Re: Pix515 (7.0(2)) - Allow access between same security level i

johnelliot · ‎10-10-2006

Hi,

We have multiple subints with the same security level, and we are wanting to allow certain traffic between only two of them (So I cannot enable "same-security-traffic permit inter-interface")

I currently have the following:

interface Ethernet1.806

vlan 806

nameif DFLAN

security-level 50

ip address 172.16.4.1 255.255.255.0

interface Ethernet1.808

vlan 808

nameif ISELL_WEB

security-level 50

ip address 172.16.6.1 255.255.255.0

The "actual" networks for each interface are(The Pix connects to a router, which then connects to the two networks):

192.168.1.0/24 (DFLAN)

192.168.102.0/24 (ISELL_WEB)

route DFLAN 192.168.1.0 255.255.255.0 172.16.4.2 1

route ISELL_WEB 192.168.102.0 255.255.255.0 172.16.6.2 1

static (DFLAN,ISELL_WEB) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (ISELL_WEB,DFLAN) 192.168.102.0 192.168.102.0 netmask 255.255.255.0

It currently does not work - Is there anything additional that I must do to alllow communications between the two networks?(ACL's?)

Fernando_Meza · ‎10-10-2006

Hi .. you need same-security-traffic permit inter-interface otherwise you can't communicate. You can control the traffic by adding entries on the access list applied to the respective interfaces but again you need to enable same security flow first

I hope it helps .. please rate it if it does !!!

johnelliot · ‎10-10-2006

Hmm - So there's no other way to allow two ints with the same security level to communicate without enabling "same-security-traffic permit inter-interface" - Be nice if you enable it on a per-int level, rather than globally.

Pix515 (7.0(2)) - Allow access between same security level ints.