Saturday, May 30, 2015

Security Levels in Cisco ASA

ASA security levels define how traffic initiated from one interface is processed. On an ASA with no access-list applied to any interface, traffic from a higher security level interface to a lower security level interface is allowed without an access-list, but traffic the other way around, from a lower security level to a higher one, is not possible unless we configure an access-list that permits it.

The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone so by using these security levels we have different trust levels for our security zones.

You can manually assign a security level to an interface with the interface command “security-level <level>”.

Here are a couple of examples of security levels:

•  Security level 0: This is the lowest security level on the ASA and by default it is assigned to the “outside” interface. Since there is no lower security level this means that traffic from the outside is unable to reach any of our interfaces unless we permit it within an access-list.

•  Security level 100: This is the highest security level on our ASA and by default this is assigned to the “inside” interface (LAN). Since this is the highest security level, by default it can reach all the other interfaces.

•  Security level 1 – 99: We can create any other security levels that we want, for example we can use security level 50 for our DMZ. This means that traffic is allowed from our inside network to the DMZ (security level 100 -> 50) and also from the DMZ to the outside (security level 50 -> 0). Traffic from the DMZ however can’t go to the inside (without an access-list) because traffic from security level 50 is not allowed to reach security level 100. You can create as many security levels as you want…

•  Same Security level: Traffic between interfaces with the same security level is not allowed. For example, if you have an interface called “DMZ1” with security level 50 and another one called “DMZ2” with the same security level 50 then traffic between the two will be dropped. You can change this behavior with the global command "same-security-traffic permit inter-interface".
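The rules in the list above can be captured in a small model and checked against the article's inside/DMZ/outside topology. This is an added Python example, not Cisco code: the class, the interface names and the simplified ACL entries (matching on destination interface instead of addresses and ports) are assumptions for illustration.

```python
# Added example: a model of the ASA default inter-interface policy described
# above. Not Cisco code; names and data structures are assumptions.
from dataclasses import dataclass, field

@dataclass
class SecurityLevelPolicy:
    # interface name -> security level (0 to 100)
    levels: dict
    # global "same-security-traffic permit inter-interface" (off by default)
    same_security_inter: bool = False
    # inbound ACL per ingress interface: ordered list of (action, dst_iface | 'any').
    # Simplification: real ASA ACLs match addresses and ports, not interfaces.
    acls: dict = field(default_factory=dict)

    def allowed(self, src, dst):
        """Return (decision, reason) for a new connection entering src bound for dst."""
        if src not in self.levels or dst not in self.levels:
            raise KeyError("unknown interface")
        acl = self.acls.get(src)
        if acl is not None:
            # Once an ACL is bound inbound, it decides; implicit deny at the end.
            for action, target in acl:
                if target in ("any", dst):
                    return action == "permit", f"acl {action} {target}"
            return False, "acl implicit deny"
        s, d = self.levels[src], self.levels[dst]
        if s > d:
            return True, f"implicit permit {s}->{d}"
        if s == d:
            if self.same_security_inter:
                return True, f"same-security {s} permitted"
            return False, f"same-security {s} dropped by default"
        return False, f"implicit deny {s}->{d}"

# Constructed topology matching the article: inside 100, DMZ 50, outside 0,
# plus a second DMZ at 50. The second box adds the same-security command and
# an ACL on outside that permits only outside->dmz.
DEFAULT_ASA = SecurityLevelPolicy(
    levels={"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0},
)
ACL_ASA = SecurityLevelPolicy(
    levels={"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0},
    same_security_inter=True,
    acls={"outside": [("permit", "dmz"), ("deny", "any")]},
)

if __name__ == "__main__":
    for src, dst in [("inside", "dmz"), ("dmz", "inside"), ("dmz", "dmz2"), ("outside", "dmz")]:
        print(src, "->", dst, DEFAULT_ASA.allowed(src, dst), ACL_ASA.allowed(src, dst))
```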
