Cisco ASA - Security Levels / NAT Control

Within the Cisco Firewall family (PIX/ASA) there are 2 security features known as Security Levels and NAT Control.

Security Levels

Security levels are numeric values (between 0 and 100) which are assigned to the firewalls interfaces and used to control traffic flows. Traffic is allowed to pass from a higher security level to a lower security level but not vice-versa. To allow traffic from a lower security level to a higher security level an access-list is required. By default the security level for the outside interface is 0 and the inside interface 100.
Below provides an example on how to explicitly configure an interface security level.

asa(config)# interface eth2
asa(config-if)# nameif dmz
asa(config-if)# security-level 50

NAT Control

NAT Control mandates that any traffic transversing from a higher security level to a lower security level must match a NAT rule.
Belows provides an example on how to disable NAT Control

asa(config)# no nat-control

Tags: ASA

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001