Cisco ASA Security Levels

The Cisco ASA Firewall utilizes security levels to determine the trustworthiness of interfaces, with higher levels indicating more trust. Traffic can flow from higher to lower security levels, but not vice versa unless explicitly permitted by access-lists. The document outlines examples of security levels, interface configurations, and rules governing traffic flow between different security zones.

Cisco ASA Security Levels 10/05/2020, 15:00

The Cisco ASA Firewall uses so-called “security levels” that indicate how trusted an interface is compared to another interface. The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone, so by using these security levels we have different trust levels for our security zones.

An interface with a high security level can access an interface with a low security level, but the other way around is not possible unless we configure an access-list that permits this traffic.

Here are a couple of examples of security levels:

Security level 0: This is the lowest security level there is on the ASA and by default it is assigned to the “outside” interface. Since there is no lower security level, this means that traffic from the outside is unable to reach any of our interfaces unless we permit it within an access-list.

Security level 100: This is the highest security level on our ASA and by default this is assigned to the “inside” interface. Normally we use this for our “LAN”. Since this is the highest security level, by default it can reach all the other interfaces.

Security level 1 – 99: We can create any other security levels that we want, for example we can use security level 50 for our DMZ. This means that traffic is allowed from our inside network to the DMZ (security level 100 -> 50) and also from the DMZ to the outside (security level 50 -> 0). Traffic from the DMZ however can’t go to the inside (without an access-list) because traffic from security level 50 is not allowed to reach security level 100. You can create as many security levels as you want…

Let’s take a look at a Cisco ASA firewall with three interfaces so you can see this behavior in action, here’s the topology I will use:

https://networklessons.com/cisco/asa-firewall/cisco-asa-security-levels Page 1 of 7

Above you see the Cisco ASA in the middle with three interfaces:

Interface E0/0 as the INSIDE.
Interface E0/1 as the OUTSIDE.
Interface E0/2 as our DMZ.

I will use the routers so we can generate some traffic between the different security levels. Let’s configure the ASA with these interfaces:

ASA1(config)# interface E0/0
ASA1(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config)# interface E0/1
ASA1(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config)# interface E0/2
ASA1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.3.254 255.255.255.0
ASA1(config-if)# no shutdown

The nameif command is used to specify a name for the interface. Unlike the description command, the name of your interface is actually used in many other commands, so pick something useful. As you can see the ASA recognizes the INSIDE, OUTSIDE and DMZ names. It uses a default security level of 100 for INSIDE and 0 for OUTSIDE/DMZ. I manually changed the security level of the DMZ interface to 50.

Let’s see what traffic patterns are allowed now, shall we? First we’ll send some pings from the ASA…


Traffic from the ASA


The ASA can reach any device on any interface:

ASA1# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA1# ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

As you can see the ASA can reach any device in each of the different security zones. This makes sense since these devices are also using the ASA as their default gateway. The next step is to test some traffic between devices in different security zones.

By default the ASA has a global inspection policy (that we’ll discuss in another lesson) that doesn’t permit ICMP traffic. If you want to ping between devices through your ASA firewall then we have to inspect ICMP traffic, you can do it like this:

ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp

Now ICMP traffic will be allowed between different interfaces.

Traffic from Inside


Let’s send some pings from R1 to R2 (outside) and R3 (DMZ):

R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Both pings work because we are going from security level 100 (inside) to 0 (outside) and
50 (DMZ).

Traffic from Outside


Now we’ll send some pings from R2 which is on the outside…

R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This doesn’t work since we are trying to go from a security level of 0 (outside) to 100 (inside) or 50 (DMZ). If you want to allow this traffic then we would have to use an access-list. Last but not least, let’s try the DMZ:

Traffic from DMZ


R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The first ping doesn’t work since we try to go from security level 50 (DMZ) to 100 (inside). The second one works because we go to a lower security level, 0 (outside).

Rules

In short, this is how the security levels work:

Traffic from a higher security level to a lower security level is allowed. For example, traffic from the inside is allowed to reach the outside. Of course it’s possible to restrict this with access-lists.
Traffic from a lower security level to a higher security level is not allowed. This could be traffic from the outside headed towards the inside. You can also change this with an access-list, this might be useful if you have servers in the DMZ that you want to reach from the outside.
Traffic between interfaces with the same security level is not allowed. For example, if you have an interface called “DMZ1” with security level 50 and another one called “DMZ2” with the same security level then traffic between the two will be dropped. You can change this behavior with the global same-security-traffic permit inter-interface command.
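The three rules above, applied to the lesson's INSIDE (100) / OUTSIDE (0) / DMZ (50) topology, as a small decision model added here. This is example code written for this page, not code from the lesson or from Cisco; the AclEntry/Asa classes, the dmz_web_asa() scenario and its TCP/80 rule towards R3 are constructed assumptions. It models two things the text only states: an inbound access-list replaces the level-based default on that interface (implicit deny for everything else), and the same-security-traffic permit inter-interface flag. The ICMP inspection policy is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class AclEntry:
    """One permit line of an inbound access-list (constructed model, not ASA syntax)."""
    proto: str                   # "ip" matches every protocol, else "tcp"/"udp"/"icmp"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

@dataclass
class Asa:
    levels: Dict[str, int]                                       # nameif -> security-level
    inbound_acl: Dict[str, List[AclEntry]] = field(default_factory=dict)
    same_security_inter_interface: bool = False                  # same-security-traffic permit inter-interface

    def permits(self, in_if, out_if, proto, src_ip, dst_ip, dport=None):
        """Security-level check for a flow entering in_if and leaving out_if.
        Inspection (e.g. inspect icmp for the echo replies) is not modelled."""
        if in_if == out_if:
            return False                     # hairpinning is a separate setting, not covered here
        acl = self.inbound_acl.get(in_if)
        if acl is not None:
            # An inbound access-list replaces the level-based default on that interface:
            # only explicitly permitted flows pass, everything else hits the implicit deny.
            return any(e.matches(proto, src_ip, dst_ip, dport) for e in acl)
        lin, lout = self.levels[in_if], self.levels[out_if]
        if lin > lout:
            return True                      # higher -> lower is permitted by default
        if lin == lout:
            return self.same_security_inter_interface
        return False                         # lower -> higher is denied without an access-list

def lesson_asa():
    """The lesson's topology: INSIDE 100, OUTSIDE 0, DMZ 50, no access-lists."""
    return Asa(levels={"INSIDE": 100, "OUTSIDE": 0, "DMZ": 50})

def dmz_web_asa():
    """Same topology plus an assumed OUTSIDE inbound ACL exposing only TCP/80 on R3 (192.168.3.3)."""
    asa = lesson_asa()
    asa.inbound_acl["OUTSIDE"] = [AclEntry("tcp", "0.0.0.0/0", "192.168.3.3/32", 80)]
    return asa
```

Once the OUTSIDE access-list is applied, the model denies every other outside-initiated flow, which is the "servers in the DMZ reachable from the outside" case from the second rule done with least privilege.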

That’s basically it. I hope this lesson has helped you to understand the Cisco ASA security
levels. If you have any questions, feel free to leave a comment.


Forum Replies


ReneMolenaar

Hi Donald,

In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.

Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need an

... Continue reading in our forum

zahanison

Hi Rene,

To allow the DMZ traffic would you need to put an ACL on the inside interface allowing DMZ traffic or on the Inside interface allowing DMZ source to come in? Or do you need to put ACLs on both interfaces?

If DMZ is say 172.16.1.0/24 range and Inside is 192.168.1.0/24 range. Would you put ACL in DMZ interface allowing 172.16.1.0/24 access to
192.168.1.0/24 and then put the same ACL on inside as well?

zahanison

Hi Rene,

Thanks for that. Still want clarification on something. If I want a subnet in the DMZ to access a subnet on the INSIDE, do I put the ACL on DMZ interface OR Inside Interface OR on Both? It’s just that in my live environment I see ACL on the DMZ interface for DMZ subnet to access INSIDE subnet so not sure if it is required.

robbo7987

Hi, quick question regarding the service policy placement on the ASA, not including global because that’s pretty self explanatory. I created just a simple topology where the ASA was in the middle and has 2 routers on either side, the outside interface had a security level of 0 and inside 100, the outside interface is also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IPs to the outside interface.

My policy map inspects ICMP and I applied it to a service policy that was placed on the inside interface, I tested

... Continue reading in our forum

MOD-NETWORK

Hi, Thanks From Post,

I have done everything and it worked fine, unfortunately my firewall does not allow DNS resolution from the outside interface to the inside.
Should I apply another ACL or inspect DNS traffic from outside to inside and vice versa?
----------------------------------------------------------------------------------------------------------------------------


ASA3/SRV-A(config)# packet-tracer input TO-OUT tcp 0.0.0.0 53 6.6.6.6 53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROU

... Continue reading in our forum


© 2013 - 2020 NetworkLessons.com
