17.12.2020
22
- Cisco Pix 6.3 Generate Ssh Key Linux
- Cisco Pix 6.3 Generate Ssh Key Windows
- Cisco Pix 6.3 Generate Ssh Key Login
- Cisco Pix 6.3 Generate Ssh Key Mac
- Generate Ssh Key Aix
Contents
Oct 27, 2003 The website www.cisco.com has configuration examples for practically everything under the planet, including the start for this one. To configure a Cisco PIX Firewall to support SSH, enter the following commands: hostname myfirewall domain-name mydomain.mytld ca gen rsa key 1024 ssh 172.18.124.114 255.255.255.255 inside ssh timeout 60. Hi, A very high level question here but really could do with a detailed response. Trying to generate a CSR on a PIX 6.3 without requiring the use of SCEP. The PIX OS Command-Line Interface - PIX OS Versions The operating system for Cisco PIX/ASA firewalls is known as the PIX OS. Because the PIX product line was acquired and not originally developed by Cisco, PIX OS versions up to 6.0 featured a command-line interface that was similar to, but not exactly like, the Cisco IOS. Oct 14, 2008 This document provides a sample configuration of Secure Shell (SSH) on the inside and outside interfaces of Cisco Series Security Appliance version 7.x and later. 6.3 Maintaining a Project; 6.4. 4.3 Git on the Server - Generating Your SSH Public Key. Generating Your SSH Public Key. Many Git servers authenticate using SSH public keys. In order to provide a public key, each user in your system must generate one if they don’t already have one. This process is similar across all operating systems.
Introduction
PIX command authorization and expansion of local authentication was introduced in version 6.2. This document provides an example of how to set this up on a PIX. Previously available authentication features are still available but not discussed in this document (for example, Secure Shell (SSH), IPsec client connection from a PC, and so on). The commands performed may be controlled locally on the PIX or remotely through TACACS+. RADIUS command authorization is not supported; this is a limitation of the RADIUS protocol.
Local command authorization is done by assigning commands and users to privilege levels.
Remote command authorization is done through a TACACS+ authentication, authorization, and accounting (AAA) server. Multiple AAA servers can be defined in the event that one is unreachable.
Authentication also works with previously configured IPSec and SSH connections. SSH authentication requires that you issue this command:
Note: If you use a TACACS+ or RADIUS server group for authentication, you can configure the PIX to use the local database as a FALLBACK Method if the AAA server is unavailable.
For Example
You can alternatively use the local database as your main method of authentication (with no fallback) if you enter LOCAL alone.
For example, issue this command in order to define a user account in the local database and to perform local authentication for an SSH connection:
Refer to How To Perform Authentication and Enabling on the Cisco Secure PIX Firewall (5.2 Through 6.2) for more information on how to create AAA-authenticated access to a PIX Firewall that runs PIX Software version 5.2 through 6.2 and for more information about enable authentication, syslogging, and gaining access when the AAA server is down.
Refer to PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example for more information on how to create AAA-authenticated (Cut-through Proxy) access to a PIX Firewall that runs PIX Software versions 6.3 and later.
If the configuration is done properly, you should not be locked out of the PIX. If the configuration is not saved, rebooting the PIX should return it to its pre-configuration state. If the PIX is not accessible due to misconfiguration, refer to Password Recovery and AAA Configuration Recovery Procedure for PIX.
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
The information in this document is based on these software and hardware versions:
PIX Software version 6.2
Cisco Secure ACS for Windows version 3.0 (ACS)
Cisco Secure ACS for UNIX (CSUnix) version 2.3.6
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Testing Prior to Adding Authentication/Authorization
Prior to implementing the new 6.2 authentication/authorization features, make sure that you are currently able to gain access to the PIX using these commands:
Understanding Privilege Settings
Most commands in the PIX are at level 15, although a few are at level 0. To view current settings for all commands, use this command:
Most commands are at level 15 by default, as shown in this example:
A few commands are at level 0, as shown in this example:
The PIX can operate in enable and configure modes. Some commands, such as show logging, are available in both modes. To set privileges on these commands, you must specify the mode that the command exists in, as shown in the example. The other mode option is enable. You get the logging is a command available in multiple modes error message. If you do not configure the mode, use the mode [enable configure] command:
These examples address the clock command. Use this command to determine the current settings for the clock command:
The output of the show privilege command clock command shows that the clock command exists in these three formats:
Authentication/Authorization - Local Usernames
Before changing the privilege level of the clock command, you should go to the console port to configure an administrative user and turn on LOCAL login authentication, as shown in this example:
The PIX confirms the addition of the user, as shown in this example:
The user 'poweruser' should be able to Telnet into the PIX and enable with the existing local PIX enable password (the one from the enable password <password> command).
