Security level

Unanswered Question
Dec 31st, 2008

Pretty new with the ASA 5510 and I cannot seem to find any info on security levels.

I have an outside interface set at security level 0, the inside interface at 100, and the E:2 which will be the DMZ, I am not sure what to set the security level to. Is there some resource that shows the effects or permissions of, let's say, a security level 50?



Cisco defaults and recommendations are:

1) Outside interface - security level 0

2) Inside interface - security level 100

The higher the interface security level the more trusted.

Any interface with a lower security CANNOT talk to an interface with a higher security level without an access list that permits the traffic.

Any interface with a higher security level can talk to any interface with a lower security level.

So if you have a DMZ - choose a number between 1 and 99. This will mean that any traffic from the DMZ to the outside will be OK. Any traffic from the Inside to the DMZ and Outside will be OK. Any traffic from the outside to the DMZ and or the Inside will not work - without a specific permit access-list.


Richard Burts Thu, 01/01/2009 - 20:05


As Andrew explains the basic principle is that a higher security level interface can initiate traffic to a lower security interface but a lower security level interface can only initiate traffic that is explicitly allowed to a higher security level interface.

Probably most of us split the difference and assign 50 as the security level when we configure a third interface (as DMZ). But the particular level we choose does not matter until we decide that we need a fourth interface. Functionally it would work the same if we assigned a security level of 2 or of 99 or of 50 for the third interface.
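As an added illustration (not from the thread and not Cisco code), here is a small Python model of the rule both replies describe: a new connection from a higher-level interface to a lower one is allowed by default, the reverse needs an access-list, and once an access-group is applied on the ingress interface that ACL decides instead of the level comparison. The topology, the `192.168.50.10` web server and the `Asa`/`Interface` names are constructed for the example; it also covers the equal-level case that appears as soon as a fourth interface shares the DMZ's level.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model (not ASA code). One ACL entry is (protocol, dst_ip, dst_port, action);
# "any" / None act as wildcards, like 'access-list X extended permit tcp any host A eq 80'.

@dataclass
class Interface:
    name: str
    security_level: int                    # 0 = least trusted ... 100 = most trusted
    inbound_acl: Optional[list] = None     # None = no access-group applied on this interface

class Asa:
    def __init__(self, interfaces, same_security_inter_interface=False):
        self.interfaces = {i.name: i for i in interfaces}
        # models the 'same-security-traffic permit inter-interface' setting
        self.same_security_inter_interface = same_security_inter_interface

    def allows_new_connection(self, src_if, dst_if, proto, dst_ip, dst_port):
        """Is a NEW connection arriving on src_if and leaving via dst_if permitted?
        Reply packets of an established connection are allowed by stateful inspection,
        so only this first packet needs a decision."""
        s, d = self.interfaces[src_if], self.interfaces[dst_if]
        if s.inbound_acl is not None:
            # An access-group on the ingress interface replaces the implicit
            # level-based rule: first matching entry wins, then implicit deny.
            for p, ip, port, action in s.inbound_acl:
                if p in (proto, "ip") and ip in (dst_ip, "any") and port in (dst_port, None):
                    return action == "permit"
            return False
        if s.security_level > d.security_level:
            return True                        # higher -> lower: allowed by default
        if s.security_level == d.security_level:
            return self.same_security_inter_interface
        return False                           # lower -> higher: needs an ACL

def build_example(dmz_level=50):
    """Constructed topology: outside 0, inside 100, DMZ at dmz_level; the outside
    interface carries one ACL permitting HTTP to a constructed DMZ web server."""
    outside_in = [("tcp", "192.168.50.10", 80, "permit")]
    return Asa([Interface("outside", 0, outside_in),
                Interface("inside", 100),
                Interface("dmz", dmz_level)])
```

Running `build_example()` with a DMZ level of 2, 50 or 99 gives identical answers for inside, DMZ and outside traffic; only a second interface at the same level changes the outcome.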



