Networks Training

You are here: Home / Cisco ASA General / Cisco ASA Firewall (5500 and 5500-X) Security Levels Explained

Cisco ASA Firewall (5500 and 5500-X) Security Levels Explained

This article describes the security levels concept as used in the Cisco ASA firewall appliance. The following information applies to both the older 5500 series and the newer 5500-X series of appliances.

What is Security Level

A Security Level is assigned to interfaces (either physical or logical sub-interfaces) and it is basically a number from 0 to 100 designating how trusted an interface is relative to another interface on the appliance.

The higher the security level, the more trusted the interface (and hence the network connected behind it) is considered to be, relative to another interface.

Since each firewall interface represents a specific network (or security zone), by using security levels we can assign ‘trust levels’ to our security zones.

The primary rule for security levels is that an interface (or zone) with a higher security level can access an interface with a lower security level.

On the other hand, an interface with a lower security level cannot access an interface with a higher security level, without the explicit permission of a security rule (Access Control List – ACL).

Security Level Examples

Let us see some examples of security levels below:

  • Security Level 0: This is the lowest security level and it is assigned by default to the ‘Outside’ Interface of the firewall. It is the least trusted security level and must be assigned accordingly to the network (interface) that we don’t want it to have any access to our internal networks. This security level is usually assigned to the interface connected to the Internet. This means that every device connected to the Internet can not have access to any network behind the firewall, unless explicitly permitted by an ACL rule.
  • Security Levels 1 to 99: These security levels can be assigned to perimeter security zones (e.g. DMZ Zone, Management Zone, Database Servers Zone etc).
  • Security Level 100: This is the highest security level and it is assigned by default to the ‘Inside’ Interface of the firewall. It is the most trusted security level and must be assigned accordingly to the network (interface) that we want to apply the most protection from the security appliance. This security level is usually assigned to the interface connecting the Internal Corporate network behind it.
MORE READING:  How to Recover a preshared key of IPSEC VPN on Cisco ASA

asa firewall security levels

The diagram above illustrates a typical example of security levels assignment in a network with an Inside, Outside, and DMZ zones.

This represents a pretty common network setup of an enterprise/corporate network whereby users are connected to the Inside (internal) network, some public servers (e.g web server, email server etc) are located in a DMZ network and the outside of the ASA is connected to the Internet.

Throughout this website, I represent the Cisco Firewall with the “Electrical Diode” symbol. As you can see, the Internal Corporate Network is connected to the Interface with the highest security level (Interface G0/1 with Security Level 100) which is also named as ‘Inside’.

The Interface name ‘Inside’ is given by default to the interface with the highest security level. Also, the INTERNET facing interface (G0/0) is named ‘Outside’ and is assigned a security level of 0.

A Perimeter Zone (DMZ) is also created with a Security Level of 50. The Red Arrows in the diagram represent the flow of traffic.

As you can see, the Inside Zone can access both DMZ and Outside Zones (Security Level 100 can access freely the Security Levels 50 and 0).

The DMZ Zone can access only the Outside Zone (Security Level 50 can access Level 0), but not the Inside Zone. Lastly, the Outside Zone cannot access either the Inside or the DMZ zones.

What is described in the example above is the default behavior of the Cisco ASA Firewalls. We can override the default behavior and allow access from Lower Security Levels to Higher Security Levels by using Static NAT (only if required) and Access Control Lists.

Rules for Traffic Flow between Security Levels

  • Traffic from Higher Security Level to Lower Security Level: Allow ALL traffic originating from the higher Security Level unless specifically restricted by an Access Control List (ACL). If NAT-Control is enabled on the device, then there must be a dynamic NAT translation rule between High-to-Low Security Level interfaces (e.g PAT etc).
  • Traffic from Lower Security Level to Higher Security Level: Drop ALL traffic unless specifically allowed by an ACL. If NAT-Control is enabled on the device then there must be a Static NAT between High-to-Low Security Level interfaces.
  • Traffic between interfaces with same Security Level: By default this is not allowed, unless you configure the same-security-traffic permit inter-interface command (ASA version 7.2 and later).
MORE READING:  How to Block Access to Websites with a Cisco ASA Firewall (with FQDN)

Using Interfaces with Same Security Levels on Cisco ASA

Most Cisco ASA firewall models allow you to have a maximum number of VLANs greater than 100 (e.g 150, 200, 250).

Each Layer 2 VLAN on the ASA is essentially a different security zone, with its own Security Level number.

As we know, security levels can range from 0 to 100 (i.e we have 101 security levels). One obvious question arises here: How can we have lets say 150 VLANs on the firewall, but we have only 101 possible security levels?

The answer is simple: We can have the same security level number on different interfaces / subinterfaces (security zones). This feature will allow us to have more than 101 communicating interfaces on the firewall.

By default, interfaces with the same security level can not communicate between them. To allow traffic to flow freely between interfaces with same security level, use the following command:

ASA(config)# same-security-traffic permit inter-interface

There is another option also for this command:
ASA(config)# same-security-traffic permit intra-interface

The last command above allows traffic to enter and exit the same interface, which by default is not allowed. This is useful in networks where the ASA firewall acts as a HUB in a HUB-and-SPOKE VPN topology, where spokes need to communicate with each through the hub (this is also called “hairpinning“).

Security level is one of the core concepts of ASA firewalls. You must carefully plan the assignment of security levels on a per-interface basis and then control traffic between interfaces accordingly.

Let me know in the comments section below if you have any questions or if you need any help configuring security levels.

Related Posts

Filed Under: Cisco ASA General

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available on Amazon and on this website as well.

Comments

  1. Marthelous says

    Hey Andrea,

    I’m a network engineer and I bought several books from you in the past but I have a question. I have a Cisco ASA5506 and a layer 3 switch so I configure multiple intervlan in the switch only one VLAN is able to ping one subnet, access the internet but the other intervlan are not pinging. Host that are connected to them. I have policy-map but the other intervlan in the switch is not pingable with other hosts on a different subnet.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING

BLOGROLL

Tech21Century
Firewall.cx
shares