https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501821#M417420 <P>Hello,</P><P></P><P>I'm designing a network where&nbsp; have 5580 ASAs in a Data center that will act as gateways for all business units in my DC.</P><P>I need to know what are the recommended security levels ( Database Servers, Users, Application servers) to benefit from all inspection and stateful ASA features knowing I won't use NATing in my enviroment</P><P></P><P>Regards</P> Fri, 21 Feb 2020 12:02:08 GMT k.abillama 2020-02-21T12:02:08Z https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501821#M417420 <P>Hello,</P><P></P><P>I'm designing a network where&nbsp; have 5580 ASAs in a Data center that will act as gateways for all business units in my DC.</P><P>I need to know what are the recommended security levels ( Database Servers, Users, Application servers) to benefit from all inspection and stateful ASA features knowing I won't use NATing in my enviroment</P><P></P><P>Regards</P> Fri, 21 Feb 2020 12:02:08 GMT https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501821#M417420 k.abillama 2020-02-21T12:02:08Z https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501822#M417421 <HTML><HEAD></HEAD><BODY><P>Security levels are used to define how secure the zone is considered. The less secure a zone is the lower the security level. And by definition you cannot flow from low to higher security levels without allowing it explicitly.</P><P></P><P>So I would put users in a lower security level, and then server on higher levels. I would set DB and App zone levels based on if you want DB servers to talk to App servers by default or not.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Sat, 24 Jul 2010 00:54:56 GMT https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501822#M417421 Panos Kampanakis 2010-07-24T00:54:56Z https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501823#M417422 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>That's what I thought first but then I thought of putting users in higher security levels since they'll always be initiatng the connection( this way i'd take advantage of dynamic ports being opened for return traffic from higher to lower security zones, no?) will I lose in tems of inspection engine?</P><P></P><P>Regards</P></BODY></HTML> Sat, 24 Jul 2010 06:21:13 GMT https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501823#M417422 k.abillama 2010-07-24T06:21:13Z https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501824#M417423 <HTML><HEAD></HEAD><BODY><P>No, inspections will still inspect statefully.</P><P>You can also apply ACLs to explicity allow what someone is allowed to reach and talk to.</P><P></P><P>Levels are to provide granularity and set the security levels between zones.</P><P></P><P>PK</P></BODY></HTML> Sat, 24 Jul 2010 21:52:00 GMT https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501824#M417423 Panos Kampanakis 2010-07-24T21:52:00Z https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501825#M417424 <HTML><HEAD></HEAD><BODY><P>Thx for the useful info!</P><P>IF servers are dynamically opening ports for specific applications in return to client requests, should I use the established command or placing users in lower security levels can do the job?</P><P></P><P>Regards</P></BODY></HTML> Mon, 26 Jul 2010 07:00:02 GMT https://community.cisco.com/t5/network-security/asa-recommended-security-levels-in-a-data-center/m-p/1501825#M417424 k.abillama 2010-07-26T07:00:02Z