Cisco Support Community
Community Member

Security Levels - Communication ?

Hi !

I am totally confused about routing between interfaces with different security levels! (without any NAT, just like a normal ROUTER)

At the PIX Adv. Course I got to know the following:

Security Level low to high (STATIC NAT with the STATIC command: static (HIGH,LOW) LOW HIGH) combined with conduits or access-lists

Security Level high to low (by default PERMITTED); without NAT I have to use the NAT 0 access-list command

So, but what to do if I would like to send traffic from an interface (sec. level low) to an interface with security level high (without any NAT):

I have seen this STATIC (high,low) low low formula, but is traffic now permitted in both directions? Do I need access-lists on both interfaces?

OR do I just need access-lists on the (security level LOW) interface, without the STATIC command?

AND if sending traffic from security level HIGH to LOW, should I also use this STATIC (high,low) low low formula?

Could ANYONE please give me some hints, or send me some documents about this?


Community Member

Re: Security Levels - Communication ?

It's important to keep in mind the relationships between security levels, access-lists and NAT. Typical security assignments would look like this.

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security10

In this case, without any access lists, the inside interface can access all services on the outside and dmz1, dmz1 can access all services on just outside, and outside can't access any services on the inside or dmz1.

If you need to permit www traffic from the dmz to a server on the inside network for example, you would create an access list and apply it to the dmz interface like this.

access-list dmz-in permit tcp any host eq www

access-group dmz-in in interface dmz1

Your STATIC command has no bearing on what traffic is permitted. NAT and STATIC allow you to hide networks or hosts behind the firewall. You still need to use your access list to permit any type of traffic from a less trusted interface. An example to set up the static between the outside and dmz interfaces and then permit web traffic to the device would be:

static (dmz1,outside) netmask

access-list outside-in permit tcp any host eq www

access-group outside-in in interface outside

You can check out some sample configs on CCO at

Hope this helps.


Community Member

Re: Security Levels - Communication ?

Hi !

Thanks for your detailed response.

But suppose you have a fourth interface (security level 50) and you want to permit traffic from security level 50 (DMZ2) to security level 100.

for example:

net5 (dmz2)

net2 (inside)

I want to permit traffic from to

Do I have to configure access-lists on the DMZ2 interface and a NAT 0 rule

for any communication from (inside) to (DMZ2)?

Do I implicitly need this NAT 0 rule?

As I said, a system integrator used this STATIC (inside,dmz2) dmz2 dmz2 netmask command on one of our PIX firewalls.

That's why I am so confused.

On this example I do NOT have any public IP Address - as all are internal addresses.

Thanks for your help


Community Member

Re: Security Levels - Communication ?

The same rules apply to your configuration as the example I provided. To permit traffic from dmz2 to the inside you must configure an access list and apply it inbound to the dmz2 interface. If you're not using NAT between your inside and dmz2 interfaces, you need to specify the nat 0.

nat (dmz2) 0 access-list nonat

nat (inside) 0 access-list nonat

access-list nonat permit ip any

access-list nonat permit ip any

This would turn off nat for both your inside and dmz2 interfaces.

I'm not sure what the STATIC (inside,dmz2) dmz2 dmz2 netmask command is doing for you in this case.

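A complete PIX 6.x configuration for the four-interface case discussed in the replies above, added here as an example; it is not taken from any post in the thread. The interface addresses (RFC 1918 and documentation ranges), the ethernet3 assignment, the access-list names and the TCP port 1433 are assumptions chosen for illustration. It shows the nat 0 exemption from the last reply with full addresses, the identity static that the system integrator used as the equivalent alternative, and the access list on dmz2 that actually permits the dmz2 to inside flow while keeping dmz2's default access to the lower-security interfaces.

```cisco
! Added example, not from any post in this thread. Interface addresses, ACL names,
! the ethernet3 slot and the TCP port are assumptions chosen for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security50

ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address dmz1 10.2.0.1 255.255.255.0
ip address dmz2 10.3.0.1 255.255.255.0

! Ordinary PAT for traffic headed to the outside (assumed). Once an interface has
! a nat statement, the PIX requires a translation for every connection from that
! interface to any other interface, which is why the exemptions below are needed
! even though no address is ever rewritten between inside and dmz2.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.255.0
nat (dmz1) 1 10.2.0.0 255.255.255.0
nat (dmz2) 1 10.3.0.0 255.255.255.0

! NAT exemption between inside and dmz2, one list per source interface.
! nat 0 with an access list is bidirectional: either side may initiate
! connections (still subject to the access lists below).
access-list inside-nonat permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list dmz2-nonat permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
nat (dmz2) 0 access-list dmz2-nonat

! Alternative to the two nat 0 lines (use one approach, not both for the same
! networks): identity statics, which is what "static (inside,dmz2) <net> <net>"
! does. Addresses are left unchanged; the static only satisfies the translation
! requirement and makes inside hosts reachable from dmz2 without NAT.
! static (inside,dmz2) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
! static (dmz2,inside) 10.3.0.0 10.3.0.0 netmask 255.255.255.0

! inside (100) -> dmz2 (50) is permitted by default; neither nat 0 nor static
! changes that. dmz2 (50) -> inside (100) is denied until an ACL applied to
! dmz2 permits it. Applying any ACL to dmz2 replaces the default "permit to
! lower security levels" behaviour with the list's implicit deny, so the last
! permit line keeps dmz2's existing access to dmz1 and outside.
access-list dmz2-in permit tcp 10.3.0.0 255.255.255.0 host 10.1.0.50 eq 1433
access-list dmz2-in deny ip any 10.1.0.0 255.255.255.0
access-list dmz2-in permit ip 10.3.0.0 255.255.255.0 any
access-group dmz2-in in interface dmz2
```

Return traffic for the permitted dmz2 to inside connections is matched by the PIX connection table, so no access list is needed on the inside interface for this flow. The same translation requirement applies between inside and dmz1: without a nat 0 exemption, an identity static or a global pool on dmz1, inside hosts cannot reach dmz1 either, and the PIX logs "no translation group found" for those connections.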