You can add more security by adding authentication for enabling, as shown in this example:
This requires the user to enter the password both for login and enable. In this example, the password 'poweruser' is used for both login and enable. User 'poweruser' should be able to Telnet into the PIX and also enable with the local PIX password.
If you want some users to be able to only use certain commands, you have to set up a user with lower privileges, as shown in this example:
Since practically all of your commands are at level 15 by default, you have to move some commands down to level 9 so that 'ordinary' users can issue them. In this instance, you want your level 9 user to be able to use the show clock command, but not to reconfigure the clock, as shown in this example:
You also need your user to be able to log out of the PIX (the user might be in level 1 or 9 when wanting to do this), as shown in this example:
You need the user to be able to use the enable command (the user is at in level 1 when attempting this), as shown in this example:
By moving the disable command to level 1, any user between levels 2-15 can get out of enable mode, as shown in this example:
If you Telnet in as the user 'ordinary' and enable as the same user (the password is also 'ordinary'), you should use the privilege configure level 1 command disable, as shown in this example:
If you still have the original session open (the one prior to adding any authentication), the PIX may not know who you are because you did not initially log in with a username. If that is the case, use the debug command to view messages about the user 'enable_15' or 'enable_1' if there is no associated username. Therefore, Telnet into the PIX as the user 'poweruser' (the 'level 15' user) prior to configuring command authorization, because you need to be sure the PIX can associate a username with the commands being attempted. You are ready to test command authorization by using this command:
The user 'poweruser' should be able to Telnet in, enable, and perform all commands. The user 'ordinary' should be able to use the show clock, enable, disable, and logout commands but no others, as shown in this example:
Authentication/Authorization with an AAA Server
You can also authenticate and authorize users by using an AAA server. TACACS+ works best because command authorization is possible, but RADIUS can also be used. Check to see if there are previous AAA Telnet/console commands on the PIX (in the event that the LOCAL AAA command was previously used), as shown in this example:
If there are previous AAA Telnet/console commands, remove them by using these commands:
As with configuring local authentication, test to make sure users can Telnet into the PIX by using these commands.
Depending on what server you are using, configure the PIX for authentication/authorization with an AAA server.
ACS - TACACS+
Configure ACS to communicate with the PIX by defining the PIX in the Network Configuration with 'Authenticate Using' TACACS+ (for Cisco IOS® Software). The configuration of the ACS user depends on the configuration of the PIX. At a minimum, the ACS user should be set up with a username and password.
On the PIX, use these commands:
At this point, the ACS user should be able to Telnet into the PIX, enable it with the existing enable password on the PIX, and perform all commands. Complete these steps:
If there is a need to do PIX enable authentication with ACS, choose Interface Configuration > Advanced TACACS+ Settings.
Check the Advanced TACACS+ Features in Advanced Configuration Options box.
Click Submit. The Advanced TACACS+ Settings are now visible under the user configuration.
Set Max Privilege for any AAA Client to Level 15.
Choose the enable password scheme for the user (which could involve configuring a separate enable password).
Click Submit.
To turn on enable authentication through TACACS+ in the PIX, use this command:
At this point, the ACS user should be able to Telnet into the PIX and enable with the enable password configured in ACS.
Prior to adding PIX command authorization, ACS 3.0 must be patched. You can download the patch from the Software Center (registered customers only) . You can also view additional information about this patch by accessing Cisco bug ID CSCdw78255 (registered customers only) .
