Firewall Wizards mailing list archives

Re: Fw: cisco pix does not log traffic targetted to itself?


From: Brian Ford <brford () cisco com>
Date: Mon, 13 Jan 2003 07:25:25 -0500

Kevin,

> i'm told you can assign
> multiple interfaces the same security level

No.

Regarding the original question: Sure it does.

And there is a "deny all" at the end of an ACL in PIX (just like in IOS).

Liberty for All,

Brian

At 12:00 PM 1/12/2003 -0500, firewall-wizards-request () honor icsalabs com wrote:

Message: 1
Date: Fri, 10 Jan 2003 15:13:14 -0800
From: Kevin Steves <stevesk () pobox com>
To: Jose y Romy <joseromy () telefonica net>
Cc: firewall-wizards () honor icsalabs com, stevesk () pobox com
Subject: Re: Fw: [fw-wiz] cisco pix does not log traffic targetted to itself?

On Mon, Jan 06, 2003 at 09:40:50PM +0100, Jose y Romy wrote:
> Well, PIX uses the security levels at the interfaces, and by default does not
> permit (except ACL or static/conduit command) the traffic from a less secure
> to a more secure
> interface (by default 0 (lower level) is assigned to the outside interface
> and 100 (higher level) to the inside interface).
> In the normal ACLs there is an implied "deny all" at the end.

i have never liked the ASA/security level approach that PIX uses--i
would rather not have implied policies.  i'm told you can assign
multiple interfaces the same security level, which will block the
implied policies for those interfaces, but i have not tried it and i
think it may not be supported (the documentation i've read doesn't
mention that case at all).


Brian Ford
Consulting Engineer
Corporate Consulting Engineering, Office of the Chief Technology Officer
Cisco Systems, Inc.
http://www.cisco.com
e-mail: brford () cisco com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

