Hello uanog,

There is a PIX with several interfaces that have the same security level.

PIX Version 7.0(4)
!
interface Ethernet0
 nameif inside1
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
[dd]
!
interface Ethernet2
 nameif inside2
 security-level 100
 ip address 192.168.12.1 255.255.255.0 standby 192.168.12.2
!
interface Ethernet3
 nameif inside3
 security-level 100
 ip address 192.168.13.2 255.255.255.0 standby 192.168.13.3
!
[dd]
same-security-traffic permit inter-interface
[dd]
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
nat (inside3) 1 0.0.0.0 0.0.0.0
[dd]
access-group OUT_TO_IN in interface outside

(there are no other ACLs applied on any interface)

The question is: which doc should I believe?

One says:

Two interfaces at same level can't send packets to each other. Connections and traffic are normally permitted from higher to lower security level interfaces. Connections the other way (from low to high security) are disallowed unless the configuration explicitly permits them.

The other says:

Allowing communication between same security interfaces provides the following benefits:
• .....
• You want traffic to flow freely between all same security interfaces without access lists.
[dd]
To enable interfaces on the same security level so that they can communicate with each other, enter the following command:
hostname(config)# same-security-traffic permit inter-interface

With the config above, traffic from one inside network does not pass to another.

Thanks.

--
Best regards,
мазай. MAZ-RIPE
mailto:rassylkaformazaj@ukr.net

===================================================================
uanog mailing list.
To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message

Explicitly define ACLs on the interfaces and don't rack your brain over it.

--
Best regards,
Aleksander Trotsai aka MAGE-RIPE aka MAGE-UANIC
My PGP key at ftp://blackhole.adamant.ua/pgp/trotsai.key[.asc]
When everything adds up, something must fail to add up

participants (2): Alexander Trotsai, Мазай