Authentication must be working prior to doing command authorization. If there is a need to perform command authorization with ACS, choose Interface Configuration > TACACS+ (Cisco) > Shell (exec) for user and/or group and click Submit. The shell command authorization settings are now visible under the user (or group) configuration.
It is a good idea to set up at least one powerful ACS user for command authorization and to permit unmatched Cisco IOS commands.
Other ACS users can be set up with command authorization by permitting a subset of commands. This example uses these steps:
Choose Group Settings to find the desired group from the drop-down box.
Click Edit Settings.
Choose Shell Command Authorization Set.
Click the Command button.
Enter login.
Choose Permit under Unlisted Arguments.
Repeat this process for the logout, enable, and disable commands.
Choose Shell Command Authorization Set.
Click the Command button.
Entershow.
Under Arguments , enter permit clock.
Choose deny for Unlisted Arguments.
Click Submit.
Here is an example of these steps:
If you still have your original session open (the one prior to adding any authentication), the PIX may not know who you are because you did not initially log in with a ACS username. If that is the case, use the debug command to view messages about user 'enable_15' or 'enable_1' if there is no username associated. You need to be sure the PIX can associate a username with the commands being attempted. You can do this by Telnetting into the PIX as the level 15 ACS user prior to configuring command authorization. You are ready to test command authorization by using this command:
At this point, you should have one user who should be able to Telnet in, enable, and use all of the commands, and a second user who can only do five commands.
CSUnix - TACACS+
Configure CSUnix to communicate with the PIX as you would with any other network device. The configuration of the CSUnix user depends on the configuration of the PIX. At a minimum, the CSUnix user should be set up with a username and password. In this example, three users have been set up:
On the PIX, use these commands:
Cisco Pix 6.3 Generate Ssh Key Linux
At this point, any of the CSUnix users should be able to Telnet into the PIX, enable with the existing enable password on the PIX, and use all of the commands.
Enable authentication through TACACS+ in the PIX:
At this point, the CSUnix users who have 'privilege 15' passwords should be able to Telnet into the PIX and enable with those 'enable' passwords.
If you still have your original session open (the one prior to adding any authentication), the PIX may not know who you are because you did not initially log in with a username. If that is the case, issuing the debug command may show messages about user 'enable_15' or 'enable_1' if there is no username associated. Telnet into the PIX as the user 'pixtest' (our 'level 15' user) prior to configuring command authorization, because we need to be sure the PIX can associate a username with the commands being attempted. Enable authentication must be on prior to doing command authorization. If there is a need to perform command authorization with CSUnix, add this command:
Of the three users, 'pixtest' can do everything, and the other two users can do a subset of commands.
ACS - RADIUS
RADIUS command authorization is not supported. Telnet and enable authentication is possible with ACS. ACS can be configured to communicate with the PIX by defining the PIX in Network Configuration with 'Authenticate Using' RADIUS (any variety). The configuration of the ACS user depends on the configuration of the PIX. At a minimum, the ACS user should be set up with a username and password.
On the PIX, use these commands:
At this point, the ACS user should be able to Telnet into the PIX, enable with the existing enable password on the PIX, and use all commands (the PIX does not send commands to the RADIUS server; RADIUS command authorization is not supported).
If you want to enable with ACS and RADIUS on the PIX, add this command:
Unlike with TACACS+, the same password is used for RADIUS enable as for RADIUS login.
CSUnix - RADIUS
Configure CSUnix to talk to the PIX as you would with any other network device. The configuration of the CSUnix user depends on the configuration of the PIX. This profile works for authentication and enabling:
On the PIX, use these commands:
If you want to enable with ACS and RADIUS on the PIX, use this command:
Unlike with TACACS+, the same password is used for RADIUS enable as for RADIUS login.
Network Access Restrictions
Network access restrictions can be used in both ACS and CSUnix to limit who may connect to the PIX for administrative purposes.
ACS—The PIX would be configured in the Network Access Restrictions area of the Group Settings. The PIX configuration is either 'Denied Calling/Point of Access Locations' or 'Permitted Calling/Point of Access Locations' (depending on the security plan).
CSUnix—This is an example of a user who is permitted access to the PIX, but not other devices:
Debug
To turn on debug, use this command:
These are examples of good and bad debugs:
Good debug—The user is able to use the log in, enable, and perform commands.
