ASA recommended security levels in a data center

Unanswered Question
Jul 23rd, 2010


I'm designing a network where I have 5580 ASAs in a data center that will act as gateways for all business units in my DC.

I need to know what the recommended security levels are (database servers, users, application servers) to benefit from all inspection and stateful ASA features, knowing I won't use NAT in my environment.


Panos Kampanakis Fri, 07/23/2010 - 17:54

Security levels are used to define how secure the zone is considered. The less secure a zone is the lower the security level. And by definition you cannot flow from low to higher security levels without allowing it explicitly.

So I would put users in a lower security level, and then server on higher levels. I would set DB and App zone levels based on if you want DB servers to talk to App servers by default or not.

I hope it helps.


k.abillama Fri, 07/23/2010 - 23:21


That's what I thought first, but then I thought of putting users in higher security levels since they'll always be initiating the connection (this way I'd take advantage of dynamic ports being opened for return traffic from higher to lower security zones, no?). Will I lose in terms of inspection engine?


Panos Kampanakis Sat, 07/24/2010 - 14:52

No, inspections will still inspect statefully.

You can also apply ACLs to explicitly allow what someone is allowed to reach and talk to.

Levels are to provide granularity and set the security levels between zones.
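The design described in this reply, users on the lowest security level and servers above them, with explicit ACLs opening only the needed flows while the stateful engine handles the return traffic, as an added ASA configuration example that is not from any poster in this thread. Interface names, security-level values, RFC 1918 addresses and service ports are all assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Three zones, no NAT.
! Interface names, levels, addresses and ports are assumed.
interface GigabitEthernet0/1
 nameif users
 security-level 20
 ip address 10.10.0.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif app
 security-level 60
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif db
 security-level 80
 ip address 10.30.0.1 255.255.255.0
!
! Users sit on the lowest level, so nothing they send reaches a higher
! level unless an inbound ACL on "users" permits it. Only the intended
! service is opened; the stateful inspection engine tracks each permitted
! session and allows its return traffic without a separate rule.
access-list USERS_IN extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0 eq 443
access-list USERS_IN extended deny ip any 10.30.0.0 255.255.255.0 log
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
!
! App (60) -> DB (80) is also low-to-high, so it needs an explicit permit;
! restricting it to the database port keeps the DB zone closed otherwise.
access-list APP_IN extended permit tcp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0 eq 1433
access-list APP_IN extended deny ip any any log
access-group APP_IN in interface app
!
! Application-layer inspection is applied by the global service policy
! regardless of which side is the higher security level; adding HTTP
! inspection to the default class is one example.
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
```

Traffic from db (80) or app (60) toward users (20) is high-to-low and is allowed by default; the logged deny entries show which user-initiated flows were blocked so the ACLs can be tuned.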


k.abillama Mon, 07/26/2010 - 00:00

Thx for the useful info!

If servers are dynamically opening ports for specific applications in return to client requests, should I use the established command, or can placing users in lower security levels do the job?


