 Feedback
|
Table Of Contents
Cisco PIX Firewall Release Notes Version 6.2(4)
Maximum Recommended Configuration File Size
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Server Interoperability
Determining the Software Version
Upgrading to a New Software Release
New Features in Release 6.2(4)
New Features in Release 6.2(3)
Incomplete Crypto Map Enhancements
New Software Features in Release 6.2(2)
Bi-Directional Network Address Translation (NAT)
Command-Line Interface (CLI) Activation Key Management
CPU Utilization Monitoring Through SNMP
DHCP Option 66 and 150 Support
Downloadable Access Control Lists (ACLs)
Factory Default Configurations for the PIX 501 and PIX 506/506E
Multicast Support (IGMP v2 and Stub Multicast Routing)
Network Time Protocol (NTP) Support
PIX 501 User Licensing and VPN Support Enhancements
PIX Firewall Image Flash Compression
Port Address Translation (PAT) for H.323 and SIP fixups
Software Performance Enhancements
Denying ICMP Traffic to the Outside Interface
Downloading PIX Firewall Image
Resolved Caveats - Release 6.2(4)
Software Configuration Tips on the Cisco TAC Home Page
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Cisco PIX Firewall Release Notes Version 6.2(4)
July 2004
Contents
This document includes the following sections:
•
Obtaining Technical Assistance
•
Introduction
The PIX Firewall delivers unprecedented levels of security, performance, and reliability, including robust, enterprise-class security services such as the following:
•
•
•
•
•
•
PIX Firewall software Version 6.2(3) provides the secure networking features included in previous releases and adds support for the following features:
•
PIX Firewall software Version 6.2(2) provides the secure networking feature included in previous releases and adds support for the following features:
•
•
•
•
•
•
•
•
•
•
•
Additionally, PIX Firewall software Version 6.2 supports Cisco PIX Device Manager (PDM) Version 2.0 and adds enhancements to features introduced in earlier releases.
System Requirements
The sections that follow list the system requirements for operating a PIX Firewall with Version 6.2 software.
Memory Requirements
The PIX 501 has 16 MB of RAM and will operate correctly with Version 6.2, while all other
PIX Firewall platforms continue to require at least 32 MB of RAM (and therefore are also compatible with Version 6.2 and higher).In addition, all units except the PIX 501 and PIX 506/506E require 16 MB of Flash memory to boot. (The PIX 501 and PIX 506/506E have 8 MB of Flash memory, which works correctly with Version 6.2.)
Table 1 lists Flash memory requirements for this release.
Software Requirements
The following is required for Version 6.2:
1.
2.
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
3.
4.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum configuration file size limit is increased to 2 MB for PIX Firewall software Versions 5.3(2) and higher. For other PIX Firewall platforms and earlier software versions, the maximum configuration file size limit remains the same. (In these cases, the maximum configuration size is most likely 1 MB.)
While configuration files up to 2 MB are now supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•
•
•
Cisco Secure Policy Manager (Cisco Secure PM) may also experience limitations if a PIX Firewall configuration file near 2 MB is used, and the optimal configuration file size for use with Cisco PIX Device Manager is less than 100 KB (which is approximately 1500 lines). Please take these considerations into account when planning and implementing your configuration.
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Server Interoperability
Determining the Software Version
Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Release
If you have a Cisco Connection Online (CCO) login, you can obtain software from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
New and Changed Information
New Features in Release 6.2(4)
No new features were added to this maintenance release. This releases only contains open and resolved caveat issues.
New Features in Release 6.2(3)
Incomplete Crypto Map Enhancements
Every static crypto map must define an access list and an IPsec peer. If either is missing, the crypto map is considered incomplete and a warning message is printed. Traffic that has not been matched to an complete crypto map is skipped, and the next entry is tried. Failover hello packets are now exempt from the incomplete crypto map check; previously they were dropped. Use the show conf command to ensure that every crypto map is complete.
For more information on this feature, refer to "Crypto Maps" in the Cisco PIX Firewall and VPN Configuration Guide. For a complete description of the command syntax for this new command, refer to the Cisco PIX Firewall Command Reference.
New Software Features in Release 6.2(2)
Auto Update Support
PIX Firewall software Version 6.2 supports Auto Update, a next-generation feature set for Cisco and third-party applications, that provides secure remote network management.
Bi-Directional Network Address Translation (NAT)
PIX Firewall software Version 6.2 allows Network Address Translation (NAT) of external source IP addresses for packets traveling from the outside interface to an the inside interface. All functionality available with traditional NAT such as fixups, Stateful Failover, dynamic NAT, static NAT, and PAT are available bidirectionally in this release.
