August 5, 1997
Cisco's PIX Firewall provides firewall and network translation services.
The following topics are covered in these release notes:
Note PIX Firewall now encrypts passwords in the configuration when you use a
write command to view or store the configuration. If you change a PIX Firewall password, write the new password down and store it in accordance with your site's security policy.
Version 4.0.6 contains the following features:
- A new 1024 connection license was added.
- The arp command now accepts the 6x2 MAC address format; for example, 00:a0:c9:0a:eb:4d.
- Enhanced error checking.
The following bugs were fixed in version 4.0.6:
- A nat global that was reused as a PAT global mysteriously appeared in a PAT nat combination. [CSCdj17286]
- After one use of PIX Firewall's ping on a PAT (port address translation) IP address, all translated packets were returned with CRC errors. [CSCdj18776]
- Outbound pings via PAT to Cisco routers did not work. [CSCdj19227]
- Use of failover caused PIX Firewall to crash. [CSCdj23886]
- When the primary authentication server failed and when the PIX Firewall switched to the next authentication server, the firewall failed and rebooted. [CSCdj24669]
- When use of the show xlate command caused the More prompt to appear, the PIX Firewall stalled all connections. This was stated to be fixed in version 4.0.5, but reappeared. [CSCdj25664]
- DNS would not resolve PAT addresses and returned error stating that the DNS response was denied. [CSCdj26291]
- Use of NFS over PAT did not work. [CSCdj26812]
- PAT did not work when IP fragmenting was in effect. [CSCdj26968]
- RADIUS authentication only worked on the first session; subsequent sessions failed. [CSCdj27403]
- The first attempt to deny inbound TACACS+ Telnet authorization did not work. [CSCdj27404]
- HTTP did not reprompt when a password was not provided. [CSCdj27405]
- The aaa authentication except command did not work. [CSCdj27407]
- The show uauth command did not display all available information. [CSCdj27408]
PIX Firewall version 4.1 will obsolete the lnko, lnkopath, and show actkey commands.
The following usage notes apply to all PIX Firewall version 4 releases:
- For the outbound command, do not mix the permit, deny, and except options in a single outbound list. If you use the except option, use it only with a single permit statement or with a single deny statement, but not with both deny and permit statements.
- The previous version 4.0.4 usage note about the show xlate command pausing PIX Firewall if the More prompt appeared is no longer in affect.
- If you are using DHCP to configure IP addresses for the hosts on the inside network, the DHCP server must provide the IP address, netmask, and gateway (default route) IP address. The default route must point to the PIX Firewall, either directly or via a router.
- The Java applet blocking feature removes applets that come into the HTTP port. The PIX Firewall removes applets containing a Java signature anywhere in the message, but does not remove applets encapsulated in some archive files. Legitimate, non-Java files with Java signatures are also blocked.
- Configurations greater than 400 lines cannot be accessed with the PIX Firewall console HTML management interface.
- When the aaa command is enabled, before users can access MS-IIS sites, they must visit other sites to be authenticated before the MS-IIS sites can be accessed.
- The following version 3 commands changed in version 4:
- auth, auth-server, and auth-user commands were dropped and replaced by the aaa, radius-server, and tacacs-server commands. The version 4 installation program automatically converts the old auth commands to the new commands.
- global no longer accepts a single network IP address. In the past, you could type in the following command and have it represent 10.1.1.1 through 10.1.1.254:
global 1 10.1.1.0
- In version 4, single IP addresses specified in the global command indicate port address translation. To specify a network global, enter it as 10.1.1.1-10.1.1.254. In version 3, after a network global statement was entered, it was converted in the configuration to the dash form (10.1.1.1-10.1.1254). Therefore, there are no conversion issues with this command.
- The show uptime command was added after the documentation was sent to print. This command lists how long the PIX Firewall has been operating since its last reboot.
- Before downgrading from version 4 to version 3:
Step 1 Use the show config command to view the encrypted form of the privileged mode password. You must enter the text representation of the encrypted password in version 3 to access privileged mode.
Step 2 Remove the aaa commands from your configuration.
Step 3 Reload version 3 software.
Step 4 Add the appropriate auth commands back in.
The following corrections apply to the PIX Firewall Series Configuration Guide, Chapter 3, "Command Reference."
The minimum duration is 1 minute.
