About Routed and Transparent Mode Interfaces
The ASA supports two types of interfaces: routed and bridged.
Each Layer 3 routed interface requires an IP address on a unique subnet.
Bridged interfaces belong to a bridge group, and all interfaces are on the same network. The bridge group is represented by a Bridge Virtual Interface (BVI) that has an IP address on the bridge network. Routed mode only supports routed interfaces. Transparent firewall mode only supports bridge group and BVI interfaces.
Security Levels
Each interface must have a security level from 0 (lowest) to 100 (highest), including bridge group member interfaces. For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign multiple interfaces to the same security level.
In transparent mode, the BVI interface does not have a security level because it does not participate in routing between interfaces.
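The following transparent mode configuration is an added example, not part of the original document; the interface names, bridge group number and addresses (taken from the 192.0.2.0/24 documentation range) are assumptions. It shows that the security level is set on each bridge group member interface, while the BVI carries only the IP address for the bridge network and no security level.

```cisco
! Added example: transparent firewall with one bridge group.
! Interface names and addresses are constructed, not from the original page.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! The BVI has an address on the bridge network but no security-level,
! because it does not route between the member interfaces.
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Default route so the ASA itself can reach management and logging hosts
! beyond the bridged network (assumed upstream router address).
route outside 0.0.0.0 0.0.0.0 192.0.2.1
```

Both member interfaces are on the same 192.0.2.0/24 network; traffic from inside (100) to outside (0) is permitted by the implicit outbound rule, while outside-to-inside traffic is denied unless an ACL allows it.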
The level controls the following behavior:
- Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an ACL to the interface.
  If you enable communication for same-security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
- Inspection engines—Some application inspection engines are dependent on the security level. For same-security interfaces, inspection engines apply to traffic in either direction.
  - NetBIOS inspection engine—Applied only for outbound connections.
  - SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the ASA.
Dual IP Stack (IPv4 and IPv6)
The ASA supports both IPv6 and IPv4 addresses on an interface. Make sure you configure a default route for both IPv4 and IPv6.
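The following routed mode configuration is an added example and not taken from the original document; the interface names, security levels, IPv4 and IPv6 addresses (documentation ranges 203.0.113.0/24, 10.1.0.0/16 and 2001:db8::/32) and next-hop addresses are assumptions. It combines the points of this page: four routed interfaces with security levels, two DMZ interfaces on the same level with same-security traffic enabled, an ACL that narrows the implicit outbound permit, and a default route for each IP stack.

```cisco
! Added example: routed mode, dual stack, security levels.
! All names and addresses are constructed, not from the original page.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 ipv6 address 2001:db8:0:1::2/64
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ipv6 address 2001:db8:0:2::1/64
!
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 10.1.2.1 255.255.255.0
 ipv6 address 2001:db8:0:3::1/64
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 10.1.3.1 255.255.255.0
 ipv6 address 2001:db8:0:4::1/64
!
! Without this command, dmz1 and dmz2 (both level 50) cannot reach
! each other even though neither is "lower" than the other.
same-security-traffic permit inter-interface
!
! Limit the implicit outbound permit from inside: only HTTPS into the DMZs,
! everything else still allowed to lower-security interfaces.
! Applying an ACL replaces the implicit permit with the ACL's implicit deny,
! so the final permit line is required to keep Internet access working.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 443
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0 eq 443
access-list INSIDE_IN extended deny ip any 10.1.2.0 255.255.255.0
access-list INSIDE_IN extended deny ip any 10.1.3.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! One default route per stack; an IPv6 interface address alone does not
! give the ASA a path for IPv6 traffic leaving toward the Internet.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
ipv6 route outside ::/0 2001:db8:0:1::1
```

The IPv4 ACL above only governs IPv4 flows; to apply the same restriction to IPv6 traffic from inside, add matching IPv6 entries to the same ACL (ASA extended ACLs can mix IPv4 and IPv6 entries) and keep a trailing permit for the remaining outbound traffic.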