PIX Firewall Series Version 4.1.3
Release Notes

October 30, 1997

Cisco's PIX Firewall provides firewall and network translation services.

The following topics are covered in these release notes:

Cisco provides PIX Firewall technical tips at:

http://www.cisco.com/warp/public/110/index.shtml

Additional information about PIX Firewall is available at:

http://www.cisco.com/pix

Important Notes

This section contains critically important information.

Note Before installing version 4.1 from 4.0, save your configuration on floppy disk and write down your license activation key value. You must have a copy of your activation key number to restore a previous version from floppy disk.

Note To install and configure the PIX Firewall Manager, refer to the PIX Firewall Manager
Version 4.1 Release Notes included in the PIX Firewall accessory kit.

Note PIX Firewall only supports configuration upgrades from version 4.0.x.

Note RADIUS is only supported for authentication and not for authorization.

Note The HTML Configuration Manager is being obsoleted in a future release and has not been updated for use with the version 4.1 third interface feature. If your PIX Firewall has two network interfaces, it will work correctly.

Usage Notes

The following section contains information required to effectively use PIX Firewall:

Passwords are now case-sensitive. The default Telnet password is cisco. There is no default password for privileged mode; just press Enter at the Password prompt. PIX Firewall now encrypts passwords in the configuration when you issue a write command to view or store the configuration. If you change a PIX Firewall password, write the new password down and store it in accordance with your site's security policy.
Net statics cannot be pinged from the outside. If statics need to be pinged, declare them individually.
IP addresses on the inside and outside interfaces have to be on different subnets.
Only one port address translation (PAT) global statement is permitted in a configuration.
The console serial cable must be a null modem cable.
Net statics take precedence over use of the nat 1 0 0 and global command pair. This means that nat 1 0 0 only grants outbound access to hosts not specified in the net static statement.
The aaa authorization command syntax was incorrect in the early version 4.1 documentation. The IP address from which authorization originates is shown as the dest_ip parameter but should be source_ip.
The PIX Firewall Mail Guard feature is compliant with the RFC 1651 EHLO command as well as the RFC 821 section 4.5.1 commands.
PIX Firewall takes 75 seconds to respond to ARP requests from an Ascend Pipeline router.
Ethernet network interface cards support both half and full duplex transmissions.
Failover cables can now be constructed or you can purchase the cable from Cisco. The pin outs are as follows:

Primary	Secondary
1	10
2	3
3	2
4, 11, 12	6 (at Primary, pins 4, 11, and 12 are connected inside the cable)
5	5, 12 (at Secondary, pins 5 and 12 are connected inside the cable)
6	4, 11 (at Secondary, pins 4 and 11 are connected inside the cable)
9	14
10	1
14	9

: Primary pins 7, 8, and 13 are not used.

Console null modem cables can now be constructed. The pin outs are as follows:

J1 (DB-9) Pins	J2 (DB-25) Pins
1	not used
2	2
3	3
4	6
5	7
6	20
7	5
8	4
9	not used

For the outbound command, do not mix the permit, deny, and except options in a single outbound list. If you use the except option, use it only with a single permit statement or with a single deny statement, but not with both deny and permit statements.
If you are using DHCP to configure IP addresses for the hosts on the inside network, the DHCP server must provide the IP address, netmask, and gateway (default route) IP address. The default route must point to the PIX Firewall, either directly or via a router.
The Java applet blocking feature removes applets that come into the HTTP port. The PIX Firewall removes applets containing a Java signature anywhere in the message, but does not remove applets encapsulated in some archive files. Legitimate, non-Java files with Java signatures are also blocked.
Configurations longer than 400 lines cannot be accessed with the PIX Firewall console HTML management interface.
When the aaa command is enabled, before users can access MS-IIS sites, they must visit other sites to be authenticated before the MS-IIS sites can be accessed.
When you create an internal network, we recommend you use one of the following address groups reserved by the Network Working Group (RFC 1918) for private network addressing:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
Before downgrading from version 4 to version 3:

Step 1 Use the show config command to view the encrypted form of the privileged mode password.

Step 2 Enter the text representation of the encrypted password in version 3 to access privileged mode.

Step 3 Remove the aaa commands from your configuration.

Step 4 Reload version 3 software.

Step 5 Add the appropriate auth commands back in.

