ASA security levels define how traffic initiated through one interface is allowed to return through another. An interface with a higher security level can initiate traffic to a lower-level interface without an access list, and the return traffic for those higher-level-initiated connections is allowed to pass from the lower to the higher security level. The higher the security level configured on an interface, the more trusted it is.
When configuring an ASA, no access list is required for traffic from a high security level interface to go through a low security level interface, and the return traffic for that high-to-low connection is allowed to pass provided it matches the expected entries in the ASA translation tables.
The ASA allows traffic to pass from a trusted network to an untrusted network, but not the reverse. Each interface must have a security level from 0 (lowest) to 100 (highest).
For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. The ASA blocks traffic from interfaces with lower settings from passing through to interfaces with higher settings.
To illustrate, consider a common scenario where the inside interface has a security level of 100 and the outside has a level of 0. The ASA allows traffic to pass from the inside to the outside; however, the ASA prevents traffic initiated from the outside to the inside because the inside has a higher security level and there is no access list.
The following are the primary security levels created and used on the Cisco ASA:
- Security level 100: The highest possible level and the most trusted; it is used by the inside interface by default.
- Security level 0: The lowest possible level and the most untrusted; it is used by the outside interface by default.
- Security levels 1–99: Can be assigned to any other interface on the ASA. On a three-pronged ASA firewall, the inside is typically 100, the outside is 0, and the DMZ interface is 50.
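The three-pronged layout described above, written out as an ASA configuration. This is an added example, not configuration taken from the original article: the interface names (GigabitEthernet0/0 to 0/2), the RFC 5737 documentation addresses, the DMZ host 192.0.2.10 and the access-list name OUTSIDE_TO_DMZ are all assumed values chosen for illustration.

```cisco
! Outside interface: least trusted, security level 0 (assumed addressing)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown

! Inside interface: most trusted, security level 100 (assumed addressing)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown

! DMZ interface: intermediate trust, security level 50 (assumed addressing)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
 no shutdown

! With only the above, the ASA already permits:
!   inside (100) -> dmz (50)      and its return traffic
!   inside (100) -> outside (0)   and its return traffic
!   dmz (50)     -> outside (0)   and its return traffic
! and blocks any connection initiated from a lower level to a higher level,
! e.g. outside -> dmz, outside -> inside, dmz -> inside.

! Lower-to-higher traffic only passes when an access list explicitly permits it.
! Here the outside is allowed to reach one DMZ web server (assumed host) on TCP/80;
! nothing else from the outside is permitted, and outside -> inside stays blocked.
access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.0.2.10 eq 80
access-group OUTSIDE_TO_DMZ in interface outside
```

The `access-group ... in interface outside` line is what makes the exception effective; an access list that is defined but not bound to an interface changes nothing. A quick way to confirm the resulting policy on a running ASA is `show nameif` (which lists each interface with its security level) followed by `show access-list OUTSIDE_TO_DMZ` to check the hit counts on the permitted entry.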