Same security level interface

    The Cisco ASA firewall uses “security levels” to express how trusted an interface is relative to the other interfaces. The higher the security level, the more trusted the interface. Each interface on the ASA is a security zone, so the security levels give our zones different levels of trust.

    By default an interface with a higher security level can initiate traffic to an interface with a lower security level, while the reverse is denied unless an access-list explicitly permits it. Because the ASA is stateful, the return traffic of a connection that was allowed is permitted automatically. Note that this default only holds until an access-list is bound to the higher-security interface; from then on that interface’s outbound traffic is judged by the access-list (with its implicit deny at the end) rather than by the security-level comparison.

    Two security levels are assigned by default (an interface named “inside” gets 100, any other name gets 0 until you set one explicitly):

    1. Security level 0: The lowest security level on the ASA, assigned by default to the “outside” interface (the untrusted, Internet-facing interface). Traffic from the outside interface cannot reach any other interface unless an access-list explicitly permits it.
    2. Security level 100: The highest security level on the ASA, assigned by default to the “inside” interface (the LAN-facing interface). Because it is the highest level, the inside interface can reach all other interfaces by default.

    Any value in between can also be assigned, following the same traffic-flow logic:

    • Security levels 1 – 99: A common example is security level 50 for a DMZ. Traffic is then allowed from the inside network to the DMZ (100 -> 50) and from the DMZ to the outside (50 -> 0). Traffic from the DMZ cannot reach the inside interface without an access-list, because 50 -> 100 is lower to higher.
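    The three-zone layout just described, as an added configuration example that is not taken from the original page: interface names, addresses and the DMZ web server host are assumed values, and NAT is left out so that only the security-level and access-list behaviour is shown.

```cisco
! Assumed interfaces: names, addresses and the DMZ host are illustrative values
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! With no access-group applied, the implicit policy already gives:
!   inside (100) -> dmz (50)     permitted
!   inside (100) -> outside (0)  permitted
!   dmz (50)     -> outside (0)  permitted
!   outside (0)  -> anything     denied
!   dmz (50)     -> inside (100) denied
!
! Lower -> higher needs an explicit access-list. Allow the Internet to reach
! the DMZ web server (assumed host 192.168.10.10) on 80/443 only.
object network dmz-web
 host 192.168.10.10
!
access-list OUTSIDE_IN extended permit tcp any object dmz-web eq 80
access-list OUTSIDE_IN extended permit tcp any object dmz-web eq 443
access-group OUTSIDE_IN in interface outside
!
! Caveat: once an access-group is bound to an interface, the implicit
! higher -> lower permit for that interface is gone and the ACL's implicit
! "deny any" applies instead. So letting the DMZ web server reach one inside
! database host (assumed 10.0.0.20:3306) means re-permitting the DMZ's
! outbound traffic too, while still blocking the rest of the inside range.
access-list DMZ_IN extended permit tcp object dmz-web host 10.0.0.20 eq 3306
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Checks: confirm the levels, then trace one flow in each direction.
! "show nameif" lists each interface with its security level; packet-tracer
! walks a synthetic packet through the ASA and reports where it is dropped.
!   show nameif
!   packet-tracer input outside tcp 198.51.100.5 40000 192.168.10.10 80
!     -> allowed by OUTSIDE_IN
!   packet-tracer input outside tcp 198.51.100.5 40000 10.0.0.20 3306
!     -> dropped (not in OUTSIDE_IN)
!   packet-tracer input dmz tcp 192.168.10.10 40000 10.0.0.20 3306
!     -> allowed by DMZ_IN
!   packet-tracer input dmz tcp 192.168.10.10 40000 10.0.0.50 22
!     -> dropped by the deny line in DMZ_IN
```

    The ordering in DMZ_IN is the point to check in a review: the specific permit, then the deny covering the inside range, then the broad permit for Internet-bound traffic. Swapping the last two lines silently reopens the whole inside network to the DMZ.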

    Sometimes there is no trust difference between two interfaces (two DMZ segments, for example), so you give two or more interfaces the same security level. Traffic between interfaces with the same security level is denied by default, but this behaviour can be changed.

    To change this, use the following command:

    ASA#configure terminal
    ASA(config)#same-security-traffic permit inter-interface

    The command above applies to traffic between different interfaces that share the same security level. Access-lists bound to those interfaces still apply; the command only removes the equal-level block.

    What about traffic that hairpins on the same interface? Take a remote-access VPN without split tunneling: all VPN user traffic arrives encrypted on the outside interface, is decrypted, and is sent back out through the same outside interface to the Internet unencrypted. This is intra-interface traffic, and it has to be allowed with the intra-interface form of the command:

    ASA#configure terminal
    ASA(config)#same-security-traffic permit intra-interface
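    Both same-security commands together, as an added example that is not from the original page: two DMZ segments at level 50 (names and addresses assumed), a remote-access VPN pool that hairpins on outside (pool range assumed), and the checks that confirm the settings took effect. The NAT line for the hairpinned VPN traffic assumes the 8.3 and later object NAT syntax.

```cisco
! Two DMZ segments with no trust difference between them: same level (50).
! Interface names and addresses are assumed values.
interface GigabitEthernet0/2
 nameif dmz-web
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz-app
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Without this line, dmz-web <-> dmz-app is dropped even though neither
! side is "lower" than the other. Access-lists bound to these interfaces
! still apply after it is enabled; it only lifts the equal-level block.
same-security-traffic permit inter-interface
!
! Remote-access VPN without split tunneling: client traffic arrives encrypted
! on outside, is decrypted, and leaves through outside again towards the
! Internet. Same interface in and out, so it needs the intra-interface permit.
same-security-traffic permit intra-interface
!
! Hairpinned VPN clients also need NAT on the way back out, otherwise the
! pool addresses (assumed 172.16.0.0/24) would leak onto the Internet.
object network VPN_POOL
 subnet 172.16.0.0 255.255.255.0
nat (outside,outside) source dynamic VPN_POOL interface
!
! Checks:
!   show running-config | include same-security
!     -> should print both "permit inter-interface" and "permit intra-interface"
!   packet-tracer input dmz-web tcp 192.168.10.10 40000 192.168.20.10 8080
!     -> allowed once inter-interface is permitted (no ACL bound to dmz-web)
!   packet-tracer input outside tcp 172.16.0.5 40000 198.51.100.80 443
!     -> approximates a decrypted VPN packet that must leave via outside again;
!        dropped until intra-interface is permitted
```

    Keep in mind that permitting intra-interface traffic applies to the whole box, not only to VPN: any interface that routes a packet back out the way it came (a host behind a router on the inside reaching another subnet behind the same router, for example) is affected, so check which interfaces can legitimately hairpin before enabling it.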