Cisco ASA Security Zones

Note: This is a guest post by Ahmed Mukhtar, CCIE# 56428 on Cisco ASA Security Zones. We are pleased to have his wonderful tutorials shared on our blog once again.

In this post, Ahmed first explains security levels on the Cisco ASA firewall and then shows how to configure them in order to allow or block trusted and untrusted traffic between interfaces.

Before going further into firewall security zones, a brief introduction to trust levels is in order. A security level is assigned to each ASA interface to express how much that interface is trusted. Values range from 0 to 100, where 0 is the least trusted and 100 the most trusted. When you give an interface the name inside with nameif, the ASA sets its security level to 100 automatically; an interface with any other name gets security level 0 until you change it. The most common example is the outside interface: nothing arriving from the Internet is trusted unless you explicitly permit it. The inside interface, by contrast, is normally the most trusted and is therefore given security level 100.

With no access list applied to the interfaces involved, traffic is allowed to flow from an interface with a higher security level to one with a lower security level (inside to outside, for example), and the stateful inspection engine permits the return traffic for those connections. Traffic initiated from a lower security level toward a higher one is denied unless an access list applied inbound on the lower-security interface explicitly permits it. Two caveats are worth remembering: traffic between two interfaces with the same security level is also dropped unless you enable same-security-traffic permit inter-interface, and once you apply an access list to an interface, that list's implicit deny replaces the level-based default, so you must then permit even higher-to-lower traffic explicitly.
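As an added example, not taken from the original post or the videos, the following ASA configuration ties the concepts together: three interfaces with the classic trust levels, an access list that lets outside hosts reach one DMZ web server, the same-security setting, and the commands used to verify the result. The interface names, addresses and the ACL name are assumptions chosen for illustration.

```cisco
! Added example, not the author's configuration.
! Addresses are RFC 5737 / RFC 1918 placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! "inside" receives security-level 100 automatically when named;
! it is repeated here so the intent is visible in the running config.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! A DMZ sits between the two: reachable from inside, not from outside.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! With no access-group applied, the level-based defaults now give:
!   inside -> dmz, inside -> outside, dmz -> outside : permitted (high to low)
!   outside -> dmz, outside -> inside, dmz -> inside : denied (low to high)
!
! Lower-to-higher traffic needs an explicit permit on the ingress interface.
! Allow the Internet to reach a single DMZ web server on TCP/80 and TCP/443.
! On ASA 8.3 and later the ACL matches the real (untranslated) address.
access-list OUTSIDE-IN extended permit tcp any host 192.168.50.10 eq www
access-list OUTSIDE-IN extended permit tcp any host 192.168.50.10 eq https
access-group OUTSIDE-IN in interface outside
!
! Two interfaces at the same level (for example a second DMZ also at 50)
! cannot exchange traffic unless this is enabled. Leave it off if unused.
same-security-traffic permit inter-interface
!
! Verification: confirm the levels, then simulate flows through the policy.
show nameif
show running-config access-group
packet-tracer input outside tcp 198.51.100.7 40000 192.168.50.10 80
packet-tracer input outside tcp 198.51.100.7 40000 10.0.0.50 22
```

The first packet-tracer run should report the flow as allowed by the OUTSIDE-IN access list; the second should show a drop in the ACL phase, because nothing permits outside hosts to reach the inside network. Note that the access-group on outside does not affect inside-to-outside traffic, which still relies on the level-based default until you also apply a list inbound on inside.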

Ahmed has explained these concepts, their configurations and more in detail in the following videos.

Cisco ASA Security Zones – Part 1

Cisco ASA Security Zones – Part 2

In case you have any queries or would like to follow Ahmed, please subscribe to his YouTube channel, Doctor Networks.


Ahmed Mukhtar

Team Lead Networks, CCIE# 56428 (R&S)
Ahmed Mukhtar is CCIE R&S (CCIE# 56428) certified and has extensive experience with Cisco technologies. He is currently working as Team Lead Networks for a leading technology provider of products, services and solutions in Pakistan. In case of any questions or feedback, please feel free to follow him on his YouTube channel, Doctor Networks.


One thought on “Configuring Cisco ASA Security Zones”

  1. I am using a zone-based firewall with 2 internet connections (isp1, isp2) added into 1 outside zone.
    I want to create port forwarding for a specific server so that a specific port can be accessed from outside, and I receive the warning below when I create the access rules.

    ciscoasa(config)# access-group allow in interface isp1
    WARNING: one or more interfaces in the same zone are using different access-list
    WARNING: interface isp2 is not using access-list on direction IN
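The following is an added example, not the commenter's configuration, showing what the warning above is asking for: the ASA expects every interface that is a zone-member of one traffic zone to carry the same inbound access list. The zone name, interface names and the ACL name "allow" are assumed for illustration, and the NAT rule needed for the actual port forwarding is not shown.

```cisco
! Added example with assumed names: two ISP interfaces in one traffic zone.
! Members of a zone must share the same security level.
zone outside-zone
!
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 zone-member outside-zone
!
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 zone-member outside-zone
!
! The warning was raised because "allow" was bound to isp1 only.
! Bind the same access list, in the same direction, to every member.
access-group allow in interface isp1
access-group allow in interface isp2
!
! Verify membership and that both interfaces now reference the same list.
show zone outside-zone
show running-config access-group
```

Once both members reference the same list in the inbound direction, re-entering the access-group command no longer produces the mismatch warning, and a connection arriving on either ISP link is evaluated against the same rules.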
