ASA security levels

Cisco ASA devices can route traffic from an interface with a higher security level to an interface with a lower security level. Traffic arriving on an interface cannot be routed out of interfaces that have a lower or equal security level. More specifically:

  • Traffic incoming on an interface can be routed to an interface that has a lower security level than that of the incoming interface.
  • Traffic incoming on an interface cannot be routed to an interface that has a higher security level than that of the incoming interface.
  • Traffic incoming on an interface cannot be routed to an interface that has the same security level as that of the incoming interface.

To overcome these default behaviors, you can use access lists. But remember, that by adding an access list, you also add an implicit deny at the end which will block all additional traffic not matched by the Access-List (ACL).

For traffic between interfaces of the same security level, it is possible to change this behavior with the same-security-traffic command.