Cisco® PIX™ Firewalls (ISBN: 0072225238)
ERRATA & UPDATES

Chapter 2

Page 51, Figure 2-1: the column called “Outside Port” should really be “Destination Port”.

Page 69: the sentence below the first set of bullets should read: The PIX 515 and 515E do have their differences, though, as is shown in Table 2-7.

Chapter 3

Page 103: the show route output should read as:

    pixfirewall# show route
    inside 192.168.30 255.255.255.0 192.168.31 1 CONNECT static
    outside 192.168.10 255.255.255.0 192.168.11 1 CONNECT static
    dmz 192.168.2.0 255.255.255.0 192.168.2.1 1 1 CONNECT static

Page 111: the bottom of the show processes output should not contain the line beginning with “SYMBOL 223 \f “Wingdings”...”.

Chapter 4

Page 117, second paragraph, last sentence, should read: In most instances, though, the PIX cannot make this determination.

Page 128, Figure 4-11: the packet contents in step 3 should have a source port of 1024.

Page 132, “Address Pools and NAT” section, second paragraph: the last two sentences should read: At this point, starting in FOS 6.0, once all the addresses in the pool are used up, no more address translations can take place and any new devices are denied from making outbound connections. However, prior to 6.0, the PIX would perform PAT on the last address in the pool.

Page 138, “Configuration Example Using Only NAT” section, last paragraph: delete the last sentence.

Page 140: the second route inside command should have 199 in the second octet, not 19.

Page 153, “Using the static command” section, second-to-last paragraph, last sentence: 192.168.100.0/24 should be 201.201.201.0/24.

Chapter 5

Page 183: the first entry in Code Listing 5-9 should be:

    access-list INTERNAL permit tcp any host 192.168.5.5 eq 25

Page 194: the bottom code example should be:

You can create an object group for TCP and UDP applications that you use in your filter commands. To create a services object group, use these commands:

    pixfirewall(config)# object-group service group_ID tcp|udp|tcp-udp
    pixfirewall(config-service)# port-object eq port_number/name
    pixfirewall(config-service)# port-object range first_port last_port

The first command, object-group service, creates a services object group and takes you into the Service Subconfiguration mode. You need to specify either TCP, UDP, or both protocols—this refers to the types of ports within this object group. The second command, the one with the eq parameter, specifies a specific port number (or name) in the Object Group. You can also specify a range of port numbers—you need to use the keyword range followed by the first number in the list and the last number.
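As an added illustration (not from the book or its errata), the services object group syntax above in use, showing how the single eq 25 entry from the Page 183 erratum becomes one access-list entry that covers several ports. The group name MAIL_WEB, the access list name INBOUND and the host 192.168.5.5 are chosen here for the example; object groups require PIX OS 6.2 or later, and lines beginning with ! are explanatory notes, not PIX commands.

```cisco
! Constructed example: build a TCP services object group
pixfirewall(config)# object-group service MAIL_WEB tcp
pixfirewall(config-service)# port-object eq smtp
pixfirewall(config-service)# port-object eq www
pixfirewall(config-service)# port-object range 8080 8090
pixfirewall(config-service)# exit
! Reference the group in place of a single "eq port"; the PIX expands it
! into one ACE per member when the filter is evaluated
pixfirewall(config)# access-list INBOUND permit tcp any host 192.168.5.5 object-group MAIL_WEB
! Apply the filter to traffic entering the outside interface
pixfirewall(config)# access-group INBOUND in interface outside
! Verify the group members and the expanded access-list entries
pixfirewall(config)# show object-group service
pixfirewall(config)# show access-list INBOUND
```

Any port not listed in MAIL_WEB is still dropped by the access list's implicit deny, so adding a port-object to the group is the only change needed to permit a new service to that host.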