Cisco ASA – Security Levels / NAT Control

Within the Cisco firewall family (PIX/ASA) there are two security features known as Security Levels and NAT Control.

Security Levels

Security levels are numeric values (between 0 and 100) assigned to the firewall's interfaces and used to control traffic flows. Traffic is allowed to pass from a higher security level to a lower security level, but not vice versa. To allow traffic from a lower security level to a higher security level, an access-list is required. By default the security level of the outside interface is 0 and that of the inside interface is 100.
Below is an example of how to explicitly configure an interface security level:

asa(config)# interface eth2
asa(config-if)# nameif dmz
asa(config-if)# security-level 50
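The following is an added example (not configuration from the original post) that shows how the security levels of three interfaces decide which flows pass without any access-list, and the access-list that is needed for the one lower-to-higher flow we do want. Interface names, IP addresses, the DMZ host and the ACL name OUTSIDE_IN are all constructed for illustration.

```cisco
! Added example: three interfaces, three distinct security levels.
! Interface names and addresses are constructed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Implicit behaviour with no access-list applied to any interface:
!   inside (100) -> dmz (50)       allowed
!   inside (100) -> outside (0)    allowed
!   dmz (50)     -> outside (0)    allowed
!   outside (0)  -> dmz (50)       denied
!   dmz (50)     -> inside (100)   denied
!
! Lower-to-higher traffic needs an explicit access-list applied inbound
! on the lower-security interface. Permit only HTTPS to one DMZ host;
! the implicit deny at the end of the ACL drops everything else.
access-list OUTSIDE_IN extended permit tcp any host 192.168.50.10 eq 443
access-group OUTSIDE_IN in interface outside
```

Note the caveat this brings with it: once an access-group is applied inbound on an interface, the security-level shortcut no longer applies to traffic entering that interface, and only what the ACL permits gets through. Applying an ACL to the inside interface therefore also removes the implicit "higher to lower is allowed" behaviour for inside-originated traffic, so such an ACL must explicitly permit the outbound flows the organisation relies on.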

NAT Control

NAT Control mandates that any traffic traversing from a higher security level to a lower security level must match a NAT rule.
Below is an example of how to disable NAT Control:

asa(config)# no nat-control
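As an added example (not configuration from the original post), the following shows what a configuration needs to contain when NAT Control is left enabled on a pre-8.3 ASA: a dynamic translation covering hosts that leave the inside interface, and a static translation for a DMZ server. The addresses are constructed for illustration; the interface names match the security-level example above.

```cisco
! Added example: NAT rules that satisfy nat-control (pre-8.3 syntax).
! Addresses are constructed for illustration.
nat-control
!
! Dynamic PAT: every inside host leaving towards outside is translated
! to the outside interface address. The NAT ID (1) ties the nat and
! global statements together.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Static one-to-one translation for a DMZ server, so that sessions from
! outside can reach it once an access-list permits them (the ACL then
! references the real address 192.168.50.10, not the mapped one, only
! from 8.3 onwards; on pre-8.3 code it references the mapped address).
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
!
! A higher-to-lower flow with no matching nat or static entry is dropped
! while nat-control is enabled; syslog %ASA-3-305005 ("No translation
! group found") is the usual symptom.
```

Two points worth knowing before relying on this: the nat-control command only exists in ASA releases up to 8.2, as the 8.3 rewrite of NAT removed it and no longer requires a translation for traffic to pass; and disabling it with "no nat-control" does not switch NAT off, it merely stops the firewall from dropping flows that have no translation, so any existing nat, global and static statements keep working as before.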

Rick Donato
