06-30-2003 06:24 AM - edited 03-09-2019 03:51 AM
Inside interface on pix has a default security level set - 100. My pix shows on inside interface level 99 and I am not able to set it to 100.
Any idea how to change it to 100?
Thanks a lot.
06-30-2003 07:18 AM
Hi Viktor,
This is interesting. What is the pix model and the IOS version running? Can you paste the part of the config showing this?
The inside interface is reserved at security level 100 by default.
Thanks,
yatin
06-30-2003 10:20 PM
Yes, I know it is reserved to 100 by default, it also responds this fact when I try to change it to 100.
model: pix 515E, sw:6.31(but same thing happened with 6.2)
I don't have access to it right now, but it has 4 interfaces (inside, outside, dmz, failover). The outside is on level 0 (of course) but the inside is on 99. I think there should be no problem, since the inside interface is still on the highest level. But it's interesting anyway.
07-01-2003 12:11 AM
Maybe you already have another interface set to security level 100?
I believe that only one interface can have security level 100, but I'm not quite sure.
07-01-2003 12:39 AM
No. Only 1 interface has a [default(!)] security level 100 - the inside interface. This cannot be changed. But it shows 99. But I have noticed 2 interfaces use the same irq. Don't know if this is ok.
thanks anyway
07-01-2003 01:11 AM
Two interfaces using the same IRQ on a PIX is normal behaviour, I've seen it on almost every PIX with a 4-FE module in it, so, that's ok!
Cannot simply determine why your PIX shows securitylevel 99.
First thing I would try is first disable the interface by using the command:
interface ethernet1 shut
Then try to set the securitylevel to 100 again by using:
nameif ethernet1 inside security100
And finally re-enable the interface again:
interface ethernet1 auto (or 10full/100full as required)
I think this will work. If not, I think it would be good if you post a show tech
Regards,
Leo
07-01-2003 02:30 AM
Thanks for the suggestion, Leo, but it did not help. As soon as I try to change it to 100, it answers that this level is reserved.
Viktor
07-01-2003 02:55 AM
Uhm, strange :-S
Can you post a show tech, Viktor?
(please remove encrypted password before posting)
This may help solve your case :-)
It sounds to me as if one interface is already having security level 100 (although you already confirmed that this isn't the case). It also could be that you try to select another name for this interface. Security level 100 is reserved for the interface named inside (I believe that use of the name is even case sensitive), so, for example: one could not use the name internal on the ethernet1 interface and set the securitylevel to 100. If this is the case, simply rename your interface to exactly match the name inside and it should work.
Besides what I stated here, my experience is that securitylevel 100 is not explicitly bound to be used on ethernet1; I have my own configuration here running the name inside with securitylevel 100 on interface ethernet5.
Hope this helps (again :-)))
Regards,
Leo
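The name/level coupling Leo describes (security100 is reserved for the interface named inside, the name is case sensitive, outside is level 0) can be checked offline against a saved config before anyone touches the box. The script below is an added example, not from the thread or from Cisco; the SAMPLE_CONFIG is constructed and its "internal" name on ethernet1 is an assumption standing in for Viktor's unnamed interface. It also flags two interfaces sharing a level, which PIX 6.x does not allow.

```python
import re

# Matches PIX 6.x "nameif <hardware_id> <if_name> security<level>" lines.
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s+(\S+)\s+security(\d+)\s*$")


def parse_nameif(config_text):
    """Return {hardware_id: (if_name, level)} for every nameif line."""
    result = {}
    for line in config_text.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            result[m.group(1)] = (m.group(2), int(m.group(3)))
    return result


def check_security_levels(config_text):
    """Return a list of findings (strings); an empty list means no issue."""
    ifaces = parse_nameif(config_text)
    findings = []
    seen = {}  # level -> hardware_id, to spot duplicate levels
    for hw, (name, level) in ifaces.items():
        # Interface names are case sensitive on PIX: "Inside" is not "inside".
        if name == "inside" and level != 100:
            findings.append(f"{hw}: 'inside' must be security100, has security{level}")
        if level == 100 and name != "inside":
            findings.append(f"{hw}: security100 is reserved for 'inside', name is '{name}'")
        if name == "outside" and level != 0:
            findings.append(f"{hw}: 'outside' must be security0, has security{level}")
        if level == 0 and name != "outside":
            findings.append(f"{hw}: security0 is reserved for 'outside', name is '{name}'")
        if level in seen:
            findings.append(f"{hw}: security{level} already used by {seen[level]}")
        else:
            seen[level] = hw
    if not any(name == "inside" for name, _ in ifaces.values()):
        findings.append("no interface named 'inside' (security100) is defined")
    return findings


# Constructed sample reproducing the thread: ethernet1 carries a name other
# than "inside" (assumed here to be "internal"), so it cannot take security100.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 internal security99
nameif ethernet2 dmz security50
nameif ethernet3 failover security10
"""

if __name__ == "__main__":
    for finding in check_security_levels(SAMPLE_CONFIG):
        print(finding)
```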
07-01-2003 03:24 AM
I have the firewall in a different office, so I can't try this last suggestion. It is true that the interface is named differently (not "inside"). I will be able to try it tomorrow.
The firewall I have here (a different one) does not allow changing the level 100 interface to a name different from "inside" (the level has to be decreased in that case).
I believe this could solve the problem.
[Could there be any problem if I leave the eth1 (inside) interface on level 99?]
Thanks for help Leo!
Viktor
07-01-2003 03:38 AM
Well, it seems this solved your case then. Inside is reserved for the interface using securitylevel 100. Having ethernet1 used with a different name and securitylevel 99 is not a problem. It works fine and doesn't create a security issue or whatsoever. In fact, it gives you more expanding possibilities (but that's another discussion then).
If it isn't possible for you to change, I shouldn't bother, if I were you. At least you know why you weren't able to get the interface to sec level 100 :-)
Case solved and closed. Glad I could be of any help :-)))
(would be great to rate the posting in this case and set the "this answer solved my question" option, so everyone will see this case is solved then)
Regards,
Leo
07-01-2003 02:57 AM
Almost forgot. If you would rather not post a show tech (which I can understand, cause I don't like to post this myself *grin*), please do post the output of the show interface command, so we can see what this says :-)))