Cisco ASA: Security level and nameif

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

Each logical ASA interface needs a nameif, a security-level and (in routed mode) an IP address before it will pass traffic. Security levels run from 0 (least trusted) to 100 (most trusted). By default the ASA permits sessions initiated from a higher-security interface towards a lower-security interface and denies sessions initiated from a lower-security interface towards a higher one; to allow a flow the default denies, bind an ACL with access-group to the interface on which the session arrives. The ASA is a stateful firewall, so "traffic" here means the session, not individual packets: "traffic allowed from higher to lower" means a session initiated from the higher-security side is permitted, and the return packets of that session are allowed back in through the lower-security interface without any ACL. Two caveats are easy to miss. First, once an ACL is applied to an interface in a direction, that ACL (with its implicit deny at the end) replaces the security-level default for that direction, so an ACL bound inbound on the inside interface must explicitly permit the outbound sessions that were allowed before. Second, two interfaces with the same security level cannot initiate sessions to each other at all unless same-security-traffic permit inter-interface is configured. The nameif is your own name for the logical interface and is what every other command (ACLs, NAT, routes) refers to. Treat it as a security zone and give it a meaningful name. Note that nameif sets the security level to 0 automatically, except for the name inside, which gets 100, so always set security-level explicitly rather than relying on the default.

To set the nameif and security level, issue the following commands (the ip address line takes the interface address and mask):

ASA#configure terminal
ASA(config)#interface GigabitEthernet0/0
ASA(config-if)#nameif outside
ASA(config-if)#security-level 10
ASA(config-if)#ip address <ip-address> <netmask>
ASA(config-if)#no shutdown
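The following configuration is an added example, not part of the original article, showing the three-zone layout the rules above describe: outside at the conventional level 0, a DMZ at 50 and inside at 100, with one ACL opening the single flow that the security-level default would deny. All interface names, addresses, the object name and the ACL name are illustrative placeholders chosen for this example; NAT for the DMZ server is out of scope of this article and is not shown.

```text
! Added example (not from the original article): ASA 9.x three-zone layout.
! Addresses are documentation ranges and the object/ACL names are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! Default policy with no ACLs bound to any interface:
!   inside -> dmz, inside -> outside, dmz -> outside : sessions permitted
!   outside -> dmz, outside -> inside, dmz -> inside : sessions denied
! Return packets of a permitted session pass back in either direction.
!
! To let Internet clients reach one web server in the dmz, bind an ACL
! inbound on the lower-security interface. From this point on the ACL,
! which ends in an implicit deny, governs every session arriving on
! outside instead of the security-level default.
object network dmz-web
 host 192.0.2.10
access-list outside_in extended permit tcp any object dmz-web eq 443
access-list outside_in extended permit tcp any object dmz-web eq 80
access-group outside_in in interface outside
!
! Two interfaces at the same level (for example a second DMZ segment also
! at 50) cannot start sessions to each other at all unless this is enabled:
same-security-traffic permit inter-interface
```

Verify the result with show running-config interface and show access-list outside_in; the hit counts on the ACL entries confirm that inbound sessions to the DMZ server are being matched by the explicit permits rather than silently dropped by the security-level default.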




Author: Marcin Bialy