ASA Security Levels

[Figure: two PIX Firewall topologies. Left, a two-interface PIX Firewall: outside network on e0 (security level 0, interface name = outside) and inside network on e1 (security level 100, interface name = inside). Right, a three-interface PIX Firewall: inside network on e1 (security level 100, interface name = inside), outside network on e0 (security level 0, interface name = outside), and a perimeter network on e2 (security level 50, interface name = pix/intf2).]

©2000, Cisco Systems,

CSPFA 1.01-2-5

The ASA security levels designate whether an interface is inside (trusted) or outside (untrusted) relative to another interface. An interface is considered inside in relation to another interface if its security level is higher than that of the other interface, and is considered outside in relation to another interface if its security level is lower than that of the other interface.

The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level without a conduit (discussed later). Security levels range from 0 to 100. The following are more specific rules for these security levels:

■ Security level 100—This is the highest security level for the inside interface of the PIX Firewall. This is the default setting for the PIX Firewall and cannot be changed. Because 100 is the most trusted interface security level, your corporate network should be set up behind it. This is so no one else can access it unless they are specifically given permission, and every device behind this interface can have access outside of the corporate network.

■ Security level 0—This is the lowest security level for the outside interface of the PIX Firewall. This is the default setting for the PIX Firewall and cannot be changed. Because 0 is the least trusted interface security level, you should set your most untrusted network behind this interface so that it does not have access to other interfaces unless it is specifically given permission. This interface is usually used for your Internet connection.

■ Security levels 1-99—These are the security levels that you can assign to the perimeter interfaces connected to the PIX Firewall. You assign the security levels based on the type of access you want each device to have.

The following are examples of different interface connections between the PIX Firewall and other perimeter devices:

■ More secure interface (the higher security level) to a less secure interface (the lower security level)—Traffic originating from the inside interface of the PIX Firewall with a security level of 100 to the outside interface of the PIX Firewall with a security level of 0 follows this rule: allow all IP-based traffic unless restricted by access lists, authentication, or authorization.

■ Less secure interface (lower security level) to a more secure interface (higher security level)—Traffic originating from the outside interface of the PIX Firewall with a security level of 0 to the inside interface of the PIX Firewall with a security level of 100 follows this rule: drop all packets unless specifically allowed by the conduit command. The traffic is further restricted if authentication and authorization are used.

■ Same secure interface to a same secure interface—No traffic flows between two interfaces with the same security level.

The following table explains the diagram in the previous figure.

Interface pair: Outside (security 0) to DMZ (security 50)
  Relative interface relationship for the Ethernet 2 (DMZ) interface: DMZ is considered inside
  Configuration guidelines: Statics and conduits must be configured to enable sessions originated from the outside interface to the DMZ interface.

Interface pair: Inside (security 100) to DMZ (security 50)
  Relative interface relationship for the Ethernet 2 (DMZ) interface: DMZ is considered outside
  Configuration guidelines: Globals and NAT are configured to enable sessions originated from the inside interface to the DMZ interface. Statics may be configured for the DMZ interface to ensure service hosts have the same source address.

Note The PIX Firewall can have up to four perimeter networks for a total of six interfaces.
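The three traffic rules and the DMZ table above can be expressed as a small policy model. This is an added example, not Cisco code or PIX configuration; the interface names and levels follow the three-interface diagram (outside=0, dmz=50, inside=100), and the "conduit" and "acl_restricts" flags are assumptions standing in for the static/conduit and access-list configuration the text refers to.

```python
"""Policy model of the PIX security-level rules on this page.

Added example, not Cisco's code. Interface names and levels follow the
three-interface diagram (outside=0, dmz=50, inside=100); the flows
tried under __main__ are constructed for illustration.
"""

SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

def relationship(iface, other, levels=SECURITY_LEVELS):
    """How `iface` is seen relative to `other`: inside, outside or same."""
    a, b = levels[iface], levels[other]
    return "inside" if a > b else "outside" if a < b else "same"

def evaluate(src, dst, levels=SECURITY_LEVELS, conduit=False, acl_restricts=False):
    """Default disposition of a session originating on `src` towards `dst`.

    higher -> lower : allowed unless an access list (or AAA) restricts it
    lower -> higher : dropped unless a static plus conduit specifically permits it
    same level      : no traffic flows at all
    """
    rel = relationship(src, dst, levels)
    if rel == "same":
        return "drop (same security level)"
    if rel == "inside":  # src is the more trusted side
        return "deny (restricted by access list)" if acl_restricts else "allow"
    return "allow (conduit)" if conduit else "drop (no conduit)"

def validate_levels(levels):
    """Report violations of the fixed rules stated on the page."""
    problems = []
    if levels.get("inside") != 100:
        problems.append("inside must be security level 100")
    if levels.get("outside") != 0:
        problems.append("outside must be security level 0")
    for name, lvl in levels.items():
        if name not in ("inside", "outside") and not 1 <= lvl <= 99:
            problems.append(f"{name}: perimeter level must be 1-99, got {lvl}")
    if len(levels) > 6:  # four perimeter networks plus inside and outside
        problems.append(f"{len(levels)} interfaces exceeds the limit of six")
    return problems

if __name__ == "__main__":
    assert not validate_levels(SECURITY_LEVELS)
    for src, dst, kw in [("inside", "outside", {}), ("outside", "inside", {}),
                         ("outside", "dmz", {"conduit": True}), ("inside", "dmz", {}),
                         ("dmz", "dmz", {})]:
        print(f"{src:>7} -> {dst:<7} {evaluate(src, dst, **kw)}")
```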
