
Multiple outside interfaces

reggae3227
Level 1

I have seen many examples showing the PIX configured with 1 outside, 1 inside and multiple perimeter interfaces. Can 1 PIX box (525) handle multiple outside interfaces? If so, where can I go to see some type of documentation?

2 Replies

Terry Pattinson
Level 1

The idea of one outside (lowest security), one inside (highest security) and multiple DMZ interfaces comes from the idea that, by default, one interface is sec level 0 (outside), one is sec level 100 (inside) and the others range from 1-99. This affects the need for ACLs or conduits: low to high needs them, and high to low doesn't require, but of course can use, ACLs and conduits.

The upshot of this is that multiple outside interfaces can be connected to on the DMZ interfaces, as long as the correct ACLs are applied.

In addition to this, multiple sec 0 interfaces can be configured. They will be able to communicate with higher interfaces (sec 1-100), but not with each other.

Finally, this concept seems to be going away. Already on the FWSM, the security level concept can be disabled.

"You can configure interfaces on the same security level to communicate with each other. This feature is off by default, and you can enable or disable this feature on a per context basis. In earlier releases, no communication between interfaces with the same security level was possible.

See the same-security-traffic command."

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsmrns.htm#wp65269

Yes, I knew about the FWSM 2.2 same security level feature. That feature, however, I've been told, will not exist on the PIX until the 7.0 release. So, at this time the PIX cannot handle multiple outside features but the FWSM can? I am trying to justify the expense of the 6500 series FWSM/IDS/VPN versus multiple PIX boxes to handle multiple outside networks. Any more thought on the vice/versa?