12-31-2008 12:30 PM
Pretty new with the ASA 5510 and I cannot seem to find any info on security levels.
I have an outside interface set at security level 0, the inside interface at 100, and the E:2 which will be the DMZ, I am not sure what to set the security level to. Is there some resource that shows the effects or permissions of, let's say, a security level 50?
01-01-2009 09:07 AM
Derek,
Cisco defaults and recommendations are:-
1) Outside interface - security level 0
2) Inside interface - security level 100
The higher the interface security level the more trusted.
Any interface with a lower security CANNOT talk to an interface with a higher security level without an access list that permits the traffic.
Any interface with a higher security level can talk to any interface with a lower security level.
So if you have a DMZ - choose a number between 1 and 99. This will mean that any traffic from the DMZ to the outside will be OK. Any traffic from the Inside to the DMZ and Outside will be OK. Any traffic from the outside to the DMZ and or the Inside will not work - without a specific permit access-list.
HTH
01-01-2009 08:05 PM
Derek
As Andrew explains the basic principle is that a higher security level interface can initiate traffic to a lower security interface but a lower security level interface can only initiate traffic that is explicitly allowed to a higher security level interface.
Probably most of us split the difference and assign 50 as the security level when we configure a third interface (as DMZ). But the particular level we choose does not matter until we decide that we need a fourth interface. Functionally it would work the same if we assigned a security level of 2 or of 99 or of 50 for the third interface.
HTH
Rick
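A minimal configuration that puts the principle from both replies into practice, added here as an example and not taken from either poster. It assumes the DMZ is Ethernet0/2, uses RFC 5737 documentation addresses, and assumes a DMZ web server at 192.0.2.10 that the outside must reach; everything else is left to the implicit security-level rules.

```cisco
! Outside: least trusted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Inside: most trusted
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! DMZ (assumed to be Ethernet0/2): any value from 1 to 99 gives the
! same three-interface behaviour; 50 is the common convention
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Implicit behaviour with no access-list applied:
!   inside (100) -> dmz (50), outside (0)   : permitted
!   dmz (50)     -> outside (0)             : permitted
!   dmz (50)     -> inside (100)            : denied
!   outside (0)  -> dmz (50), inside (100)  : denied
!
! Lower-to-higher traffic needs an explicit permit. Allow only HTTP
! from the Internet to the DMZ web server (constructed address); the
! implicit deny at the end of the list still blocks everything else,
! including anything from outside toward inside.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside
```

Once an access-group is applied inbound on an interface, that list replaces the implicit security-level permit for traffic entering that interface, so a list applied to dmz would also need entries for the DMZ-to-outside flows you still want.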