Command-Level Authorization
PIX Firewall software Version 6.2 supports Command-Level authorization, which is user-defined command privilege levels (from 0 to 15) for all PIX Firewall CLI commands, and Local User Database authorization. With Local User Database authorization, you can create user accounts tied to these privilege levels. Additionally, command set functionality is available through an access control server (ACS), which allows definition of authorized CLI command sets on a per-user basis without the dependency of defining command sets across all users.
Privilege-level command tracing is provided through the PIX Firewall syslog, and privilege configuration updates are displayed in the show version command output. User authentication may occur either locally or through a TACACS+ server.
When a PIX Firewall sends a command authorization request to a CiscoSecure ACS for Windows Version 3.0.1, it is possible that the CSTACACS service may crash. (See CSCdw78255.) To rectify this, use the CSCdw78255.zip patch, which contains an updated CSTacacs.exe to use with CiscoSecure ACS for Windows 3.0.1 (build 40) instead of the existing CSTacacs.exe.
Command-level authorization sets work correctly with Cisco Secure ACS for Windows Version 3.0.2 or higher, and command-level authorization of users and groups works correctly with Version 3.0.1 and previous versions of CiscoSecure ACS for Windows.
Command-Line Interface (CLI) Activation Key Management
PIX Firewall software Version 6.2 lets you enter a new activation key through the PIX Firewall command-line interface (CLI), without using the system monitor mode and having to TFTP a new image. Additionally, the PIX Firewall CLI displays the currently running activation key when you enter the show version command.
Configurable RAS Fixup
PIX Firewall software Version 6.2 includes an option to turn off the H.323 RAS (Registration, Admission, and Status) fixup and displays this option, when set, in the configuration. This enables customers to turn off the RAS fixup if they do not have any RAS traffic, they do not want their RAS messages to be inspected, or if they have other applications that utilize the UDP ports 1718 and 1719.
CPU Utilization Monitoring Through SNMP
PIX Firewall software Version 6.2 supports monitoring of the PIX Firewall CPU usage through SNMP. CPU usage information is still available directly on the PIX Firewall through the show cpu usage command, but SNMP provides integration with other network management software. Specifically, this release supports the cpmCPUTotalTable of the Cisco Process MIB (CISCO-PROCESS-MIB.my).
DHCP Option 66 and 150 Support
PIX Firewall software Version 6.2 enhances the DHCP Server on the inside interface of the PIX Firewall to provide TFTP address information to the served DHCP clients. The implementation responds with one TFTP server for DHCP option 66 requests and with, at most, two servers for DHCP option 150 requests.
DHCP options 66 and 150 simplify remote deployments of Cisco IP Phones and Cisco SoftPhone by providing the Cisco CallManager contact information needed to download the rest of the IP phone configuration.
Downloadable Access Control Lists (ACLs)
PIX Firewall software Version 6.2 supports the download of access control lists (ACLs) to the PIX Firewall from an access control server (ACS). This enables the configuration of per-user access lists on an AAA server, to provide per-user access list authorization, that are then downloadable through the ACS to the PIX Firewall.
This feature is supported for RADIUS servers only and is not supported for TACACS+ servers.
Easy VPN Remote Support
PIX Firewall software Version 6.2 supports Cisco Easy VPN Remote. (Cisco Easy VPN Server has been supported starting with PIX Firewall software Version 6.0.) Cisco Easy VPN Remote is designed to function seamlessly with existing VPN headends configured to support Unity Clients and to minimize the administrative overhead for the client by centralizing VPN configuration at the Cisco Easy VPN Server. For example, as Easy VPN Remote products, the PIX 501 and PIX 506/506E can accept dynamic push policy from an Easy VPN Server. Other examples of Cisco Easy VPN Remote products include the Cisco VPN Client v3.x and the Cisco VPN 3002 Hardware Client.
Note
Factory Default Configurations for the PIX 501 and PIX 506/506E
The PIX 501 (since its introduction) and the PIX 506/506E ship with factory-default configurations as of PIX Firewall software Version 6.2. (The PIX 501 and PIX 506/506E can be reset to their factory default configuration with the configure factory-default command.) For more information on the PIX 501 and PIX 506/506E default configurations, please refer to the Cisco PIX 501 Firewall Quick Start Guide and the Cisco PIX 506/506E Firewall Quick Start Guide.
Failover Enhancements
PIX Firewall software Version 6.2 enhances failover functionality so that the standby unit in a PIX Firewall failover pair can be configured to use a virtual MAC address. This eliminates potential "stale" ARP entry issues for devices connected to the PIX Firewall failover pair, in the unlikely event that both PIX Firewalls in a failover pair fail at the same time and only the standby unit remains operational.
