Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco PIX Device Manager

Cisco PIX Device Manager Release Notes, Version 2.0(2)

Downloads

Table Of Contents

Cisco PIX Device Manager Release Notes Version 2.0(2)

Contents

Introduction

PDM Software Overview

System Requirements

PDM and PIX Firewall Requirements

Browser Requirements

Workstation Requirements

Windows Requirements

SUN Solaris Requirements

Linux Requirements

Determining the Software Version of the PIX Firewall

Upgrading to a New Software Version

New and Changed Information

New Software Features in supported in Version 2.0

Auto-Update Support

Bi-Directional Network Address Translation (NAT)

Command-Level Authorization

Configurable RAS Fixup

DHCP Option 66 and 150 Support

Easy VPN Remote Support

Failover Enhancements

ILS Fixup

LAN-Based Failover

Multicast Support (IGMP v2 and Stub Multicast Routing)

Network Time Protocol (NTP) Support

Object Grouping

PPPoE Support

Startup Configuration Wizard Enhancements

TurboACL

URL Fltering Enhancements

VPN Configuration and Monitoring

Important Notes

PDM Support for PIX Firewall CLI Commands

Fully Supported CLI Commands

CLI Commands Ignored By PDM

Unsupported CLI Commands and Command Combinations

PDM and Netscape Version 4.73

Virus-Checking Software

Caveats

Open Caveats - Version 2.0(2)

Resolved Caveats - Version 2.0(2)

Related Documentation

Software Configuration Tips on the Cisco TAC Home Page

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center


Cisco PIX Device Manager Release Notes Version 2.0(2)

June 2002

Contents

This document includes the following sections:

Introduction

New and Changed Information

Important Notes

Caveats

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Introduction

Cisco PIX Device Manager (PDM) is a web browser based application for configuring and monitoring a Cisco PIX Firewall.

PDM software version 2.0 adds object grouping, VPN configuration and monitoring, as well as a VPN configuration wizard and enhanced startup configuration wizard.

PDM software version 2.0 also includes support for the following new PIX Firewall software version 6.2 features:

Auto-Update Support

Bi-Directional Network Address Translation (NAT)

Command-Level Authorization

Configurable RAS Fixup

DHCP Option 66 and 150 Support

Easy VPN Remote Support

Failover Enhancements

ILS Fixup

LAN-Based Failover

Multicast Support (IGMP v2 and Stub Multicast Routing)

Network Time Protocol (NTP) Support

Object Grouping

PPPoE Support

Startup Configuration Wizard Enhancements

TurboACL

URL Fltering Enhancements

VPN Configuration and Monitoring

PDM Software Overview

PDM is installed as a separate software image on the PIX Firewall. PDM is designed to provide secure administration of a PIX Firewall from most workstations without installing additional software or plug-ins. (PDM is a signed Java applet that downloads from the PIX Firewall to your web browser.)

PDM uses tables, drop-down menus, and task-oriented selection menus to assist you in administering your PIX Firewall. Additionally, PDM maintains compatibility with the PIX Firewall command-line interface (CLI) and includes a tool for using the standard CLI commands within the PDM application. PDM also lets you print or export graphs of traffic through the PIX Firewall and system activity.

To help you use PDM, online Help is provided throughout the application as well as a Help table of contents, index, and glossary.

System Requirements

The following sections list the system requirements for Cisco PIX Device Manager version 2.0(2) software.

PDM and PIX Firewall Requirements

PDM has the following system requirements:

PDM version 2.0 requires PIX Firewall software version 6.2.

PDM version 2.0 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms that are running PIX Firewall software version 6.2. If you are using PIX Firewall software version 6.0 or 6.1, use PDM version 1.1. For instructions on installing PDM version 1.1, please refer to the Cisco PIX Device Manager Installation Guide, Version 1.1, at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/pdm_ig/index.htm

PDM works with any configuration, whether created with the PIX Firewall command-line interface (CLI) or Cisco Secure Policy Manager (Cisco Secure PM). However, subsequent configuration changes using Cisco Secure PM overwrite the PDM configuration. Changes made using the PIX Firewall CLI modify the PDM configuration, but do not replace it.

Caution If you are using Cisco Secure PM, use PDM for monitoring only. All changes that were made using PDM will be overwritten the next time Cisco Secure PM synchronizes with the PIX Firewall.

