PIX Firewall Series Version 4.1.4
Release Notes

January 1998

Cisco's PIX Firewall provides firewall and network translation services.

The following topics are covered in these release notes:

Cisco provides PIX Firewall technical tips at:

http://www.cisco.com/warp/public/110/index.shtml

Additional information about PIX Firewall is available at:

http://www.cisco.com/pix

Important Notes

This section contains critically important information.

Note PIX Firewall does not support a configuration with three Token Ring interfaces.

Note Before installing version 4.1 from 4.0, save your configuration on floppy disk and write down your license activation key. You must have a copy of your activation key to restore a previous version from floppy disk.

Note To install and configure the PIX Firewall Manager, refer to the PIX Firewall Manager
Version 4.1 Release Notes included in the PIX Firewall accessory kit.

Note PIX Firewall only supports configuration upgrades from version 4.0.x.

Note RADIUS is only supported for authentication and not for authorization.

Note The HTML Configuration Manager is being obsoleted in a future release and has not been updated for use with the version 4.1 third interface feature. If your PIX Firewall has two network interfaces, it will work correctly.

Usage Notes

The following section contains information required to use PIX Firewall:

Two conduit statements are required for establishing access to the following services: DNS, ident, NTP, PPTP, RPC, and SNMP. Each service, except for PPTP, requires one conduit for TCP and one for UDP. For DNS, you only need a TCP conduit if you are receiving zone updates. For PPTP, the two conduit statements you need are:

conduit (inside, outside) global_ip 1723 tcp foreign_ip mask
conduit (inside, outside) global_ip 0 gre foreign_ip mask

Passwords and SNMP text strings are now case sensitive. The default Telnet password is cisco. There is no default password for privileged mode; just press Enter at the Password prompt. PIX Firewall now encrypts passwords in the configuration when you issue a write command to view or store the configuration. If you change a PIX Firewall password, write the new password down and store it in accordance with your site's security policy.
Net statics cannot be pinged from the outside.
IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX Firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP that consistently fails. For example, if a global IP address is 204.31.17.1 and the domain for the PIX Firewall is pix.newoaks.com, the PTR record would be:

1.17.31.204.in-addr.arpa. IN PTR pix.newoaks.com

If the user name or password on the authentication database differs from the user name or password on the remote host to which you are using FTP to access, enter the user name and password in these formats:

authentication_user_name@remote_system_user_name
authentication_password@remote_system_password

: This usage only works on the first authentication with RADIUS. Subsequent authentications cause the user to be prompted for each user name and password.

IP addresses on the inside and outside (and perimeter) interfaces must be on different subnets if you use the same IP address range on all interfaces.
Failover is not supported in a switched environment.
Only one port address translation (PAT) global statement is permitted per external network interface. If you have two network interfaces for internal and external networks, one PAT global statement is permitted. If you have an additional perimeter interface, you can have a PAT global statement for that interface.
Net statics take precedence over use of the nat 1 0 0 and global command pair. This means that nat 1 0 0 only grants outbound access to hosts not specified in the net static statement.
The aaa authorization command syntax was incorrect in the early version 4.1 documentation. The IP address from which authorization originates is shown as the dest_ip parameter but should be source_ip.
The PIX Firewall Mail Guard feature is compliant with the RFC 1651 EHLO command as well as the RFC 821 section 4.5.1 commands.
PIX Firewall takes 75 seconds to respond to ARP requests from an Ascend Pipeline router.
Ethernet network interface cards support both half and full duplex transmissions.
Failover cables can now be constructed or you can purchase the cable from Cisco. The pin outs are as follows:

Primary	Secondary
1	10
2	3
3	2
4, 11, 12	6 (at Primary, pins 4, 11, and 12 are connected inside the cable)
5	5, 12 (at Secondary, pins 5 and 12 are connected inside the cable)
6	4, 11 (at Secondary, pins 4 and 11 are connected inside the cable)
9	14
10	1
14	9

: Primary pins 7, 8, and 13 are not used.

