Command Reference
This chapter provides detailed descriptions on each PIX Firewall command.
Before using this chapter, read:
• "," for important information about command line guidelines including ports and protocols.
• "," for information about configuring PIX Firewall for initial access, server access, authentication, and troubleshooting.
• "," for background information about IPSec and its components, and how to implement these IPSec features in the PIX Firewall to create a Virtual Private Network (VPN).
The following notes can help you as you configure the PIX Firewall:
• View your configuration at any time with the write terminal command.
• Save your configuration frequently with the write memory command.
• Always check the syntax before entering a command. Enter a command and press the Enter key to view a quick summary, or precede a command with help, as in help aaa.
• View syslog messages as you work on the PIX Firewall. Start accumulating messages with the logging buffered 7 command, view messages with the show logging command, and clear the message buffer with the clear logging command. Syslog messages are described in System Log Messages for the Cisco Secure PIX Firewall Version 5.0.
• PIX Firewall documentation is available online at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix
• Abbreviate commands: co t starts configuration mode, wr t lists the configuration, and wr m writes the configuration to Flash memory. Start logging with lo b 7 and show logging messages with sh lo.
• After changing or removing the alias, conduit, global, nat, outbound, and static commands, use the clear xlate command to make the IP addresses available for access.
• You can view possible port and protocol numbers at the following IANA web sites: http://www.isi.edu/in-notes/iana/assignments/port-numbers and http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
• Create your configuration in a text editor and then cut and paste it into the configuration. PIX Firewall lets you paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure everything copied.
aaa
Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)
aaa accounting acctg_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting acctg_service | except inbound | outbound | if_name group_tag
aaa authentication authen_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa authentication [authen_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
aaa authentication [serial | enable | telnet] console group_tag
no aaa authentication [serial | enable | telnet] console group_tag
aaa authorization author_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask
no aaa authorization [author_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]
show aaa
Syntax Description
accounting
Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.
acctg_service
The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
authentication
Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.
When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit.
Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.
authen_service
The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)
If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.
Set this parameter to a service other than any only if the authentication or authorization server is configured the same way. Unless you want to temporarily restrict access to a specific service, naming a service here increases administration work and can cause all connections to fail if the authentication or authorization server authenticates one service while this command names another.
authorization
Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.
author_service
The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.
For protocol/port:
• protocol—the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).
• port—the TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges apply only to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification is:
aaa authorization udp/53-1024 inside 0 0 0 0
This example requires authorization for UDP traffic to ports 53 through 1024 (DNS lookups and any other UDP service in that range) arriving at the inside interface from any client.
Note
Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.
except
Create an exception to a previously specified set of services.
inbound
Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside or perimeter.
outbound
Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside or perimeter.
if_name
Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.
local_ip
The IP address of the highest security level interface from which or to which access is sought. You can set this address to 0 to let the authentication server decide which hosts are authenticated.
local_mask
Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0.
foreign_ip
The IP address of the lowest security level interface from which or to which access is sought.
foreign_mask
Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0.
console
Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server.
The aaa authentication serial console command lets you require authentication to access the PIX Firewall's serial console. The serial option also logs to a syslog server changes made to the configuration from the serial console.
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial|enable|telnet] console command. While the enable option allows three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.
Telnet access to the PIX Firewall console is available from any internal interface (not the outside interface) and requires previous use of the telnet command.
Authentication of the serial console creates a potential deadlock if the authentication server requests are not answered and you need access to the console to attempt diagnosis. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password. Because this fallback accepts the enable password whenever the AAA server is unreachable, set and protect the enable password as carefully as the AAA credentials.
The maximum password length for accessing the console is 16 characters.
group_tag
The group tag set with the aaa-server command.
Usage Guidelines
The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:
• User authentication services. A user starting a connection via FTP, Telnet, or over the World Wide Web is prompted for a username and password. An authentication server, designated previously with the aaa-server command, verifies whether the username and password are correct. If they are, PIX Firewall lets the rest of that connection's traffic pass directly through the unit without further involvement of the authentication server; this is the "Cut-Through Proxy" feature.
• Authentication of access to the PIX Firewall unit's console via Telnet or the serial console. (Telnet access requires previous use of the telnet command.)
• User authorization services for TACACS+ connections that let the authentication server determine which services the user can access.
• Accounting services so that administrators can track which hosts accessed the PIX Firewall.
Note
PIX Firewall does not support RADIUS authorization.
Note
If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
Usage Notes
1. The aaa command is not intended to mandate your security policy. The authentication and authorization servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server so that both the firewall and the server agree.
2. Accounting information is only sent to the active server in a server group.
3. The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, and HTTP (Web):
(a) Telnet users see a prompt generated by the PIX Firewall that you can change with the auth-prompt command. The PIX Firewall permits a user up to four chances to log in; if the username or password still fails, the PIX Firewall drops the connection.
(b) FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password in the authentication database differs from the username or password on the remote host you are accessing with FTP, enter the username and password in these formats:
authentication_user_name@remote_system_user_name
authentication_password@remote_system_password
If you daisy-chain PIX Firewall units, Telnet authentication works in the same way as for a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter, for each daisy-chained unit, an additional at (@) character followed by the username or password for that unit. Users can exceed the 63-character password limit depending on how many units are daisy-chained and on password length.
Some FTP graphical user interfaces (GUIs) do not display challenge values.
(c) HTTP users see a pop-up window generated by the browser itself. If a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.
4. Use of the aaa authorization command requires previous use of the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command.
5. If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.
6. Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication ... console command:
(a) enable option—Allows three tries before stopping with "Access denied." The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.
(b) serial option—Causes the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection.
(c) telnet option—Causes the user to be prompted continually until successfully logging in. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection.
7. You can specify an interface name with aaa authentication. In previous versions, if you specified aaa authentication any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:
aaa authentication any outbound 0 0 server
aaa authentication except outbound perim_net perim_mask server
8. When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access by the Microsoft IIS server. This occurs because the browser adds an "Authorization: Basic Uuhjksdkfhk==" header to its HTTP GET requests. This header carries the PIX Firewall authentication credentials; Basic credentials are only base64-encoded, not encrypted, so any server that receives the header can read the username and password.
Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, PIX Firewall provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.
Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic Uuhjksdkfhk==" header and resends it on every subsequent connection to that particular site, so the PIX Firewall transparently reauthenticates the user as long as the user keeps browsing. The cached header is cleared only when the user exits all instances of Netscape Navigator or Internet Explorer and restarts; flushing the browser cache is of no use. The uauth timeout therefore does not bound how long a browser session stays authenticated.
9. Multimedia applications such as CU-SeeMe, InternetPhone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside. To avoid interfering with these applications, do not enter blanket outgoing AAA command statements for all challenged ports, such as using the any option. Be selective about which ports and addresses you use to challenge HTTP, and consider setting user authentication timeouts to a higher value. If interfered with, the multimedia programs may fail on the PC and may even crash the PC after establishing outgoing sessions from the inside.
10. For outbound connections, first use the nat command to determine which IP addresses can access the firewall. For inbound connections, first use the static and conduit commands to determine which inside IP addresses can be accessed through the firewall from the outside network.
11. When a host is configured for authentication, all users on the host have to use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials, and programs such as mail agents and newsreaders do not have authentication challenge prompts.
12. The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).
13. Up to 256 TACACS+ or RADIUS servers are permitted (up to 16 servers in each of up to 16 server groups, set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
14. For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. Also, for an IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.
15. The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.
16. For a TACACS+ server, if you do not specify a key with the aaa-server command, no encryption occurs, and the AAA exchange, including user passwords, crosses the network in cleartext.
17. Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.
18. PIX Firewall supports authentication usernames of up to 127 characters and passwords of up to 63 characters. A password or username may not contain an at (@) character, except as shown in note 3.
19. If the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is:
Unable to connect to remote host: Connection timed out
See also: aaa-server, auth-prompt, service, telnet, virtual.
Examples
1. The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 192.150.50.0, and a perimeter network of 192.150.50.0. (As printed, the outside and perimeter networks share the same address, so the commands for outside and perimeter destinations below are identical; in a real configuration the perimeter subnet differs and each command names the subnet it applies to.)
This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication any outbound 192.168.1.0 255.255.255.0 192.150.50.0 255.255.255.0 tacacs+
This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication any outbound 192.168.1.0 255.255.255.0 192.150.50.0 255.255.255.0 tacacs+
This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication any inbound 192.168.1.0 255.255.255.0 192.150.50.0 255.255.255.0 tacacs+
This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication any inbound 192.150.50.0 255.255.255.0 192.150.50.0 255.255.255.0 tacacs+
This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication any perimeter 192.150.50.0 255.255.255.0 192.150.50.0 255.255.255.0 tacacs+
2. This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the firewall. The first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+:
nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication any outbound 0 0 tacacs+
aaa authentication except outbound 10.0.0.42 255.255.255.255 tacacs+
3. This example permits inbound access to any IP address in the range of 192.150.50.1 through 192.150.50.254. All TCP services are permitted by the conduit command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface:
aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside,outside) 192.150.50.0 10.16.1.0 netmask 255.255.255.0 10 60
conduit permit tcp 192.150.50.0 255.255.255.0 10.16.1.0 255.255.255.0
aaa authentication any inbound 0 0 AuthIn
4. This example enables authorization for DNS lookups from the outside interface:
aaa authorization udp/53 inbound 0.0.0.0 0.0.0.0
5. This example enables authorization for all ICMP traffic (protocol 1, port 0 meaning all ICMP types) arriving at the inside interface from inside hosts:
aaa authorization 1/0 outbound 0.0.0.0 0.0.0.0
This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
6. This example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:
aaa authorization 1/8 outbound 0.0.0.0 0.0.0.0
aaa-server
Specify an AAA server. (Configuration mode.)
aaa-server group_tag (if_name) host server_ip key timeout seconds
no aaa-server group_tag (if_name) host server_ip key timeout seconds
aaa-server group_tag protocol auth_protocol
clear aaa-server [group_tag]
Syntax Description
Usage Guidelines
The aaa-server command lets you specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for different types of traffic; for example, one TACACS+ server for inbound traffic and another for outbound traffic, or a TACACS+ server for all outbound HTTP traffic while all inbound traffic uses RADIUS.
AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 16 tag groups and each group can have up to 16 AAA servers, for a total of up to 256 AAA servers.
The aaa command references the tag group.
The aaa-server command replaces the radius-server and tacacs-server commands.
Note
The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS.
If accounting is in effect, the accounting information goes only to the active server.
The default configuration provides these two aaa-server protocols:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
Note
If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups lets you maintain backward compatibility with the aaa command statements in your configuration.
Examples
1. This example uses the default protocol tacacs+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication any outbound 0 0 0 0 TACACS+
aaa authorization any outbound 0 0 0 0
aaa accounting any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+
This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall's serial console requires authentication from the TACACS+ server.
2. This example creates the AuthIn and AuthOut server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections; the AuthOut group authenticates outbound connections:
aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication any inbound 0 0 0 0 AuthIn
aaa authentication any outbound 0 0 0 0 AuthOut
The keys in these examples (thekey, ab, abc, abc123) are placeholders; the key is the shared secret that protects the AAA exchange, so use a long, random value in a real configuration.
access-group
Binds the access list name to the interface interface-name to permit or deny IP packets incoming into the interface. (Configuration mode.)
access-group access-list-name in interface interface-name
clear access-group access-list-name in interface interface-name
no access-group access-list-name in interface interface-name
show access-group access-list-name in interface interface-name
Syntax Description
access-list-name
The name associated with a given access list.
in interface
Filters on inbound packets at the given interface.
interface-name
The name of the network interface.
Usage Guidelines
The access-group command binds the name of a given access list to an interface. Access lists are applied to traffic inbound to the interface. If the access list permits the address, the PIX Firewall continues to process the packet. If the access list rejects the address, the firewall discards the packet and generates a syslog message.
If no access list is bound to an interface, the conduit list or outbound list is checked.
Note
The use of access-group command overrides the conduit and outbound lists for the specified interface-name.
Note
The PIX Firewall currently only supports IPSec on the outside interface. Although the PIX Firewall currently can simulate the Private Link inside termination with the use of the sysopt ipsec pl-compatible command, the termination on the inside interface is not a true termination. For more information on the sysopt ipsec pl-compatible command, see the sysopt command page.
The no access-group command unbinds access-list-name from the interface interface-name.
The show access-group command displays the current access list bound to the interface(s).
The clear access-group command removes all entries from the access list indexed by access-list-name. If access-list-name is not specified, all access lists are destroyed.
Examples
The following example binds access list 101 to the outside interface:
access-group 101 in interface outside
access-list
Create an access list. (Configuration mode.)
access-list access-list-name [deny | permit] protocol source source-netmask destination destination-netmask
no access-list access-list-name [deny | permit] protocol source source-netmask destination destination-netmask
clear access-list
show access-list
Syntax Description
Usage Guidelines
The access-list command allows you to create an access list. After you have defined an access list, bind it to an interface using the access-group command or bind it to a crypto map entry using the crypto map command. The show access-list command lists the access-list command statements in the configuration. The clear access-list command removes all access-list command statements from the configuration.
Note
The clear access-list command stops all traffic through the PIX Firewall.
Note
Do not use the access-list command in conjunction with the conduit and outbound commands.
Note
The access-list command uses the same syntax as the Cisco IOS command of the same name with one very important difference. The subnet mask in the PIX Firewall access-list command is a standard netmask (for example, 255.255.255.0), as in all other PIX Firewall commands, whereas the Cisco IOS command takes a wildcard mask (for example, 0.0.0.255).
If the access list is bound to an interface, the access list selects which traffic will be able to traverse the PIX Firewall. When bound to a crypto map entry, the access list selects which IP traffic will be protected by IPSec and which traffic will not be protected. For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or traffic between Host A and Host B.
The access lists themselves are not specific to IPSec. It is the crypto map entry referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.
Crypto access lists associated with IPSec crypto map entries have four primary functions:
• Select outbound traffic to be protected by IPSec (permit = protect).
• Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.
• Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.
• Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for ipsec-isakmp crypto map entries.) In order for a peer's initiated IPSec negotiation to be accepted, it must specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto map entry.
The crypto access list you define will be associated with an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.
Cisco recommends that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword. See the sections "Mirror Image Crypto Access Lists at each IPSec Peer" and "any Keyword in Crypto Access Lists" in "."
Note
The protocol in access lists used for IPSec can only be ip. In other words, the granularity of each IPSec tunnel can only be per-host or greater.
If you configure multiple statements for a given crypto access list to be used for IPSec, in general the first permit statement that is matched will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.
Examples
The following example creates a numbered crypto access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. When the PIX Firewall uses this crypto access list, all IP traffic that is exchanged between the source and destination subnets will be encrypted.
access-list 101 permit ip 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255
This crypto access list would be applied to an interface as an outbound crypto access list after you define a crypto map and apply it to the interface.
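The selection rules described above (forward match for outbound traffic, reverse match for inbound traffic against the same list, the first matched permit fixing the scope of the security association, and the mirror-image recommendation), as an added Python model that is not part of the PIX documentation; the second list entry, the peer's list and the packet addresses are constructed sample values.

```python
import ipaddress

# Added example (not PIX code): a crypto access list modelled as a list of
# (source, destination) networks. ipaddress accepts a netmask or, as in the
# page's entry, a wildcard mask such as 0.0.0.255.

def parse_ace(line):
    """Parse 'access-list N permit ip SRC MASK DST MASK'; IPSec lists allow only 'ip'."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
        raise ValueError("not a 'permit ip' crypto access list entry: " + line)
    src = ipaddress.ip_network((parts[4], parts[5]), strict=False)
    dst = ipaddress.ip_network((parts[6], parts[7]), strict=False)
    return (src, dst)

def select_outbound(acl, src, dst):
    """Forward match: the first permit entry covering the flow defines the scope of
    the security association negotiated for it; None means the flow is not protected."""
    s_addr, d_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s_addr in entry[0] and d_addr in entry[1]:
            return entry
    return None

def check_inbound(acl, src, dst, was_ipsec):
    """Inbound packets are matched in the reverse direction against the same list.
    A flow the list says must be protected but that arrived in the clear is discarded."""
    if select_outbound(acl, dst, src) is None:
        return "pass"            # not crypto traffic; ordinary interface rules apply
    return "accept" if was_ipsec else "discard"

def is_mirror_image(local_acl, peer_acl):
    """Cisco recommends mirror-image lists: each (src, dst) here is (dst, src) on the peer."""
    return {(d, s) for s, d in local_acl} == set(peer_acl)

# Constructed sample: the page's entry plus a second subnet pair, and the peer's mirror.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit ip 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255",
    "access-list 101 permit ip 172.21.4.0 0.0.0.255 172.22.2.0 0.0.0.255",
)]
PEER_ACL = [parse_ace(l) for l in (
    "access-list 101 permit ip 172.22.2.0 0.0.0.255 172.21.3.0 0.0.0.255",
    "access-list 101 permit ip 172.22.2.0 0.0.0.255 172.21.4.0 0.0.0.255",
)]

if __name__ == "__main__":
    print(select_outbound(ACL_101, "172.21.3.5", "172.22.2.9"))               # first entry's scope
    print(check_inbound(ACL_101, "172.22.2.9", "172.21.3.5", was_ipsec=False))  # discard
    print(is_mirror_image(ACL_101, PEER_ACL))                                   # True
```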
alias
Administer overlapping addresses with dual NAT. (Configuration mode.)
alias [(if_name)] dnat_ip foreign_ip [netmask]
no alias [[(if_name)] dnat_ip foreign_ip [netmask]]
show alias
Syntax Description
Usage Guidelines
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 192.150.50.1, you can use alias to redirect traffic to another address, such as 192.150.50.42.
Note
You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.
After changing or removing an alias command statement, use the clear xlate command.
There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The alias command has two uses which can be summarized in the following ways of reading an alias command statement:
•
If the PIX Firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address.
•
If the PIX Firewall gets a DNS packet returned to the PIX Firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.
The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration.
The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 10.1.1.0 192.150.50.0 255.255.255.0 creates aliases for each IP address between 192.150.50.1 and 192.150.50.254.
Note
ActiveX blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.
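The two readings of an alias statement given above (rewrite the destination of a packet sent to the dnat address; rewrite a DNS A record carrying the foreign address), as an added Python model that is not PIX code. It uses the net alias 192.168.1.0 192.159.1.0 255.255.255.0 and the host alias 10.1.1.11 192.150.50.11 from the examples in this section; all other addresses are constructed.

```python
import ipaddress

# Added example (not PIX code): models the two readings of an alias statement.
# Entries are (dnat_net, foreign_net) pairs built from dnat_ip, foreign_ip and
# the netmask; a host alias uses the default netmask 255.255.255.255.

class AliasTable:
    def __init__(self):
        self.entries = []

    def add(self, dnat_ip, foreign_ip, netmask="255.255.255.255"):
        dnat = ipaddress.ip_network((dnat_ip, netmask), strict=False)
        foreign = ipaddress.ip_network((foreign_ip, netmask), strict=False)
        self.entries.append((dnat, foreign))

    @staticmethod
    def _rebase(addr, from_net, to_net):
        """Keep the host bits of addr and replace the network bits with those of to_net."""
        host_bits = int(addr) & int(from_net.hostmask)
        return str(ipaddress.IPv4Address(int(to_net.network_address) | host_bits))

    def translate_destination(self, dst):
        """Reading 1: a packet destined for a dnat address is sent to the foreign address."""
        addr = ipaddress.IPv4Address(dst)
        for dnat, foreign in self.entries:
            if addr in dnat:
                return self._rebase(addr, dnat, foreign)
        return dst

    def doctor_dns_answer(self, answer_ip):
        """Reading 2: an A record answering with a foreign address is rewritten to the dnat
        address, so an inside client sends the packet to the firewall, not the local wire."""
        addr = ipaddress.IPv4Address(answer_ip)
        for dnat, foreign in self.entries:
            if addr in foreign:
                return self._rebase(addr, foreign, dnat)
        return answer_ip

# Constructed table using the net alias and the host alias from this section's examples.
TABLE = AliasTable()
TABLE.add("192.168.1.0", "192.159.1.0", "255.255.255.0")   # alias (inside) 192.168.1.0 192.159.1.0 255.255.255.0
TABLE.add("10.1.1.11", "192.150.50.11")                    # alias 10.1.1.11 192.150.50.11 255.255.255.255

if __name__ == "__main__":
    print(TABLE.doctor_dns_answer("192.159.1.33"))      # 192.168.1.33
    print(TABLE.translate_destination("192.168.1.33"))  # 192.159.1.33
```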
Usage Notes
1
To access an alias dnat_ip address with static and conduit command statements, specify the dnat_ip address in the conduit command statement as the address from which traffic is permitted. The following example illustrates this note:
alias (inside) 192.168.8.14 192.150.50.1 255.255.255.255
static (inside,outside) 192.150.50.1 192.168.8.14 netmask 255.255.255.255
conduit permit tcp host 192.150.50.1 eq ftp-data host 192.168.8.14
An alias is specified with the inside address 192.168.8.14 mapping to the foreign address 192.150.50.1.
Examples
1
In this example, an inside network uses IP address 192.159.1.33, which on the Internet belongs to domain.com. When inside clients try to access domain.com, the packets do not go to the firewall because the client thinks 192.159.1.33 is on the local inside network. To correct this, a net alias is created as follows with the alias command:
alias (inside) 192.168.1.0 192.159.1.0 255.255.255.0
show alias
alias 192.168.1.0 192.159.1.0 255.255.255.0
When client 192.159.1.123 connects to domain.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to: 192.168.1.33. If the PIX Firewall uses 192.150.50.1 through 192.150.50.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=192.159.1.123 and DST=192.168.1.33. The PIX Firewall translates it to SRC=192.150.50.254 and DST=192.159.1.33 on the outside.
2
In this example, a web server is on the inside at 10.1.1.11 and a static for it at 192.150.50.11. The source host is on the outside with address 192.150.50.7. A DNS server on the outside has a record for www.domain.com as follows:
The period at the end of the www.domain.com. domain name must be included.
The alias command is:
alias 10.1.1.11 192.150.50.11 255.255.255.255
PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.
The conduit command statement you would expect to use is:
conduit permit tcp host 192.150.50.11 eq telnet host 192.150.50.7
But with the alias command, use this command:
conduit permit tcp host 192.150.50.11 eq telnet host 192.159.1.7
You can test the DNS entry for the host with the following nslookup command:
nslookup -type=any www.domain.com
arp
Change or view the ARP cache, and set the timeout value. (Configuration mode.)
arp if_name ip_address mac_address [alias]
clear arp
no arp if_name ip_address
show arp [if_name] [ip_address mac_address alias]
arp timeout seconds
no arp timeout
show arp timeout
Syntax Description
Usage Guidelines
The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.
Note
You can use the sysopt noproxyarp command to disable proxy-arps on an interface.
Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.
The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is 14,400 seconds (4 hours). The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.
Examples
The following examples illustrate use of the arp and arp timeout commands:
arp inside 192.168.0.42 00e0.1e4e.2a7c
arp outside 192.168.0.43 00e0.1e4e.3d8b alias
show arp
outside 192.168.0.43 00e0.1e4e.3d8b alias
inside 192.168.0.42 00e0.1e4e.2a7c
clear arp inside 192.168.0.42
arp timeout 42
show arp timeout
arp timeout 42 seconds
no arp timeout
show arp timeout
arp timeout 14400 seconds
auth-prompt
Change the AAA challenge text. (Configuration mode.)
auth-prompt [accept|reject|prompt] string
clear auth-prompt
no auth-prompt [accept|reject|prompt] string
show auth-prompt
Syntax Description
Usage Guidelines
The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.
If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.
Example
The following example shows how to set the authentication prompt and how users view the prompt:
auth-prompt XYZ Company Firewall Access
After this string is added to the configuration, users view:
XYZ Company Firewall Access
User Name:
Password:
The prompt keyword can be included or omitted. For example:
auth-prompt prompt Hello There!
This command statement is the same as:
auth-prompt Hello There!
ca
Configure the PIX Firewall to interoperate with a Certification Authority (CA). (Configuration mode.)
ca authenticate ca_nickname [fingerprint]
ca configure ca_nickname ca | ra retry_period retry_count [crloptional]
no ca configure ca_nickname
show ca configure
ca crl request ca_nickname
ca enroll ca_nickname challenge_password [serial] [ipaddress]
no ca enroll ca_nickname
ca generate rsa key|specialkey key_modulus_size
ca identity ca_nickname ca_ipaddress[:ca_script_location] [ldap_ip address]
no ca identity ca_nickname
show ca identity
ca save all
no ca save all
show ca certificate
ca zeroize rsa
show ca mypubkey rsa
Note
See the section "About CA" in "," for more information about this IPSec feature.
Syntax Description
Usage Guidelines
ca authenticate
The ca authenticate command allows the PIX Firewall to authenticate its CA by obtaining the CA's self-signed certificate, which contains the CA's public key.
In order to authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You can authenticate the public key in that certificate by including the key's fingerprint, retrieved in some out-of-band process, within the ca authenticate command. The PIX Firewall discards the received CA certificate and generates an error message if the fingerprint you specified differs from the received one. You can also simply compare the two fingerprints without entering the fingerprint within the command.
If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.
The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command.
To view the CA's certificate, use the show ca certificate command.
Note
If the CA does not respond within the timeout period after this command is issued, control of the terminal is returned so that it is not tied up. If this happens, you must re-enter the command.
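The check performed when a fingerprint is supplied to ca authenticate, as an added Python model that is not PIX code: it assumes the fingerprint is the MD5 digest of the certificate bytes, accepts the spaced display form as well as the unspaced command form, and uses constructed placeholder bytes in place of a real DER certificate.

```python
import hashlib
import hmac

# Added example (not PIX code). Assumption: the fingerprint is an MD5 digest of the
# certificate bytes, shown in groups of four hex digits as on the page. The received
# certificate below is constructed placeholder data, not a real DER certificate.

def normalize_fingerprint(fp):
    """Accept '0123 4567 89AB CDEF' or '0123456789abcdef'; spacing and case vary."""
    cleaned = "".join(fp.split()).upper()
    if not cleaned or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("fingerprint is not hexadecimal: %r" % (fp,))
    return cleaned

def certificate_fingerprint(cert_bytes):
    """Fingerprint of the received CA certificate (assumed MD5 over its bytes)."""
    return hashlib.md5(cert_bytes).hexdigest().upper()

def format_fingerprint(hexstr):
    """Display form: groups of four hex digits, as in 'Fingerprint: 0123 4567 ...'."""
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))

def ca_authenticate(received_cert, expected_fp=None):
    """Return the displayed fingerprint of the received certificate. With an expected
    fingerprint, a mismatch rejects the certificate (the PIX discards it); without one,
    the operator compares the displayed value against the out-of-band copy by hand."""
    actual = certificate_fingerprint(received_cert)
    if expected_fp is not None:
        # constant-time comparison; a length mismatch also fails
        if not hmac.compare_digest(actual, normalize_fingerprint(expected_fp)):
            raise ValueError("%Error in verifying the received fingerprint.")
    return format_fingerprint(actual)

# Constructed stand-in for the certificate bytes returned by the CA.
RECEIVED_CERT = b"constructed placeholder certificate bytes for the example"

if __name__ == "__main__":
    shown = ca_authenticate(RECEIVED_CERT)           # no fingerprint given: compare by hand
    print("Fingerprint:", shown)
    print(ca_authenticate(RECEIVED_CERT, shown))     # matching fingerprint: accepted
```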
Example
In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.
ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.
ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of available commands.
ca configure
The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.
Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.
Example
The following example indicates that myca is the name of the CA and that the CA will be contacted rather than the RA. It also indicates that the PIX Firewall will wait 5 minutes before sending another certificate request if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peers' certificates.
ca configure myca ca 5 15 crloptional
ca crl request
The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time.
A PIX Firewall automatically requests a CRL from the CA at various times, depending on whether the CA is in the RA mode or not. If the CA is not in the RA mode, a CRL is requested whenever the system reboots and finds that it does not already contain a valid (un-expired) CRL. If the CA is in the RA mode, no CRL can be obtained until a peer's certificate is sent via an ISAKMP exchange. This is because the certificate itself contains the location where the PIX Firewall must query to get the appropriate CRL. When a CRL expires, the PIX Firewall automatically requests an updated one. Until a new valid CRL is obtained, the PIX Firewall will not acc

