Cisco ASA: Security level and nameif

Design & Configure

Configuration General (15)

Design Corner (7)

DevOps (4)

Enterprise Routing (25)

Enterprise Switching (24)

Enterprise WAN (15)

LAN Security (2)

Network Security (33)

Network Services (3)

SD-WAN (3)

Cisco ASA: Security level and nameif

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

Each logical ASA interface must have ip address, security-level and nameif configured to work. Security levels are numbered from 0 to 100. Traffic is allowed to pass from higher to lower security level interface by default. Traffic is denied from lower to higher security level by default. To change this behavior ACLs must be used. Term “traffic” means session being initiated. ASA “understands” sessions and treats packet flows as whole sessions. So term “Traffic allowed from higher to lower interface” means: session that is initiated from higher to lower interface direction. The nameif is your custom name for particular logical interface. You can think of it as a security zone thus give it the meaningful name as a best practice.

To set the nameif and security level issue following commands:

ASA#configure terminal ASA(config)#interface GigabitEthernet0/0 ASA(config-if)#nameif outside ASA(config-if)#security-level 10 ASA(config-if)#ip address 192.168.202.201 255.255.255.0 ASA(config-if)#no shutdown

Author: Marcin Bialy