Guest

Cisco PIX Firewall Software

Cisco PIX Security Appliance Release Notes Version 8.0

  • Viewing Options

  • PDF (496.0 KB)
  • Feedback
Cisco PIX Security Appliance Release Notes Version 8.0(2)

Table Of Contents

Cisco PIX Security Appliance Release Notes Version 8.0(2)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Maximum Recommended Configuration File Size

Cisco VPN Software Interoperability

Cisco VPN Client Interoperability

Cisco Easy VPN Remote Interoperability

Determining the Software Version

Upgrading to a New Software Version

New Features

Important Notes

virtual http Command

FIPS 140-2

AnyConnect Client Sessions

Open Source Software Usage

User Upgrade Guide

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

Features not Supported in Version 8.0(2)

Downgrade to Previous Version

Certificates

Caveats

Open Caveats - Version 8.0(2)

Related Documentation

Obtaining Documentation and Submitting a Service Request


Cisco PIX Security Appliance Release Notes Version 8.0(2)


June 2007

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Introduction


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 8.0(2).


The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.

For more information on all the new features, see New Features.

Additionally, the adaptive security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.

System Requirements

The sections that follow list the system requirements for operating a security appliance.


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 8.0(2).


Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(2). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. Table 1 lists the default value for the memory that ships with each security appliance and flash memory requirements for Version 8.0(2).

Table 1 Default Memory Shipped and Flash Memory Requirements 

PIX Security Appliance Model
Default Memory (MB)
Flash Memory Required (MB)

515/515E

64

16

525

128

535

512


For more information about minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0.

Software Requirements

Version 8.0(2) requires the following:

The minimum software version required before upgrading to PIX Version 8.0(2) is PIX Version 7.2. If you are running a PIX version earlier than Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can upgrade to PIX Version 7.2.

To upgrade your PIX software image, go to the following website:

http://www.cisco.com/public/sw-center/index.shtml

For information on specific licenses supported on each model of the security appliance, go to the following website: http://www.cisco.com/en/US/docs/security/asa/asa80/license/license80.html

If you are upgrading from a previous PIX version, save your configuration and record your activation key and serial number. For new installation requirements, go to the following website: http://www.cisco.com/public/sw-center/index.shtml

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 8.0(2). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 8.0(2). If you are using ASDM, we recommend no more than a 500 KB configuration file, because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series
Interoperability Comments

Cisco IOS routers

Version 8.0(2) requires Cisco IOS Release 12.3(T)T or higher running on the router when using IKE Mode Configuration on the security appliance.

Cisco VPN 3000 concentrators

Version 8.0(2) requires Cisco VPN 3000 concentrator Version 3.6 or higher for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client
Interoperability Comments

Cisco VPN client v3.x/4x

(Unified VPN client framework)

Version 8.0(2) supports the Cisco VPN client Version 3.6 or higher that runs on all Microsoft Windows platforms. This version also supports the Cisco VPN client Version 3.6 or higher that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote
Interoperability Comments

Cisco PIX Security Appliance Easy VPN remote V6.3

Version 8.0(2) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.

VPN 3000 Easy VPN remote V3.x/4x

Version 8.0(2) Cisco Easy VPN server requires the Version 3.6 or higher of the Easy VPN remote that runs on the VPN 3002 platform.

Cisco IOS Easy VPN remote Release 12.2(16.4)T

Version 8.0(2) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance. Alternatively, you can view the software version on the Cisco ASDM home page.

Upgrading to a New Software Version

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/public/sw-center/index.shtml

If you want to upgrade from Version 7.1.(x) to 7.2(x) or downgrade from Version 7.2(x) to Version 7.1(x), you must follow the subsequent procedure, because older versions of the security appliance images do not recognize new ASDM images, and new security appliance images does not recognize old ASDM images.

You can also use the CLI to download the image. For more information, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.

To upgrade from Version 7.2.(x) to Version 8.0(2), perform the following steps:


Step 1 Load the new Version 8.0(2) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 2 Reload the device to upgrade to the Version 8.0(2) image.

Step 3 Copy the new ASDM Version 6.0 image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 4 Enter the following command to tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/asdmfile


To downgrade from Version 8.0(2) to 7.2.(x), perform the following steps:


Step 1 Load the earlier Version 7.2(x) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 2 Reload the device to downgrade to the Version 7.2(x) image.

Step 3 Copy the earlier ASDM Version 5.2(x) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 4 Enter the following command to tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/asdmfile


New Features

This section lists the new feature for Version 8.0(2). All new features are supported in ASDM 6.0(2).

