Traffic between interfaces with same security level not working well

br
Level 1

Dear all,

we are using a PIX-515 with IOS 7.0(2). In our configuration we have defined the following interfaces:

interface Ethernet1.20
 description Internal ISN-1
 vlan 20
 nameif ISN-1
 security-level 80
 ip address 10.254.130.253 255.255.255.0
!
interface Ethernet1.30
 description Internal ISN-P1
 vlan 30
 nameif ISN-P1
 security-level 80
 ip address 10.254.129.253 255.255.255.0
!
interface Ethernet1.40
 description Internal ISN-P2
 vlan 40
 nameif ISN-C4H
 security-level 80
 ip address 10.254.131.253 255.255.255.0

We added this option to make sure the traffic is flowing freely between these interfaces (just normal routing, no firewall rules):

same-security-traffic permit inter-interface

Unfortunately we encounter strange problems because traffic from interface ISN-P2 to ISN-P1 is working but traffic from ISN-P2 to ISN-1 is not working. We have no error or deny messages in the log of the firewall, it's just not working.

Even adding allow rules like "access-list allow_all extended permit ip any any" on every interface (using "access-group allow_all in interface ISN-*") does not change anything.

Please help me to find the problem. Feel free to send me some hints on how to find out what's not working.

Best regards

Bernhard Roth
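As an added illustration (not part of the original thread), a small Python audit that reads a PIX-style configuration, lists every pair of interfaces sharing a security level, and reports whether that pair depends on "same-security-traffic permit inter-interface" and which side has an inbound access-group applied. The sample configuration is constructed after the one quoted above; the function names parse_interfaces and audit are my own.

```python
import re

# Constructed sample in the style of the PIX 7.0 configuration quoted in the post.
SAMPLE_CONFIG = """\
interface Ethernet1.20
 nameif ISN-1
 security-level 80
interface Ethernet1.30
 nameif ISN-P1
 security-level 80
interface Ethernet1.40
 nameif ISN-C4H
 security-level 80
same-security-traffic permit inter-interface
access-list allow_all extended permit ip any any
access-group allow_all in interface ISN-1
"""

def parse_interfaces(config):
    """Map each nameif to its security-level; PIX prints nameif before the level."""
    ifaces, name = {}, None
    for line in config.splitlines():
        if line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name:
            ifaces[name] = int(line.split()[1])
    return ifaces

def audit(config):
    """Return (level, ifaceA, ifaceB, state) for every pair of same-level interfaces."""
    inter = "same-security-traffic permit inter-interface" in config.splitlines()
    acl_on = set(re.findall(r"^access-group \S+ in interface (\S+)", config, re.M))
    by_level = {}
    for name, level in parse_interfaces(config).items():
        by_level.setdefault(level, []).append(name)
    findings = []
    for level, names in sorted(by_level.items()):
        names.sort()
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if not inter:
                    state = "blocked: same-security-traffic permit inter-interface missing"
                elif filtered := [n for n in (a, b) if n in acl_on]:
                    # an inbound ACL gates only the traffic entering that interface
                    state = "permitted; inbound ACL on " + ", ".join(filtered)
                else:
                    state = "permitted; no inbound ACL on either side"
                findings.append((level, a, b, state))
    return findings
```

Removing the same-security-traffic line from the sample flips every pair to "blocked", which is the state a configuration without that command is in.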

4 Replies

george.goebel
Community Member

Since this topic is two weeks old I'm sure you probably have figured it out by now. But, just in case you haven't, interfaces with the same security level will never talk to each other. It's just the way the pix works. Change the security level on one of them and it will probably work.

Now everything is working, thanks to your help. The problem was that we connected the pix to a quite heavily loaded network segment (as a replacement for a linux firewall) and all the filters were (by default) switched on for every interface. As a result the pix was overloaded and was somehow stuck. After we changed the policy to be only active on the outside interface it worked fine.

Thanks to all your help. The new pix os 7 is great, much better in administration and performance than 6.x 🙂

best regards

bernhard

mdufault
Frequent Visitor

Don't use the same security level. PIX works on high to low or low to high and not same to same.

Currently we are (ab)using the pix as firewall/router. As next step we will remove the "same-security-traffic permit inter-interface" setting and configure access rules in both directions for same-security level interfaces. The conceptual problem is that there is not really an interface with a "higher" security level, as all customers/service areas are equal. We want to specify allowed traffic in both directions and not block one interface to all others with lower security level. The configuration is getting quite complex, isn't it?