https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141319#M359288 <HTML><HEAD></HEAD><BODY><P>In practice, most interesting firewall designs end up putting access-lists on all the interfaces, at which point the security levels are moot.&nbsp;&nbsp; The primary effect of Cisco security-level concept is that an out of the box vanilla configuration with just an inside and an outside network will more or less work: the firewall will block unsolicited inbound traffic, allow outbound traffic, and allow reply packets for existing connections in.</P><P></P><P>-- Jim Leinweber, WI State Lab of Hygiene</P></BODY></HTML> Fri, 29 Mar 2013 18:54:21 GMT James Leinweber 2013-03-29T18:54:21Z https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141315#M359284 <P>Hey guys I have a very basic question, as much as I know about Firewalls. This matter escapes, can someone explain to me what does the security levels mean on the interface and could have the same security level on two different interfaces that facing the internet?</P><P></P><P>Please advise and thank you</P><P></P><P>Matt</P> Tue, 12 Mar 2019 01:21:08 GMT https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141315#M359284 mingram27 2019-03-12T01:21:08Z https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141316#M359285 <HTML><HEAD></HEAD><BODY><P>Hello Matthew,</P><P></P><P>The security level protects higher security&nbsp; networks&nbsp; from lower security networks by imposing additional protection&nbsp; between&nbsp; the two. </P><P></P><P> The level controls the following behavior: </P><P></P><P> <A name="wp1422206"></A></P><P> •<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />Network&nbsp;&nbsp; access—By default, there is an implicit permit from a higher security&nbsp;&nbsp; interface to a lower security interface (outbound). Hosts on the higher&nbsp;&nbsp; security interface can access any host on a lower security interface.&nbsp;&nbsp; You can limit access by applying an access list to the interface. </P><P></P><P>Normally,&nbsp; interfaces on the same security level&nbsp; cannot communicate. If you want&nbsp; interfaces on the same security level to&nbsp; communicate, you need to add&nbsp; the same-security-traffic inter-interface. You might want to assign two&nbsp; interfaces to the same level and&nbsp; allow protection features to be&nbsp; applied&nbsp; equally for traffic between two interfaces; for example, you&nbsp; have two&nbsp; departments that are equally secure. </P><P></P><P>I hope it helps. </P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Thu, 28 Mar 2013 14:17:19 GMT https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141316#M359285 julomban 2013-03-28T14:17:19Z https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141317#M359286 <HTML><HEAD></HEAD><BODY><P>Perfect answer!!! Thank you</P></BODY></HTML> Thu, 28 Mar 2013 15:42:27 GMT https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141317#M359286 mingram27 2013-03-28T15:42:27Z https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141318#M359287 <HTML><HEAD></HEAD><BODY><P>Your welcome!!!! </P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Thu, 28 Mar 2013 15:45:51 GMT https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141318#M359287 julomban 2013-03-28T15:45:51Z https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141319#M359288 <HTML><HEAD></HEAD><BODY><P>In practice, most interesting firewall designs end up putting access-lists on all the interfaces, at which point the security levels are moot.&nbsp;&nbsp; The primary effect of Cisco security-level concept is that an out of the box vanilla configuration with just an inside and an outside network will more or less work: the firewall will block unsolicited inbound traffic, allow outbound traffic, and allow reply packets for existing connections in.</P><P></P><P>-- Jim Leinweber, WI State Lab of Hygiene</P></BODY></HTML> Fri, 29 Mar 2013 18:54:21 GMT https://community.cisco.com/t5/network-security/asa-and-security-levels/m-p/2141319#M359288 James Leinweber 2013-03-29T18:54:21Z