The optimal configuration file size to use with PDM is less than 100 KB, which is approximately 1500 lines. PIX Firewall configuration files over 100 KB may interfere with the performance of PDM on your workstation. You can determine the size of your configuration file by entering the show flashfs command at a PIX CLI prompt. Then, look for a line in the output which begins with "file 1." The number labeled "length" on the same line is the configuration file size in bytes.

For example: 

pixfirewall(config)# show flashfs

flash file system:  version:2  magic:0x12345679

  file 0: origin:       0 length:1511480

  file 1: origin: 2883584 length:1639

  file 2: origin:       0 length:0

  file 3: origin: 3014656 length:4311804

  file 4: origin: 8257536 length:280

Note The PIX Firewall platforms do not have the same configuration file size limitations as PDM. Most PIX Firewall platforms support up to 1 MB, though the PIX 525 and PIX 535 support even larger configurations (up to 2 MB).

If you are using a PIX Firewall that is already running PIX Firewall software version 6.2, then you have met the requirements to run PDM as discussed in this section and can continue to the "Browser Requirements" section. For example, PIX Firewall units that contain PIX Firewall software version 6.2 ship with a pre-installed DES activation key.

Otherwise, a PIX Firewall unit must meet the following requirements to successfully install and run PDM:

You must have an activation key that enables Data Encryption Standard (DES) or the more secure Triple DES (3DES). PDM requires a DES or 3DES activation key for its Secure Socket Layer (SSL) connection.

If your PIX Firewall is not enabled for DES, you can have a new activation key sent to you by completing the form at the following website:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

Verify that your PIX Firewall meets all PIX Firewall software version 6.2 requirements listed in the Cisco PIX Firewall Release Notes Version 6.2(1). You must have version 6.2 installed on the PIX Firewall unit before using PDM version 2.0. You can download version 6.2 and the PDM software from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

You must have at least 8 MB of Flash memory on the PIX Firewall unit to run PDM.

Browser Requirements

The following are required to access a PIX Firewall unit through PDM:

A JavaScript and Java enabled browser. If these are not enabled in the browser, PDM guides you through how to enable them. PDM uses the native Java Virtual Machine (JVM) in your browser. It does not use the Java browser plug-in. (However, if you have the Java plug-in, it can remain installed with your browser, but it cannot be your default JVM.)

If you are using Microsoft Internet Explorer, be sure to use JDK version 1.1.4. To check which version you have, launch PDM. In the main PDM menu, click Help>About Cisco PIX Device Manager. When the About PDM information window appears, it displays your browser specifications in a table, including your JDK version. If you have an older JDK version, you can get the latest JVM from Microsoft by downloading the product called Virtual Machine from the following website:

http://www.microsoft.com/downloads/search.asp?

Workstation Requirements

PDM requirements depend on the platform from which you run it.

PDM is not supported on Macintosh, Windows 3.1, or Windows 95 operating systems.

This section includes the following topics:

Windows Requirements

SUN Solaris Requirements

Linux Requirements

Windows Requirements

PDM is not supported on Windows 3.1 or Windows 95.

The following are required to run PDM with Windows:

Windows 2000, Windows NT 4.0, Windows 98, Windows ME, or Windows XP operating system.

Supported browsers: Internet Explorer 5.0, 5.5, 6.0 or higher and Netscape Communicator 4.5x or 4.7x. PDM does not support Netscape 6.x. We recommend Internet Explorer as PDM runs faster with this browser.

Any Pentium or Pentium-compatible processor running at 350 MHz or higher.

At least 128 MB of random-access memory (RAM). We recommend 192 MB or more.

An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least High Color (16-bit) colors.

Note The use of virus checking software may dramatically increase the time required for PDM to start. This is especially true for Netscape Communicator on any Windows platform and Windows 2000 with any browser.

SUN Solaris Requirements

The following are required to run PDM with Sun SPARC:

Sun Solaris 2.6 or higher running CDE or OpenWindows window manager.

SPARC microprocessor.

Supported browsers: Netscape Communicator 4.5x or 4.7x. PDM does not support Netscape 6.x.

At least 128 MB of random-access memory (RAM).

An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least High Color (16-bit) colors.

Note PDM does not support Solaris on IBM PCs.

