03-12-2004 03:03 AM - edited 02-20-2020 11:17 PM
Hello,
A customer have a PIX 515E with two interfaces with security0 (ethernet0 and ethernet4 for example).
How can we have this PIX having those 2 interfaces the same way to response to TCP packet asking to open a not-open-port on those 2 PIX interfaces ?
I would like the ethernet4 having the same to respond when receiving a TCP SYN packet for TCP port as 25, or 23.
The destination IP address is the one of the ethernet4 interface, and the destination TCP port isn't opened.
Is there a link with all difference between ethernet0 and any other interface.
Can we use any non-ethernet0 interface with security0 to be used as the outside world ?
Thank you for your explaination and links.
Regards,
03-12-2004 04:39 AM
Having 2 interfaces with the same security level is an unsupported configuration.
Why do you want two interfaces to respond the same way?
03-12-2004 05:19 AM
Hello,
Well I think that:
One way to have no communication between two interfaces can be done by giving them the same security level. Traffic can go from securityA interface to security(A-1) interface without doing anything.
Communication is only possible between a lower to a higger or a higger to a lower security level.
MAybe I'm wrong, so if you can argu, this could help me.
Do you have any link about that two interfaces can NOT have the same security level ? Maybe I m bad thinking that it is possible.
PIX release 6.3.3 on a PIX515E with 6 interfaces do accept the commandes.
Anyway, two interfaces having the same configuration should act the same way to any same packets received. This is right for a router !
Anyway, we could have two providers links on the same PIX. In fact I do not know yet why the customer uses 2 interfaces as "ouside world", but the sniffer traces show me that those two interfaces do not response the same way when receiving a telnet initiation packet for example TCP port 25 or 23.
The less then basic configuration is the same. I just move the IP address and the "outside" cable form one interface to the other one.
No command with an explicite interface name, excepted a SSH permit command (to reach the PIX from an outside link).
So only port 22 is opened on those two interfaces.
Regards,
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide