command equivalent in PIX version 6.3 for the version 7.x command: same-security-traffic permit inte

Discussion in 'Cisco' started by Mike Rahl, Dec 11, 2006.

  1. Mike Rahl

    Mike Rahl Guest

    Good day

    I was wondering if anyone could help me. We have a PIX with version
    6.3 of the code loaded, and I wanted to know what the equivalent
    command in version 6.3 is for the command in version 7.x:
    "same-security-traffic permit inter-interface"

    We're trying to establish multiple interfaces with the same security
    level (assuming it's possible) and unfortunately, the PIX firewall
    doesn't have enough RAM to upgrade to version 7.x

    If anyone has any ideas, please let me know
    Mike Rahl, Dec 11, 2006
    #1

  2. Mike Rahl

    Chad Mahoney Guest

    Re: command equivalent in PIX version 6.3 for the version 7.x command:same-security-traffic permit inter-interface

    Mike Rahl wrote:
    > Good day
    >
    > I was wondering if anyone could help me. We have a PIX with version
    > 6.3 of the code loaded, and I wanted to know what the equivalent
    > command in version 6.3 is for the command in version 7.x:
    > "same-security-traffic permit inter-interface"
    >
    > We're trying to establish multiple interfaces with the same security
    > level (assuming it's possible) and unfortunately, the PIX firewall
    > doesn't have enough RAM to upgrade to version 7.x
    >
    > If anyone has any ideas, please let me know
    >


    I am pretty sure this is not possible in versions before 7.X

    Chad
    Chad Mahoney, Dec 11, 2006
    #2

  3. Re: command equivalent in PIX version 6.3 for the version 7.x command:same-security-traffic permit inter-interface

    In article <>,
    Chad Mahoney <> wrote:
    >Mike Rahl wrote:


    >> We're trying to establish multiple interfaces with the same security
    >> level (assuming it's possible) and unfortunately, the PIX firewall
    >> doesn't have enough RAM to upgrade to version 7.x


    >I am pretty sure this is not possible in versions before 7.X


    Right, communicating with the same security level is out of
    the question before 7.x.


    Multiple interfaces with same security level, together with
    insufficient memory, would -tend- to imply an unrestricted
    license on a PIX 515 or early PIX 515E. In 7.x, the 515/515E need 128 Mb
    for full Unrestricted support; 64 for Restricted.
    PIX-515-MEM-128= and -32= respectively.

    Equivalent memory is available for about $US130 for 128 Mb; see
    for example memoryx.net .
    Walter Roberson, Dec 11, 2006
    #3
  4. Mike Rahl

    Mike Rahl Guest

    Thanks for the responses, all

    I appreciate the help

    I had suspected that this was not possible, but just wanted to make
    sure I wasn't missing anything. The client is, unfortunately, quite
    cheap and is nitpicking us on everything from engineering time to
    equipment, so we're stuck stretching whatever can be stretched to get
    this to work.


    Walter Roberson wrote:
    > In article <>,
    > Chad Mahoney <> wrote:
    > >Mike Rahl wrote:

    >
    > >> We're trying to establish multiple interfaces with the same security
    > >> level (assuming it's possible) and unfortunately, the PIX firewall
    > >> doesn't have enough RAM to upgrade to version 7.x

    >
    > >I am pretty sure this is not possible in versions before 7.X

    >
    > Right, communicating with the same security level is out of
    > the question before 7.x.
    >
    >
    > Multiple interfaces with same security level, together with
    > insufficient memory, would -tend- to imply an unrestricted
    > license on a PIX 515 or early PIX 515E. In 7.x, the 515/515E need 128 Mb
    > for full Unrestricted support; 64 for Restricted.
    > PIX-515-MEM-128= and -32= respectively.
    >
    > Equivalent memory is available for about $US130 for 128 Mb; see
    > for example memoryx.net .
    Mike Rahl, Dec 12, 2006
    #4
  5. Mike Rahl

    mak Guest

    Re: command equivalent in PIX version 6.3 for the version 7.x command:same-security-traffic permit inter-interface

    Mike Rahl wrote:
    > Thanks for the responses, all
    >
    > I appreciate the help
    >
    > I had suspected that this was not possible, but just wanted to make
    > sure I wasn't missing anything. The client is, unfortunately, quite
    > cheap and is nitpicking us on everything from engineering time to
    > equipment, so we're stuck stretching whatever can be stretched to get
    > this to work.
    >

    on the other hand:

    why do you need this feature?


    M
    mak, Dec 12, 2006
    #5
  6. Mike Rahl

    Mike Rahl Guest

    I was actually posting it for a coworker here.

    Basically, the client wants to use multiple ports on his firewall (a
    PIX 535e) with the same security zone (basically using the Firewall as
    a quasi-switch, I guess). We've repeatedly told him not to do this,
    but rather use 1 port on the firewall and get a proper switch, then put
    the users on that switch.

    The client doesn't want to spend the money on the switch, nor does he
    want to buy memory, he just wants to stretch the firewall far beyond
    its capabilities.

    I can assure you, this is far from an optimal solution to me as well

    mak wrote:
    > Mike Rahl wrote:
    > > Thanks for the responses, all
    > >
    > > I appreciate the help
    > >
    > > I had suspected that this was not possible, but just wanted to make
    > > sure I wasn't missing anything. The client is, unfortunately, quite
    > > cheap and is nitpicking us on everything from engineering time to
    > > equipment, so we're stuck stretching whatever can be stretched to get
    > > this to work.
    > >

    > on the other hand:
    >
    > why do you need this feature?
    >
    >
    > M
    Mike Rahl, Dec 12, 2006
    #6
  7. In article <>,
    Mike Rahl <> wrote:

    >Basically, the client wants to use multiple ports on his firewall (a
    >PIX 535e) with the same security zone (basically using the Firewall as
    >a quasi-switch, I guess). We've repeatedly told him not to do this,
    >but rather use 1 port on the firewall and get a proper switch, then put
    >the users on that switch.


    >The client doesn't want to spend the money on the switch, nor does he
    >want to buy memory, he just wants to stretch the firewall far beyond
    >its capabilities.


    Bummer. :(

    Is it a PIX 535 or PIX 515E? A 535 should already have enough memory,
    but original 515E might not have 128 Mb. If, though, the configuration
    is not too big or there is not a high traffic load, then the word
    in these newsgroups is that you can load PIX 7.x on a PIX 515/515E
    with less than the recommended amount of memory, particularly if you
    do not install ASDM.

    Of course the time involved to do so, together with the disruption
    of client networking, is worth far far more than the cost of
    a simple switch. Depending on the exact needs, a $US40 switch
    might be good enough.
    Walter Roberson, Dec 12, 2006
    #7