Bad debug—Authorization fails for user, as shown in this example:
The remote AAA server is unreachable:
Accounting
There is no actual command accounting available, but by having syslog activated on the PIX, you can see what actions were performed, as shown in this example:
Information to Collect if You Open a TAC Case
| If you still need assistance after following the troubleshooting steps above and want to open a case with the Cisco TAC, be sure to include the following information for troubleshooting your PIX Firewall. |
|---|
|
Related Information
Table Of Contents
Cisco PIX Firewall Release Notes Version 6.3(5)
February 2008
Contents
This document includes the following sections:
•Introduction
•System Requirements
•New and Changed Information
•Important Notes in Release 6.3
•Caveats
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Introduction
The PIX Firewall delivers unprecedented levels of security, performance, and reliability, including robust, enterprise-class security services such as the following:
•Stateful inspection security, based on state-of-the-art Adaptive Security Algorithm (ASA)
•Over 100 predefined applications, services, and protocols for flexible access control
•Virtual Private Networking (VPN) for secure remote network access using IKE/IPSec standards
•Intrusion protection from over 55 different network-based attacks
•URL filtering of outbound web traffic through third-party server support
•Network Address Translation (NAT) and Port Address Translation Support (PAT)
Additionally, PIX Firewall Version 6.3 software supports Cisco PIX Device Manager (PDM) Version 3.0 and adds enhancements to features introduced in earlier releases.
System Requirements
The sections that follow list the system requirements for operating a PIX Firewall with Version 6.3 software.
Memory Requirements
The PIX 501 has 16 MB of RAM and will operate correctly with Version 6.1(1) and higher, while all other
PIX Firewall platforms continue to require at least 32 MB of RAM (and therefore are also compatible with version 6.1(1) and higher).
Cisco Pix 6.3 Generate Ssh Key Windows
In addition, all units except the PIX 501 and PIX 506E require 16 MB of Flash memory to boot. (The PIX 501 and PIX 506E have 8 MB of Flash memory, which works correctly with Version 6.1(1) and higher.)
Table 1 lists Flash memory requirements for this release.
Flash Memory Required in Version 6.3 | |
|---|---|
PIX 501 | 8 MB |
PIX 506E | 8 MB |
PIX 515/515E | 16 MB |
PIX 520 | 16 MB (Some PIX 520 units may need a memory upgrade because older units had 2 MB, though newer units have 16 MB) |
PIX 525 | 16 MB |
PIX 535 | 16 MB |
Software Requirements
Version 6.3 requires the following:
1. The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, you need to download the Boothelper file from Cisco Connection Online (CCO) to let you download the PIX Firewall image with TFTP.
2. If you are upgrading from Version 4 or earlier and want to use the Auto Update, IPSec, SSH, PDM, or VPN features or commands, you must have a new 56-bit DES activation key. Before getting a new activation key, write down your old key in case you want to retrograde to Version 4. You can have a new 56-bit DES activation key sent to you by completing the form at the following website:
3. If you are upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to 'Upgrading to a New Software Release' for new installation requirements.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum configuration file size limit is increased to 2 MB for PIX Firewall software Versions 5.3(2) and later. For other PIX Firewall platforms, the maximum configuration file size limit is 1 MB. Earlier versions of the PIX 501 are limited to a 256 KB configuration file size. If you are using PIX Device Manager (PDM), we recommend no more than a 100 KB configuration file because larger configuration files can interfere with the performance of PDM on your workstation.
While configuration files up to 2 MB are now supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•While executing commands such as write term and show conf
•Failover (the configuration synchronization time)
•During a system reload
The optimal configuration file size for use with PDM is less than 100 KB (which is approximately 1500 lines). Please take these considerations into account when planning and implementing your configuration.
