
Easy Way To Understand ASA Security Levels

April 7, 2014 by bcarroll 3 Comments

Even though we have the ability to configure Global and Interface ACLs on the Cisco ASA, Security Levels are still a key element to understand. Security Levels control the default behavior of transit traffic on the ASA. The rules are simple.

  1. Each interface gets a security level.
  2. Transit traffic can go from a higher to a lower security level, which creates an entry in the state table and allows for return traffic.
  3. Transit traffic from a lower to a higher security level is denied by default.

So, assuming the diagram below, we can work out the default traffic behavior.

Simple ASA Network

In our above topology, outbound traffic can transit the ASA from:

  1. The DMZ to the OUTSIDE
  2. The INSIDE to the DMZ
  3. The INSIDE to the OUTSIDE

Additionally, inbound traffic would be denied if it were:

  1. OUTSIDE to DMZ
  2. OUTSIDE to INSIDE
  3. DMZ to INSIDE

The easy way to remember this:

Low to High, let the packet die! High to Low, go!

That’s all there is to it, until you start to talk about interfaces with the same security level, traffic between two hosts on the same interface (VPN), and the application of ACLs. However, we’re going to save those scenarios for another post.
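As an added illustration (not code from this post or from Cisco), here is a small Python model of the three rules above applied to the INSIDE/DMZ/OUTSIDE topology. The interface names and security levels are the post's; the addresses, ports and the state-table representation are constructed assumptions.

```python
from dataclasses import dataclass

# Interface security levels taken from the topology in the post.
SECURITY_LEVELS = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}

@dataclass(frozen=True)
class Flow:
    """One connection, keyed the way a state-table entry would be (constructed)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The return-traffic direction of this flow."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)

class DefaultPolicy:
    """Simplified model of ASA transit behaviour with no ACLs applied:
    higher-to-lower is allowed and recorded in the state table, the reverse of
    a recorded flow is allowed back, and everything else is denied (including
    same-level traffic, which the post leaves for a later article)."""

    def __init__(self, levels):
        self.levels = levels
        self.state_table = set()

    def check(self, ingress, egress, flow):
        if flow.reverse() in self.state_table:
            return "allow (return traffic)"
        if self.levels[ingress] > self.levels[egress]:
            self.state_table.add(flow)
            return "allow"
        return "deny"

def demo():
    """Run the post's six cases plus one reply through the model (constructed addresses)."""
    asa = DefaultPolicy(SECURITY_LEVELS)
    web = Flow("tcp", "10.1.1.10", 51000, "203.0.113.5", 443)
    return {
        "INSIDE->OUTSIDE": asa.check("INSIDE", "OUTSIDE", web),
        "OUTSIDE->INSIDE (reply to web)": asa.check("OUTSIDE", "INSIDE", web.reverse()),
        "OUTSIDE->INSIDE (new)": asa.check("OUTSIDE", "INSIDE", Flow("tcp", "198.51.100.7", 40000, "10.1.1.10", 22)),
        "OUTSIDE->DMZ": asa.check("OUTSIDE", "DMZ", Flow("tcp", "198.51.100.7", 40001, "172.16.1.20", 80)),
        "DMZ->INSIDE": asa.check("DMZ", "INSIDE", Flow("tcp", "172.16.1.20", 40002, "10.1.1.10", 3389)),
        "INSIDE->DMZ": asa.check("INSIDE", "DMZ", Flow("tcp", "10.1.1.10", 51001, "172.16.1.20", 80)),
        "DMZ->OUTSIDE": asa.check("DMZ", "OUTSIDE", Flow("tcp", "172.16.1.20", 40003, "203.0.113.5", 443)),
    }
```

Calling `demo()` returns the verdict for each path; note that the only low-to-high flow that passes is the reply whose forward direction was already recorded in the state table.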

Happy Labbing!

Filed Under: Tutorials Tagged With: asa, asa 9.1, asa 9.x, cisco asa, Firewalls, SENSS

Comments

  1. Paul Stewart, CCIE 26009 (Security) says

    April 8, 2014 at 5:54 pm

    I have never had a problem with remembering that packets can freely flow (by default) from inside to outside. I do think it can be a challenge to recall which interface is 100 and which is 0. To remember that the outside interface is “0”, I just think of outside starting with a “zero”.

    I know that it is cheesy, but it has always worked for me.

    • Brandon Carroll, CCIE #23837 says

      April 9, 2014 at 7:26 am

      I totally agree Paul, but I’ve recently noticed a lot of people using the 0 or 0/0 interface for inside networks. Doesn’t make sense to me, but they are. Have you noticed this too?

  2. Not submitted says

    August 27, 2015 at 3:53 am

    We can remember it geometrically like this. When there is an obstacle, no traffic passes; when there is a hitch, then traffic passes.

    100
    ________
    / 50
    0 / ________
    _______/_____________/
