Cisco PIX Firewall Software

Cisco PIX Firewall Release Notes, Version 4.4(8)

Release Notes for the PIX Firewall
Version 4.4(8)


July 2001

Contents

This document includes the following sections:

Introduction

System Requirements

New and Changed Information

Installation Notes

Limitations and Restrictions

Important Notes

Caveats

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Introduction

For information on previous version 4.4 features, installation notes, limitations and restrictions, usage notes, and caveats, refer to the release notes at the following websites:

Version 4.4(1): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pixrn44.htm

Version 4.4(2): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pixrn442.htm

Version 4.4(3): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pixrn443.htm

Version 4.4(4): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pixrn444.htm

Version 4.4(5): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pixrn445.htm

Version 4.4(6): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pixrn446.htm

Version 4.4(7): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pixrn447.htm

System Requirements

The information contained in these release notes applies to all PIX Firewall hardware models running software version 4.4 or later.

Version 4.4 supports one of the following interface combinations:

One 4-port Ethernet card and one or two Ethernet or Token Ring cards, which can be intermixed, such as a 4-port Ethernet card and two Token Ring cards

Up to four single-port Ethernet or Token Ring cards, either separate or intermixed

Two FDDI cards

Memory Requirements

Version 4.4 requires at least 16 MB of RAM (optional memory upgrades are available) and at least 2 MB of Flash memory. Use the show version command to verify how much Flash and RAM memory is in your PIX Firewall.

Maximum Configuration Size

The maximum configuration size is 350 KB for all Flash memory sizes.

PIX Firewall Manager Interoperability

You can use PIX Firewall version 4.4(8) with the PIX Firewall Manager version 4.3(2)h. Refer to the Release Notes for the PIX Firewall Manager Version 4.3(2)h for more information. You can view this document online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pfm432e.htm

The PIX Firewall Manager (PFM) lets you manage PIX Firewall units; however, it does not let you configure any PIX Firewall features added after version 4.3(2).

The "Frequently Asked Questions" section in the PFM release notes provides useful troubleshooting information.

Cisco Secure Policy Manager Interoperability

Cisco Secure Policy Manager (Cisco Secure PM), version 2.2, provides policy-based management support for PIX Firewall units running a version 4.2(n), 4.4(n), or 5.1(n) software image.

Refer to the documentation set for Cisco Secure PM at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/index.htm

New and Changed Information

No new or changed information was added in version 4.4(8).

Installation Notes

No new installation notes were added in version 4.4(8).

Limitations and Restrictions

No new limitations or restrictions were added in version 4.4(8).

Important Notes

No new important notes were added in version 4.4(8).

Caveats

Open Caveats

Table 1 lists the open caveats for the 4.4(8) release.

Table 1 Open Caveats

DDTS Number  Description
CSCdu61593   Syslog stops after stressing PIX Firewall.
CSCdu60389   PIX Firewall parser allows configuration for NAT and PAT in the same address.
CSCds25359   snmpwalk does not return a value if we walk from .1 (4.4-only).
CSCdr40377   Opening ftp data connection does not show up in syslog, 4.4-only.
CSCdp12322   PIX Firewall 4.4.1 syslog error %PIX-2-106002 doc and display are ambiguous.


Resolved Caveats

Table 2 lists the resolved caveats for the 4.4(8) release.

Table 2 Resolved Caveats

DDTS Number  Description
CSCdu51096   Reboot interval for FO-only lic is doubled, fail active incr at 30s.
CSCdu47003   Able to pass disallowed SMTP command through PIX Firewall, by sending after mail.
CSCdu46309   pix_init should be called after verifying license key.
CSCdu44986   Redundant output for max interface when PIX Firewall boots up.
CSCdu43926   F-Only: show ver does not indicate unit is failover only.
CSCdu05694   Invalid global command causes trace back (ci/console).
CSCdu02673   Clear config should be a config mode command.
CSCdu01056   Reload while running backup traffic (SQL*Net) through PIX Firewall.
CSCdt82325   Reload due to exhausted memory while URL filtering heavy traffic.
CSCdt75960   ISA fragment method causes PIX Firewall to discard packets.
CSCdt69667   Encryption layer for tcp port 1467 uses up lots of memory.
CSCdt61758   Assertion, trace back in log_lookup_by_ident(); pre-5.1 only.
CSCdt60487   PIX Firewall reboots dumping trace.
CSCdt40837   PIX Firewall show block has 1552 size entry.
CSCdt37028   Redundant error checking can cause trace back within first trace back.
CSCdt28204   No support for Failover-Only License on 4.4 train.
CSCds90792   Fixup smtp blocks emails when and <CR><LF> are not in the same pack.
CSCds77371   Static ARP is not static.
CSCds74244   Reload if Active and Standby units write mem at same time.
CSCds73999   Config failed diagnostic prints only first word.
CSCds73666   Copyright notice obscures config problems.
CSCds72499   Assertion and trace back after receiving faulty DHCPDISCOVER packet.
CSCds70898   Fixup ftp strict command does not work with some ProFTPD setups.
CSCds64958   Strict FTP does not work in active mode with verbose FTP server.
CSCds55734   Negative byte count in show conn output.
CSCds54886   Trace back in AAA while trying to parse URL in HTTP GET request.
CSCds54786   interface command does not recognize unit for hw_speed.
CSCds48493   Large packet loss stall TCP transfer.
CSCds45528   Debug packet output always print tcp hlen field as 0.
CSCds43419   wr erase does not delete customer configuration.
CSCds38708   Disallowed commands can piggyback through SMTP with the DATA command.
CSCds38456   PIX Firewall timeout function wakes up earlier than the specified timeout value.
CSCds19078   PIX Firewall key cutter uses ports allowed verbiage.
CSCdr48266   PIX Firewall assertion t->stack[0] == STKINIT failed, trace back in uauth.
CSCdr04004   Small arp timeouts cause short periods of packet loss.
CSCdp67764   Show traffic displays incorrect information.
CSCdm91916   CI goes to a confused state after misconfiguring the static command.


Related Documentation

Use this document in conjunction with the PIX Firewall documentation available online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

Cisco provides PIX Firewall technical tips at the following site:

www.cisco.com/public/technotes/serv_tips.shtml

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

http://www.cisco.com

http://www-china.cisco.com

http://www-europe.cisco.com

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:

http://www.cisco.com/public/ordsum.html

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered CCO users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:

http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:

http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:

P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.

P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.