Security level
1. Overview
To work with the Cisco ASA firewall appliance, you need to understand the logic of security levels, which are assigned to the ASA's
physical interfaces and logical sub-interfaces, and how they decide which traffic may flow. This understanding is essential when working
with Access Control Lists (ACLs) to control the traffic flows across Cisco ASA firewall interfaces.
This article explains the concept of security levels in a simple, easy-to-understand way and shows how they work in a Cisco ASA firewall
appliance.
2. Prerequisites
file:///C:/Users/projo/AppData/Local/Temp/Low/TUPBUR2U.htm 02/05/2021
Security Level in Cisco ASA Firewall | Tech Space KH Page 2 of 9
Cisco ASA uses security levels to determine whether traffic may flow between its connected interfaces. A security level is a number
from 0 to 100. The higher the security level assigned to an interface of the Cisco ASA firewall, the more trusted that interface is.
Traffic initiated from an interface with a higher security level toward an interface with a lower security level is permitted without any
Access Control List (ACL), and the return traffic of those connections is permitted through the ASA's stateful connection table.
In contrast, traffic initiated from an interface with a lower security level toward an interface with a higher security level is denied by
default. If you want to allow such traffic, you need to create an Access Control List (ACL) that permits it and apply it to the lower
security level interface.
There are three principal rules regarding security levels in the Cisco ASA firewall appliance.
4.1. From a Higher Security Level Interface to a Lower Security Level Interface
All traffic initiated from the higher security level interface is allowed. If you want to block some traffic from flowing from a higher
security level interface to a lower security level interface, an Access Control List (ACL) is needed. Normally, you apply that ACL in the
out direction on the lower security level interface, not in the in direction. Be aware that once any ACL is applied in the in direction on
the higher security level interface, the security-level default no longer applies there: the ACL ends with an implicit deny, so it must
explicitly permit the traffic you still want to allow.
4.2. From a Lower Security Level interface to a Higher Security level Interface
All traffic initiated from the lower security level interface is blocked. An Access Control List (ACL) is needed if you want to allow traffic to
flow from a lower security level interface to a higher security level interface. Normally, you apply that ACL in the in direction on the
lower security level interface, not in the out direction on the higher one. Because every ACL ends with an implicit deny, only the traffic it
explicitly permits will get through.
4.3. From an Interface to Another Interface With the Same Security Level
Even when two interfaces are assigned the same security level, traffic is not allowed to flow between them by default. To allow traffic to
flow between interfaces configured with the same security level, the command "same-security-traffic permit inter-interface" must be
configured; it is a global command and applies to every pair of same-level interfaces. Use an Access Control List (ACL) if you then want
to block specific traffic between these interfaces. (The related command "same-security-traffic permit intra-interface" covers a different
case: traffic that enters and leaves through the same interface.)
The following is the common security level configuration that most network security professionals apply on the Cisco ASA firewalls
under their administration.
Interface "inside": the highest security level, 100, is conventionally assigned to the interface that connects to the Local Area Network
(LAN). It is normally named "inside". Note that when an interface is given the nameif "inside", the ASA assigns security level 100 to it
automatically; any other name defaults to security level 0, so always set the level explicitly.
Interface "outside": the lowest security level, 0, is conventionally assigned to the interface that connects to the public network or the
internet. It is normally named "outside".
Interface "dmz": most people prefer a security level of 50 for the DMZ interface. Nevertheless, it can be assigned any value from 1
to 99, as long as it sits between the inside and outside levels.
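The following configuration is an added example, not taken from the original article, that puts the three rules from section 4 and the inside/dmz/outside convention above into one working ASA configuration. The addresses, the object name DMZ_WEB and the ACL names are made up for illustration.

```cisco
! Added example (not from the original article): inside/dmz/outside
! layout with the ACLs that the three security-level rules call for.
! Addresses, object names and ACL names are made up.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!
object network DMZ_WEB
 host 10.10.30.10
!
! Rule 4.2 (lower -> higher): nothing from outside (0) reaches the
! dmz (50) or the inside (100) until an ACL permits it. Permit only
! HTTP/HTTPS to the DMZ web server, applied "in" on outside. All
! other outside-initiated traffic hits the ACL's implicit deny.
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq https
access-group OUTSIDE_IN in interface outside
!
! Rule 4.1 (higher -> lower): inside (100) reaches dmz (50) and
! outside (0) freely. To block one protocol and keep the rest, the
! article's option is an ACL "out" on the lower-security interface:
! Telnet from the LAN toward the internet is denied, the rest leaves.
access-list OUTSIDE_OUT extended deny tcp 10.10.10.0 255.255.255.0 any eq telnet
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
!
! The alternative, an ACL "in" on the inside interface (you would
! pick one of the two; both are shown). As soon as this ACL is
! applied, the security-level default for inside no longer applies,
! so the final "permit ip any any" is required or every
! inside-initiated connection would be dropped.
access-list INSIDE_IN extended deny tcp 10.10.10.0 255.255.255.0 any eq telnet
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Rule 4.3 (equal levels): only needed if two interfaces share a
! level, for example a second DMZ also at 50. Global, one-time command.
same-security-traffic permit inter-interface
```

On ASA 8.3 and later, ACLs are written against the real (untranslated) address, so the DMZ server's private address is the right one in OUTSIDE_IN even after you add NAT for it; NAT itself is outside the scope of this article.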
By default the ASA does not let a ping succeed between interfaces with different security levels. The ICMP echo request from the
higher security level interface is allowed out, but because ICMP is not stateful-inspected by default, the echo reply that comes back in on
the lower security level interface has no matching entry in the connection table and is dropped. TCP and UDP connections, on the other
hand, are tracked in the connection table, so their return traffic from the lower security level interface is always allowed. For example, a
host on the inside interface (security level 100) can telnet to a host on the dmz interface (security level 50) even though it cannot ping it.
To allow ICMP ping between interfaces with different security levels, add ICMP inspection to the global policy on the Cisco ASA firewall
as follows:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
The global policy is already active on a default ASA configuration through "service-policy global_policy global", so nothing else is
needed. After applying the above commands, you can try to ping from "PC1" to "PC2".
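If you would rather not inspect ICMP, the reply traffic can be permitted explicitly with an ACL on the lower security level interface instead. This is an added example, not part of the original article; the ACL name OUTSIDE_IN is made up, and the addressing follows the lab in the next section (10.10.10.0/24 behind inside, outside on Gi0/1).

```cisco
! Added example (not from the original article): permit the ICMP
! replies to inside-initiated pings with an ACL instead of enabling
! ICMP inspection. ACL name OUTSIDE_IN is made up.
access-list OUTSIDE_IN extended permit icmp any 10.10.10.0 255.255.255.0 echo-reply
! time-exceeded and unreachable are what traceroute and path-MTU
! discovery depend on; permit them too if those should keep working.
access-list OUTSIDE_IN extended permit icmp any 10.10.10.0 255.255.255.0 time-exceeded
access-list OUTSIDE_IN extended permit icmp any 10.10.10.0 255.255.255.0 unreachable
access-group OUTSIDE_IN in interface outside
```

The trade-off: "inspect icmp" only admits a reply that matches an outstanding echo request, while this ACL admits any echo-reply, time-exceeded or unreachable packet addressed to the LAN whether or not something inside asked for it. Prefer inspection where you can; use the ACL when the global policy cannot be changed.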
Case1: From a Higher Security Level Interface to a Lower Security Level Interface
In this case, interface Gi0/0 is assigned security level 100 and interface Gi0/1 is assigned security level 0.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.10.20.1 255.255.255.0
Now let's ping from PC1 to PC2. The ping succeeds in this case because PC1 is connected to the higher security level interface of the
Cisco ASA, and ICMP inspection lets the echo replies back in.
Case2: From a Lower Security Level interface to a Higher Security level Interface
In this case, we test a ping from PC2, which is connected to the lower security level interface, to PC1, which is connected to the higher
security level interface. As expected, the ping fails because traffic cannot be initiated from the lower security level interface toward
the higher security level interface without an ACL that permits it.
Case3: From an Interface to Another Interface With the Same Security Level
Now let's change the security level so that it is the same on each interface. As in the picture above, both the inside and outside
interfaces now have security level 100 configured.
interface GigabitEthernet0/1
 nameif outside
 security-level 100
 ip address 10.10.20.1 255.255.255.0
If we try to ping from PC1 to PC2 now, the ping fails.
To allow traffic to flow from one interface to the other in this case, we need to apply the command "same-security-traffic permit
inter-interface" in global configuration mode.
Now let's try to ping from PC1 to PC2 again. This time the ping should succeed.
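Each of the three lab cases can be checked on the ASA itself with packet-tracer instead of pinging from the PCs. This is an added example, not part of the original article; the host addresses PC1 = 10.10.10.10 (inside) and PC2 = 10.10.20.10 (outside) are assumptions, since the article does not give them.

```cisco
! Added example (not from the original article): verify the three
! lab cases with packet-tracer. PC1 = 10.10.10.10 on inside and
! PC2 = 10.10.20.10 on outside are assumed addresses.
!
! Case 1: ICMP echo (type 8, code 0) from PC1 toward PC2, entering
! on inside (100) and leaving on outside (0). Expect "Action: allow".
packet-tracer input inside icmp 10.10.10.10 8 0 10.10.20.10
!
! Case 2: the same echo initiated by PC2, entering on outside (0)
! toward inside (100). Expect "Action: drop" with an ACL drop reason
! (the implicit deny), since no ACL permits it.
packet-tracer input outside icmp 10.10.20.10 8 0 10.10.10.10
!
! Case 3: raise outside to 100 so both interfaces match, then repeat
! Case 1. It is dropped until same-security traffic is permitted.
interface GigabitEthernet0/1
 security-level 100
!
packet-tracer input inside icmp 10.10.10.10 8 0 10.10.20.10
same-security-traffic permit inter-interface
packet-tracer input inside icmp 10.10.10.10 8 0 10.10.20.10
!
! The same check for TCP: source port 40000 on PC1 to Telnet on PC2.
packet-tracer input inside tcp 10.10.10.10 40000 10.10.20.10 23
```

packet-tracer is a privileged EXEC command, but the ASA accepts it from configuration mode as well, so the sequence above can be pasted as shown. Read the final phase of each output: "Action:" gives the verdict and, on a drop, "Drop-reason:" names the rule that matched. One caveat for Case 1: packet-tracer simulates only the outbound echo request, which the security levels allow even without ICMP inspection; it is the echo reply on the way back that needs "inspect icmp" or an ACL, so an "allow" here does not by itself prove that a real ping will succeed.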
8. Conclusion
Now you should have a precise idea of how security levels work in the Cisco ASA firewall appliance. It is basic knowledge that you
need before you start working with a Cisco ASA firewall appliance. I hope you enjoyed this tutorial. If you have any questions or
suggestions, you can always leave a comment below. I will do my best to review and reply to them. Thank you and have a nice
day.