• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 289
  • Last Modified:

Adding an Interface to PIX


I have a pix with 3 running interfaces - Inside, Outside, DMZ
Security levels - 100, 0, 50 repectively

I am looking to add a fourth, highly secure interface.

This interface will operate completely separate from the other three.  The LAN segment will also be separate.

The fourth interface will not need to pass traffic between the inside and DMZ.  Only outbound web traffic from the fourth interface needs to pass through to the outside.

I plan on setting the security level of interface 4 to 100, equal to that of the inside interface.  From what I understand interfaces with equal security levels cannot pass traffic.  And since the dmz and outiside have a lower security level they will not be able reach interface 4.  Please confirm.

Also, what other settings are required to ensure that interface 4 can only pass http traffic on port 80?

Thank you.

  • 2
1 Solution
You really don't want to make the security levels equal. Make the new one 95 or something..
I'm not sure what you mean by the servers on this dmz#2 can only pass http traffic. Are they web servers or browsing the web?

>Only outbound web traffic

All depends on what version OS you have, and whether you are using conduits or access-lists...
If using conduits, use access-list with "outbound apply"
If using acls, simply create a single entry acl and apply it to the dmz2 interface:
access-list dmz2_out permit udp host <host ip> any eq 53
access-list dmz2_out permit tcp host <host ip> any eq http
access-list dmz2_out permit tcp host <host ip> any eq https
access-group dmz2_out in interface dmz2
You can do host-by-host, or use the subnet
You need to permit DNS name resolution as in my example.

Be default, no traffic will be permitted from any higher security interface to any lower security interface without conduit or acl entry, so this will be a totally independent segment.
jimm123Author Commented:

Thanks for the info.

The os on the pix is 6.3(1) but we are using conduits - Haven't switched over to all acl just yet.

I am not sure what you mean by access-list with "outbound apply"
Could you provide an example?

The 4rth interface (dmz2) will need to browse the web only and will not host any web servers.


outbound 1 deny 0 0 0
outbound 1 permit 80 tcp
outbound 1 permit 53 udp
apply (dmz2) 1 outgoing_src

If you want them to be able to browse, you also must permit dns name resolution
Do you also want to permit access to secure web servers? Then permit tcp 443 also
outbound 1 permit 443 tcp
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now