You are here: Home » Cisco » ASA Firewall

Cisco ASA Security Levels

The Cisco ASA Firewall uses so called “security levels” that indicate how trusted an interface is compared to another interface. The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone so by using these security levels we have different trust levels for our security zones.

An interface with a high security level can access an interface with a low security level but the other way around is not possible unless we configure an access-list that permits this traffic.

Here are a couple of examples of security levels:

Security level 0: This is the lowest security level there is on the ASA and by default it is assigned to the “outside” interface. Since there is no lower security level this means that traffic from the outside is unable to reach any of our interfaces unless we permit it within an access-list.
Security level 100: This is the highest security level on our ASA and by default this is assigned to the “inside” interface. Normally we use this for our “LAN”. Since this is the highest security level, by default it can reach all the other interfaces.
Security level 1 – 99: We can create any other security levels that we want, for example we can use security level 50 for our DMZ. This means that traffic is allowed from our inside network to the DMZ (security level 100 -> 50) and also from the DMZ to the outside (security level 50 -> 0). Traffic from the DMZ however can’t go to the inside (without an access-list) because traffic from security level 50 is not allowed to reach security level 100. You can create as many security levels as you want…

Let’s take a look at a Cisco ASA firewall with three interfaces so you can see this behavior in action, here’s the topology I will use:

Above you see the Cisco ASA in the middle with three interfaces:

Interface E0/0 as the INSIDE.
Interface E0/1 as the OUTSIDE.
Interface E0/2 as our DMZ.

I will use the routers so we can generate some traffic between the different security levels. Let’s configure the ASA with these interfaces:

ASA1(config)# interface E0/0
ASA1(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config)# interface E0/1
ASA1(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config)# interface E0/2
ASA1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.3.254 255.255.255.0
ASA1(config-if)# no shutdown

The nameif command is used to specify a name for the interface, unlike the description command the name of your interface is actually used in many commands so pick something useful. As you can see the ASA recognizes INSIDE, OUTSIDE and DMZ names. It uses a default security level of 100 for INSIDE and 0 for OUTSIDE/DMZ. I manually changed the security level of the DMZ interface to 50.

Let’s see what traffic patterns are allowed now shall we? First we’ll send some pings from the ASA…

Traffic from the ASA

The ASA can reach any device on any interface:

ASA1# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA1# ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

As you can see the ASA can reach any device in each of the different security zones. This makes sense since these devices are also using the ASA as their default gateway. Next step is to test some traffic between devices in different security zones.

By default the ASA has a global inspection policy (that we’ll discuss in another lesson) that doesn’t permit ICMP traffic. If you want to ping between devices through your ASA firewall then we have to inspect ICMP traffic, you can do it like this:

ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp

Now ICMP traffic will be allowed between different interfaces.

Traffic from Inside

Let’s send some pings from R1 to R2 (outside) and R3 (DMZ):
[teaser]

R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Both pings work because we are going from security level 100 (inside) to 0 (outside) and 50 (DMZ).

Traffic from Outside

Now we’ll send some pings from R2 which is on the outside…

R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This doesn’t work since we are trying to go from a security level of 0 (outside) to 100 (inside) or 50 (DMZ). If you want to allow this traffic then we would have to use an access-list. Last but not least, let’s try the DMZ:

Traffic from DMZ

R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The first ping doesn’t work since we try to go from security level 50 (DMZ) to 100 (inside). The second one works because we go to a lower security level 0 (outside).

Rules

In short, this is how the security levels work:

Traffic from a higher security level to lower security level is allowed. For example traffic from the inside is allowed to reach the outside. Of course it’s possible to restrict this with access-lists.
Traffic from a lower security level to a higher security level is not allowed. This could be traffic from the outside headed towards the inside. You can also change this with an access-list, this might be useful if you have servers in the DMZ that you want to reach from the outside.
Traffic between interfaces with the same security level is not allowed. For example, if you have an interface called “DMZ1” with security level 50 and another one called “DMZ2” with the same security level then traffic between the two will be dropped. You can change this behavior with the global same-security-traffic permit inter-interface command.

