The PIX Firewall provides network firewall and translation services.
The sections that follow list the product changes:
The following features are new for this release:
- global command options
- multimedia debugging command
- NetBIOS and CIFS support
- PIX Firewall is not susceptible to the Ping-based denial of service attack
The global -i and global -p options are new for this release. global -i adds an IP address for identity (untranslated) use, and global -p adds an IP address for port remapping.
With the identity feature, NIC-registered IP addresses on the inside of the firewall appear on the outside with the same address. The identity feature lets traffic pass through the PIX Firewall without address translation while preserving adaptive security. This is useful for handling application protocols not compliant with RFC1631 such as talk and H.323.
With the port remapping feature, you can have multiple outbound sessions appear to originate from a single IP address. This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. The IP addresses you specify for global -p cannot be in the global address pool.
Ports are service specifiers inside a UDP or TCP packet. With port remapping enabled, the firewall chooses a unique port number for each outbound connection, thereby permitting many connections to use a single IP address.
Note Port remapping only takes effect when the dynamic IP addresses specified in previous global -a statements are exhausted. To use only port remapping, omit global -a statements from your configuration.
If a server expects a client to have a specific port number, port remapping cannot be used. Some multimedia applications expect the client to use a specific port and may cause problems with this feature.
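The allocation order described above, as an added example that is not PIX Firewall code: each inside host takes one address from the dynamic global -a pool, and only when the pool is exhausted do further hosts share the single global -p address through port remapping. The class and method names are invented for illustration, and the allocation rules (one pool address per inside host, remapped ports handed out in order from 1024) are an assumption drawn from this page's text; the firewall's real port selection is not documented here. The fixed_client_port flag models the caveat that a server expecting a specific client port cannot be served by remapping.

```python
"""Model of global -a pool translation with global -p port remapping as the
fallback. Added example; names and allocation rules are assumptions."""
from dataclasses import dataclass
from itertools import count


class PortRemapError(Exception):
    """Raised when a connection needs a fixed client port but only port
    remapping remains, the failure mode described in the release notes."""


@dataclass(frozen=True)
class Xlate:
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int


class Translator:
    def __init__(self, pool, pat_ip, first_port=1024, last_port=65535):
        # The notes state the global -p address cannot be in the global -a pool.
        if pat_ip in pool:
            raise ValueError("global -p address must not be in the global -a pool")
        self._free_pool = list(pool)      # unassigned global -a addresses
        self._host_addr = {}              # inside_ip -> its global -a address
        self._pat_ip = pat_ip
        self._ports = count(first_port)   # assumed: remapped ports issued in order
        self._last_port = last_port
        self.xlates = {}                  # (inside_ip, inside_port) -> Xlate

    def translate(self, inside_ip, inside_port, fixed_client_port=False):
        """Return the Xlate for an outbound connection, creating it if needed.

        fixed_client_port models a server that expects the client to arrive
        from a specific source port; such a connection cannot be remapped.
        """
        key = (inside_ip, inside_port)
        if key in self.xlates:
            return self.xlates[key]

        # 1. A host that already holds a pool address keeps using it, and its
        #    original source port is preserved (one-to-one translation).
        if inside_ip in self._host_addr:
            xlate = Xlate(inside_ip, inside_port, self._host_addr[inside_ip], inside_port)
        # 2. Otherwise hand out the next free pool address, if any are left.
        elif self._free_pool:
            addr = self._free_pool.pop(0)
            self._host_addr[inside_ip] = addr
            xlate = Xlate(inside_ip, inside_port, addr, inside_port)
        # 3. Pool exhausted: port remapping onto the shared global -p address.
        else:
            if fixed_client_port:
                raise PortRemapError(
                    f"{inside_ip}:{inside_port} needs its source port preserved "
                    f"but only port remapping via {self._pat_ip} remains")
            port = next(self._ports)
            if port > self._last_port:
                raise RuntimeError("no remapped ports left on the global -p address")
            xlate = Xlate(inside_ip, inside_port, self._pat_ip, port)

        self.xlates[key] = xlate
        return xlate


if __name__ == "__main__":
    # Constructed walk-through: a two-address pool plus one remapping address.
    t = Translator(pool=["192.1.1.10", "192.1.1.11"], pat_ip="192.1.1.20")
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
        print(t.translate(host, 40000))
```

Running the walk-through shows the first two hosts each receiving their own pool address with the source port unchanged, and the third and fourth hosts both appearing as 192.1.1.20 with distinct remapped ports.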
The multimedia command lets you debug a multimedia application. If a new multimedia application does not work through the PIX Firewall, enter multimedia on to start this debug feature, then start the application. While the multimedia feature is on, the PIX Firewall permits all UDP traffic between the client and server of the current TCP connection, so adaptive security is relaxed for that pair of hosts. The command produces no console or SYSLOG output while running.
You can see if the command is enabled by entering save -s and examining the list of configuration commands for the presence of the multimedia on command.
When you complete debugging, use the multimedia off command to restore PIX Firewall to its normal functionality.
The syntax for this command is:
multimedia on|off
Only use this command while debugging. This command is especially helpful for Microsoft NetShow compatibility. Future PIX Firewall versions will handle this application transparently.
PIX Firewall now supports NetBIOS authentication and name servers and CIFS (Common Internet File System).
PIX Firewall is not susceptible to the Ping-based denial of service attack currently affecting the Internet.
The following features were in version 2.7.12:
- The 10-minute SYSLOG stamps have been moved from the accounting to the resource file.
- The firewall issues a console warning if you use the static command without the secure option.
- Static translations created without the secure option are forced into secure mode when you create a conduit for them.
- PIX Firewall now transparently supports the following multimedia applications: VocalTec Internet Phone, Xingtech Streamworks, VDO Live, CuSeeMe, and Progressive RealAudio.
- PIX Firewall now supports ATMEL segment-erasable flash memory boards.
- The floppy disk image now loads automatically, without prompting you, if the floppy disk image version is different from the flash memory image version.
- PIX Firewall software updates are now unserialized so that you can download an archive file from the network. Archive files are available for UNIX, MS-DOS, or Windows operating systems. You can then create a floppy disk image to install on your firewall. Previous versions required special handling from Cisco Sales.
- The conduit command now accepts port ranges as well as single port numbers. The port field uses the form mask-from-to, where mask is the netmask length in bits of the foreign address; for example, specify ports 10 to 20 on a single foreign host as 32-10-20.
- The xlate command now displays PIX Firewall state flags for each TCP connection.
- PIX Firewall adaptive security now transparently supports TFTP.
The following features appear in the PIX Firewall version 2 documentation, but are shown here for emphasis:
- PIX Firewall now listens for default routes on the outside network interface.
- The conduit command now lets you open all TCP or UDP ports on a host. If a conduit is specified as conduit 192.1.1.1 tcp:192.1.2.2/32-0, the outside host 192.1.2.2 can reach the inside host mapped to the global address 192.1.1.1 on any TCP port. The same syntax applies to UDP.
- You can specify static routes with the route command.
- Remote PIX Firewall units can be managed with Private Link.
- The new -u option to the xlate command lets you view UDP connection state information.
- UDP port 53 is no longer transparent from the outside with a secure static. To access an internal DNS server from outside the firewall, use conduit 192.1.1.1 udp:0.0.0.0/0-53.
- The access_list command provides an access control feature that allows PIX Firewall to locally control the hosts that can use services, and which Internet machines and services can be accessed.
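A parser and exposure check for the conduit statements shown above and in the version 2.7.12 list, as an added example that is not PIX Firewall code. The grammar is an assumption reconstructed from the examples on this page: global_ip protocol:foreign_ip/mask-from[-to], where mask is the netmask length, 0.0.0.0/0 means any source, and a port of 0 means every port of that protocol. The sample configuration is constructed; the function names are invented for illustration.

```python
"""Parse PIX conduit statements and flag the ones that expose every port.
Added example; the grammar below is an assumption drawn from this page."""
import ipaddress
import re
from dataclasses import dataclass

# conduit <global_ip> <tcp|udp>:<foreign_ip>/<mask>-<from>[-<to>]
_CONDUIT = re.compile(
    r"^conduit\s+(?P<global>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>tcp|udp):(?P<foreign>\d+\.\d+\.\d+\.\d+)/"
    r"(?P<mask>\d+)-(?P<lo>\d+)(?:-(?P<hi>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Conduit:
    global_ip: ipaddress.IPv4Address
    proto: str
    foreign: ipaddress.IPv4Network
    lo: int
    hi: int

    @property
    def any_port(self) -> bool:
        # Assumption from the page: a port field of 0 opens every port.
        return self.lo == 0

    def permits(self, proto: str, src_ip: str, dst_port: int) -> bool:
        """Would this conduit admit an inbound packet from src_ip to dst_port?"""
        if proto.lower() != self.proto:
            return False
        if ipaddress.IPv4Address(src_ip) not in self.foreign:
            return False
        return self.any_port or self.lo <= dst_port <= self.hi


def parse_conduit(line: str) -> Conduit:
    m = _CONDUIT.match(line.strip())
    if not m:
        raise ValueError(f"not a conduit statement: {line!r}")
    mask = int(m["mask"])
    if not 0 <= mask <= 32:
        raise ValueError(f"bad mask length {mask} in {line!r}")
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] is not None else lo
    if lo > hi or hi > 65535:
        raise ValueError(f"bad port range {lo}-{hi} in {line!r}")
    net = ipaddress.IPv4Network(f"{m['foreign']}/{mask}", strict=False)
    return Conduit(ipaddress.IPv4Address(m["global"]), m["proto"].lower(), net, lo, hi)


def audit(config_text: str) -> list:
    """Return (conduit, reason) for every conduit that opens all ports.

    A single-port conduit from any source (the DNS case on this page) is
    normal for a public server and is not reported.
    """
    findings = []
    for line in config_text.splitlines():
        if not line.strip().lower().startswith("conduit"):
            continue          # static, multimedia and other statements are skipped
        c = parse_conduit(line)
        if c.any_port and c.foreign.prefixlen == 0:
            findings.append((c, "any source to any port"))
        elif c.any_port:
            findings.append((c, "all ports open to a fixed source"))
    return findings


# Constructed sample configuration, not taken from any real firewall.
CONSTRUCTED_CONFIG = """\
multimedia off
conduit 192.1.1.1 tcp:192.1.2.2/32-0
conduit 192.1.1.1 udp:0.0.0.0/0-53
conduit 192.1.1.1 tcp:0.0.0.0/0-0
conduit 192.1.1.2 tcp:192.1.2.0/24-10-20
"""

if __name__ == "__main__":
    for conduit, reason in audit(CONSTRUCTED_CONFIG):
        print(f"{reason}: {conduit.proto} {conduit.foreign} -> {conduit.global_ip}")
```

The tcp:0.0.0.0/0-0 form is the one to hunt for in a saved configuration: it hands every TCP port of the mapped inside host to the whole Internet, which defeats the purpose of a secure static.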
The following software fixes are in this release:
- UDP state entries now expire correctly.
- Very large configurations can now be completely saved to flash memory or floppy disk. You can now save configurations of up to 2300 lines to flash memory or floppy disk.
- RIP-derived routes now expire correctly.
- The telnet command no longer requires a network mask value.
- The rip inside passive command routes packets to the correct inside network routers.
- To use the AUI port, you no longer need to reboot the PIX Firewall.
- FTP and passive mode FTP now work when access lists are in use.
- The list_rip command now displays router information correctly.
- You can only specify one apply command statement now.
- Removing non-existent static translations no longer corrupts the conduit count.
- PIX Firewall no longer hangs when free memory is low.
- RIP entries and UDP state entries now time out correctly.
- The xlate command display now works properly with the static and link commands.
- PIX Firewall now adds an inside ARP entry whenever you create a dynamic xlate.
- The ifconfig command now parses options correctly and indicates a bad link type clearly.
- PIX Firewall now handles IP fragmentation correctly.
- PIX Firewall now correctly handles the FIN state for a TCP connection. The FIN (finish) flag indicates that the sender is done sending data. PIX Firewall also correctly handles the creation of a TCP connection over an older one in FIN state.
- PIX Firewall now correctly handles multiple FTP commands in a single packet; for example, when an FTP PORT command arrives in the same packet as other commands.
- Multiple static commands mapping different global addresses to the same internal address are no longer accepted.
- Access list usage now works correctly.
The following bugs are present in the PIX Firewall software:
- Pings with a block size above 1472 bytes (the largest ICMP payload that fits in a single Ethernet frame without fragmentation) to the PIX Firewall interfaces are not returned.
- Setting the SYSLOG host to an address on the outside DMZ segment can cause the PIX Firewall to lock up after an indeterminate period of time. This problem occurs more often when SYSLOG is heavily loaded.
- The maximum number of access_list entries allowed is 1000.
- Incorrect use of the static command can leave the IP address from that command unavailable. A reboot is required to clear the error.
- Flash memory can be exhausted after a number of save commands have been performed. In these situations, save commands return a "write failed" message. As a workaround, always save good configurations to floppy disk. Reinstalling the software from floppy disk completely resets the configuration storage and restores use of the save command.
- Translation descriptors used with inbound UDP traffic may not time out properly. Use the xlate -u command to check for this condition.
- Using the restore -f command to restore the configuration from floppy disk may not work the first time it is issued. Repeat it a few times if needed. Console warnings about duplicate globals can be ignored. Use the save -s command to inspect the working configuration.
- Warnings may not appear if you attempt floppy disk operations without a diskette in the drive.
- If you attempt a connection to a TCP client that does not exist, the connection cannot be released until the connection timeout value elapses. For this reason, we recommend that you do not set your timeout value to the maximum.
Cisco Connection Online (CCO), formerly Cisco Information Online (CIO), is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional content and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously--a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
- WWW: http://www.cisco.com.
- WWW: http://www-europe.cisco.com.
- WWW: http://www-china.cisco.com.
- Telnet: cco.cisco.com.
- Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and baud rates up to 14.4 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