Cisco VPN Software Interoperability
Interoperability Comments | |
|---|---|
Cisco IOS Routers | PIX Firewall Version 6.3 requires Cisco IOS Release 12.0(6)T or higher running on the router when using IKE Mode Configuration on the PIX Firewall. |
Cisco VPN 3000 Concentrators | PIX Firewall Version 6.3 requires Cisco VPN 3000 Concentrator Version 2.5.2 or higher for correct VPN interoperability. |
Cisco VPN Client Interoperability
Interoperability Comments | |
|---|---|
Cisco Secure VPN Client v1.x | PIX Firewall Version 6.3 requires Cisco Secure VPN Client Version 1.1. Cisco Secure VPN Client Version 1.0 and 1.0a are no longer supported. |
Cisco VPN Client v3.x (Unified VPN Client Framework) | PIX Firewall Version 6.3 supports the Cisco VPN Client Version 3.x that runs on all Microsoft Windows platforms. It also supports the Cisco VPN Client Version 3.5 or higher that runs on Linux, Solaris, and Macintosh platforms. |
Cisco Easy VPN Remote Interoperability
Interoperability Comments | |
|---|---|
PIX Firewall Easy VPN Remote v6.3 | PIX Firewall software Version 6.3 Cisco Easy VPN Server requires PIX Firewall software Version 6.3 Easy VPN Remote. |
VPN 3000 Easy VPN Remote v3.6 | PIX Firewall software Version 6.3 Cisco Easy VPN Server requires the VPN 3000 Version 3.6 Easy VPN Remote that runs on the VPN 3002 platform. |
Cisco IOS Easy VPN Remote Release 12.2(16.4)T | PIX Firewall software Version 6.3 Cisco Easy VPN Server interoperates with Cisco IOS 806 Easy VPN Remote Release (16.4)T. |
Cisco Easy VPN Server Interoperability
Interoperability Comments | |
|---|---|
PIX Firewall Easy VPN Server v6.3 | PIX Firewall software Version 6.3 Cisco Easy VPN Remote requires a PIX Firewall Version 6.3 Easy VPN Server. |
VPN 3000 Easy VPN Server v3.6.7 | PIX Firewall software Version 6.3 Cisco Easy VPN Remote requires VPN 3000 Version 3.6.7 Easy VPN Server. |
Cisco IOS Easy VPN Server Release 12.2(15)T | PIX Firewall software version 6.3 Cisco Easy VPN Remote works with Cisco IOS Release 12.2(15)T Easy VPN Server in IKE pre-shared authentication and does not work with certificate. It is expected to interoperate using certificate, after CSCea02359 and CSCea00952 resolved and integrated in later versions of Cisco IOS Easy VPN Server. |
Determining the Software Version
Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Release
If you have a Cisco Connection Online (CCO) login, you can obtain software from the following website:
New and Changed Information
Version 6.3(5) is a maintenance release which includes several caveat resolutions.
Important Notes in Release 6.3
This section describes important notes for Version 6.3.
Simultaneous PPTP Connection Limitation
There is a hardware limitation of 128 concurrent sessions in PIX 6.x. If you subtract one for the PPTP listening socket, the maximum number of simultaneous PPTP connections is127.
Attempts to connect more than 127 connections with PIX 6.x generates the following error message:
ACL Source Address Change When an Alias is Configured
Cisco Pix 6.3 Generate Ssh Key Login
When the alias command is used for destination address translation, an inbound message originating from the foreign_ip source address is translated to the dnat_ip address. If you configure an inbound ACL with an address defined by the alias command, you must use the foreign_ip address as the ACL source address instead of the dnat_ip address, as was used in Release 6.2. The ACL check is now done before the translation occurs, which is consistent with the way the firewall treats other NATed addresses in ACLs.
Interface Settings on the PIX 501 and PIX 506E
With the PIX Firewall Version 6.3, the settings for the following interfaces have been updated as follows:
•PIX 501 outside interface (port 0) - 10/100 Mbps half or full duplex
•PIX 501 inside interface - 10/100 Mbps half or full duplex
•PIX 506E inside interface - 10/100 Mbps half or full duplex
•PIX 506E outside interface - 10/100 Mbps half or full duplex
Note When upgrading the PIX 501 to Version 6.3, the inside interface is automatically upgraded to 100 Mbps full duplex. During the upgrade process the system displays the message 'ethernet1 interface can only be set to 100full.'
