
New Member

Inside interface security level

The inside interface on a PIX has a default security level of 100. My PIX shows level 99 on the inside interface and I am not able to set it to 100.

Any idea how to change it to 100?

Thanks a lot.

11 REPLIES
Cisco Employee

Re: Inside interface security level

Hi Viktor,

This is interesting. What is the PIX model and the IOS version running? Can you paste the part of the config showing this?

The inside interface is reserved at security level 100 by default.

Thanks,

yatin

New Member

Re: Inside interface security level

Yes, I know it is reserved to 100 by default; it also responds with this fact when I try to change it to 100.

model: PIX 515E, sw: 6.31 (but the same thing happened with 6.2)

I don't have access to it right now, but it has 4 interfaces (inside, outside, dmz, failover). The outside is on level 0 (of course) but the inside is on 99. I think there should be no problem, since the inside interface is still on the highest level. But it's interesting anyway.

Cisco Employee

Re: Inside interface security level

Hi Viktor,

When you get a chance, send me the 'sh tech' for this PIX.

thanks,

yatin@cisco.com

Silver

Re: Inside interface security level

Maybe you already have another interface set to security level 100?

I believe that only one interface can have security level 100, but I'm not quite sure.

New Member

Re: Inside interface security level

No. Only 1 interface has a [default(!)] security level 100 - the inside interface. This cannot be changed. But it shows 99. But I have noticed 2 interfaces use the same IRQ. Don't know if this is ok.

thanks anyway

Silver

Re: Inside interface security level

Two interfaces using the same IRQ on a PIX is normal behaviour, I've seen it on almost every PIX with a 4-FE module in it, so, that's ok!

I cannot simply determine why your PIX shows security level 99.

The first thing I would try is to disable the interface by using the command:

interface ethernet1 shut

Then try to set the security level to 100 again by using:

nameif ethernet1 inside security100

And finally re-enable the interface again:

interface ethernet1 auto (or 10full/100full as required)

I think this will work. If not, I think it would be good if you post a show tech.

Regards,

Leo

New Member

Re: Inside interface security level

Thanks for the suggestion Leo, but it did not help. As soon as I try to change it to 100, it answers that this level is reserved.

Viktor

Silver

Re: Inside interface security level

Uhm, strange :-S

Can you post a show tech, Viktor?

(please remove encrypted password before posting)

This may help solve your case :-)

It sounds to me as if one interface already has security level 100 (although you already confirmed that this isn't the case). It also could be that you tried to select another name for this interface. Security level 100 is reserved for the interface named inside (I believe that use of the name is even case sensitive), so, for example: one could not use the name internal on the ethernet1 interface and set the security level to 100. If this is the case, simply rename your interface to exactly match the name inside and it should work.

Besides what I stated here, my experience is that security level 100 is not explicitly bound to ethernet1; I have my own configuration here running the name inside with security level 100 on interface ethernet5.

Hope this helps (again :-)))

Regards,

Leo
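The naming rule Leo describes (and the shut / nameif / re-enable procedure above) can be checked before a config is pushed. The following linter is an added example, not code from this thread or from Cisco: it parses PIX 6.x `nameif` lines from constructed sample configs and reports the situation discussed here (the highest-level interface carrying a name other than `inside`, or `security100` requested for a differently named interface). The case-sensitivity check follows Leo's stated belief, not a documented rule.

```python
import re
from typing import List, Tuple

# PIX 6.x syntax: nameif <hardware_id> <if_name> security<level>
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s+(\S+)\s+security(\d{1,3})\s*$")

# Constructed sample: the layout described in the thread (inside slot named differently, at 99)
THREAD_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 internal security99
nameif ethernet2 dmz security50
nameif ethernet3 failover security10
"""

# Constructed sample: the corrected layout (rename to 'inside', use the reserved level)
FIXED_CONFIG = THREAD_CONFIG.replace("internal security99", "inside security100")


def parse_nameif(config: str) -> List[Tuple[str, str, int]]:
    """Return (hardware_id, if_name, level) for every nameif line; other lines are ignored."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for line in config.splitlines() if (m := NAMEIF_RE.match(line))]


def lint_nameif(config: str) -> List[str]:
    """Report nameif lines the PIX would reject or that leave the reserved level unused."""
    findings = []
    entries = parse_nameif(config)
    for hw, name, level in entries:
        if level > 100:
            findings.append(f"{hw}: security level {level} is out of range (0-100)")
        if name == "inside" and level != 100:
            findings.append(f"{hw}: 'inside' must be security100, found security{level}")
        if name != "inside" and level == 100:
            findings.append(f"{hw}: security100 is reserved for the interface named "
                            f"'inside', but this interface is named '{name}'")
        if name.lower() == "inside" and name != "inside":
            findings.append(f"{hw}: '{name}' is not 'inside' (name is treated as case sensitive)")
        if name == "outside" and level != 0:
            findings.append(f"{hw}: 'outside' is expected at security0, found security{level}")
    # The thread's symptom: the most trusted interface is not the reserved 'inside' at 100
    if entries:
        hw, name, level = max(entries, key=lambda e: e[2])
        if name != "inside":
            findings.append(f"{hw}: highest-level interface '{name}' (security{level}) is not "
                            f"'inside'; rename it to inside to use security100")
    return findings
```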

New Member

Re: Inside interface security level

I have the firewall in a different office, so I can't try this last suggestion. It is true that the interface is named differently (not "inside"). I will be able to try it tomorrow.

The firewall I have here (a different one) does not allow changing the level 100 interface to a name different from "inside" (the level has to be decreased in that case).

I believe this could solve the problem.

[Could there be any problem if I leave the eth1 (inside) interface on level 99?]

Thanks for help Leo!

Viktor

Silver

Re: Inside interface security level

Well, it seems this solved your case then. Inside is reserved for the interface using security level 100. Having ethernet1 used with a different name and security level 99 is not a problem. It works fine and doesn't create a security issue or whatsoever. In fact, it gives you more expansion possibilities (but that's another discussion then).

If it isn't possible for you to change, I shouldn't bother, if I were you. At least you know why you weren't able to get the interface to sec level 100 :-)

Case solved and closed. Glad I could be of any help :-)))

(would be great to rate the posting in this case and set the "this answer solved my question" option, so everyone will see this case is solved then)

Regards,

Leo

Silver

Re: Inside interface security level

Almost forgot. If you'd rather not post a show tech (which I can understand, because I don't like to post this myself *grin*), please do post the output of the show interface command, so we can see what this says :-)))
