Inside interface security level

homolya
Level 1

Inside interface on pix has a default security level set - 100. My pix shows on inside interface level 99 and I am not able to set it to 100.

Any idea how to change it to 100?

Thanx a lot .

11 Replies

ywadhavk
Cisco Employee

Hi Viktor,

This is interesting. What is the pix model and the IOS version running? Can you paste the part of the config showing this?

The inside interface is reserved at security level 100 by default.

Thanks,

yatin

Yes, I know it is reserved to 100 by default, it also responds this fact when I try to change it to 100.

model: pix 515E, sw: 6.31 (but the same thing happened with 6.2)

I don't have access to it right now, but it has 4 interfaces (inside, outside, dmz, failover). The outside is on level 0 (of course) but the inside is on 99. I think there should be no problem, since the inside interface is still on the highest level. But it's interesting anyway.

Hi Viktor,

When you get a chance, send me the 'sh tech' for this pix

thanks,

yatin@cisco.com

Maybe you already have another interface set to security level 100?

I believe that only one interface can have security level 100, but I'm not quite sure.

No. Only 1 interface has a [default(!)] security level 100 - the inside interface. This cannot be changed. But it shows 99. But I have noticed 2 interfaces use the same irq. Don't know if this is ok.

thanks anyway

Two interfaces using the same IRQ on a PIX is normal behaviour, I've seen it on almost every PIX with a 4-FE module in it, so, that's ok!

I cannot simply determine why your PIX shows security level 99.

The first thing I would try is to disable the interface by using the command:

interface ethernet1 shut

Then try to set the security level to 100 again by using:

nameif ethernet1 inside security100

And finally re-enable the interface again:

interface ethernet1 auto (or 10full/100full as required)

I think this will work. If not, I think it would be good if you post a show tech

Regards,

Leo

Thanks for the suggestion Leo, but it did not help. As soon as I try to change it to 100, it answers that this level is reserved.

Viktor

Uhm, strange :-S

Can you post a show tech, Viktor?

(please remove encrypted password before posting)

This may help solve your case :-)

It sounds to me as if one interface already has security level 100 (although you already confirmed that this isn't the case). It also could be that you are trying to select another name for this interface. Security level 100 is reserved for the interface named inside (I believe that use of the name is even case sensitive), so, for example: one could not use the name internal on the ethernet1 interface and set the security level to 100. If this is the case, simply rename your interface to exactly match the name inside and it should work.

Besides what I stated here, my experience is that security level 100 is not explicitly bound to ethernet1; I have my own configuration here running the name inside with security level 100 on interface ethernet5.

Hope this helps (again :-)))

Regards,

Leo
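The rule Leo describes (on a PIX 6.x, security100 belongs to the interface whose nameif is exactly "inside", only one interface can hold it, and "outside" sits at security0) is easy to check offline against a saved config before anyone starts shutting interfaces. The following audit script is an added example written for this thread; it is not Cisco code and not something posted by Leo or Viktor. It assumes the PIX 6.x `nameif <hardware> <name> security<level>` line format quoted in the thread, and the sample config lines it contains are constructed to mirror Viktor's setup (four interfaces, ethernet1 carrying a non-"inside" name at level 99).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of PIX 6.x 'nameif' lines mirroring the thread's setup:
# the would-be inside interface (ethernet1) carries the name "internal" at
# security99, which is why "security100" is refused as reserved.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 internal security99
nameif ethernet2 dmz security50
nameif ethernet3 failover security10
"""

# The same config after renaming ethernet1 to "inside" at security100.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 failover security10
"""

# PIX 6.x syntax as quoted in the thread: nameif <hardware> <name> security<0-100>
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s+(\S+)\s+security(\d{1,3})\s*$")


@dataclass(frozen=True)
class Iface:
    hardware: str   # e.g. ethernet1
    name: str       # e.g. inside (compared case-sensitively, as Leo suggests)
    level: int      # 0..100


def parse_nameif(config: str) -> List[Iface]:
    """Extract every nameif line from a PIX 6.x config dump."""
    ifaces = []
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            ifaces.append(Iface(m.group(1), m.group(2), int(m.group(3))))
    return ifaces


def audit(ifaces: List[Iface]) -> List[str]:
    """Return human-readable findings for the security-level rules from the thread."""
    findings = []
    at_100 = [i for i in ifaces if i.level == 100]

    # Only one interface may sit at security100.
    if len(at_100) > 1:
        names = ", ".join(f"{i.hardware} '{i.name}'" for i in at_100)
        findings.append(f"{len(at_100)} interfaces at security100 ({names}); only one is allowed")

    # security100 is reserved for the exact name "inside".
    for i in at_100:
        if i.name != "inside":
            findings.append(
                f"{i.hardware} '{i.name}' is at security100, but that level is reserved "
                f"for the name 'inside' (name match is case sensitive)")

    # Conversely, the interface named "inside" is expected at 100 and "outside" at 0.
    for i in ifaces:
        if i.name == "inside" and i.level != 100:
            findings.append(f"{i.hardware} 'inside' is at security{i.level}; 'inside' is reserved for security100")
        if i.name == "outside" and i.level != 0:
            findings.append(f"{i.hardware} 'outside' is at security{i.level}; 'outside' is expected at security0")

    # Viktor's situation: nothing at 100 because the top interface has another name.
    if ifaces and not at_100:
        top = max(ifaces, key=lambda i: i.level)
        findings.append(
            f"no interface at security100; highest is {top.hardware} '{top.name}' at "
            f"security{top.level}. Rename it to exactly 'inside' before raising the level, "
            f"otherwise the PIX will reject security100 as reserved")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for finding in audit(parse_nameif(cfg)) or ["no findings"]:
            print(finding)
```

Running it on the constructed "before" config reports a single finding pointing at ethernet1 'internal' at security99 and the rename that Leo recommends; the "after" config is clean. Feeding it a line such as `nameif ethernet1 Inside security100` also produces a finding, which is the case-sensitivity caveat Leo mentions.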

I have the firewall in a different office, so I can't try this last suggestion. It is true that the interface is named differently (not "inside"). I will be able to try it tomorrow.

The firewall I have here (a different one) does not allow changing the level 100 interface to a name different from "inside" (the level has to be decreased in that case).

I believe this could solve the problem.

[Could there be any problem if I leave the eth1 (inside) interface on level 99?]

Thanks for help Leo!

Viktor

Well, it seems this solved your case then. Inside is reserved for the interface using security level 100. Having ethernet1 used with a different name and security level 99 is not a problem. It works fine and doesn't create a security issue or anything whatsoever. In fact, it gives you more expanding possibilities (but that's another discussion then).

If it isn't possible for you to change, I wouldn't bother, if I were you. At least you know why you weren't able to get the interface to sec level 100 :-)

Case solved and closed. Glad I could be of any help :-)))

(would be great to rate the posting in this case and set the "this answer solved my question" option, so everyone will see this case is solved then)

Regards,

Leo

Almost forgot. If you would rather not post a show tech (which I can understand, because I don't like to post this myself *grin*), please do post the output of the show interface command, so we can see what this says :-)))
