ASA Security Levels
Even though we have the ability to configure Global and Interface ACLs on the Cisco ASA, Security Levels are still a key element to understand. Security Levels control the default behavior of transit traffic on the ASA.
The rules are simple.
- Each interface gets a security level.
- Transit traffic can go from a higher to a lower security level, which creates an entry in the state table and allows for return traffic.
- Transit traffic from a lower to a higher security level is denied by default.
So, assuming the diagram below, we can understand default traffic behavior.
In our above topology, outbound traffic can transit the ASA from:
1. The DMZ to the OUTSIDE
2. The INSIDE to the DMZ
3. The INSIDE to the OUTSIDE
Additionally, inbound traffic would be denied if it were:
1. OUTSIDE to DMZ
2. OUTSIDE to INSIDE
3. DMZ to INSIDE
Security level 100: The highest possible level; it is used by the inside interface by default. Using the trusted-untrusted terminology, this level is considered the most trusted.
Security level 0: The lowest possible level; it is used by the outside interface by default, making it the most untrusted interface. Traffic can pass from this interface to other interfaces only if manually configured to do so.
The Cisco ASA uses security levels to determine whether a connection is inbound or outbound.
It is an inbound connection if traffic is initiated from a lower security level toward a higher security level. By default, an inbound connection is considered unsecure, so traffic from a lower-security interface to a higher one cannot pass unless additional explicit inspection and filtering checks are passed.
It is an outbound connection if traffic is initiated from a higher security level toward a lower security level. An outbound connection is considered secure and is automatically inspected, so the returning traffic does not require any access list.
Note that ICMP is stateless and no ICMP inspection is enabled by default, so the replies to ICMP sent from a higher security level interface to a lower security level interface will be blocked on the way back. To permit ICMP traffic in this case, the user can enable ICMP inspection globally or configure an inbound ACL on the lower-security interface that permits the echo-reply.
Setup:
- The connection between R1's f0/0 and the ASA's e0/1 is configured in VLAN 101
- The connection between R2's f0/0 and the ASA's e0/0 is configured in VLAN 102
- The connection between R4's f0/0 and the ASA's e0/2 is configured in VLAN 104
- R1's Loopback0 ip address 1.1.1.1/24; f0/0.101 ip address 10.1.101.1/24
- R2's Loopback0 ip address 2.2.2.2/24; f0/0.102 ip address 10.1.102.1/24
- R4's Loopback0 ip address 4.4.4.4/24; f0/0.104 ip address 10.1.104.1/24
- ASA's e0/0.102 ip address 10.1.102.10/24; e0/1.101 ip address 10.1.101.10/24; e0/2.104 ip address 10.1.104.10/24
- On the ASA, permit telnet, ssh and port 80 from 1.1.1.1 to R4's networks; permit FTP from 1.1.1.1 with source port range 4000 - 5000 to host 10.1.102.2; permit the inside network access to http, https, pop3 and icmp echo.
- E0/1.101: interface name is inside and ip address is 10.1.101.10/24
- E0/0.102: interface name is outside and ip address is 10.1.102.10/24
- E0/2.104: interface name is DMZ; ip address is 10.1.104.10/24; security-level is 50
- R1, R2 & R4 point their default route to the ASA; the ASA points its default route to R2 and adds static routes to the routers' loopback networks
- Make sure the ASA is configured to allow ping from inside to the other networks and to allow telnet and ssh from outside & DMZ to inside
R1's Configuration
R1#sh run
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.101.10
!
R2's Configuration
R2#sh run
hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 ip address 10.1.102.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.102.10
R4's Configuration
R4#sh run
hostname R4
no aaa new-model
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0.104
 encapsulation dot1Q 104
 ip address 10.1.104.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.104.10
Cisco ASA's Configuration
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0.102
 vlan 102
 nameif outside
 security-level 0
 ip address 10.1.102.10 255.255.255.0
!
interface Ethernet0/1.101
 vlan 101
 nameif inside
 security-level 100
 ip address 10.1.101.10 255.255.255.0
!
interface Ethernet0/2.104
 vlan 104
 nameif DMZ
 security-level 50
 ip address 10.1.104.10 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network Networkinside
 network-object 10.1.101.0 255.255.255.0
 network-object 1.1.1.0 255.255.255.0
object-group network r1lo
 network-object host 1.1.1.1
object-group network E01-Subnet
 network-object 10.1.101.0 255.255.255.0
object-group network R4
 network-object host 10.1.104.4
 network-object host 4.4.4.4
object-group network F0-R2
 network-object host 10.1.102.2
object-group service Inside-out
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq pop3
 service-object icmp echo
object-group service R4-Services tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq www
object-group service Telnet-SSH tcp
 port-object eq telnet
 port-object eq ssh
object-group service FTP
 service-object tcp source range 4000 5000 eq ftp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any object-group Networkinside object-group Telnet-SSH
access-list INSIDE extended permit tcp object-group r1lo object-group R4 object-group R4-Services
access-list INSIDE extended permit object-group FTP object-group r1lo object-group F0-R2
access-list INSIDE extended permit object-group Inside-out object-group E01-Subnet any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
access-group outside_in in interface outside
access-group INSIDE in interface inside
access-group outside_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.1.102.2 1
route inside 1.1.1.0 255.255.255.0 10.1.101.1 1
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
telnet timeout 5
ssh timeout 5