Upgrading the PIX 506 and the PIX 515
When upgrading a classic PIX 506 or PIX 515 (the non 'E' versions) to PIX Firewall OS Version 6.3, the following message(s) might appear when rebooting the PIX Firewall for the first time after the upgrade:
ethernet0 was not idle during boot.
ethernet1 was not idle during boot.
These messages (possibly one per interface) will be followed by a reboot. This is a one-time event and is a normal part of the upgrade on these platforms.
Easy VPN Remote and Easy VPN Server
The PIX 501 and PIX 506/506E are both Easy VPN Remote and Easy VPN Server devices. The PIX 515/515E, PIX 525, and PIX 535 act as Easy VPN Servers only.
The PIX 501 and PIX 506/506E can act as Easy VPN Remote devices or Easy VPN Servers so that they can be used either as a client device or VPN headend in a remote office installation. The PIX 515/515E, PIX 525, and PIX 535 act as Easy VPN Servers only because the capacity of these devices makes them appropriate VPN headends for higher-traffic environments.
PIX 535 Interfaces
These practices must be followed to achieve the best possible system performance on the PIX 535:
•PIX-1GE-66 interface cards should be installed first in the 64-bit/66 MHz buses before they are installed in the 32-bit/33 MHz bus. If more than four PIX-1GE-66 cards are needed, they may be installed in the 32-bit/33 MHz bus but with limited potential throughput.
•PIX-VACPLUS should be installed in a 64-bit/66 MHz bus to avoid degraded throughput.
•PIX-1GE and PIX-1FE cards should be installed first in the 32-bit/33 MHz bus before they are installed in the 64-bit/66 MHz buses. If more than five PIX-1GE and/or PIX-1FE cards are needed, they may be installed in a 64-bit/66 MHz bus but doing so will lower that bus speed and limit the potential throughput of any PIX-1GE-66 card installed in that bus.
The PIX-1GE Gigabit Ethernet adaptor is supported in the PIX 535; however, its use is strongly discouraged because maximum system performance with the PIX-1GE card is much slower than that with the PIX-1GE-66 card. The software displays a warning at boot time if a PIX-1GE is detected.
Table 2 summarizes the performance considerations of the different interface card combinations.
Installed In Interface Slot Numbers | ||
|---|---|---|
Two to four PIX-1GE-66 | 0 through 3 | Best |
PIX-1GE-66 combined with PIX-1GE or just PIX-1GE cards | 0 through 3 | Degraded |
Any PIX-1GE-66 or PIX-1GE | 4 through 8 | Severely degraded |
Caution The PIX-4FE and PIX-VPN-ACCEL cards can only be installed in the 32-bit/33 MHz bus and must never be installed in a 64-bit/66 MHz bus. Installation of these cards in a 64-bit/66 MHz bus may cause the system to hang at boot time.
Caution If Stateful Failover is enabled, the interface card and bus used for the Stateful Failover LAN port must be equal to or faster than the fastest card used for the network interface ports. For example, if your inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then your Stateful Failover interface must be a PIX-1GE-66 card installed in bus 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card.