The console serial cable must be a null modem cable. The pin outs are as follows:

J1 (DB-9) Pins	J2 (DB-25) Pins
1	not used
2	2
3	3
4	6
5	7
6	20
7	5
8	4
9	not used

For the outbound command, do not mix the permit, deny, and except options in a single outbound list. If you use the except option, use it only with a single permit statement or with a single deny statement, but not with both deny and permit statements.
If you are using DHCP to configure IP addresses for the hosts on the inside network, the DHCP server must provide the IP address, netmask, and gateway (default route) IP address. The default route must point to the PIX Firewall, either directly or via a router.
The Java applet blocking feature removes applets that come into the HTTP port. The PIX Firewall removes applets containing a Java signature anywhere in the packet, but does not remove applets encapsulated in some archive files. Legitimate, non-Java files with Java signatures are also blocked.
Configurations longer than 400 lines cannot be accessed with the PIX Firewall console HTML management interface.
When the aaa command is enabled, before users can access MS-IIS sites, they must visit other sites to be authenticated before the MS-IIS sites can be accessed.
When you create an internal network, we recommend you use one of the following address groups reserved by the Network Working Group (RFC 1918) for private network addressing:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
The alias command requires that the DNS server be on the outside network. There must be an A (address) record in the DNS zone file for the internal "dnat" address in the alias command.
The maximum size for a configuration in the older 512 KB flash memory units is 100 KB. Use the UNIX wc command or a Windows word processing program, such as Microsoft Word, to view the number of characters in the configuration.
Before downgrading from version 4 to version 3:

Step 1 Use the show config command to view the encrypted form of the privileged mode password.

Step 2 Enter the text representation of the encrypted password in version 3 to access privileged mode.

Step 3 Remove the aaa commands from your configuration.

Step 4 Reload version 3 software.

Step 5 Add the appropriate auth commands back in.

Documentation Errata

The following documentation errors exist:

PIX Firewall Series Configuration Guide:

Item	Description
Table 3-1	The recommended RFC 1918 IP address groups should be: Class A: 10.0.0.0 to 10.255.255.255 Class B: 172.16.0.0 to 172.31.255.255 Class C: 192.168.0.0 to 192.168.255.255
conduit command page	The statement that if you exceed 4,096 conduits, you need to upgrade to the 2 MB flash memory should actually read that if the configuration exceeds 100 KB, you should upgrade. Use the UNIX wc command or a Windows word processing program, such as Microsoft Word, to view the number of characters in a configuration.
interface command page	In the next to the last bullet under Usage Guidelines, the first sub bullet recommends that if a no buffer condition arises that you should reboot the PIX Firewall. In an overloaded network situation, these errors can occur and not signify a problem. Rebooting the PIX Firewall does not improve the situation. The last bullet in this section describing overrun errors should instead be in the interface problems bullet list.
mailhost command page	The reference to the clear mailhost command in the command syntax is incorrect. This command does not exist. Use the no mailhost command instead.
outbound command page	You can ignore the following statement: "Do not specify more than one outbound statement for the same outbound list because each additional command stays in the configuration."
snmp-server command page	The example for the SNMP community string incorrectly shows a string entered in lowercase with the snmp-server command being transformed into upper and lowercase with the show snmp-server command. While the SNMP community string is case sensitive, uppercase must be explicitly entered to occur.
static command page	The reference to the clear static command in the command syntax is incorrect. This command does not exist. Use the no static command instead.
timeout command page	The command description incorrectly states that TCP connection slots are freed within 30 seconds after a normal connection close sequence. Connection slots actually free after 75 seconds when a cleanup thread executes.

