Even though we have the ability to configure Global and Interface ACLs on the Cisco ASA, Security Levels are still a key element to understand. Security Levels control the default behavior of transit traffic on the ASA. The rules are simple.
- Each interface gets a security level.
- Transit traffic can go from a higher to a lower security level, which creates an entry in the state table and allows for return traffic.
- Transit traffic from a lower to a higher security level is denied by default.
So, assuming the diagram below, we can work out the default traffic behavior.
In our above topology, outbound traffic can transit the ASA from:
- The DMZ to the OUTSIDE
- The INSIDE to the DMZ
- The INSIDE to the OUTSIDE
Additionally, inbound traffic would be denied if it were:
- OUTSIDE to DMZ
- OUTSIDE to INSIDE
- DMZ to INSIDE
The easy way to remember this:
Low to High, let the packet die! High to Low, go!
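As an added illustration, not code from the original post, here is a small Python model of these default rules applied to the INSIDE (100) / DMZ (50) / OUTSIDE (0) topology, including the state-table entry that lets return traffic of an outbound connection back in. The IP addresses are constructed, and traffic between interfaces with equal security levels (deferred by the post) is assumed to be denied, which is the ASA default without same-security-traffic permit.

```python
from dataclasses import dataclass, field

# Security levels from the post's topology.
SECURITY_LEVELS = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        # The return direction of the same connection.
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass
class AsaDefaultPolicy:
    levels: dict
    state_table: set = field(default_factory=set)

    def permit(self, ingress: str, egress: str, flow: Flow) -> bool:
        """Apply the security-level rules with no ACLs configured."""
        # Return traffic of a known connection matches the state table first.
        if flow.reverse() in self.state_table:
            return True
        # High to low: go, and record the connection for return traffic.
        if self.levels[ingress] > self.levels[egress]:
            self.state_table.add(flow)
            return True
        # Low to high: let the packet die. Equal levels are treated as
        # denied here (assumption; the post defers that case).
        return False


def transit_matrix(levels: dict) -> dict:
    """Default allow/deny for every ordered pair of interfaces, new connections only."""
    return {(a, b): levels[a] > levels[b] for a in levels for b in levels if a != b}
```

The matrix reproduces the six directions listed above; the policy object additionally shows why the inbound reply to an INSIDE-initiated session is allowed while an unsolicited inbound session is not.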
That’s all there is to it, until you start to talk about interfaces with the same security level, traffic between two hosts on the same interface (VPN), and the application of ACLs. However, we’re going to save those scenarios for another post.
Happy Labbing!
I have never had a problem with remembering that packets can freely flow (by default) from inside to outside. I do think it can be a challenge to recall which interface is 100 and which is 0. To remember that the outside interface is “0”, I just think of outside starting with a “zero”.
I know that it is cheesy, but it has always worked for me.
I totally agree Paul, but I’ve recently noticed a lot of people using the 0 or 0/0 interface for inside networks. Doesn’t make sense to me, but they are. Have you noticed this too?
We can remember it geometrically like this: when there is an obstacle, no traffic passes; when there is a hitch, traffic passes.
100
________
/ 50
0 / ________
_______/_____________/