP-retrieved address to be used for PAT.

  When PAT is enabled on an interface, there should be no loss of the TCP, UDP, and ICMP services that terminate at the PIX Firewall unit's outside interface.

Mapping Different Internal Subnets to Different PAT Addresses

  The following example maps hosts on the internal network 10.1.0.0/16 to global address 192.168.1.1 and hosts on the internal network 10.1.1.1/16 to global address 209.165.200.225 in global configuration mode.

    nat (inside) 1 10.1.0.0 255.255.255.0
    nat (inside) 2 10.1.1.1 255.255.255.0
    global (outside) 1 192.168.1.1 netmask 255.255.255.0
    global (outside) 2 209.165.200.225 netmask 255.255.255.224

Backing Up PAT Addresses

  The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.

    nat (inside) 1 10.1.0.0 255.255.0.0
    global (outside) 1 209.165.200.225 netmask 255.255.255.224
    global (outside) 1 192.168.1.1 netmask 255.255.255.0

  With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.

ping Command Enhancement

The PIX Firewall ping command no longer requires an interface name. If an interface name is not specified, PIX Firewall checks the routing table to find the address you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.

Radius Authorization

PIX Firewall now allows a RADIUS server to send user group attributes to the PIX Firewall in the RADIUS authentication response message. Authorization is granted with the access-list command statement.

SIP Support

Session initiation protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions—particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:

SSH

SSH (Secure Shell) is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. PIX Firewall supports the SSH remote shell functionality as provided in SSH version 1. SSH version 1 also works with Cisco IOS software devices. Up to five SSH clients are allowed simultaneous access to the PIX Firewall console.


Note   You must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. To use SSH, your PIX Firewall must have a DES or 3DES activation key.


Note   SSH permits up to 100 characters in a username and up to 50 characters in a password.


Note   SSH and failover are not supported for use together in version 5.2(1).

Obtaining an SSH Client

The following sites let you download an SSH v1.x client. Because SSH version 1.x and v2 are entirely different protocols and not compatible, be sure you download a client that supports SSH v1.x.

  http://hp.vector.co.jp/authors/VA002416/teraterm.html
  A security enhancement for Tera Term Pro is available at the following site:
  http://www.zip.com.au/~roca/ttssh.html
  http://www.openssh.com
  http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

TCP Intercept

Prior to version 5.2, PIX Firewall offered no mechanism to protect systems reachable via a static and TCP conduit from TCP SYN segment attacks. With the new TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN segment bound for the affected server is intercepted.

This feature requires no change to the PIX Firewall command set, only that the embryonic connection limit on the static command now has a new behavior.
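A model of the embryonic-limit behaviour described above, added here and not PIX code: half-open connections to the protected server are counted, and once the count reaches the limit every further SYN is intercepted (answered by the firewall rather than forwarded) until the count falls below the limit again. Addresses, ports and the flood size are constructed.

```python
class TcpInterceptStatic:
    """Connection tracking for one static with an embryonic limit (0 = unlimited)."""

    def __init__(self, em_limit):
        self.em_limit = em_limit
        self.half_open = set()      # SYNs forwarded to the server, handshake pending
        self.proxied = set()        # SYNs answered by the firewall on the server's behalf
        self.established = set()

    def embryonic_count(self):
        """Half-open connections the protected server actually has to hold."""
        return len(self.half_open)

    def syn(self, src_ip, src_port):
        """Process a SYN bound for the server; returns 'forward', 'intercept' or 'duplicate'."""
        key = (src_ip, src_port)
        if key in self.half_open or key in self.proxied:
            return "duplicate"
        if self.em_limit and len(self.half_open) >= self.em_limit:
            self.proxied.add(key)   # over the limit: the server never sees this SYN
            return "intercept"
        self.half_open.add(key)
        return "forward"

    def ack(self, src_ip, src_port):
        """Client completes the handshake; a proxied client is now connected through."""
        key = (src_ip, src_port)
        if key in self.half_open:
            self.half_open.remove(key)
        elif key in self.proxied:
            self.proxied.remove(key)
        else:
            return False
        self.established.add(key)
        return True

    def timeout(self, src_ip, src_port):
        """Embryonic timer expired without a handshake (typical of a spoofed SYN)."""
        key = (src_ip, src_port)
        self.half_open.discard(key)
        self.proxied.discard(key)

def syn_flood_demo(em_limit=100, flood_size=1000):
    """Flood from constructed spoofed sources, then one legitimate client that completes."""
    st = TcpInterceptStatic(em_limit)
    forwarded = intercepted = 0
    for i in range(flood_size):
        ip = "203.0.113.%d" % (i % 254 + 1)    # constructed spoofed source addresses
        res = st.syn(ip, 10000 + i)
        forwarded += res == "forward"
        intercepted += res == "intercept"
    legit = ("198.51.100.7", 40000)             # constructed legitimate client
    legit_verdict = st.syn(*legit)
    st.ack(*legit)
    return {
        "forwarded": forwarded,
        "intercepted": intercepted,
        "server_half_open": st.embryonic_count(),
        "legit_verdict": legit_verdict,
        "legit_connected": legit in st.established,
    }
```

The server ends up holding at most em_limit half-open connections, while the legitimate client is intercepted but still connects once it completes the handshake.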

Unicast Reverse Path Forwarding

Due to the potential danger of IP spoofing in the IP protocol, measures need to be taken to reduce the risk of IP spoofing when possible. Unicast Reverse Path Forwarding, or reverse route lookups, prevent IP spoofing under certain circumstances. This mechanism provides ingress filtering and egress filtering.

Ingress filtering checks inbound packets for IP source address integrity. This function is limited to addresses for networks in the enforcing entity's local routing table. If the incoming packet does not have a source address that is represented by a route, then it is impossible to know whether the packet arrived on the best possible path back to its origin. This is often the case because routing entities cannot maintain routes for every network.

Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table.

If an exiting packet does not arrive on the best return path back to the originator, then the packet should be dropped and the activity logged. Egress filtering prevents internal users from launching attacks using IP source addresses outside of the local domain. Because most attacks use IP spoofing to hide the identity of the attacking host, egress filtering makes the task of tracing the origin of an attack much easier. When employed, egress filtering enforces that IP source addresses are obtained from a valid pool of network addresses: addresses local to the enforcing entity and therefore easily traceable.
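The reverse path check described above, as an added example that is not Cisco code: the routing table, interface names and sample packets are constructed, and a failed check is logged in the %PIX-1-106021 format this release introduces.

```python
import ipaddress
from collections import Counter

# Constructed routing table: (prefix, egress interface). The default route
# points to the outside, as the Installation Notes recommend.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("192.168.50.0/24", "dmz"),
]

def lookup_route(ip, routes=ROUTES):
    """Longest-prefix match; returns the egress interface, or None if no route."""
    addr = ipaddress.ip_address(ip)
    best_net, best_if = None, None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if

def reverse_path_check(src, dst, ingress_if, routes=ROUTES):
    """Return (allowed, syslog_line); syslog_line is None when the packet is allowed.

    On the outside interface this is ingress filtering (an internal source
    address arriving from the Internet is a spoof); on the inside it is egress
    filtering (an internal host using a source address the site does not own).
    """
    if lookup_route(src, routes) == ingress_if:
        return True, None
    line = ("%%PIX-1-106021: Deny 1 reverse path check from %s to %s "
            "on interface %s" % (src, dst, ingress_if))
    return False, line

def filter_packets(packets, routes=ROUTES):
    """Run the check over (src, dst, ingress_if) tuples; count drops per interface."""
    drops = Counter()
    for src, dst, ingress_if in packets:
        allowed, _ = reverse_path_check(src, dst, ingress_if, routes)
        if not allowed:
            drops[ingress_if] += 1
    return drops

# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("198.51.100.7", "10.1.2.3", "outside"),    # legitimate Internet source
    ("10.1.2.3", "192.0.2.1", "outside"),       # internal address arriving from outside: spoof
    ("10.1.2.3", "192.0.2.1", "inside"),        # normal outbound traffic
    ("203.0.113.5", "198.51.100.7", "inside"),  # internal host using an external source address
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, reverse_path_check(*pkt))
    print(filter_packets(SAMPLE_PACKETS))
```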

Websense Filtering by Username and Group

The Websense Server (UFS) works with the PIX Firewall to deny users access to web sites based on the company security policy.

Websense protocol version 4 enables group and username authentication between a host and a PIX Firewall. The PIX Firewall performs a username lookup, and then the Websense server handles URL filtering and username logging.

Websense protocol version 4 contains the following enhancements:

Command Changes

All new commands, options, and changes are described in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2.

New Commands in Version 5.2(1)

The following commands are new in version 5.2(1):

New Command Options in Version 5.2(1)

The following command options are new in version 5.2(1):

  If a debug command does not use Trace Channel, each session operates independently, which means that commands started in a session produce output only in that session. By default, output is disabled for a session that does not use Trace Channel.

Command Changes in Version 5.2(1)

filter url port|except local_ip local_mask foreign_ip foreign_mask [allow]

The port option was available in past versions but did not appear in the documentation.

    %PIX-4-404101: ISAKMP: Failed to allocate address for client from pool poolname

    isakmp key ******** address ip_addr netmask mask

Syslog Message Changes

The sections that follow list changes to syslog messages in version 5.2. All messages are described in detail in System Log Messages for the Cisco Secure PIX Firewall Version 5.2.

New Messages in Version 5.2(1)

The following syslog messages are new in version 5.2(1):

%PIX-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr

%PIX-1-106021: Deny num reverse path check from IP_addr to IP_addr on interface int_name

%PIX-1-106022: Deny num connection spoof from IP_addr to IP_addr on interface int_name

%PIX-6-109015: Authorization denied (acl=acl_ID) for user 'username' from src_addr/src_port to dest_addr/dest_port on interface int_name

%PIX-3-109016: Downloaded authorization access-list acl_ID not found for user 'username'

%PIX-4-209003: Fragment database limit of num exceeded: src = IP_addr, dest = IP_addr, proto = protocol, id = id

%PIX-4-209004: Invalid IP fragment, size = num exceeds maximum size = size: src = IP_addr, dest = IP_addr, proto = protocol, id = id

%PIX-4-209005: Discard IP fragment set with more than num elements: src = IP_addr, dest = IP_addr, proto = protocol, id = id

%PIX-3-313001: Denied ICMP type=type, code=code from IP_addr on interface int_name

%PIX-6-314001: Pre-allocate RTSP UDP backconnection for faddr faddr/fport to laddr laddr/lport

%PIX-3-315001: Denied SSH session from IP_addr on interface int_name

%PIX-6-315002: Permitted SSH session from IP_addr on interface int_name for user "user_id"

%PIX-6-315003: SSH login session failed from IP_addr on (num attempts) on interface int_name by user "user_id"

%PIX-3-315004: Fail to establish SSH session because PIX RSA host key retrieval failed.

%PIX-6-315011: SSH session from IP_addr on interface int_name for user "user_id" terminated normally

%PIX-6-315011: SSH session from IP_addr on interface int_name for user "user_id" disconnected by SSH server, reason: "text" (status_code_in_hex)

%PIX-4-4000nn: IDS:sig_num sig_msg from IP_addr to IP_addr on interface int_name

%PIX-4-404101: ISAKMP: Failed to allocate address for client from pool pool_idsha

%PIX-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for faddr faddr[/fport] to laddr laddr[/lport]

%PIX-4-405102: Unable to Pre-allocate H245 Connection for faddr faddr[/fport] to laddr laddr[/lport]

%PIX-6-604101: DHCP client interface int_name: Allocated ip = IP_addr, mask = mask, gw = IP_addr

%PIX-6-604102: DHCP client interface int_name: address released

%PIX-6-604103: DHCP daemon interface int_name: address granted MAC_addr (IP_addr)

%PIX-6-604104: DHCP daemon interface int_name: address released MAC_addr (IP_addr)
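A parser for the %PIX-severity-id format used by the messages above, added here and not Cisco code: it splits a line into facility, severity, message ID and text, then tallies messages at or above a chosen severity by message ID and source address so that messages such as 106017, 106021 and 315001 stand out. The lines in SAMPLE_LOG are constructed from the formats listed above, not captured.

```python
import re
from collections import Counter

# %PIX-<severity 0..7>-<six-digit message id>: <text>; the id may be preceded by
# a timestamp and host name when the line comes from a syslog server.
LINE_RE = re.compile(r"%(?P<facility>[A-Z]+)-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)")
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")

def parse_pix_syslog(line):
    """Return a dict with facility, severity (int), msg_id and text, or None if not a PIX message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec

def summarize(lines, max_severity=4):
    """Count (msg_id, source) pairs for messages with severity <= max_severity.

    Lower numbers are more severe: 1 = alert, 2 = critical, 3 = error,
    4 = warning, 6 = informational. Messages whose text has no 'from <ip>'
    field (for example the fragment messages, which use 'src = ') are keyed '-'.
    """
    counts = Counter()
    for line in lines:
        rec = parse_pix_syslog(line)
        if rec is None or rec["severity"] > max_severity:
            continue
        m = SRC_RE.search(rec["text"])
        counts[(rec["msg_id"], m.group(1) if m else "-")] += 1
    return counts

# Constructed sample log using the message formats listed above.
SAMPLE_LOG = [
    "%PIX-2-106017: Deny IP due to Land Attack from 198.51.100.25 to 198.51.100.25",
    "%PIX-1-106021: Deny 1 reverse path check from 10.1.2.3 to 192.0.2.1 on interface outside",
    "%PIX-1-106021: Deny 1 reverse path check from 10.1.2.3 to 192.0.2.5 on interface outside",
    "%PIX-3-315001: Denied SSH session from 203.0.113.9 on interface outside",
    '%PIX-6-315002: Permitted SSH session from 203.0.113.10 on interface inside for user "admin"',
    "%PIX-6-604103: DHCP daemon interface inside: address granted 0001.0203.0405 (10.1.2.50)",
    "Jun  1 12:00:00 pixfirewall %PIX-4-209003: Fragment database limit of 200 exceeded: "
    "src = 203.0.113.9, dest = 10.1.2.1, proto = 17, id = 1234",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```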

Removed Messages in Version 5.2(1)

The following syslog messages were removed in version 5.2(1):

%PIX-2-106003: Connection denied src laddr dest faddr due to JAVA Applet on interface int_name.

%PIX-3-201007: Unable to allocate new udp connections (faddr/fport-laddr/lport)

%PIX-3-203001: ESP Error: No Key SPI hex SRC IP_addr DEST IP_addr

Documentation Changes

All IPSec configuration information is now in the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2. This guide is available both online and in the PIX Firewall accessory kit.

Installation Notes

Always configure a default route command statement to the outside interface in every configuration you create. This is especially important for use with IPSec.

Limitations and Restrictions

No new limitations and restrictions were added in version 5.2(1).

Important Notes

AAA

The inbound and outbound options to the aaa command apply only to the network interfaces in the first two slots of the PIX Firewall.

CRLs

When CRL checking is configured as mandatory, PIX Firewall takes about two minutes to poll the CRL from the VeriSign CA Server during ISAKMP negotiation. As a result, ISAKMP negotiation fails with the message "ISAKMP (0): Unknown error in cert validation, 0" and packets are lost until PIX Firewall receives the CRL. [CSCdr89880]

Cisco Secure VPN Client

  The problem occurs when IKE Mode Config is configured and PIX Firewall runs out of addresses created by the ip local pool command and the next VPN Client tries to come in.
  The behavior is as follows:
  This caveat does not exist for the Cisco VPN 3000 Client version 2.5. [CSCdr48442]

Cisco VPN 3000 Client

The following restrictions apply to using PIX Firewall with the Cisco VPN 3000 Client:

  For example, if you ping from the client and check the inbound and outbound SPIs, Cisco VPN 3000 Client can be seen to use the third (latest) SPI to send the ping, but PIX Firewall uses the second SPI, the one before the last, to respond to the ping. The result is that the ping responses return to the Cisco VPN 3000 Client, but are dropped. [CSCdr83223]

Cisco VPN 3000 Concentrator Manager

The following restrictions apply to use with the Cisco VPN 3000 Concentrator Manager series:

Failover

Refer to the "Failover" section in Chapter 3, "Advanced Configurations" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2 for a new procedure for configuring failover.

The PIX Firewall DHCP client does not support failover configurations.

FDDI

FDDI interfaces are supported on the PIX 525 with the caveat that no other interface card can be used with FDDI cards. In addition, the Ethernet interfaces on the motherboard must be shut down using the shutdown option to the interface command.

On the PIX 520 and earlier models, when FDDI interface cards are used, no other interface card can be used on the unit.

The PIX 515 does not support use of any FDDI interface cards.

License Key Downgrade

If you downgrade your license key from a UR to an R, thereby restricting the number of supported interfaces, PIX Firewall removes all commands from your configuration that reference the unsupported interfaces. In addition, open caveat CSCdr52181 notes that PIX Firewall also removes all nat and static commands from the configuration.

SMTP

Multiple SMTP commands contained in a single packet are no longer permitted and are now dropped.

Token-based Authentication for VPN Clients

The PIX Firewall now supports token-based authentication systems through the use of the crypto map token authentication command. PIX Firewall supports the following token-based authentication systems and modes for use with the Cisco VPN 3000 Client:

The PIX Firewall supports the SDI RADIUS token-based authentication system using Next Token mode or New Pin mode for use with the Cisco Secure VPN Client, version 1.1.

Token-based authentication has not been verified for the following vendors/products:

For more information about the crypto map token authentication command, see the crypto map command page in Chapter 12, "Command Reference" of the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2.

Caveats


Note   Please use the Bug Navigator on CCO to view additional caveat information.

Open Caveats - Release 5.2(1)

  SSH and failover are not supported for use together in version 5.2(1). If used together, an RSA key created before failover will not appear on the Standby unit after failover occurs.
  PIX Firewall is not able to create an IPSec tunnel with a 2048 RSA key using a PIX Firewall "Classic" model.
  PIX Firewall fails to get certificates if downgraded from 5.2(1) when used with the Microsoft Certification Authority.
  When IPSec traffic is not present between two PIX Firewall units and the IPSec and ISA lifetimes expire, both the IPSec and ISA SAs are deleted. When IPSec traffic is not present between a PIX Firewall and a Cisco VPN 3000 Concentrator and the lifetimes expire, the SAs are not deleted and the units rekey.
  H.323 call setup is not supported by failover.
  The Cisco VPN 3000 Client on Windows 95 or Windows 98 does not take the WINS server address pushed to it from the PIX Firewall if an IP address is statically configured on the client. For static configurations, users must manually configure the adapters with WINS information. This works correctly on Cisco VPN 3000 Client on Windows NT. On Windows 95 or Windows 98, dynamic WINS support works with DHCP enabled adapters; that is, PPP or NIC adapters that get their information dynamically.
  Always configure a default route command statement to the outside interface in every configuration you create. This is especially important for use with IPSec.
  ICMP types 3, 4, 5, 11, 12, 13, 14, 15, 16, 17, and 18 fail with PAT.
  During the PIX Firewall unit's enrollment request to a Baltimore CA server, the process fails. This failure occurs when using the ca enroll command to obtain CA-signed certificates for each of the two special-purpose RSA key pairs the PIX Firewall generated (using the ca generate rsa specialkey command). When the failure occurs, PIX Firewall displays the following error messages:
    CRYPTO_PKI: status = 100: certificate is granted
    CRYPTO_PKI: Error: Invalid format for BER encoding while
    ##########In GetRecipientInfo: 315
    CRYPTO_PKI: status = 266: failed to open the envelope
    The certificate enrollment request failed!
  When CRL checking is configured as mandatory, PIX Firewall takes about two minutes to poll the CRL from the VeriSign CA Server during ISAKMP negotiation. As a result, ISAKMP negotiation fails with the message "ISAKMP (0): Unknown error in cert validation, 0" and packets are lost until PIX Firewall receives the CRL.
  SSH permits up to 100 characters in a username and up to 50 characters in a password.
  When PIX Firewall creates multiple IPSec SPIs (security parameter indexes), the Cisco VPN 3000 Client uses the latest SPI to send data, but PIX Firewall does not. PIX Firewall does not keep track of the SPIs in the order they were created. PIX Firewall uses the SPI with the highest lifetime, but the latest SPI ends up with less lifetime than the one before.
  For example, if you ping from the client and check the inbound and outbound SPIs, Cisco VPN 3000 Client can be seen to use the third (latest) SPI to send the ping, but PIX Firewall uses the second SPI, the one before last, to respond to the ping. The result is that the ping responses return to the Cisco VPN 3000 Client, but are dropped.
  In version 5.1 and prior versions, when you enabled the debug command, output messages displayed at an active terminal session, such as the console or a Telnet session.
  In version 5.2 and future versions, PIX Firewall supports multiple console sessions, which means that debug command output messages can be sent to multiple sessions simultaneously, as long as the sessions are enabled. Each session is enabled or disabled independently and there is no effect on other sessions.
  The Cisco VPN 3000 Concentrator Manager series ignores all keepalive messages originating from the PIX Firewall unit.
  PIX Firewall/Cisco VPN 3000 Concentrator Manager: traffic does not restart after power cycling the concentrator.
  The Cisco VPN 3000 Client does not support Group 2 for IKE transform sets.
  From within the Cisco VPN 3000 Client status window, while a tunnel is available, if you press the Space key twice, the client hangs.
  Use of the SNMP ip.ipAddrTable entry requires that all interfaces have unique addresses. If interfaces have not been assigned IP addresses, by default, their IP addresses are all set to 127.0.0.1. Having duplicate IP addresses causes the SNMP management station to loop indefinitely. The workaround is to assign each interface a different address. For example, you can set one address to 127.0.0.1, another to 127.0.0.2, and so on.
  When starting an SSH session, a dot (.) displays on the PIX Firewall console before the SSH user authentication prompt appears. The dot appears as follows:
    pixfirewall(config)# .
    pixfirewall(config)# .
  The display of the dot does not affect the functionality of SSH. The dot appears at the console when generating a server key or when decrypting a message using private keys during SSH key exchange, before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that shows that the PIX Firewall is busy and has not hung.
  Cisco VPN 3000 Client has to use split tunneling to connect to a remote PIX Firewall unit if the Cisco VPN 3000 Client is going to browse through the private network on the inside of the remote PIX Firewall unit, as well as the local network of the Cisco VPN 3000 Client.
  In version 5.2, when keys and certificates generated with the crloptional parameter to the ca command are replaced with new ones, ISAKMP negotiation fails. This caveat previously worked correctly in version 5.1. This caveat was observed after creating keys and certificates, sending traffic, and removing the keys and certificates on both PIX Firewall units. After new keys and certificates were created with the crloptional parameter to the ca command and new traffic started, ISAKMP negotiations failed.
  An ip local pool range cannot have multiple subnets.
  Port numbers are not appearing in syslog when using ACL.
  If PIX Firewall crashes, it attempts to run the show tech-support command. A long configuration can cause further crashes.
  PIX Firewall using RADIUS or TACACS+ requires username and password pairs for authentication, but only authorizes based on IP addresses. Once a multiuser host has been authenticated, all other users on that host are granted authentication. This may allow unauthorized users access to services normally denied them.
  Setting the uauth timeout to zero partially solves this problem, but makes Web browsing difficult for authorized users because they must reauthenticate for every new page they view.
  The Cisco VPN 3000 Concentrator Manager only supports a limited number of IPSec transform sets. The Cisco VPN 3000 Concentrator Manager does not support the AH protocol. The supported transform sets are as follows:
    esp-des esp-md5-hmac
    esp-des esp-sha-hmac
    esp-3des esp-md5-hmac
    esp-3des esp-sha-hmac
    esp-null esp-md5-hmac
  If you downgrade your license key from a UR to an R, thereby restricting the number of supported interfaces, PIX Firewall removes all commands from your configuration that reference the unsupported interfaces. In addition, PIX Firewall also removes all nat and static commands from the configuration.
  PIX Firewall behaves differently when used with and without Xauth in combination with IKE Mode Config when used with the Cisco Secure VPN Client. Refer to the second bullet item in "Cisco Secure VPN Client" for more information.
  The aaa authorization except command does not work for UDP.
  Crash in Crypto PKI RECV thread during certificate enrollment.
  The following syslog message incorrectly displays a field as "<>":
  %PIX-3-106014: Deny inbound icmp src outside:IP_addr dst <>:IP_addr (type 0, code 0)
  Small ARP timeouts cause short periods of packet loss.
  Interface routing should be based on the DNAT address.
  Outbound filtering is not working correctly. An example is as follows:
    outbound 2 permit 0.0.0.0 0.0.0.0 0 tcp
    outbound 2 deny 192.168.85.51 255.255.255.255 0 ip
    outbound 2 deny 192.168.85.51 255.255.255.255 0 tcp
    apply (inside) 2 outgoing_src
  Without the third command statement, the second statement does not stop TCP packets. Although using ip may seem logical, the valid protocol values are UDP, TCP, or the ICMP protocols. Because ip is not a valid protocol, the PIX Firewall does not evaluate that statement, yet the PIX Firewall command line parser does not reject it either.

Resolved Caveats - Release 5.2(1)

The following caveats were resolved:

  H.323 now correctly performs NAT on IP addresses configured with the alias command.
  The fixup protocol rtsp command no longer allocates the wrong server port for QuickTime.
  When using the fixup protocol ftp strict command, FTP communications between a server that advertises a large welcome banner and a Windows 2000 or Netscape Communicator 4.73 client now work correctly.
  Previously, these types of FTP connections were treated as intrusion events and dropped. The problem occurred because these clients issued the next command before receiving the complete advertised banner from the server. PIX Firewall treated this as a pipelined command, which with the strict option, is treated as an intrusion event.
  PIX Firewall no longer crashes during Cisco Secure PM configuration downloads.
  All inside interface static route command statements now appear in the configuration. Previously, a RIP-generated route overrode the static route and kept it from appearing in the configuration. Now the static route overrides a RIP-generated route.
  PIX Firewall no longer creates two PPTP tunnels for the same client.
  The configure net command no longer changes the severity level of the logging history command.
  Failover with an Ethernet cross-over cable no longer causes the configuration in the Standby unit to be lost and the network to become temporarily unavailable.
  PIX Firewall now verifies that an xlate is linked to a host object; if not, the "no local host infor" message appears when the show xlate debug command is used. Previously, Telnet sessions were being lost during Stateful Failover.
  The new sysopt route dnat command specifies that when an incoming packet does a route lookup, the incoming interface is used to determine the outgoing interface and the next hop.
  On PIX Firewall, you can configure multiple vpngroup command statements when using certificates with the Cisco VPN 3000 Client. This can be done only when the name of the vpngroup command statement you specify on the PIX Firewall is the same as the Organizational Unit (OU) field of the certificate on the client. When PIX Firewall processes the client's certificate, it matches the value of the OU field against the vpngroup command statements and uses the matching one.
  Multiple SMTP commands contained in a single packet are no longer permitted and are now dropped.
  Uauth now shows the correct address specified by the ip local pool command when doing xauth with a VPN Client. Previously, the ISP-assigned address appeared instead of the correct pool address.
  Stateful Failover now supports the nat 0 access-list command.
  Specifying an outbound command list_ID greater than 1599 no longer causes a crash. The maximum list_ID value is now 1599.
  The write standby command now clears the configuration of the Secondary unit and its ARP table. The Active unit then sends each configuration command to the Secondary unit. While sending the commands to synchronize the two configurations, the failover IP addresses are now temporarily disabled (set to 0.0.0.0), which prevents the previous condition that when syslog was enabled, the Secondary unit would ARP for the syslog server and cause confusion on the network.
  PIX Firewall now polls the CRL during ISAKMP negotiation to determine if the CRL has expired.
  The embryonic connection count no longer underflows during Stateful Failover.
  The inbound and outbound options to the aaa command are restricted to first and second interfaces only.
  PIX Firewall now supports up to 14,000 outbound command statements in a configuration.
  Syslog message PIX-5-304001 now displays a username. The format of this message is as follows:
    %PIX-5-304001: user src_addr Accessed JAVA URL|URL dest_addr: url.
  The tracert command now displays hops beyond the PIX Firewall when using PAT.
  PIX Firewall no longer incorrectly NATs embedded IP addresses with a network static command statement.
  PIX Firewall no longer fails with an assertion error when 50 or more IPSec static peers are configured. In this case, each peer was configured with individual ISAKMP keys, ISAKMP policies, transform sets, and lines to match address access-lists.
  SIP uses three signaling ports, which caused problems for SIP UDP signaling. SIP can also use TCP, but the problems and solutions only apply to UDP signaling. Normally, SIP with UDP has a configurable timer set by default to 30 minutes. This caused the database and signaling connections to remain until this timer expired.
  A new timer and flag were added for transient connections, so that a connection will now time out and be closed in 1 minute when the media ports are assigned and connections are made either in the 183 ringing message or the 200 OK response message.
  The call is then moved to the active state and the connection address is saved in the database at this time. When the terminating message arrives on a different connection, the active connection address will be retrieved from the database and the UDP flag will be changed on this connection to the transient flag.
  The ISAKMP lifetime specified on the Cisco VPN 3000 Concentrator Manager series is ignored whether or not the group name is defined on the PIX Firewall. When the Cisco VPN 3000 Client starts a connection without a group ID name (no split tunneling), the ISAKMP timer expires and tries to rekey, when it actually should be ignored and not used.
  Disconnecting the Cisco VPN 3000 Client deletes IPSec SAs on the PIX Firewall.
  The failover poll seconds command provides a user-definable failover polling timer.
  PIX Firewall now provides NAT for embedded outside DNAT address in H.225.
  The no ca identity nickname command now clears the CRL list.
  The performance of the fixup command has been improved.
  Added support for Cisco's proprietary RAS messages to let PIX Firewall interoperate with Cisco's gateways and gatekeepers.
  If a hung Telnet session is killed with the terminal monitor command while syslog is enabled, PIX Firewall no longer reboots when a syslog message is sent.
  The logging monitor command used on a Telnet console session no longer hangs the console when the screen display pauses with More.
  ISAKMP keys no longer display with the show config or write terminal commands. The keys now display as follows:
    isakmp key ******** address ip_addr netmask mask
  The failover active command now works correctly when the PIX Firewall unit is equipped with FDDI network interfaces.
  Dynamic hookups are now provided for the H.225 call signaling channel.
  If, during an upgrade from version 5.1 to version 5.2, the PIX Firewall detects a version 5.1 ca identity cgi-bin path, it will automatically convert the path into the version 5.2 style cgi-bin path.
  Accounting records for DNS now have the correct port number.
  FDDI line protocol no longer resets to "down" after reloading the image.
  PIX Firewall now permits URLs to be up to 1024 characters long.
  When a pool of addresses set by the ip local pool command is empty, the following syslog message now appears:
    %PIX-4-404101: ISAKMP: Failed to allocate address for client from pool poolname
  When the PIX Firewall unit is equipped with Gigabit Ethernet interfaces, the Standby unit in failover no longer fails after using the clear config all command.
  PIX Firewall, when creating an IPSec tunnel, now copies the TOS field from the incoming packet's header into the header of the encrypted packet.
  The clear config command formerly changed the default interface name from pix/intfn to intfn. The caveat resolution now changes the default interface name to intfn.
  The debug failover option command now appears as follows:
             tx      Failover cable xmit
             rx      Failover cable receive
             open    Failover device open
             cable   Failover cable status
             txdmp   Cable xmit message dump (serial console only)
             rxdmp   Cable recv message dump (serial console only)
             ifc     Network interface status trace
             rxip    IP network failover packet recv
             txip    IP network failover packet xmit
             get     IP network packet received
             put     IP network packet xmited
             verify  Failover message verify
             switch  Failover Switching status
             fail    Failover internal exception
             fmsg    Failover message
  Syslog message %PIX-3-106014 now correctly displays all information. Previously the message appeared with <> to indicate missing information:
    Deny inbound icmp src outside:192.168.8.10 dst <>:192.168.205.2 (type 0, code 0)
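  A log collector that groups %PIX-3-106014 denies by destination interface has to cope with both forms of this message: the version 5.1 output with the "<>" placeholder (shown above and under the open caveats) and the corrected version 5.2 output. The parser below is an added example, not code from the release notes or from Cisco; the sample lines other than the one quoted on this page are constructed for illustration.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Message body of %PIX-3-106014. The message-ID prefix is optional because the
# page shows the line both with and without it. An interface field is any run of
# non-colon, non-space characters, which also matches the literal "<>" that the
# 5.1 image emitted in place of the destination interface name.
_MSG_106014 = re.compile(
    r"(?:%PIX-3-106014: )?Deny inbound icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[0-9.]+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[0-9.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

MISSING_FIELD = "<>"  # placeholder the pre-5.2 image wrote for the missing field


class IcmpDeny(NamedTuple):
    src_if: str
    src_ip: str
    dst_if: Optional[str]  # None when the firewall logged "<>" instead of a name
    dst_ip: str
    icmp_type: int
    icmp_code: int
    field_missing: bool    # True for the buggy 5.1-style line


def parse_106014(line: str) -> Optional[IcmpDeny]:
    """Parse one syslog line; return None if it is not a 106014 ICMP deny."""
    m = _MSG_106014.search(line)
    if m is None:
        return None
    dst_if = m.group("dst_if")
    missing = dst_if == MISSING_FIELD
    return IcmpDeny(
        src_if=m.group("src_if"),
        src_ip=m.group("src_ip"),
        dst_if=None if missing else dst_if,
        dst_ip=m.group("dst_ip"),
        icmp_type=int(m.group("type")),
        icmp_code=int(m.group("code")),
        field_missing=missing,
    )


def count_by_dst_interface(lines: Iterable[str]) -> Dict[str, int]:
    """Count ICMP denies per destination interface, bucketing lines whose
    interface name was lost to the 5.1 caveat under "unknown" rather than
    letting "<>" show up as an interface name in a report."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_106014(line)
        if rec is None:
            continue
        key = rec.dst_if if rec.dst_if is not None else "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: the first line is the 5.1-style message quoted on this
# page, the others are made-up 5.2-style lines plus one unrelated message.
SAMPLE_LOG = [
    "%PIX-3-106014: Deny inbound icmp src outside:192.168.8.10 dst <>:192.168.205.2 (type 0, code 0)",
    "%PIX-3-106014: Deny inbound icmp src outside:10.1.1.5 dst inside:10.2.2.7 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src outside:10.1.1.6 dst dmz:10.3.3.9 (type 3, code 1)",
    "%PIX-6-602301: sa created",  # not a 106014 message, skipped
]
```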
  PIX Firewall no longer blocks JAVA applets when the filter java command is not enabled.
  The show tech-support command now includes the write terminal command that shows the current configuration. The previous version used the show config command that listed the configuration stored in Flash memory.
  Disabling and enabling the vpdn command to move access to another interface no longer requires rebooting the PIX Firewall.
  PIX Firewall TACACS+ per-user idle and absolute timeouts now work correctly.
  Boothelper can now TFTP through a gigabit interface.
  Syslog message %PIX-6-602301 is no longer preceded by several linefeeds, which made this message unreadable on some syslog servers.
  If two users try to authenticate at approximately the same time, PIX Firewall no longer generates two syslog messages with the same username even though the IP addresses were logged correctly. Also, the show uauth command output no longer shows two entries with the same username but different IP addresses.
  AAA usernames are now limited to up to 30 characters and passwords are limited to up to 15 characters in length.
  PIX Firewall no longer crashes if a VeriSign CA is accessed without the crloptional parameter to the ca conf command.
  Formerly, if you made a certificate enrollment request without having first generated your RSA keys, the enrollment request terminated with the following error message:
    %Error: router certificate exists.
  The new error message is as follows:
    %Error: The signature public key is not found. Abort.
    Type help or '?' for a list of available commands.
  PIX Firewall now rejects a received CA certificate if an incorrect fingerprint was entered.
  The names command no longer intermittently disables after being configured.
  To track usage among different subnets, you can specify multiple PATs. Before, only one PAT statement could be configured for each configuration.
  To specify PAT using the IP address at the interface, specify the interface keyword:
    global interface id address | interface

Related Documentation

Use this document in conjunction with the PIX Firewall and Cisco VPN 3000 documentation at the following sites:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

Cisco provides PIX Firewall technical tips at the following site:

http://www.cisco.com/warp/public/110/index.shtml#pix

Obtaining Documentation

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.

Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).

Obtaining Technical Assistance

Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.

Cisco Connection Online

Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.

You can access CCO in the following ways:

You can e-mail questions about using CCO to cco-team@cisco.com.

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.

To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.

To contact by e-mail, use one of the following:

Language            E-mail Address
English             tac@cisco.com
Hanzi (Chinese)     chinese-tac@cisco.com
Kanji (Japanese)    japan-tac@cisco.com
Hangul (Korean)     korea-tac@cisco.com
Spanish             tac@cisco.com
Thai                thai-tac@cisco.com

In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate and value your comments.

This document is to be used in conjunction with the documents listed in the "Related Documentation" section.

Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document/website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0008R)

Copyright © 2000, Cisco Systems, Inc.
All rights reserved.


Posted: Sun Sep 24 20:21:29 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.