CCNP Certification: Benefits and Limitations of Context-Based Ac

Introduction

In preparation for our CCNP exam, we want to make sure we cover the various concepts that could appear on the Cisco CCNP exam. To assist you, below we discuss the Benefits and Limitations of Context-Based Access Control.

This document contains frequently asked questions (FAQ) about the Cisco PIX Firewall Manager (PFM).

Q. What are some general tips for the best PFM performance?

A.

  • Try not to install PFM on a machine that runs Microsoft Internet Information Server (IIS). The install works, but you must verify that PFM does not occupy any server ports used by IIS.
  • If any error messages are displayed during the PFM install, capture them (press ALT + PrtScn (Print Screen), cut and paste to a .txt file, and save). Contact the Technical Assistance Center (TAC) immediately. Do not attempt to proceed.
  • Verify that your Windows NT Service Pack (SP) is up-to-date. All Windows NT SPs through SP5 work on all PFM versions, but the browser that installs the service pack may not be supported. Check the PFM banner page to verify browser compatibility, and download the appropriate supported version. You can download these versions from the Netscape FTP site at:

Q. Where can I get documentation on the PFM?

A. There is no print manual for the PFM. Online help is provided on most PFM screens. Release notes are provided for each revision; read them before beginning installation.

Q. Why does PFM not install? It says I do not have permission to run the installer.

A. Possible reasons:

  • You might not be logged into the Windows NT machine locally (not the domain) as "administrator". At times, users with administrative rights can successfully install the product, but usually even users in the administrator group do not have enough rights to install the product.
  • You might be attempting to install on a primary domain controller (PDC) or a backup domain controller (BDC). PFM installation needs to create a local Security Access Management (SAM) database for PFM access, which is usually not possible with default PDC or BDC installations. Further, when the PFM process is configured for logging, the machine is taxed. Generally, administrators do not want to task critical network servers, such as PDCs or BDCs, with additional services.

Q. Why does my NT system speaker beep continuously after the PFM install?

A. The NT beeps indicate an application port conflict. Usually, a syslog application (Cisco Works, PIX Firewall Syslog Server (PFSS) or a third-party application) is already listening on UDP 514, or a Web server is already occupying the PFM default TCP port 8080. Complete these steps to troubleshoot:

  1. Uninstall PFM completely. Use Windows Explorer to remove the install directory.
  2. Reboot the machine.
  3. Log in to the machine locally (not the domain) as "administrator" (not someone with admin rights).

    Note: Do not run setup yet.
  4. At the command prompt, type netstat -a | findstr # (where # is the port number) to verify that TCP 8080 and UDP 514 are not listed.
    If UDP is listed, uninstall the application that uses it.
    If TCP 8080 is listed, choose an available TCP Port. 8081 is usually okay.
    If you uninstall any applications, repeat steps 2-4.

    Note: It is important to reboot.
  5. Check for and repair any error messages in the event viewer. (For help with the error messages, search for the error message at Microsoft Help and Support.)
  6. Verify in Control Panel | Services that the server service is running.
  7. Reinstall PFM.
  8. Reboot the machine. You can log into the domain or whatever you want this time.
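The port check in step 4, as an added example that is not part of the original FAQ: findstr matches the port number anywhere on the line, so this Python sketch reads the local-address column instead and reports which of the two PFM ports is really taken. The sample output is constructed and assumes numeric output (netstat -a -n); the function names are hypothetical.

```python
# Added example (not Cisco code). Function names are hypothetical.
# Constructed sample of numeric `netstat -a -n` output from the PFM host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18080          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1047      192.168.1.20:8080      ESTABLISHED
  UDP    0.0.0.0:514            *:*
  UDP    192.168.1.10:137       *:*
"""

PFM_TCP_PORT = 8080    # PFM default web port (from the FAQ)
SYSLOG_UDP_PORT = 514  # syslog listener port (from the FAQ)


def bound_ports(netstat_text):
    """Return {(proto, port)} bound locally: TCP sockets in LISTENING, and all UDP."""
    bound = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound connection does not occupy the server port
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            bound.add((proto, int(port)))
    return bound


def pfm_port_report(netstat_text, tcp_port=PFM_TCP_PORT):
    """Summarise conflicts for the two ports PFM needs and pick a free TCP port."""
    bound = bound_ports(netstat_text)
    candidate = tcp_port
    while ("TCP", candidate) in bound:
        candidate += 1  # the FAQ suggests 8081 when 8080 is taken
    naive = [l.strip() for l in netstat_text.splitlines() if str(tcp_port) in l]
    return {
        "syslog_udp_conflict": ("UDP", SYSLOG_UDP_PORT) in bound,
        "pfm_tcp_conflict": ("TCP", tcp_port) in bound,
        "usable_tcp_port": candidate,
        "findstr_style_hits": naive,  # what a plain substring match would show
    }


if __name__ == "__main__":
    print(pfm_port_report(SAMPLE_NETSTAT))
```

In the constructed sample a substring match on 8080 returns two lines (a listener on 18080 and an outbound connection to a remote port 8080), yet nothing is listening on local TCP 8080; only UDP 514 is a real conflict.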

Q. I have installed PFM, but it does not run (I do not see the banner page).

A. Possible reasons:

  • You might not be browsing to the correct address; it should be either http://the_nt_ip_address:8080 or http://127.0.0.1:8080 (if you selected an alternate port during installation, use that port's number). Do not attempt to run index.html; it does not work.
  • Make sure your Windows NT IP Stack is not set to use DHCP. You must be assigned a static address.
  • Make sure this static assigned Windows NT IP address has not changed after installation of PFM.
  • Go to Control Panel > Services and make sure the Windows NT server service is running (especially on a Windows NT Workstation). Also, make sure the "PFM service" is started.

Q. Why do I get the error message "Security violation in all five IP addresses in firewall.html" after I click the configuration link from the banner page?

A. Possible reasons:

  • You might not be browsing to the correct address: It should be either http://the_nt_ip_address:8080 or http://127.0.0.1:8080 (If you selected an alternate port during installation, use that port's number.). Do not attempt to run index.html or firewall.html; this does not work.
  • If your Windows NT box is multi-homed (has more than one NIC) or has multiple IP addresses associated with the NIC, make sure all IP addresses of the machine are listed in Program Files\Cisco\PIX Firewall Manager\jclient\netscape\firewall.html. You can edit this file with a text editor. In some rare cases, you may need to add the Windows NT NetBIOS hostname of this machine as one of the IP address entries in this file. Reboot the server after you edit this file.
  • You may have loaded the Firewall Manager software on a Windows NT box that uses DHCP. Firewall Manager requires a static IP Address. If you have changed from DHCP to a static IP address, you need to edit the firewall.html file.

Q. The banner page comes up, and requests a username and password. What is this? Can they be changed from the defaults?

A. The default administrator user name is pixadmin and the default password is cisco. The administrator has read/write configuration abilities.

The default user (read only) username/password is pixuser/cisco. The user manager on the server allows you to add, change, or delete users in the pixadmins or pixusers groups you set up on install.

Q. Is there a log file I can look at for troubleshooting PFM problems?

A. Yes, it is called pfm.log. If you go through this FAQ and still have a problem, the TAC requests this log.

Q. Why does PFM have numerous error messages or not load the configuration after the install?

A. Possible reasons:

  • You must run the browser displayed on the banner page. Other browser versions are not supported. PFM is optimized for specific versions of the Netscape browser. You can download these versions from the Netscape FTP site at: ftp://archive:oldies@archive.netscape.com/archive/index.html.
  • Make sure you have set up your PIX to allow Telnet from the PFM. To verify, go to a command line, Telnet to the PIX interface, and log in to enable mode.
  • Your PIX has an unsupported interface card in it. Only Singleport 10/100 Ethernet/Fast Ethernet and Token Ring interfaces are supported with this product.
  • Your PIX version and PFM version might not be compatible. Current supported platforms are:

14.3.2c does not support any new features or commands in PIX versions newer than 4.3(2) and may generate error messages intermittently because of these new features. This should not affect your ability to configure the older, supported features. You can download the correct code version from the PIX Software Download (registered customers only).

Caution: To avoid lengthy network outages, always review hardware requirements and version release notes before you perform a platform upgrade.

Q. Does PFM run on Windows 2000?

A. PFM only runs on the platform listed in the documentation, which is Windows NT. The successor to PFM is PIX Device Manager (PDM), which works with browsers on Windows 95, 98, NT, and 2000. PDM is available with PIX 6.0 code.

Q. How do I change the PFM administrator (pixadmin) and user (pixuser) passwords from the defaults (which are noted in the PFM release notes)?

A. When PFM installs, it sets up the accounts in the Windows NT user database. The passwords for the default users may be changed as passwords are for other NT users. Go to Start > Programs > Administrative Tools (Common) > User Manager for Domains.

Q. How can I download PFM and PDM?

A. To download the PFM and PDM software described in this document, refer to the PIX Software Download (registered customers only).

Q. Can I use Excel 95, 98, or 2000?

A. You cannot use Excel 95; the macros are not compatible. Excel 98 and 2000 are not supported.

A. You cannot generate reports from the PFM active files (report.xls, stat.dbf, dns.dbf, monday.dbf, and so on). You must copy these files to a separate directory, and open them in Excel 97.

Q. Why can I not download the .dbf files?

A. You cannot copy the Monday.dbf file to another directory until Tuesday, and the Tuesday.dbf file until Wednesday, and so on.

Q. I downloaded .dbf, but report.xls contains no data.

A. Make sure that logging is configured properly. Complete these steps:

  1. Logging traps output must be set to debug, or these files do not populate.
  2. Verify that the logging host is pointed at the PFM server.
  3. Make sure your configuration shows logging on.
  4. Test successful logging by pressing the Immediate syslog notification button in PFM's graphical user interface (GUI). This generates traffic through the PIX. Verify the activity in the GUI pop-up window.
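The first three checks above, as an added example that is not part of the original FAQ: a Python sketch that reads a saved PIX configuration and reports which logging condition is not met. The configuration lines (logging on, logging trap, logging host) and the addresses are a constructed sample and an assumption about how the settings appear in the configuration; the function name and finding labels are hypothetical.

```python
import ipaddress

# Added example (not Cisco code). Function name and finding labels are hypothetical.
# Constructed PIX configuration excerpt; addresses are placeholders.
SAMPLE_CONFIG = """\
hostname pixfirewall
logging on
logging trap warnings
logging host inside 192.168.1.20
"""

DEBUG_LEVELS = {"debugging", "7"}  # severity 7 by name or number


def audit_pfm_logging(config_text, pfm_server_ip):
    """Check the three logging conditions from the FAQ; return a list of findings."""
    pfm = ipaddress.ip_address(pfm_server_ip)
    logging_on, trap_level, hosts = False, None, set()
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["logging", "on"]:
            logging_on = True
        elif words[:3] == ["no", "logging", "on"]:
            logging_on = False
        elif words[:2] == ["logging", "trap"] and len(words) > 2:
            trap_level = words[2]
        elif words[:2] == ["logging", "host"]:
            for token in words[2:]:
                try:
                    hosts.add(ipaddress.ip_address(token))
                except ValueError:
                    pass  # interface name or protocol/port, not an address
    findings = []
    if not logging_on:
        findings.append("logging-off")
    if trap_level not in DEBUG_LEVELS:
        findings.append("trap-not-debug:%s" % trap_level)
    if pfm not in hosts:
        findings.append("pfm-not-a-logging-host")
    return findings


if __name__ == "__main__":
    print(audit_pfm_logging(SAMPLE_CONFIG, "192.168.1.10"))
```

An empty list means all three conditions hold; the constructed sample fails two of them because the trap level is warnings and the only logging host is not the PFM server.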

Q. I can open report.xls, but Excel cannot find the .dbf files it needs to run. What is wrong?

A. You are probably using most recently used (MRU), or double-clicking on report.xls from Windows Explorer. Excel 97 tracks MRU files at the bottom of the File menu, and Windows also tracks these in the Start > Documents menu. Do not open report.xls from those locations. If you do, the macros embedded in report.xls do not function properly. You must use the File > Open menu to open report.xls. When you select File > Open, Excel associates that directory with the application. When you use MRU, Excel keeps the file's association with the "My Documents" folder, and report.xls cannot find the .dbf files.

Q. Can I have the password to access and modify the macros embedded in report.xls for my own use?

A. Modifications to that file are not allowed. The product can only be supported when the code is intact. Report.xls is password protected to protect the integrity of the embedded macros. If you have specific needs not addressed by the macro, you can either:

  • Write your own rendition of the macro.
  • Submit an enhancement request through the TAC for future release consideration.

We hope you found this Cisco certification article helpful. We pride ourselves on not only providing top notch Cisco CCNP exam information, but also providing you with the real world Cisco CCNP skills to advance in your networking career.