Linux Requirements

The following are required to run PDM with Linux:

Red Hat Linux 7.0, 7.1, or 7.2 running the GNOME or KDE 2.0 desktop environment.

Supported browser: Netscape Communicator 4.7x. PDM does not support Netscape 6.x.

At least 64 MB of random-access memory (RAM).

An 800 x 600 pixel display with at least 256 colors. We recommend a 1024 x 768 pixel display and at least 16-bit colors.

Determining the Software Version of the PIX Firewall

Use the show version command to verify the software version of your PIX Firewall unit.

Upgrading to a New Software Version

If you have a Cisco Connection Online (CCO) login, you can obtain software from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

New and Changed Information

New Software Features in supported in Version 2.0

Auto-Update Support

PDM version 2.0 supports Auto Update, a next-generation feature set for Cisco and third-party applications, that provides secure remote network management.

Bi-Directional Network Address Translation (NAT)

PDM version 2.0 supports Network Address Translation (NAT) of external source IP addresses for packets traveling from the outside interface to the inside interface (also called outside NAT). All functionality available with traditional NAT such as fixups, Stateful Failover, dynamic NAT, static NAT, and PAT are available bidirectionally in this version.

Command-Level Authorization

PDM version 2.0 supports command-level authorization, which is user-defined command privilege levels (from 0 to 15) for all PIX Firewall CLI commands, and Local User Database authorization. With Local User Database authorization, you can create user accounts tied to these privilege levels. Additionally, command set functionality is available through an access control server (ACS), which allows definition of authorized CLI command sets on a per-user basis without the dependency of defining command sets across all users.

Privilege-level command tracing is provided through the PIX Firewall syslog, and privilege configuration updates are displayed in the show version command output. User authentication may occur either locally or through a TACACS+ server.

When a PIX Firewall sends a command authorization request to a CiscoSecure ACS for Windows version 3.0.1, it is possible that the CSTACACS service may crash. (See CSCdw78255.) To rectify this, use the CSCdw78255.zip patch, which contains an updated CSTacacs.exe to use with CiscoSecure ACS for Windows 3.0.1 (build 40) instead of the existing CSTacacs.exe.

Command-level authorization sets work correctly with Cisco Secure ACS for Windows version 3.0.2 or higher, and command-level authorization of users and groups works correctly with version 3.0.1 and previous versions of CiscoSecure ACS for Windows.

Configurable RAS Fixup

PDM version 2.0 includes an option to turn off the H.323 RAS (Registration, Admission, and Status) fixup and displays this option, when set, in the configuration. This enables customers to turn off the RAS fixup if they do not have any RAS traffic, they do not want their RAS messages to be inspected, or if they have other applications that utilize the UDP ports 1718 and 1719.

DHCP Option 66 and 150 Support

PDM version 2.0 supports DHCP Server enhancements on the inside interface of the PIX Firewall to provide TFTP address information to the served DHCP clients. The implementation responds with one TFTP server for DHCP option 66 requests and with, at most, two servers for DHCP option 150 requests.

DHCP options 66 and 150 simplify remote deployments of Cisco IP Phones and Cisco SoftPhone by providing the Cisco CallManager contact information needed to download the rest of the IP phone configuration.

Easy VPN Remote Support

PDM version 2.0 supports Cisco Easy VPN Remote. Cisco Easy VPN Remote is designed to function seamlessly with existing VPN headends configured to support Unity Clients and to minimize the administrative overhead for the client by centralizing VPN configuration at the Cisco Easy VPN Server. For example, as Easy VPN Remote products, the PIX 501 and PIX 506/506E can accept dynamic push policy from an Easy VPN Server. Other examples of Cisco Easy VPN Remote products include the Cisco VPN Client v3.x and the Cisco VPN 3002 Hardware Client.

Note The PIX Firewall already acts as a central site VPN device and supports the termination of remote access VPN clients.

Failover Enhancements

PDM version 2.0 supports improved failover functionality so that the standby unit in a PIX Firewall failover pair can be configured to use a virtual MAC address. This eliminates potential "stale" ARP entry issues for devices connected to the PIX Firewall failover pair, in the unlikely event that both PIX Firewalls in a failover pair fail at the same time and only the standby unit remains operational.

In addition, the performance of Stateful Failover has been enhanced.

