 Feedback
|
Table Of Contents
Cisco PIX Firewall Release Notes Version 6.2(2)
Maximum Recommended Configuration File Size
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Server Interoperability
Determining the Software Version
Upgrading to a New Software Release
New Features in Release 6.2(2)
New Software Features in Release 6.2
Bi-Directional Network Address Translation (NAT)
Command-Line Interface (CLI) Activation Key Management
CPU Utilization Monitoring Through SNMP
DHCP Option 66 and 150 Support
Downloadable Access Control Lists (ACLs)
Factory Default Configurations for the PIX 501 and PIX 506/506E
Multicast Support (IGMP v2 and Stub Multicast Routing)
Network Time Protocol (NTP) Support
PIX 501 User Licensing and VPN Support Enhancements
PIX Firewall Image Flash Compression
Port Address Translation (PAT) for H.323 and SIP fixups
Software Performance Enhancements
Denying ICMP Traffic to the Outside Interface
Downloading PIX Firewall Image
Resolved Caveats - Release 6.2(2)
Resolved Caveats - Release 6.2
Software Configuration Tips on the Cisco TAC Home Page
Obtaining Technical Assistance
Cisco PIX Firewall Release Notes Version 6.2(2)
September 2002
Contents
This document includes the following sections:
•
Obtaining Technical Assistance
Introduction
The PIX Firewall delivers unprecedented levels of security, performance, and reliability, including robust, enterprise-class security services such as the following:
•
•
•
•
•
•
PIX Firewall software Version 6.2 provides the secure networking features included in previous releases and adds support for the following features:
•
•
•
•
•
•
•
•
•
•
•
Additionally, PIX Firewall software Version 6.2 supports Cisco PIX Device Manager (PDM) Version 2.0 and adds enhancements to features introduced in earlier releases.
System Requirements
The sections that follow list the system requirements for operating a PIX Firewall with Version 6.2(2) software.
Memory Requirements
The PIX 501 has 16 MB of RAM and will operate correctly with Version 6.2, while all other
PIX Firewall platforms continue to require at least 32 MB of RAM (and therefore are also compatible with Version 6.2 and higher).In addition, all units except the PIX 501 and PIX 506/506E require 16 MB of Flash memory to boot. (The PIX 501 and PIX 506/506E have 8 MB of Flash memory, which works correctly with Version 6.2.)
Table 1 lists Flash memory requirements for this release.
Use the PIX-1GE-66 card in systems with a 64-bit/66 MHz PCI bus; for example, in a PIX 535. (If you use the PIX-1GE-66 cards in a PIX Firewall, the system RAM should be at least 128 MB.) For a PIX Firewall with only a 32-bit/33 MHz bus, such as the PIX 520 and PIX 525, use the PIX-1GE card.
Software Requirements
The following is required for Version 6.2(2):
1.
2.
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
3.
4.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum configuration file size limit is increased to 2 MB for PIX Firewall software Versions 5.3(2) and higher. For other PIX Firewall platforms and earlier software versions, the maximum configuration file size limit remains the same. (In these cases, the maximum configuration size is most likely 1 MB.)
While configuration files up to 2 MB are now supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•
•
•
Cisco Secure Policy Manager (Cisco Secure PM) may also experience limitations if a PIX Firewall configuration file near 2 MB is used, and the optimal configuration file size for use with Cisco PIX Device Manager is less than 100 KB (which is approximately 1500 lines). Please take these considerations into account when planning and implementing your configuration.
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Server Interoperability
Determining the Software Version
Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Release
If you have a Cisco Connection Online (CCO) login, you can obtain software from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
New and Changed Information
New Features in Release 6.2(2)
This release resolves a number of caveats. The PIX-4FE-66 card is also supported, except for PIX Classic, 10000 and 510 platforms.
New Software Features in Release 6.2
Auto Update Support
PIX Firewall software Version 6.2 supports Auto Update, a next-generation feature set for Cisco and third-party applications, that provides secure remote network management.
Bi-Directional Network Address Translation (NAT)
PIX Firewall software Version 6.2 allows Network Address Translation (NAT) of external source IP addresses for packets traveling from the outside interface to an the inside interface. All functionality available with traditional NAT such as fixups, Stateful Failover, dynamic NAT, static NAT, and PAT are available bidirectionally in this release.
Command-Level Authorization
PIX Firewall software Version 6.2 supports Command-Level authorization, which is user-defined command privilege levels (from 0 to 15) for all PIX Firewall CLI commands, and Local User Database authorization. With Local User Database authorization, you can create user accounts tied to these privilege levels. Additionally, command set functionality is available through an access control server (ACS), which allows definition of authorized CLI command sets on a per-user basis without the dependency of defining command sets across all users.