In the second to the last sentence on the page, the sentence should read: The packet goes to the PIX Firewall with SRC=192.9.200.123 and DST=192.168.1.33.
The ip_address and netmask parameters are optional. This command is the same as the no telnet command.
The ip_address parameter should state that this is an outside IP address.
The md5 parameter is optional, not required as shown in the syntax.
All mail hosts that you create with the mailhost command must be on the inside network.
The max_conns parameter applies to all TCP connections, not just mail connections as indicated.
When you use the nat 0 0 command, the NIC-registered addresses you want visible on the outside must be identified with the static and conduit commands as shown in the following example. This example makes inside host 207.31.17.1 visible on the outside for FTP access to the outside 192.159.1.0 network:
nat 0 0
static 207.31.17.1 207.31.17.1
conduit 207.31.17.1 ftp tcp 192.159.1.0 255.255.255.0
This command requires that you specify both the inside and outside IP addresses to delete an alias entry.
The netmask parameter is optional.
You can use the md5 option instead of the key-id and key parameters to disable use of the MD5 encryption protocol for the remote IP address.
The example for this command is:
no link 192.168.0.42 1 beebee
no link 192.168.0.50 md5
The ip_address parameter is optional.
The ip_address and netmask parameters are optional.
The java option is shown as a separate parameter from port. This description should state that java is an alternate name for port 80 (web access) that provides more control over web access. The java keyword lets you filter out Java applets while still permitting web access.
The correct syntax for the outbound command is:
outbound num permit | deny ip_address [netmask] [java | [port[-port]]]
The following example enables web access at port 80, but filters out Java applets:
outbound 1 permit 192.168.42.54 255.255.255.255 80
outbound 1 deny 192.168.42.54 255.255.255.255 java
apply 1 outgoing_src
To disable web access, use the outbound ... deny ... 80 command.
The total number of RADIUS and TACACS+ servers allowed is 16.
The example should be:
show alias
alias 10.2.3.0 10.4.5.0 255.255.255.0
The show who and who commands only show Telnet console sessions, not serial port console sessions or HTTP management interface sessions.
Line 2 of the example should read:
name 192.150.49.12 server_12
Also, a "slot" is a global IP address to which one or more connections are associated. If Port Address Translation (PAT) is occurring, a slot is a single port.
The xlate duration must be at least 5 minutes, the conn duration must be at least 5 minutes, the udp duration must be at least 1 minute, the rpc duration must be at least 1 minute, the h323 duration must be at least 5 minutes, and the uauth duration must be shorter than the xlate duration and at least 2 minutes.
PIX Firewall version 4.0.5 contains the following features:
- Translates embedded IP addresses in SQL*Net messages.
- Displays and permits input of Ethernet ARP entry MAC addresses in the standard form;
for example, 00:00:A6:00:01:BA.
- Expands SYSLOG number and messages mapping.
- The established command has new options. The syntax for the command is:
established udp|tcp [[port]-port] permit[to|from] [udp|tcp] [[port]-port]
- The new features let you narrow the hole that the established command opens for multimedia applications. The port options let you specify the TCP or UDP port and whether connections can be started to or from a specified port. An example is:
established tcp 4254 permitto tcp 113
The following bugs were fixed in version 4.0.5:
- Use of the alias command no longer requires adding an A record to the DNS zone file. The PIX Firewall now intercepts DNS queries for aliased IP addresses, resolves the query and sends out the packet with the correct source address. [CSCdj12006]
- The PIX Firewall now responds to ARP requests from Windows 95 and Windows NT without requiring the ARP timeout duration to be less than 10 seconds. [CSCdj18176]
- The PIX Firewall reuses ports properly. [CSCdj18256]
- The aaa authentication command allows an r-shell (rsh) stderr connection. [CSCdj18320]
- The PIX Firewall Token-Ring interfaces now work correctly with an IBM 2210 router. [CSCdj19036]
- Port numbers higher than 34463 are now permitted in the outbound command. [CSCdj19040]
- The firewall now works correctly with the AMD flash memory chip. [CSCdj19302]
- Data connections from repeated chained FTP sessions are no longer denied. [CSCdj19369]
- Use of FTP during an FTP session now uploads the timeout value. [CSCdj20000]
- The aaa authorization command now handles access denials consistently. [CSCdj21400]
- User-authenticated FTP now works to cco.cisco.com or to any other sites that return multiline responses for the FTP user command. [CSCdj21914]
- The PIX Firewall no longer causes buffer overruns and crashes accordingly. [CSCdj22151]
- Private Link now resets reliably on the PIX10000. [CSCdj22235]
- The PIX Firewall now allows auto sensing as long as the interface board is capable of handling this feature. [CSCdj22282]
- The alias command now works with different network classes. [CSCdj23209]
- Token Ring configured at 4 Mbps no longer changes to 16 Mbps after PIX Firewall reboots. [CSCdj22414]
PIX Firewall version 4.0.4 introduced the features described in the sections that follow.
