07-23-2010 10:54 AM - edited 02-21-2020 04:02 AM
Hello,
I'm designing a network where I have 5580 ASAs in a data center that will act as gateways for all business units in my DC.
I need to know what the recommended security levels are (Database Servers, Users, Application servers) to benefit from all inspection and stateful ASA features, knowing I won't use NATing in my environment.
Regards
07-23-2010 05:54 PM
Security levels are used to define how secure the zone is considered. The less secure a zone is the lower the security level. And by definition you cannot flow from low to higher security levels without allowing it explicitly.
So I would put users in a lower security level, and then servers on higher levels. I would set DB and App zone levels based on whether you want DB servers to talk to App servers by default or not.
I hope it helps.
PK
07-23-2010 11:21 PM
Hello,
That's what I thought first, but then I thought of putting users in higher security levels since they'll always be initiating the connection (this way I'd take advantage of dynamic ports being opened for return traffic from higher to lower security zones, no?). Will I lose in terms of the inspection engine?
Regards
07-24-2010 02:52 PM
No, inspections will still inspect statefully.
You can also apply ACLs to explicitly allow what someone is allowed to reach and talk to.
Levels are to provide granularity and set the security levels between zones.
PK
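As an added illustration of the two points above (lower level for users, higher for servers, with ACLs making the allowed low-to-high flows explicit), here is an ASA configuration fragment; it is not from the thread or from any poster, and the interface names, addresses and ports are constructed for the example:

```cisco
! Added example: three zones on an ASA, no NAT. Users lowest, DB highest.
interface GigabitEthernet0/1
 nameif users
 security-level 10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif app
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif db
 security-level 90
 ip address 10.30.0.1 255.255.255.0
!
! Low (10) -> high (50) is denied by default, so permit only the service
! the app zone is meant to offer. Return traffic is matched statefully;
! no rule is needed for it on the app interface.
access-list USERS_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq https
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
!
! App (50) -> DB (90) is also low-to-high and needs its own explicit permit
! (constructed example: a SQL listener on TCP 1433).
access-list APP_IN extended permit tcp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0 eq 1433
access-list APP_IN extended deny ip any any log
access-group APP_IN in interface app
!
! Inspection is independent of security levels; the default global
! service policy applies the protocol inspections to every interface.
policy-map global_policy
 class inspection_default
  inspect http
  inspect dns
service-policy global_policy global
```

Note that once an inbound access-group is applied to an interface, the ACL's implicit deny replaces the implicit permit that the security level would otherwise give that interface's high-to-low traffic, so any outbound flow from a higher zone through that interface must also be listed.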
07-26-2010 12:00 AM
Thx for the useful info!
If servers are dynamically opening ports for specific applications in response to client requests, should I use the established command, or can placing users in lower security levels do the job?
Regards