Privilege-level command tracing is provided through the PIX Firewall syslog, and privilege configuration updates are displayed in the show version command output. User authentication may occur either locally or through a TACACS+ server.
When a PIX Firewall sends a command authorization request to a CiscoSecure ACS for Windows Version 3.0.1, it is possible that the CSTACACS service may crash. (See CSCdw78255.) To rectify this, use the CSCdw78255.zip patch, which contains an updated CSTacacs.exe to use with CiscoSecure ACS for Windows 3.0.1 (build 40) instead of the existing CSTacacs.exe.
Command-level authorization sets work correctly with Cisco Secure ACS for Windows Version 3.0.2 or higher, and command-level authorization of users and groups works correctly with Version 3.0.1 and previous versions of CiscoSecure ACS for Windows.
Command-Line Interface (CLI) Activation Key Management
PIX Firewall software Version 6.2 lets you enter a new activation key through the PIX Firewall command-line interface (CLI), without using the system monitor mode and having to TFTP a new image. Additionally, the PIX Firewall CLI displays the currently running activation key when you enter the show version command.
Configurable RAS Fixup
PIX Firewall software Version 6.2 includes an option to turn off the H.323 RAS (Registration, Admission, and Status) fixup and displays this option, when set, in the configuration. This enables customers to turn off the RAS fixup if they do not have any RAS traffic, they do not want their RAS messages to be inspected, or if they have other applications that utilize the UDP ports 1718 and 1719.
CPU Utilization Monitoring Through SNMP
PIX Firewall software Version 6.2 supports monitoring of the PIX Firewall CPU usage through SNMP. CPU usage information is still available directly on the PIX Firewall through the show cpu usage command, but SNMP provides integration with other network management software. Specifically, this release supports the cpmCPUTotalTable of the Cisco Process MIB (CISCO-PROCESS-MIB.my).
DHCP Option 66 and 150 Support
PIX Firewall software Version 6.2 enhances the DHCP Server on the inside interface of the PIX Firewall to provide TFTP address information to the served DHCP clients. The implementation responds with one TFTP server for DHCP option 66 requests and with, at most, two servers for DHCP option 150 requests.
DHCP options 66 and 150 simplify remote deployments of Cisco IP Phones and Cisco SoftPhone by providing the Cisco CallManager contact information needed to download the rest of the IP phone configuration.
Downloadable Access Control Lists (ACLs)
PIX Firewall software Version 6.2 supports the download of access control lists (ACLs) to the PIX Firewall from an access control server (ACS). This enables the configuration of per-user access lists on an AAA server, to provide per-user access list authorization, that are then downloadable through the ACS to the PIX Firewall.
This feature is supported for RADIUS servers only and is not supported for TACACS+ servers.
Easy VPN Remote Support
PIX Firewall software Version 6.2 supports Cisco Easy VPN Remote. (Cisco Easy VPN Server has been supported starting with PIX Firewall software Version 6.0.) Cisco Easy VPN Remote is designed to function seamlessly with existing VPN headends configured to support Unity Clients and to minimize the administrative overhead for the client by centralizing VPN configuration at the Cisco Easy VPN Server. For example, as Easy VPN Remote products, the PIX 501 and PIX 506/506E can accept dynamic push policy from an Easy VPN Server. Other examples of Cisco Easy VPN Remote products include the Cisco VPN Client v3.x and the Cisco VPN 3002 Hardware Client.
Note
Factory Default Configurations for the PIX 501 and PIX 506/506E
The PIX 501 (since its introduction) and the PIX 506/506E ship with factory-default configurations as of PIX Firewall software Version 6.2. (The PIX 501 and PIX 506/506E can be reset to their factory default configuration with the configure factory-default command.) For more information on the PIX 501 and PIX 506/506E default configurations, please refer to the Cisco PIX 501 Firewall Quick Start Guide and the Cisco PIX 506/506E Firewall Quick Start Guide.
Failover Enhancements
PIX Firewall software Version 6.2 enhances failover functionality so that the standby unit in a PIX Firewall failover pair can be configured to use a virtual MAC address. This eliminates potential "stale" ARP entry issues for devices connected to the PIX Firewall failover pair, in the unlikely event that both PIX Firewalls in a failover pair fail at the same time and only the standby unit remains operational.
In addition, the performance of Stateful Failover has been enhanced.