ILS Fixup

PDM version 2.0 supports the PIX Firewall Internet Locator Service (ILS) fixup. This protocol fixup provides support for NAT and the Lightweight Directory Access Protocol (LDAP). Also, with the addition of this fixup, the PIX Firewall supports H.323 session establishment by Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active Directory products leverage ILS, which is a directory service, to provide registration and location of endpoints. ILS supports the LDAP protocol and is LDAPv2 compliant.

LAN-Based Failover

PDM version 2.0 supports LAN-based failover for the PIX Firewall. This failover functionality operates through a dedicated LAN interface, without the serial failover cable. This overcomes the distance limitation of the current serial cable. Failover configuration synchronization can now occur through the serial cable or a LAN interface. However, the PIX Firewall failover pair must be on the same subnet, and the PIX Firewall failover model remains a hot-standby model, with one unit active and the other standby.

For LAN-based failover, use a dedicated switch or hub (or VLAN) to connect the PIX Firewall failover pair so that the secondary unit can detect the failure of the dedicated LAN failover interface of the primary unit and become active. Crossover Ethernet cables cannot be used to connect the LAN-based failover interface. Additionally, we recommend that you dedicate a LAN interface for LAN-based failover, but the interface can be shared with Stateful Failover under lightly loaded configurations.

Multicast Support (IGMP v2 and Stub Multicast Routing)

PDM version 2.0 enables you to statically configure multicast routes or use an IGMP helper address for forwarding IGMP reports and leave announcements.

The following summarizes multicast support in this version:

Access-list filters can be applied to multicast traffic to permit or deny specific protocols and ports.

NAT and PAT can be performed on the multicast packet source addresses only.

Multicast data packets with destination addresses in the 224.0.0.0/24 address range are not forwarded. However, everything else in the 224.0.0.0/8 address range is forwarded.

IGMP packets for address groups within the 224.0.0.0-224.0.0.255 range are not forwarded because these addresses are reserved for protocol use.

NAT is not performed on IGMP packets. When IGMP forwarding is configured, the PIX Firewall forwards the IGMP packets (report and leave) with the IP address of the helper interface as the source IP address.

Network Time Protocol (NTP) Support

The Network Time Protocol (NTP) synchronizes the times of devices operating over an IP data network.

PDM version 2.0 supports NTP, enabling the PIX Firewall to act as an NTP client and synchronize its time to a network time server. This enables the PIX Firewall to maintain precise network time for logging and certificate revocation list (CRL) validation. NTP server mode is not supported because the firewall would have to allow incoming requests to open ports, which is a security risk.

PDM version 2.0 supports version 3 of NTP as this is currently the most common version in use and is the highest version supported by Cisco IOS software. The NTP authentication mechanism uses MD5 and is compatible with Cisco IOS software.

Object Grouping

PDM version 2.0 supports network object groups and service object groups. PDM has limited support for the following object group types: protocol, ICMP, and nested network objects; these groups are displayed but cannot be modified or deleted in PDM.

PPPoE Support

PDM version 2.0 supports Point-to-Point Protocol over Ethernet (PPPoE). (PPPoE provides a standard method for using PPP authentication over an Ethernet network and is used by many Internet service providers (ISPs) to grant client machine access to their networks, commonly through DSL.)

Startup Configuration Wizard Enhancements

PDM version 2.0 enhances the PDM startup configuration wizard selections and options.

TurboACL

PDM version 2.0 supports TurboACL. TurboACL enhances the performance of PIX Firewall access list processing by providing an access list match in a deterministic amount of time for small and large access control lists (ACLs). (TurboACL compiles ACLs into a set of lookup tables, while maintaining first-match requirements. Packet headers enable you to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries.)

URL Fltering Enhancements

PDM version 2.0 supports N2H2 URL filtering services for URLs up to 1159 bytes.

For Websense, long URL filtering is supported for URLs up to 4096 bytes in length.

Additionally, this version provides a configuration option to buffer the response from a web server if its response is faster than the response from either an N2H2 or Websense filtering service server. This prevents the web server's response from being loaded twice.

VPN Configuration and Monitoring

PDM version 2.0 supports VPN configuration and monitoring, and includes a VPN configuration wizard to simplify your first-time configuration and VPN configuration tasks.

For technical documentation on new features in previous PDM software versions, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Important Notes

This section describes important notes for PDM software version 2.0(2).