That’s basically it. I hope this lesson has helped you to understand the Cisco ASA security levels. If you have any questions, feel free to leave a comment.

Previous Lesson
Cisco ASA ASDM Configuration

Next Lesson
Cisco ASA Dynamic NAT Configuration

Tags: Security

Notable Replies

telnet is working fine and I actually found 2 ways to allow ping in ASA
first one is ;

class-map global_policy
class-map icmp-class
 match default-inspection-traffic
class-map icmp
 match any
class-map inspection_default
!
!
policy-map icmp_policy
 class icmp
  inspect icmp 
!
service-policy icmp_policy global

and the second one is creating access list like this ;

access-list ICMP extended permit icmp any any
access-group ICMP interface global

both do the same job .

ReneMolenaar says:

Hi Donald,

In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.

Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need any router specific features, you might as well connect the ASA directly to your ISP.

Rene
zahanison says:

Hi Rene,

To allow the DMZ traffic would you need to put an ACL on the inside interface allowing DMZ traffic or on the Inside interface allowing DMZ source to come in? Or do you need to put ACLs on both interfaces?

If DMZ is say 172.16.1.0/24 range and Inside is 192.168.1.0/24 range. Would you put ACL in DMZ interface allowing 172.16.1.0/24 access to 192.168.1.0/24 and then put the same ACL on inside as well?
robbo7987 says:

Hi,quick question regarding the service policy placement on the ASA, not including global because that’s pretty self explanatory. I created just a simple topology where the ASA was in the middle and has 2 routers on either side, the outside interface had a security level of 0 and inside 100, the outside interface is also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IP’s to the outside interface.

My policy map inspects ICMP and i applied it to a service policy that was placed on the inside interface, i tested it and everything worked as it should. NAT worked and allowed the traffic back into the inside network, the outside router could not ping the outside ASA interface IP and any inside network addresses. So everything is fine there. The same was done for the outside interface and the same behaviour was present.

My main question is then, how does the traffic get back through when the service policy is placed on the inside interface, when the class map matches ICMP then the inspection is applied on the policy map and the service policy is assigned to the inside interface, so the source IP would be the private IP of the host on the inside network, it then goes through NAT where NAT changes the source IP to the outside IP, when the return traffic comes back then it comes back with a destination address of the ASA outside IP but the dynamic ACL return traffic is for the destination address of the private IP, so how does it get through when there is no ACL for the traffic coming into the outside interface?

This is different from assigning the service policy on the outside where the dynamic ACL is the outside IP as the destination which can then be allowed and then the NAT binding table can direct traffic along it’s merry way.

Does anyone know the answer to this?

Hi, Thanks From Post,
i have Done Everything and Worked find, unfortunately my firewall Dose not Allow DNS resolution from outside interface to in inside
should i apply another ACL or inspect DNS Traffic from outside to inside and VS ?
----------------------------------------------------------------------------------------------------------------------------

ASA3/SRV-A(config)# packet-tracer input TO-OUT tcp 0.0.0.0 53 6.6.6.6  53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   6.6.6.6         255.255.255.255 inside

Result:
input-interface: TO-OUT
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

**ASA3/SRV-A(config)# show run**
: Saved
:
: Serial Number: 123456789AB
: Hardware:   ASA5520, 512 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16 <context>
!
hostname SRV-A
domain-name mod.gov.af
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.255.0
 hold-time eigrp 100 60
!
interface Ethernet2
 nameif TO-OUT
 security-level 0
 ip address 172.16.8.2 255.255.255.0
 hold-time eigrp 100 60
!
dns server-group DefaultDNS
 domain-name mod.gov.af
access-list icmp extended permit icmp any any
pager lines 24
mtu inside 1500
mtu TO-OUT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group icmp in interface TO-OUT
!
router eigrp 100
 eigrp router-id 33.33.33.33
 network 172.16.3.0 255.255.255.0
 network 172.16.5.0 255.255.255.0
 network 172.16.8.0 255.255.255.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  message-length maximum server auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:bc0fd5f01c98ca935e7632181d832257
: end

Continue the discussion forum.networklessons.com

25 more replies!

NetworkLessons.com