Cisco pix 535

Discussion in 'Cisco' started by Mitch Silver, Oct 14, 2004.

  1. Mitch Silver

    Mitch Silver Guest

    I'm configuring a pair of FO 535's and I have a design question. I'm
    going to have 8 active interfaces on my pix and of course my inside
    and outside will be 100 and 0, but the interior ones are troubling
    me. Out of the six dmz int remaining, 2 are going to be used for some
    network equipment and test networks. They'll have security level of
    90 and 80 respectively. However, the remaining 4 dmz ints will all
    house different projects, none of which should be able to talk to the
    other. As a simple solution I was just going to make them all the
    same security level of 20. From my understanding this will not allow
    them to route between each other however it will allow them to route
    to the other security levels. Is it safe to say that my understanding
    is correct? Anyone see any network/security flaws with this design?
    Suggestions and comments are appreciated. Thanks...
     
    Mitch Silver, Oct 14, 2004
    #1

  2. JLoaf

    JLoaf Guest

    From what I know you're correct in saying that they won't be able to
    communicate with each other. They will however be able to communicate
    with the outside interface (if you specify NAT) and the other interfaces
    if you specify static nat, and allow them to enter those zones.

    Jacek.
     
    JLoaf, Oct 14, 2004
    #2
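    As an added illustration (not code from the thread or from Cisco), here is a small Python model of the PIX 6.x rules JLoaf describes, applied to the eight-interface design in the question: same security level is denied, higher to lower needs a nat/global translation, lower to higher needs a static plus an access-list. The interface names, levels and the nat/static lists are assumptions made up for the example.

```python
# Added example: model of PIX 6.x inter-interface permission rules.
# Interface names, levels and the nat/static sets below are constructed
# assumptions for illustration, not the poster's actual configuration.

# Interface -> security level, following the plan in the original post.
LEVELS = {
    "outside": 0,
    "inside": 100,
    "netmgmt": 90,    # network equipment DMZ
    "test": 80,       # test networks DMZ
    "proj1": 20, "proj2": 20, "proj3": 20, "proj4": 20,
}

# Interfaces that have a "nat"/"global" pair (dynamic translation) configured.
NAT_SOURCES = {"inside", "netmgmt", "test", "proj1", "proj2", "proj3", "proj4"}

# (lower_if, higher_if) pairs with a "static" plus an access-list permitting entry.
STATICS = {("outside", "proj1"), ("proj2", "netmgmt")}


def can_initiate(src, dst):
    """Return whether a session started on interface src may reach dst.

    PIX 6.x behaviour as discussed in the thread:
      * same security level: denied, the PIX will not route between them
      * higher -> lower: allowed when src has a nat/global translation
      * lower -> higher: allowed only with a static and an access-list
    """
    if src == dst:
        return False
    s, d = LEVELS[src], LEVELS[dst]
    if s == d:
        return False
    if s > d:
        return src in NAT_SOURCES
    return (src, dst) in STATICS


def reachability():
    """Every ordered interface pair and whether the design lets it talk."""
    names = sorted(LEVELS, key=LEVELS.get, reverse=True)
    return {(a, b): can_initiate(a, b) for a in names for b in names if a != b}


def project_isolation_holds(projects=("proj1", "proj2", "proj3", "proj4")):
    """True when no project DMZ can open sessions to another project DMZ."""
    return not any(can_initiate(a, b) for a in projects for b in projects if a != b)


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a:>8} -> {b:<8} {'permit' if ok else 'deny'}")
    print("project DMZs isolated:", project_isolation_holds())
```

    Changing a static or an access-list in the model shows immediately which pair it opens, which is the check worth doing before adding any static between the project DMZs.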

  3. Walter Roberson

    :I'm configuring a pair of FO 535's and I have a design question. I'm
    :going to have 8 active interfaces on my pix and of course my inside
    :and outside will be 100 and 0, but the interior ones are troubling
    :me. Out of the six dmz int remaining, 2 are going to be used for some
    :network equipment and test networks. They'll have security level of
    :90 and 80 respectively. However, the remaining 4 dmz ints will all
    :house different projects, none of which should be able to talk to the
    :other. As a simple solution I was just going to make them all the
    :same security level of 20. From my understanding this will not allow
    :them to route between each other however it will allow them to route
    :to the other security levels.

    Correct in current releases. Someone has said that the now-late
    PIX 7.0 software release will allow routing between interfaces with
    the same security level (and thus allow the PIX to send packets
    back out the same interface they came in on.) I'm not beta nor
    NDA for that release, so I have no real information about whether
    that feature will be present or not. One would think that if it is,
    that it will be enabled via a sysopt so as not to change the behaviour
    of existing configurations that rely on the feature.... but that's
    a supposition into the workings of a rumoured feature and may have
    no connection to reality.
     
    Walter Roberson, Oct 14, 2004
    #3