Bug Fixes

The following bugs have been fixed in version 4:

CSCdj Bug Number	Description	Fixed in Release
66058	Improvements in the PIX Firewall's Intel NIC driver fixed list processing and system control block problems reported against version 4.0.7.	4.1.4
63817	PIX Firewall now expires authentications correctly. The authentication duration is set with the uauth option to the timeout command. After an authentication expires, the user is reprompted for their authentication credentials when they start a new connection. The behavior in previous releases caused expired authentications to appear with the show uauth command.	4.1.4
63280	Net statics now work correctly so that parameters are no longer truncated. New syntax for the static command is shown in the PIX Firewall Series Configuration Guide.	4.1.4
63276	PIX Firewall now works correctly with two Token Ring and one Ethernet interface boards. Note: Three Token Ring boards are not supported.	4.1.4
61138	PIX Firewall now correctly routes packets generated on the perimeter network to their correct destination. In the past, these packets were routed to the inside network and either denied or dropped.	4.1.4
58092	PIX Firewall now correctly authenticates users so that reauthentication is no longer required for every subordinate connection, such as when visiting additional web sites.	4.1.4
56353	PIX Firewall now correctly releases translation slots with the clean_xlate function.	4.1.4
54975	Use of Token Ring for the third interface now works correctly with all PIX Firewall motherboards.	4.1.4
52620	The show xlate command now works correctly.	4.1.4
51732	PIX Firewall no longer requires all Intel 10/100 interfaces for use with the third interface feature.	4.1.4
51100	The conduit command now permits literals for port and protocol parameters.	4.1.4
50247	PIX Firewall now lets Telnet users enter command lines greater than 160 characters.	4.1.4
50133	SYSLOG messages are now sent correctly to the SYSLOG server.	4.1.4
48329	Prior to version 4.1.4, outbound FTP did not work after aaa authentication was started for HTTP or Telnet. For example, after entering the following command, outbound FTP would be inoperable: `aaa authentication http outbound 0 0 tacacs+` For previous versions, FTP can be made to work by enabling outbound user authentication for FTP connections: `aaa authentication ftp outbound 0 0 tacacs+`	4.1.4
46403	Inbound Telnet TN5250 sessions no longer display garbled characters on the first attempt at user authentication.	4.1.4
44848 and 30254	Private Link over Token Ring no longer forces a reboot.	4.1.4
45964	Support for PPTP tunneling now works correctly.	4.1.4
44209	Use of a host address containing a zero in the last octet(s) used with the static command no longer causes PIX Firewall to crash and display the message "Assert failure." For example, failure occurred when a static command contained an address like 10.1.1.0 which is a Class A address being used as a host address.	4.1.4
42187	PIX Firewall now works correctly when a Windows 95 client copies a NetBIOS SMB file across Private Link.	4.1.4
42149	PIX Firewall now sends SYSLOG messages correctly.	4.1.4
42111	PIX Firewall now handles multiple inbound user authorization requests.	4.1.4
41919	SNMP traps are now sent correctly.	4.1.4
41735	PIX Firewall now logs valid Telnet logins via SYSLOG.	4.1.2
41550	Telnet to PIX Firewall console no longer stalls the Telnet session.	4.1.4
41161	PIX Firewall formerly hung after user authentication proxy failures when the requested server did not exist.	4.1.2
38612 and 37411	PIX Firewall formerly hung on a Telnet console disconnect when the syslog console command was used.	4.1.2
36920	Net statics now take precedence over use of the nat 1 0 0 and global command pair. This means that nat 1 0 0 only grants outbound access to hosts not specified in the net static command.	4.1.2
33461	PIX Firewall previously dropped ICMP exceed messages generated by the routers on the outside. This caused ping requests to fail.	4.1.2