Bug Fixes

The following bugs have been fixed in version 4:

CSCdj Bug Number	Description	Fixed in Release
52620	The show xlate command now works with the pager command.	4.1.3
51732	PIX Firewall no longer requires all Intel 10/100 interfaces for use with the third interface feature.	4.1.3
51100	The conduit command now permits literals for port and protocol parameters.	4.1.3
50247	Telnet no longer crashes when the space bar is pressed for 60 seconds or longer.	4.1.3
50133	SYSLOG messages are now sent correctly to the SYSLOG server.	4.1.3
48329	Prior to version 4.1.3, outbound FTP did not work after aaa authentication was started for HTTP or Telnet. For example, after entering the following command, outbound FTP would be inoperable: `aaa authentication http outbound 0 0 tacacs+` For previous versions, FTP can be made to work by enabling outbound user authentication for FTP connections: `aaa authentication ftp outbound 0 0 tacacs+`	4.1.3
46403	Inbound Telnet TN5250 sessions no longer display garbled characters on the first attempt at user authentication.	4.1.3
44848	Private Link over Token Ring no longer forces a reboot.	4.1.3
44209	Use of a host address containing a zero in the last octet(s) used with the static command no longer causes PIX Firewall to crash and display the message "Assert failure." For example, failure occurred when a static command contained an address like 10.1.1.0 which is a Class A address but being used as a host address.	4.1.3
42187	PIX Firewall now works correctly when a Windows 95 client copies a NetBIOS SMB file across Private Link.	4.1.3
42149	PIX Firewall now sends SYSLOG messages correctly.	4.1.3
42111	PIX Firewall now handles multiple inbound user authorization requests.	4.1.3
41919	SNMP traps are now sent correctly.	4.1.3
41735	PIX Firewall now logs valid Telnet logins via SYSLOG.	4.1.2
41550	Telnet to PIX Firewall console no longer stalls the Telnet session.	4.1.3
41161	PIX Firewall formerly hung after user authentication proxy failures when the requested server did not exist.	4.1.2
38612 and 37411	PIX Firewall formerly hung on a Telnet console disconnect when the syslog console command was used.	4.1.2
36920	Net statics now take precedence over use of the nat 1 0 0 and global command pair. This means that nat 1 0 0 only grants outbound access to hosts not specified in the net static command.	4.1.2
33461	PIX Firewall previously dropped ICMP exceed messages generated by the routers on the outside. This caused ping requests to fail.	4.1.2
33164	PIX Firewall no longer reboots after running 100 minutes.	4.1.2
32982	Net statics with a variable subnet mask caused ambiguous results.	4.1.2
32394	PIX Firewall would hang intermittently triggering the watchdog timer. This same error caused the PIX Firewall to reboot each time the xlate table was cleared. A crash dump showed the "clean-xlate" thread to be in an active state in the show process output.	4.0.7
31673	Outbound FTP through an alias address created by port address translation did not work.	4.1.2
31212	Use of the nat 0 command caused PIX Firewall to run out of translation slots (called "xlates").	4.1.2 and 4.0.7
31210	When using failover, the secondary PIX Firewall would reboot every 100 minutes. The show block command would show a leakage in 80-byte blocks.	4.0.7
30955	User authorization for Telnet sessions now works correctly.	4.1.3
30254	Private Link over Token Ring no longer forces a reboot.	4.1.3
30226	Use of the conduit command for PPTP protocol (a subset of the GRE protocol) requires that you create two conduit statements, one for port 1723 and the other for GRE. For example: `conduit (inside, outside) global_ip 1723 tcp foreign_ip mask` `conduit (inside, outside) global_ip 0 gre foreign_ip mask`	4.1.2
27408	The show uauth command did not display all available information.	4.0.6
27407	The aaa authentication except command did not work.	4.0.6
27405	HTTP did not reprompt when a password was not provided.	4.0.6
27404	The first attempt to deny inbound TACACS+ Telnet authorization did not work.	4.0.6
27403	RADIUS authentication only worked during one session; subsequent sessions failed.	4.0.6
26968	PAT now works when IP fragmenting is in effect.	4.0.6
26812	NFS over PAT now works correctly.	4.0.6
26291	DNS would not resolve PAT addresses and returned an error stating that the DNS response was denied.	4.0.6
24669	When the primary authentication server failed and when the PIX Firewall switched to the next authentication server, the firewall failed and rebooted.	4.0.6
23886	Use of failover no longer causes PIX Firewall to crash.	4.0.6
23209	The alias command now works with different network classes.	4.0.5
22282	The PIX Firewall now allows auto sensing as long as the interface board is capable of handling this feature.	4.0.5
22235	Private Link now resets reliably on the PIX10000.	4.0.5
22151	The PIX Firewall no longer causes buffer overruns and crashes accordingly.	4.0.5
21914	User-authenticated FTP now works to cco.cisco.com or to any other sites that return multiline responses for the FTP user command.	4.0.5
21400	The aaa authorization command now handles access denials consistently.	4.0.5
20000	Use of FTP during an FTP session now uploads the timeout value.	4.0.5
19369	Data connections from repeated chained FTP sessions are no longer denied.	4.0.5
19306	The PIX Firewall Token-Ring interfaces now work correctly with an IBM 2210 router.	4.0.5
19302	The firewall now works correctly with the AMD flash memory chip.	4.0.5
19227	Outbound pings via PAT to Cisco routers did not work.	4.0.6
19040	Port numbers higher than 34463 are now permitted in the outbound command.	4.0.5
18776	After one use of PIX Firewall's ping on a PAT (port address translation) IP address, all translated packets were returned with CRC errors.	4.0.6
18320	The aaa authentication command allows an r-shell (rsh) stderr connection.	4.0.5
18256	The PIX Firewall reuses ports properly.	4.0.5
18176	PIX Firewall now responds to ARP requests from Windows 95 and Windows NT without requiring the ARP timeout duration to be less than 10 seconds.	4.0.5
17286	A nat global that was reused as a PAT global mysteriously appeared in a PAT nat combination.	4.0.6
16468	PIX Firewall formerly did not check for excessive command line arguments.	4.1.2
15384	Intel 10/100 interface cards now boot up and respond to ARP requests faster than the previous performance of 75 seconds.	4.1.2
12006	Use of the alias command no longer requires adding an A record to the DNS zone file. The PIX Firewall now intercepts DNS queries for aliased IP addresses, resolves the query and sends out the packet with the correct source address.	4.0.5

