Cisco PIX Firewall Software

Release Notes for the Cisco Secure PIX Firewall Version 6.0(3)

Table Of Contents

Release Notes for the Cisco PIX Firewall Version 6.0(3)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Cisco IOS Software Interoperability

Cisco VPN Client Interoperability

Determining the Software Version

Upgrading to a New Software Release

New and Changed Information

New Features in Release 6.0(3)

New Features in Release 6.0(2)

New Features in Release 6.0(1)

PIX 535 Interfaces

Changed Hardware Features in Release 6.0(1)

New Software Features in Release 6.0(1)

AAA—Authentication, Authorization, and Accounting

Cisco VPN Client Version 3.x

CiscoView Support

clear logging Command

CPU Utilization Monitoring

DHCP Support

Failover Support for HTTP

fragment Command

L2TP—Layer 2 Tunnel Protocol

Cisco PIX Device Manager (PDM)

Port Redirection

RADIUS Support

show interface Command

shun Command

SNMP Enhancements

SSL debug Support

Voice Over IP Skinny Protocol Support

Command Reference

aaa authentication

aaa-server

clear logging

copy tftp flash

crypto ipsec transform-set

dhcpd

failover replicate http

fixup protocol

fragment

http

ip address

isakmp policy

pdm

reload

service

setup

show cpu usage

show interface

show vpdn

shun

snmp-server host

static

sysopt connection permit

vpdn group

Debug Commands

debug pdm history

debug ppp

debug sip

debug ssl

Important Notes

AAA Authentication

Downloading PIX Firewall image

DHCP Server Functionality

Restrictions

Caveats

Open Caveats - Release 6.0(3)

Resolved Caveats - Release 6.0(3)

Resolved Caveats - Release 6.0(2)

Resolved Caveats - Release 6.0(1)

Related Documentation

Software Configuration Tips on the Cisco TAC Home Page

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information


Release Notes for the Cisco PIX Firewall Version 6.0(3)


March 2002

Contents

This document includes the following sections:

Introduction

System Requirements

New and Changed Information

Command Reference

Debug Commands

Important Notes

Caveats

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

These release notes describe the new features, restrictions, and caveats for Cisco Secure PIX Firewall software version 6.0(3).

System Requirements

The sections that follow list the system requirements for operating a PIX Firewall with version 6.0(3) software.

Memory Requirements


Note All PIX Firewall units must have at least 32 MB of RAM memory or the PIX Firewall will not boot. In addition, all units except the PIX 506/506E must have 16 MB of Flash memory to boot. The PIX 506/506E has 8 MB of memory, which works correctly with version 6.0.


Table 1 lists Flash memory requirements for this release:

Table 1 Flash Memory Requirements

PIX Firewall Model    Flash Memory Required in 6.0
PIX 506/506E          8 MB
PIX 515/515E          16 MB
PIX 520               16 MB (Some PIX 520 units may need a memory upgrade because older units had 2 MB, though newer units have 16 MB.)
PIX 525               16 MB
PIX 535               16 MB


We highly recommend that you use Livengood Gigabit Ethernet cards in systems with a 64-bit/66 MHz PCI bus; for example, in a PIX 535. (If you use the Livengood Gigabit Ethernet cards in a PIX Firewall, the system RAM should be at least 128 MB.) For a PIX Firewall with only a 32-bit/33 MHz bus, such as the PIX 520 and PIX 525, we recommend that you use Wiseman Gigabit Ethernet cards.

Software Requirements

PIX Firewall requires the following for version 6.0(3):

1. The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, you need to download the Boothelper file from Cisco.com to let you download the PIX Firewall image with TFTP.

2. If you are upgrading from version 4 or earlier and want to use the IPSec or VPN features or commands, you must have a new activation key. Before getting a new activation key, write down your old key in case you want to downgrade to version 4. You can have a new activation key sent to you by completing the form at the following website:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

3. If you are using PIX Firewall Syslog Server (PFSS), we recommend you install Windows NT Service Pack 6 to fix year 2000 conflicts in Windows NT.

4. If you are upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Upgrading to a New Software Release" for new installation requirements.

Cisco IOS Software Interoperability

Cisco VPN Series              Interoperability

Cisco IOS Routers

If using IKE mode configuration on the PIX Firewall, the router must be running Cisco IOS Release 12.0(6)T or later.

Cisco VPN 3000 Concentrators

PIX Firewall version 6.0(1) requires Cisco VPN 3000 Concentrator version 2.5.2 or later for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client              Interoperability Comments

Cisco Secure VPN Client v1.1

PIX Firewall version 6.0(1) requires Cisco Secure VPN Client version 1.1. Cisco Secure VPN Client version 1.0 and 1.0a are no longer supported.

Cisco VPN 3000 Client v2.5

PIX Firewall version 6.0(1) requires Cisco VPN 3000 Client version 2.5 or later. This VPN client can be used with Windows 95, Windows 98, and Windows NT version 4.0. It is not supported on Windows 2000.

Cisco VPN Client v3.x

(Unified VPN Client Framework)

PIX Firewall version 6.0(1) supports the Cisco VPN Client version 3.x. The Cisco VPN Client runs on all current Microsoft Windows platforms. At this time, the Cisco VPN Client is not supported on UNIX, Linux, or Mac platforms.


Determining the Software Version

Use the show version command to verify the software version of your PIX Firewall unit.

Upgrading to a New Software Release

If you have a Cisco.com login, you can obtain software from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

New and Changed Information

New Features in Release 6.0(3)

This release resolves two caveats, CSCdw63021 and CSCdw75833.

New Features in Release 6.0(2)

The PIX 506E and PIX 515E join the PIX Firewall product line. Both the PIX 506E and PIX 515E have faster processors than the PIX 506 and PIX 515. Also, the PIX 506E has a physically different, but functionally equivalent, power supply from that of the PIX 506.

New Features in Release 6.0(1)

PIX 535 Interfaces

The PIX 535 now supports up to ten interfaces. A maximum of eight interfaces are available with a restricted license, and ten interfaces are available with an unrestricted license.

These practices must be followed to achieve the best possible system performance on the PIX 535:

PIX-1GE-66 interface cards should be installed first in the 64-bit/66 MHz buses before they are installed in the 32-bit/33 MHz bus. If more than four PIX-1GE-66 cards are needed, they may be installed in the 32-bit/33 MHz bus but with limited potential throughput.

PIX-1GE and PIX-1FE cards should be installed first in the 32-bit/33 MHz bus before they are installed in the 64-bit/66 MHz buses. If more than five PIX-1GE and/or PIX-1FE cards are needed, they may be installed in a 64-bit/66 MHz bus but doing so will lower that bus speed and limit the potential throughput of any PIX-1GE-66 card installed in that bus.

The PIX-1GE Gigabit Ethernet adaptor is supported in the PIX 535; however, its use is strongly discouraged because maximum system performance with the PIX-1GE card is much lower than that with the PIX-1GE-66 card. The software displays a warning at boot time if a PIX-1GE is detected.

Table 2 summarizes the performance considerations of the different interface card combinations.

Table 2 Gigabit Ethernet Interface Card Combinations

Interface Card Combination                               Installed in Interface Slot Numbers    Potential Throughput
Two to four PIX-1GE-66                                   0 through 3                            Best
PIX-1GE-66 combined with PIX-1GE or just PIX-1GE cards   0 through 3                            Degraded
Any PIX-1GE-66 or PIX-1GE                                4 through 8                            Severely degraded



Caution The PIX-4FE and PIX-VPN-ACCEL cards can only be installed in the 32-bit/33 MHz bus and must never be installed in a 64-bit/66 MHz bus. Installation of these cards in a 64-bit/66 MHz bus may cause the system to hang at boot time.


Caution If Stateful Failover is enabled, the interface card and bus used for the Stateful Failover LAN port must be equal to or faster than the fastest card used for the network interface ports. For example, if your inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then your Stateful Failover interface must be a PIX-1GE-66 card installed in bus 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a PIX-1GE-66 card installed in bus 2 or sharing bus 1 with a slower card.

Changed Hardware Features in Release 6.0(1)


Note The PIX Firewall Classic, PIX10000, and PIX 510 platforms are not supported on version 6.0(1).


New Software Features in Release 6.0(1)

AAA—Authentication, Authorization, and Accounting

The aaa authentication command has been modified to support HTTP authentication. The PIX Firewall allows authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the PIX Firewall. More information about this command is available in the "Command Reference" section.

Cisco VPN Client Version 3.x

PIX Firewall software versions 6.0(1) and higher support the Cisco VPN Client version 3.x. The Cisco VPN Client is a cross-platform Virtual Private Network (VPN) client.

CiscoView Support

The existing MIB II support on PIX Firewall version 6.0(1) has been enhanced to provide PIX Firewall platform-specific Object ID in the SNMP mib-2.system.sysObjectID variable.

The SNMP mib-2.system.sysObjectID variable now provides one of the following PIX Firewall platform-specific Object IDs:

.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall506 (same as .1.3.6.1.4.1.9.1.389)
.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall515 (same as .1.3.6.1.4.1.9.1.390)
.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall520 (same as .1.3.6.1.4.1.9.1.391)
.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall525 (same as .1.3.6.1.4.1.9.1.392)
.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall535 (same as .1.3.6.1.4.1.9.1.393)

For other PIX Firewall platforms not mentioned in the preceding text:

.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall (same as .1.3.6.1.4.1.9.1.227)

clear logging Command

The clear logging command now works in privileged mode. More information about this command is available in the "Command Reference" section.

CPU Utilization Monitoring

The show cpu usage command has been added to the PIX Firewall for CPU Utilization monitoring support. More information about this command is available in the "Command Reference" section.

DHCP Support

The PIX Firewall Dynamic Host Configuration Protocol (DHCP) client/server support has been extended to let the user automatically leverage the DNS, WINS, and domain name values obtained by the PIX Firewall DHCP client for use by the hosts served by the DHCP server.

The following commands have been modified or added to the PIX Firewall to provide DHCP client/server support:

ip address

dhcpd

The ip address command has been enhanced to let you enter the number of times the PIX Firewall will poll for DHCP information. Refer to the "Command Reference" section for more information.

Failover Support for HTTP

For PIX Firewall version 6.0(1), the following commands have been modified or added to the PIX Firewall to allow the stateful replication of HTTP sessions in a Stateful Failover environment:

failover replicate http

show failover

When HTTP replication is enabled, the show failover command displays the failover replicate http command.

Refer to the "Command Reference" section for more information.

fragment Command

The fragment command provides additional management of packet fragmentation and improves compatibility with NFS. Refer to the "Command Reference" section for more information.

L2TP—Layer 2 Tunnel Protocol

Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Network (VPN) tunneling protocol that allows remote clients to use public networks to communicate securely with servers at private corporate networks.

PIX Firewall version 6.0(1) supports terminating the Microsoft Windows 2000 OS L2TP/IPSec client. This feature does not work with L2TP/IPSec clients from other vendors. L2TP traffic must be protected by the IPSec traffic, or the PIX Firewall will discard unsecured L2TP traffic.

The following commands have been modified or added to the PIX Firewall to provide L2TP support:

debug ppp

show vpdn

sysopt connection permit

vpdn group

crypto ipsec transform-set

Refer to the "Command Reference" section for more information.

Cisco PIX Device Manager (PDM)

The Cisco PIX Device Manager (PDM) is a browser-based configuration tool designed to help you set up, configure, and monitor your PIX Firewall graphically, without requiring an extensive knowledge of the PIX Firewall command-line interface (CLI). PDM ships with every PIX Firewall running software version 6.0(1) and above.

The following commands have been modified or added to the PIX Firewall to provide this PDM support:

aaa authentication

clear logging

copy tftp flash

http

pdm

setup

Refer to the "Command Reference" section for more information.

Port Redirection

The PIX Firewall now provides static Port Address Translation (PAT) capability. This capability can be used to send multiple inbound TCP or UDP services to different internal hosts through a single global address. The global address can be a unique address, a shared outbound PAT, or shared with the external interface.

The static command has been modified to accommodate this feature. Refer to the "Command Reference" section for more information.

RADIUS Support

Two new aaa-server command options now support selection of RADIUS accounting and authentication ports. More information about this command is available in the "Command Reference" section.


Note The Release Notes for the Cisco Secure PIX Firewall Version 5.3.1 erroneously listed two sysopt command options, sysopt radius acct-port and sysopt radius auth-port, as providing this function. Those commands were never implemented and do not exist in version 5.3.1 or any other release.


show interface Command

The show interface command has been modified to display buffer counters. Refer to the "Command Reference" section for more information.

shun Command

The shun command, when issued from an appropriately configured Cisco Secure IDS unit (PIX Firewall shunning is supported in Cisco Secure IDS 3.0), provides dynamic packet filtering in response to a Cisco Secure IDS signature by preventing new connections from an attacking host and disallowing packets from the attacking host on any existing connection(s). When possible, the connection that caused the event is terminated. More information about this command is available in the "Command Reference" section.

SNMP Enhancements

Support for the PIX Firewall platform-specific object IDs has been added to the SNMP mib-2.system.sysObjectID variable. This enhancement is necessary for CiscoView Support of the PIX Firewall.

PIX Firewall version 6.0(1) supports up to 32 SNMP management stations.

Two new options have been added to the snmp-server host command to support specific configuration of trap and poll activities. Refer to the "Command Reference" section for more information.

SSL debug Support

Support for the Secure Socket Layer (SSL) protocol has been added to the debug command. SSL is a protocol for authenticated and encrypted communications between client and servers such as the Cisco PIX Device Manager (PDM) and the PIX Firewall. Refer to the "Debug Commands" section for more information.

Voice Over IP Skinny Protocol Support

The fixup protocol command has been enhanced to support the Skinny Client Control Protocol (SCCP), used for IP telephony.

Refer to the "Command Reference" section for more information.

Command Reference

This section documents new or modified commands in version 6.0(1). All other commands used with this version are documented in the Configuration Guide for the Cisco Secure PIX Firewall Version 6.0.

aaa authentication

aaa-server

clear logging

copy tftp flash

crypto ipsec transform-set

service

dhcpd

failover replicate http

fixup protocol

fragment

http

ip address

isakmp policy

pdm

reload

service

setup

show cpu usage

show interface

show vpdn

shun

snmp-server host

static

sysopt connection permit

vpdn group

aaa authentication

The aaa authentication command has been modified to support PDM authentication. The PIX Firewall allows authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the PIX Firewall.

[no] aaa authentication [serial | enable | telnet | ssh | http] console group_tag

Syntax Description

authentication

Enable or disable user authentication, prompt user for username and password, and verify information with the authentication server.

serial

Access verification for the PIX Firewall unit's serial console.

enable

Access verification for the PIX Firewall unit's privilege mode.

telnet

Access verification for the Telnet access to the PIX Firewall console.

ssh

Access verification for the SSH access to the PIX Firewall console.

http

Access verification for the Hypertext Transfer Protocol (HTTP) access to the PIX Firewall (via PDM).

console

Specifies that access to the PIX Firewall console requires authentication.

group_tag

The AAA server group tag defined by the aaa-server command.


Defaults

If an aaa authentication http console group_tag command statement is not defined, you can gain access to the PIX Firewall (via PDM) with no username and the PIX Firewall enable password (set with the password command). If the aaa command is defined but the HTTP authentication request times out, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using the username pix and the enable password (set with the enable password command).

Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.

The web browser prompts for the username and password with a pop-up window.

Examples

	router(config)# aaa authentication telnet console radius

Related Commands

aaa-server

http

setup

aaa-server

Two new aaa-server commands, aaa-server radius-authport and aaa-server radius-acctport, have been added to support selection of the RADIUS server ports, which will be used for authentication and accounting.

aaa-server radius-authport port
aaa-server radius-acctport port


Note The sysopt radius acct-port and sysopt radius auth-port commands documented in the Release Notes for the Cisco Secure PIX Firewall Version 5.3.1 were listed in error. Those commands do not exist.


Syntax Description

radius-authport

Sets the port number of the RADIUS server which the PIX Firewall will use for authentication functions. The default port number used for RADIUS authentication is 1645.

radius-acctport

Sets the port number of the RADIUS server which the PIX Firewall unit will use for accounting functions. The default port number used for RADIUS accounting is 1646.

port

Specifies the destination TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or accounting functions for the PIX Firewall.

These port pairs are listed as assigned to authentication and accounting services on RADIUS servers:

1645 (authentication), 1646 (accounting) - default for PIX Firewall

1812 (authentication), 1813 (accounting) - alternate

You can view these and other commonly used port number assignments online at the following website:

http://www.iana.org/assignments/port-numbers


Defaults

By default, the PIX Firewall sends RADIUS authentication requests to port 1645 and RADIUS accounting requests to port 1646 on the server.

Usage Guidelines

If your RADIUS server uses ports 1812 for authentication and 1813 for accounting, you are required to reconfigure the PIX Firewall to use ports 1812 and 1813.


Note This is a global setting that takes effect when RADIUS service is started. The default ports are 1645 for authentication and 1646 for accounting as defined in RFC 2058. Newer RADIUS servers may use the port numbers 1812 and 1813 as defined in RFC 2138 and 2139. If your server uses ports other than 1645 and 1646, then you should define ports using the aaa-server radius-authport and aaa-server radius-acctport commands prior to starting the RADIUS service with the aaa-server command.


Examples

aaa-server radius-authport 1812 
aaa-server radius-acctport 1813
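
The port selection above decides only the destination UDP port of the RADIUS datagrams the PIX sends. The following Python script is an added example and not part of these release notes or of Cisco's software: it derives the ports a PIX would use from its aaa-server lines, reports a mismatch against the ports a server listens on, and assembles an RFC 2138 Access-Request (with the User-Password hiding from section 5.2 of that RFC) so the datagram bound for that port is concrete. The configuration lines, shared secret, credentials and NAS address are constructed; nothing is transmitted.

```python
import hashlib
import socket
import struct

# Ports the PIX Firewall uses unless reconfigured (RFC 2058) and the newer
# assignments (RFC 2138/2139) that many current RADIUS servers listen on.
PIX_DEFAULT_PORTS = {"auth": 1645, "acct": 1646}
RFC2138_PORTS = {"auth": 1812, "acct": 1813}


def radius_ports(config_lines):
    """Return the auth/acct destination ports implied by PIX configuration lines.

    Only 'aaa-server radius-authport N' and 'aaa-server radius-acctport N'
    are considered; every other line is ignored.
    """
    ports = dict(PIX_DEFAULT_PORTS)
    for line in config_lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "aaa-server":
            if parts[1] == "radius-authport":
                ports["auth"] = int(parts[2])
            elif parts[1] == "radius-acctport":
                ports["acct"] = int(parts[2])
    return ports


def port_mismatches(pix_ports, server_ports):
    """List the services whose port differs between firewall and server."""
    return [svc for svc in ("auth", "acct") if pix_ports[svc] != server_ports[svc]]


def hide_password(password, secret, authenticator):
    """RFC 2138 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password (trailing NUL padding stripped)."""
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def _attr(attr_type, value):
    # Attribute = Type (1) | Length (1, includes these two octets) | Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(username, password, secret, nas_ip, identifier, authenticator):
    """Assemble a RADIUS Access-Request (Code 1) datagram."""
    attrs = (
        _attr(1, username)                                          # User-Name
        + _attr(2, hide_password(password, secret, authenticator))  # User-Password
        + _attr(4, socket.inet_aton(nas_ip))                        # NAS-IP-Address
    )
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))    # Code, Identifier, Length
    return header + authenticator + attrs


if __name__ == "__main__":
    cfg = ["aaa-server radius-authport 1812", "aaa-server radius-acctport 1813"]  # constructed
    ports = radius_ports(cfg)
    print("PIX sends to", ports, "- mismatch against an RFC 2138 server:",
          port_mismatches(ports, RFC2138_PORTS))
    # A real Request Authenticator is 16 random bytes (os.urandom); fixed here for the demo.
    pkt = build_access_request(b"alice", b"s3cret", b"shared-secret", "10.1.1.1", 1, bytes(16))
    print(len(pkt), "byte Access-Request would go to UDP port", ports["auth"])
```

The practical check is port_mismatches: run it against the ports your RADIUS server actually binds, since a PIX left at 1645/1646 talking to a server on 1812/1813 fails silently from the firewall's point of view (a timeout, which for PDM falls back to the username pix and the enable password described under aaa authentication).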

clear logging

The clear logging command clears the syslog message queue accumulated by the logging buffered command. New to version 6.0(1), the clear logging command is now permitted in privileged mode.

clear logging

Examples

clear logging

copy tftp flash

This command has been enhanced to let you copy a PDM image to Flash memory using TFTP.

copy tftp[:[[//location] [/pathname]]] flash[:[image | pdm]]

Syntax Description

copy tftp flash

Download Flash memory software images via TFTP without using monitor mode.

location

Either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism.

pathname

PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration. The pathname can include any directory names in addition to the actual last component of the path to the file on the server.

image

Download the selected PIX Firewall image to Flash memory. An image you download is made available to the PIX Firewall on the next reload (reboot).

pdm

Download the selected PDM image files to Flash memory. These files are available to the PIX Firewall immediately, without a reboot.


Defaults

If the pdm image type is not specified, the default copies the PIX Firewall image.

Examples

copying tftp://171.69.38.195/cdisk to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 2156544 bytes.
Erasing current image.
Writing 2060344 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.

Related Commands

setup

crypto ipsec transform-set

For PIX Firewall version 6.0(1), L2TP is the only protocol that can use the IPSec transport mode. PIX Firewall discards all other types of packets using IPSec transport mode.

crypto ipsec transform-set trans-name mode transport

Syntax Description

crypto ipsec transform-set

A transform set specifies one or two IPSec security protocols (either Encapsulating Security Payload (ESP) or Authentication Header (AH) or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

trans-name

IPSec transform set name.

mode

Specify IPSec transport mode for a transform set.

transport

Windows 2000 L2TP/IPSec client uses IPSec transport mode, so you need to select transport mode on the transform set.


Usage Guidelines

A transport-mode transform can only be used on a dynamic crypto map and causes the PIX Firewall to fail if you attempt to tie a transport-mode transform to a static crypto map.

Examples

crypto ipsec transform-set myset mode transport

dhcpd

Dynamic Host Configuration Protocol (DHCP) client/server support has been extended to let the user automatically leverage the DNS, WINS and domain name values obtained by the PIX Firewall DHCP client for use by the hosts served by the DHCP server.

dhcpd auto_config [client_ifx_name]

Syntax Description

auto_config

Enable PIX Firewall to automatically configure DNS, WINS and domain name values from the DHCP client to the DHCP server.

client_ifx_name

This optional argument supports only the outside interface at this time. When more interfaces are supported, this argument will specify which interface supports the DHCP auto_config feature.


Usage Guidelines

DHCP must be enabled to use this command. Use the dhcpd enable command to turn on DHCP.

The DHCP address pool is increased to 256 for all the PIX Firewall version 6.0(1) supported platforms. PIX 506 remains at 32.

Examples

dhcpd auto_config outside

Related Commands

ip address

failover replicate http

The failover replicate http command allows the stateful replication of HTTP sessions in a Stateful Failover environment. The no form of this command disables HTTP replication in a Stateful Failover configuration. When HTTP replication is enabled, the show failover command displays the failover replicate http command.

[no] failover replicate http
show failover

Usage Guidelines

Enabling Stateful Failover of HTTP sessions has a significant impact on PIX Firewall system resources due to the large number of short-lived HTTP sessions. This command should be used with caution.

Examples

router (config)# show failover
Failover On
Cable status:Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
        This host:Secondary - Standby
                Active time:0 (sec)
                Interface FailLink (172.16.31.2):Normal
                Interface 4th (172.16.16.1):Normal
                Interface int5 (192.168.168.1):Normal
                Interface intf2 (192.168.1.1):Normal
                Interface outside (209.165.200.225):Normal
                Interface inside (10.1.1.4):Normal
         Other host:Primary - Active
                Active time:242145 (sec)
                Interface FailLink (172.16.31.1):Normal
                Interface 4th (172.16.16.2):Normal
                Interface int5 (192.168.168.2):Normal
                Interface intf2 (192.168.1.2):Normal
                Interface outside (209.165.200.226):Normal
                Interface inside (10.1.1.5):Normal

Stateful Failover Logical Update Statistics
        Link :FailLink
        Stateful Obj    xmit       xerr       rcv        rerr
        General         10389      0          10392      0
        sys cmd         10389      0          10388      0
        up time         0          0         2          0
        xlate           0          0         2          0
        tcp conn        0          0         0          0
        udp conn        0          0         0          0
        ARP tbl         0          0         0          0
        RIP Tbl         0          0         0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:        0       1       10392
        Xmit Q:        0       1       10389

fixup protocol

The fixup protocol command now supports the Skinny Client Control Protocol (SCCP), and support for the Session Initiation Protocol (SIP) has been enhanced.

fixup protocol skinny [port[-port]]
no fixup protocol [protocol] [port]

show fixup [protocol protocol]
show timeout sip

Syntax Description

fixup protocol

Performs enabling, disabling, viewing, or changing the configuration of a service or protocol through the PIX Firewall.

no

Disables the fixup of a protocol by removing all fixups of that protocol from the configuration. After all fixups for a protocol are removed, either the no fixup form of the command or the default port is stored in the configuration.

port

The port over which the designated protocol travels.

protocol

Specifies the protocol to fix up.

sip

Enables SIP.

show conn state

Displays the connection state of the designated protocol.

show fixup

The show fixup command lists all values or the show fixup protocol protocol command lists an individual protocol.

show timeout

Displays the timeout value of the designated protocol.

skinny

Enables SCCP. SCCP protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.


Defaults

The default for fixup protocol sip is 5060.

The default for fixup protocol skinny is 2000.

Usage Guidelines

SCCP (skinny) protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.

To support SIP calls through the PIX Firewall, the signaling messages must be inspected for the media connection addresses and media ports, and embryonic connections must be opened for the media: the signaling is sent to a well-known destination port (UDP/TCP 5060), but the media streams are dynamically allocated. In addition, SIP is a text-based protocol that carries IP addresses throughout the message text, so the packets are inspected and NAT is applied to those addresses.


Note If Call Manager (CM) is configured for NAT and outside phones register to it via TFTP, the connection will fail because PIX Firewall currently does not NAT the configuration file transferred via TFTP.


For additional information about the SIP protocol see RFC 2543. For additional information about the Session Description Protocol (SDP) see RFC 2327.
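
To make the inspection described above concrete, the following Python script is an added example and not part of these release notes or of the PIX fixup code: it takes a constructed SIP INVITE carrying SDP from a phone at an inside address with a static one-to-one translation, rewrites the inside address wherever it appears in the headers and the SDP (o= and c= lines), derives the media "pinholes" an inspecting firewall has to open from the m= line (RTP port and the RTCP port one above it), and recomputes Content-Length because the rewritten SDP is longer than the original. The addresses, tags and ports are constructed; a one-to-one translation is assumed so media ports are left unchanged.

```python
import re

INSIDE_IP = "10.1.1.20"          # constructed: IP phone behind the PIX
GLOBAL_IP = "209.165.200.230"    # constructed: its static one-to-one translation

SIP_HEADERS = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@10.1.1.20>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c@10.1.1.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@10.1.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: {length}\r\n"
)
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def build_sample_invite():
    """The constructed INVITE as it would leave the phone, Content-Length filled in."""
    return SIP_HEADERS.format(length=len(SDP_BODY)) + "\r\n" + SDP_BODY


def inspect_sip(message, translations):
    """Rewrite translated addresses in headers and SDP; return (message, pinholes).

    translations maps inside address -> global address. pinholes is the list of
    (global address, port) pairs the media will use, one for RTP and one for RTCP
    per m= line, which is what the firewall must permit ahead of the first packet.
    """
    headers, body = message.split("\r\n\r\n", 1)
    for inside, outside in translations.items():
        # Guard both ends so 10.1.1.20 does not also match 10.1.1.200 or 110.1.1.20.
        pattern = re.compile(r"(?<![\d.])" + re.escape(inside) + r"(?![\d.])")
        headers = pattern.sub(outside, headers)
        body = pattern.sub(outside, body)

    pinholes = []
    media_ip = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            media_ip = line.split()[2]          # connection address (already rewritten)
        elif line.startswith("m="):
            port = int(line.split()[1])         # m=<media> <port> <proto> <fmt...>
            pinholes.append((media_ip, port))       # RTP
            pinholes.append((media_ip, port + 1))   # RTCP
    # The body grew when 9-character addresses became 15 characters, so fix the length.
    headers = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body)}", headers)
    return headers + "\r\n\r\n" + body, pinholes


if __name__ == "__main__":
    rewritten, holes = inspect_sip(build_sample_invite(), {INSIDE_IP: GLOBAL_IP})
    print(rewritten)
    print("open for media:", holes)
```

The Content-Length step is the part most often missed when this is done by hand: a message whose declared length no longer matches the body is rejected or mis-parsed by the far end, which is why the firewall, not the phone, has to own the rewrite.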

Examples

fixup protocol skinny 2000

fragment

The fragment command provides additional management of packet fragmentation and improves compatibility with NFS.

fragment size database-limit [interface]
fragment chain chain-limit [interface]
fragment timeout seconds [interface]
clear fragment
show fragment [interface]

Syntax Description

size

Sets the maximum number of packets in the fragment database.

chain

Specifies the maximum number of packets into which a full IP packet can be fragmented.

timeout

Specifies the maximum number of seconds that a packet fragment will wait to be reassembled after the first fragment is received before being discarded.

clear

Resets the fragment databases and defaults. All fragments currently waiting for reassembly are discarded and the size, chain, and timeout options are reset to their default values.

show

Displays the state of the fragment database:

Size - Maximum packets set by the size option.

Chain - Maximum fragments for a single packet set by the chain option.

Timeout - Maximum seconds set by the timeout option.

Queue - Number of packets currently awaiting reassembly.

Assemble - Number of packets successfully reassembled.

Fail - Number of packets which failed to be reassembled.

Overflow - Number of packets which overflowed the fragment database.

database-limit

The default is 200. The maximum is 1,000,000 or the total number of blocks.

chain-limit

The default is 24. The maximum is 8,200.

seconds

The default is 5 seconds. The maximum is 30 seconds.

interface

The PIX Firewall interface. If not specified, the command will apply to all interfaces.


Usage Guidelines

In general, the default values should be used. However, if a large percentage of the network traffic through the PIX Firewall is NFS, additional tuning may be necessary to avoid database overflow. See system log message 209003 for additional information.

In an environment where the MTU between the NFS server and client is small, such as a WAN interface, the chain option may require additional tuning. In this case, NFS over TCP is highly recommended to improve efficiency.

Setting the database-limit of the size option to a large value can make the PIX Firewall more vulnerable to a DoS attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks. The default values will limit DoS due to fragment flooding to that interface only.

Examples

fragment size database-limit [interface]
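To make the interaction of the three limits concrete, here is an added Python model of a fragment database bounded by size, chain and timeout, with counters named as in the show fragment output. It is example code written for this page, not PIX Firewall code: it assumes each held fragment occupies one database entry (as the "blocks" warning above implies) and runs a constructed flood of fragments that never complete; the real PIX implementation may differ in detail.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Fragment:
    packet_id: int  # which original IP packet this fragment belongs to
    index: int      # position of this fragment in that packet (0-based)
    total: int      # how many fragments the packet was split into


@dataclass
class FragmentDB:
    """Toy reassembly table. Assumption: one database entry per held fragment."""
    size: int = 200    # fragment size database-limit (default 200)
    chain: int = 24    # fragment chain chain-limit (default 24)
    timeout: int = 5   # fragment timeout seconds (default 5)
    queue: Dict[int, List] = field(default_factory=dict)  # packet_id -> [first_seen, {indexes}]
    assemble: int = 0
    fail: int = 0
    overflow: int = 0

    def held(self) -> int:
        """Fragments currently occupying database entries."""
        return sum(len(entry[1]) for entry in self.queue.values())

    def expire(self, now: float) -> int:
        """Discard partial packets older than timeout; each counts as a reassembly failure."""
        stale = [pid for pid, (first, _) in self.queue.items() if now - first >= self.timeout]
        for pid in stale:
            del self.queue[pid]
            self.fail += 1
        return len(stale)

    def receive(self, frag: Fragment, now: float) -> str:
        self.expire(now)
        if frag.total > self.chain:          # packet split into more pieces than chain allows
            self.fail += 1
            return "dropped:chain"
        entry = self.queue.get(frag.packet_id)
        already_held = entry is not None and frag.index in entry[1]
        if not already_held and self.held() >= self.size:   # database full
            self.overflow += 1
            return "dropped:overflow"
        if entry is None:
            entry = self.queue[frag.packet_id] = [now, set()]
        entry[1].add(frag.index)
        if len(entry[1]) == frag.total:      # all pieces present: reassemble and free entries
            del self.queue[frag.packet_id]
            self.assemble += 1
            return "assembled"
        return "queued"

    def show(self) -> Dict[str, int]:
        """Same fields as the show fragment display."""
        return {"Size": self.size, "Chain": self.chain, "Timeout": self.timeout,
                "Queue": len(self.queue), "Assemble": self.assemble,
                "Fail": self.fail, "Overflow": self.overflow}


def simulate_flood(n_bogus: int = 1000, db: Optional[FragmentDB] = None) -> Dict[str, object]:
    """Constructed scenario: n_bogus packets each deliver only fragment 0 of 2 at t=0 and never
    complete; a legitimate two-fragment packet then arrives at t=1 and again at t=timeout."""
    db = db or FragmentDB()
    for pid in range(n_bogus):
        db.receive(Fragment(pid, 0, 2), now=0.0)
    during = db.show()
    legit = n_bogus + 1
    blocked = db.receive(Fragment(legit, 0, 2), now=1.0)
    later = [db.receive(Fragment(legit, i, 2), now=float(db.timeout)) for i in (0, 1)]
    return {"during": during, "blocked": blocked, "later": later, "after": db.show()}


if __name__ == "__main__":
    print(simulate_flood())
    print(simulate_flood(db=FragmentDB(size=2000)))
```

With the default database-limit the flood is capped at 200 entries and legitimate traffic is refused only until the 5-second timeout reclaims them; raising database-limit to 2000 simply lets all 1000 bogus fragments be held, which is the exposure the guideline above warns about.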

http

New http commands let you enable the PIX Firewall HTTP server and specify the clients that are allowed to access it.

http ip_address [netmask] [if_name]
no http ip_address netmask if_name

[no] http server enable

clear http
show http


Note The HTTP server must be enabled to configure and monitor the PIX Firewall through PDM.


Syntax Description

http

Relating to the Hypertext Transfer Protocol.

ip_address

Specifies the host or network authorized to initiate an HTTP connection to the PIX Firewall.

netmask

Specifies the network mask for the http ip_address.

if_name

PIX Firewall interface name on which the host or network initiating the HTTP connection resides.

http server enable

Enables the HTTP server required to run PDM.

clear http

Removes all HTTP hosts and disables the server.

show http

Lists the allowed hosts and the enable state of the HTTP server.


Defaults

If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of IP address. The default if_name is inside.

Usage Guidelines

Access from any host will be allowed if 0.0.0.0 0.0.0.0 (or 0 0) is specified for ip_address and netmask.

Examples

The following http command example is used for one host:

http 16.152.1.11 255.255.255.255 outside

The following http command example is used for any host:

http 0.0.0.0 0.0.0.0 inside
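Because an http statement with 0.0.0.0 0.0.0.0 (or a wide netmask) opens the PDM HTTP server to every host on that interface, it is worth checking a saved configuration for such statements. The following Python audit is an added example written for this page, not Cisco code: it parses http lines using the defaults stated above (netmask 255.255.255.255, if_name inside), and the /24 "widest acceptable range" threshold and the sample configuration are assumptions constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample configuration (not from any real device); the first http host
# line matches the one-host example above.
SAMPLE_CONFIG = """\
hostname pixfw
http server enable
http 16.152.1.11 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
http 10.0.0.0 255.255.0.0 inside
http 192.168.5.7
"""

HttpHost = Tuple[ipaddress.IPv4Network, str]


def parse_http_hosts(config: str) -> Tuple[bool, List[HttpHost]]:
    """Return (server_enabled, [(allowed_network, if_name), ...]) from http statements,
    applying the documented defaults: netmask 255.255.255.255 and if_name inside."""
    enabled = False
    hosts: List[HttpHost] = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "http":
            continue
        if parts[1:] == ["server", "enable"]:
            enabled = True
            continue
        addr = "0.0.0.0" if parts[1] == "0" else parts[1]          # "0 0" abbreviation
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"   # default netmask
        mask = "0.0.0.0" if mask == "0" else mask
        if_name = parts[3] if len(parts) > 3 else "inside"         # default interface
        hosts.append((ipaddress.IPv4Network((addr, mask), strict=False), if_name))
    return enabled, hosts


def audit_http_access(config: str, widest_ok_prefix: int = 24) -> List[str]:
    """Flag http statements that expose the PDM HTTP server beyond a small management
    range. The /24 threshold is an assumption for this example, not a PIX setting."""
    enabled, hosts = parse_http_hosts(config)
    findings: List[str] = []
    if not enabled:
        return findings  # server disabled: the host statements grant nothing yet
    for net, if_name in hosts:
        if net.prefixlen == 0:
            findings.append(f"{if_name}: any host may reach the HTTP server ({net})")
        elif net.prefixlen < widest_ok_prefix:
            findings.append(f"{if_name}: broad range {net} may reach the HTTP server")
        elif if_name == "outside":
            findings.append(f"outside: management access from {net} on the untrusted interface")
    return findings


if __name__ == "__main__":
    for finding in audit_http_access(SAMPLE_CONFIG):
        print(finding)
```

The audit is silent when http server enable is absent, since the host statements only take effect once the server is running; the /32 entry on the inside interface produces no finding.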

ip address

The ip address command has been enhanced to let you enter the number of times the PIX Firewall will poll for DHCP information.

ip address outside dhcp [setroute] [retry retry_cnt]

Syntax Description

dhcp

Specifies that the PIX Firewall will use DHCP to poll for information.

outside

Interface from which the PIX Firewall will poll for information.

setroute

Tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns.

retry

Enables PIX Firewall to retry a poll for DHCP information.

retry_cnt

Specifies the number of times PIX Firewall will poll for DHCP information. The values available are 4 to 16. If no value is specified, the default is 4.


By default, the PIX Firewall does not retry polling for DHCP information. If retry is specified without a value, retry_cnt defaults to 4.

Examples

ip address outside dhcp retry 10

Related Commands

dhcpd

isakmp policy

The isakmp policy command lets you negotiate IPSec security associations and enable IPSec secure communications.

isakmp policy [priority] group 2

Syntax Description

priority

Uniquely identifies the Internet Key Exchange (IKE) policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

group 2

Specifies that the 1024-bit Diffie-Hellman group 2 be used in the IKE policy.


Usage Guidelines

Cisco VPN Client version 3.x uses Diffie-Hellman group 2 and VPN Client version 2.5 uses Diffie-Hellman group 1. If you are using Cisco VPN Client version 3.x, configure Diffie-Hellman group 2 by using the isakmp policy command.

To configure Diffie-Hellman group identifier two, use the isakmp command as noted in the "Command Reference" section of the Cisco PIX Firewall IPSec User Guide, Version 6.0.


Note The Cisco VPN Client version 3.x does not require the crypto map map-name client configuration address initiate | respond command.


Examples

isakmp policy 93 group 2

pdm

A new family of commands supports PDM communication with a PIX Firewall over an HTTP server. The pdm disconnect command lets you disconnect a specific PDM session using a session_id obtained with the show pdm sessions command. The show pdm sessions command lists all the open PDM sessions going to a PIX Firewall.


Note The pdm disconnect and show pdm sessions commands are intended for use from the command line. The clear pdm, pdm history, pdm location, and pdm logging commands may appear in your configuration and are available through the CLI, but they are designed to work as internal PDM-to-PIX Firewall commands accessed through PDM.


clear pdm

pdm disconnect session_id
show pdm sessions

[no] pdm history enable
show pdm history [view {all|12h|5d|60m|10m}] [snapshot] [feature {all|blocks|cpu|failover|ids|interface if_name|memory|perfmon|xlates}] [pdmclient]

pdm location ip_address netmask if_name

pdm logging [level [messages]]
no pdm logging
show pdm logging

Syntax Description

pdm

Pertaining to the Cisco PIX Device Manager.

clear pdm

Removes all locations, disables logging, and clears the PDM buffer. Internal PDM command.

pdm disconnect

Disconnects the specified PDM session from the PIX Firewall.

session_id

PDM session ID number available from the show pdm sessions command.

show pdm sessions

Displays a session_id for each active PDM session to the PIX Firewall, beginning with session number 0.

history enable

Internal PDM command. Takes a data sample and stores it in the PDM history buffer. The no form of this command disables PDM data sampling.

show pdm history

Internal PDM command. Displays the contents of the PDM history buffer.

12h | 5d | 60m | 10m | all

Specifies the PDM history view to display: 12 hours (12h), 5 days (5d), 60 minutes (60m), 10 minutes (10m), or all history contents in the PDM history buffer.

snapshot

Displays only the last PDM history data point.

pdmclient

Displays the PDM history in PDM-display format.

location

Internal PDM command. Associates an interface with an IP address.

ip_address

Specifies the host or network.

netmask

Specifies the network mask for the pdm location ip_address.

if_name

Specifies the interface name for the pdm location ip_address.

logging

Internal PDM command. Specifies the type and number of syslog messages displayed through the PDM syslog option.

level

Specifies the priority level of syslog messages displayed in the PDM syslog option.

messages

Specifies the number of messages stored in the PDM buffer. Once the buffer is full, old messages will be discarded.

show pdm logging

Internal PDM command. Displays the contents of the PDM buffer within PDM.


Defaults

Default PDM syslog level is 0. Default logging messages is 100 and the maximum is 512.

Usage Guidelines

The pdm location command can only associate one interface to an ip_address/netmask pair. Specifying an existing pair will replace the old definition. The PDM syslog messages are stored separately from the PIX Firewall syslog accessed through the logging buffered command.

Examples

This example shows how to report the last data point in PDM-display format:

pix(config)# show pdm history 10m snapshot pdmclient
INTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0|RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0:PIXoutsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|17|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PIXinsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|0|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|0|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PixSYS:METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272|METRIC_HISTORY|SNAP|BLK4|VIEW|10|1600|METRIC_HISTORY|SNAP|BLK80|VIEW|10|400|METRIC_HISTORY|SNAP|BLK256|VIEW|10|998|METRIC_HISTORY|SNAP|BLK1550|VIEW|10|676|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|METRIC_HISTORY|SNAP|CONNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|UDPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|URLS|VIEW|10|0|METRIC_HISTORY|SNAP|WEBSNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPINTERCEPTS|VIEW|10|0|METRIC_HISTORY|SNAP|HTTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|FTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHENUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHORUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAACCOUNTS|VIEW|10|0|

This example shows how to report the last data point in non-PDM format:

pix(config)# show pdm history 10m snapshot
INTERFACE|outside|up|IBC|0|OBC|1344|IPC|0|OPC|0|IBR|21|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0|RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0
:PIX outside INTERFACE:
Input Byte Count: [ 10s] : 1952
Output Byte Count: [ 10s] : 64
Input Packet Count: [ 10s] : 17
Output Packet Count: [ 10s] : 1
Input Error Packet Count: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
:PIX inside INTERFACE:
Input Byte Count: [ 10s] : 0
Output Byte Count: [ 10s] : 64
Input Packet Count: [ 10s] : 0
Output Packet Count: [ 10s] : 1
Input Error Packet Count: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
MEM|50479104
BLOCK|BLK4|1600|BLK80|0|BLK256|400|BLK1550|0|BLK1552|997|BLK2560|0|BLK4096|1188|BLK8192|0|BLK16384|0|BLK65536|0
Available Memory: [ 10s] : 52662272
Available 4 bytes Blocks: [ 10s] : 1600
Available 80 bytes Blocks: [ 10s] : 400
Available 256 bytes Blocks: [ 10s] : 998
Available 1550 bytes Blocks: [ 10s] : 676
PERFMON|XLATES|0|CONNECTIONS|0|TCP CONNS|0|UDP CONNS|0|URLS|0|WEBSNS|0|TCP FIXUP|0|TCP INTERCEPT|0|HTTP FIXUP|0|FTP FIXUP|0|AAA AUTHEN|0|AAA AUTHOR|0|AAA ACCOUNT|0
Xlate Count: [ 10s] : 0
Connection Count: [ 10s] : 0
TCP Connection Count: [ 10s] : 0
UDP Connection Count: [ 10s] : 0
URL Filtering Count: [ 10s] : 0
WEBSENSE Filtering Count: [ 10s] : 0
TCP Fixup Count: [ 10s] : 0
TCP Intercept Count: [ 10s] : 0
HTTP Fixup Count: [ 10s] : 0
FTP Fixup Count: [ 10s] : 0
AAA Authentication Count: [ 10s] : 0
AAA Authorzation Count: [ 10s] : 0
AAA Accounting Count: [ 10s] : 0
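The pdmclient form of the snapshot is pipe-delimited and meant for a program rather than a person, which makes it convenient for pulling block-pool, xlate and connection counters into an external monitor. The following Python parser is an added example written for this page, not PDM or PIX code: the record layout (an INTERFACE record, then :section: markers each followed by six-field METRIC_HISTORY|SNAP|name|VIEW|window|value records) is inferred from the sample output above and is an assumption, the embedded sample is that output re-joined onto one line, and the low-pool threshold in low_block_pools is a constructed value.

```python
import re
from typing import Dict, List, Tuple

# The show pdm history 10m snapshot pdmclient output from this page, re-joined onto
# one line (the documentation wraps it for display).
SAMPLE = (
    "INTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0|"
    "RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0"
    ":PIXoutsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|"
    "METRIC_HISTORY|SNAP|IPR|VIEW|10|17|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|"
    "METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|"
    ":PIXinsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|0|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|"
    "METRIC_HISTORY|SNAP|IPR|VIEW|10|0|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|"
    "METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|"
    ":PixSYS:METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272|METRIC_HISTORY|SNAP|BLK4|VIEW|10|1600|"
    "METRIC_HISTORY|SNAP|BLK80|VIEW|10|400|METRIC_HISTORY|SNAP|BLK256|VIEW|10|998|"
    "METRIC_HISTORY|SNAP|BLK1550|VIEW|10|676|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|"
    "METRIC_HISTORY|SNAP|CONNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPCONNS|VIEW|10|0|"
    "METRIC_HISTORY|SNAP|UDPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|URLS|VIEW|10|0|"
    "METRIC_HISTORY|SNAP|WEBSNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPFIXUPS|VIEW|10|0|"
    "METRIC_HISTORY|SNAP|TCPINTERCEPTS|VIEW|10|0|METRIC_HISTORY|SNAP|HTTPFIXUPS|VIEW|10|0|"
    "METRIC_HISTORY|SNAP|FTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHENUPS|VIEW|10|0|"
    "METRIC_HISTORY|SNAP|AAAAUTHORUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAACCOUNTS|VIEW|10|0|"
)

# Section markers look like :PIXoutsideINTERFACE: or :PixSYS: (assumed layout).
SECTION_RE = re.compile(r":(\w+):")


def parse_interface_record(text: str) -> Dict[str, object]:
    """Parse INTERFACE|name|state|KEY|value|... into {'name', 'state', KEY: int, ...}."""
    fields = [f for f in text.split("|") if f != ""]
    if len(fields) < 3 or fields[0] != "INTERFACE":
        raise ValueError("not an INTERFACE record")
    record: Dict[str, object] = {"name": fields[1], "state": fields[2]}
    counters = fields[3:]
    if len(counters) % 2:
        raise ValueError("INTERFACE counters are not key/value pairs")
    for key, value in zip(counters[::2], counters[1::2]):
        record[key] = int(value)
    return record


def parse_metric_section(text: str) -> Dict[str, Tuple[int, int]]:
    """Parse METRIC_HISTORY|SNAP|name|VIEW|window|value|... into name -> (window, value)."""
    fields = [f for f in text.split("|") if f != ""]
    if len(fields) % 6:
        raise ValueError("METRIC_HISTORY records must have six fields each")
    metrics: Dict[str, Tuple[int, int]] = {}
    for i in range(0, len(fields), 6):
        tag, kind, name, view, window, value = fields[i:i + 6]
        if (tag, kind, view) != ("METRIC_HISTORY", "SNAP", "VIEW"):
            raise ValueError(f"unexpected record at field {i}: {fields[i:i + 6]}")
        metrics[name] = (int(window), int(value))
    return metrics


def parse_pdmclient_snapshot(output: str) -> Dict[str, object]:
    """Split the snapshot into the leading INTERFACE record and the named metric sections."""
    parts = SECTION_RE.split(output.strip())
    # parts = [interface record, section name, body, section name, body, ...]
    sections = {name: parse_metric_section(body) for name, body in zip(parts[1::2], parts[2::2])}
    return {"interface": parse_interface_record(parts[0]), "sections": sections}


def low_block_pools(parsed: Dict[str, object], minimum: int) -> List[str]:
    """Names of PixSYS BLK* pools whose free count is below minimum (threshold is an assumption)."""
    system = parsed["sections"].get("PixSYS", {})
    return [name for name, (_, value) in system.items() if name.startswith("BLK") and value < minimum]


if __name__ == "__main__":
    snapshot = parse_pdmclient_snapshot(SAMPLE)
    print(snapshot["interface"]["name"], snapshot["interface"]["state"])
    print(snapshot["sections"]["PixSYS"]["MEM"])
    print(low_block_pools(snapshot, 500))
</test>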

Related Commands

copy tftp flash

http

setup

reload

The reload command has been enhanced with the new option noconfirm. It permits the PIX Firewall to reload without user confirmation.

reload noconfirm

Syntax Description

reload

Reboot and reload configuration.

noconfirm

Permits the PIX Firewall to reload without user confirmation.


Usage Guidelines

The PIX Firewall does not accept abbreviations to the keyword noconfirm.

Command History

The noconfirm option was added to the reload command for PIX Firewall version 6.0(1).

Examples

reload noconfirm

service

This command has been enhanced with the resetoutside option. The resetoutside option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the 32-second time-out delay. This option is recommended with dynamic or static interface PAT (available with version 6.0(1)).

service {resetinbound | resetoutside}

Examples

service {resetinbound | resetoutside}

setup

The setup command lets you provide pre-configuration information to a new PIX Firewall, so you can then configure and monitor your PIX Firewall graphically using PDM.

setup

Pre-configure PIX Firewall now through interactive prompts [yes]? 
Enable Password [<use current password>]:
Clock (UTC)
  Year [system year]:
  Month [system month]:
  Day [system day]:
  Time [system time]:
Inside IP address: 
Inside network mask: 
Host name: 
Domain name: 
IP address of host running PIX Device Manager:

Syntax Description

setup

Prompts for the basic operational information for the PIX Firewall if no configuration is found in the Flash memory.

Enable password:

Specify an enable password for this PIX Firewall unit.

Clock (UTC)

Set the PIX Firewall clock to Universal Coordinated Time (also known as Greenwich Mean Time).

Year [system year]:

Specify current year, or default to the year stored in the host computer.

Month [system month]:

Specify current month, or default to the month stored in the host computer.

Day [system day]:

Specify current day, or default to the day stored in the host computer.

Time [system time]

Specify current time in hh:mm:ss format, or default to the time stored in the host computer.

Inside IP address:

Network interface IP address of the PIX Firewall unit.

Inside network mask:

A network mask that applies to inside IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Host name:

The host name you want to display in the PIX Firewall command line prompt.

Domain name:

The DNS domain name of the network on which the PIX Firewall runs, for example cisco.com.