33164	PIX Firewall no longer reboots after running 100 minutes.	4.1.2
32982	Net statics with a variable subnet mask caused ambiguous results.	4.1.2
32394	PIX Firewall would hang intermittently triggering the watchdog timer. This same error caused the PIX Firewall to reboot each time the xlate table was cleared. A crash dump showed the "clean-xlate" thread to be in an active state in the show process output.	4.0.7
31673	Outbound FTP through an alias address created by port address translation did not work.	4.1.2
31212	Use of the nat 0 command caused PIX Firewall to run out of translation slots (called "xlates").	4.1.2 and 4.0.7
31210	When using failover, the secondary PIX Firewall would reboot every 100 minutes. The show block command would show a leakage in 80-byte blocks.	4.0.7
30955	User authorization for Telnet sessions now works correctly.	4.1.4
30226	Use of the conduit command for PPTP protocol (a subset of the GRE protocol) requires that you create two conduit statements. Refer to the "Usage Notes" for more information.	4.1.2
27408	The show uauth command did not display all available information.	4.0.6
27407	The aaa authentication except command did not work.	4.0.6
27405	HTTP did not reprompt when a password was not provided.	4.0.6
27404	The first attempt to deny inbound TACACS+ Telnet authorization did not work.	4.0.6
27403	RADIUS authentication only worked during one session; subsequent sessions failed.	4.0.6
26968	PAT now works when IP fragmenting is in effect.	4.0.6
26812	NFS over PAT now works correctly.	4.0.6
26291	DNS would not resolve PAT addresses and returned an error stating that the DNS response was denied.	4.0.6
24669	When the primary authentication server failed and when the PIX Firewall switched to the next authentication server, the firewall failed and rebooted.	4.0.6
23886	Use of failover no longer causes PIX Firewall to crash.	4.0.6
23209	The alias command now works with different network classes.	4.0.5
22282	The PIX Firewall now allows auto sensing as long as the interface board is capable of handling this feature.	4.0.5
22235	Private Link now resets reliably on the PIX10000.	4.0.5
22151	The PIX Firewall no longer causes buffer overruns and crashes accordingly.	4.0.5
21914	User-authenticated FTP now works to cco.cisco.com or to any other sites that return multiline responses for the FTP user command.	4.0.5
21400	The aaa authorization command now handles access denials consistently.	4.0.5
20000	Use of FTP during an FTP session now uploads the timeout value.	4.0.5
19369	Data connections from repeated chained FTP sessions are no longer denied.	4.0.5
19306	The PIX Firewall Token-Ring interfaces now work correctly with an IBM 2210 router.	4.0.5
19302	The firewall now works correctly with the AMD flash memory chip.	4.0.5
19227	Outbound pings via PAT to Cisco routers did not work.	4.0.6
19040	Port numbers higher than 34,463 are now permitted in the outbound command.	4.0.5
18776	After one use of PIX Firewall's ping on a PAT (port address translation) IP address, all translated packets were returned with CRC errors.	4.0.6
18320	The aaa authentication command allows an r-shell (rsh) stderr connection.	4.0.5
18256	The PIX Firewall reuses ports properly.	4.0.5
18176	PIX Firewall now responds to ARP requests from Windows 95 and Windows NT without requiring the ARP timeout duration to be less than 10 seconds.	4.0.5
17286	A nat global that was reused as a PAT global mysteriously appeared in a PAT nat combination.	4.0.6
16468	PIX Firewall formerly did not check for excessive command line arguments.	4.1.2
15384	Intel 10/100 interface cards now boot up and respond to ARP requests faster than the previous performance of 75 seconds.	4.1.2
12006	The alias command now automatically makes DNS requests. The PIX Firewall now intercepts DNS queries for aliased IP addresses, resolves the query and sends out the packet with the correct source address.	4.0.5

