[c-nsp] Pix security levels
Brian Lehigh
brianl at sti.net
Mon Jul 11 17:55:18 EDT 2005
Try this:
From Cisco:
same-security-traffic
To permit communication between interfaces with equal security levels, use
the same-security-traffic command in global configuration mode. To disable
the same-security interfaces, use the no forms of this command.
same-security-traffic permit {inter-interface | intra-interface}
no same-security-traffic permit {inter-interface | intra-interface}
Syntax Description
inter-interface
Permits communication between different interfaces that have the same
security level.
intra-interface
Permits communication in and out of the same interface when traffic is
IPSec protected.
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command
(. = supported, - = not supported):

Command Mode         | Firewall Mode        | Security Context
                     | Routed | Transparent | Single | Multiple
                     |        |             |        | Context | System
Global configuration |   .    |      .      |   .    |    .    |   -
Command History

Release | Modification
7.0     | This command was introduced.
Usage Guidelines
Allowing communication between same security interfaces provides the
following benefits:
- You can configure more than 101 communicating interfaces. If you use
different levels for each interface, you can configure only one interface
per level (0 to 100).
- You want traffic to flow freely between all same security interfaces
without access lists.
If you enable NAT control, you do not need to configure NAT between same
security level interfaces.
Examples
The following example shows how to enable the same-security interface
communication:
hostname(config)# same-security-traffic permit inter-interface
Related Commands

Command                                   | Description
show running-config same-security-traffic | Displays the same-security-traffic configuration.
Brian Lehigh
Network Operations Center
Sierra Tel Internet
http://www.sti.net
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Voll, Scott
Sent: Monday, July 11, 2005 2:53 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Pix security levels
I thought I understood the Pix but I think I was mistaken.
I have dual Pix 525's running 6.3.4 code.
I have 8 interfaces, inside, outside, failover and 5 DMZs. I need some
traffic to pass from one DMZ to another. I have setup ACLs on each DMZ
interface to allow the traffic. I have also setup static NAT so that should
not be an issue. But the only way to get traffic from one to the other is
to lower the security level on the one DMZ (same security level doesn't
work). I thought that Security level went out the door when you use the
static NAT and ACL's. Am I wrong (I must be)? Can someone send me a link to
help me understand this better?
TIA
Scott
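A small audit script, added here as an illustration and not part of the thread or of any Cisco tool: it reads a PIX/ASA running-config, groups interfaces by security level, and reports groups that share a level while `same-security-traffic permit inter-interface` is absent, which is exactly the situation Scott describes (two DMZs at the same level that cannot exchange traffic no matter what ACLs and statics say). It handles both the 7.x syntax (`nameif` / `security-level` under `interface`) and the 6.x one-line `nameif ethernet2 dmz1 security50` form; the sample configs are constructed for the example. Note that the command history quoted above says the command was introduced in 7.0, so on a 6.3.4 box the only fix is to use distinct levels.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the thread). 7.x syntax:
SAMPLE_CONFIG_7X = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz1
 security-level 50
interface Ethernet3
 nameif dmz2
 security-level 50
interface Ethernet4
 nameif dmz3
 security-level 40
"""

# Constructed 6.x-style sample (single-line nameif with securityNN):
SAMPLE_CONFIG_6X = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security50
"""

PERMIT_LINE = "same-security-traffic permit inter-interface"


def parse_security_levels(config):
    """Return {interface_name: security_level}, accepting 6.x and 7.x syntax."""
    levels = {}
    current = None  # interface name being configured in 7.x block form
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
            continue
        m6 = re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$", line)
        if m6:  # 6.x: nameif <hw> <name> security<NN>
            levels[m6.group(1)] = int(m6.group(2))
            continue
        m7n = re.match(r"nameif\s+(\S+)$", line)
        if m7n:  # 7.x: nameif <name> inside an interface block
            current = m7n.group(1)
            continue
        m7l = re.match(r"security-level\s+(\d+)$", line)
        if m7l and current is not None:
            levels[current] = int(m7l.group(1))
    return levels


def same_security_permitted(config):
    """True if the global permit for same-level interfaces is configured."""
    return any(line.strip() == PERMIT_LINE for line in config.splitlines())


def audit(config):
    """Return {level: [interfaces]} for levels shared by more than one
    interface when no inter-interface permit exists; empty dict otherwise."""
    if same_security_permitted(config):
        return {}
    by_level = defaultdict(list)
    for name, level in parse_security_levels(config).items():
        by_level[level].append(name)
    return {lvl: sorted(names) for lvl, names in by_level.items()
            if len(names) > 1}


if __name__ == "__main__":
    for label, cfg in (("7.x sample", SAMPLE_CONFIG_7X),
                       ("6.x sample", SAMPLE_CONFIG_6X)):
        findings = audit(cfg)
        if not findings:
            print(f"{label}: no blocked same-level interface pairs")
        for lvl, names in findings.items():
            print(f"{label}: {', '.join(names)} share level {lvl} and "
                  f"cannot talk without '{PERMIT_LINE}'")
```

Running it on the 7.x sample reports dmz1 and dmz2 at level 50; appending the permit line makes the finding disappear, while the same pair in the 6.x sample can only be resolved by moving one DMZ to a different level.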