Firewalls use stateful filtering: they keep a state table of all incoming and outgoing connections, so the return traffic of a session that was permitted in one direction is allowed back without a separate rule. Depending on the firewall, they are also able to inspect up to layer 7 of the OSI model, looking into the application payload.
They also use security zones: traffic from a higher security level is permitted to go to a lower security level, while traffic from a lower security level to a higher security level is denied by default. Exceptions can be made with access-lists.
Most companies have one or more servers that should be reachable from the Internet, for example a mail or web server. Instead of placing these on the INSIDE, we use a third zone called the DMZ (Demilitarized Zone).
The DMZ security zone has a security level between those of the INSIDE and the OUTSIDE. The point of this placement is containment: a host in the DMZ that gets compromised from the Internet still cannot open connections to the INSIDE unless an access-list explicitly allows it.
Erase configuration:
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa(config)# configure factory-default 192.168.1.1 255.255.255.0
Based on the management IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256
As you can see above, write erase clears the startup configuration in flash (the running configuration stays in place until the next reload), and configure factory-default replaces the configuration with the factory default and enables the management interface with the IP address and mask we specified. It also enables a DHCP server and the HTTP server so that we can connect through ASDM. Treat the appliance as unconfigured at this point: set an enable password and restrict HTTP/ASDM access before connecting it to a production network.
Cisco ASA Security Levels
Traffic from a higher security level to a lower security level is allowed by default; the return traffic of those connections is permitted by the state table.
Traffic from a lower security level to a higher security level is not allowed unless an access-list applied to the interface permits it.
Traffic between interfaces with the same security level is not allowed. You can change this behavior with the global same-security-traffic permit inter-interface command.
Once an access-list is applied to an interface with access-group, its implicit deny replaces these defaults for that direction: even traffic from a higher to a lower security level must then be explicitly permitted in that access-list.
The Cisco ASA Firewall uses so-called "security levels" that indicate how trusted an interface is compared to another interface. The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone, so by using these security levels we have different trust levels for our security zones.
Security level 0: This is the lowest security level there is on the ASA and by default it is assigned to the “outside” interface.
Security level 100: This is the highest security level on our ASA and by default it is assigned to the "inside" interface. Normally we use this for our "LAN". Since this is the highest security level, by default it can reach all the other interfaces.
Security level 1 - 99: We can assign any intermediate security level we want, for example security level 50 for our DMZ.
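The three-zone design described above (INSIDE at 100, DMZ at 50, OUTSIDE at 0), together with the access-list exception that lets the Internet reach a web server in the DMZ, written out as an added example in ASA 8.3+ syntax. This is not configuration from the original page; the interface names, addresses, object name and access-list name are assumed for illustration.

```text
! One security zone per interface (names and addressing are assumptions)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Web server in the DMZ, published on a public address (hypothetical addresses)
object network DMZ-WEB
 host 192.168.10.10
 nat (dmz,outside) static 203.0.113.3
!
! Exception to the lower -> higher rule: outside (0) may reach dmz (50),
! but only HTTP/HTTPS to this one host. In 8.3+ the access-list matches
! the real (untranslated) address, i.e. the object, not the public IP.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-group OUTSIDE-IN in interface outside
!
! Nothing is applied inbound on dmz, so the default security-level rule
! still governs it: dmz (50) -> inside (100) stays denied, while
! inside (100) -> dmz and inside -> outside are allowed and their return
! traffic is permitted by the state table.
!
! Only needed if two interfaces share a security level:
same-security-traffic permit inter-interface
```

Check the result with show access-list OUTSIDE-IN and with packet-tracer, which walks a synthetic packet through the access-list, NAT and security-level checks and reports whether it would be allowed: packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.3 80 should be allowed, while packet-tracer input dmz tcp 192.168.10.10 40000 10.0.0.5 445 should be dropped, confirming that a compromised DMZ host cannot initiate connections to the inside. Note that the moment an access-list is applied inbound on the inside interface, inside-to-outside traffic must be permitted in that list as well, because its implicit deny replaces the higher-to-lower default.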