Security Level Overview; Configuring Vlan Interfaces - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 4
Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Security Level Overview

Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network, can be in between. You can assign interfaces to the same security level; traffic between interfaces on the same level is not permitted until you enable it with the same-security-traffic permit inter-interface command. See the "Allowing Communication Between VLAN Interfaces on the Same Security Level" section on page 4-13 for more information.

The level controls the following behavior:

• Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
  For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
  – NetBIOS inspection engine—Applied only for outbound connections.
  – SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the adaptive security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
  For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).
  Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require the outside keyword on the nat command.
• established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.
  For same security interfaces, you can configure established commands for both directions.

Configuring VLAN Interfaces

For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for routed mode, an IP address. You should also change the security level from the default, which is 0. If you name an interface "inside" and you do not set the security level explicitly, then the adaptive security appliance sets the security level to 100.
For information about how many VLANs you can configure, see the "Maximum Active VLAN Interfaces for Your License" section on page 4-5.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 4-2
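The security-level rules from the overview and the nameif/security-level configuration steps above, turned into a small checker. This is an added example and not code from the Cisco guide: the sample configuration is constructed, the interface names home and dmz and the address are placeholders, and the parser covers only the handful of commands the text discusses. It applies the rules as stated (higher to lower is implicitly permitted, equal levels only with same-security-traffic permit inter-interface, an unset level defaults to 0 except for the name inside, and nat-control makes NAT mandatory for higher-to-lower traffic) and reports the resulting default access between every pair of named VLAN interfaces.

```python
# Added example, not from the Cisco guide: apply the security-level rules above to a
# constructed ASA 5505-style configuration (SAMPLE_CONFIG, with a placeholder address)
# and report the default access between every pair of named VLAN interfaces.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Vlan3
 nameif home
 security-level 50
!
interface Vlan4
 nameif dmz
 security-level 50
!
same-security-traffic permit inter-interface
nat-control
"""


@dataclass
class VlanInterface:
    name: str                             # e.g. "Vlan1"
    nameif: Optional[str] = None          # required for the VLAN to pass traffic
    security_level: Optional[int] = None  # None: not configured explicitly

    def effective_level(self) -> int:
        """Explicit level if set; otherwise 100 for the name 'inside', 0 for any other."""
        if self.security_level is not None:
            return self.security_level
        return 100 if self.nameif == "inside" else 0


@dataclass
class AsaConfig:
    interfaces: Dict[str, VlanInterface]
    same_security_inter: bool = False     # same-security-traffic permit inter-interface
    nat_control: bool = False


def parse_config(text: str) -> AsaConfig:
    """Minimal parser covering only the commands this example reasons about."""
    cfg, current = AsaConfig({}), None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                  # global configuration mode
            m = re.fullmatch(r"interface (Vlan\d+)", line)
            current = VlanInterface(m.group(1)) if m else None
            if current:
                cfg.interfaces[current.name] = current
            elif line == "same-security-traffic permit inter-interface":
                cfg.same_security_inter = True
            elif line == "nat-control":
                cfg.nat_control = True
        elif current is not None:                     # interface sub-mode
            tokens = line.split()
            if tokens[0] == "nameif" and len(tokens) == 2:
                current.nameif = tokens[1]
            elif tokens[0] == "security-level" and len(tokens) == 2:
                level = int(tokens[1])
                if not 0 <= level <= 100:
                    raise ValueError(f"{current.name}: security-level {level} outside 0-100")
                current.security_level = level
    return cfg


def implicit_permit(src_level: int, dst_level: int, same_security_inter: bool) -> bool:
    """No access list: higher -> lower permitted, equal only with same-security, lower -> higher never."""
    if src_level == dst_level:
        return same_security_inter
    return src_level > dst_level


def access_matrix(text: str) -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """(source nameif, destination nameif) -> (implicitly permitted, NAT mandatory under nat-control)."""
    cfg = parse_config(text)
    named = [i for i in cfg.interfaces.values() if i.nameif]   # unnamed VLANs pass no traffic
    matrix = {}
    for src in named:
        for dst in named:
            if src is not dst:
                s, d = src.effective_level(), dst.effective_level()
                matrix[(src.nameif, dst.nameif)] = (implicit_permit(s, d, cfg.same_security_inter),
                                                    cfg.nat_control and s > d)
    return matrix


if __name__ == "__main__":
    for (src, dst), (permitted, nat) in sorted(access_matrix(SAMPLE_CONFIG).items()):
        print(f"{src:>8} -> {dst:<8} implicit permit={permitted!s:5} NAT required={nat}")
```

Running the script prints the 12 directional pairs. Two things worth checking by hand: Vlan1 has no security-level line yet evaluates to 100 because it is named inside, and the home/dmz pair (both 50) is permitted only because the same-security-traffic line is present; delete that line and the pair becomes denied in both directions, while the outside-to-inside direction stays denied regardless.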
