Cisco Support Community

Security to the interfaces

Hi

What's the need for security levels on different interfaces? No other firewall has this feature. It's understood that every interface should be secured from intruders, so what's the point in assigning security levels to the interfaces?

Any other logic apart from this?

Regards

Raj

2 REPLIES

Re: Security to the interfaces

The Pix makes decisions for packet forwarding and address translation based on whether a packet is going from a higher security to a lower or vice versa. The security numbers don't have any real meaning outside of their relative value to other interfaces. Therefore, a DMZ interface with a security level of 50 has no more "security" than a DMZ interface with a security level of 95. Either way, it's still higher than the outside and lower than the inside for ACL decisions. When going from a high interface to low, all traffic is allowed by default and is only prevented by an explicit deny. When going from low to high, all traffic is denied by default unless explicitly allowed by an ACL. Also, traffic must be NATted from high to low even if it's just being NATted back to its own address. Traffic from low to high does not need to be NATted, although it can be.

Re: Security to the interfaces

Hi,

By default all traffic is allowed from a higher security level to a lower security level (e.g. from the inside to the outside). To let traffic pass from a higher security level to a lower security level, you only need some address translation (nat/pat or static).

By default all traffic is blocked from a lower security level to a higher security level (e.g. from the internet to the inside).

If you want to allow traffic from a lower to a higher security level, then you need to create an access-list that specifies the allowed traffic and apply it to the lower security level interface.

Regards,

Tom
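The forwarding logic both replies describe (relative security levels, default permit high-to-low with explicit deny, default deny low-to-high with explicit permit, translation required only high-to-low) can be written down as a small decision model. The following is an added example, not Cisco code and not part of either reply; the interface names, security levels, addresses and ACL entries are constructed for the demonstration, and it deliberately models only what the replies state (same-level traffic is simply refused because the thread does not cover it).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not Cisco code): a small model of the PIX default
# inter-interface policy as described in the two replies. Interface names,
# security levels, addresses and ACL entries are constructed for the demo.


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR network or "any"
    dst: str                     # CIDR network or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        def in_net(ip: str, net: str) -> bool:
            if net == "any":
                return True
            return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

        return (in_net(src_ip, self.src) and in_net(dst_ip, self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class PixModel:
    levels: Dict[str, int]                                         # interface -> security level
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)  # ACL applied inbound per interface

    def evaluate(self, in_if: str, out_if: str, src_ip: str, dst_ip: str, dport: int) -> dict:
        """Decide whether a flow entering in_if and leaving out_if is forwarded.

        Only the relative order of the two levels matters (a DMZ at 50 behaves
        exactly like a DMZ at 95 against inside=100 and outside=0).
        """
        in_level, out_level = self.levels[in_if], self.levels[out_if]
        if in_level == out_level:
            # No high/low relationship: the replies do not cover this case,
            # so the model refuses it rather than guess.
            return {"allowed": False, "nat_required": False, "reason": "no high/low relationship"}

        high_to_low = in_level > out_level
        # Translation is required high -> low (even identity NAT); optional low -> high.
        nat_required = high_to_low

        # An ACL on the ingress interface overrides the default: first match wins.
        for entry in self.acls.get(in_if, []):
            if entry.matches(src_ip, dst_ip, dport):
                return {"allowed": entry.action == "permit", "nat_required": nat_required,
                        "reason": f"explicit {entry.action} on {in_if}"}

        # No match: high -> low is permitted, low -> high is denied.
        return {"allowed": high_to_low, "nat_required": nat_required,
                "reason": "default: high to low" if high_to_low else "default: low to high"}


def demo_firewall(dmz_level: int = 50) -> PixModel:
    """Three-interface PIX; the DMZ level is a parameter to show it is only relative."""
    return PixModel(
        levels={"inside": 100, "dmz": dmz_level, "outside": 0},
        acls={
            # Explicit deny of outbound telnet from the inside; everything else keeps the default permit.
            "inside": [AclEntry("deny", "10.0.0.0/8", "any", 23)],
            # Explicit permit of HTTPS from the internet to the DMZ web server only.
            "outside": [AclEntry("permit", "any", "192.0.2.10/32", 443)],
        },
    )


if __name__ == "__main__":
    fw = demo_firewall()
    flows = [
        ("inside", "outside", "10.1.1.5", "198.51.100.7", 80),
        ("inside", "outside", "10.1.1.5", "198.51.100.7", 23),
        ("outside", "dmz", "203.0.113.9", "192.0.2.10", 443),
        ("outside", "dmz", "203.0.113.9", "192.0.2.10", 22),
        ("dmz", "inside", "192.0.2.10", "10.1.1.5", 445),
    ]
    for flow in flows:
        print(flow[0], "->", flow[1], "port", flow[4], fw.evaluate(*flow))
```

Running the script with `demo_firewall(50)` and `demo_firewall(95)` produces identical decisions for every flow, which is the point of the first reply: the number only fixes where the DMZ sits between inside and outside, not how "secure" it is.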