Open Bugs

The following bugs are fixed in an internal version of PIX Firewall still undergoing testing. This version is available from Cisco Customer Support. The bugs fixed in this version are:

CSCdj Bug Number	Description
69951	The conduit command now accepts a value of 0 in the ports parameter to indicate all ports.
69950	PIX Firewall now evaluates outbound command statements by the numerical value of the number parameter instead of the order in which the commands appear in the configuration.
64928	PIX Firewall now sends an ICMP destination unreachable message when it receives a packet larger than the size set in the mtu command and when the DF (Don't Fragment) bit is set in the flags field of the IP header.
63283	PIX Firewall now displays a link protocol status bit in the show failover command output. This lets you determine if a failover is repeatedly looping on the same failover event such as when power fails or a network wire is detached from the primary or secondary unit. This bit is also used by PIX Firewall to determine if the failover has already occurred for the condition.

Features

Version 4.1 contains the following features:

Version 4.1.4 fixes bugs from previous versions and introduces a change to the aaa command (described in "Command Changes").
Version 4.1.2 introduced a new set of options for the static command and fixed bugs from previous PIX Firewall versions. Refer to the PIX Firewall Series Configuration Guide for details on the static command.
30% to 50% faster throughput.
Support for three network interfaces.
Multi-service conduits let you create conduits with the UDP, TCP, and PPTP service types. PPTP enables support for Microsoft's Virtual Private Network. In addition, ESP is supported as an EFT feature.
Multi-service outbound permits or denies access to either TCP or UDP ports.
Support for network configuration via a TFTP server so you can retrieve a configuration across the network or store it. The configuration is sent in clear text and is, therefore, less secure than other configuration methods.
Command line editing capability that lets you display the last 10 lines entered and to call back and edit any of those lines.
Support for communications between Oracle SQL*Net clients and servers through the firewall. This is implemented in the conduit command.
PCI DES hardware support (as EFT).
Additional command changes (refer to "Command Changes").
All passwords, keywords, and text strings can now be specified in uppercase and lowercase.
Improved command line help now provides more detailed error messages and access to the help mechanism from any part of a command.
Documentation changes--the following changes occurred in the documentation:
- The PIX Firewall Installation Guide and the PIX10000 Installation Guide are now combined into the single document entitled, Installing PIX Firewall and PIX10000.
- The PIX Firewall Series Configuration Guide was rewritten and reduced in pages to provide improved command access, substantially more configuration information, and better introductory information.
- The former Cisco PIX Firewall Configuring and Troubleshooting Quick Reference Card was renamed as the PIX Firewall Series Quick Reference Card and revised to add changes for the optional third network interface.

Command Changes

The following changes to the PIX Firewall command set occurred between version 4.0 and 4.1.

New Commands

The following commands were added to the command set:

clear xlate clears the contents of the translation slots.
history lets you display the last 10 commands entered.
nameif lets you name each network interface and assign it a security level. The default interface names are inside and outside.
pager lets you enable or disable screen paging where after 24 lines displays, the More prompt appears to pause the display.
show serial lets you view the PIX Firewall serial number (BIOS ID).
tftp-server lets you specify the path for a configuration file on a TFTP server that you can use to retrieve or store a configuration across the network.

Command Changes

The following command changes occurred:

To handle third interface changes, you can now optionally specify an interface name for the following commands: alias, apply, conduit, global, mailhost, nat, and static. For each of these commands, the interface name MUST be enclosed in parentheses.
For any command that previously accepted an interface name, you must specify an interface name and you can now specify the name of the third interface. These commands are: arp,
ip address, mtu, ping, rip, and route. For these commands, the interface name
MUST NOT be enclosed in parentheses. The interface command now has new syntax so that specifying inside and outside are no longer supported, but these parameters will continue to work to provide backward compatibility for existing configurations. The inside and outside parameters will be removed from interface in a future release.
The established command now has the permitto and permitfrom options.
The nat and static commands now support the norandomseq option, which lets you not randomize the TCP/IP packet sequence numbers. This lets the PIX Firewall interact with applications that also randomize the sequence numbers. Note that use of the norandomseq option opens a security hole in the PIX Firewall.
The TFTP configuration feature has added the new net option to the configure and write commands that let you specify the path to the network configuration file as defined by the tftp-server command.
The snmp-server command now has the community option that lets you specify a community string. A community string is a encryption key of up to 32-characters shared between the PIX Firewall and the SNMP server.
The syntax for the aaa command has been changed as follows:

aaa authentication service inbound|outbound local_ip mask tacacs+|radius

no aaa authentication [service inbound|outbound local_ip mask tacacs+|radius]

aaa authentication except inbound|outbound local_ip mask tacacs+|radius

no aaa authentication except [inbound|outbound local_ip mask tacacs+|radius]

aaa authorization service inbound| outbound local_ip mask

no aaa authorization [service inbound| outbound local_ip mask]

: This is the same as in version 4.0 and later with the addition of the except option and clarification that local_ip can only be a host on the inside network. For inbound connections, local_ip is the inside host to which access is sought. For outbound connections, local_ip is the inside host from which the connection originates.

