What are Cisco ASA firewall security levels?
ASA security levels define whether traffic initiated on one interface is allowed to pass to another interface, and whether the replies are allowed to return. A higher-security interface can initiate traffic to a lower-security interface without an access list, and the return traffic for connections initiated from the higher level is allowed back through from the lower to the higher security level. The higher the security level setting on an interface, the more trusted it is.
When configuring an ASA, no access list is required for traffic from a high-security-level interface to pass through to a low-security-level interface, and the return traffic from the low level back to the high level is allowed to pass as long as it matches the expected criteria in the ASA translation tables.
The ASA allows traffic to pass from trusted network to untrusted network, but not the reverse. Each interface must have a security level from 0 (lowest) to 100 (highest).
For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. The ASA blocks traffic from interfaces with lower settings from passing through to interfaces with higher settings.
To illustrate, consider a common scenario where the inside interface has a security level of 100 and the outside interface has a level of 0. The ASA allows traffic to pass from the inside to the outside; however, it prevents traffic initiated from the outside to the inside, because the inside has the higher security level and there is no access list permitting it.
The following are the primary security levels created and used on the Cisco ASA:
- Security level 100: the highest possible level and the most trusted; it is used by the inside interface by default.
- Security level 0: the lowest possible level and the most untrusted; it is used by the outside interface by default.
- Security levels 1–99: can be assigned to any other interface on the ASA. On a three-pronged ASA firewall, the inside is typically 100, the outside is 0, and the DMZ interface is 50.
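The decision described above, written out as a small Python model that is added here and is not part of the original article or Cisco's own code: interface names, levels, ACL contents and host addresses are assumed for illustration. It goes slightly beyond the text by also covering two interfaces at the same level (blocked unless `same-security-traffic permit inter-interface` is configured) and the fact that an access list applied to an interface replaces the implicit high-to-low permit.

```python
# Added example (not from the original article): a model of how an ASA decides
# whether the first packet of a flow may pass between two interfaces, plus the
# stateful rule that lets return traffic of an established flow back through.
# Interface names, levels, ACL contents and hosts are assumed for illustration.
from dataclasses import dataclass, field


@dataclass
class Asa:
    levels: dict                               # nameif -> security-level (0..100)
    acls: dict = field(default_factory=dict)   # ingress nameif -> set of permitted egress nameifs
    same_security_inter: bool = False          # 'same-security-traffic permit inter-interface'
    conns: set = field(default_factory=set)    # established flows: (in_if, out_if, src, dst)

    def allow_new(self, ingress, egress):
        """Policy for the first packet of a new connection."""
        src, dst = self.levels[ingress], self.levels[egress]
        if src == dst:
            # Equal levels are blocked by default; the same-security command is required.
            return self.same_security_inter
        if ingress in self.acls:
            # An ACL applied to the ingress interface replaces the implicit permit:
            # anything it does not permit is denied, even high-to-low traffic.
            return egress in self.acls[ingress]
        # Implicit rule: a higher level may initiate to a lower one, never the reverse.
        return src > dst

    def forward(self, ingress, egress, src_host, dst_host):
        """Return True if the packet passes; new flows are recorded in the connection table."""
        if (egress, ingress, dst_host, src_host) in self.conns:
            return True   # return traffic of an established flow bypasses the level check
        if not self.allow_new(ingress, egress):
            return False
        self.conns.add((ingress, egress, src_host, dst_host))
        return True


def build_sample():
    """Assumed three-pronged ASA (inside 100, dmz 50, outside 0) plus two dev interfaces at 67."""
    asa = Asa(levels={"inside": 100, "dmz": 50, "outside": 0, "dev": 67, "dev1": 67})
    asa.acls["outside"] = {"dmz"}   # stands in for an ACL applied 'in' on outside that only permits the DMZ
    return asa


if __name__ == "__main__":
    asa = build_sample()
    print(asa.forward("inside", "outside", "10.0.0.5", "203.0.113.9"))    # True: 100 -> 0, no ACL needed
    print(asa.forward("outside", "inside", "203.0.113.9", "10.0.0.5"))    # True: return traffic
    print(asa.forward("outside", "inside", "198.51.100.7", "10.0.0.8"))   # False: ACL does not permit
    print(asa.forward("outside", "dmz", "198.51.100.7", "172.16.0.10"))   # True: ACL permits
    print(asa.forward("dev", "dev1", "172.17.0.1", "172.18.0.1"))         # False: same level
```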
I believe you made a typo. “Lower level security interfaces can initiate traffic to a higher level and not be blocked.”
Rather, it should be reversed. “Higher level security interfaces can initiate traffic to a lower level and not be blocked.”
Corrected, thanks.
Great summary.
One question, in the second paragraph you wrote, “And RETURN traffic for the high level to the low level is allowed to passed based on it meeting EXPECTED CRITERIA in the ASA translation tables” (my emphasis added)
What is the expected criteria the return traffic needs? Is it sequence number for the packet?
Thanks for clarifying the logical concept of security levels.
What definitions are predefined in the ASA for security levels from 0 to 100? Please share any URL that explains those definitions.
Is it possible to have two ports with security level 0 and two with security level 100?
Excellent Article.
Thank you for this.
One thing I’m not sure of: is there any other difference between security levels?
Let’s say I have 100 for inside and 0 for outside.
Would it matter if I set DMZ server on 30, 50, or 70? (or 1 or 99)…
Praveen,
Thank you for the article. Exactly what I needed for an AM refresh, as I haven’t used ASAs in a little while.
Thanks Again!
I have never found anywhere that correctly explains the situation where you have two interfaces with the same security level. Say I have Dev and Dev1 interfaces on different networks but with the same security level, 67.