Cisco ASA: Security Levels and Zones Explained

In this article, we will discuss Cisco ASA Firewall Security Levels and Zones in detail. During the initial deployment of a Cisco ASA firewall in Layer 3 (Routing) mode, we need to configure a security zone on each logical interface and assign a Security Level to it. Let’s get a better understanding of Security Levels and Zones.


Understanding Interfaces and Security Zones in Cisco ASA Firewall

Before looking at Security Levels, let’s understand Interfaces and Security Zones in the Cisco ASA Firewall. In Layer 3 (Routing) mode deployment, we must define an IP address, a Security Level, and a nameif (the zone name) on each interface.

A single logical interface belongs to exactly one security zone and has exactly one Security Level, so different interfaces can be placed in different zones with different security levels.

We can control the traffic between different security zones using ACLs (Access Control Lists).

Now, let’s understand the Security Level!

Security Levels in Cisco ASA Firewall

A Security Level is simply a number between 0 and 100. A higher Security Level means we place more trust in that zone, and a lower Security Level means less trust.

First, have a look at the image below to understand the security levels.

In the diagram, the Cisco ASA Firewall has three interfaces configured. Interface Gig0/0 is configured with IP address 1.1.1.1/29 and is connected to the ISP. It belongs to the outside security zone with security level 0.

Interface Gig0/1 is configured with IP address 192.168.1.1/24 and is connected to the internal core. It belongs to the inside security zone with security level 100.

Interface Gig0/2 is configured with IP address 172.16.1.1/24 and is connected to the DMZ network. It belongs to the DMZ security zone with security level 50.

By default, all traffic from a higher Security Level to a lower Security Level is allowed. That is why we usually assign the highest security level (100) to the LAN or inside interface and the lowest security level (0) to the outside or Internet interface.

Conversely, traffic from a lower Security Level to a higher Security Level is denied by default. You must configure an ACL to allow that particular traffic.

To get a better understanding of Security Levels, let’s discuss the examples below:

Cisco ASA: Security Level 100

  • This is the highest Security Level and it is assigned to the most trusted interface/zone. Usually, we assign the highest Security Level to the LAN / corporate interface.
  • Traffic from High-Security Level to Low-Security Level is allowed by default.

By default, an interface named inside gets a security level of 100, while an interface with any other name (e.g. outside, dmz) defaults to a security level of 0.

Cisco ASA: Security Level 0

  • This is the lowest Security Level and it is assigned to the most untrusted interface/zone. Usually, we assign the lowest Security Level to the ISP or Internet interface.
  • Traffic from Low-Security Level to High-Security Level is denied by default.

Accordingly, we need to configure Access Control Lists (ACLs) to allow traffic from outside to inside or to the DMZ.

Cisco ASA: Security Level between 1 and 99

  • Security Levels between 1 and 99 can be assigned to other zones such as the DMZ.
  • Traffic from a higher security level, i.e. inside (100), to a lower security level, i.e. DMZ (50), is allowed by default.
  • Traffic from a lower security level, i.e. outside (0), to a higher security level, i.e. DMZ (50), is denied by default.

Default Traffic Behaviour in Cisco ASA

We have discussed security levels and security zones in detail. Now let’s look at the default traffic behaviour between the three zones.

  • Traffic from the inside zone to the outside and DMZ zones is allowed by default.
  • Traffic from the outside zone to the inside and DMZ zones is denied by default.
  • Similarly, traffic from the DMZ to the inside zone is denied by default. Therefore, we need to implement ACLs to allow that traffic.
  • Traffic from the DMZ to the outside zone is allowed by default.
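To make the default behaviour concrete, here is an added example (not from the article or from Cisco) that models the ASA decision for a new connection between two zones: with no ACL on the ingress interface the security levels decide, and once an ACL is applied inbound on that interface the ACL decides, ending in an implicit deny. It uses the article's three interfaces; the DMZ web server 172.16.1.10 and the ACL entry are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    nameif: str
    level: int
    # ACL applied inbound on this interface: (action, destination, port) tuples
    acl: list = field(default_factory=list)


def default_security_level(nameif: str) -> int:
    """The ASA assigns level 100 to an interface named 'inside' and 0 to any other name."""
    return 100 if nameif.lower() == "inside" else 0


def is_allowed(src: Interface, dst: Interface, dst_ip: str, port: int,
               same_security_permit: bool = False) -> bool:
    """Is a new connection entering `src` toward `dst_ip` in zone `dst` permitted?

    Without an ACL on the ingress interface the security levels decide: higher to
    lower is allowed, lower to higher is denied, and equal levels are denied unless
    'same-security-traffic permit inter-interface' is configured. Once an ACL is
    applied inbound on `src`, it decides instead and ends in an implicit deny.
    """
    if src.acl:
        for action, destination, acl_port in src.acl:
            if ip_address(dst_ip) in ip_network(destination) and acl_port in (port, "any"):
                return action == "permit"
        return False  # implicit deny at the end of every ASA ACL
    if src.level == dst.level:
        return same_security_permit
    return src.level > dst.level


# The three interfaces from the article; levels for inside/outside are the ASA defaults.
outside = Interface("outside", default_security_level("outside"))
inside = Interface("inside", default_security_level("inside"))
dmz = Interface("DMZ", 50)

# Constructed ACL, equivalent to:
#   access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq 80
#   access-group OUTSIDE_IN in interface outside
outside.acl.append(("permit", "172.16.1.10/32", 80))

if __name__ == "__main__":
    for s, d, ip, p in [(inside, outside, "203.0.113.5", 443), (dmz, inside, "192.168.1.20", 22),
                        (outside, dmz, "172.16.1.10", 80), (outside, dmz, "172.16.1.10", 22)]:
        print(f"{s.nameif} -> {d.nameif} {ip}:{p}: {'allowed' if is_allowed(s, d, ip, p) else 'denied'}")
```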

Security Levels and Zones (nameif) configuration on Cisco ASA Firewall

Finally, I’ll configure the security levels and zones on the Cisco ASA Firewall. This can be done via ASDM as well as the CLI; in this example, we will do the configuration via the CLI. Let’s start!

The Outside Interface:

ASA# configure terminal
ASA(config)# interface gigabitethernet0/0
ASA(config-if)# nameif outside
ASA(config-if)# ip address 1.1.1.1 255.255.255.248
ASA(config-if)# security-level 0
ASA(config-if)# no shutdown

The Inside Interface:

ASA# configure terminal
ASA(config)# interface gigabitethernet0/1
ASA(config-if)# nameif inside
ASA(config-if)# ip address 192.168.1.1 255.255.255.0
ASA(config-if)# security-level 100
ASA(config-if)# no shutdown

The DMZ Interface:

ASA# configure terminal
ASA(config)# interface gigabitethernet0/2
ASA(config-if)# nameif DMZ
ASA(config-if)# ip address 172.16.1.1 255.255.255.0
ASA(config-if)# security-level 50
ASA(config-if)# no shutdown

Summary

In this article, we have discussed Cisco ASA Firewall Security Zones and Security Levels in detail. Security zones must be configured during the initial deployment in Layer 3 mode, and they let us protect our internal assets (users, servers) using ACLs. We discussed that the Security Level is a number between 0 and 100. Traffic from a higher Security Level to a lower Security Level is allowed by default, whereas traffic from a lower Security Level to a higher Security Level is denied by default, so we need to configure Access Control Lists (ACLs) to allow that traffic. Finally, we configured the security zones and security levels on each interface.

Hope you have enjoyed this article. If you liked it, please share it on different platforms, and leave any suggestions in the comment box.