Features

Version 4.1 contains the following features:

Version 4.1.3 fixes bugs from previous versions and introduces a change to the aaa command (described in "Command Changes").
Version 4.1.2 introduced a new set of options for the static command and fixed bugs from previous PIX Firewall versions. Refer to the PIX Firewall Series Configuration Guide for details on the static command.
30% to 50% faster throughput.
Support for three network interfaces.
Multi-service conduits let you create conduits with the UDP, TCP, and PPTP service types. PPTP enables support for Microsoft's Virtual Private Network. In addition, ESP is supported as an EFT feature.
Multi-service outbound permits or denies access to either TCP or UDP ports.
Support for network configuration via a TFTP server so you can retrieve a configuration across the network or store it. The configuration is sent in clear text and is, therefore, less secure than other configuration methods.
Command line editing capability that lets you display the last 10 lines entered and to call back and edit any of those lines.
Support for communications between Oracle SQL*Net clients and servers through the firewall. This is implemented in the conduit command.
PCI DES hardware support (as EFT).
Additional command changes (refer to "Command Changes").
All passwords, keywords, and text strings can now be specified in uppercase and lowercase.
Improved command line help that provides much better error messages and access to the help mechanism from any part of a command.
Documentation changes--the following changes occurred in the documentation:
- The PIX Firewall Installation Guide and the PIX10000 Installation Guide are now combined into the single document entitled, Installing PIX Firewall Series Version 4.1.
- The PIX Firewall Series Configuration Guide was rewritten and reduced in pages to provide improved command access, substantially more configuration information, and better introductory information.
- The former Cisco PIX Firewall Configuring and Troubleshooting Quick Reference Card was renamed as the PIX Firewall Series Quick Reference Card and revised to add changes for the optional third network interface.

Command Changes

The following changes to the PIX Firewall command set occurred between version 4.0 and 4.1.

New Commands

The following commands were added to the command set:

clear xlate clears the contents of the translation slots.
history lets you display the last 10 commands entered.
nameif lets you name each network interface and assign it a security level. The default interface names are inside and outside.
pager lets you enable or disable screen paging where after 24 lines displays, the More prompt appears to pause the display.
show serial lets you view the PIX Firewall serial number (BIOS ID).
tftp-server lets you specify the path for a configuration file on a TFTP server that you can use to retrieve or store a configuration across the network.

Command Changes

The following command changes occurred:

To handle third interface changes, you can now optionally specify an interface name for the following commands: alias, apply, conduit, global, mailhost, nat, and static. For each of these commands, the interface name MUST be enclosed in parentheses.
For any command that previously accepted an interface name, you must specify an interface name and you can now specify the name of the third interface. These commands are: arp,
ip address, mtu, ping, rip, and route. For these commands, the interface name
MUST NOT be enclosed in parentheses. The interface command now has new syntax so that specifying inside and outside are no longer supported, but these parameters will continue to work to provide backward compatibility for existing configurations. The inside and outside parameters will be removed from interface in a future release.
The established command now has the permitto and permitfrom options.
The nat and static commands now support the norandomseq option, which lets you not randomize the TCP/IP packet sequence numbers. This lets the PIX Firewall interact with applications that also randomize the sequence numbers. Note that use of the norandomseq option opens a security hole in the PIX Firewall.
The TFTP configuration feature has added the new net option to the configure and write commands that let you specify the path to the network configuration file as defined by the tftp-server command.
The snmp-server command now has the community option that lets you specify a community string. A community string is a encryption key of up to 32-characters shared between the PIX Firewall and the SNMP server.
The syntax for the aaa command has been changed as follows:

