Cisco ASA Security Levels

Hi Rene,

I have tested (pinging) the topology with your configuration and got OK, but when I try to ping the ASA interface IPs (192.168.2.254 & 192.168.3.254) from an inside host, it's not pinging. Could you please explain this a little bit? Thanks

Hi Mohammad,

By design, the ASA doesn’t allow pinging an interface on the ASA from a host that is behind another interface. Like in your example, you won’t be able to ping the outside or DMZ interfaces from an inside host.

It’s the default behavior but I’m not sure why they designed it like this.

Rene


What is the security level of the DMZ and Outside? I think it could be any value from 0 to 100. Please clarify this. Thanks

br//
zaman

Hi Zaman,

The default security level of an interface will be 0. The only exception is “inside” which has security level 100 by default.

For the DMZ you can pick anything between 1-99, I personally like to pick 50 if I only need inside/outside and DMZ.

Rene
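As an added illustration (not part of Rene's reply), this is what the three interfaces look like in ASA configuration with the levels described above. The outside (192.168.2.254) and DMZ (192.168.3.254) addresses come from this thread; the inside address 192.168.1.254 and the GigabitEthernet names are assumptions (on a 5505 the same commands go on VLAN interfaces instead).

```cisco
! Added example, not from the original post.
! Assumptions: GigabitEthernet0/x naming and inside address 192.168.1.254.
!
! nameif "inside" gets security-level 100 automatically; any other name gets 0,
! so the DMZ level has to be set explicitly.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.2.254 255.255.255.0
 no shutdown
!
! Any value 1-99 works for the DMZ; 50 keeps the order inside > dmz > outside,
! so inside can initiate to both, dmz can initiate only to outside, and outside
! cannot initiate anywhere without an access-list.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.3.254 255.255.255.0
 no shutdown
```

`show nameif` prints each interface with its name and security level, which is the quickest way to confirm which direction is allowed by default.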

Rene

In the above diagram does the router in front of the ASA represent an on premise router or an ISP router?

I have Comcast connected to ASA 5505 then a 2821 router between the LAN and ASA 5505.

Should an on premise router be in front of the firewall? So the connection would be Comcast into 2821 then ASA 5505 between ASA 5505 and the LAN?

Thanks.

Hi Donald,

In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.

Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need any router specific features, you might as well connect the ASA directly to your ISP.

Rene

OK. Got it. Thanks

Hi Rene,

To allow the DMZ traffic, would you need to put an ACL on the inside interface allowing DMZ traffic, or on the Inside interface allowing the DMZ source to come in? Or do you need to put ACLs on both interfaces?

If the DMZ is, say, the 172.16.1.0/24 range and Inside is the 192.168.1.0/24 range, would you put an ACL on the DMZ interface allowing 172.16.1.0/24 access to 192.168.1.0/24 and then put the same ACL on inside as well?

Hi Zahan,

Traffic from a higher security level to a lower security level is no problem. DMZ traffic (50) is allowed to go to the outside (0) by default.

Traffic from the outside (0) to the DMZ (50) is prohibited so you’ll need an access-list to permit it.

Take a look at this example:

Cisco ASA Access-List

Rene

Hi Rene,

I have a similar question to one of the others. I'm using Packet Tracer with the 5505… I can't create a DMZ; it lets me create everything except when I try to configure the NAMEIF, it gives me:

ciscoasa(config-if)#nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

and show ver shows 3 VLANs with DMZ restricted:

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual

Please explain why. Thanks

Hi Marcus,

The base license only allows you to create 3 VLANs, but the DMZ is restricted. Here’s how it works:

Let’s say you have an INSIDE, OUTSIDE and DMZ interface. This means you can have traffic like this:

INSIDE <> OUTSIDE
INSIDE <> DMZ
DMZ <> OUTSIDE

The ASA 5505 base license doesn’t allow these three different traffic paths. You need to disable one of the traffic paths, and I believe in one direction only. You can use the no forward command for this. For example, you could use this to disable traffic from INSIDE > DMZ; once you do this, you should be able to use all 3 interfaces.

It is a kinda lame restriction. The security plus license gets rid of this…

Rene
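Added example (not from Rene's reply) of the Base license workaround on a 5505. The restriction is on one VLAN initiating traffic toward one other VLAN, and the `no forward interface` command has to be entered on the third VLAN before its nameif, otherwise you get the ERROR shown above. Addresses are assumptions; the VLAN numbering follows the 5505 defaults (VLAN 1 inside, VLAN 2 outside).

```cisco
! Added example for the ASA 5505 Base license, not from the original post.
! Assumptions: all IP addresses; VLAN 3 used for the DMZ.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
! Third VLAN: it may not INITIATE traffic to Vlan1 (inside). Inside -> dmz still
! works, because replies are matched by the connection table, and dmz -> outside
! is unaffected. This line must come before nameif.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.254 255.255.255.0
!
! Assign a switchport to the DMZ VLAN (Ethernet0/0 is in VLAN 2 by default,
! Ethernet0/1-0/7 are in VLAN 1).
interface Ethernet0/2
 switchport access vlan 3
```

From a security standpoint this is the direction you want blocked anyway: a compromised DMZ host cannot open connections toward the inside, while inside hosts can still reach the DMZ.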

I followed all the steps but I can’t ping from inside to outside.

When I telnet from R1 to 192.168.2.2

R1(config)#do telnet 192.168.2.2
Trying 192.168.2.2 ... 
% Destination unreachable; gateway or host down

R1(config)#

Do I have to configure route on ASA?

Hi Rene,

Thanks for that. Still want clarification on something. If I want a subnet in the DMZ to access a subnet on the INSIDE, do I put the ACL on DMZ interface OR Inside Interface OR on Both? It’s just that in my live environment I see ACL on the DMZ interface for DMZ subnet to access INSIDE subnet so not sure if it is required.

Hello Bounpasong!

Please check your configuration again, it should function correctly. If you still have problems, please share the relevant portions of your configuration.

Thanks!

Laz
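Added note and example, not part of Laz's reply. The message `% Destination unreachable; gateway or host down` is generated by R1 itself: R1 has no usable route (or cannot reach its next hop) for 192.168.2.2, so check `show ip route` on R1 before suspecting the ASA. The ASA needs no route for its directly connected subnets, but R1 needs a route toward the ASA and R2 needs a route back. The outside address 192.168.2.254 and R2's address 192.168.2.2 come from this thread; the inside addressing (ASA at 192.168.1.254, R1 at 192.168.1.1) is an assumption.

```cisco
! Added example; inside addressing is an assumption.
!
! R1 (inside router): anything it does not know goes to the ASA inside interface.
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! R2 (outside router): it must have a path back to the inside subnet, or replies
! are dropped at R2 (not needed if the ASA translates inside hosts with PAT).
R2(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.254
!
! ASA: connected subnets are routed automatically; only networks beyond R2
! need a route, here a default toward R2.
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.2
!
! Simulate an echo request from R1 to R2 on the ASA without sending a packet
! (type 8 code 0 = echo request). The last phase shows ALLOW or the drop reason.
ciscoasa# packet-tracer input inside icmp 192.168.1.1 8 0 192.168.2.2
```

If packet-tracer reports ALLOW but the real ping still fails, the problem is routing on R1 or R2, not the ASA.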

Hello Zahan!

In order to allow a subnet on the DMZ to access a subnet on the INSIDE, you will require an access list on the DMZ interface. Depending on your NAT configuration, you may also be required to configure a static NAT translation.

You can find additional information at the following Cisco support community link: https://supportforums.cisco.com/discussion/11011491/asa-5520-config-dmz-inside-access.

I hope this has been helpful!

Laz

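Added example (not from Rene's or Laz's replies) putting the two answers above into configuration: the ACL goes only on the DMZ interface, in the inbound direction, using the subnets Zahan gave. Interface names, the permitted ports, and the identity NAT rule are assumptions; the NAT rule is only needed when another NAT rule would otherwise translate dmz-to-inside traffic, as Laz notes.

```cisco
! Added example, not from the original replies.
! Assumptions: interface names "dmz"/"inside", TCP 443 as the permitted service.
! On ASA 8.3+ ACLs match the real (untranslated) addresses.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ_NET
 subnet 172.16.1.0 255.255.255.0
!
! Only the dmz (50) -> inside (100) direction needs an ACL. Nothing is needed on
! the inside interface for this flow: return traffic is matched by the connection
! table, not by an ACL.
access-list DMZ_IN extended permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list DMZ_IN extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
! Everything else toward inside stays blocked...
access-list DMZ_IN extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! ...but applying an ACL replaces the implicit "higher to lower is allowed" rule
! with an implicit deny, so dmz -> outside must now be permitted explicitly.
access-list DMZ_IN extended permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! Identity (exemption) NAT, 8.3+ syntax: keeps dmz <-> inside addresses untouched
! when a broader NAT rule would otherwise catch this traffic.
nat (dmz,inside) source static DMZ_NET DMZ_NET destination static INSIDE_NET INSIDE_NET
```

Verify the result from exec mode with `packet-tracer input dmz tcp 172.16.1.10 40000 192.168.1.10 443`; the ACCESS-LIST and NAT phases show which rule matched and whether the packet is allowed.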

Question about the icmp inspect. Does that automatically allow ping from outside to inside or outside to DMZ? Because typically when I would enable this, it is only to allow ping between DMZ and INSIDE.

Hi Ryan,

It won’t. You still have to explicitly permit the (ICMP) traffic if you want to go from a lower to a higher security level.

Rene

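Added example (not from Rene's reply) showing the two separate pieces: ICMP inspection, which only makes replies to pings that start on a higher-security interface stateful, and the explicit access-list that is still required for outside-to-DMZ. The DMZ host address 192.168.3.10 and the ACL name are assumptions; `global_policy` and `inspection_default` are the names of the default policy on an ASA.

```cisco
! Added example, not from the original reply. Assumption: DMZ host 192.168.3.10.
!
! 1) Stateful ICMP. With this, an echo request from inside or dmz toward outside
!    creates a connection entry and the echo reply is allowed back without any
!    ACL on the outside interface. It does not permit anything that starts on
!    the lower-security side.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 2) outside (0) -> dmz (50) still needs an ACL. Keep it narrow: echo requests
!    only, to one host, rather than "permit icmp any any".
access-list OUTSIDE_IN extended permit icmp any host 192.168.3.10 echo
access-group OUTSIDE_IN in interface outside
```

Check it from exec mode with `packet-tracer input outside icmp 198.51.100.7 8 0 192.168.3.10` (type 8 code 0 is an echo request); without the access-list the ACCESS-LIST phase reports the drop, with it the packet is allowed and the reply is handled by the inspection.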

Hey Rene,

Is there another protocol/command to allow HTTP traffic through a Cisco ASA other than an ACL?

Hi @iniguezjuan,

For traffic from INSIDE to OUTSIDE (and the return traffic), the default security levels will permit this. No need to add ACLs. You only need to use ACLs if you want to permit traffic that originated in the OUTSIDE and that goes to the INSIDE (or DMZ).

Rene

