Cisco Support Community
Community Member

PIX with two interfaces with security0


A customer have a PIX 515E with two interfaces with security0 (ethernet0 and ethernet4 for example).

How can we have this PIX having those 2 interfaces the same way to response to TCP packet asking to open a not-open-port on those 2 PIX interfaces ?

I would like the ethernet4 having the same to respond when receiving a TCP SYN packet for TCP port as 25, or 23.

The destination IP address is the one of the ethernet4 interface, and the destination TCP port isn't opened.

Is there a link with all difference between ethernet0 and any other interface.

Can we use any non-ethernet0 interface with security0 to be used as the outside world ?

Thank you for your explaination and links.



Re: PIX with two interfaces with security0

Having 2 interfaces with the same security level is an unsupported configuration.

Why do you want two interfaces to respond the same way?

Community Member

Re: PIX with two interfaces with security0


Well I think that:

One way to have no communication between two interfaces can be done by giving them the same security level. Traffic can go from securityA interface to security(A-1) interface without doing anything.

Communication is only possible between a lower to a higger or a higger to a lower security level.

MAybe I'm wrong, so if you can argu, this could help me.

Do you have any link about that two interfaces can NOT have the same security level ? Maybe I m bad thinking that it is possible.

PIX release 6.3.3 on a PIX515E with 6 interfaces do accept the commandes.

Anyway, two interfaces having the same configuration should act the same way to any same packets received. This is right for a router !

Anyway, we could have two providers links on the same PIX. In fact I do not know yet why the customer uses 2 interfaces as "ouside world", but the sniffer traces show me that those two interfaces do not response the same way when receiving a telnet initiation packet for example TCP port 25 or 23.

The less then basic configuration is the same. I just move the IP address and the "outside" cable form one interface to the other one.

No command with an explicite interface name, excepted a SSH permit command (to reach the PIX from an outside link).

So only port 22 is opened on those two interfaces.


CreatePlease to create content