ILS Fixup
PIX Firewall software Version 6.2 provides an Internet Locator Service (ILS) fixup to support NAT for ILS and Lightweight Directory Access Protocol (LDAP). Also, with the addition of this fixup, the PIX Firewall supports H.323 session establishment by Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active Directory products leverage ILS, which is a directory service, to provide registration and location of endpoints. ILS supports the LDAP protocol and is LDAPv2 compliant.
LAN-Based Failover
LAN-based Failover extends PIX Firewall failover functionality to operate through a dedicated LAN interface, without the serial failover cable. This overcomes the distance limitation of the current serial cable. Failover configuration synchronization can now occur through the serial cable or a LAN interface. However, the PIX Firewall failover pair must be on the same subnet, and the PIX Failover model remains a hot-standby model, with one unit active and the other standby.
For LAN-based Failover, use a dedicated switch or hub (or VLAN) to connect the PIX Firewall failover pair so that the secondary unit can detect the failure of the dedicated LAN failover interface of the primary unit and become active. Crossover Ethernet cables cannot be used to connect the LAN-based Failover interface. Additionally, we recommend that you dedicate a LAN interface for LAN-based Failover, but the interface can be shared with Stateful Failover under lightly loaded configurations.
Multicast Support (IGMP v2 and Stub Multicast Routing)
PIX Firewall software Version 6.2 enables you to statically configure multicast routes or use an IGMP helper address for forwarding IGMP reports and leave announcements.
The following summarizes multicast support in this release:
•
•
•
•
•
Network Time Protocol (NTP) Support
The Network Time Protocol (NTP) synchronizes the times of devices operating over an IP data network.
PIX Firewall software Version 6.2 supports NTP, enabling the PIX Firewall to act as an NTP client and synchronize its time to a network time server. This enables the PIX Firewall to maintain precise network time for logging and certificate revocation list (CRL) validation. NTP server mode is not supported because the firewall would have to allow incoming requests to open ports, which is a security risk.
PIX Firewall software Version 6.2 supports Version 3 of NTP as this is currently the most common version in use and is the highest version supported by Cisco IOS software. The NTP authentication mechanism uses MD5 and is compatible with Cisco IOS software.
Object Grouping
To simplify your configuration, object grouping is supported in PIX Firewall software Version 6.2. object grouping enables you to define groups of objects such as hosts, IP addresses, or network services. You can use these groups, for example, when you create and apply access rules. When you include a PIX Firewall object group in a PIX Firewall command, it is the equivalent of applying every element of the object group to the PIX Firewall command.
Packet Capture
PIX Firewall software Version 6.2 supports packet capture. The PIX Firewall packet capture provides the ability to sniff or "see" any traffic accepted or blocked by the PIX Firewall. Once the packet information is captured, you have the option of viewing it on the console, transferring it to a file over the network using a TFTP server, or accessing it through a web browser using Secure HTTP. However, the PIX Firewall does not capture traffic unrelated to itself on the same network segment, and this packet capture feature does not include file system, DNS name resolution, or promiscuous mode support.
PIX 501 User Licensing and VPN Support Enhancements
The PIX 501 can act as a VPN headend, supporting up to five remote VPN users. These remote VPN users count against the total number of VPN peers supported by the PIX 501, which is five.
The PIX 501 supports up to 10 active users on the inside network (an optional 50-user license is also available). A user is considered active when any one or more of the following is true:
•
•
•
•
PIX Firewall Image Flash Compression
By default, PIX Firewall software Version 6.2 compresses the PIX Firewall image stored in Flash memory to optimize memory usage.
Port Address Translation (PAT) for H.323 and SIP fixups
PIX Firewall software Version 6.2 enhances support for the existing H.323 and SIP fixups by adding support for Port Address Translation (PAT). Adding support for PAT with H.323 and SIP enables our customers to expand their network address space using a single global address.
PPPoE Support
PIX Firewall software Version 6.2 supports Point-to-Point Protocol over Ethernet (PPPoE). (PPPoE provides a standard method for using PPP authentication over an Ethernet network and is used by many Internet service providers (ISPs) to grant client machine access to their networks, commonly through DSL.) PPPoE is only supported on the outside interfaces of the PIX 501 and PIX 506/506E.
Software Performance Enhancements
PIX Firewall software Version 6.2 has a number of internal software performance enhancements.
TurboACL
PIX Firewall software Version 6.2 supports TurboACL. TurboACL enhances the performance of PIX Firewall access list processing by providing an access list match in a deterministic amount of time for small and large access control lists (ACLs). (TurboACL compiles ACLs into a set of lookup tables, while maintaining first-match requirements. Packet headers enable you to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries.)
