Cisco Systems OL-16647-01 Default State of Interfaces, Default Security Level

8-8

Cisco ASDM User Guide

OL-16647-01

Chapter 8 Configuring Interfaces in Multiple Mode

Configuring Interface Parameters within each Context (Multiple Mode)

Default State of Interfaces

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the

interface is in the system execution space. However, for traffic to pass through the interface, the interface

also has to be enabled in the system execution space. If you shut down an interface in the system

execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

• Physical interfaces—Disabled.

• Redundant Interfaces—Enabled. However, for traffic to pass through the redundant interface, the

member physical interfaces must also be enabled.

• Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface

must also be enabled.

Default Security Level

The default security level is 0. If you name an interface “inside” and you do not set the security level

explicitly, then the security appliance sets the security level to 100.

Note If you change the security level of an interface, and you do not want to wait for existing connections to

time out before the new security information is used, you can clear the connections using the

clear local-host command.

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should

assign your most secure network, such as the inside host network, to level 100. While the outside

network connected to the Internet can be level 0. Other networks, such as DMZs can be in between. You

can assign interfaces to the same security level. See the “Enabling Same Security Level Communication

(Multiple Mode)” section on page 8-10 for more information.

The level controls the following behavior:

• Network access—By default, there is an implicit permit from a higher security interface to a lower

security interface (outbound). Hosts on the higher security interface can access any host on a lower

security interface. You can limit access by applying an access list to the interface.

For same security interfaces, there is an implicit permit for interfaces to access other interfaces on

the same security level or lower.

• Inspection engines—Some application inspection engines are dependent on the security level. For

same security interfaces, inspection engines apply to traffic in either direction.

–

NetBIOS inspection engine—Applied only for outbound connections.

–

SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port

exists between a pair of hosts, then only an inbound data connection is permitted through the

security appliance.

• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level

to a lower level).

For same security interfaces, you can filter traffic in either direction.

• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security

interface (inside) when they access hosts on a lower security interface (outside).