Cisco ASA Security Levels

This topic is to discuss the following lesson:

hi renee ;
I was trying to work on your toplogy above but for some reason I cant ping to otherside of ASA .interfaces are up and even applied this default command

ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp

still doesnt work on my gns3 .do you have any idea about it ?

1 Like

Hi Georgi,

What if you try something else that doesn’t require changing the policy-map? For example telnetting from one device in a high security level to something in a low security level?


1 Like

telnet is working fine and I actually found 2 ways to allow ping in ASA
first one is ;

class-map global_policy
class-map icmp-class
 match default-inspection-traffic
class-map icmp
 match any
class-map inspection_default
policy-map icmp_policy
 class icmp
  inspect icmp 
service-policy icmp_policy global

and the second one is creating access list like this ;

access-list ICMP extended permit icmp any any
access-group ICMP interface global

both do the same job .

1 Like



Working on this Lab using ASA 5505 verison Cisco Adaptive Security Appliance Software Version 8.4(2)

I tried to replicate the lab above, but I can’t add an IP address to the actual interface I need to add them to a VLAN interface. How can I do that and have each zone on a different subnet ?Any advice/example would be greatly appreciated.


Juan Iniguez

Hi Juan,

The main difference between the 5505 and the 5510 or higher is that the 5505 has switchports and VLAN interfaces. The 5510 only has L3 interfaces.

Configuration is similar to a L3 switch, here’s an example for an INSIDE and OUTSIDE:

ASA(config)# interface vlan 100
 ASA(config-if)# nameif OUTSIDE
 ASA(config-if)# security-level 0
 ASA(config-if)# ip address
 ASA(config-if)# no shutdown

 ASA(config-if)# interface vlan 200
 ASA(config-if)# nameif INSIDE
 ASA(config-if)# security-level 100
 ASA(config-if)# ip address
 ASA(config-if)# no shutdown

 ASA(config)# interface ethernet 0/0
 ASA(config-if)# switchport access vlan 100
 ASA(config-if)# no shutdown

 ASA(config-if)# interface ethernet 0/1
 ASA(config-if)# switchport access vlan 200
 ASA(config-if)# no shutdown

The 5505 is the last ASA that uses these switchports and VLAN interfaces, the 5506 has 8x L3 interfaces.

Hope this helps!


1 Like



I guess my biggest issue is how can I ping from the inside zone to dmz or outside zone ? Since they are on different VLANS ?

Hi Juan,

The only thing you have to do is to make sure that devices on the inside use your ASA as the default gateway. Traffic on the outside should use your ASA as the destination when they want to reach the subnet of your inside or dmz, that’s it.

In this lesson:

I am using a router on the inside and outside, both are using the ASA as their default gateway.


1 Like

Hi Rene,

I have tested(pinging) the topo with your configuration and got okk but when i try to ping the ASA interface ip( & from insde host , its not pinging . Could you please little bit explain on it . Thanks

Hi Mohammad,

By design, the ASA doesn’t allow pinging an interface on the ASA from a host that is behind another interface. Like in your example, you won’t be able to ping the outside or DMZ interfaces from a inside host.

It’s the default behavior but I’m not sure why they designed it like this.


1 Like

What is the security level of DMZ and Outside ? I think it could be any value from 0 to 100.Please do clear on it .Thanks


Hi Zaman,

The default security level of an interface will be 0. The only exception is “inside” which has security level 100 by default.

For the DMZ you can pick anything between 1-99, I personally like to pick 50 if I only need inside/outside and DMZ.



In the above diagram does the router in front of the ASA represent an on premise router or an ISP router?

I have Comcast connected to ASA 5505 then a 2821 router between the LAN and ASA 5505.

Should an on premise router be in front of the firewall? So the connection would be Comcast into 2821 then ASA 5505 between ASA 5505 and the LAN?


Hi Donald,

In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.

Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need any router specific features, you might as well connect the ASA directly to your ISP.


OK. Got it. Thanks

Hi Rene,

To allow the DMZ traffic would you need to put an ACL on the inside interface allowing DMZ traffic or on the Inside interface allowing DMZ source to come in? Or do you need to put ACLs on both interfaces?

If DMZ is say range and Inside is range. Would you put ACL in DMZ interface allowing access to and then put the same ACL on inside as well?

Hi Zahan,

Traffic from a higher security level to a lower security level is no problem. DMZ traffic (50) is allowed to go to the outside (0) by default.

Traffic from the outside (0) to the DMZ (50) is prohibited so you’ll need an access-list to permit it.

Take a look at this example:

Cisco ASA Access-List


Hi Rene,

I have a similar ? like one of the others, im using packet tracer and with the 5505…I cant create a DMZ, it lets me create all except when I try and create NAMEIF it gives me:

ciscoasa(config-if)#nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

and the show ver - shows 3 vlans with DMZ restricted -

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual

Please explain why. Thanks

Hi Marcus,

The base license only allows you to create 3 VLANs, but the DMZ is restricted. Here’s how it works:

Let’s say you have an INSIDE, OUTSIDE and DMZ interface. This means you can have traffic like this:


The ASA 5505 base license doesn’t allow these three different traffic paths. You need to disable one of the traffic paths and I believe in one direction only. You can use the no forward command for this. For example, you could use this to disable traffic from INSIDE > DMZ, once you do this, you should be able to use all 3 interfaces.

It is a kinda lame restriction. The security plus license gets rid of this…


I follow all step but I can’t ping from inside to outside.

When I telnet from R1 to

R1(config)#do telnet
Trying ... 
% Destination unreachable; gateway or host down


Do I have to configure route on ASA?