Cisco PIX Firewall Release Notes Version 6.3(4)
This release provides new features and fixes for a variety of PIX Firewall models and configuration modes, including new VLAN support, AAA fallback for administrative access, improved syslog messaging, and SIP IP address privacy. This document includes the following sections:
Note For more information on the NAT ID rules caveat, refer to "Important Notes" in the Cisco PIX Firewall Release Notes Version 6.3(2).
The PIX Firewall delivers unprecedented levels of security, performance, and reliability, including robust, enterprise-class security services such as the following:
•Stateful inspection security, based on state-of-the-art Adaptive Security Algorithm (ASA)
•Over 100 predefined applications, services, and protocols for flexible access control
•Virtual Private Networking (VPN) for secure remote network access using IKE/IPSec standards
•Intrusion protection from over 55 different network-based attacks
•URL filtering of outbound web traffic through third-party server support
•Network Address Translation (NAT) and Port Address Translation (PAT) support
Additionally, PIX Firewall Version 6.3 software supports Cisco PIX Device Manager (PDM) Version 3.0 and adds enhancements to features introduced in earlier releases.
The sections that follow list the system requirements for operating a PIX Firewall with Version 6.3 software.
The PIX 501 has 16 MB of RAM and will operate correctly with Version 6.1(1) and higher, while all other PIX Firewall platforms continue to require at least 32 MB of RAM (and therefore are also compatible with Version 6.1(1) and higher).
In addition, all units except the PIX 501 and PIX 506E require 16 MB of Flash memory to boot. (The PIX 501 and PIX 506E have 8 MB of Flash memory, which works correctly with Version 6.1(1) and higher.)
Table 1 lists Flash memory requirements for this release.
Version 6.3 requires the following:
1. The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, you need to download the Boothelper file from Cisco Connection Online (CCO) to let you download the PIX Firewall image with TFTP.
2. If you are upgrading from Version 4 or earlier and want to use the Auto Update, IPSec, SSH, PDM, or VPN features or commands, you must have a new 56-bit DES activation key. Before getting a new activation key, write down your old key in case you want to revert to Version 4. You can have a new 56-bit DES activation key sent to you by completing the form at the following website:
3. If you are upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Upgrading to a New Software Release" for new installation requirements.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum configuration file size limit is increased to 2 MB for PIX Firewall software Versions 5.3(2) and later. For other PIX Firewall platforms, the maximum configuration file size limit is 1 MB. Earlier versions of the PIX 501 are limited to a 256 KB configuration file size. If you are using PIX Device Manager (PDM), we recommend no more than a 100 KB configuration file because larger configuration files can interfere with the performance of PDM on your workstation.
While configuration files up to 2 MB are now supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•While executing commands such as write term and show conf
•Failover (the configuration synchronization time)
•During a system reload
The optimal configuration file size for use with PDM is less than 100 KB (which is approximately 1500 lines). Please take these considerations into account when planning and implementing your configuration.
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Server Interoperability
Determining the Software Version
Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Release
If you have a Cisco Connection Online (CCO) login, you can obtain software from the following website:
New and Changed Information
New Features in Release 6.3(4)
Release 6.3(4) includes the following new features:
VLAN Support Added to the PIX 506/506E
This release introduces VLAN support for the PIX 506/506E, enabling these platforms to serve as a low-cost, DMZ-enabled solution. With this support, users may implement additional logical interfaces, allowing them to securely host an external web site, a secure e-mail server, or even an extranet.
By adding support for IEEE 802.1Q VLAN tags, the PIX 506/506E Firewalls gain added flexibility in managing and provisioning the firewall. This feature decouples IP interfaces from physical interfaces, making it possible to configure logical IP interfaces independently.
VLAN feature support is added to the interface command.
•A maximum of three logical interfaces may be configured on the 506/506E. For more information on the maximum number of interfaces supported on the PIX Firewall models, refer to "Using Logical Interfaces" in the Cisco PIX Firewall and VPN Configuration Guide.
•When the PIX 506 or 506E is used as a VPN hardware client, logical interfaces on the 506/506E cannot be used to initiate a VPN tunnel.
•If the VLAN ID is set to 4095, the interface name cannot be modified with the nameif command. It may not be appropriate to use VLAN ID 4095 because of this issue.
For configuration information, refer to "Configuring PIX Firewall with VLANs" in the Cisco PIX Firewall and VPN Configuration Guide. For a complete description of the command syntax for these new commands, refer to the Cisco PIX Firewall Command Reference.
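The following configuration is an added example for this section, not text from the release notes or from the configuration guide it cites. It shows how the interface command carries the new VLAN options on a PIX 506E: ethernet1 is made the tagged VLAN 10 (physical) interface, a second logical interface vlan20 is created on the same port and named dmz, and a web server on the DMZ is published to the outside with a static translation and an ACL. The addresses, VLAN IDs and the name dmz are assumptions chosen for the example; comment lines start with a colon, which the PIX CLI ignores.

```cisco
: PIX 506E, Version 6.3(4). ethernet0 is outside, ethernet1 is inside.
: ethernet1 sends/receives 802.1Q frames tagged with VLAN 10 as the inside interface
interface ethernet1 100full
interface ethernet1 vlan10 physical
: A logical interface on the same port for VLAN 20, named dmz
interface ethernet1 vlan20 logical
nameif ethernet1 inside security100
nameif vlan20 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
: Let inside and dmz hosts reach lower-security interfaces through PAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface
: Publish the DMZ web server (assumed 192.168.20.10) on an assumed public address
static (dmz,outside) 209.165.201.5 192.168.20.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 209.165.201.5 eq www
access-group outside_in in interface outside
```

The switch port facing ethernet1 must be an 802.1Q trunk carrying VLANs 10 and 20. Because the dmz interface has security level 50, hosts on it cannot initiate connections to inside (security 100) unless an ACL applied to dmz explicitly permits them, which is the point of placing the public server there; avoid VLAN ID 4095 because of the nameif restriction noted above.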
AAA Fallback for Administrative Access
This release introduces the ability for administrative authentication and authorization requests to fall back to the local user database on the PIX Firewall when the configured AAA servers cannot be reached. The design anticipates future compatibility with Cisco IOS-style "method list" support on the PIX Firewall and adds the LOCAL fallback method.
The following commands are now enhanced to create a fallback scenario for AAA administrative access:
aaa authentication console
aaa authorization command
aaa authorization match
crypto map command
[no] aaa-server <tag> max-failed-attempts <number>
[no] aaa-server <tag> deadtime <minutes>
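The following configuration is an added example for this section and is not part of the release notes. It ties the enhanced commands together: a TACACS+ server group for administrative access, the thresholds that decide when that group is declared dead, local accounts, and SSH, enable and command authorization that use the group first and fall back to LOCAL. The server tag ADMIN, the addresses, the key and the usernames are assumptions for the example.

```cisco
: TACACS+ group used for administrative AAA (tag, address and key are assumed)
aaa-server ADMIN protocol tacacs+
aaa-server ADMIN (inside) host 192.168.1.20 s3cretkey timeout 5
: After 3 consecutive failed contacts the server is marked dead for 10 minutes;
: while every server in the group is dead, the LOCAL method is used instead
aaa-server ADMIN max-failed-attempts 3
aaa-server ADMIN deadtime 10
: Local accounts that the LOCAL method authenticates against
username admin password Adm1nPassw0rd privilege 15
username oncall password 0nCallPassw0rd privilege 5
: Administrative access: try the ADMIN group, fall back to LOCAL
aaa authentication ssh console ADMIN LOCAL
aaa authentication enable console ADMIN LOCAL
aaa authorization command ADMIN LOCAL
: Restrict where SSH sessions may originate
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
```

Fallback is triggered only when the servers are unreachable, not when a reachable server rejects the credentials, so a lockout on the TACACS+ side is not bypassed by LOCAL. Keep the local accounts few and their passwords distinct from those held on the AAA server, since anyone who can cut the firewall off from the server can force authentication onto them.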
This release introduces SNMP traffic inspection capabilities, enabling administrators to specify which SNMP version packets are permitted or denied passage through a PIX Firewall.
The following commands were added or modified to support this new feature:
snmp deny version
fixup protocol snmp
IKE Syslog Support Improved
This release introduces a small enhancement to IKE syslog support and a limited set of IKE event-tracing capabilities for scalable VPN troubleshooting. These enhancements add new syslog message generation and improved isakmp command control.
New Syslog Messaging for AAA authentication
This release introduces a new AAA syslog message, generated when a user attempts to use a service port for which the configured PIX Firewall authentication policy requires authentication, before the user has authenticated. The added syslog message is as follows:
%PIX-3-109023: User from src_IP_Address/src_port to dest_IP_Address/dest_port on interface outside must authenticate before using this service
SIP IP Address Privacy Enhancement
This release introduces an enhancement that addresses IP address privacy issues affecting the SIP fixup. Phones connected on the same interface of the PIX Firewall should not have any direct peer-to-peer communication. This feature eliminates the ability of a third-party computer to take control of the signaling (SIP) and voice (RTP/RTCP) traffic flowing through the PIX Firewall. By using the PIX Firewall to create the required pinholes for voice traffic, all direct peer-to-peer communication between phones behind the PIX Firewall is eliminated. The new command that provides this functionality is called:
New Ability to Assign Netmasks with Address Pools
This release introduces the ability to define a subnet mask for each address pool and pass this information onto the client. The command to define a subnet mask for a local ip pool is:
ip local pool <name> <range> [mask <mask>]
The command which lets you see if a local subnet mask has been defined is:
show ip local pool
Note Downgrade issue if this feature is implemented: If you downgrade to a software version that does not have this feature, address ranges are loaded without the defined subnet mask. If you downgrade, save the configuration, and then upgrade again, the masks are lost and are not returned to the client.
Important Notes in Release 6.3(3)
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The PIX Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using Access Control Lists (ACLs). ACL based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefits:
•Access-list Element (ACE) Insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.
•ACL supports remarks - ACL entries can be identified easily within large system configurations using remarks.
•Turbo ACLs - Turbo ACLs provide enhanced performance and scalability for ACL compilation.
•Object-grouping support - Object groups are supported by ACLs but not by the outbound command
•ACLs are commonly employed by most PIX features to define traffic designated for that feature (IPsec, nat 0, AAA, etc.)
•All new PIX Firewall development (for example, time-based ACLs and outbound ACLs) is geared toward ACL-based configurations.
Important Notes in Release 6.3(2)
Major releases beyond PIX Firewall Version 6.3 will not support the conduit and outbound commands.
Important Notes in Release 6.3
This section describes important notes for Version 6.3.
ACL Source Address Change When an Alias is Configured
When the alias command is used for destination address translation, an inbound message originating from the foreign_ip source address is translated to the dnat_ip address. If you configure an inbound ACL with an address defined by the alias command, you must use the foreign_ip address as the ACL source address instead of the dnat_ip address, as was used in Release 6.2. The ACL check is now done before the translation occurs, which is consistent with the way the firewall treats other NATed addresses in ACLs.
Interface Settings on the PIX 501 and PIX 506E
With PIX Firewall Version 6.3, the settings for the following interfaces have been updated as follows:
•PIX 501 outside interface (port 0) - 10/100 Mbps half or full duplex
•PIX 501 inside interface - 10/100 Mbps half or full duplex
•PIX 506E inside interface - 10/100 Mbps half or full duplex
•PIX 506E outside interface - 10/100 Mbps half or full duplex
Note When upgrading the PIX 501 to Version 6.3, the inside interface is automatically upgraded to 100 Mbps full duplex. During the upgrade process the system displays the message "ethernet1 interface can only be set to 100full."
Upgrading the PIX 506 and the PIX 515
When upgrading a classic PIX 506 or PIX 515 (the non "E" versions) to PIX Firewall OS Version 6.3, the following message(s) might appear when rebooting the PIX Firewall for the first time after the upgrade:
ethernet0 was not idle during boot.
ethernet1 was not idle during boot.
These messages (possibly one per interface) will be followed by a reboot. This is a one-time event and is a normal part of the upgrade on these platforms.
Easy VPN Remote and Easy VPN Server
The PIX 501 and PIX 506/506E can act as either Easy VPN Remote devices or Easy VPN Servers, so they can be used either as a client device or as the VPN headend in a remote-office installation. The PIX 515/515E, PIX 525, and PIX 535 act as Easy VPN Servers only, because the capacity of these devices makes them appropriate VPN headends for higher-traffic environments.
PIX 535 Interfaces
These practices must be followed to achieve the best possible system performance on the PIX 535:
•PIX-1GE-66 interface cards should be installed first in the 64-bit/66 MHz buses before they are installed in the 32-bit/33 MHz bus. If more than four PIX-1GE-66 cards are needed, they may be installed in the 32-bit/33 MHz bus but with limited potential throughput.
•PIX-VACPLUS should be installed in a 64-bit/66 MHz bus to avoid degraded throughput.
•PIX-1GE and PIX-1FE cards should be installed first in the 32-bit/33 MHz bus before they are installed in the 64-bit/66 MHz buses. If more than five PIX-1GE and/or PIX-1FE cards are needed, they may be installed in a 64-bit/66 MHz bus but doing so will lower that bus speed and limit the potential throughput of any PIX-1GE-66 card installed in that bus.
The PIX-1GE Gigabit Ethernet adaptor is supported in the PIX 535; however, its use is strongly discouraged because maximum system performance with the PIX-1GE card is much slower than that with the PIX-1GE-66 card. The software displays a warning at boot time if a PIX-1GE is detected.
Table 2 summarizes the performance considerations of the different interface card combinations.
Caution The PIX-4FE and PIX-VPN-ACCEL cards can only be installed in the 32-bit/33 MHz bus and must never be installed in a 64-bit/66 MHz bus. Installation of these cards in a 64-bit/66 MHz bus may cause the system to hang at boot time.
Caution If Stateful Failover is enabled, the interface card and bus used for the Stateful Failover LAN port must be equal to or faster than the fastest card used for the network interface ports. For example, if your inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then your Stateful Failover interface must be a PIX-1GE-66 card installed in bus 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card.
The following sections describe the caveats for the 6.3 release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
Open Caveats - Release 6.3(4)
Resolved Caveats - Release 6.3(4)
Use this document in conjunction with the PIX Firewall and Cisco VPN Client Version 3.x documentation at the following websites:
Cisco provides PIX Firewall technical tips at the following website:
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CCO account you can visit the following websites for assistance:
TAC Customer top issues for PIX Firewall:
TAC Sample Configs for PIX Firewall:
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.