URL Fltering Enhancements
PIX Firewall software Version 6.2 supports N2H2 URL filtering services for URLs up to 1159 bytes.
For Websense, long URL filtering is supported for URLs up to 4096 bytes in length.
Additionally, this release provides a configuration option to buffer the response from a web server if its response is faster than the response from either an N2H2 or Websense filtering service server. This prevents the web server's response from being loaded twice.
For technical documentation on new features in previous PIX Firewall software versions, refer to the following website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
Important Notes
This section describes important notes for the 6.2(2) release.
Denying ICMP Traffic to the Outside Interface
By default the PIX Firewall denies all inbound traffic through the outside interface. Based on your network security policy, you should consider configuring the PIX Firewall to deny all ICMP traffic to the outside interface, or any other interface you deem necessary, by entering the icmp command. The icmp command controls ICMP traffic that terminates on the PIX Firewall. If no ICMP control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at any interface (including the outside interface).
For example, to deny all ICMP traffic, including ping requests, to the outside interface enter:
icmp deny any outsideContinue entering the icmp deny any interface command for each additional interface on which you want to deny ICMP traffic.
For more information about the icmp command, refer to the Cisco PIX Firewall Command Reference at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid5
Preventing Fragmented Packets
By default the PIX Firewall accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the PIX Firewall to prevent fragmented packets from traversing the firewall by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.
For example, to prevent fragmented packets on the outside and inside interfaces enter:
fragment chain 1 outsidefragment chain 1 insideContinue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.
For more information about the fragment command, refer to the Cisco PIX Firewall Command Reference at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#xtocid15
The PIX Firewall also includes FragGuard for additional IP fragmentation protection. For more information, refer to the Cisco PIX Firewall and VPN Configuration Guide at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/overvw.htm#1046527
Downloading PIX Firewall Image
Only Fast Ethernet cards can be used in monitor mode; Gigabit Ethernet cards cannot be used in monitor mode. Additionally, Fast Ethernet cards in 64-bit slots on the PIX 535 are not visible in monitor mode. This means that the TFTP server cannot reside on one of these interfaces. The user should use the copy tftp flash command to download the PIX Firewall image file via TFTP.
PIX 535 Interfaces
These practices must be followed to achieve the best possible system performance on the PIX 535:
•
•
The PIX-1GE Gigabit Ethernet adaptor is supported in the PIX 535; however, its use is strongly discouraged because maximum system performance with the PIX-1GE card is much lower than that with the PIX-1GE-66 card. The software displays a warning at boot time if a PIX-1GE is detected.
Table 2 summarizes the performance considerations of the different interface card combinations.
Caution
Caution
Restrictions
Starting with PIX Firewall software Version 6.0(1), FDDI, PL2, and Token Ring interfaces are not supported.
Starting with PIX Firewall software Version 6.0(1), PFM is no longer supported; PFM has been replaced by the Cisco PIX Device Manager (PDM).
Starting with PIX Firewall software Version 6.0(1), and in all subsequent higher versions, the PIX Firewall Classic, PIX10000, and PIX 510 platforms are not supported.
Caveats
The following sections describe the caveats for the 6.2(2) release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•
•
•
Note
http://www.cisco.com/support/bugtools
Open Caveats - Release 6.2(2)
The caveats in Table 3 are yet to be resolved in this release.
Resolved Caveats - Release 6.2(2)
The caveats in Table 4 are resolved in this release.
Open Caveats - Release 6.2
The caveats in Table 5 are yet to be resolved in this release.
Resolved Caveats - Release 6.2
The caveats in Table 6 are resolved in this release.
Related Documentation
Use this document in conjunction with the PIX Firewall and Cisco VPN Client Version 3.x documentation at the following websites:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm
Cisco provides PIX Firewall technical tips at the following website:
http://www.cisco.com/warp/public/707/index.shtml#pix
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CCO account you can visit the following websites for assistance:
TAC Customer top issues for PIX Firewall:
http://www.cisco.com/warp/public/110/top_issues/pix/pix_index.shtml
TAC Sample Configurations for PIX Firewall:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL:
Translated documentation is available at the following URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
•
http://www.cisco.com/public/ordsum.html
•
http://www.cisco.com/go/subscription
•
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click the Fax or Email option under the "Leave Feedback" at the bottom of the Cisco Documentation home page.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to
•
•
•
•
•
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
•
•
•
•
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
