ASA Security Rules
A PIX firewall has a very simple mechanism to control traffic between interfaces. The ASA uses a concept of security levels to determine whether traffic can pass between two interfaces. The higher the security level setting on an interface, the more trusted it is.
Security Levels
The ASA allows traffic to pass from trusted to untrusted, but not the reverse. Therefore, traffic can pass from interfaces with higher security levels to interfaces with lower security levels. Correspondingly, the ASA blocks traffic from interfaces with lower settings from passing through to interfaces with higher settings. To illustrate, consider a common scenario where the inside interface has a security level of 100 and the outside has a level of 0. The ASA allows traffic to pass from the inside to the outside; however, the ASA prevents traffic from flowing from the outside to the inside because the inside has a higher security level.
Figure 3.7 shows a three-pronged firewall with different security levels on each interface. Interface e0 has a security level of 0, which makes it the lowest security level of all the interfaces. Any traffic initiated on this side of the firewall will not be able to communicate with computers on the other side of the firewall.
The following are the primary security levels created and used on the PIX firewall:
Security level 100: The highest possible level, it is used by the inside interface by default. Using the trusted-untrusted terminology, this level is considered the most trusted.
Security level 0: The lowest possible level, it's used by the outside interface by default, making it the most untrusted interface. Traffic can pass from this interface to other interfaces only if manually configured to do so.
Security levels 1-99: Can be assigned to any other interface on the PIX. On a three-pronged PIX firewall, the inside is typically 100, the outside is 0, and the third interface could be 50. Traffic from interfaces between 1 and 99 can pass through to the outside (0), but it is prevented from passing to the inside (100). This is because the interface has a lower security level setting than the inside.
Figure 3.7 Security levels.
CAUTION
Security levels are a very important concept in PIX configuration. Remember, only higher security-level traffic can pass to lower security-level interfaces by default. The default value for the inside interface is 100, and the outside value is 0.
Connection and Translation Tables
The ASA uses two tables to track traffic flowing through the PIX: the connection table and the translation (xlate) table. The connection table contains a reference to the session connection between the two computers that are talking. The translation table maintains a reference between the inside IP address and the translated global IP address. These topics are covered in further detail later.
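The following Python model ties together the two ideas above: the default security-level rule (a new connection is permitted only from a higher-level interface to a lower-level one) and the connection and xlate tables that let return traffic for an established session come back through the outside interface. It is an added illustration written for this page, not Cisco code or anything from the PIX itself; the interface names, levels (inside 100, dmz 50, outside 0, matching the three-pronged example), addresses, and the single static NAT mapping are constructed sample values, and treating equal security levels as blocked is an assumption, since the text only covers strictly higher-to-lower.

```python
"""Model of the PIX default security-level policy plus connection and xlate tables.

Added illustration for this page, not Cisco's code. All interface names,
security levels, addresses and the NAT mapping below are constructed samples.
"""
from dataclasses import dataclass, field, replace

# Constructed to match the three-pronged example in the text.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed static translation: inside local address -> global address.
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}


def default_permits(src_if, dst_if, levels=SECURITY_LEVELS):
    """True if a NEW connection may be initiated from src_if to dst_if by default.

    Only strictly higher-to-lower is allowed. Equal levels are treated as
    blocked here (assumption; the text covers only higher-to-lower).
    """
    return levels[src_if] > levels[dst_if]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self):
        """The same session seen from the other direction (reply traffic)."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass
class StatefulFirewall:
    levels: dict = field(default_factory=lambda: dict(SECURITY_LEVELS))
    conn_table: set = field(default_factory=set)    # established sessions, local form
    xlate_table: dict = field(default_factory=dict)  # inside local -> global

    def forward(self, src_if, dst_if, flow):
        """Return the flow as it leaves dst_if (after translation), or None if dropped."""
        # Inbound to the inside: map a global destination back to its local
        # address via the xlate table so the connection lookup uses local form.
        if dst_if == "inside":
            for local_ip, global_ip in self.xlate_table.items():
                if flow.dst_ip == global_ip:
                    flow = replace(flow, dst_ip=local_ip)
                    break

        # Continuation or reply of a known session passes regardless of levels.
        established = flow in self.conn_table or flow.reverse() in self.conn_table
        if not established:
            # New connection: only higher-to-lower security is permitted by default.
            if not default_permits(src_if, dst_if, self.levels):
                return None
            self.conn_table.add(flow)

        # Outbound from the inside: translate the source to its global address
        # and record the mapping in the xlate table.
        if src_if == "inside" and flow.src_ip in STATIC_NAT:
            global_ip = STATIC_NAT[flow.src_ip]
            self.xlate_table[flow.src_ip] = global_ip
            flow = replace(flow, src_ip=global_ip)
        return flow


if __name__ == "__main__":
    fw = StatefulFirewall()
    outbound = Flow("10.1.1.10", 40000, "203.0.113.5", 443)
    print("inside -> outside:", fw.forward("inside", "outside", outbound))
    reply = Flow("203.0.113.5", 443, "203.0.113.10", 40000)
    print("reply outside -> inside:", fw.forward("outside", "inside", reply))
    unsolicited = Flow("198.51.100.7", 50000, "203.0.113.10", 22)
    print("new outside -> inside:", fw.forward("outside", "inside", unsolicited))
```

Running the block shows the three cases the text describes: the outbound session leaves with its global source address and is recorded in both tables, the reply to that session is untranslated and passed because it matches the connection table, and an unsolicited connection from the outside (level 0) to the inside (level 100) is dropped by the default rule.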