Removed Commands

The following commands were removed:

lnko, no lnko, and show lnko let you add, remove, or view a Private Link connection to a version 2 PIX Firewall running Private Link.
lnkopath, clear lnkopath, no lnkopath, and show lnkopath let you add, remove, or show the path to a foreign version 2 Private Link PIX Firewall.
show actkey let you view the activation key and the number of connections. Should you lose your activation key, you can call customer support and give them the serial number from the show serial command and they can help you regain access to your system.

Troubleshooting

You can use the following guidelines to interpret SYSLOG messages:

"laddr" indicates a local IP address, "gaddr" indicates a global IP address, and "faddr" indicates a foreign IP address. A local IP address is an untranslated IP address on the internal, protected interface. A global IP address is a translated IP address in the pool of global addresses created by the global, static, or mailhost commands. A foreign IP address is an untranslated IP address on the external, unprotected interface.
The "due to DNS response" message in a deny statement means that the PIX Firewall DNS Guard feature is in effect and the message indicates slow response from the DNS server. When the response is slow, the PIX Firewall sends a second DNS inquiry, the first returns, and the second gets denied and logged.

Future Command Obsolescence

This section lists commands that will be removed in future releases.

Because the http command will be removed in the near future, the information is provided in these release notes and not in the PIX Firewall Series Configuration Guide.

Note The HTML Configuration Manager has not been updated for the third interface changes and may provide unexpected information displays.

Configuring with the HTML Configuration Manager

The PIX Firewall provides a graphical user interface to help simplify configuration tasks.

Once you have specified the network interface speed and IP addresses, you need to enter two additional commands and you can then use a network browser, such as Netscape Navigator, to complete the configuration. You can have up to 16 simultaneous HTTP console sessions.

Use the http command (described in the next section) to give access to a workstation and ensure that the firewall has an IP address other than the default 0.0.0.0 value.

To access the PIX Firewall from a network browser:

Step 1 At your workstation, start a network browser.

Step 2 Open a URL and specify the IP address of the PIX Firewall's inside IP address.

Step 3 The network browser then prompts you for a user name and password. Always use admin for the user name and enter the password you specified with the passwd command. The default password is cisco.

The main configuration screen then appears. You can then configure information as needed.

http command

Provide or remove access to the PIX Firewall console HTML management interface. (Privileged mode.)

[no] http ip_address [netmask] clear http ip_address [netmask] show http

Syntax Description

ip_address	IP address of systems on the inside of the PIX Firewall that are able to access the PIX Firewall HTML management interface.
netmask	Network mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of ip_address.

Usage Guidelines

The http command lets an IP address access the PIX Firewall console HTML management interface. Use no http or clear http to disable management interface access. Use show http to list the information you entered. Up to 16 HTTP console sessions can be simultaneously active.

When you start the web browser, specify the IP address of the firewall in the Go to field or the Open URL field. You must have previously given the firewall an IP address and default route. In addition, if the computer on which you run the browser is directly connected to the PIX Firewall, the computer must be on the same subnet as the firewall.

If the browser displays an error message stating "Document contains no data," the http command has not been used to give that computer access to the firewall.

Note You must use the http command before you can use the PIX Firewall HTML network browser configuration capability.

The HTTP user name is admin and the default password is cisco. The user name cannot be changed.

Example

pixfirewall(config)# http 192.168.42.42
pixfirewall(config)# show http
                    192.168.42.42 255.255.255.255*

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can access CCO in the following ways:

WWW: http://www.cisco.com
WWW: http://www-europe.cisco.com
WWW: http://www-china.cisco.com
Telnet: cco.cisco.com
Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.

For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.

Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.

CD-ROM Documentation

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more up to date than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar, select Documentation, and click Enter the feedback form. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.

Table of Contents