All rights reserved. Copyright, Regents of the University of California. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Audience

This guide is for network managers who perform any of the following tasks:

Managing network security
Installing and configuring firewalls
Managing default and static routes, and TCP and UDP services

Use this guide with the installation guide supplied with your PIX Firewall unit. Chapter 2, Establishing Connectivity, describes how to establish secure connectivity between an unprotected network, such as the public Internet, and one or more protected networks.
Published (last): 28 September 2008
The PIX Firewall image no longer fits on a diskette. Before getting a new activation key, write down your old key in case you want to downgrade to Version 4. You can have a new DES activation key sent to you by completing the form on the Cisco website.
If you are upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Upgrading to a New Software Release" for new installation requirements.
While configuration files up to 2 MB are now supported on some PIX platforms, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution in several situations.
Take these considerations into account when planning and implementing your configuration.

Use the show version command to verify the software version of your PIX Firewall. The new features in this release are described below.

Beginning with Version 5, access lists are implemented with the access-list and access-group commands. These commands are used instead of the conduit and outbound commands, which were used in earlier versions of PIX Firewall software.
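The following is an added example, not taken from the original guide, that puts a pre-Version 5 conduit beside the equivalent access-list and access-group configuration on a PIX running 6.x. The addresses, the access list name and the server are assumed for illustration.

```cisco
! Old style: a conduit opens inbound TCP/80 to the translated (global)
! address of an inside web server. 209.165.201.10 / 192.168.1.10 are
! assumed addresses for this example.
static (inside,outside) 209.165.201.10 192.168.1.10 netmask 255.255.255.255
conduit permit tcp host 209.165.201.10 eq www any

! Equivalent access-list form. On PIX 6.x an access list bound to the
! outside interface matches the global address, not the real inside address.
access-list outside_in permit tcp any host 209.165.201.10 eq www
! An access list ends with an implicit deny; an explicit deny with the
! log keyword makes the dropped traffic visible in syslog.
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Remove the conduit once the access list is in place, so that a single
! mechanism governs the interface.
no conduit permit tcp host 209.165.201.10 eq www any
```

After applying the access list, confirm the policy with show access-list outside_in, which also reports the hit count per entry; a permit line with zero hits after a test connection usually means the list references the wrong (real instead of global) address.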
In major software releases after Version 6, the conduit and outbound commands will no longer be supported. To migrate an obsolete PIX configuration file that contains conduit and outbound commands to a supported configuration file that contains the equivalent access-list commands, Cisco provides a tool to help with the conversion process. Review the converted access lists before applying them.

Policy NAT allows you to identify both the source and destination addresses in an access list when specifying the local traffic to translate.
This feature lets you use different global addresses for each source and destination pair on an interface, even if the source address is the same for each pair. Without policy NAT, you can only specify a single global address for a given source address, because the destination address is not considered.
To configure policy NAT, use either the static or nat command with an access list.

The fixup protocol dns command now accepts a user-configured maximum DNS packet length. Based on this maximum length, the DNS fixup checks whether each DNS packet is within the limit.
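An added example, not from the original guide, covering the two passages above: policy NAT in both its dynamic (nat/global) and static forms, followed by the DNS fixup with an explicit maximum length. All addresses and access list names are assumed; the 512-byte default for maximum-length is the value given in the 6.3 command reference.

```cisco
! Policy NAT: the same inside subnet is translated to a different global
! address depending on the destination it talks to. Addresses are assumed.
access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
access-list NET3 permit ip 10.1.2.0 255.255.255.0 209.165.202.0 255.255.255.0

! Dynamic form: each nat/global pair is keyed by an access list, so the
! destination decides which global address is used.
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130

! Static form: one fixed translated address for the source/destination
! pair named by the access list.
static (inside,outside) 209.165.202.131 access-list NET3

! Without policy NAT only one translation can be expressed for 10.1.2.0/24,
! because the destination is not considered:
! nat (inside) 1 10.1.2.0 255.255.255.0
! global (outside) 1 209.165.202.129

! DNS fixup with an explicit maximum packet length; packets over the
! limit fail the check. 512 is also the default.
fixup protocol dns maximum-length 512
```

Use show xlate after generating traffic to each destination to confirm that the expected global address was chosen; if a flow matches more than one policy access list, check which nat statement it actually hit before relying on the translation.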
A default value applies when no maximum length is specified. The show failover command is enhanced to display the last occurrence of a failover. Every static crypto map must define an access list and an IPSec peer.
If either is missing, the crypto map is considered incomplete and a warning message is printed. Traffic not matched to a complete crypto map is skipped, and the next entry is tried. Failover hello packets are now exempt from the incomplete crypto map check; previously they were dropped. Use the show conf command to ensure that every crypto map is complete. An infinite ISAKMP phase 1 lifetime is a feature that allows interoperability with third-party VPN gateways that do not support rekeying of the IKE phase 1 SA.
To enable it, specify a lifetime value of 0 using the isakmp policy command.
Note: Using an infinite phase 1 SA lifetime is less secure, because the phase 1 keys are never refreshed as they normally would be, so a compromised phase 1 key remains valid for the life of the SA.
Do not enable this feature unless the PIX must communicate with a third-party VPN gateway device that cannot be configured with a finite phase 1 SA lifetime.
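An added example, not from the original guide, of a complete static crypto map next to an incomplete one that the incomplete-map check would skip, with the finite phase 1 lifetime configured and the lifetime 0 escape hatch shown commented out. Peer address, networks, map and transform-set names, and the pre-shared key are assumed.

```cisco
! Complete entry: access list (what to protect), peer, and transform set.
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
isakmp enable outside
isakmp key s3cr3t-psk address 209.165.200.225 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Finite phase 1 lifetime in seconds: keys are refreshed every 8 hours.
isakmp policy 10 lifetime 28800
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn_traffic
crypto map site2site 10 set peer 209.165.200.225
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
sysopt connection permit-ipsec

! Incomplete entry: no access list and no peer. The PIX prints a warning,
! skips it, and tries the next entry for traffic that would have matched.
crypto map site2site 20 ipsec-isakmp
crypto map site2site 20 set transform-set strong

! Interoperability escape hatch only: lifetime 0 disables phase 1 rekeying,
! so one compromised SA key lasts as long as the tunnel does.
! isakmp policy 10 lifetime 0
```

Run show conf after configuring to confirm no incomplete-map warning remains, and show crypto isakmp sa once the tunnel is up to check that the negotiated lifetime is the finite value you set rather than a peer-proposed one.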
The show version output now has two interface-related lines, Max Physical interfaces and Max interfaces. Max interfaces is the total of physical and virtual interfaces. The access-group command accepts a new keyword, per-user-override, which lets an access list downloaded from the AAA server for an authenticated user override the interface access list for that user's traffic.
By default, the fixup protocol ils command is disabled. You can use the fixup protocol command to enable the ILS fixup and, optionally, change the default port assignment. When aaa proxy-limit is set to 16, the line "aaa proxy-limit 16" appears in the configuration.
The aaa proxy-limit command specifies the number of concurrent proxy connections allowed per user. Logical VLAN interfaces decouple IP interfaces from physical interfaces, making it possible to configure logical IP interfaces independent of the number of interface cards installed, with appropriate handling of IEEE 802.1Q tagging. Route propagation and greatly reduced route convergence times are two of the many benefits that arrive with Open Shortest Path First (OSPF).
The PIX Firewall implementation supports intra-area, inter-area and external routes. To configure secure authentication of HTTP sessions, so that credentials are collected over HTTPS rather than in cleartext, use the aaa authentication secure-http-client command. In PIX Firewall software prior to this release, cut-through proxy and VPN xauth users could only be authenticated by an external AAA server. This feature allows them to be authenticated against the PIX Firewall local username database as well.
The filter ftp and filter https commands were added to the filter command in this release. This release also adds support for securing site-to-site and remote access VPN connections with the Advanced Encryption Standard (AES). For more information on the show crypto interface [counters] command, and a complete description of its syntax, refer to the Cisco PIX Firewall Command Reference.
The known-answer test (KAT) for the crypto engine is performed every time the PIX Firewall boots, before the configuration is read from Flash memory. KAT can also be run from the command line in privileged mode, using the show crypto engine verify command. MAC-based AAA exemption allows hosts to be exempted from a broader authentication requirement, based on their MAC addresses. This is essential for devices like printers and IP phones located inside a firewall. Because a MAC address is only visible on the directly attached segment and is easily forged, treat the exemption as a convenience for devices that cannot present credentials, not as authentication.
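An added example, not from the original guide, that ties together the AAA features described above: cut-through proxy with secure-http-client and a proxy limit, the per-user-override keyword on the interface access list, the local user database for VPN xauth, and MAC-based exemption. Server addresses, secrets, user names, the crypto map name and the MAC addresses are assumed.

```cisco
! AAA servers: RADIUS for cut-through proxy (it can return per-user ACLs),
! the built-in LOCAL database for xauth and a console fallback.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 r4d1us-s3cret timeout 5
aaa-server LOCAL protocol local
username alice password Ch4ngeMe! privilege 2

! Cut-through proxy: inbound HTTP/HTTPS to the web server's global address
! must authenticate. secure-http-client collects the credentials over an
! HTTPS session instead of cleartext HTTP.
aaa authentication include http outside 0 0 0 0 RADIUS
aaa authentication include https outside 0 0 0 0 RADIUS
aaa authentication secure-http-client
! Cap each user at 16 concurrent proxy connections.
aaa proxy-limit 16

! Interface ACL. With per-user-override, an ACL the RADIUS server downloads
! for the authenticated user replaces this list for that user's traffic;
! without the keyword, both lists must permit the flow.
access-list outside_in permit tcp any host 209.165.201.10 eq www
access-list outside_in permit tcp any host 209.165.201.10 eq https
access-group outside_in in interface outside per-user-override

! VPN xauth users and Telnet logins are checked against the local database
! (site2site is an existing crypto map).
crypto map site2site client authentication LOCAL
aaa authentication telnet console LOCAL

! Devices that cannot present credentials are exempted by MAC address.
! A MAC is visible only on the attached segment and is trivially forged,
! so keep this list short and specific.
mac-list nocreds permit 00a0.c95d.0282 ffff.ffff.ffff
aaa mac-exempt match nocreds
```

Check the result with show uauth, which lists authenticated users and any per-user ACL applied to them; a MAC-exempt host should not appear there, and a user whose downloaded ACL is being ignored is the usual sign that per-user-override is missing from access-group.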
The DHCP relay agent receives requests from hosts on a given interface and forwards them to a user-configured DHCP server on another interface. Updates have also been made to ensure that the default factory configuration takes into account the PIX user license installed in the device. The PIX Firewall acting as a VPN hardware client supports VPN Concentrator load balancing, with automatic redirection to the least utilized concentrator.
Support for downloading a list of backup concentrators defined on the headend. Split tunneling allows users connected through the PIX Firewall to reach the Internet in the clear, without using the VPN tunnel; traffic that bypasses the tunnel is not subject to the headend's policy, so enable it only for the destinations that need it. A configurable timeout on the PIX Firewall's connection attempts to a VPN headend controls the latency involved in rolling over to the next backup concentrator on the list.
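An added example, not from the original guide, for the DHCP relay and VPN hardware client passages above: relaying DHCP from a DMZ to an inside server, a PIX configured as a hardware client with a primary headend and backups, and the headend-side split-tunnel definition. Addresses, group and user names, and passwords are assumed.

```cisco
! DHCP relay: clients on the dmz interface are served by a DHCP server on
! the inside network. setroute rewrites the default-router option to the
! PIX dmz address so clients route through the firewall.
dhcprelay server 10.1.1.20 inside
dhcprelay enable dmz
dhcprelay setroute dmz
dhcprelay timeout 60

! PIX as VPN hardware client. The first server is the primary headend; the
! others are tried in order if it does not answer. The headend can also push
! its own backup list to the client.
vpnclient server 209.165.200.225 209.165.200.226 209.165.200.227
vpnclient mode network-extension-mode
vpnclient vpngroup remote-offices password Gr0upS3cret
vpnclient username branch01 password Us3rS3cret
vpnclient enable

! On a PIX acting as the headend, split tunneling is enabled per group by
! listing the networks that must go through the tunnel; anything else is
! sent in the clear, so limit the list to the corporate address space.
access-list corp_nets permit ip 10.0.0.0 255.0.0.0 any
vpngroup remote-offices split-tunnel corp_nets
```

On the hardware client, show vpnclient reports which headend is currently in use; on the headend, show vpngroup confirms the split-tunnel access list that will be pushed to members of the group.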
Users obtain certificates so they can identify themselves, present their access credentials, and obtain a secure network connection with other approved secure users or systems.
For more information on this command, refer to the section on using X.509 certificates. You have the flexibility to require all network management (NMS) traffic to flow over the tunnel, or to fine-tune this policy.
Support for individually authenticating clients, by IP address, on the inside network of the VPN hardware client; this is done through a web-based interface. The secure-unit-authentication keyword is added to the vpngroup command in this release. A further option is added to the fixup protocol h323 command; for more information, refer to the H.323 section. The Access Control List (ACL) editing feature lets users insert or delete any access list element in an access list.
When the log option is configured on an access-list entry, statistics for each flow that matches the permit or deny conditions of that entry are logged. A custom firewall identifier, such as an interface IP address, can be included in all syslog messages to improve the centralized reporting of firewall events.
This new feature is added to the logging command. The access-list remark feature allows users to include comments in access lists to make the ACL easier to understand and scan. Users can configure a message-of-the-day (motd), a login, and an exec banner that will be presented to users who access the PIX Firewall via the console, SSH, and Telnet.
The console timeout protects the console from unauthorized administrative access by automatically logging out sessions after a configurable period of inactivity. A filter option provides the ability to filter or search through the full output of show commands. Administrators can designate any PIX Firewall interface for management-access, which significantly benefits broadband environments.
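An added example, not from the original guide, that combines the management and logging features described above into one hardened configuration: a device identifier in syslog, an annotated access list with per-flow logging and an entry inserted at a fixed position, login banners, a console timeout, SSH restricted to a management host, management-access, and output filtering. The hostname, addresses and banner text are assumed.

```cisco
! Identify this firewall in every syslog message and ship logs off-box.
hostname pix-edge1
logging on
logging timestamp
logging host inside 10.1.1.50
logging trap informational
logging device-id hostname

! Annotated access list. The deny line logs at level 4 with per-flow
! statistics summarised every 300 seconds; the https entry is inserted as
! line 2 without rebuilding the list.
access-list outside_in remark Public web server, global address
access-list outside_in permit tcp any host 209.165.201.10 eq www
access-list outside_in remark Everything else is dropped and logged
access-list outside_in deny ip any any log 4 interval 300
access-list outside_in line 2 permit tcp any host 209.165.201.10 eq https
access-group outside_in in interface outside

! Banners shown on console, Telnet and SSH, plus an idle timeout in minutes.
banner motd Authorized use only. Activity is monitored and logged.
banner login Disconnect now if you are not an authorized administrator.
banner exec Configuration changes are recorded.
console timeout 5

! Prefer SSH (Telnet is cleartext) and limit it to the management host.
ssh 10.1.1.50 255.255.255.255 inside
ssh timeout 10

! Allow the inside interface to be reached for management over a VPN tunnel.
management-access inside

! Output filtering on show commands.
show running-config | include access-list outside_in
show running-config | grep -v remark
```

Verify the ordering with show access-list outside_in, which prints the entries with their line numbers and hit counts, and send a test connection that should be denied to confirm the logged message carries the device-id.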
The output of the show version command is enhanced to display additional information. The maximum allowed length of the host name is raised to 63 characters, and the maximum allowed length of the domain name is raised above 64 characters; together these bound the fully qualified domain name, plus its terminating null byte, to a fixed maximum length.
This feature enhances the current show tech command output to include additional diagnostic information. The no debug all and undebug all commands turn off all active debugs at once and restore the PIX Firewall to normal operation.
The no debug all, undebug all, debug arp, debug crypto vpnclient, and debug aaa [authentication | authorization | accounting | internal] commands were added to the debug command in this release. TBI mode does not support half duplex. GMII mode supports both half duplex and full duplex. All the Gigabit Ethernet controllers used in the PIX Firewalls are configured for TBI and thus cannot support half-duplex mode, so the half-duplex setting has been removed. Users can now specify the capture command to store the packet capture in a circular buffer.
The capture will continue writing packets to the buffer until it is stopped by the administrator. During the upgrade process the system displays the message "ethernet1 interface can only be set to full." These messages (possibly one per interface) are followed by a reboot.
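An added example, not from the original guide, of a filtered packet capture using the circular buffer so that the most recent packets are kept when the buffer fills. The addresses, capture name and TFTP server are assumed.

```cisco
! Capture only the traffic of interest. On the inside interface the real
! (pre-NAT) address is seen, so filter on it rather than the global address.
access-list cap_web permit tcp any host 192.168.1.10 eq www
access-list cap_web permit tcp host 192.168.1.10 eq www any

! 512 KB buffer, whole frames, and circular-buffer so the capture keeps
! running and overwrites the oldest packets instead of stopping when full.
capture web access-list cap_web interface inside buffer 524288 packet-length 1518 circular-buffer

! Inspect on the box, or copy it out as a pcap for Wireshark.
show capture web detail
show capture web access-list cap_web count 50
copy capture:web tftp://10.1.1.50/web.pcap pcap

! Stop the capture and release the buffer when finished.
no capture web
```

Because the buffer wraps, note the time of the event you are chasing and export promptly; on a busy interface a 512 KB circular buffer holds only a few seconds of full-size frames.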
Cisco PIX Firewall Software
Cisco PIX Firewall and VPN Configuration Guide, Version 6.3