Communication between interfaces with same security level

Unanswered Question
Aug 2nd, 2010

Hi. I've recently taken over the management of a Pix 515e (running 6.3) with its interface levels set as follows

inside    100
site_1    50
site_2    50
outside   0

The issue I have is that site_1 and site_2 are now regarded as trusted sites so I need to allow comms between them. I've achieved this between inside and site_1 and inside and site_2 using translation and access rules but was wondering how best to achieve this between site_1 and site_2 given they both have the same security level, preferably without changing the level of one as there is already plenty of config on the device relating to interfaces.

Thanks, Rex

Rahul Govindan Mon, 08/02/2010 - 01:31

Same-security traffic is only permitted from 7.x code on the PIX. You could lower the security level for one site so that you can pass traffic, or upgrade to 7.x code.

Rex Biesty Mon, 08/02/2010 - 02:34

thanks for the reply, thought as such. Upgrading to v7 isn't an option just now as I only have remote access to the pix (the actual device is 320 miles away). What are the effects on the current config of changing one of the interfaces to a slightly different security level?

Rex Biesty Mon, 08/02/2010 - 04:06

I just realised that my last post was a bit vague, so I've attached my config. Can someone please take a look and advise on what effects changing the security level of the interface named Darlaston to 49 will have and how I can remedy? Basically I want Darlaston to communicate freely with Inside and Coventry. Sorry if this seems a basic question, Pix management isn't something I do very often. Thanks.

Rahul Govindan Mon, 08/02/2010 - 04:21

Hi, there won't be any change with regard to traffic between Darlaston, inside and outside, as basically the order of security levels is still the same between the interfaces: inside > Darlaston > outside. So no need to make any change there. With respect to Darlaston and Coventry, Coventry is now a higher security level, so in order to initiate traffic from Darlaston to Coventry we need to add an inbound access-list on Darlaston to allow traffic from lower to higher security level. Other than that the normal NAT rules prevail, just keeping in mind that Coventry > Darlaston with respect to security levels.
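
The change described in the reply above, written out as an added PIX 6.3 configuration example. This is not from the original thread or from Rex's attached config: the hardware ports (ethernet2/ethernet3), the access-list names and the site address ranges (inside 10.1.0.0/16, Darlaston 10.2.0.0/16, Coventry 10.3.0.0/16) are all assumptions and need to be swapped for the real values from the device.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   inside 10.1.0.0/16   Darlaston 10.2.0.0/16   Coventry 10.3.0.0/16
! Hardware port names are also assumptions; check "show nameif" on the
! real box before re-issuing nameif.

! 1. Break the tie: Darlaston drops to 49, Coventry stays at 50.
nameif ethernet2 Darlaston security49
nameif ethernet3 Coventry security50

! 2. NAT exemption between the two sites. On 6.3 "nat 0 access-list" is
!    bidirectional: Coventry->Darlaston (higher->lower) works without a
!    global, and Darlaston hosts can reach Coventry without a static.
!    Only one "nat (Coventry) 0 access-list" is allowed; if one already
!    exists for Coventry->inside, add this line to that ACL instead.
access-list NONAT_COVENTRY permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (Coventry) 0 access-list NONAT_COVENTRY

! 3. Darlaston is now the lower interface toward Coventry, so traffic
!    initiated from Darlaston needs an explicit inbound permit. Only one
!    access-group per interface: if an inbound ACL is already applied to
!    Darlaston (for Darlaston->inside), append to that list rather than
!    creating a second one, which would replace it.
access-list DARLASTON_IN permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-group DARLASTON_IN in interface Darlaston

! 4. Flush existing translations so the new rules take effect, then save.
clear xlate
write memory
```

The identity static `static (Coventry,Darlaston) 10.3.0.0 10.3.0.0 netmask 255.255.0.0` is the other common way to expose Coventry hosts to the lower interface; the `nat 0 access-list` form is used here because it covers both directions in one statement. Two points worth checking before committing this: first, once the levels differ, Coventry can initiate any connection to Darlaston by default (subject only to NAT and whatever ACL is on Coventry), while Darlaston gets only what `DARLASTON_IN` grants, so the site you trust less is the one that should take 49, and the permit line should be narrowed to the hosts and ports actually needed rather than the whole /16. Second, if the box is later upgraded, 7.x makes the level change unnecessary: `same-security-traffic permit inter-interface` allows the two 50-level interfaces to talk directly, with ACLs still applying. Verify the result with `show access-list` (hit counts) and `show xlate` from a host on each side.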

Rex Biesty Mon, 08/02/2010 - 04:26

Brilliant. Thanks very much, makes sense. I'll crack on with that and let you know how I get on.
