
By: Motasem
May 18, 2016
CISCO ASA Firewall Commands Cheat Sheet [Part 3]

CCNP Security Firewall
This sheet, and its previous parts, assume you have the required knowledge of CCNA, CCNA Security and CCNP, and could be handy if you are already enrolled in the CCNP Security pathway. Let's begin.

Configuring Dynamic NAT

nat (inside) 1 network_ip subnet_mask
global (outside) 1 pool_translated_ip netmask netmask
timeout xlate 1:00:00

A Must-Read Note: Dynamic NAT is a type of NAT where addresses from a pool of public IP addresses are assigned to local hosts each time they initiate an outbound connection to the outside world. For hosts in the DMZ, however, a connection back from the client will not happen, because the public address is assigned dynamically.

Note 1: The first command specifies the inside interface; every local host connected to it will be subject to Dynamic NAT.
Note 1.1: The second command specifies the outside interface on which the translation takes place, along with the pool of selected IP addresses and their netmask. The ID (1) ties the global pool to the nat command carrying the same ID.
Note 1.2: The third command specifies the lease time of a translation entry for a local host before it expires and a new public IP address can be assigned.

Configuring Dynamic PAT

nat (dmz) 2 dmz_network_ip subnet_mask tcp 0 0 udp 0
nat (inside) 2 inside_network_ip subnet_mask tcp 0 0 udp 0
global (outside) 2 interface
global (dmz) 2 global_ip_addr netmask 255.255.255.255

A Must-Read Note: Dynamic PAT is a type of address translation where a group of local hosts, either on the DMZ or client hosts, is translated to a single IP address or a limited pool of IP addresses, along with the port used in each session initiated to the outside world.

Note 2: The first command specifies the DMZ interface to be subject to PAT, along with the IP addresses that exist in that space.
Note 2.1: The second command specifies the inside interface with the IP addresses of its local hosts to be subject to PAT, along with the tcp and udp connection parameters.
Note 2.2: The third command specifies the outside interface on which PAT occurs, using that interface's own IP address.
Note 2.3: The fourth command specifies the global IP address that will be used for the DMZ hosts in order to initiate connections to the internet and receive replies.
Note 2.4: In the fourth command, a pool of IP addresses can be specified instead of a single address; the subnet mask must be changed accordingly.

Verifying Dynamic NAT and PAT

show xlate

Note 3: The command shows the translation table, that is, the translation entries currently in use.

Configuring Host-Static NAT

static (dmz,outside) public_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0

A Must-Read Note: Host-static NAT is a type of translation where a single local host IP address is translated into a single public IP address.

Note 4: The command above translates a local host on the DMZ into a public IP address. The interface pair names the real (DMZ) interface first and the mapped (outside) interface second, and the mapped (public) address precedes the real (local) one.

Configuring Network-Static NAT

static (dmz,outside) public_ip network_ip_local_hosts netmask netmask tcp 0 0 udp 0

A Must-Read Note: In Network-Static NAT, a group of local hosts, either on the DMZ or client hosts, is subject to translation into one single public IP address. This type is ideal for client hosts that do not need to receive connections back from the internet.

Note 5: The command above uses the network IP of the local hosts, with its netmask, instead of the single host IP used in Note 4.

Configuring Static PAT

static (dmz,outside) tcp public_ip translated_port server_private_ip original_port netmask 255.255.255.255 tcp 0 0 udp 0

A Must-Read Note: Static PAT is a type of address translation where a single local IP address, or a group of them, most commonly in the DMZ, is translated into one single public IP address along with the port numbers. It is the ideal type for servers that receive connections back from clients.

Note 6: The command above specifies the protocol, the public IP, the translated port (the port outside clients connect to in order to reach the server) and the server's original port.

Configuring No-Translation (NAT Exempt)

nat (inside) 0 network_ip subnet_mask tcp 0 0 udp 0

A Must-Read Note: NAT exempt states that no translation takes place for the local hosts; this type is used for connections within the internal space only.

Note 7: The command above specifies that a network of local host IP addresses will not be subject to any kind of translation; NAT ID 0 is what marks the entry as exempt.

Configuring Identity Static NAT

static (inside,dmz) local_host_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0

A Must-Read Note: This type of NAT is the most preferred for connections between DMZ hosts and client hosts, and vice versa. It uses the same IP address as the translated IP address.

Note 8: The command above can be specified for the inside or the DMZ interface on the ASA (swap the interface pair for DMZ hosts); the host IP address remains the same after translation.
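As an added illustration, not code from the original sheet or from Cisco, the Python model below parses the legacy nat / global / static forms used in this part and evaluates flows in both directions. It goes beyond the single commands above by combining every section into one constructed configuration (CONFIG), with assumed interface addresses in INTERFACE_IP, and shows the point the notes make about reachability: a host behind Dynamic NAT or Dynamic PAT can only be reached through a translation it created itself, while a static entry gives outside clients a fixed path back. Access lists, policy NAT and xlate timeouts are deliberately left out.

```python
"""Toy model of legacy (pre-8.3) Cisco ASA NAT, added for illustration; not Cisco code.
It parses nat / global / static lines as written on this sheet and evaluates flows both ways.
Access lists, policy NAT and xlate timeouts are ignored; CONFIG and all addresses are constructed."""
import ipaddress
INTERFACE_IP = {"outside": "203.0.113.1", "dmz": "192.168.2.1", "inside": "10.1.1.1"}  # assumed
CONFIG = """
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.12 netmask 255.255.255.0
timeout xlate 1:00:00
nat (dmz) 2 192.168.2.0 255.255.255.0 tcp 0 0 udp 0
nat (inside) 2 10.1.2.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 2 interface
global (dmz) 2 192.168.2.254 netmask 255.255.255.255
static (dmz,outside) 203.0.113.5 192.168.2.10 netmask 255.255.255.255 tcp 0 0 udp 0
static (dmz,outside) tcp 203.0.113.6 80 192.168.2.20 8080 netmask 255.255.255.255
nat (inside) 0 10.1.3.0 255.255.255.0
static (inside,dmz) 10.1.1.7 10.1.1.7 netmask 255.255.255.255
"""

def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

class AsaNat:
    def __init__(self, config):
        # exempt [(real_ifc, net)]  dynamic {nat_id: [(real_ifc, net)]}  pools {(mapped_ifc, nat_id): [ips]}
        # static [(real_ifc, mapped_ifc, proto, mapped_net, mport, real_net, rport)]
        # xlate {(real_ifc, real_ip, proto, port): (mapped_ifc, mapped_ip, mapped_port)}
        self.exempt, self.dynamic, self.pools, self.static, self.xlate = [], {}, {}, [], {}
        self.next_port = 1024
        for line in config.splitlines():
            self._parse(line.split())

    def _parse(self, t):
        if not t or t[0] == "timeout":  # blank line, or xlate timeout (not modelled)
            return
        if t[0] == "nat":
            ifc, nat_id, net = t[1].strip("()"), int(t[2]), _net(t[3], t[4])
            if nat_id == 0:
                self.exempt.append((ifc, net))
            else:
                self.dynamic.setdefault(nat_id, []).append((ifc, net))
        elif t[0] == "global":
            ifc, nat_id = t[1].strip("()"), int(t[2])
            if "-" in t[3]:  # address range -> one pool entry per address
                lo, hi = (int(ipaddress.ip_address(x)) for x in t[3].split("-"))
                ips = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
            else:            # the "interface" keyword or one address
                ips = [INTERFACE_IP[ifc] if t[3] == "interface" else t[3]]
            self.pools[(ifc, nat_id)] = ips
        elif t[0] == "static":
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):  # static PAT: proto mapped_ip mapped_port real_ip real_port
                proto, mip, mport, rip, rport, rest = t[2], t[3], int(t[4]), t[5], int(t[6]), t[7:]
            else:  # static NAT: mapped_ip real_ip (a host, or a whole network via netmask)
                proto, mip, mport, rip, rport, rest = None, t[2], None, t[3], None, t[4:]
            mask = rest[rest.index("netmask") + 1] if "netmask" in rest else "255.255.255.255"
            self.static.append((real_ifc, mapped_ifc, proto, _net(mip, mask), mport, _net(rip, mask), rport))

    def outbound(self, real_ifc, mapped_ifc, src_ip, proto="tcp", sport=40000):
        # Flow initiated on real_ifc: the ASA checks exemption, then static, then dynamic rules.
        ip = ipaddress.ip_address(src_ip)
        if any(i == real_ifc and ip in n for i, n in self.exempt):
            return ("exempt", src_ip, sport)
        for r, m, p, mnet, mport, rnet, rport in self.static:
            if r == real_ifc and m == mapped_ifc and ip in rnet and (p is None or (p, rport) == (proto, sport)):
                return ("static", str(mnet[int(ip) - int(rnet.network_address)]), mport or sport)
        for nat_id, entries in sorted(self.dynamic.items()):
            ips = self.pools.get((mapped_ifc, nat_id))
            if not ips or not any(i == real_ifc and ip in n for i, n in entries):
                continue
            if len(ips) > 1:  # dynamic NAT: one pool address per host, ports unchanged
                key = (real_ifc, src_ip, None, None)
                if key not in self.xlate:
                    free = [a for a in ips if a not in {v[1] for v in self.xlate.values()}]
                    if not free:
                        return ("pool-exhausted", None, None)
                    self.xlate[key] = (mapped_ifc, free[0], None)
                return ("dynamic-nat", self.xlate[key][1], sport)
            key = (real_ifc, src_ip, proto, sport)  # dynamic PAT: one address, a unique port per flow
            if key not in self.xlate:
                self.xlate[key] = (mapped_ifc, ips[0], self.next_port)
                self.next_port += 1
            return ("dynamic-pat", ips[0], self.xlate[key][2])
        return ("no-rule", None, None)

    def inbound(self, mapped_ifc, real_ifc, dst_ip, proto="tcp", dport=80):
        # Flow initiated on mapped_ifc (e.g. outside): only a static entry or a live xlate
        # left by an earlier outbound flow gives a path back; "nat (ifc) 0" does not.
        ip = ipaddress.ip_address(dst_ip)
        for r, m, p, mnet, mport, rnet, rport in self.static:
            if r == real_ifc and m == mapped_ifc and ip in mnet and (p is None or (p, mport) == (proto, dport)):
                return ("static", str(rnet[int(ip) - int(mnet.network_address)]), rport or dport)
        for (r, rip, xp, xport), (m, mip, xmport) in self.xlate.items():
            if m == mapped_ifc and r == real_ifc and mip == dst_ip:
                if xp is None:  # dynamic NAT xlate: reachable on any port while the xlate lives
                    return ("xlate", rip, dport)
                if (xp, xmport) == (proto, dport):  # PAT xlate: only the exact translated port
                    return ("xlate", rip, xport)
        return ("dropped", None, None)
```

The `xlate` dictionary plays the role of what `show xlate` displays on a real unit: after an inside host opens a connection it holds one pool address (Dynamic NAT) or one address-and-port pair (Dynamic PAT), and an outside client can reach that host only by hitting exactly that entry. The DMZ server at 192.168.2.20 is different: its static PAT entry answers on public port 80 whether or not it has ever sent anything, and a request to any other port on the same public address is dropped, which is the point of Note 6. The "pool-exhausted" result is the Dynamic NAT failure mode the sheet's Note 1.2 works around with the xlate timeout: a pool of three addresses can serve only three hosts at once.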