Prerequisite – Adaptive Security Appliance (ASA)
ASA is a Cisco security device that provides firewall capabilities together with VPN support, routing, antivirus capability and many other features.
Security levels –
ASA associates a security level with each routable interface. Remember that an ASA interface is in routed mode by default, i.e. it operates at layer 3. Each interface is assigned a security level, which is a number from 0 to 100. The higher the number, the more the network connected to that ASA interface is trusted.
On the basis of these security levels, ASA decides what action to take (whether to permit or deny a packet).
Also note that we can assign names to ASA interfaces such as inside, outside or DMZ. As soon as we assign a name to an interface, it automatically assigns a security level to itself. For example, if we assign the name inside to an interface, it assigns itself security level 100, i.e. the most trusted network. If we assign the name outside, DMZ or any other name to an interface, it automatically assigns itself security level 0. These are default values and can be changed.
It is good practice to give security level 100 (maximum) to inside (the most trusted network), 0 (minimum) to outside (the untrusted or public network) and 50 to DMZ (the network holding the organisation's publicly reachable devices).
It is not mandatory to assign a name (inside, outside or DMZ) to an ASA interface, but it is good practice to assign these names as they are simple and meaningful.
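The following configuration is an added example, not part of the original article, showing the three interfaces described above. The interface slots (GigabitEthernet0/0 to 0/2) and the IP addresses (taken from documentation and private ranges) are assumed values. Security levels are set explicitly even where the default would already apply, so that the intended trust ordering is visible in the running configuration.

```cisco
! Added example: three routed ASA interfaces named inside, outside and dmz.
! Slot numbers and addresses are assumed.
interface GigabitEthernet0/1
 nameif inside
 ! "inside" already defaults to 100; stated explicitly so the intent is visible
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0
 nameif outside
 ! any name other than "inside" defaults to 0
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 ! "dmz" would also default to 0, so the recommended 50 must be set by hand
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown
```

After applying it, show nameif lists each interface with its name and security level, which is the quickest way to confirm that dmz did not silently stay at 0.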
Default Flow of traffic –
Note that if the traffic is inspected, the state of the connection is kept, i.e. a connection table is maintained, and therefore the replies (from the untrusted network) are allowed. If the action on the traffic is simply to pass it, the packets are forwarded but no connection table entry is kept.
By default, ASA allows the flow of traffic from a higher security level to a lower security level. If the traffic is initiated by devices at a higher security level, it is allowed to pass through the firewall to reach devices at lower security levels such as outside or DMZ.
And if the (TCP or UDP) traffic is initiated from the higher security level, then the replies (destined for the higher security level) from the lower security level (outside or DMZ) are allowed. This is due to default stateful inspection (meaning the state of the connection is maintained in the connection table).
But if ICMP traffic is sent from a higher security level to a lower security level, it will reach the lower security level device, and that device will also send an echo reply, but the firewall (ASA) will drop the reply, as only TCP and UDP traffic is inspected by default.
If we want ICMP traffic to be inspected by the ASA, we have to enable it manually with the command
asa(config)#fixup protocol ICMP
Also, if the lower security level (outside or DMZ) wants to send any traffic (TCP, UDP or ICMP) to the higher security level, it is denied by the ASA firewall due to its default policy. To allow it, an access-list can be used.
Also note that when we give security level 50 to DMZ, 100 to inside and 0 to outside, traffic is allowed from DMZ to outside, but DMZ devices will still not be able to reach inside devices.
Also, by default, if two interfaces have the same security level, traffic between them is not allowed.
But the traffic can be allowed manually (between two interfaces having the same security level) with the command
asa(config)#same-security-traffic permit inter-interface
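The configuration below is an added example, not part of the original article, that puts the rules of this section together on the inside (100) / dmz (50) / outside (0) layout. The interface names, the DMZ web server 192.168.10.10, the internal database host 10.0.0.20 and the access-list names OUTSIDE_IN and DMZ_IN are all assumed. ICMP inspection is enabled through the Modular Policy Framework, which is the current form of the fixup command shown above; global_policy and inspection_default are the policy-map and class that exist on an ASA by default.

```cisco
! Added example: interface names, hosts and ACL names are assumed.

! 1. Inspect ICMP so that echo replies to pings sent from inside are matched
!    against the connection table and allowed back in (MPF form of
!    "fixup protocol icmp").
policy-map global_policy
 class inspection_default
  inspect icmp

! 2. outside (0) -> dmz (50) is dropped by default. Open only HTTPS to the
!    one DMZ server; the explicit deny at the end logs everything else.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 3. dmz (50) -> inside (100) is also denied by default. Permit only the DMZ
!    server to reach the internal database. Caveat: once an ACL is applied
!    to an interface it replaces the level-based default for that interface,
!    so dmz -> outside (which the levels would normally allow) has to be
!    permitted again explicitly, after denying the rest of the inside range.
access-list DMZ_IN extended permit tcp host 192.168.10.10 host 10.0.0.20 eq 1433
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz

! 4. Only needed when two interfaces share a level (e.g. two DMZ segments
!    both at 50); otherwise traffic between them stays blocked.
same-security-traffic permit inter-interface
```

To check the result, show conn lists the connection-table entries that the stateful inspection created (an inside-to-outside ping now shows up as an ICMP entry while the reply is pending), and show access-list shows the hit counts on each line, including the logging deny entries, which is the first place to look when a DMZ host unexpectedly cannot reach outside after the ACL is applied.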