In addition, the performance of Stateful Failover has been enhanced.
ILS Fixup
PIX Firewall software Version 6.2 provides an Internet Locator Service (ILS) fixup to support NAT for ILS and Lightweight Directory Access Protocol (LDAP). Also, with the addition of this fixup, the PIX Firewall supports H.323 session establishment by Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active Directory products leverage ILS, which is a directory service, to provide registration and location of endpoints. ILS supports the LDAP protocol and is LDAPv2 compliant.
LAN-Based Failover
LAN-based Failover extends PIX Firewall failover functionality to operate through a dedicated LAN interface, without the serial failover cable. This overcomes the distance limitation of the current serial cable. Failover configuration synchronization can now occur through the serial cable or a LAN interface. However, the PIX Firewall failover pair must be on the same subnet, and the PIX Failover model remains a hot-standby model, with one unit active and the other standby.
For LAN-based Failover, use a dedicated switch or hub (or VLAN) to connect the PIX Firewall failover pair so that the secondary unit can detect the failure of the dedicated LAN failover interface of the primary unit and become active. Crossover Ethernet cables cannot be used to connect the LAN-based Failover interface. Additionally, we recommend that you dedicate a LAN interface for LAN-based Failover, but the interface can be shared with Stateful Failover under lightly loaded configurations.
Multicast Support (IGMP v2 and Stub Multicast Routing)
PIX Firewall software Version 6.2 enables you to statically configure multicast routes or use an IGMP helper address for forwarding IGMP reports and leave announcements.
The following summarizes multicast support in this release:
•
•
•
•
•
Network Time Protocol (NTP) Support
The Network Time Protocol (NTP) synchronizes the times of devices operating over an IP data network.
PIX Firewall software Version 6.2 supports NTP, enabling the PIX Firewall to act as an NTP client and synchronize its time to a network time server. This enables the PIX Firewall to maintain precise network time for logging and certificate revocation list (CRL) validation. NTP server mode is not supported because the firewall would have to allow incoming requests to open ports, which is a security risk.
PIX Firewall software Version 6.2 supports Version 3 of NTP as this is currently the most common version in use and is the highest version supported by Cisco IOS software. The NTP authentication mechanism uses MD5 and is compatible with Cisco IOS software.
Object Grouping
To simplify your configuration, object grouping is supported in PIX Firewall software Version 6.2. object grouping enables you to define groups of objects such as hosts, IP addresses, or network services. You can use these groups, for example, when you create and apply access rules. When you include a PIX Firewall object group in a PIX Firewall command, it is the equivalent of applying every element of the object group to the PIX Firewall command.
Packet Capture
PIX Firewall software Version 6.2 supports packet capture. The PIX Firewall packet capture provides the ability to sniff or "see" any traffic accepted or blocked by the PIX Firewall. Once the packet information is captured, you have the option of viewing it on the console, transferring it to a file over the network using a TFTP server, or accessing it through a web browser using Secure HTTP. However, the PIX Firewall does not capture traffic unrelated to itself on the same network segment, and this packet capture feature does not include file system, DNS name resolution, or promiscuous mode support.
PIX 501 User Licensing and VPN Support Enhancements
The PIX 501 can act as a VPN headend, supporting up to five remote VPN users. These remote VPN users count against the total number of VPN peers supported by the PIX 501, which is five.
The PIX 501 supports up to 10 active users on the inside network (an optional 50-user license is also available). A user is considered active when any one or more of the following is true:
•
•
•
•
PIX Firewall Image Flash Compression
By default, PIX Firewall software Version 6.2 compresses the PIX Firewall image stored in Flash memory to optimize memory usage.
Port Address Translation (PAT) for H.323 and SIP fixups
PIX Firewall software Version 6.2 enhances support for the existing H.323 and SIP fixups by adding support for Port Address Translation (PAT). Adding support for PAT with H.323 and SIP enables our customers to expand their network address space using a single global address.
PPPoE Support
PIX Firewall software Version 6.2 supports Point-to-Point Protocol over Ethernet (PPPoE). (PPPoE provides a standard method for using PPP authentication over an Ethernet network and is used by many Internet service providers (ISPs) to grant client machine access to their networks, commonly through DSL.) PPPoE is only supported on the outside interfaces of the PIX 501 and PIX 506/506E.
Software Performance Enhancements
PIX Firewall software Version 6.2 has a number of internal software performance enhancements.
