com/t5/security-documents/basic-troubleshooting-for-traffic-through-asa-firewall/ta-p/3162819
https://www.geeksforgeeks.org/default-flow-of-traffic-asa/
Security levels –
The ASA uses the security level associated with each routable interface. Remember that an ASA interface is in routed mode by default, i.e. it operates at layer 3. Each interface is assigned a security level, a number from 0 to 100. The bigger the number, the more the network connected to that interface is trusted.
On the basis of security levels, ASA takes action (whether to permit or deny the packet).
Also, note that we can give an ASA interface a name such as inside, outside or DMZ. As soon as we assign one of these names to an interface, a security level is assigned to it automatically. For example, if we assign the name inside to an interface, it receives security level 100, i.e. the most trusted network. If we assign the name outside, DMZ or any other name to an interface, it receives security level 0 automatically. These are default values and can be changed.
It is good practice to give security level 100 (maximum) to inside (the most trusted network), 0 (minimum) to outside (the untrusted or public network) and 50 to the DMZ (the organisation's public-facing device network).
Note –
It is not mandatory to assign a name (INSIDE, OUTSIDE or DMZ) to an ASA interface, but it is good practice to assign these names as they are simple and meaningful.
If TCP or UDP traffic is initiated from a higher security level, the replies from the lower security level (outside or DMZ) back to the higher security level are allowed. This is due to default stateful inspection (the state of the connection is maintained in the connection table).
But if ICMP traffic is sent from a higher security level to a lower security level, it will reach the lower security level device, and that device will send an echo reply, but the firewall (ASA) will drop the reply, because only TCP and UDP traffic is inspected by default.
If we want ICMP traffic to be inspected by the ASA, we have to enable it manually by command.
Also, if a lower security level (outside or DMZ) wants to send any traffic (TCP, UDP or ICMP) to a higher security level, it is denied by the ASA firewall due to its default policy. To allow it, an access-list can be used.
Also, note that when we give security level 50 to the DMZ, 100 to inside and 0 to outside, traffic will be allowed from the DMZ to outside, but DMZ devices will still not be able to reach inside devices.
Also, by default, if two interfaces have the same security level, traffic between them is not allowed.
But the traffic can be allowed manually (between two interfaces having the same security level) by the command
asa(config)# same-security-traffic permit inter-interface
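As an added example (not from the original page), the following ASA configuration puts the rules above together: explicit security levels per interface, ICMP added to the default inspection policy, an access-list for the one lower-to-higher flow that is wanted, and the same-security permit. Interface names, addresses and the ACL name are assumptions.

```cisco
! Constructed example: interface names, addresses and the ACL name are assumed
! "nameif inside" auto-assigns security-level 100; any other name auto-assigns 0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! "dmz" is not auto-assigned 50; it defaults to 0, so set 50 explicitly
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! ICMP is not stateful by default, so echo replies from lower levels are dropped;
! adding it to the default inspection class lets replies to inside-initiated pings return
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Lower-to-higher traffic is denied by default; permit only HTTPS to one DMZ host
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Only needed if two interfaces share a security level; without it that traffic is dropped
same-security-traffic permit inter-interface
```

Check the result with `show run interface`, `show run policy-map` and `show access-list`, and confirm pings from inside now get their replies back.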