Feature Type 
Feature 
Description 
General Features
Routing

EIGRP routing

The adaptive security appliance supports EIGRP or EIGRP stub routing.

High Availability

Remote command execution in Failover pairs

You can execute commands on the peer unit in a failover pair without having to connect directly to the peer. This feature works for both Active/Standby and Active/Active failover.

Failover pair Auto Update support

You can use an Auto Update server to update the platform image and configuration in failover pairs.

Stateful Failover for SIP signaling

SIP media and signaling connections are replicated to the standby unit.

Redundant interfaces

A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the adaptive security appliance reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. You can configure up to eight redundant interface pairs.

Access Policies

Dynamic access policies (DAP)

VPN gateways operate in dynamic environments. Multiple variables can affect each VPN connection, for example, intranet configurations that frequently change, the various roles each user may inhabit within an organization, and logins from remote access sites with different configurations and levels of security. The task of authorizing users is much more complicated in a VPN environment than it is in a network with a static configuration.

Dynamic access policies (DAP) on the security appliance let you configure authorization that addresses these many variables. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address issues of multiple group membership and endpoint security. That is, the security appliance grants access to a particular user for a particular session based on the policies you define. It generates a DAP at the time the user connects by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and the AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.

Administrator Differentiation

Lets you differentiate regular remote access users and administrative users under the same database, either RADIUS or LDAP. You can create and restrict access to the console via various methods (TELNET and SSH, for example) to administrators only. It is based on the IETF RADIUS "service-type" attribute.

Platform Enhancements

VLAN support for remote access VPN connections

Provides support for mapping (tagging) of client traffic at the group or user level. This feature is compatible with clientless as well as IPSec and SSL tunnel-based connections.

VPN load balancing for the ASA 5510

Extends load balancing support to ASA 5510 adaptive adaptive security appliances that have a Security Plus license.

Crypto Conditional Debug

Lets users debug an IPSec tunnel on the basis of predefined crypto conditions such as the peer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug messages to specific IPSec operations and reducing the amount of debug output, you can better troubleshoot the adaptive security appliance with a large number of tunnels.

HTTP Proxy

PAC Support

Lets you specify the URL of a proxy autoconfiguration file (PAC) to download to the browser. Once downloaded, the PAC file uses a JavaScript function to identify a proxy for each URL.

HTTPS Proxy

Proxy Exclusion List

Lets you configure a list of URLs to exclude from the HTTP requests the adaptive security appliance can send to an external proxy server.

NAC

Support for audit services

You can configure the adaptive security appliance to pass the IP address of the client to an optional audit server if the client does not respond to a posture validation request. The audit server uses the host IP address to challenge the host directly to assess its health. For example, it might challenge the host to determine whether its virus checking software is active and up-to-date. After the audit server completes its interaction with the remote host, it passes a token to the posture validation server, indicating the health of the remote host. If the token indicates the remote host is healthy, the posture validation server sends a network access policy to the adaptive security appliance for application to the traffic on the tunnel.

   
Firewall Features
Application Inspection

Modular Policy Framework inspect class map

Traffic can match one of multiple match commands in an inspect class map; formerly, traffic had to match all match commands in a class map to match the class map.

   

TLS Proxy for SCCP and SIP

Enables inspection of encrypted traffic. Implementations include SSL-encrypted VoIP signaling (that is, Skinny and SIP) interacting with the Cisco CallManager.

SIP Enhancements for CCM

Improves interoperability with CCM 5.0 and 6.x with respect to signaling pinholes.

Full RTSP PAT Support

Provides TCP fragment reassembly support, a scalable parsing routine on RTSP, and security enhancements that protect RTSP traffic.

Access Lists

Enhanced service object group

Lets you configure a service object group that contains a mix of TCP services, UDP services, ICMP-type services, and any protocol. It removes the need for a specific ICMP-type object group and protocol object group. The enhanced service object group also specifies both source and destination services. The access list CLI now supports this behavior.

Ability to rename access list

Lets you rename an access list.

Live access list hit counts

Includes the hit count for ACEs from multiple access lists. The hit count value represents how many times traffic hits a particular access rule.

Attack Prevention

Set connection limits for management traffic to the adaptive security appliance

For a Layer 3/4 management class map, you can specify the set connection command.

Threat detection

You can enable basic threat detection and scanning threat detection to monitor attacks such as DoS attacks and scanning attacks. For scanning attacks, you can automatically shun attacking hosts. You can also enable scan threat statistics to monitor both valid and invalid traffic for hosts, ports, protocols, and access lists.