TurboACL
PIX Firewall software Version 6.2 supports TurboACL. TurboACL enhances the performance of PIX Firewall access list processing by providing an access list match in a deterministic amount of time for small and large access control lists (ACLs). (TurboACL compiles ACLs into a set of lookup tables, while maintaining first-match requirements. Packet headers enable you to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries.)
URL Fltering Enhancements
PIX Firewall software Version 6.2 supports N2H2 URL filtering services for URLs up to 1159 bytes.
For Websense, long URL filtering is supported for URLs up to 4096 bytes in length.
Additionally, this release provides a configuration option to buffer the response from a web server if its response is faster than the response from either an N2H2 or Websense filtering service server. This prevents the web server's response from being loaded twice.
For technical documentation on new features in previous PIX Firewall software versions, refer to the following website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/
Important Notes
This section describes important notes for the 6.2 release.
Denying ICMP Traffic to the Outside Interface
By default the PIX Firewall denies all inbound traffic through the outside interface. Based on your network security policy, you should consider configuring the PIX Firewall to deny all ICMP traffic to the outside interface, or any other interface you deem necessary, by entering the icmp command. The icmp command controls ICMP traffic that terminates on the PIX Firewall. If no ICMP control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at any interface (including the outside interface).
For example, to deny all ICMP traffic, including ping requests, to the outside interface enter:
icmp deny any outsideContinue entering the icmp deny any interface command for each additional interface on which you want to deny ICMP traffic.
For more information about the icmp command, refer to the Cisco PIX Firewall Command Reference at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid5
Preventing Fragmented Packets
By default the PIX Firewall accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the PIX Firewall to prevent fragmented packets from traversing the firewall by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.
For example, to prevent fragmented packets on the outside and inside interfaces enter:
fragment chain 1 outsidefragment chain 1 insideContinue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.
For more information about the fragment command, refer to the Cisco PIX Firewall Command Reference at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#xtocid15
The PIX Firewall also includes FragGuard for additional IP fragmentation protection. For more information, refer to the Cisco PIX Firewall and VPN Configuration Guide at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/overvw.htm#1046527
Downloading PIX Firewall Image
Only Fast Ethernet cards can be used in monitor mode; Gigabit Ethernet cards cannot be used in monitor mode. Additionally, Fast Ethernet cards in 64-bit slots on the PIX 535 are not visible in monitor mode. This means that the TFTP server cannot reside on one of these interfaces. The user should use the copy tftp flash command to download the PIX Firewall image file via TFTP.
PIX 535 Interfaces
These practices must be followed to achieve the best possible system performance on the PIX 535:
•
•
The PIX-1GE Gigabit Ethernet adaptor is supported in the PIX 535; however, its use is strongly discouraged because maximum system performance with the PIX-1GE card is much lower than that with the PIX-1GE-66 card. The software displays a warning at boot time if a PIX-1GE is detected.
Table 2 summarizes the performance considerations of the different interface card combinations.
Caution
Caution
Restrictions
Starting with PIX Firewall software Version 6.0(1), FDDI, PL2, and Token Ring interfaces are not supported.
Starting with PIX Firewall software Version 6.0(1), PFM is no longer supported; PFM has been replaced by the Cisco PIX Device Manager (PDM).
Starting with PIX Firewall software Version 6.0(1), and in all subsequent higher versions, the PIX Firewall Classic, PIX10000, and PIX 510 platforms are not supported.
Caveats
The following sections describe the caveats for the 6.2(2) release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•
•
•
Note
http://www.cisco.com/public/support/tac/tools_trouble.shtml
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 6.2(4)
The caveats in Table 3 are yet to be resolved in this release.
Resolved Caveats - Release 6.2(4)
The caveats in Table 4 are resolved in this release.
Related Documentation
Use this document in conjunction with the PIX Firewall and Cisco VPN Client Version 3.x documentation at the following websites:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm
Cisco provides PIX Firewall technical tips at the following website:
http://www.cisco.com/warp/public/707/index.shtml#pix
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CCO account you can visit the following websites for assistance:
TAC Customer top issues for PIX Firewall:
http://www.cisco.com/warp/public/110/top_issues/pix/pix_index.shtml
TAC Sample Configs for PIX Firewall:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order annual or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
http://www.cisco.com/en/US/partner/ordering/index.shtml
•
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can send your comments in e-mail to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.
Cisco TAC Website
The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC Case
The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (Your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.
For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority Definitions
To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.
Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
•
•
http://www.cisco.com/go/packet
•
http://www.cisco.com/go/iqmagazine
•
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
•
http://www.cisco.com/en/US/learning/index.html
