February 1997
The Cisco PIX Firewall provides network firewall and translation services.
The sections that follow list the product changes.
The following features are new in this release:
PIX Firewall now includes the groom command, which keeps traditional flash memory circuit boards operating at peak efficiency. The firewall runs this command automatically when flash memory is full; that is, when you try to save your configuration and insufficient flash memory is available to store it.
In the past, each time the firewall wrote its configuration to flash memory, the new image was appended after the existing contents rather than replacing them. Eventually the circuit board ran out of memory and caused a system failure. With the groom command, the firewall copies the configuration currently stored in flash memory into RAM, erases the complete flash memory space, and then writes the configuration back into flash memory.
The command syntax is:
groom
There are no options for this command.
You can either wait until you run out of flash memory or run the command as part of your preventive maintenance schedule, monthly or every few months depending on how often you change the configuration and save it to flash memory. Because the configuration exists only in RAM while the flash memory is erased, do not interrupt or power cycle the unit while grooming is in progress.
An example of using this command follows:
pixfirewall(config)# groom
Grooming flash. This will take a moment. DO NOT INTERRUPT.
pixfirewall(config)#
To download upgrades from CCO:
Step 1 Use a network browser, such as Netscape Navigator to access http://www.cisco.com.
Step 2 If you are a registered CCO user, click LOGIN in the topmost graphic on the page. If you have not registered, click REGISTER and follow the steps to register.
Step 3 After you click LOGIN, a dialog box appears requesting your User Name and Password. Enter these and click OK.
Step 4 When you are ready to continue, choose Service & Support.
Step 5 On the Service & Support page, find Software Library and choose Cisco Software Images from the choices below the Software Library selection.
Step 6 On the Software Image Library page, scroll down to the Internet Products heading and choose Private Internet Exchange (PIX) Software.
Step 7 On the Cisco Private Internet Exchange (PIX) page, if you will use a MS-DOS or Windows PC to create the PIX Firewall floppy disk, click the pix306.exe self-extracting archive. If you will use a UNIX system, click the pix306.bin file option. Click Execute to continue.
Step 8 The Software Download page appears and lets you specify either a domestic or international site from which to download the file, or to send the file to a remote location by FTP or email.
(a) To copy the file directly to your hard drive, choose either United States (San Jose) or European (Amsterdam) depending on your location. A dialog box appears requesting that you enter your CCO password again. Enter it and click OK. The Save As... dialog box appears and lets you specify the directory and output file name of the file on your hard drive. Choose the directory and file name and click Save. A dialog box appears to show you the progress of the transfer.
(b) If you choose to send the file by FTP, choose that selection and a form appears requesting the remote site name, your login and password, and the remote path location on that host. You can also be notified by email about the success or failure of the FTP file transfer. Click Send File to send the file.
(c) If you choose to send the file by email, enter the destination email address and the file will be encoded with the UNIX uuencode command before being sent to the address you specify.
If you are using UNIX, proceed to the section "If You Are Using UNIX"; if you are using Windows or MS-DOS, continue with the next section.
Step 1 Exit the network browser and start an MS-DOS shell prompt. Choose or create a directory to contain the files from the archive. Enter the name of the self-extracting archive at the DOS command prompt and press the Return key. The archive unloads three files: SAMPLE.CFG, RAWRITE.EXE, and PIX306.BIN.
A sample archive extraction follows:
C:\pix>pix306.exe
PKSFX (R) FAST! Self Extract Utility Version 2.04g 02-01-93
Copr. 1989-1993 PKWARE Inc. All Rights Reserved. Shareware version
PKSFX Reg. U.S. Pat. and Tm. Off.
Searching EXE: C:/PIX/PIX306.EXE
 Inflating: SAMPLE.CFG
 Inflating: RAWRITE.EXE
 Inflating: PIX306.BIN
C:\pix>
Step 2 Locate a floppy disk, ensure it is IBM formatted, and does not contain useful files. When the PIX Firewall floppy disk is created, all the files on the floppy disk are erased.
Step 3 Enter rawrite at the command prompt and the utility prompts you for the name of the source binary file, the output device (a: or b: for a 3.5-inch floppy disk), and to then insert a formatted floppy disk. The utility then creates the PIX Firewall floppy disk.
A sample rawrite session follows:
C:\pix>rawrite
RaWrite 1.2 - Write disk file to raw floppy diskette
Enter source file name: pix306.bin
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 28 Head: 1 Sector: 16
Done.
C:\pix>
Step 4 Remove the floppy disk from the drive, place it in the PIX Firewall floppy disk drive and power cycle the unit. Alternately, if your unit has a Reset switch, use it, or you can enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new floppy disk.
Step 1 Download the binary file to your local directory.
Step 2 Insert a diskette in your workstation's floppy disk drive.
Step 3 Enter the following command to copy the binary file to the floppy disk:
This command copies the binary file to the floppy disk device file with a block size of 18 sectors, not 18 bytes: as a dd block size this is 18b, that is 18 512-byte sectors or one floppy track, matching the 18 sectors per track that rawrite reports in the MS-DOS procedure.
Step 4 Eject the floppy disk and insert it in the PIX Firewall floppy disk drive and power cycle the unit. Alternately, if your unit has a Reset switch, use it, or you can enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new floppy disk.
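The UNIX step above does not show the copy command itself. The following shell script is an added example and not Cisco's own command: it writes a raw boot image to a floppy device with dd one track (18 sectors, 9216 bytes) at a time, after checking that the image fits on a 1.44 MB diskette, and then reads the diskette back and compares it with the image to confirm the write. The device path (/dev/fd0 in the usage line) and the 1.44 MB capacity check are assumptions; adjust the path to your workstation's floppy device.

```shell
#!/bin/sh
# Added example (not from the Cisco release note): write a raw PIX boot
# image to a floppy device with dd and verify it by reading it back.
# The output device path is an assumption; /dev/fd0 is typical on Linux.

SECTOR=512
TRACK=$((18 * SECTOR))       # 18 sectors per track, as rawrite reports (9216 bytes)
FLOPPY_SECTORS=2880          # 1.44 MB diskette: 80 tracks * 2 heads * 18 sectors

# image_fits IMAGE
# Returns 0 if IMAGE is non-empty and no larger than a 1.44 MB diskette.
image_fits() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && [ "$size" -le $((FLOPPY_SECTORS * SECTOR)) ]
}

# write_image IMAGE DEVICE
# Writes IMAGE to DEVICE one track per block, flushes, then reads back
# exactly the number of bytes written and compares them with IMAGE.
# Returns 0 only if the read-back matches.
write_image() {
    img=$1
    dev=$2
    if ! image_fits "$img"; then
        echo "$img does not fit on a 1.44 MB floppy" >&2
        return 1
    fi
    dd if="$img" of="$dev" bs="$TRACK" 2>/dev/null || return 1
    sync
    # A raw device returns the whole diskette, so limit the comparison
    # to the bytes actually written.
    dd if="$dev" bs="$TRACK" 2>/dev/null | head -c "$size" | cmp -s - "$img"
}

# usage: write_image pix306.bin /dev/fd0
```

On a real diskette the read-back step catches a bad sector or a media error that dd alone would not report; a non-zero exit means the disk should not be used to boot the firewall.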
The prompts you see when you upgrade PIX Firewall from a previous version are described in this release note. They are not covered in the Cisco PIX Firewall User Guide. To upgrade, insert the upgrade disk in the PIX Firewall floppy disk drive and power cycle the unit.
These messages appear:
PIX Bios V2.7
Booting Floppy ...................................
Execing flop
PIX Floppy loader version 1.12
Starting second stage loader. ..
PIX Floppy cloader version 1.0
Flash=i28F020
Reading floppy image..............................
Flash version 3.1.0.106, Floppy version 3.0.6
Installing to flash
Activation Key: 6e2e72f3 1b681128 d690bbfb 37e44fb
Do you want to enter a new activation key? [n]
If you are not adding additional user licenses, enter n and your unit starts normally.
These messages appear:
Erasing flash...
Writing image into flash...
8MB RAM
mcwa i82557 Ethernet @ irq 11 MAC: 00a0.c90a.eb43
mcwa i82557 Ethernet @ irq 5 MAC: 00a0.c90a.eb4d
Flash=i28F020
P r i v a t e   I n t e r n e t   e X c h a n g e
-----------------------------------------------------------------------
(PIX ASCII-art logo)
-----------------------------------------------------------------------
(c) Cisco Systems, Inc.
PIX Version 3.0.6
Maximum Connections: 32
Copyright (c) 1996 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
pixfirewall>
You are now ready to configure your system. Refer to the Cisco PIX Firewall User Guide for more information.
If you are adding additional user licenses, enter y. The following messages appear:
Do you want to enter a new activation key? [n] y
Enter Activation Key
Part 1 of 4: 1d13b691
Part 2 of 4: fae588c1
Part 3 of 4: 64d1d76a
Part 4 of 4: ef7f773f
If you make a mistake while entering the activation key, a message appears indicating that the key is incorrect, and you are prompted to enter it again. After you enter the activation key, the messages that follow are the same as those in the previous section "Remaining Messages," page 5.
The following procedure assumes that you backed up your version 2 configuration on floppy disk before installing version 3. If you did not back up your configuration, skip Step 4 and re-enter your configuration from the PIX Firewall console.
To remove PIX Firewall version 3 and reinstall version 2:
You can now use your PIX Firewall in version 2.
The syntax of the auth-user, clear auth-user, and no auth-user commands has changed to allow different authentication servers for inbound and outbound connections. The new command syntax is:
auth-user inside|outside type ip_address netmask
clear auth-user inside|outside type ip_address netmask
no auth-user inside|outside type ip_address netmask
The inside parameter indicates that the connection originated from the inside of the PIX Firewall. The outside parameter indicates that the connection is from the outside. As described in the Cisco PIX Firewall User Guide, type is radius or tacacs+, ip_address is the address to which or from which authentication is performed, and netmask is the network mask of the IP address.
The new mtu command lets you specify the MTU (Maximum Transmission Unit) value for the specified network interface. For Ethernet interfaces, the default MTU of 1500 bytes per block is sufficient for most applications. For Token Ring, you may need to specify a different value to correspond to the needs at your site. The default value for the mtu command depends on the type of network interface specified in the interface command: 1500 bytes for Ethernet and 8192 bytes for Token Ring. The minimum value for bytes is 64 and the maximum is 65535 bytes.
According to RFC 1191 [Mogul and Deering 1990], each type of network interface has a different recommended value. The RFC recommends 1500 bytes for Ethernet, 17914 for 16Mbps Token Ring, and 4464 for 4Mbps Token Ring.
The syntax of the mtu commands is:
mtu inside|outside bytes
no mtu [inside|outside]
show mtu [inside|outside]
The inside and outside parameters let you indicate the network interface for which you are setting the block size. The no mtu command resets the MTU block size to the default. The show mtu command displays the current block size. The minimum block size is 64 bytes, the maximum is 65535 bytes, and entering a value of zero causes an error message to display.
The description of the conduit command contains incorrect information. On page 4-20 of the Cisco PIX Firewall User Guide, the paragraph before the example and the example itself describe the version 2.7 conduit command and not the version 3 command.
The text should read:
If a conduit is specified as the example that follows, host 192.168.2.2 can access the inside host that is mapped to the global address 192.168.1.1 on any TCP port:
conduit 192.168.1.1 0 tcp 192.168.2.2 255.255.255.255
When the port is specified as zero, all ports of the specified protocol can be accessed. The same syntax applies for UDP.
See also: no conduit, show conduit.
The following pair of commands enables only SMTP communication between the UNIX gateway host with IP address 10.10.25.10 and an SMTP server on the inside network with IP address 192.168.1.49:
pixfirewall(config)# static 10.10.26.147 192.168.1.49 255.255.255.255
pixfirewall(config)# conduit 10.10.26.147 25 tcp 10.10.25.10 255.255.255.255
To remove the last conduit, enter the no conduit command:
pixfirewall(config)# no conduit 10.10.26.147 25 tcp 10.10.25.10
For firewalls containing a Token Ring interface card, if the card, cable, or hub fails, the firewall only detects the failure after 30 seconds. Once this duration elapses, failover proceeds normally.
The interface ethernet command format follows:
interface ethernet inside|outside 10baseT|100baseTX|auto|aui|bnc
The aui and bnc options are not described in the interface ethernet command description in the Cisco PIX Firewall User Guide (Document Number 78-3728-01).
The PIX Firewall HTML management interface now works with Microsoft Internet Explorer.
The PIX Firewall does not reassemble fragmented IP packets that are addressed to one of its own interfaces.
The link command description in the Cisco PIX Firewall User Guide states that you can have 64 Private Links. This number should be 256 Private Links.
The route command description in the Cisco PIX Firewall User Guide contains an error in the first line of the example at the bottom of page 4-70. The third command parameter is the gateway IP address.
PIX Firewall does not support browsing of the Cisco SYSLOG MIB (Management Information Base). The only MIBs you can browse are the System, Interfaces, and SNMP groups of MIB-II.
To receive security and failover SNMP traps from the PIX Firewall, compile the Cisco SYSLOG MIB into your SNMP management application.
If you do not compile the Cisco SYSLOG MIB into your management application, you will only receive MIB-II traps for link up or down, and cold or warm start from the PIX Firewall.
The static command description on page 4-111 of the Cisco PIX Firewall User Guide is missing its example. The example should read:
pixfirewall(config)# static 128.192.251.11 10.1.1.1
The first parameter is a global IP address and the second is a local IP address.
Cisco Connection Online (CCO), formerly Cisco Information Online (CIO), is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional content and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously--a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.