Caveats
The following sections describe the caveats for the 6.3 release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
https://tools.cisco.com/Support/BugToolKit
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 6.3(5)
Software Release 6.3(5) | ||
|---|---|---|
Caveat Title | ||
CSCec44081 | No | No address translation if multiple ILS messages in one TCP segment |
CSCee92806 | No | Tunnel not established with NAT-T and certs when MTU > 1500 |
CSCeg13784 | No | PIX tracebacks in turboacl_process when compiling access-list |
CSCeg13789 | No | PIX - compiled ACLs become corrupted over time |
CSCeg54777 | No | Throughput drop for combined FW and multi-tunnel VPN traffic |
CSCeg83890 | No | PIX 501 sends extra byte in passw attr during IUA challenge process |
CSCeh40145 | No | Assertion getting statistics via PDM while PIX in NEM and reloading |
CSCei07402 | No | PIX failed over with SSH thread |
CSCei47019 | No | Logger thread priority too low to allow proper logging queue drain |
CSCei47678 | No | PIX not following SNMP packet size standard in RFC 3417 |
CSCei62031 | No | Traceback in malloc:_free+17 on executing no capture |
CSCei63244 | No | Traceback with lu_rx thread name in failover mode |
CSCei74718 | No | Traceback seen at ssh_init when testing capture |
CSCsb34758 | No | Connection to DMZ fails after PIX authentication session |
CSCsb45070 | No | Assertion bp->rptr >= bp->base && bp->wptr <= bp->limit failed: file |
CSCsb48916 | No | Manual ipsec fail when esp-aes-256 specified with auth |
CSCsb53549 | No | VAC+ may cause interface to stop passing all traffic |
CSCsb53760 | No | Port redirection for DNS traffic does not work correctly |
CSCsb54610 | No | Reload in fover_parse when synchronizing very large access-list |
Resolved Caveats - Release 6.3(5)
Software Release 6.3(5) | ||
|---|---|---|
Caveat Title | ||
CSCdu79031 | Yes | Latency through PIX when issuing write mem command |
CSCea40885 | Yes | PIX - Capture sometimes records wrong MAC addr for PIXs |
CSCec86400 | Yes | PIX traceback after issuing show isakmp sa detail |
CSCec89275 | Yes | Reboot with traceback after modifying access-list |
CSCef10485 | Yes | PIX assigns the first time wrong IP address to VPNclient |
CSCef15146 | Yes | RIP may put the routes with bigger metric into the routing |
CSCef16218 | Yes | Active FTP failed with outside NAT and retransmit PORT |
CSCef16873 | Yes | No Audio During SIP Gateway Call |
CSCef17488 | Yes | PIX SIP fixup does not correctly open RTP conns using NAT |
CSCef17703 | Yes | Premature invalid SPI with dynamic crypto map |
CSCef22894 | Yes | Increase amount of memory allowed for the PDM history |
CSCef24632 | Yes | PIX might reload when clearing the config with pdm history |
CSCef26256 | Yes | PIX crash while doing write standby |
CSCef27344 | Yes | DHCP relay does not work with BOOTP |
CSCef39526 | Yes | Alias command may cause High CPU on Secondary PIX |
CSCef47155 | Yes | PPTP passthru fails after upgrading to 6.3.4 |
CSCef47529 | Yes | PIX crash in radius_snd thread |
CSCef57566 | Yes | PIX PMTUD implementation for IPSec vulnerable to spoofed |
CSCef61702 | Yes | 4-byte block leak when sending TCP RST in some |
CSCef66863 | Yes | OSPF redistribute connected vlan fails on physical |
CSCef75987 | Yes | Packets corrupted and spurious invalid SPI with VAC under |
CSCef80869 | Yes | arp-response received on a wrong interface causes crash |
CSCef81257 | Yes | Inbound SYN Packet has ACK changed from 0 to some random |
CSCef82742 | Yes | Presence of extra lf in uauth FTP answer |
CSCef84827 | Yes | Write Standby is causing http server disabled on standby |
CSCef86106 | Yes | Mishandling of syslog message 106013 |
CSCef91771 | Yes | Identity NAT norandomseq broken with stateful failover |
CSCef93994 | Yes | SIP:Large # of SIP conns from REGISTER xactions cause |
CSCef94622 | Yes | On receiving invalid ACK, RST should be allowed through |
CSCef98132 | Yes | aaa auth match statement not working correctly with |
CSCeg02725 | Yes | Crash when removing aaa serve |
CSCeg04006 | Yes | SEQ number in the outbound RST packet gets randomized |
CSCeg05291 | Yes | SIP: PIX does not reset xlate timer for RTP in certain |