The except option lets you create an exception to a previously set authentication range. This option is an unsupported early field test feature. The following example authenticates every outbound connection except those originating at host 10.1.42.1:
aaa authentication any out 0 0 tacacs+
aaa authentication except out 10.1.42.1 255.255.255.255 tacacs+
Up to 256 alias statements are now permitted.
The except option replaces the deny or permit options and lets you create an exception to a previously set outbound definition. This option is an unsupported early field test feature. The following example disables all outbound web traffic except to destination host 204.31.17.2:
outbound 11 deny 0 0 80
outbound 11 except 204.31.17.2 255.255.255.255 80
apply 11 outgoing_dest
Refer to the "Usage Notes" section for additional information on the use of this command.
URL logging now displays the user name from user authentication.
The following bugs were fixed in version 4.0.4:
- The static command allowed multiple entries for the same IP address. [CSCdj09165]
- The following error message was removed:
port 514 is already on ifcl
- This error occurred if the SYSLOG host is an outside host to which access fails. The SYSLOG host is only supported for use on the inside network. The message that replaced the old message is:
<111002> No arp for ip_address
- The inside SYSLOG host must be active while the PIX Firewall is operational. [CSCdj11794]
- Inbound FTP user authentication under TACACS+ did not accept tacacs+name@ftpname tacacs+passwd@ftpasswd. [CSCdj11831]
- Inbound user authentication generated the following spurious SYSLOG message during retry after the timeout uauth value was exceeded [CSCdj12383]:
<166 109001 Auth start for user 'unknown' from ip_address to ip_address
- RADIUS and TACACS+ authentication would not allow FTP access after a user was authenticated. [CSCdj12659 and CSCdj12660]
- PIX Firewall did not report running out of connections or translation slots. [CSCdj12999]
- Inbound authentication without authorization did not work. [CSCdj13023]
- The route command's metric parameter is now optional. The metric parameter specifies the number of hops to the router. The default is 1 hop. [CSCdj13208]
- The show xlate command now differentiates between TCP and UDP. [CSCdj14272]
- Connection counts were used up during normal usage. [CSCdj14755]
- Incorrect sequence numbers caused looping between <FIN> <ACK> and <FIN> to machines on both sides of the PIX Firewall. [CSCdj14760]
- Outbound or inbound use of FTP to IP addresses specified with the alias command did not work. [CSCdj14824]
- The clear arp command did not work. [CSCdj14826]
- A typographical error was fixed in the HTTP management interface user name prompt. [CSCdj15367]
- Use of an outbound command permitting all service access to an inside IP address followed by an outbound command to deny access to a particular service to that same IP address still permitted access to the denied service. The rule for an outbound command is that for the same IP address, a deny has precedent over a permit. [CSCdj16844]
- A port other than 20 can now initiate FTP data port negotiation. [CSCdj17862]
- Private Link did not pass packets greater than 1,400 bytes. [CSCdj10379]
PIX Firewall version 4.0.3 consists of all the features of version 4.0 described in your documentation set plus the following:
- PIX Firewall now supports Token Ring with failover.
- In a Token Ring-to-Token Ring configuration, if one end of the connection is a Windows NT server, packet sizes larger than 1500 bytes now pass correctly through the PIX Firewall.
- The Telnet quit command can now be used to end a Telnet session.
- The groom command now appears in PIX Firewall command line help.
- The write erase command now prompts you before executing the command.
- Separate inbound and outbound authentication is now available for the same host.
- The clear lnkopath, clear static, no link, no radius-server, and no tacacs-server commands now work as documented in the PIX Firewall Series Configuration Guide.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
- WWW: http://www.cisco.com
- WWW: http://www-europe.cisco.com
- WWW: http://www-china.cisco.com
- Telnet: cco.cisco.com
- Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
