Allowing Communication Between Interfaces On The Same Security Level - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Configuring Interfaces
Note
If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the translation table using the clear
xlate command. However, clearing the translation table disconnects all current connections.
To name an interface, enter the following command:
FWSM/contexta(config)# nameif {vlan n | context_map_name} name [security] n
For multiple context mode, if you gave the VLAN interface a mapped name for the context in the system
configuration, then you must use the mapped name.
The name is a text string up to 48 characters, and is not case-sensitive.
The security level is an integer between 0 and 100. 0 is the least secure and 100 the most secure. You
can optionally include the word security before the level number to make your configuration easier to
read. To assign more than one interface to the same level, see the "Allowing Communication Between
Interfaces on the Same Security Level" section on page 6-8 to enable this feature.
To view the configured interface names and security levels, enter the show nameif command. For example:
FWSM# show nameif
nameif vlan100 outside security0
nameif vlan101 inside security100
nameif vlan102 dmz security50

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other, even if you
configure NAT and ACLs.
Allowing communication between same security interfaces provides the following benefits:
• You can configure more than 101 communicating interfaces. If you use different levels for each
interface, you can configure only one interface per level (0 to 100).
• You want protection features to be applied equally for traffic between two interfaces; for example,
you have two departments that are equally secure. For different security level interfaces, many
protection features apply only in one direction, for example, inspection engines, TCP intercept, and
connection limits.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.
Note
You do not need to configure NAT between same security interfaces. You can, however, configure NAT
if desired. If you configure dynamic NAT for an interface, then to allow connections initiated from
another interface, even if it is on the same security level, you need to configure static NAT.
If you want to configure connection limits but do not want to configure NAT (where connection limits
are set), you can configure identity NAT or NAT exemption. (See the "Configuring Connection Limits for
Non-NAT Configurations" section on page 6-10 or the "Bypassing NAT" section on page 9-29.)
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, Chapter 6 Configuring Basic Settings, page 6-8, OL-6392-01
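The following is an added example, not Cisco code and not part of the original guide. It models the rules stated in the two sections above: it parses show nameif output in the format shown under "Configuring Interfaces" (checking the 0 to 100 level range, the 48-character name limit and case-insensitive names), reports levels shared by more than one interface, and decides whether a connection may be initiated from one interface into another given whether same-security communication is enabled and whether the destination side has only dynamic NAT. The fourth nameif line, the nat attribute on each interface and all function names are constructed for this model; ACLs are not modelled.

```python
"""Model of the FWSM interface rules described above (added example, not
Cisco code). It parses 'show nameif' output in the format the page shows and
applies two rules from the text: a pair of interfaces at the same security
level cannot exchange traffic unless same-security communication is enabled,
and a destination that has only dynamic NAT needs static NAT before another
interface can initiate connections into it. ACLs are not modelled."""
import re
from dataclasses import dataclass

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d{1,3})$")

# The first three lines are the page's own 'show nameif' output; vlan103 is a
# constructed fourth interface deliberately placed at the same level as dmz.
SAMPLE_SHOW_NAMEIF = """\
nameif vlan100 outside security0
nameif vlan101 inside security100
nameif vlan102 dmz security50
nameif vlan103 dmz2 security50
"""


@dataclass
class Interface:
    vlan: str
    name: str
    level: int
    # NAT kinds configured for hosts behind this interface; an assumption of
    # this model, e.g. frozenset({"dynamic"}) or frozenset({"static"}).
    nat: frozenset = frozenset()


def parse_show_nameif(text):
    """Parse 'show nameif' output into {lower-cased name: Interface}.
    Names are not case-sensitive on the FWSM, hence the lower-cased key."""
    ifaces = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NAMEIF_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised nameif line: {line!r}")
        vlan, name, level = m.group(1), m.group(2), int(m.group(3))
        if not 0 <= level <= 100:
            raise ValueError(f"{name}: security level {level} is outside 0-100")
        if len(name) > 48:
            raise ValueError(f"{name}: interface name exceeds 48 characters")
        if name.lower() in ifaces:
            raise ValueError(f"duplicate interface name {name}")
        ifaces[name.lower()] = Interface(vlan, name, level)
    return ifaces


def level_conflicts(ifaces):
    """Levels used by more than one interface. With same-security traffic
    disabled these pairs are isolated from each other regardless of ACLs."""
    by_level = {}
    for iface in ifaces.values():
        by_level.setdefault(iface.level, []).append(iface.name)
    return {lvl: names for lvl, names in by_level.items() if len(names) > 1}


def can_initiate(ifaces, src, dst, same_security_enabled=False):
    """Whether a connection may be initiated from src into dst under the
    security-level and NAT rules of the section. Returns (allowed, reason)."""
    a, b = ifaces[src.lower()], ifaces[dst.lower()]
    if a is b:
        return False, "source and destination are the same interface"
    if a.level == b.level and not same_security_enabled:
        return False, (f"{a.name} and {b.name} are both security{a.level} "
                       "and same-security communication is not enabled")
    if "dynamic" in b.nat and "static" not in b.nat:
        return False, (f"{b.name} has only dynamic NAT; inbound-initiated "
                       "connections need static NAT")
    return True, "permitted by security-level rules (ACLs still apply)"


if __name__ == "__main__":
    ifaces = parse_show_nameif(SAMPLE_SHOW_NAMEIF)
    for lvl, names in level_conflicts(ifaces).items():
        print(f"security{lvl} shared by {', '.join(names)}")
    for enabled in (False, True):
        ok, why = can_initiate(ifaces, "dmz", "dmz2", enabled)
        print(f"same-security enabled={enabled}: dmz -> dmz2 allowed={ok} ({why})")
    ifaces["dmz2"].nat = frozenset({"dynamic"})   # constructed: dynamic NAT only
    print(can_initiate(ifaces, "dmz", "dmz2", same_security_enabled=True))
```

Running the script with the constructed dmz2 interface shows dmz and dmz2 sharing security50, a refused dmz to dmz2 connection until same-security communication is enabled, and a second refusal once dmz2 carries only dynamic NAT, matching the note that static NAT is needed for connections initiated from another interface.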
