CISCO ASA Firewall Commands Cheat Sheet [Part 3]

May 18, 2016


CCNP Security Firewall


This sheet, like its previous parts, assumes you already have CCNA, CCNA Security and CCNP level knowledge, and is meant as a handy reference if you are enrolled in the CCNP Security pathway. All commands below use the pre-8.3 ASA NAT syntax (nat, global and static, with the interface name in parentheses). ASA 8.3 and later replaced this with object NAT and twice NAT, so these exact commands are not accepted on current software.

Let’s begin…



Configuring Dynamic NAT

nat (inside) 1 network_ip subnet_mask

global (outside) 1 first_pool_ip-last_pool_ip netmask subnet_mask

timeout xlate 1:00:00


A Must-Read Note: Dynamic NAT maps local hosts to addresses taken from a pool of public IP addresses. A host is assigned a pool address only when it initiates an outbound connection, and the resulting translation slot (xlate) exists only as long as that traffic does. Because the mapping is not there until the local host initiates, outside hosts cannot open a connection back to a dynamically translated host. That is why dynamic NAT is unsuitable for DMZ servers that must accept inbound connections; use static NAT or static PAT for those.

Note 1: The first command names the real (inside) interface and the local network whose hosts are subject to dynamic NAT. The NAT ID (1 here) ties the nat command to its matching global command.

Note 1.1: The second command names the mapped (outside) interface on which the translation takes place, the range of translated addresses (first_pool_ip-last_pool_ip) and the netmask of the mapped subnet. The nat and global commands must share the same NAT ID.

Note 1.2: The third command sets the idle timeout of a translation slot (the default is 3:00:00). A dynamic xlate that has carried no traffic for that long is removed, which returns the pool address to the pool for another host; it is an idle timeout, not a lease.



Configuring Dynamic PAT

nat (dmz) 2 dmz_network_ip subnet_mask tcp 0 0 udp 0

nat (inside) 2 inside_network_ip subnet_mask tcp 0 0 udp 0

global (outside) 2 interface

global (dmz) 2 global_ip_addr netmask subnet_mask


A Must-Read Note: Dynamic PAT (port address translation) translates a group of local hosts, on the DMZ or on the inside, to a single mapped IP address (or a small pool), and distinguishes the sessions by rewriting the source port of each connection initiated toward the outside world. Like dynamic NAT, it only works for connections initiated by the local host.

Note 2: The first command names the DMZ interface and the DMZ network that is subject to PAT under NAT ID 2. The trailing tcp 0 0 udp 0 sets the maximum TCP connections, the embryonic (half-open TCP) connection limit and the maximum UDP connections per host; 0 means unlimited, so these values are the defaults.

Note 2.1: The second command names the inside interface and its local network under the same NAT ID, with the same connection limits.

Note 2.2: The third command, global (outside) 2 interface, translates every NAT ID 2 host that exits the outside interface to the outside interface's own IP address, which is the usual choice when only one public address is available.

Note 2.3: The fourth command applies to NAT ID 2 hosts that exit the DMZ interface, which in this topology means inside hosts reaching DMZ servers: they are translated to global_ip_addr, an unused address in the DMZ subnet. It does not affect how DMZ hosts reach the internet; that is handled by the third command.

Note 2.4: In the fourth command a range of addresses (first_ip-last_ip) can be given instead of a single address, which makes the rule dynamic NAT rather than PAT; the netmask must then match the mapped subnet. A range and a single address can both be configured under the same NAT ID on the same interface, in which case the pool is used first and the single address is used for PAT once the pool is exhausted.
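The dynamic NAT and dynamic PAT sections above fit together into one configuration. The following is an added example in pre-8.3 ASA syntax, not code from the original cheat sheet; the interface names, the security levels and every address (192.168.10.0/24, 172.16.20.0/24, 203.0.113.0/24 with a pool of 203.0.113.10-203.0.113.20) are constructed assumptions.

```cisco
! Added example (pre-8.3 ASA syntax). Assumed, constructed addressing:
!   inside  192.168.10.0/24   security-level 100
!   dmz     172.16.20.0/24    security-level 50
!   outside 203.0.113.1/24    security-level 0, pool 203.0.113.10-203.0.113.20
!
! Inside hosts: dynamic NAT from the pool when they exit the outside
! interface, falling back to PAT on the outside interface address once
! the eleven pool addresses are all in use.
nat (inside) 1 192.168.10.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (outside) 1 interface
!
! Inside hosts reaching DMZ servers: PAT to a spare address in the DMZ
! subnet. This global is consulted when NAT ID 1 traffic exits the dmz
! interface, i.e. for inside -> dmz, never for dmz -> outside.
global (dmz) 1 172.16.20.254 netmask 255.255.255.0
!
! DMZ hosts: PAT only, sharing the outside interface address with nobody
! else because they use their own NAT ID.
nat (dmz) 2 172.16.20.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 2 interface
!
! Free idle translation slots after one hour instead of the default three.
timeout xlate 1:00:00
!
! Verification after generating traffic from an inside host:
!   show xlate detail   -> translation slots with real/mapped addresses
!   show conn           -> the connections using those slots
! After editing any nat/global line run "clear xlate" so existing slots
! are rebuilt under the new policy; until then old mappings persist.
```

Keep the pool and the interface address in the same subnet as the outside interface so the ASA can proxy-ARP for the mapped addresses; pool addresses in a different subnet need a route pointing at the ASA on the upstream router.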



Verifying Dynamic PAT and NAT

show xlate


Note 3: show xlate lists the active translation slots (xlates), one per translated host or, for PAT, per translated host and port. show xlate detail adds the interfaces and flags, and show conn lists the connections that are using the slots. Static translations appear immediately after configuration; dynamic ones appear only once a local host has sent traffic. After changing any nat, global or static command, run clear xlate, otherwise existing slots keep using the old mapping until they time out.



Configure Host-Static NAT

static (dmz,outside) public_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0


A Must-Read Note: Host-static NAT is a translation where a single local host IP address is permanently mapped to a single public IP address. The mapping exists whether or not the host is sending traffic and works in both directions, so it is the basic way to publish a DMZ server. The static command only creates the mapping: inbound connections from outside are still denied by the default security-level behaviour until an access-list applied to the outside interface permits them, and before 8.3 that access-list must reference the mapped (public) address, not the real DMZ address.

Note 4: The command above translates a local host on the DMZ into a public IP address. In (dmz,outside) the real interface comes first and the mapped interface second, and the host mask 255.255.255.255 makes it a one-host translation.



Configure Network – Static NAT:

static (dmz,outside) public_network_ip network_ip_local_hosts netmask subnet_mask tcp 0 0 udp 0


A Must-Read Note: In Network-Static NAT a whole subnet of local hosts, on the DMZ or on the inside, is mapped one-to-one onto a public subnet of the same size: each host keeps its host bits and only the network part changes. It is a static, bidirectional mapping like host-static NAT, so it suits groups of servers that must be reachable from the internet; hosts that only need outbound access are better served by dynamic NAT or PAT, which expose nothing inbound.

Note 5: The command above uses the network address of the local hosts and the subnet mask of that network instead of the single host IP and host mask used in Note 4. The real and mapped networks must use the same mask.



Configure Static PAT

static (dmz,outside) tcp public_ip translated_port server_private_ip original_port netmask 255.255.255.255 tcp 0 0 udp 0


A Must-Read Note: Static PAT is a translation where one or more local servers, most commonly in the DMZ, are mapped to a single public IP address together with a port number. Several servers can share the same public address as long as each uses a different mapped port, and the mapped port does not have to equal the port the server listens on. It is the ideal type for servers that must accept connections from clients on the internet when few public addresses are available.

Note 6: The command above specifies the protocol (tcp or udp), the public IP, the translated (mapped) port that outside clients connect to, the server's private IP and the original (real) port the server listens on. The same access-list requirement as for static NAT applies: permit traffic to the public IP and the translated port on the outside interface.
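The three static forms above, together with the outside access-list they need, as one worked configuration. This is an added example in pre-8.3 ASA syntax, not code from the original cheat sheet; the DMZ networks 172.16.20.0/24 and 172.16.21.0/24, the public blocks 203.0.113.0/24 and 198.51.100.0/24, the partner network 192.0.2.0/24 and the access-list name OUTSIDE_IN are constructed assumptions.

```cisco
! Added example (pre-8.3 ASA syntax). Assumed, constructed addressing:
!   dmz      172.16.20.0/24 and 172.16.21.0/24
!   public   203.0.113.0/24 (outside interface subnet), 198.51.100.0/24 (routed to the ASA)
!   partner  192.0.2.0/24 (the only network allowed to ssh into the server farm)
!
! Host-static NAT: the DMZ web server is always 203.0.113.5 on the outside.
static (dmz,outside) 203.0.113.5 172.16.20.5 netmask 255.255.255.255 tcp 0 0 udp 0
!
! Static PAT: two different DMZ servers share one public address.
! Outside port 8443 reaches the API server on its real port 443,
! outside port 25 reaches the mail relay on its real port 25.
static (dmz,outside) tcp 203.0.113.6 8443 172.16.20.6 443 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.6 smtp 172.16.20.7 smtp netmask 255.255.255.255
!
! Network-static NAT: 172.16.21.0/24 maps one-to-one onto 198.51.100.0/24,
! so 172.16.21.7 is reachable as 198.51.100.7. Masks must match.
static (dmz,outside) 198.51.100.0 172.16.21.0 netmask 255.255.255.0
!
! The statics only create mappings. Inbound traffic from outside is still
! denied until an ACL on the outside interface permits it, and before 8.3
! the ACL must name the MAPPED (public) addresses and ports.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.6 eq 8443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.6 eq smtp
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq ssh
access-group OUTSIDE_IN in interface outside
!
! Keep the ACL as narrow as the static: "permit ip any host 203.0.113.5"
! would expose every port on the web server, not just the published ones.
! "show xlate" lists these static entries immediately, with no traffic.
```

Note that 203.0.113.6 carries only ports 8443 and 25 to the DMZ; a packet to any other port on that address matches no static and is dropped, which is the point of static PAT over a full host static.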



Configure No-Translation or NAT Exempt

nat (inside) 0 network_ip subnet_mask


A Must-Read Note: NAT ID 0 means no translation: hosts matched by the rule keep their real IP address when they cross the ASA. It is used where addresses must stay unchanged, for example inside-to-DMZ traffic on private addressing or traffic that is about to enter a VPN tunnel. Written as above, without an access-list, the rule is called identity NAT and is one-directional: only the local host can initiate the connection. The bidirectional form, NAT exemption, uses nat ID 0 with an access-list that selects the traffic to leave untranslated; NAT exemption is evaluated before every other NAT rule, so the same hosts can still be dynamically translated toward the internet by a rule under another NAT ID.

Note 7: The command above specifies that a network of local hosts on the inside interface will not be subject to any kind of translation.



Configure Identity Static NAT:

static (inside,dmz) local_host_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0


A Must-Read Note: This type of NAT is the preferred choice for connections between DMZ hosts and client hosts, and vice versa, when both sides use private addressing. The mapped address is the same as the real address, so the host is reachable from the other interface by its own IP, and unlike identity NAT with nat 0 the mapping works in both directions (subject to the access-lists on the interfaces).

Note 8: The command above can be written for the inside interface, as shown, or for the DMZ interface with (dmz,inside); in either case the host's IP address remains the same after translation. The interface pair is (real_interface,mapped_interface), so (inside,dmz) publishes an inside host toward the DMZ.
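The two no-translation forms from the last two sections (nat 0 without and with an access-list) beside identity static NAT, in one configuration. This is an added example in pre-8.3 ASA syntax, not code from the original cheat sheet; the interface dmz2, the access-list name NONAT, the remote VPN site 10.50.0.0/16 and all other addresses are constructed assumptions.

```cisco
! Added example (pre-8.3 ASA syntax). Assumed, constructed addressing:
!   inside 192.168.10.0/24 and dmz 172.16.20.0/24 (private)
!   dmz2   198.51.100.0/24 (publicly routable)
!   remote site-to-site VPN network 10.50.0.0/16 behind the outside interface
!
! 1) Identity NAT (nat 0 without an access-list): dmz2 hosts already have
!    routable addresses, so they leave untranslated. One-directional: only
!    a dmz2 host can open the connection with this rule alone.
nat (dmz2) 0 198.51.100.0 255.255.255.0
!
! 2) NAT exemption (nat 0 with an access-list): bidirectional, and evaluated
!    before every other NAT rule. Inside<->VPN and inside<->dmz traffic
!    crosses untranslated, while inside->internet traffic still falls through
!    to the dynamic NAT/PAT rules configured under other NAT IDs.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3) Identity static NAT: the DMZ jump host keeps its own address toward
!    inside, and because it is a static the mapping works both ways: inside
!    admins reach 172.16.20.10 directly, and the jump host can reach inside
!    once an ACL on the dmz interface permits that lower-to-higher traffic.
static (dmz,inside) 172.16.20.10 172.16.20.10 netmask 255.255.255.255 tcp 0 0 udp 0
!
! Order of evaluation on this ASA: NAT exemption (2), then statics (3),
! then dynamic rules including identity NAT (1). If a VPN tunnel shows the
! peer receiving translated addresses, the NONAT line for that network is
! missing or too narrow; check with "show xlate detail" on the inside host.
```

The NONAT access-list is the single place to review when traffic that should stay untranslated starts showing up with a mapped address; because it wins over every static and dynamic rule, an overly broad entry (for example permit ip 192.168.10.0 255.255.255.0 any) silently disables internet NAT for the whole inside network.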

