Community Member

How does the security level work on a VLAN interface?

Hi,

I configured the VLAN interfaces on the inside physical interface e1.

It looks like I am having a problem accessing from a higher security level to a lower one.

Please help to point out my problem.

Here is my configuration. Thanks.

For example: host IP address 172.20.0.5 (inside, security 100) cannot ping 66.x.x.34 (intf3, security 35). However, host 172.20.0.5 can ping any host outside of the PIX, for example 11.11.11.1.

pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
interface ethernet1 vlan5 logical
interface ethernet1 vlan6 logical
interface ethernet1 vlan7 logical
interface ethernet1 vlan8 logical
interface ethernet1 vlan9 logical
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 intf3 security35
nameif vlan4 intf4 security45
nameif vlan5 intf5 security55
nameif vlan6 intf6 security65
nameif vlan7 intf7 security65
nameif vlan8 intf8 security85
nameif vlan9 intf9 security95
nameif vlan10 intf10 security98
enable password xxxx
passwd xxxx
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.2 255.255.255.224
ip address inside 172.20.0.1 255.255.0.0
ip address intf3 66.x.x.33 255.255.255.224
ip address intf4 66.x.x.129 255.255.255.224
ip address intf5 192.168.2.1 255.255.255.0
ip address intf6 66.x.x.225 255.255.255.248
ip address intf7 10.100.1.226 255.255.255.224
ip address intf8 192.168.10.254 255.255.255.224
ip address intf9 10.200.1.126 255.255.255.128
ip address intf10 10.0.0.2 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
no failover ip address intf6
no failover ip address intf7
no failover ip address intf8
no failover ip address intf9
no failover ip address intf10
no pdm history enable
arp timeout 14400
global (outside) 1 66.x.99.10 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf8) 1 0.0.0.0 0.0.0.0 0 0
static (intf3,outside) 66.x.x.32 66.166.99.32 netmask 255.255.255.224 0 0
static (intf4,outside) 66.x.x.128 66.166.99.128 netmask 255.255.255.224 0 0
static (intf6,outside) 66.x.x.224 66.166.100.224 netmask 255.255.255.248 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.x.x.166.99.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

6 REPLIES
Cisco Employee

Re: How does the security level work on a VLAN interface?

Always remember that the PIX does not open up holes for returning ICMP traffic like it does with TCP/UDP, so testing connectivity with pings is fraught with danger.

To make the PIX inspect ICMP packets and open up holes for the replies, add the command:

fixup inspect icmp

into your config; you will probably find you can then ping through it.

Note that you can ping outside hosts because you have the following configured:

access-list acl_out permit icmp any any

access-group acl_out in interface outside

which allows the ICMP replies back in the outside interface, even though they haven't been inspected. If you add the above command you can actually remove this access-list and still be able to ping outside.

Oh, and for the record, security levels for logical interfaces work exactly the same way as they do for physical interfaces. Your config seems correct; I think the cause of your problem is just that you're not inspecting ICMP.

Community Member

Re: How does the security level work on a VLAN interface?

Hi gfullage,

Thank you for your help. For some reason, when I tried the command fixup inspect icmp, it was not accepted in version 6.3(5):

pixfirewall(config)# fixup inspect icmp
wrong key word is entered
Usage: [no] fixup protocol [] [-]
pixfirewall(config)

Cisco Employee

Re: How does the security level work on a VLAN interface?

Ahh fat fingers, sorry. The command is:

fixup protocol icmp

Community Member

Re: How does the security level work on a VLAN interface?

Hi gfullage,

pixfirewall(config)# fixup protocol icmp
Usage: [no] fixup protocol icmp error

The following is accepted with the error option (I do not know whether there are any other options for icmp besides error):

pixfirewall(config)# fixup protocol icmp error
pixfirewall(config)# 111008: User 'enable_15' executed the 'fixup protocol icmp error' command.

Thanks again.

Re: How does the security level work on a VLAN interface?

security levels work same on VLANs as for physical interfaces:

high -> low = nat & global

low -> high = static

this is complicated by no-NAT.

you have a "nat" statement for inside, but not a "global" for intf3, something like:

global (intf3) 1 [ip_address]

or, with no-NAT:

access-list noNAT_inside permit ip 172.20.0.0 255.255.0.0 66.166.99.32 255.255.255.224

nat (inside) 0 access-list noNAT_inside

or, if you want intf3 to be able to initiate to inside:

static (inside,intf3) 172.20.0.0 172.20.0.0 netmask 255.255.0.0 0 100

and you still need the ACL or icmp fixup as described by gfullage.

but if you turned on "logging buff debug" and looked up the messages on CCO, you'd see that.
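The two rules the replies give (high-to-low needs a nat/global pair, nat 0 or a static; low-to-high needs a static, and ping replies need either ICMP inspection or an ACL on the reply-side interface) can be checked mechanically against a config dump. The following is an added example written for this thread, not code from Cisco or from any poster; it parses the relevant lines of the posted PIX 6.3 config and reports why inside-to-intf3 fails while inside-to-outside works. The `66.x.x.40` global address used in the fix-up test is a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed excerpt of the thread's posted config (addresses as posted, x = redacted).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 intf3 security35
access-list acl_out permit icmp any any
global (outside) 1 66.x.99.10 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (intf3,outside) 66.x.x.32 66.166.99.32 netmask 255.255.255.224 0 0
access-group acl_out in interface outside
"""

def parse_pix(config):
    """Collect the statements that decide whether a connection may be initiated."""
    cfg = {"level": {}, "nat": defaultdict(set), "global": defaultdict(set),
           "nat0": set(), "static": set(), "icmp_acl": set(), "acl_if": {},
           "icmp_fixup": False}
    for line in config.splitlines():
        if m := re.match(r"nameif \S+ (\S+) security(\d+)", line):
            cfg["level"][m[1]] = int(m[2])
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            (cfg["nat0"].add(m[1]) if m[2] == "0" else cfg["nat"][m[1]].add(m[2]))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global"][m[1]].add(m[2])
        elif m := re.match(r"static \(([^,)]+),([^,)]+)\)", line):
            cfg["static"].add((m[1], m[2]))          # (real_if, mapped_if)
        elif m := re.match(r"access-list (\S+) permit (icmp|ip) ", line):
            cfg["icmp_acl"].add(m[1])               # ACLs that let ICMP in
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["acl_if"][m[2]] = m[1]              # interface -> inbound ACL
        elif line.startswith("fixup protocol icmp"):
            cfg["icmp_fixup"] = True
    return cfg

def can_initiate(cfg, src, dst):
    """Thread's rule: high->low = nat & global (or nat 0 / static); low->high = static + ACL."""
    if cfg["level"][src] > cfg["level"][dst]:
        if (cfg["nat"][src] & cfg["global"][dst] or src in cfg["nat0"]
                or (src, dst) in cfg["static"]):
            return "ok"
        return "no translation: need global (%s) or nat 0 on %s" % (dst, src)
    if (dst, src) in cfg["static"]:                 # real side is the higher interface
        return "ok" if src in cfg["acl_if"] else "static ok but no ACL on %s" % src
    return "low->high needs static (%s,%s)" % (dst, src)

def ping_replies_pass(cfg, dst):
    """Echo replies come back in on dst; without ICMP inspection they need an ACL there."""
    return cfg["icmp_fixup"] or cfg["acl_if"].get(dst) in cfg["icmp_acl"]
```

Running `can_initiate(parse_pix(PIX_CONFIG), "inside", "intf3")` reproduces the original poster's symptom, and appending the replies' `global (intf3) 1 ...` and `fixup protocol icmp error` lines turns both checks green.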

Community Member

Re: How does the security level work on a VLAN interface?

Hi grant.maynard,

Thank you for your explanations. It's clear; I need to study this to get familiar with the PIX.

I will post back and let you know. Thanks.