PDM Support for PIX Firewall CLI Commands

PIX Firewall commands that you enter at the command line, but do not appear in the configuration, are not supported in PDM. These are the arp, capture, configure, copy, debug, disable, enable, flashfs, help, pager, perfmon, reload, session, shun, setup, and terminal commands.

The clear uauth, kill, ping, show, who, and write commands that also do not appear in the configuration are incorporated directly into the PDM interface.

Fully Supported CLI Commands

PDM parses these commands when uploading or creating a PIX Firewall configuration and grants you full access to all PDM user-interface tabs.

Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.

Table 1 lists the CLI commands that PDM fully supports. PDM parses these commands in a PIX Firewall configuration and allows PDM to operate successfully.

Table 1 CLI Commands That PDM Parses and Fully Supports in Configuration 

Command

aaa commands

aaa-server

access-list and access-group

apply

auth-prompt

ca

capture

clock

conduit

crypto map

crypto dynamic-map

crypto ipsec

dhcp

domain-name

enable password

failover

filter

fixup protocol

global

hostname

http

icmp

igmp (multicast subcommand)

interface

ip address

ip audit

ip verify reverse-path

isakmp identity

logging

multicast

mroute

name

nameif

nat

nat [(if_name)] 0 access-list acl_name

ntp

object-group network

object-group service

outbound

passwd

pdm

privilege

rip

route

service resetinbound

service resetoutside

snmp-server

ssh

static

sysopt

telnet

tftp-server

timeout

url-block

url-cache

url-server

username

vpdn

vpnclient

vpngroup


Table 2 lists supported PDM commands that cannot be changed. PDM parses these commands in the PIX Firewall configuration and handles them transparently.

Table 2 Supported CLI Commands That Cannot be Changed with PDM 

Command

arp

floodguard

mtu

object-group icmp-type

object-group network (with nested, mixed object types)

object-group protocol

sysopt ipsec pl-compatible

sysopt nodnsalias inbound

sysopt nodnsalias outbound

sysopt route dnat

sysopt security fraggaurd

sysopt uauth allow-http-cache

virtual


CLI Commands Ignored By PDM

These CLI commands are displayed in the list of unparseable commands in PDM. However, PDM does not change or remove these commands from your configuration, and the presence of these commands does not limit your access to the user-interface tabs in PDM.

The following commands are otherwise ignored by PDM except that they are displayed in the list of unparseable commands:

Access lists not applied to any interface and not applied to the aaa command statement—A group of access-list command statements without an accompanying access-group command statement or aaa match acl command statement.

For example: 

access-list eng permit ip any server1 255.255.255.255

access-list eng permit ip any server2 255.255.255.255

access-list eng permit ip any server3 255.255.255.255

access-list eng deny ip any any

A list of outbound command statements without an associated apply command statement.

Any isakmp client configuration commands.

Unsupported CLI Commands and Command Combinations

If these CLI commands or command combinations are present in your configuration, you can only use the Monitoring tab.

Table 3 lists commands that PDM does not support in a configuration. If the commands are present in your configuration, you can only use the Monitoring tab.

Table 3 CLI Commands That Limit You to the PDM Monitoring Tab

Command

alias

establish

outbound id except


In addition, the following command combinations also limit your access to the Monitoring tab only:

aaa command with the match option appearing in the configuration with other aaa commands that contain the include or exclude options. For example, the following commands would not be parsed by PDM. 

access-list 101 permit tcp any any 

aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal

aaa accounting match 101 inside portal

You can fix this by changing aaa commands exclusively to either the match acl style or to the include/exclude style.

Combining the access-list and access-group command statements with conduit and/or outbound command statements. For example, the following commands appearing anywhere in the configuration (not necessarily together) would not be parsed by PDM. 

access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0

access-group 101 in interface outside

conduit permit icmp any any

Using an access control list (ACL) for multiple interfaces. For example, the access-list eng permit ip any server1 255.255.255.255 limits access. 

access-group eng in interface perim

access-group eng in interface outside

Using an ACL name for multiple purposes such as in access-group and aaa command statements. For example, the following commands would not be parsed by PDM. 

access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224

access-group acl_out in interface outside

aaa authentication match acl_out outside AuthIn

In this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating an access-list command statement without an accompanying access-group command statement and then applying that to the aaa command statement.

