Security Levels on Interfaces, a true enigma

Hello,

*note I will assign points when this get resolved*

I have a Pix 515 running 6.3.3 with a few interfaces. One interface is set with a security level of 20 and the other has a security level of 100. Logic states that those on the 100 security interface should be able to access the web servers on the 20 security level interface; however, they cannot. I have created access lists and allowed specific IPs to have access to static IP addresses and a variety of other techniques that "should" work.

Example:

Workstation IP 192.168.10.2 on interface 1, with a security level of 100, should be able to access 10.10.50.7 on interface 4 with a security level of 20. Quite stumped, as the config should work. Any ideas?

Crake

2 REPLIES

Re: Security Levels on Interfaces, a true enigma

It depends. If you have an access-list bound to the higher-security interface, that could prohibit said communication to the lower-security interface's host. Misconfigured nat/static statements could do the same.

Re: Security Levels on Interfaces, a true enigma

Two items to look at are:

1. Make sure that the pix interface where the web servers are is the default route for the web servers, to allow the return traffic to flow back through the pix.

2. If you are using nat and global, or a static for the inside workstations, and the global address is on the same subnet as the pix interface that has a sec level of 20 (i.e., global (dmz_intf) 20 10.10.50.177), make sure that the sysopt proxyarp setting is configured for the dmz/web-server interface. If it is not, the pix will not respond to the arp request that the web server generates. I have come across systems that ignore the mac address in the request packet and will issue an arp before sending the reply, even though it should have done the correlation.

Can you post how the nat/global and/or static is configured?
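To make both replies concrete, here is an added PIX 6.3 configuration sketch covering the three things they ask about: the access-list bound to the high-security interface (first reply), the nat/global or static translation toward the DMZ with proxy ARP left enabled, and the web server's return path (second reply). This is example configuration written for this thread, not anything the original posters supplied; the interface names `inside` and `dmz`, the PIX interface addresses 192.168.10.1 and 10.10.50.1, the ACL name `inside_in`, and the choice of translation are assumptions, while the host addresses and the 10.10.50.177 global come from the thread.

```cisco
! Assumed interface naming and security levels (PIX 6.3 syntax)
nameif ethernet1 inside security100
nameif ethernet4 dmz security20
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 10.10.50.1 255.255.255.0

! First reply: once an ACL is applied inbound on the high-security interface,
! the "higher to lower is allowed" default no longer applies; the ACL decides,
! and it ends with an implicit deny. The flow from the question must be listed.
access-list inside_in permit tcp host 192.168.10.2 host 10.10.50.7 eq www
access-group inside_in in interface inside

! Second reply, item 2, option A: translate inside hosts to a global address
! that sits on the DMZ subnet. The web server will ARP for 10.10.50.177, so
! proxy ARP on the dmz interface must stay enabled. It is on by default; the
! line below is the one that would break it and must NOT be present:
!   sysopt noproxyarp dmz
nat (inside) 1 192.168.10.0 255.255.255.0
global (dmz) 1 10.10.50.177

! Option B (alternative to A, not in addition to it): identity static so the
! web server sees the real 192.168.10.x address. No proxy ARP is involved, but
! the server then needs a route to 192.168.10.0/24 via 10.10.50.1.
!   static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! Second reply, item 1: the web server's default gateway (or at least its
! route back to the workstation network) must point at the PIX dmz address,
! 10.10.50.1 here; otherwise the SYN arrives but the reply never returns
! through the PIX and the connection appears to hang.
```

Useful checks while testing from the workstation: `show xlate` should show a translation for 192.168.10.2 (under option A, to 10.10.50.177), `show conn` should show the TCP connection to 10.10.50.7 and whether it reached the established state, and `show access-list` exposes the hit counts on `inside_in`, so a flow that never increments the permit line is being dropped before the ACL (translation or routing), while one that increments but never completes points at the return path or ARP problem the second reply describes.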