NAT

Transparent firewall NAT support

You can configure NAT for a transparent firewall.

IPv6

IPv6 support for SIP

The SIP inspection engine supports IPv6 addresses. IPv6 addresses can be used in URLs, in the Via header field, and SDP fields.


Important Notes

This section lists important notes related to Version 8.0(2).

virtual http Command

The virtual http command has been restored. This command is needed with basic authentication when you have cascading authentication requests.

FIPS 140-2

Version 8.0(2) has been submitted for FIPS 140-2 Level 2 validation.

AnyConnect Client Sessions

A reestablished AnyConnect Client session fails to displace an AnyConnect Client session that is terminated abnormally (CSCsi40917).

Open Source Software Usage

For a list of the open source software used in th ASA 8.0 release, see the Open Source Software Licenses for ASA and PIX Security Appliances document on Cisco.com.

User Upgrade Guide

Before upgrading to Version 8.0(2), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide includes information about deprecated features and other changes in the Cisco PIX software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html


Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, because this is not a supported configuration and Version 8.0(2) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 8.0(2) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the adaptive security appliance over the network.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The security appliance Outbound and Conduit Conversion tool assists in converting configurations with the outbound or conduit command to similar configurations using ACLs. ACL-based configurations provide uniformity, optimize the ACL feature set, and provide the following benefits:

ACE insertion capability— Provides simplified system configuration and management, which allows you to add, delete, or modify individual ACEs.

Outbound ACLs and time-based ACLs—Provides administrators with improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.

Enabling and Disabling of ACL entries—Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries.

Features not Supported in Version 8.0(2)

The PPTP feature is not supported in Version 8.0(2).

The TLS proxy feature is not supported on the PIX security appliance.

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. Use the downgrade command only if you want to downgrade to a version other than 7.x.

For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.


Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. If you load a software image from monitor mode onto a PIX security appliance that has a PIX Version 7.0 file system, unpredictable behavior may occur and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

Certificates

Symptom: SSL connections from browsers and AnyConnect fail if the certificate being used contains the following enhanced key usage "IP security IKE intermediate (1.3.6.1.5.5.8.2.2)". This is the default way of issuing certificates via SCEP enrollment to a Microsoft 2003 Enterprise CA with the newer certificate templates.

Workaround:

Use terminal enrollment instead of SCEP to get an ASA certificate.

Changing the SCEP policy module on the 2003 CA may alleviate this issue.

Symptom: If the validity date on the a certificate is issued beyond the year 2099, it will fail to authenticate and an error will be generated when attempting to authenticate it.

Workaround:

Limit the validity period of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038.

Symptom: User prompted for credentials when permstore and auto-signon are both enabled.

Conditions:

Both auto-signon and permanent-storage are enabled for the server requiring authentication.

Workaround:

Disable auto-signon for this server. Enable auto-signon only for servers having the same login credentials as WebVPN.


Note Because credentials used by auto-signon take precedence over permanent-storage of user credentials, do not enable auto signon for servers that do not require authentication or that use credentials different from the adaptive security appliance. When auto signon is enabled, the adaptive security appliance passes on the login credentials that the user entered to log into the adaptive security appliance regardless of what credentials are in user storage.


Caveats

This section lists the open and resolved caveats for Version 8.0(2).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Version 8.0(2)

Table 2 Open Caveats 

DDTS Number
Software Version 8.0(2)
 
 
Corrected
Caveat

CSCsj15448

No

Group-policy names with embedded space(s) are not usable

CSCsj08209

No

In some instances 'clear ospf process causes traceback

CSCsj22800

No

clearing shuns during an attack causes traceback

CSCsj20475

No

WebVPN: Group-URL fails without a /

CSCsi09586

No

Conflict between aaa listener and http redirect commands

CSCej04099

No

static xlate breaks management-access inside

CSCsg47023

No

L2TP Connections with Certificates to ASA Fail to Connect

CSCsg65434

No

Multiple ipsec peers : PIX/ASA stops processing the IPSEC peers list

CSCsh15861

No

VPN client fails to connect, external DHCP server

CSCsh28991

No

IKE sessions are getting stuck in AM_WAIT_DELETE state

CSCsh29836

No

Clientless WebVPN traffic not transmitted out separate L2L interface

CSCsh40829

No

LDAP: multiple Cisco-AV-Pair need to be enforced on vpn-session

CSCsh67528

No

L2TP/IPSec OSX client disconnection after 45 minutes when NAT-T in used

CSCsh68314

No

Nac-default-access list doesn't work as expected with l2tp/ipsec

CSCsi00074

No

Incorrect values returned by SSL VPN OIDs

CSCsi04673

No

FW may drop packets when VPN address pool overlaps with interface subnet

CSCsi08317

No

PIX using Authentication Proxy and Wildcard causes Certificates error

CSCsi12180

No

SSH connections may cause interface errors (no buffer and overruns)