CSCeg07701 | Yes | pptp stops accepting new connections: tcp listening socked |
CSCeg07744 | Yes | Linkdown trap does not contain ifIndex variable |
CSCeg20248 | Yes | PIX 501 crashes when VPN to VPN 3030 concentrator using |
CSCeg22626 | Yes | SIP: PIX add extra white space when IP Address Privacy is |
CSCeg24504 | Yes | Embryonic xlate gets consumed instead of using PAT xlate |
CSCeg31510 | Yes | PIX sets wrong content-length in SIP header |
CSCeg38460 | Yes | SIP: Signalling secondary connection not timing out as |
CSCeg40538 | Yes | SIP:2ndary conns for INVITE should stay up for duration of |
CSCeg41622 | Yes | SIP: Source UDP port of Register are not translated in |
CSCeg48656 | Yes | Potential SYN, ACK, RST loop on TCP recovery mechanism |
CSCeg52090 | Yes | PIX resetting ftp connection |
CSCeg54523 | Yes | PIX reboots continuously with overlapping/redundant statics |
CSCeg56154 | Yes | PIX crash with wrong clear ospf syntax |
CSCeg58814 | Yes | PIX crash stack overflow when show crypto ipsec identity |
CSCeg61351 | Yes | PIX 6.3(4) crashes with thread tacplus_snd similar to |
CSCeg71881 | Yes | Conversion from dhcpd to dhcprelay requires reboot |
CSCeh10239 | Yes | SIP: RTP session is closed/disconnected when receive |
CSCeh21989 | Yes | PIX 6.3 translates aaa accounting cmd automatically and |
CSCeh22724 | Yes | Incorrect xlate can be created by SIP fixup |
CSCeh28734 | Yes | Standby PIX takes active unit MAC for a few sec after boot |
CSCeh33341 | Yes | FastEthernet driver might corrupt packets under extreme |
CSCeh42211 | Yes | TurboACL with more than 65535 elements may compile wrong |
CSCeh42901 | Yes | SIP: CSeq No parsed incorrectly if CSeq no length is 10 |
CSCeh47107 | Yes | SIP: SIP URI Parse error happens when receiving SIP |
CSCeh52176 | Yes | DNS guard disconnects conn on one response |
CSCeh62359 | Yes | SIP: sip-disconnect timeout for SIP sessions |
CSCeh62642 | Yes | SIP: sip-invite timeout for SIP sessions |
CSCeh71223 | Yes | PIX stops forwarding the failover hello packet while write |
CSCeh71254 | Yes | Active FTP failed with cut-through proxy for FTP |
CSCeh73510 | Yes | PIX adds <16> in DC field for LDAP CRL request |
CSCeh74381 | Yes | On receiving invalid ACK, RST should be allowed through |
CSCeh78170 | Yes | Many SA requests at once cause unpredictable failover |
CSCeh92328 | Yes | OSPF external routes preferred over internal with multiple processes |
CSCeh94584 | Yes | Object group search for acl can be enabled after acl is used in nat |
CSCeh96286 | Yes | Deadlock of vac poll and interface threads with VAC card |
CSCeh96556 | Yes | 4 byte block exhaustion may cause failover or dropped connections |
CSCei09184 | Yes | L2TP over IPSEC NAT-T not working with WindowsXP |
CSCei10683 | Yes | SIP: fail to open a conn for Record route in NOTIFY |
CSCei17398 | Yes | Excessive TCP retransmissions for connections to the PIX |
CSCei22149 | Yes | URL filtering: misc issues related to request exhaustion and cleanup |
CSCei24710 | Yes | ffs: loading PDM from mozilla causes assert |
CSCei29707 | Yes | RTSP fixup does not recognise server ports |
CSCei41295 | Yes | Two dynamic maps configured and the correct one not picked up |
CSCei46448 | Yes | Port F1 fix (CSCeh38022) to 6.3. This is the GigE driver tx ring fix |
CSCei58383 | Yes | PIX crashes when -v option used without parameter in piping |
CSCei64471 | Yes | PIX crashes when entering CA SAVE ALL |
CSCsb33373 | Yes | SIP: Not translate c= address if first m= has port 0 in SDP body |
CSCsb37529 | Yes | PIX 6.3.3 crashes with traceback dbgtrace:_dbg_output+135 |
Related Documentation
Cisco Pix 6.3 Generate Ssh Key Mac
Use this document in conjunction with the PIX Firewall and Cisco VPN Client Version 3.x documentation at the following websites:
Cisco provides PIX Firewall technical tips at the following website:
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CCO account you can visit the following websites for assistance:
Generate Ssh Key Aix
TAC Customer top issues for PIX Firewall:
TAC Sample Configs for PIX Firewall:
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0
.