Communication between interfaces with same security level

Rex Biesty
Level 1

Hi. I've recently taken over the management of a Pix 515e (running 6.3) with its interface levels set as follows

inside    100
site_1     50
site_2     50
outside     0

The issue I have is that site_1 and site_2 are now regarded as trusted sites so I need to allow comms between them. I've achieved this between inside and site_1 and inside and site_2 using translation and access rules but was wondering how best to achieve this between site_1 and site_2 given they both have the same security level, preferably without changing the level of one as there is already plenty of config on the device relating to interfaces.

Thanks, Rex

5 Replies

rahgovin
Level 4

Same security traffic is only permitted from 7.x code in PIX. You could lower the security level for one site so that you can pass traffic, or upgrade to 7.x code.

thanks for the reply, thought as such. Upgrading to v7 isn't an option just now as I only have remote access to the pix (the actual device is 320 miles away). What are the effects on the current config of changing one of the interfaces to a slightly different security level?

I just realised that my last post was a bit vague, so I've attached my config. Can someone please take a look and advise on what effects changing the security level of the interface named Darlaston to 49 will have and how I can remedy them? Basically I want Darlaston to communicate freely with Inside and Coventry. Sorry if this seems a basic question; Pix management isn't something I do very often. Thanks.

Hi, there won't be any change with regard to traffic between Darlaston, inside and outside, as basically the order of security levels is still the same between the interfaces: inside > Darlaston > outside. So no need to make any change there. With respect to Darlaston and Coventry, Coventry is now a higher security level, so in order to initiate traffic from Darlaston to Coventry we need to add an inbound access-list on Darlaston to allow traffic from lower to higher security level. Other than that the normal NAT rules prevail, just keeping in mind that Coventry > Darlaston wrt security levels.
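As an added worked example (this is not the config attached to the thread, which is not shown here), the advice above expressed as PIX 6.3 commands. It assumes Coventry and Darlaston are the two level-50 interfaces from the opening post, on ethernet2 and ethernet3, with Coventry addressed 10.2.0.0/16 and Darlaston 10.3.0.0/16; the hardware IDs, the access-list names and all addressing are assumptions for illustration.

```cisco
! Added example, not the poster's configuration. Interface hardware IDs,
! access-list names and addressing (Coventry 10.2.0.0/16, Darlaston
! 10.3.0.0/16) are assumed for illustration.

! 1. Break the tie. In 6.x the security level is part of the nameif
!    command: Coventry stays at 50, Darlaston drops to 49.
nameif ethernet2 Coventry security50
nameif ethernet3 Darlaston security49

! 2. Translation. Coventry is now the higher-security side, so a static
!    (higher_if,lower_if) is needed before Darlaston can reach Coventry
!    hosts. Mapping the subnet to itself is an identity translation: no
!    addresses change. A static is bidirectional, so it also provides the
!    translation Coventry hosts need when they open sessions to Darlaston.
!    The trailing "0 0" are the max_conns and emb_limit fields (unlimited).
static (Coventry,Darlaston) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0

! 3. Access. Lower to higher is denied by default, so the inbound list on
!    Darlaston must permit Darlaston -> Coventry. PIX 6.x access-lists use
!    normal netmasks, not IOS wildcard masks.
access-list Darlaston_in permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-group Darlaston_in in interface Darlaston

! 4. Higher to lower (Coventry -> Darlaston) is permitted by default. It is
!    still filtered by any access-group already applied inbound on Coventry;
!    if one exists, add the matching permit to that existing list:
access-list Coventry_in permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0

! 5. Existing translations were built under the old levels; clear them so
!    the new static applies, then save.
clear xlate
write memory
```

Two checks before applying this remotely. First, an interface takes a single inbound access-group, and an applied list ends in an implicit deny: if Darlaston already has a list applied for the Darlaston-to-inside rules that work today, append the new permit to that list rather than applying a second one, otherwise the existing traffic stops. Second, clear xlate drops every current translation on the box, including any your own management session traverses, so be sure the session to the PIX does not depend on an xlate, or schedule the change accordingly. The alternative the first reply mentions is the 7.x command same-security-traffic permit inter-interface, which lets two interfaces at the same level talk without changing either level; it does not exist in 6.3.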

Brilliant. Thanks very much, makes sense. I'll crack on with that and let you know how I get on.
