Cisco ASA - Security Levels / NAT Control
Within the Cisco firewall family (PIX/ASA) there are two features that decide whether the firewall will forward a connection at all, before any access-list is consulted: Security Levels and NAT Control.
Security levels are numeric values between 0 and 100 assigned to each named interface and used to decide in which direction connections may be initiated. By default, connections are allowed from an interface with a higher security level to one with a lower level, and stateful inspection lets the return traffic of those connections back through; connections initiated from a lower security level towards a higher one are dropped unless an access-list applied to the lower-security interface permits them. An interface given the name inside receives security level 100 automatically and every other named interface receives 0, which is why the outside interface is 0 by default. Two caveats are easy to miss: interfaces that share the same security level cannot exchange traffic at all until same-security-traffic permit inter-interface is configured, and once an access-list is applied inbound on an interface it replaces the implicit higher-to-lower permit for that interface, so anything the list does not explicitly permit is dropped regardless of security level.
The following example explicitly assigns security level 50 to a DMZ interface:
asa(config)# interface eth2
asa(config-if)# nameif dmz
asa(config-if)# security-level 50
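The following is an added example, not configuration from the original page: a three-interface ASA running 8.2-era syntax, with hypothetical interface names, names (outside, dmz, inside) and RFC 1918/5737 addresses chosen for illustration. It shows the flows the security levels permit on their own, an access-list that opens one lower-to-higher flow while restoring the implicit permit that applying the list removes, and the commands used to verify the result.

```cisco
! Added example (not from the original page): ASA 8.2 syntax, hypothetical
! interface names and addresses. Three interfaces: outside (0), dmz (50),
! inside (100).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! With no access-lists applied, the security levels alone decide who may
! initiate connections:
!   inside -> dmz, inside -> outside, dmz -> outside : permitted
!   outside -> dmz, outside -> inside, dmz -> inside : dropped
!
! Let the dmz web server (192.168.10.80) reach the inside database
! (10.1.1.20) on tcp/1433. That is lower -> higher, so an access-list is
! required. Applying the list removes the implicit dmz -> outside permit,
! so the list must restore it explicitly; the deny line keeps the rest of
! the inside network unreachable from the dmz.
access-list DMZ_IN extended permit tcp host 192.168.10.80 host 10.1.1.20 eq 1433
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! Not needed for this topology, shown because it is the usual surprise:
! two interfaces at the same security level cannot exchange traffic until
! this is enabled (it is off by default).
same-security-traffic permit inter-interface
!
! Verification: list the levels, then simulate the permitted flow and a
! flow to another inside host, which the deny line should drop.
show nameif
packet-tracer input dmz tcp 192.168.10.80 40000 10.1.1.20 1433
packet-tracer input dmz tcp 192.168.10.80 40000 10.1.1.21 1433
```

The order of the three DMZ_IN entries matters: the firewall stops at the first match, so the specific permit must sit above the deny, and the deny above the broad permit that restores dmz -> outside.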
NAT Control mandates that any traffic traversing from a higher security level to a lower security level must match a NAT rule (dynamic NAT/PAT, a static translation, identity NAT or a NAT exemption); a packet with no matching rule is dropped rather than routed with its real address, even when the security levels would have permitted it. A translation is also what lets the firewall forward an inbound connection to a host behind a higher-security interface when NAT control is on, so a static translation is normally required for any server published to a lower-security network. On PIX 6.x this behaviour was always on; from version 7.0 it is governed by the nat-control command and is disabled by default, and in 8.3 and later the command no longer exists because the rewritten NAT engine never requires a translation.
Because no nat-control is already the default on a 7.0 to 8.2 firewall, the command below is only needed where NAT control has been enabled explicitly; check the current state with show running-config | include nat-control. The following disables NAT Control:
asa(config)# no nat-control
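The following is an added example, not configuration from the original page, showing what a firewall with NAT control left enabled needs in order to pass the flows from the earlier topology. It uses 8.2-era NAT syntax and hypothetical interface names and addresses (outside at level 0, dmz at 50, inside at 100); the server and host addresses are chosen for illustration.

```cisco
! Added example (not from the original page): ASA 8.2 syntax with NAT
! control enabled; hypothetical addresses and interface names (outside 0,
! dmz 50, inside 100).
nat-control
!
! inside and dmz hosts going to the outside: dynamic PAT behind the outside
! interface address. Without a matching rule, NAT control drops the packet
! and logs syslog 305005 "No translation group found", even though the
! security levels alone would have permitted the connection.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
!
! inside -> dmz should keep its real addresses, but under NAT control it
! still needs a rule. A NAT exemption (nat 0 access-list) supplies one
! without translating, is evaluated before the dynamic rules above, and
! matches in both directions, so dmz -> inside connections that an
! access-list permits also pass.
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Publishing the dmz web server: with NAT control the static translation is
! what allows outside -> dmz traffic to be forwarded at all. The access-list
! then permits it; on 8.2 the list matches the translated (global) address,
! not the server's real address.
static (dmz,outside) 203.0.113.80 192.168.10.80 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.80 eq 80
access-group OUTSIDE_IN in interface outside
!
! Verification: confirm the mode, list the rules and live translations, and
! simulate an inside host browsing to an outside address.
show running-config | include nat-control
show nat
show xlate
packet-tracer input inside tcp 10.1.1.50 40000 198.51.100.10 80
```

The exemption is the piece most often forgotten: without it, inside -> dmz traffic matches nat (inside) 1, finds no global pool on the dmz interface, and is dropped with the same "No translation group found" message as a flow with no rule at all.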