Even though we have the ability to configure Global and Interface ACLs on the Cisco ASA, Security Levels are still a key element to understand. Security Levels control the default behavior of transit traffic on the ASA. The rules are simple.
- Each interface gets a security level.
- Transit traffic can go from a higher to a lower security level, which creates an entry in the state table and allows for return traffic.
- Transit traffic from a lower to a higher security level is denied by default.
So, assuming the three-interface topology in the diagram below, we can work out the default traffic behavior.
In that topology, outbound traffic can transit the ASA from:
- The DMZ to the OUTSIDE
- The INSIDE to the DMZ
- The INSIDE to the OUTSIDE
Additionally, inbound traffic would be denied if it were:
- OUTSIDE to DMZ
- OUTSIDE to INSIDE
- DMZ to INSIDE
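To make the rule concrete, here is a small added example (mine, not code from the original post) that parses a constructed ASA configuration fragment for each interface's `nameif` and `security-level`, then applies the default transit rule to every pair of interfaces. The security-level values of 100 (INSIDE), 50 (DMZ) and 0 (OUTSIDE) and the addresses are assumptions for the three-interface topology, since the post's diagram gives no numbers. It also goes one step beyond the post and treats interfaces with the same security level, which the ASA denies by default until `same-security-traffic permit inter-interface` is configured.

```python
import re
from typing import Dict, List, Tuple

# Constructed ASA running-config fragment (not from the original post).
# Security-level values 100/50/0 are assumed for the INSIDE/DMZ/OUTSIDE topology.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
"""


def parse_security_levels(config: str) -> Dict[str, int]:
    """Return {nameif: security_level} from an ASA config fragment.

    Each 'interface ...' block is inspected for its nameif and security-level
    lines; blocks lacking either (for example a shut, unnamed port) are skipped.
    """
    levels: Dict[str, int] = {}
    # Split on lines starting with 'interface'; the first chunk is text before any block.
    for block in re.split(r"^interface\s", config, flags=re.MULTILINE)[1:]:
        m_name = re.search(r"^\s*nameif\s+(\S+)", block, re.MULTILINE)
        m_level = re.search(r"^\s*security-level\s+(\d+)", block, re.MULTILINE)
        if m_name and m_level:
            levels[m_name.group(1)] = int(m_level.group(1))
    return levels


def default_transit(levels: Dict[str, int], src_if: str, dst_if: str) -> str:
    """Apply the ASA default rule with no ACLs configured.

    higher -> lower : allowed (a state-table entry permits the return traffic)
    lower  -> higher: denied
    equal  -> equal : denied unless 'same-security-traffic permit inter-interface'
                      is configured (a case the post defers to a later article)
    """
    src, dst = levels[src_if], levels[dst_if]
    if src > dst:
        return "allowed"
    if src < dst:
        return "denied"
    return "denied-equal"


def transit_matrix(levels: Dict[str, int]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Evaluate every ordered interface pair; return (allowed, denied) lists."""
    allowed: List[Tuple[str, str]] = []
    denied: List[Tuple[str, str]] = []
    for src in levels:
        for dst in levels:
            if src == dst:
                continue  # same-interface (hairpin) traffic is a separate topic
            target = allowed if default_transit(levels, src, dst) == "allowed" else denied
            target.append((src, dst))
    return sorted(allowed), sorted(denied)


if __name__ == "__main__":
    lv = parse_security_levels(SAMPLE_CONFIG)
    ok, no = transit_matrix(lv)
    print("security levels:", lv)
    for s, d in ok:
        print(f"{s:8} -> {d:8} allowed (High to Low, go!)")
    for s, d in no:
        print(f"{s:8} -> {d:8} denied  (Low to High, let the packet die!)")
```

Running it reproduces the two bullet lists above: DMZ to OUTSIDE, INSIDE to DMZ and INSIDE to OUTSIDE are allowed, while the three reverse directions are denied. Swap the numbers in the constructed config to see how the matrix changes; the point of the exercise is that only the relative order of the levels matters, not their absolute values.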
The easy way to remember this:
Low to High, let the packet die! High to Low, go!
That’s all there is to it, until you start to talk about interfaces with the same security level, traffic between two hosts on the same interface (VPN), and the application of ACLs. However, we’re going to save those scenarios for another post.