Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

changing security-level

Hello,

I need to change the security-level on an interface for a cisco asa 5520. I am not sure if this will cause downtime, can someone please inform me? I cannot seem to find anything on the internet about this. Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: changing security-level

Hi,

If you have interface ACLs configured on all interfaces already then changing the "security-level" will not change anything.

If you however have some interfaces that dont use ACLs and you are for example changing some other interfaces "security-level" to a higher value than the interface which doesnt have an interface ACL, then you might start blocking all traffic from behind the interface with no ACL to the network behind the interface thats "security-level" got changed.

There is also one NAT related issue that might arise from changing "security-level" value but it only applies to software level 8.2 and below. It also is a NAT configuration that is very rare (atleast I have not run into it that many times)

This NAT related situation specifically comes when you are doing Dynamic NAT/PAT and the source addresses/networks are behind an interface which "security-level" is lower than the destination interfaces.

A simple example could be

interface GigabitEthernet0/0

nameif outside

security-level 0

ip add 1.1.1.2 255.255.255.248

interface GigabitEthernet0/1

nameif 3rdparty

security-level 2

ip add 2.2.2.2 255.255.255.248

If you wanted to configure Dynamic PAT between these interfaces then the "nat" command would require an extra parameter at the end. Specifically "outside" (this doesnt refer to any interface name)

global (3rdparty) 1 interface

nat (outside) 1 10.10.10.0 255.255.255.0 outside

The above configuration is meant to illustrate a situation for example where you want some VPN Client or L2L VPN remote network to be able to access some 3rd party site and the "security-level" values of the interfaces are the other way around than typically from going from secure to unsecure.

There might also be some minor cosmetic changes in the command output and syslogs. For example the "security-level" defines in what order the "show conn" output is shown for the source and destination IP address. Also the connection forming logs are mentioned as either "inbound" or "outbound" based on the "security-level" value. (Outbound from higher to lower and Inbound from lower to higher)

But as I said, these are just cosmetic changes.

There might be some other things but I cant think of anything else than the ones above.

- Jouni

2 REPLIES
Super Bronze

Re: changing security-level

Hi,

If you have interface ACLs configured on all interfaces already then changing the "security-level" will not change anything.

If you however have some interfaces that dont use ACLs and you are for example changing some other interfaces "security-level" to a higher value than the interface which doesnt have an interface ACL, then you might start blocking all traffic from behind the interface with no ACL to the network behind the interface thats "security-level" got changed.

There is also one NAT related issue that might arise from changing "security-level" value but it only applies to software level 8.2 and below. It also is a NAT configuration that is very rare (atleast I have not run into it that many times)

This NAT related situation specifically comes when you are doing Dynamic NAT/PAT and the source addresses/networks are behind an interface which "security-level" is lower than the destination interfaces.

A simple example could be

interface GigabitEthernet0/0

nameif outside

security-level 0

ip add 1.1.1.2 255.255.255.248

interface GigabitEthernet0/1

nameif 3rdparty

security-level 2

ip add 2.2.2.2 255.255.255.248

If you wanted to configure Dynamic PAT between these interfaces then the "nat" command would require an extra parameter at the end. Specifically "outside" (this doesnt refer to any interface name)

global (3rdparty) 1 interface

nat (outside) 1 10.10.10.0 255.255.255.0 outside

The above configuration is meant to illustrate a situation for example where you want some VPN Client or L2L VPN remote network to be able to access some 3rd party site and the "security-level" values of the interfaces are the other way around than typically from going from secure to unsecure.

There might also be some minor cosmetic changes in the command output and syslogs. For example the "security-level" defines in what order the "show conn" output is shown for the source and destination IP address. Also the connection forming logs are mentioned as either "inbound" or "outbound" based on the "security-level" value. (Outbound from higher to lower and Inbound from lower to higher)

But as I said, these are just cosmetic changes.

There might be some other things but I cant think of anything else than the ones above.

- Jouni

New Member

Re: changing security-level

Thanks for the information Jouni. This is a new interface that doesn't have any rules on it at the moment and I don't believe any other interfaces need access to this interface at the moment. And this ASA is using code version 8.3(2) so it sounds like I should be good. Thanks again!

154
Views
0
Helpful
2
Replies
CreatePlease login to create content