aaa authentication service inbound|outbound local_ip mask tacacs+|radius no aaa authentication [service inbound|outbound local_ip mask tacacs+|radius] aaa authentication except inbound|outbound local_ip mask tacacs+|radius no aaa authentication except [inbound|outbound local_ip mask tacacs+|radius] aaa authorization service inbound| outbound local_ip mask no aaa authorization [service inbound| outbound local_ip mask]

: This is the same as in version 4.0 and later with the addition of the except option and clarification that local_ip can only be a host on the inside network. For inbound connections, local_ip is the inside host to which access is sought. For outbound connections, local_ip is the inside host from which the connection originates.

Removed Commands

The following commands were removed:

lnko, no lnko, and show lnko let you add, remove, or view a Private Link connection to a version 2 PIX Firewall running Private Link.
lnkopath, clear lnkopath, no lnkopath, and show lnkopath let you add, remove, or show the path to a foreign version 2 Private Link PIX Firewall.
show actkey let you view the activation key and the number of connections.

Troubleshooting

You can use the following guidelines to interpret SYSLOG messages:

"laddr" indicates a local IP address, "gaddr" indicates a global IP address, and "faddr" indicates a foreign IP address. A local IP address is an untranslated IP address on the internal, protected interface. A global IP address is a translated IP address in the pool of global addresses created by the global, static, or mailhost commands. A foreign IP address is an untranslated IP address on the external, unprotected interface.
The "due to DNS response" message in a deny statement means that the PIX Firewall DNS Guard feature is in effect and the message indicates slow response from the DNS server. When the response is slow, the PIX Firewall sends a second DNS inquiry, the first returns, and the second gets denied and logged.

Future Command Obsolescence

This section lists commands that will be removed in future releases.

Because the http command will be removed in the near future, the information is provided in these release notes and not in the PIX Firewall Series Configuration Guide.

Note The HTML Configuration Manager has not been updated for the third interface changes and may provide unexpected information displays.

Configuring with the HTML Configuration Manager

The PIX Firewall provides a graphical user interface to help simplify configuration tasks.

Once you have specified the network interface speed and IP addresses, you need to enter two additional commands and you can then use a network browser, such as Netscape Navigator, to complete the configuration. You can have up to 16 simultaneous HTTP console sessions.

Use the http command (described in the next section) to give access to a workstation and ensure that the firewall has an IP address other than the default 0.0.0.0 value.

To access the PIX Firewall from a network browser:

Step 1 At your workstation, start a network browser.

Step 2 Open a URL and specify the IP address of the PIX Firewall's inside IP address.

Step 3 The network browser then prompts you for a user name and password. Always use admin for the user name and enter the password you specified with the passwd command. The default password is cisco.

The main configuration screen then appears. You can then configure information as needed.

http command

Provide or remove access to the PIX Firewall console HTML management interface. (Privileged mode.)

[no] http ip_address [netmask] clear http ip_address [netmask] show http

Syntax Description

ip_address	IP address of systems on the inside of the PIX Firewall that are able to access the PIX Firewall HTML management interface.
netmask	Network mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of ip_address.

Usage Guidelines

The http command lets an IP address access the PIX Firewall console HTML management interface. Use no http or clear http to disable management interface access. Use show http to list the information you entered. Up to 16 HTTP console sessions can be simultaneously active.

When you start the web browser, specify the IP address of the firewall in the Go to field or the Open URL field. You must have previously given the firewall an IP address and default route. In addition, if the computer on which you run the browser is directly connected to the PIX Firewall, the computer must be on the same subnet as the firewall.

If the browser displays an error message stating "Document contains no data," the http command has not been used to give that computer access to the firewall.

Note You must use the http command before you can use the PIX Firewall HTML network browser configuration capability.

The HTTP user name is admin and the default password is cisco. The user name cannot be changed.

Example

pixfirewall(config)# http 192.168.42.42
pixfirewall(config)# show http
                    192.168.42.42 255.255.255.255*

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can access CCO in the following ways:

WWW: http://www.cisco.com
WWW: http://www-europe.cisco.com
WWW: http://www-china.cisco.com
Telnet: cco.cisco.com
Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.

For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.

Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.

CD-ROM Documentation

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more up to date than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar, select Documentation, and click Enter the feedback form. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.

Table of Contents