CSCsi15611

No

Traceback may occur with debugs webvpn citrix 255

CSCsi32502

No

packet/byte counters are not populated for the session table of CRAS MIB

CSCsi43492

No

ASA 7.2 CIFS: incomplete upload a file with size of ~100M for Firefox 2

CSCsi51600

No

Misleading prompt with radius/sdi authentication on 7.2.2

CSCsi58109

No

ASA requests username/password until next available aaa server found

CSCsi75355

No

5505 WebVPN: hw accelerator errors with >1024 bit cert

CSCsi98464

No

ASA injects another 'BrowserProtocol' keyword in ICA file

CSCsi98616

No

After two consecutive failovers SVC connections won't replicate

CSCsi98617

No

VPNFO: Standby stale sessions not removed

CSCsj01643

No

IPSec VPN first auth fails when SDI SoftID is in Cleared PIN Mode

CSCsj03319

No

WebVPN: Infopath XML fails to open correctly

CSCsj03437

No

WebVPN: RDP Icon fails after a redirect action to a Citrix Presentation

CSCsj13797

No

SSH connection fails when first server in AAA group is unreachable

CSCsj14874

No

AAA Authentication against local database working inconsistently

CSCsj19829

No

WebVPN: http-proxy interferes with port-forward

CSCsj24914

No

vpn-simultaneous-logins does not work when configuring PKI and no-xauth

CSCeg00330

No

DHCPACK in reply to DHCPINFORM might get dropped

CSCsf07135

No

ASDM connection may cause packet loss

CSCsg61719

No

SNMP: Coldstart Trap is not sent

CSCsh78681

No

cosmetic memory leak on his pix

CSCsi46292

No

Coldstart trap isn't sent in failover settings

CSCsi65122

No

alias with overlapping static and NAT exemption xlate errors on standby

CSCsi68321

No

Pix DHCP relay stops passing traffic after a period of time

CSCsj01620

No

Type 0 Client-ID for RA clients not supported by some DHCP servers

CSCsj10869

No

SNMP interface counters incorrect on PIX/ASA 7.2.2.22

CSCsg39338

No

to-the-box traffic from a higher metric route Int dropped for no route.

CSCsh48208

No

Directly connected network missing in route table

CSCsi41045

No

OSPF: default-info originate with route-map fails with next hop or sourc

CSCsi53577

No

OSPF goes DOWN after reload of VPN Peer

CSCsj03706

No

activex or java filter suppresses the syslog message 304001

CSCeh98117

No

Tunnel-group/ldap-login passwords in cleartext when viewed with more

CSCsi98786

No

Potential HW failure: Traceback in Thread Name: Dispatch Unit

CSCsj14865

No

SMTP fixup consistently drops '250 Ok' SMTP reply

CSCsh21462

No

esmtp ehlo masking drops packet instead of masking

CSCek21850

No

SIP: Stanby PIX show the wrong value of xlate timeout for sip media.

CSCsd31162

No

PPPoE: debug ppp doesn't display any debug messages

CSCse96428

No

PIX/ASA drops packets with IP Option Router Alert set

CSCse99033

No

tracked route removed from Standby firewall after failover

CSCsh43799

No

SIP Invite does not go to connect state in SIP Trunk Scenario

CSCsh60480

No

Unable to disconnect a call immediately with ip-address-privacy cmd

CSCsh64554

No

TCP sessions to the box denied because TCP connection limit exceeded

CSCsh91283

No

ASA/PIX: SunRPC inspect dropping packets on 7.0.6

CSCsi00628

No

CPU utilization spike observed with ASDM connected

CSCsi27609

No

ASA may drop MESSAGE requests due to sip-invite timeout

CSCsj12938

No

PIX/ASA - show ip audit count - signatures 6050 - 6053 are Informational

CSCsj18055

No

Traceroute fails through ASA if outside interface is pppoe and doing PAT

CSCsh55107

No

DHCP relay fails when static translation for all hosts configured


Related Documentation

Use this document in conjunction with the PIX firewall and Cisco VPN client Version 3.x documentation at the following website:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

© 2007 Cisco Systems, Inc.

All rights reserved.