
Cisco PIX 500 Series Security Appliances

Field Notice: PIX Device Manager 2.0(1) Deferral


Revised June 14, 2002

June 11, 2002


Products Affected

Product: PDM 2.0(1)

Comments: PIX Device Manager (PDM) embedded management software, version 2.0(1)

Problem Description

When you use PDM 2.0(1) to create inbound access-list or conduit rules, PDM may not create the appropriate Command Line Interface (CLI) configuration entries in the PIX Firewall under certain conditions. When such rules are correctly created with the CLI, they may be displayed improperly in PDM.

In no case does the configuration error allow unexpected traffic to pass from a lower security level interface to a higher security level interface. In all cases, the errors block traffic that is intended to be allowed to pass from a lower security level interface to a higher security level interface.

PDM 2.0(1) has been deferred and removed from Cisco.com. This bug is fixed in PDM 2.0(2), now available on Cisco.com in the PIX Firewall section of the software library. PDM 2.0(1) users should upgrade to 2.0(2).

This bug is in the PDM 2.0(1) executable image. There are no related errors in PIX OS 6.2. The access-list and conduit rules configured with the PIX OS 6.2 CLI function save to flash correctly.

Background

A bug in the PDM 2.0(1) software causes this failure to occur when inbound access-list or conduit rules are created against IP addresses within network ranges for which static Network Address Translation (NAT) rules are in place. Configurations that contain only dynamic NAT rules or static NAT rules based upon individual host addresses do not experience this failure.

Problem Symptoms

Condition

A static NAT rule based upon an IP network address range must be in place for this bug to be encountered. This kind of NAT rule looks like:

static (inside, outside) 20.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

You can identify static NAT rules based upon an IP network address range because they have a netmask other than 255.255.255.255. The outside network address 20.0.0.0 appears before the inside network address 10.0.0.0 in the syntax of this command.

Symptoms

When you configure access-list rules to allow access from the outside to a host on the inside network (10.1.1.1), the correct rule looks like this:

access-list 101 permit ip any host 20.1.1.1

You must apply the access-list rule against the outside NAT address of the inside host for proper function. However, PDM 2.0(1) incorrectly applies the access-list rule against the inside address of the host:

access-list 101 permit ip any host 10.1.1.1

This access-list rule does not allow any traffic to pass from the outside to the host 10.1.1.1 on the inside. The rule is evaluated prior to the NAT from the outside address 20.1.1.1 to the inside address.

The same problem exists when you configure conduit rules to allow access from the outside to a host on the inside network. The inside address of the host is used in the conduit rule. This fails to allow traffic to pass to it from the outside.
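The check described above can be run against a saved configuration. This is an added example, not Cisco's code: it flags access-list and conduit rules whose destination falls in the inside range of a network-range static and prints the outside address the rule should use. The function names and the conduit sample line are assumptions made for illustration, and only `any`, `host A` and `A MASK` address forms without source port operators are parsed.

```python
import ipaddress
import re

# Constructed sample: the static and access-list lines are quoted from the
# notice; the conduit line is an added illustration.
SAMPLE_CONFIG = """\
static (inside, outside) 20.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
access-list 101 permit ip any host 20.1.1.1
access-list 101 permit ip any host 10.1.1.1
conduit permit tcp host 10.2.2.2 eq www any
"""
STATIC_RE = re.compile(r"^static\s*\([^)]*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")

def read_addr(tok, i):
    """Parse 'any', 'host A' or 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def audit(config):
    """Return (rule line, suggested outside address) for rules whose destination
    lies in the inside range of a network-range static NAT rule."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics = []
    for ln in lines:
        m = STATIC_RE.match(ln)
        if m and m.group(3) != "255.255.255.255":  # host statics are unaffected
            outside = ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)
            inside = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            statics.append((outside, inside))
    findings = []
    for ln in lines:
        tok = ln.split()
        try:
            if tok[0] == "access-list":   # access-list ID action proto SRC DST
                _, i = read_addr(tok, 4)
                dst, _ = read_addr(tok, i)
            elif tok[0] == "conduit":     # conduit action proto GLOBAL ... FOREIGN
                dst, _ = read_addr(tok, 3)
            else:
                continue
        except (IndexError, ValueError):
            continue                      # object-groups and other forms are skipped
        for outside, inside in statics:
            if dst is not None and dst.subnet_of(inside):
                off = int(dst.network_address) - int(inside.network_address)
                findings.append((ln, str(outside.network_address + off)))
    return findings

if __name__ == "__main__":
    for rule, fix in audit(SAMPLE_CONFIG):
        print(f"{rule}  -> should reference {fix}")
```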

The same problem exists when you use object groups. In this case, an internal object-group is created and an access-list or conduit rule is applied that allows outside traffic to access the internal group. The configuration that results from PDM creates a rule that incorrectly matches the internal group rather than the external. This prevents any such traffic from reaching the internal group.

When object-group, access-list, or conduit rules are created correctly with use of the CLI, PDM 2.0(1) fails to properly display the rule. Rules are incorrectly displayed as null rules even though, in the CLI, they are properly configured against the external network address or group, and they function as configured in the CLI.

Note: It is normal behavior for PDM to display the inside address of the host for inbound access-list or conduit rules. There is no visual difference between the list of such rules placed against hosts or networks (but not groups) in PDM 1.x, 2.0(1), and 2.0(2). It is the CLI configuration generated and transferred to the PIX Firewall that should contain the outside NAT address; it is incorrectly generated with the inside address in PDM 2.0(1).

Refer to the DDTS in this document for more details about the failure symptoms.

Workaround/Solution

Workaround

If you encounter this bug, you can use the PIX OS CLI through the console, Telnet, or Secure Shell Protocol (SSH) to make configuration changes and view the configuration of affected access-list and conduit rules. You can also use the Command Line Interface option under the Tools menu in PDM to achieve correct results.

Solution

This bug is fixed in PDM 2.0(2), now available on Cisco.com. It is available in the PIX Firewall (registered customers only) section of the Software Library. PDM 2.0(1) users should upgrade to 2.0(2).

Note: Any null rules already created by PDM 2.0(1) remain after the upgrade to PDM 2.0(2). To correct them, complete these steps in the PDM Access Rules Table:

  1. Select the first null rule and, from the right-click menu or the Toolbar, choose Cut.

  2. From the right-click menu or the Toolbar, choose Paste to place it back into the table.

    Note: Rules are order-dependent, so use the Paste before or Paste after functions to control where you want to insert the rule.

  3. In the Paste Rule window, verify the information, and click OK at the bottom of the window to finish the process.

Repeat this process for all the null rules. Be sure to apply these configuration changes to the PIX using the button at the bottom of the Access Rules window before you exit.

DDTS

DDTS: CSCdx79154

Description: PDM uses the wrong address/group in ACL, and marks the correct rule as NULL.

PIX CLI and PDM Naming Conventions

Both access-list and conduit PIX CLI rules appear under the main Access Rules tab in PDM. To see a list, click the Access Rules radio button in this tab. PDM does not support the use of access-list and conduit rules simultaneously on one PIX Firewall. By default, PDM creates access-list rules. The conduit rules are utilized only when PDM manages a PIX Firewall with existing conduit rules.

The object-group PIX CLI rules appear under the main Hosts/Networks tab in PDM. They are managed by the Hosts/Networks Groups box on the right side of the window.

NAT rules appear under the main Translation Rules tab in PDM. To identify a static NAT rule, you can compare the rule type in the table against the legend at the bottom of the window.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
