Re: What makes the outside interface "outside" ?

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Fri Mar 14 2008 - 16:55:24 ARST


You need, try it.
Seeing I'm not the only one, I did lab it (7.2).
And the answer is ... security_level <> 100.

I made an interface "outside" and could login w/o trouble.
But as soon as I changed the sec level to 90, the telnet connects
but you get no service (i.e. no password or login prompt).

So telnet only works on sec level 100 interfaces (which is an ok
policy for me!, just wanted to know it :)

-Carlos
P.S.
no takers on why transparent pix does PING destination to learn its mac?

Hoogen @ 14/3/2008 16:30 -0600 dixit:
> I don't think you need a static nat statement...just enabling telnet on the
> outside interface is good enough...
>
> Well Carlos you are right you can name anything you like to...outside is
> just that mostly internet links are connected to...so the outside world can
> access it..least secure zone..usually zero...But you can even name it
> internet give it a security level of 30 too...just have to remember that
> your more secure zones...servers placed in dmz or your internal lan inside
> zones need to have more security level..and not lesser than the outside or
> internet zone...
>
> -Hoogen
>
>
> On 3/14/08, Tony Varriale <tvarriale@flamboyaninc.com> wrote:
>> The nameif command and the security-level.
>>
>>
>> Tony
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Carlos G Mendioroz
>> Sent: Friday, March 14, 2008 11:59 AM
>> To: ccielab@groupstudy.com
>> Subject: OT?: What makes the outside interface "outside" ?
>>
>> Pixen do not allow telnet to the outside interface w/o ipsec.
>> There are a number of ways out (ipsec, static to inside, etc).
>>
>> But what makes an interface an "outside" interface ? The name ?
>> The sec level ? Just curious if somebody knows (and lazy to go
>> and lab it up!)
>>
>> Regards,
>> -Carlos
>> --
>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina


This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART