Novice question on ASA 5505

itdaddy, Senior Member, Posts: 2,089
Hey CCSPs,

I have my ASA5505 at home and I am going to put a cisco border router ahead of it and then create my DMZ SL-50 and then SL-100 for internal LAN and of course SL-0 outside.

I am not sure about this but I might have it. Okay.
A security level 0 cannot breach a security level 50 unless a static NAT mapping is set up, right? And when you do this, does the firewall still do its filtering?

And SL-50 can talk to SL-100 because communication can go higher but not lower without setting up static mappings?

I am just concerned as to how I have the firewall do its firewall thing (for lack of a better term). Do I have to set up some kind of policy filtering using my ASDM, or does it do it by default with some kind of stateful inspection?

I just need to put the pieces together. Thanks for your help.


  • shednik, Member, Posts: 2,005
    Higher security levels are by default allowed to pass traffic to a lower level.

    i.e. inside = 100, outside = 0

    So traffic originating from the inside going outside is allowed by default. You can allow traffic the other way, but you must explicitly define it with FW rules and NAT if needed. ASAs, depending on the code level, sometimes will need everything to have a NAT entry, even for NoNATs. I hope that made sense; I'm kinda rushed, so if you need some more help I'll check back later.
  • Ahriakin, SupremeNetworkOverlord, Member, Posts: 1,799
    Security levels, with no other measures in place, allow stateful replies to traffic that flows from a higher to a lower security interface. This system is really aimed at allowing a PIX/ASA to do a decent job out of the box with just a basic interface config and no ACLs. Once you do place ACLs on the interfaces then Security levels have absolutely no bearing anymore. Since you will want to do some egress filtering on the Inside/DMZs at the very least then you will be placing ACLs and the sec levels as I said become moot.
    Whether NAT is prohibitive or not depends on what you have NAT-CONTROL set to (as simple as "no nat-control" to turn it off), at which point you don't need an Xlate of any kind for traffic flow; with it turned on you do (even if it's to set exemptions). Bear in mind though that once you enable NAT'ing of any kind on an interface, every connection through it will need NAT. I.e., say you turn off nat-control globally but enable an Xlate from INSIDE to OUTSIDE for the usual internet stuff; then you think you won't have a problem from INSIDE to the DMZ since you are using private subnets on both. It won't work, as the existence of any NAT on the INSIDE interface now overrides the global 'no nat-control' config for anything to/from that interface, so you'd need to do a NAT exemption (NAT 0 with an ACL being best) anyway for the INSIDE-DMZ traffic.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
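Putting the points in the reply above into an actual config, as an added example that is not any poster's configuration: an ASA 5505 on pre-8.3 code (nat-control era syntax) with inside/dmz/outside at 100/50/0, a NAT exemption for inside <-> dmz, interface ACLs, and a static for outside -> dmz. The interface names, VLAN numbers, and all addresses are assumptions.

```cisco
! Added example, not any poster's config. Pre-8.3 ASA syntax (nat-control era).
! Interface names, VLANs and subnets are assumed; outside is private because
! the 831 in front does the Internet NAT.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! nat-control off: an interface with no NAT rule passes traffic untranslated.
no nat-control
! Dynamic PAT to the outside for inside and dmz. Each nat line puts a NAT rule
! on that interface, so every flow through it now needs some xlate (the trap
! described above for inside <-> dmz, even though both sides are private).
nat (inside) 1 192.168.100.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! NAT exemption ("NAT 0 with an ACL") on both sides so inside <-> dmz keeps
! real addresses. Without these lines that traffic is dropped for lack of an xlate.
access-list INSIDE_NAT0 extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list DMZ_NAT0 extended permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0
nat (dmz) 0 access-list DMZ_NAT0
!
! Interface ACLs. Once applied, security levels no longer decide anything;
! only these lines do, with an implicit deny at the end of each list.
access-list INSIDE_IN extended permit udp 192.168.100.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 192.168.100.0 255.255.255.0 any eq https
access-group INSIDE_IN in interface inside
access-list DMZ_IN extended permit udp 192.168.50.0 255.255.255.0 any eq domain
access-group DMZ_IN in interface dmz
!
! outside -> dmz (0 -> 50): a static xlate plus an ACL on outside; the
! reply traffic in every direction is matched statefully and needs no ACL.
static (dmz,outside) 192.168.1.3 192.168.50.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.3 eq www
access-group OUTSIDE_IN in interface outside
```

The `no forward interface Vlan1` line is what the Base license requires for the third VLAN on a 5505 and must precede `nameif`; with a Security Plus license it can be dropped.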
  • itdaddy, Senior Member, Posts: 2,089
    Hey, thanks. What I am doing is running an 831 SOHO as my NAT router (border router), and then behind that 831 is an ASA 5505 where I want it to do its thing. My 831 SOHO will do NAT and have a 6to4 tunnel at the outside port. I am trying to set up 6to4 tunneling with the 831 at the border and the ASA 5505 as another layer of security, but I am not sure what it really does, to be honest, besides NAT. I mean, I have ideas, like preventing DoS attacks etc., I think, but I don't really know what else it does.
    I have right now the ASA as the border router and then a switch to my LAN. I am playing with IPv6 and want my network secure and don't want to screw things up. Any suggestions? Or should I just let the out-of-box setup deal with it as long as I set up the security levels, 0 being outside of the ASA, the DMZ being say 50, and inside being 100? What do you think about this? Thanks.
  • bwbecraft, Registered User, Posts: 9
    itdaddy, what level license are you working with on the ASA?
  • itdaddy, Senior Member, Posts: 2,089
    You mean the 10 LAN nodes on the inside? Right?