The truth about security-level

When you start studying the Cisco ASA, the first thing that will interest you the most is the security-level of an interface: how traffic from a higher security-level interface is permitted to a lower security-level interface, and how traffic from a lower security-level interface to a higher security-level interface is denied ‘by default’. These can be referred to as the default access policies that are implicitly present on every interface of the ASA once it is configured with a security-level.

The truth is – in the real world you are never going to find an ASA that depends on these so-called default access policies to filter traffic on an interface. The security-levels of the interfaces are not going to decide the fate of your network. Period. And I’ll tell you why…

Right out of the box, the security-level configured on an interface works just fine, as intended, until you apply an Access Control List to that interface. Once an ACL is applied to an interface, the ASA no longer considers the security-level of that interface when making permit/deny decisions; instead it checks the ACL configured on that interface and takes the action of the first matching entry. Any other traffic that has no match is denied by the hidden implicit deny statement at the end of the ACL.
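The following configuration is an added example, not taken from the original post; interface names, addresses and the ACL name are constructed. It shows the same inside/outside pair before and after an ACL is applied, and why the implicit deny at the end of the ACL, not the security-level, now decides what leaves the inside interface.

```cisco
! Added example (constructed addresses and names), not from the original post.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! State 1: no ACL on "inside". The default access policy applies:
!   inside (100) -> outside (0) is permitted,
!   outside (0)  -> inside (100) is denied.
!
! State 2: an ACL is applied to "inside". From this point the
! security-level of "inside" is not consulted for traffic entering
! that interface; only the entries below, plus the implicit deny at
! the end, decide what is forwarded.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 192.168.10.0 255.255.255.0 host 192.0.2.53 eq 53
! Explicit final deny with "log" so that the drops caused by the
! (otherwise invisible) implicit deny show up in syslog and in hit counts.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Everything from inside that is not HTTPS or DNS to 192.0.2.53 is now
! dropped, even though inside (100) is "higher" than outside (0).
!
! Check what is actually enforced and which entries are matching:
!   ciscoasa# show access-list INSIDE_IN
!   ciscoasa# show running-config access-group
```

The `show access-list` output reports a hit count per entry, so a rising count on the final deny line is the quickest way to see traffic that the security-level alone would have allowed but the ACL is now dropping.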

And here’s a hidden fact – the security-level does play an important role in NAT exemption decisions. More on this later…
