Solved: ASA Security Level Help

joepeters1982 · ‎10-12-2015

Hi

I've just started a new role and after looking at the ASA 5550 config I have an issue. The inside interface has security level 0 and outside security level 100!

It's been like this for years!

So there're lots of inbound rules , some NAT entries and a couple of site-to-site VPN's attached to outside interface that has built up over the years so the config is working.

So what I'm asking is if I were to swap security levels to the way it should be, surly the exiting config shouldn't be affected by the change?

Cheers

Rishabh Seth · ‎10-12-2015

Hi,

If you are planning to change the security levels of the interface then should consider the traffic that should be permitted from the new lower security level interface to higher security level interface.

Also you have mentioned that you already have ACLs on the inside interface. So once you change the security level to 100 on the inside interface, the ACL will still take precedence and you will need to add more ACL entries to permit/deny traffic.

Hope it helps!!!

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!

View solution in original post

Rishabh Seth · ‎10-12-2015

Hi,

If you are planning to change the security levels of the interface then should consider the traffic that should be permitted from the new lower security level interface to higher security level interface.

Also you have mentioned that you already have ACLs on the inside interface. So once you change the security level to 100 on the inside interface, the ACL will still take precedence and you will need to add more ACL entries to permit/deny traffic.

Hope it helps!!!

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!

joepeters1982 · ‎10-14-2015

Thanks Rishabh

After checking and re-checking finally swapped security levels, all seems ok so far...PHEW

Rishabh Seth · ‎10-14-2015

Great :)!!!