Defining firewall zones is part of the security framework that needs to be followed when configuring a Cisco ASA firewall (in routed/Layer 3 mode). Without configured zones, the required level of security across assets may not be achievable. The "security level" indicates how trusted an interface is compared to the other interfaces. As a rule of thumb, a high security level means a highly trusted interface, while a low security level means a less trusted interface. Each interface on the ASA is a security zone.
Cisco ASA interfaces can be assigned multiple security levels (from 0 to 100). Below is a description of the security levels:
Security Level 100 – This is the highest and most trusted security level on the ASA firewall. The "inside" interface is assigned this security level by default. LAN subnets (such as corporate user subnets) usually fall under this level. By default, traffic from Security Level 100 can reach any lower security level configured on the same firewall.
Security Level 0 – This is the lowest and least trusted security level on the ASA firewall. By default, the outside interface of the ASA comes under Security Level 0. Generally the Internet or other untrusted links are terminated on this zone. The default firewall behaviour is to block any traffic from the untrusted zone (Security Level 0) that tries to reach a destination in any other (higher) security level.
Security Levels 1–99 – Security levels from 1 to 99 can be assigned to intermediate zones; a DMZ, for example, may be assigned Security Level 50. Another case is an extranet zone, which may be assigned a customised security level such as 50.
It is essential to highlight that traffic from a higher security level can reach destinations in a lower security level zone. For example, LAN zone traffic (Security Level 100) can reach the untrusted Internet zone (Security Level 0); however, traffic initiated from the Internet/outside zone cannot reach the inside/LAN zone. An access list needs to be implemented to allow communication from a lower security zone to a higher security zone.
A sample lab scenario will help us with the configuration of security zones on the ASA firewall:
Below is the interface and zone configuration on the ASA firewall:
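The configuration below is an added example, not the page's own lab configuration: it shows the interface/security-level layout described above (inside 100, outside 0, a DMZ and an extranet both at 50) together with the access list that lower-to-higher (outside to DMZ) traffic needs. The interface names, IP addresses, object name and ACL name are assumptions chosen for illustration.

```cisco
! Added example (not the page's lab config). Interface names, addresses,
! the object name and the ACL name are assumptions for illustration.
!
! Zone layout: higher level -> lower level is permitted by default
! (inside -> dmz, inside -> outside, dmz -> outside all work with no ACL).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/3
 nameif extranet
 security-level 50
 ip address 192.168.60.1 255.255.255.0
 no shutdown
!
! dmz and extranet share level 50. The ASA drops traffic between
! same-level interfaces by default; enable it only if the design needs it.
same-security-traffic permit inter-interface
!
! Lower -> higher (outside -> dmz) is denied by default. Permit only the
! one DMZ host and port that must be reachable, and log everything else.
object network DMZ-WEB
 host 192.168.50.10
!
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

The access list is bound inbound on the outside interface, so it is evaluated for connections arriving from Security Level 0; the explicit final deny with `log` makes blocked attempts visible in syslog. Return traffic for connections initiated from inside or the DMZ is handled by stateful inspection and needs no ACL entry. On ASA 8.3 and later the ACL references the server's real (untranslated) address; the NAT needed to expose the DMZ host publicly is outside the scope of this zone example.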
The command below verifies that the configuration has been applied to interface E0 of the firewall:
ASA# sh run interface e0
In the same way we can verify interfaces E1 to E3.