For example: 

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224

aaa authentication match acl_out2 outside AuthIn

Using an ACL for multiple purposes (such as authentication, authorization, or accounting). For example, the following command statements cannot be parsed by PDM. 

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224

aaa authentication match acl_out2 outside AuthIn

aaa authorization match acl_out2 outside AuthIn

In this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating another access-list command statement identical to the first statement and applying that in the aaa authorization command.

For example: 

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224

access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224

aaa authentication match acl_out2 outside AuthIn

aaa authorization match acl_out3 outside AuthIn

Applying an outbound command statement group to multiple interfaces. For example, the following command statements would not be parsed by PDM. 

outbound 13 deny 0.0.0.0 0.0.0.0 0 0                                                                                                  

outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp

outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp

outbound 13 permit 0.0.0.0 0.0.0.0 53 udp

apply (inside) 13 outgoing_src

apply (perim) 13 outgoing_src

Any outbound command statement that contains the except option. (You can replace the the except option with a permit or deny statement, both of which are options fully supported by PDM.)

PDM and Netscape Version 4.73

While this rarely occurs, when you have a corrupted certificate database and run PDM with Netscape version 4.73, the Netscape browser may crash after you click Grant. (The certificate database is a file called cert7.db, located in the your Netscape directory.)

There are reports that Netscape version 4.73 can corrupt the certificate database if you do the following before you click Grant:

1. Run an applet that uses a digital certificate.

2. Renew the certificate.

3. Run the new applet with the updated certificate.

This can happen on Windows, Sun Solaris, or Linux and is a problem in the Netscape Java Virtual Machine (JVM).

To work around this, remove the corrupted cert7.db file from your Netscape directory. A new cert7.db file is created when you run Netscape again. However, this removes all of the certificates that you have previously accepted as trusted. (This includes certificates that you accepted from other sites as well as certificates that you entered manually.)

Virus-Checking Software

The use of virus checking software may dramatically increase the time required for PDM to start. This is especially true for Netscape Communicator on any Windows platform or Windows 2000 running any browser.

Caveats

The following sections describe the caveats for PDM software version 2.0(2).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note Please use Bug Navigator II on CCO to view additional caveat information. Bug Navigator II may be accessed at the following website:

http://www.cisco.com/support/bugtools

Open Caveats - Version 2.0(2)

The caveats in Table 4 are yet to be resolved in this version.

Table 4 Open Caveats 

ID Number
Software Version
2.0(2)
Corrected
Caveat Title

CSCdt21999

No

Graphing tables not loaded realtime w/ IE & PDM history disabled

CSCdw76068

No

PDM hangs on refresh if a switchover occurs

CSCdx49079

No

static port redirect with dns tag is not parsed by PDM

CSCdx65052

No

Assign single address to VPN pool causes screen error

CSCdx68222

No

using ip local pool of just one address in vpngroup -> pdm hang

CSCdx71469

No

PDM 2.0 changes meaning of Proxy Arp check boxes

CSCdx80878

No

java exception with IGMP access group with non-outside interface

CSCdx81103

No

PDM ACL can not have multiple users


Resolved Caveats - Version 2.0(2)

The caveats in Table 5 are resolved in this version.

Table 5 Resolved Caveats 

ID Number
Software Version
2.0(2)
Corrected
Caveat Title

CSCdx79154

Yes

PDM uses wrong address/group in ACL, marks correct rule as NULL


Related Documentation

Use this document in conjunction with the PIX Firewall and Cisco VPN Client version 3.x documentation at the following websites:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

Cisco provides PIX Firewall technical tips at the following website:

http://www.cisco.com/warp/public/707/index.shtml#pix

Software Configuration Tips on the Cisco TAC Home Page

The Cisco Technical Assistance Center has many helpful pages. If you have a CCO account you can visit the following websites for assistance:

TAC Customer top issues for PIX Firewall:

http://www.cisco.com/warp/public/110/top_issues/pix/pix_index.shtml

TAC Sample Configs for PIX Firewall:

http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:

http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX

Obtaining Documentation

The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following URL:

http://www.cisco.com

Translated documentation is available at the following URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/public/ordsum.html

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click the Fax or Email option under the "Leave Feedback" at the bottom of the Cisco Documentation home page.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Inquiries to Cisco TAC are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:

http://www.cisco.com/register/

If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.