Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
235
Views
0
Helpful
2
Replies

PIX with two interfaces with security0

jabouaf
Level 1
Level 1

‎03-12-2004 03:03 AM - edited ‎02-20-2020 11:17 PM

Hello,

A customer have a PIX 515E with two interfaces with security0 (ethernet0 and ethernet4 for example).

How can we have this PIX having those 2 interfaces the same way to response to TCP packet asking to open a not-open-port on those 2 PIX interfaces ?

I would like the ethernet4 having the same to respond when receiving a TCP SYN packet for TCP port as 25, or 23.

The destination IP address is the one of the ethernet4 interface, and the destination TCP port isn't opened.

Is there a link with all difference between ethernet0 and any other interface.

Can we use any non-ethernet0 interface with security0 to be used as the outside world ?

Thank you for your explaination and links.

Regards,

0 Helpful
2 Replies 2

mostiguy
Level 6
Level 6

‎03-12-2004 04:39 AM

Having 2 interfaces with the same security level is an unsupported configuration.

Why do you want two interfaces to respond the same way?

0 Helpful

jabouaf
Level 1
Level 1
In response to mostiguy

‎03-12-2004 05:19 AM

Hello,

Well I think that:

One way to have no communication between two interfaces can be done by giving them the same security level. Traffic can go from securityA interface to security(A-1) interface without doing anything.

Communication is only possible between a lower to a higger or a higger to a lower security level.

MAybe I'm wrong, so if you can argu, this could help me.

Do you have any link about that two interfaces can NOT have the same security level ? Maybe I m bad thinking that it is possible.

PIX release 6.3.3 on a PIX515E with 6 interfaces do accept the commandes.

Anyway, two interfaces having the same configuration should act the same way to any same packets received. This is right for a router !

Anyway, we could have two providers links on the same PIX. In fact I do not know yet why the customer uses 2 interfaces as "ouside world", but the sniffer traces show me that those two interfaces do not response the same way when receiving a telnet initiation packet for example TCP port 25 or 23.

The less then basic configuration is the same. I just move the IP address and the "outside" cable form one interface to the other one.

No command with an explicite interface name, excepted a SSH permit command (to reach the PIX from an outside link).

So only port 22 is opened on those two interfaces.

Regards,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card