Networks Training

Cisco ASA 5500-X Firewall Security Levels Explained

This article describes the security levels concept as used in the Cisco ASA firewall appliance. The following information applies to both the older 5500 series and the newer 5500-X series of appliances.

A Security Level is assigned to interfaces (either physical or logical sub-interfaces) and it is basically a number from 0 to 100 designating how trusted an interface is relative to another interface on the appliance.

The higher the security level, the more trusted the interface (and hence the network connected behind it) is considered to be, relative to another interface.

Since each firewall interface represents a specific network (or security zone), by using security levels we can assign ‘trust levels’ to our security zones.

The primary rule for security levels is that an interface (or zone) with a higher security level can access an interface with a lower security level.

On the other hand, an interface with a lower security level cannot access an interface with a higher security level, without the explicit permission of a security rule (Access Control List – ACL).

Security Level Examples

Let us see some examples of security levels below:

  • Security Level 0: This is the lowest security level and it is assigned by default to the ‘Outside’ Interface of the firewall. It is the least trusted security level and must be assigned accordingly to the network (interface) that we don’t want it to have any access to our internal networks. This security level is usually assigned to the interface connected to the Internet. This means that every device connected to the Internet can not have access to any network behind the firewall, unless explicitly permitted by an ACL rule.
  • Security Levels 1 to 99: These security levels can be assigned to perimeter security zones (e.g. DMZ Zone, Management Zone, Database Servers Zone etc).
  • Security Level 100: This is the highest security level and it is assigned by default to the ‘Inside’ Interface of the firewall. It is the most trusted security level and must be assigned accordingly to the network (interface) that we want to apply the most protection from the security appliance. This security level is usually assigned to the interface connecting the Internal Corporate network behind it.
MORE READING:  Using the ROMMON to load a new image on Cisco ASA Firewall Step-by-Step

asa firewall security levels

The diagram above illustrates a typical example of security levels assignment in a network with an Inside, Outside, and DMZ zones.

This represents a pretty common network setup of an enterprise/corporate network whereby users are connected to the Inside (internal) network, some public servers (e.g web server, email server etc) are located in a DMZ network and the outside of the ASA is connected to the Internet.

Throughout this website, I represent the Cisco Firewall with the “Electrical Diode” symbol. As you can see, the Internal Corporate Network is connected to the Interface with the highest security level (Interface G0/1 with Security Level 100) which is also named as ‘Inside’.

The Interface name ‘Inside’ is given by default to the interface with the highest security level. Also, the INTERNET facing interface (G0/0) is named ‘Outside’ and is assigned a security level of 0.

A Perimeter Zone (DMZ) is also created with a Security Level of 50. The Red Arrows in the diagram represent the flow of traffic.

As you can see, the Inside Zone can access both DMZ and Outside Zones (Security Level 100 can access freely the Security Levels 50 and 0).

MORE READING:  Antivirus and Antispam protection with CSC SSM

The DMZ Zone can access only the Outside Zone (Security Level 50 can access Level 0), but not the Inside Zone. Lastly, the Outside Zone cannot access either the Inside or the DMZ zones.

What is described in the example above is the default behavior of the Cisco ASA Firewalls. We can override the default behavior and allow access from Lower Security Levels to Higher Security Levels by using Static NAT (only if required) and Access Control Lists.

Rules for Traffic Flow between Security Levels

  • Traffic from Higher Security Level to Lower Security Level: Allow ALL traffic originating from the higher Security Level unless specifically restricted by an Access Control List (ACL). If NAT-Control is enabled on the device, then there must be a dynamic NAT translation rule between High-to-Low Security Level interfaces (e.g PAT etc).
  • Traffic from Lower Security Level to Higher Security Level: Drop ALL traffic unless specifically allowed by an ACL. If NAT-Control is enabled on the device then there must be a Static NAT between High-to-Low Security Level interfaces.
  • Traffic between interfaces with same Security Level: By default this is not allowed, unless you configure the same-security-traffic permit inter-interface command (ASA version 7.2 and later).

Security level is one of the core concepts of ASA firewalls. You must carefully plan the assignment of security levels on a per-interface basis and then control traffic between interfaces accordingly.

Let me know in the comments section below if you have any questions or if you need any help configuring security levels.

Related Posts

Filed Under: Cisco ASA General

Download Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls


By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.












Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to amazon.com, amazon.co.uk , amazon.de, amazon.it, amazon.es and affiliated sites.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING