Understanding Security Level in Cisco ASA Firewall Appliance

1. Overview

To work with the Cisco ASA firewall appliance, you need to understand the logic of security levels, which are assigned to each physical interface or logical sub-interface, and how they work. This understanding is essential for working with Access Control Lists (ACLs) to control the traffic flows across Cisco ASA firewall interfaces.

This article explains the concept of security levels and how they work on a Cisco ASA firewall appliance in simple, easy-to-understand terms.

2. Prerequisites

In this tutorial, it is assumed that:

a. You have some basic understanding of security firewalls.
b. You already have a Cisco ASAv running on the GNS3 VM. If you don't, please follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM

3. Understanding Security Level

The Cisco ASA uses security levels to determine how traffic may flow between its connected interfaces. A security level is a number from 0 to 100. The higher the security level assigned to an interface of the Cisco ASA firewall, the more trusted that interface is. Traffic can flow from an interface with a higher security level to an interface with a lower security level without any Access Control List (ACL) to allow it.

In contrast, traffic cannot flow from a lower security level interface to an interface with a higher security level. If you want to allow traffic to flow from a lower security level interface to a higher security level interface, you need to create an Access Control List (ACL) that permits it.

4. Security Levels and Rules of Traffic Flow

There are three principal rules relating to security levels on the Cisco ASA firewall appliance.

4.1. From a Higher Security Level Interface to a Lower Security Level Interface

All traffic initiated from the higher security level interface is allowed. If you want to block traffic flowing from a higher security level interface to a lower security level interface, an Access Control List (ACL) is needed. Normally, you should apply that ACL in the Out direction, not In, on the lower security level interface.

4.2. From a Lower Security Level interface to a Higher Security level Interface

All traffic initiated from the lower security level interface is blocked. An Access Control List (ACL) is needed if you want to allow traffic to flow from a lower security level interface to a higher security level interface. Normally, you should apply that ACL in the In direction, not Out, on the lower security level interface.

4.3. From an Interface to Another Interface With the Same Security Level

Even when two interfaces are assigned the same security level, traffic is not allowed to flow between them. To allow traffic to flow from one interface to another interface configured with the same security level, the command "same-security-traffic permit inter-interface" needs to be executed. Use an Access Control List (ACL) if you then want to block specific traffic between these interfaces.

# same-security-traffic permit inter-interface

5. Common Security level Configuration

The following is the common security level configuration that most network security professionals apply on the Cisco ASA firewalls under their administration.

Interface "inside": the highest security level, 100, is normally found on the interface that connects to the Local Area Network (LAN). It is usually named "inside".

Interface "outside": the lowest security level, 0, is normally found on the interface that connects to a public network or the internet. It is usually named "outside".

Interface "dmz": most people prefer a security level of 50 for the DMZ interface. Nevertheless, it can be assigned any value from 1 to 99.

6. Allowing ICMP Ping Between Interfaces

By default, the ASA does not allow ICMP traffic between interfaces with different security levels. However, TCP and UDP traffic can always be initiated from a higher security level interface to a lower security level interface. For example, the inside interface with security level 100 can open a Telnet session to a host on the dmz interface with security level 50 even though it is not able to ping it.

To allow ICMP ping between interfaces with different security levels, we need to add ICMP inspection to the global policy on the Cisco ASA firewall as follows:

# policy-map global_policy
    class inspection_default
        inspect icmp
        inspect icmp error

After applying the above commands, you can try to ping from "PC1" to "PC2".

7. Example of Security Levels

Case1: From a Higher Security Level Interface to a Lower Security Level Interface

In this case, interface Gi0/0 is assigned security level 100 and interface Gi0/1 is assigned security level 0.

# interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0

# interface GigabitEthernet0/1
    nameif outside
    security-level 0
    ip address 10.10.20.1 255.255.255.0

Configure IP addresses for PC1 and PC2.

PC1> ip 10.10.10.2/24 10.10.10.1

PC2> ip 10.10.20.2/24 10.10.20.1

Now let's ping from PC1 to PC2. The ping succeeds in this case because PC1 is connected to the higher security level interface of the Cisco ASA.

Case2: From a Lower Security Level interface to a Higher Security level Interface

In this case, we test a ping from PC2, which is connected to the lower security level interface, to PC1, which is connected to the higher security level interface. The ping fails because traffic cannot flow from the lower security level interface to the higher security level interface.

Case3: From an Interface to Another Interface With the Same Security Level

Now let's change the security levels to be the same on both interfaces. As in the picture above, both the inside and outside interfaces now have security level 100 configured.

# interface GigabitEthernet0/1
    nameif outside
    security-level 100
    ip address 10.10.20.1 255.255.255.0

If we try to ping from PC1 to PC2, the ping does not succeed.

For this case, to allow traffic to flow from one interface to the other, we need to apply the following command.

# same-security-traffic permit inter-interface

Now let's try to ping from PC1 to PC2 again. We should get the following result.
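To make the three rules of section 4, the ICMP inspection requirement of section 6 and the three cases of section 7 checkable without a lab, here is a small Python model. It is an added example written for this article, not Cisco code and not part of the original tutorial. It parses the interface stanzas shown above (tolerating the "# " prompt prefix used in this article), records whether "same-security-traffic permit inter-interface" and "inspect icmp" are present, and decides whether a flow initiated on one interface may reach another. ACLs are a deliberate simplification: the caller states the decision ("permit" or "deny") that an ACL bound In on the initiating interface or Out on the exit interface would make for the flow in question. The config strings are constructed from the article's own examples; the function and variable names are the example's own.

```python
from dataclasses import dataclass, field


@dataclass
class AsaModel:
    """What the article's rules need to know about a running config."""
    levels: dict = field(default_factory=dict)  # nameif -> security-level
    same_security: bool = False                  # same-security-traffic permit inter-interface
    icmp_inspect: bool = False                   # "inspect icmp" under the global policy


def parse_config(text):
    """Pull security levels and the two global switches out of ASA config text.

    Only the statements this article uses are understood; everything else
    (ip address, class, policy-map ...) is skipped.
    """
    model = AsaModel()
    nameif = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()   # tolerate the "# " prompt used in the article
        if line.startswith("interface "):
            nameif = None                         # new stanza; its nameif comes later
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            if nameif is None:
                raise ValueError("security-level seen before nameif")
            model.levels[nameif] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            model.same_security = True
        elif line == "inspect icmp":
            model.icmp_inspect = True
    return model


def flow_allowed(model, src, dst, acl=None):
    """Rules 4.1-4.3: may a connection *initiated* on `src` reach `dst`?

    `acl` maps (nameif, "in"|"out") to the decision that interface's ACL makes
    for this flow, "permit" or "deny"; interfaces with no ACL bound are absent.
    """
    acl = acl or {}
    inbound = acl.get((src, "in"))    # ACL applied In on the initiating interface
    outbound = acl.get((dst, "out"))  # ACL applied Out on the exit interface
    if "deny" in (inbound, outbound):
        return False                  # an explicit deny on either side blocks the flow
    s, d = model.levels[src], model.levels[dst]
    if s > d:
        return True                   # 4.1: higher -> lower is implicitly permitted
    if s < d:
        return inbound == "permit"    # 4.2: lower -> higher needs an ACL applied In on src
    return model.same_security        # 4.3: equal levels need same-security-traffic


def ping_works(model, src, dst, acl=None):
    """Section 6: between interfaces with different levels, ping also needs ICMP inspection."""
    if not flow_allowed(model, src, dst, acl):
        return False
    if model.levels[src] != model.levels[dst] and not model.icmp_inspect:
        return False
    return True


# Constructed config: the article's Case 1/2 interfaces plus the ICMP inspection lines.
CASE12_CONFIG = """
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.10.20.1 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
"""

# Case 3: outside re-levelled to 100; the same-security-traffic line is added separately.
CASE3_CONFIG = CASE12_CONFIG.replace("security-level 0", "security-level 100")
SAME_SEC = "same-security-traffic permit inter-interface\n"


def run_cases():
    """Evaluate the article's cases; returns a name -> bool map (True = ping/flow succeeds)."""
    m12 = parse_config(CASE12_CONFIG)
    m3 = parse_config(CASE3_CONFIG)
    m3_fixed = parse_config(CASE3_CONFIG + SAME_SEC)
    no_inspect = parse_config("\n".join(l for l in CASE12_CONFIG.splitlines() if "inspect" not in l))
    return {
        "case1_pc1_to_pc2": ping_works(m12, "inside", "outside"),                                       # True
        "case2_pc2_to_pc1": ping_works(m12, "outside", "inside"),                                       # False
        "case2_with_acl_in": ping_works(m12, "outside", "inside", {("outside", "in"): "permit"}),       # True
        "case1_blocked_by_acl_out": ping_works(m12, "inside", "outside", {("outside", "out"): "deny"}), # False
        "case3_before": ping_works(m3, "inside", "outside"),                                            # False
        "case3_after": ping_works(m3_fixed, "inside", "outside"),                                       # True
        "telnet_without_inspect": flow_allowed(no_inspect, "inside", "outside"),                        # True
        "ping_without_inspect": ping_works(no_inspect, "inside", "outside"),                            # False
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:26s} {'OK' if ok else 'blocked'}")
```

Running the script prints one line per case. The last two entries reproduce the point made in section 6: with the "inspect icmp" lines removed, a TCP flow such as Telnet from inside to outside is still allowed by rule 4.1, while the ping is not.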

8. Conclusion

Now you should have a clear idea of how security levels work on the Cisco ASA firewall appliance. It is basic knowledge you need before you start working with the Cisco ASA firewall appliance. I hope you enjoyed this tutorial. If you have any questions or suggestions, you can always leave a comment below. I will try my best to review and reply to them. Thank you and have a nice day.
