Defining Firewall Zones is a part of the Security framework which needs to be followed while configuring cisco ASA Firewall (In Routed/Layer 3 mode).
Without configuring Zones, the required level of security across assets may not be possible. “Security Level” indicates how trusted an interface is compared to other interfaces.
As a thumb rule – High-Security level means High trust interface while Low-Security Level means Low trust interface.
Related – Factory Reset ASA 5505
Each interface on the ASA is a security zone. Cisco ASA can be configured to have multiple security levels (from 0 to 100).
Related- Cisco ASA NAT
Below is a description of the firewall security levels –
Security Level 100 – This is the highest and most trusted security level of ASA Firewall security level. “Inside” interface is by default assigned this security level.
LAN subnets (Like corporate user subnets etc.) usually come under this category level.
As default Firewall behaviour, Security Level 100 traffic can reach any other lower security Levels configured on the same Firewall.
Security level 0 – This is the lowest and considered least secured Security Level on the ASA Firewall. By default outside Interface of ASA Firewall comes under Security Level 0. Generally, the Internet or other untrusted links are terminated over this Zone.
Default Firewall behaviour is to block any traffic from untrusted Zone (Security Level 0) trying to reach any destination of another security level.
Security level 1 – 99 – Security Level from 1 to 99 can be assigned to multiple Zone-like DMZ may be assigned Security Level 50. Another case is extranet Zone which may be assigned customised Security Level of 50.
Related- Internet vs Extranet
It’s essential to highlight that traffic from Higher Security Level may reach a destination in Lower Security Level Zone For e.g. – LAN Zone traffic (Security Level 100) can reach to unsecured Internet Zone ( Security Level 0) however Traffic back from Internet/Outside Zone can’t reach Inside/LAN Zone.
Access List needs to be implemented to complete communication from a lower security zone to a higher security zone.
A sample lab scenario will help us with the configuration of “Security Zone” on ASA Firewall –
Below is the Interface and Zone configuration on ASA Firewall –
Below command, will verify whether the configuration has been implemented on Interface “E0” of Firewall –
ASA# sh run interface e0
In the same way, we can verify for E1 to E3 Interfaces.
Hope this article would have cleared your doubt around firewall security level. Read these articles to know more about firewall –