September 15, 1997
Cisco's PIX Firewall provides firewall and network translation services.
The following topics are covered in these release notes:
Note Before installing version 4.1, save your configuration on floppy disk and write down your license activation key value. You must have a copy of your activation key number to restore a previous version from floppy disk.
Note PIX Firewall only supports configuration upgrades from version 4.0.x.
Note PIX Firewall version 4.1.1 was released internally only.
Note Three Ethernet network interfaces are supported currently. Two Token-Ring interfaces are supported or three as an EFT (Extended Field Test) option. In addition, PIX Firewall supports only two interfaces if you mix Ethernet and Token-Ring interfaces.
Note The PIX Firewall now has case-sensitive passwords, SNMP strings, and interface names.
Note RADIUS is only supported for authentication and not for authorization.
Note The HTML Configuration Manager is being obsoleted in a future release and has not been updated for use with the version 4.1 third interface feature. If your PIX Firewall has two network interfaces, it will work correctly. Information on the HTML Configuration Manager is provided only in these release notes. This feature is being replaced by the new PIX Firewall Manager which is being enhanced in a future release to directly configure a PIX Firewall in the same manner as the HTML Configuration Manager.
Note The aaa authorization command syntax was incorrect in the early version 4.1 documentation. The IP address from which authorization originates is shown as the dest_ip parameter but should be source_ip.
Note Net statics now take precedence over use of the nat 1 0 0 and global command pair. This means that nat 1 0 0 only grants outbound access to hosts not specified in the net static statement.
Version 4.1.2 introduces a new set of options for the static command and fixes bugs from previous PIX Firewall versions.
The syntax for the static command is:
static [(internal_if_name, external_if_name)] global_ip local_ip [max_conns [em_limit]] [options]
| Parameter | Description |
|---|---|
| internal_if_name | The internal network interface name. |
| external_if_name | The external network interface name. |
| global_ip | A global IP address. This address cannot be a PAT (port address translation) IP address. |
| local_ip | The local IP address from the inside network. |
| max_conns | The maximum number of TCP connections allowed for this static. Use the show conn command to view how TCP connections are being used in the firewall. |
| em_limit | The embryonic connection limit. |
| options | Specify one option, or two options separated with a comma, from the list that follows. For example, norandomseq,classa. (Do not put a space after the comma.) |

- norandomseq--Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.
- classa | classb | classc--Specify that global_ip is a Class A, Class B, or Class C IP address. Class A addresses start with 1 through 127, Class B addresses start with 128 through 191, and Class C addresses start with 192 and higher.
The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. For outbound connections, use static to specify an address in the pool of global addresses that is always used for translation between the local host and the global address. For inbound connections, use static with the conduit command to identify addresses visible on the external network. For inbound connections, do not use a global IP address created with the global command.
Refer to the static command page in the PIX Firewall Series Configuration Guide for more details on how to use the static command.
For version 4.1.2, the static command determines the network mask of network statics by the class option or by the number in the first octet of the global IP address. The class option overrides the number in the first octet. This feature lets you change the class of a global IP address; for example, you can use 192.0.0.0 as a Class A address even though its first octet indicates it is a Class C address.
If the address is all zeros where the net mask is zero, then the address is a net address.
IP address classes are defined as follows:
- Class A--If the first octet of global_ip is between 1 and 127 (inclusive), the address is a Class A address. In a Class A address, the first octet is the one-byte net address and the last three octets are the host address. For example, 10.4.0.0 is a host IP address. The net address portion is 10.0.0.0, the net mask is 255.0.0.0, and the host address portion is 4.0.0. The address 10.0.0.0 is a net address.
- Class B--If the first octet of global_ip is between 128 and 191 (inclusive), the address is a Class B address. In a Class B address, the first two octets are the net address and the last two octets are the host address. For example, 172.16.4.0 is a host IP address. The net address portion is 172.16.0.0, the net mask is 255.255.0.0, and the host address portion is 4.0. The address 172.16.0.0 is a net address.
- Class C--If the first octet of global_ip is 192 or higher, the address is a Class C address. In a Class C address, the first three octets are the net address and the last octet is the host address. For example, 192.168.5.6 is a host address. The net address portion is 192.168.5.0, the net mask is 255.255.255.0, and the host portion is 6. The address 192.168.5.0 is a net address.
If the global_ip address is a net address, then the static is presumed to be a net static, and the net mask is the mask for the global_ip address. The local_ip address must follow the global_ip address; if the global address is a Class B net address, then the local_ip address must also be a net address, using a Class B net mask. For example, the following command is a net static:
static (inside,outside) 172.16.0.0 172.8.0.0 0 0
The global_ip is 172.16.0.0. The first octet is 172, and that makes the net mask 255.255.0.0 (a Class B net mask). When a net mask of 255.255.0.0 is applied to the local_ip address, we find that it is also a net address. It does not matter that the first octet in the local_ip is a Class B address; the only thing that counts is the value of the first octet of the global_ip.
static (inside, outside) 172.16.0.0 10.8.0.0 0 0
In this command, the local_ip address, 10.8.0.0, is a Class A address, but the mask is taken from the global_ip address, which is a Class B address, so the net mask is 255.255.0.0. Using that mask, 10.8.0.0 is a net address.
static (inside,outside) 172.16.0.0 192.168.5.0 0 0
This command is an error, and is rejected. The global address is a Class B net address. Using a Class B net mask, the local_ip is a host address, not a net address. It is irrelevant that 192.168.5.0 is a Class C address, as determined by its first octet, 192. It also does not matter that 192.168.5.0, under most conditions, would be considered a Class C network address. What matters is that the global address indicates that the static uses a Class B net mask. Using that mask, 172.16.0.0 is a net address and 192.168.5.0 is a host address, and PIX Firewall disallows a static command where the global_ip is a host address and local_ip is a net address or vice versa.
To specify a net mask different than the mask specified by the global_ip address, use the class option. This option overrides the net mask implied by the first octet of the global_ip.
For example, if you have three Class C networks, 10.0.0.0, 10.2.0.0, and 10.3.4.0, and want to create a net static for the first one only, use the following command:
static (inside,outside) 10.0.0.0 10.0.0.0 0 0 classc
The class option lets you permit access to some hosts in a network and deny access to others as shown in this example:
static (inside,outside) 10.0.0.0 10.0.0.0 0 0 classc
conduit (inside,outside) 10.0.0.0 0 tcp 0 0
conduit (inside,outside) 10.0.0.0 0 udp 0 0
Without the classc option, the command would build a static and a conduit for 10.n.n.n and allow TCP access to both 10.0.0.5 and 10.2.0.3. With the classc option, the command builds a static and a conduit for 10.0.0.n. This permits outside TCP access to 10.0.0.5, but denies access to 10.2.0.3.
The following usage rules apply:
- The local_ip address must have the same class as the global_ip address; if the global_ip address is a Class B net address, then the local_ip address must also be a net address, using a Class B net mask.
- Subnetting has to be on 8-bit boundaries.
- Both the global IP address and local IP address must be network IP addresses and not host addresses.
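The mask selection and net/host check described above, together with the classc conduit example, modelled in Python. This is an added illustration, not code from the release notes or from PIX Firewall itself; it assumes only the rules stated here (class taken from the first octet of global_ip unless a class option overrides it, and both addresses must be net addresses under that mask).

```python
"""Model of the PIX Firewall 4.1.2 net static class rules (added example, not Cisco code)."""
import ipaddress
from typing import Optional, Tuple

# Net mask implied by each class option, as prefix lengths on 8-bit boundaries.
CLASS_PREFIX = {"classa": 8, "classb": 16, "classc": 24}


def implied_class(global_ip: str) -> str:
    """Class implied by the first octet of global_ip: 1-127 A, 128-191 B, 192+ C."""
    first = int(ipaddress.IPv4Address(global_ip)) >> 24
    if first == 0:
        raise ValueError(f"{global_ip}: a first octet of 0 has no class")
    if first <= 127:
        return "classa"
    if first <= 191:
        return "classb"
    return "classc"


def static_prefix(global_ip: str, class_option: Optional[str] = None) -> int:
    """Prefix length the static uses; an explicit class option overrides the first octet."""
    if class_option is not None and class_option not in CLASS_PREFIX:
        raise ValueError(f"unknown class option {class_option!r}")
    return CLASS_PREFIX[class_option or implied_class(global_ip)]


def is_net_address(ip: str, prefix: int) -> bool:
    """True when every host bit is zero under a mask of the given prefix length."""
    host_bits = (1 << (32 - prefix)) - 1
    return int(ipaddress.IPv4Address(ip)) & host_bits == 0


def classify_static(global_ip: str, local_ip: str,
                    class_option: Optional[str] = None) -> Tuple[str, int]:
    """Return ("net", prefix) for a net static or ("host", 32) for a host static.

    The mask comes only from global_ip (or the class option) and is then applied
    to local_ip as well; a net/host mismatch is rejected, as the firewall does.
    """
    prefix = static_prefix(global_ip, class_option)
    g_net = is_net_address(global_ip, prefix)
    l_net = is_net_address(local_ip, prefix)
    if g_net and l_net:
        return "net", prefix
    if not g_net and not l_net:
        return "host", 32
    raise ValueError(
        f"static {global_ip} {local_ip}: global is {'net' if g_net else 'host'} "
        f"but local is {'net' if l_net else 'host'} under /{prefix}"
    )


def static_is_valid(global_ip: str, local_ip: str,
                    class_option: Optional[str] = None) -> bool:
    """Convenience wrapper: would PIX Firewall accept this static command?"""
    try:
        classify_static(global_ip, local_ip, class_option)
        return True
    except ValueError:
        return False


def net_static_reaches(global_ip: str, host_ip: str,
                       class_option: Optional[str] = None) -> bool:
    """Does a conduit built on this net static cover host_ip in the global address space?"""
    kind, prefix = classify_static(global_ip, global_ip, class_option)
    if kind != "net":
        raise ValueError(f"{global_ip} is not a net address under /{prefix}")
    network = ipaddress.ip_network(f"{global_ip}/{prefix}")
    return ipaddress.IPv4Address(host_ip) in network


if __name__ == "__main__":
    # The three static commands discussed in the release notes.
    print(classify_static("172.16.0.0", "172.8.0.0"))   # ('net', 16)
    print(classify_static("172.16.0.0", "10.8.0.0"))    # ('net', 16)
    print(static_is_valid("172.16.0.0", "192.168.5.0"))  # False: net vs host
    # The classc conduit example: 10.2.0.3 is reachable only without classc.
    for host in ("10.0.0.5", "10.2.0.3"):
        print(host, net_static_reaches("10.0.0.0", host),
              net_static_reaches("10.0.0.0", host, "classc"))
```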
The following bugs were fixed in version 4.1.2:
- Intel 10/100 interface cards now boot up and respond to ARP requests faster than the previous performance of 75 seconds. [CSCdj15384]
- PIX Firewall formerly did not check for excessive command line arguments. [CSCdj16468]
- Use of the nat 0 command caused PIX Firewall to run out of translation slots (called "xlates"). [CSCdj31212]
- Outbound FTP through an alias address created by port address translation did not work. [CSCdj31673]
- Use of the conduit command with the PPTP protocol requires that you create two conduit statements, both for port 1723, one for TCP and the other for PPTP. For example [CSCdj30226]:
conduit (inside, outside) global_ip 1723 tcp foreign_ip mask
conduit (inside, outside) global_ip 1723 pptp foreign_ip mask
- Net statics with a variable subnet mask caused ambiguous results. Refer to the "New static Command Option" section for information about the new class option to the static command that solves this problem. [CSCdj32982]
- PIX Firewall formerly rebooted after about 100 minutes elapsed. [CSCdj33164]
- PIX Firewall previously dropped ICMP exceed messages generated by the routers on the outside. This caused ping requests to fail. [CSCdj33461]
- Net statics now take precedence over use of the nat 1 0 0 and global command pair. This means that nat 1 0 0 only grants outbound access to hosts not specified in the net static command. [CSCdj36920]
- PIX Firewall formerly hung on a Telnet console disconnect when the syslog console command was used. [CSCdj37411 and CSCdj38612]
- PIX Firewall formerly hung after user authentication proxy failures when the requested server did not exist. [CSCdj41161]
- PIX Firewall now logs valid Telnet logins via SYSLOG. [CSCdj41735]
PIX Firewall version 4.1 contains the following features:
- 30% to 50% faster throughput.
- Support for three network interfaces.
- Multi-service conduits let you create conduits with the UDP, TCP, and PPTP service types. PPTP enables support for Microsoft's Virtual Private Network. In addition, ESP is supported as an EFT feature.
- Multi-service outbound permits or denies access to either TCP or UDP ports.
- Support for network configuration via a TFTP server so you can retrieve a configuration across the network or store it. The configuration is sent in clear text and is, therefore, less secure than other configuration methods.
- Command line editing capability that lets you display the last 10 lines entered and call back and edit any of those lines.
- Support for communications between Oracle SQL*Net clients and servers through the firewall. This is implemented in the conduit command.
- PCI DES hardware support (as EFT).
- Additional command changes (refer to "Version 4.1 Command Changes").
- All passwords, keywords, and text strings can now be specified in uppercase and lowercase.
- Improved command line help that provides much better error messages and access to the help mechanism from any part of a command.
- Documentation changes--the following changes occurred in the documentation:
- The PIX Firewall Installation Guide and the PIX10000 Installation Guide are now combined into the single document entitled, Installing PIX Firewall Series Version 4.1.
- The PIX Firewall Series Configuration Guide was rewritten and reduced in pages to provide improved command access, substantially more configuration information, and better introductory information.
- The former Cisco PIX Firewall Configuring and Troubleshooting Quick Reference Card was renamed as the PIX Firewall Series Quick Reference Card and revised to add changes for the optional third network interface.
The following changes occurred in the PIX Firewall command set:
- New commands have been added:
- clear xlate clears the contents of the translation slots.
- history lets you display the last 10 commands entered.
- nameif lets you name each network interface and assign it a security level. The default interface names are inside and outside.
- pager lets you enable or disable screen paging; when paging is enabled, the More prompt appears after 24 lines are displayed to pause the display.
- show serial lets you view the PIX Firewall serial number (BIOS ID).
- tftp-server lets you specify the path for a configuration file on a TFTP server that you can use to retrieve or store a configuration across the network.
- Old commands were removed:
- lnko, no lnko, and show lnko let you add, remove, or view a Private Link connection to a version 2 PIX Firewall running Private Link.
- lnkopath, clear lnkopath, no lnkopath, and show lnkopath let you add, remove, or show the path to a foreign version 2 Private Link PIX Firewall.
- show actkey let you view the activation key and the number of connections.
- Existing commands were improved:
- To handle third interface changes, you can now optionally specify an interface name for the following commands: alias, apply, conduit, global, mailhost, nat, and static. For each of these commands, the interface name must be enclosed in parentheses.
- For any command that previously accepted an interface name, you must specify an interface name and you can now specify the name of the third interface. These commands are: arp, ip address, mtu, ping, rip, and route. For these commands, the interface name must not be enclosed in parentheses. The interface command has new syntax in which the inside and outside keywords are no longer supported; these keywords continue to work to provide backward compatibility for existing configurations, but they will be removed from interface in a future release.
- The established command now has the permitto and permitfrom options.
- The nat and static commands now support the norandomseq option, which disables randomization of the TCP/IP packet sequence numbers. This lets the PIX Firewall interact with applications that also randomize the sequence numbers. Note that use of the norandomseq option opens a security hole in the PIX Firewall.
- The TFTP configuration feature adds the new net option to the configure and write commands, which lets you specify the path to the network configuration file as defined by the tftp-server command.
- The snmp-server command now has the community option that lets you specify a community string. A community string is an encryption key of up to 32 characters shared between the PIX Firewall and the SNMP server.
The following usage notes apply to all PIX Firewall version 4 releases:
- PIX Firewall takes 75 seconds to respond to ARP requests from an Ascend Pipeline router.
- PIX Firewall now encrypts passwords in the configuration when you use a write command to view or store the configuration. If you change a PIX Firewall password, write the new password down and store it in accordance with your site's security policy.
- The meanings for the xlate flags are as follows:

| Translation Slot (xlate) Flag | Description |
|---|---|
| a | Passive mode FTP detected on inbound connection. |
| A | Passive mode FTP detected on outbound connection. |
| B | Inbound-only connection. |
| d | Marked to be dumped (cleaned up). |
| f | Expecting a fragmented IP packet. |
| h | HTTP connection. |
| i | Port address translation ICMP echo. |
| I | Identity connection. The identity feature is started with the nat 0 command. |
| N | Network static xlate. |
| n | The IP packet sequence number has not been randomized. This occurs when the norandomseq option is used with the nat and the static commands. |
| o | FTP port command received on an outbound connection. |
| O | Port-out received. |
| p | Port-in transmitted. |
| P | Port-out transmitted. |
| r | Port address translation (PAT) xlate. |
| s | Connection uses a static. |
| S | SMTP connection. |
| v | Passive mode FTP started. |
- For the outbound command, do not mix the permit, deny, and except options in a single outbound list. If you use the except option, use it only with a single permit statement or with a single deny statement, but not with both deny and permit statements.
- If you use the nat 0 command (the PIX Firewall identity feature), the IP addresses on the inside and outside interfaces have to be on different subnets.
- If you are using DHCP to configure IP addresses for the hosts on the inside network, the DHCP server must provide the IP address, netmask, and gateway (default route) IP address. The default route must point to the PIX Firewall, either directly or via a router.
- The Java applet blocking feature removes applets that come into the HTTP port. The PIX Firewall removes applets containing a Java signature anywhere in the message, but does not remove applets encapsulated in some archive files. Legitimate, non-Java files with Java signatures are also blocked.
- Configurations greater than 400 lines cannot be accessed with the PIX Firewall console HTML management interface.
- When the aaa command is enabled, users must first be authenticated by visiting another site before they can access MS-IIS sites.
- When you create an internal network, we recommend that you use one of the following address groups reserved by the Network Working Group (RFC 1918) for use with private network addressing:
- Class A: 10.1.1.1 to 10.254.254.254
- Class B: 172.16.1.1 to 172.31.254.254
- Class C: 192.168.1.1 to 192.168.254.254
- Before downgrading from version 4 to version 3:
Step 1 Use the show config command to view the encrypted form of the privileged mode password. You must enter the text representation of the encrypted password in version 3 to access privileged mode.
Step 2 Remove the aaa commands from your configuration.
Step 3 Reload version 3 software.
Step 4 Add the appropriate auth commands back in.
You can use the following guidelines to interpret SYSLOG messages:
- "laddr" indicates a local IP address, "gaddr" indicates a global IP address, and "faddr" indicates a foreign IP address. A local IP address is an untranslated IP address on the internal, protected interface. A global IP address is a translated IP address in the pool of global addresses created by the global, static, or mailhost commands. A foreign IP address is an untranslated IP address on the external, unprotected interface.
- The "due to DNS response" message in a deny statement means that the PIX Firewall DNS Guard feature is in effect and the message indicates slow response from the DNS server. When the response is slow, the PIX Firewall sends a second DNS inquiry, the first returns, and the second gets denied and logged.
Because the http command will be removed in the near future, the information is provided in these release notes and not in the PIX Firewall Series Configuration Guide.
Note The HTML Configuration Manager has not been updated for the third interface changes and may provide unexpected information displays.
The PIX Firewall provides a graphical user interface to help simplify configuration tasks.
Once you have specified the network interface speed and IP addresses, you need to enter two additional commands and you can then use a network browser, such as Netscape Navigator, to complete the configuration. You can have up to 16 simultaneous HTTP console sessions.
Use the http command (described in the next section) to give access to a workstation and ensure that the firewall has an IP address other than the default 0.0.0.0 value.
To access the PIX Firewall from a network browser:
Step 1 At your workstation, start a network browser.
Step 2 Open a URL and specify the IP address of the PIX Firewall's inside IP address.
Step 3 The network browser then prompts you for a user name and password. Always use admin for the user name and enter the password you specified with the passwd command. The default password is cisco.
The main configuration screen then appears. You can then configure information as needed.
Provide or remove access to the PIX Firewall console HTML management interface. (Privileged mode.)
[no] http ip_address [netmask]
clear http ip_address [netmask]
show http
Syntax Description
| Parameter | Description |
|---|---|
| ip_address | IP address of systems on the inside of the PIX Firewall that are able to access the PIX Firewall HTML management interface. |
| netmask | Network mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of ip_address. |
Usage Guidelines
The http command lets an IP address access the PIX Firewall console HTML management interface. Use no http or clear http to disable management interface access. Use show http to list the information you entered. Up to 16 HTTP console sessions can be simultaneously active.
When you start the web browser, specify the IP address of the firewall in the Go to field or the Open URL field. You must have previously given the firewall an IP address and default route. In addition, if the computer on which you run the browser is directly connected to the PIX Firewall, the computer must be on the same subnet as the firewall.
If the browser displays an error message stating "Document contains no data," the http command has not been used to give that computer access to the firewall.
Note You must use the http command before you can use the PIX Firewall HTML network browser configuration capability. The HTTP user name is admin and the default password is cisco. The user name cannot be changed.
Example
pixfirewall(config)# http 192.168.42.42
pixfirewall(config)# show http
192.168.42.42 255.255.255.255*
The following bugs have been fixed in version 4 to date:
- Use of the alias command no longer requires adding an A record to the DNS zone file. The PIX Firewall now intercepts DNS queries for aliased IP addresses, resolves the query and sends out the packet with the correct source address. [CSCdj12006 - fixed in version 4.0.5]
- A nat global that was reused as a PAT global mysteriously appeared in a PAT nat combination. [CSCdj17286 - fixed in version 4.0.6]
- The PIX Firewall now responds to ARP requests from Windows 95 and Windows NT without requiring the ARP timeout duration to be less than 10 seconds. [CSCdj18176 - fixed in version 4.0.5]
- The PIX Firewall reuses ports properly. [CSCdj18256 - fixed in version 4.0.5]
- The aaa authentication command allows an r-shell (rsh) stderr connection. [CSCdj18320 - fixed in version 4.0.5]
- After one use of PIX Firewall's ping on a PAT (port address translation) IP address, all translated packets were returned with CRC errors. [CSCdj18776 - fixed in version 4.0.6]
- The PIX Firewall Token-Ring interfaces now work correctly with an IBM 2210 router. [CSCdj19036 - fixed in version 4.0.5]
- Port numbers higher than 34463 are now permitted in the outbound command. [CSCdj19040 - fixed in version 4.0.5]
- Outbound pings via PAT to Cisco routers did not work. [CSCdj19227 - fixed in version 4.0.6]
- The firewall now works correctly with the AMD flash memory chip. [CSCdj19302 - fixed in version 4.0.5]
- Data connections from repeated chained FTP sessions are no longer denied. [CSCdj19369 - fixed in version 4.0.5]
- Use of FTP during an FTP session now uploads the timeout value. [CSCdj20000 - fixed in version 4.0.5]
- The aaa authorization command now handles access denials consistently. [CSCdj21400 - fixed in version 4.0.5]
- User-authenticated FTP now works to cco.cisco.com or to any other sites that return multiline responses for the FTP user command. [CSCdj21914 - fixed in version 4.0.5]
- The PIX Firewall no longer causes buffer overruns and crashes accordingly. [CSCdj22151 - fixed in version 4.0.5]
- Private Link now resets reliably on the PIX10000. [CSCdj22235 - fixed in version 4.0.5]
- The PIX Firewall now allows auto sensing as long as the interface board is capable of handling this feature. [CSCdj22282 - fixed in version 4.0.5]
- The alias command now works with different network classes. [CSCdj23209 - fixed in version 4.0.5]
- Use of failover caused PIX Firewall to crash. [CSCdj23886 - fixed in version 4.0.6]
- When the primary authentication server failed and when the PIX Firewall switched to the next authentication server, the firewall failed and rebooted. [CSCdj24669 - fixed in version 4.0.6]
- When use of the show xlate command caused the More prompt to appear, the PIX Firewall stalled all connections. This was stated to be fixed in version 4.0.5, but reappeared. [CSCdj25664 - fixed in version 4.0.6]
- DNS would not resolve PAT addresses and returned an error stating that the DNS response was denied. [CSCdj26291 - fixed in version 4.0.6]
- Use of NFS over PAT did not work. [CSCdj26812 - fixed in version 4.0.6]
- PAT did not work when IP fragmenting was in effect. [CSCdj26968 - fixed in version 4.0.6]
- RADIUS authentication only worked during one session; subsequent sessions failed. [CSCdj27403 - fixed in version 4.0.6]
- The first attempt to deny inbound TACACS+ Telnet authorization did not work. [CSCdj27404 - fixed in version 4.0.6]
- HTTP did not reprompt when a password was not provided. [CSCdj27405 - fixed in version 4.0.6]
- The aaa authentication except command did not work. [CSCdj27407 - fixed in version 4.0.6]
- The show uauth command did not display all available information. [CSCdj27408 - fixed in version 4.0.6]
- When using failover, the secondary PIX Firewall would reboot every 100 minutes. The show block command would show a leakage in 80-byte blocks. [CSCdj31210 - fixed in version 4.0.7]
- Use of the nat 0 command caused translation slots ("xlates") to be exhausted. SYSLOG would report a message stating that the PIX Firewall was out of xlates. [CSCdj31212 - fixed in version 4.0.7]
- PIX Firewall would hang intermittently triggering the watchdog timer. This same error caused the PIX Firewall to reboot each time the xlate table was cleared. A crash dump showed the "clean-xlate" thread to be in an active state in the show process output. [CSCdj32394 - fixed in version 4.0.7]
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
- WWW: http://www.cisco.com
- WWW: http://www-europe.cisco.com
- WWW: http://www-china.cisco.com
- Telnet: cco.cisco.com
- Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
