08-15-2007 06:07 AM - edited 03-11-2019 03:58 AM
Hi,
I have a PIX 525 that has 8 interfaces: inside, outside, two at security level 75 and four at security level 50.
Traffic from interfaces at security level 50 must not be allowed to the other security level 50 interfaces.
Traffic from interfaces at security level 75 is allowed to the other security level 75 interfaces.
Therefore, I'd rather not enable the same-security-interface-permit command.
I've configured ACLs on the security level 75 interfaces to permit traffic to flow, but it doesn't appear to be working.
If I change the security level on one of the level 75 interfaces to 76, then traffic flows.
Any ideas?
Thanks
Lee
08-15-2007 06:38 AM
How about enabling same-security-traffic permit inter-interface, then writing ACLs to prevent the traffic from the level 50 interfaces?
08-15-2007 06:57 AM
If you use the same-security-traffic permit inter-interface feature you still have to create ACLs to allow the traffic between the interfaces. The same-security-traffic permit inter-interface feature basically allows the firewall to use the ACLs that you create to allow traffic between interfaces with the same security level.
Check this link:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.html#wp1039276
08-15-2007 07:18 AM
That's not what the ASA Command Reference says...
"Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:
- You can allow traffic to flow freely between all same security interfaces WITHOUT access lists."
08-15-2007 08:25 AM
Hi,
I realise I could enable "same-security", but then I have to put denies in 4 ACLs and it starts to get more complex.
What I'm really trying to find out is why hosts on different interfaces that have the same security level cannot communicate even though the ACL permits it.
Do I have to have an ACL for the reply traffic as well, perhaps?
I would also agree that you should not have to add ACLs if "same-security" is turned on. Or perhaps that only applies to the ASA and not the PIX?
Any more thoughts greatly appreciated.
Lee
08-15-2007 09:36 AM
"What I'm really trying to find out is why hosts on different interfaces that have the same security level cannot communicate even though the ACL permits it."
-Because you have not enabled the same-security-traffic command.
"Do I have to have an ACL for the reply traffic as well perhaps?"
-No.
08-15-2007 09:55 AM
So just to clarify then, as I must have misunderstood the configuration guide.
In order for hosts on interfaces of the same security level to communicate, the same-security-interface command must be enabled, even if there are ACLs defined which permit the communication?
08-15-2007 10:12 AM
The code is built to not allow communication between interfaces with the same security level, even if you have ACLs allowing the traffic. One interesting point is that the ASA/PIX behaves differently from the FWSM when using the same-security-interface command. As acomiskey said, when you use same-security-interface it allows communication without ACLs; on the FWSM, after enabling same-security-interface, it still needs ACLs. Another option for you could be to change the security level on one of the interfaces with level 50 to something like 51 or 49 and then add ACLs to allow traffic between those two.
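The approach suggested first in this thread (enable same-security-traffic permit inter-interface, then use inbound ACLs on the level-50 interfaces to block 50-to-50 traffic), written out as an added configuration example that is not part of the original thread. The interface names, subnets, the object-group and ACL names, and the PIX/ASA 7.x-style syntax are assumptions; packet-tracer is assumed to be available (7.2 and later) and is only there as a check.

```cisco
! Added example, not from the thread. Interface names, addresses, ACL and
! object-group names and the 7.x syntax are assumptions; adapt as needed.
!
! Two level-75 interfaces (must talk to each other) and two of the four
! level-50 interfaces (must NOT talk to each other) are shown.
interface GigabitEthernet0/2
 nameif dmz75a
 security-level 75
 ip address 10.75.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif dmz75b
 security-level 75
 ip address 10.75.2.1 255.255.255.0
interface GigabitEthernet0/4
 nameif dmz50a
 security-level 50
 ip address 10.50.1.1 255.255.255.0
interface GigabitEthernet0/5
 nameif dmz50b
 security-level 50
 ip address 10.50.2.1 255.255.255.0
!
! Without this command the PIX/ASA drops traffic between interfaces of
! equal security level no matter what the ACLs say (the behaviour seen in
! the original post). With it, equal-level traffic is allowed by default,
! so the 50-to-50 restriction has to be enforced by the inbound ACLs.
same-security-traffic permit inter-interface
!
! All level-50 subnets in one group. A subnet denying traffic to its own
! range is harmless: hosts in the same subnet never traverse the firewall.
object-group network LEVEL50_NETS
 network-object 10.50.1.0 255.255.255.0
 network-object 10.50.2.0 255.255.255.0
!
! Inbound ACL per level-50 interface: deny the other level-50 subnets
! first, then permit the rest. Binding an ACL with access-group adds an
! implicit deny at the end, so the final permit is what keeps the
! interface's other traffic working; narrow "any any" to the real
! destinations in production.
access-list dmz50a_in extended deny ip 10.50.1.0 255.255.255.0 object-group LEVEL50_NETS
access-list dmz50a_in extended permit ip any any
access-group dmz50a_in in interface dmz50a
!
access-list dmz50b_in extended deny ip 10.50.2.0 255.255.255.0 object-group LEVEL50_NETS
access-list dmz50b_in extended permit ip any any
access-group dmz50b_in in interface dmz50b
!
! No ACL is needed on dmz75a/dmz75b for 75-to-75 traffic once the
! same-security-traffic command is on. Return traffic for any permitted
! connection is handled by the stateful inspection, not by a second ACL.
!
! Checks (assumes packet-tracer, 7.2+): the first should end in DROP on
! the dmz50a_in ACL, the second in ALLOW.
! packet-tracer input dmz50a tcp 10.50.1.10 1025 10.50.2.10 80
! packet-tracer input dmz75a tcp 10.75.1.10 1025 10.75.2.10 80
! show running-config same-security-traffic
```

The deny lines only need to appear in the ACL of each level-50 interface (four ACLs in the original setup), and they only match the initiating direction of a flow; a connection started from dmz75a to dmz50a and its replies are governed by the dmz75a side, which is why no "reply" ACL is required.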
08-15-2007 10:33 AM
Thanks guys, that's answered my questions now.