By: Motasem
May 18, 2016

CISCO ASA Firewall Commands Cheat Sheet [Part 3]


CCNP Security Firewall

CISCO ASA Firewall Commands Cheat Sheet – Part 3

This sheet, and its previous parts, assume you have the required knowledge of CCNA, CCNA Security and CCNP, and could be handy if you're already enrolled in the CCNP Security pathway. Let's begin…

Configuring Dynamic NAT

nat (inside) 1 network_ip subnet_mask

global (outside) 1 pool_start_ip-pool_end_ip netmask subnet_mask

timeout xlate 1:00:00

A Must-Read Note: Dynamic NAT is a type of NAT where an address from a pool of public IP addresses is assigned to a local host every time it initiates an outbound connection to the outside world. But for hosts in the DMZ, the connection back from the client will not happen, because of the dynamic IP address assignment.

Note 1: The first command specifies the inside interface; every local host connected to it will be subject to Dynamic NAT.

Note 1.1: The second command specifies the outside interface on which the translation will take place, along with the pool of selected IP addresses and their netmask. The NAT ID (1) ties the global command to the nat command.

Note 1.2: The third command specifies how long a translation entry is kept (the lease time for each local host) before a new public IP address is assigned.

Configuring Dynamic PAT

nat (DMZ) 2 dmz_network_ip subnet_mask tcp 0 0 udp 0

nat (inside) 2 inside_network_ip subnet_mask tcp 0 0 udp 0

global (outside) 2 interface

global (DMZ) 2 global_ip_addr netmask 255.255.255.255

A Must-Read Note: Dynamic PAT is a type of address translation where a group of local hosts, either on the DMZ or client hosts, are translated to a single IP address or a limited pool of IP addresses, along with the port used in each session initiated to the outside world.

Note 2: The first command specifies the DMZ interface to be subject to PAT, along with the IP addresses that exist in this space.

Note 2.1: The second command specifies the inside interface, with its local host IP addresses to be subject to PAT, along with the ports.

Note 2.2: The third command specifies the outside interface on which PAT occurs, using the outside interface's own address.

Note 2.3: The fourth command specifies the global IP address that will be used for the DMZ hosts in order to initiate connections to the internet and receive the replies.

Note 2.4: In the fourth command, a pool of IP addresses can be specified; the subnet mask must be changed accordingly.

Verifying Dynamic PAT and NAT

show xlate

Note 3: The command shows the table designated for translation entries.

Configure Host-Static NAT

static (DMZ,outside) public_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0

A Must-Read Note: Host-static NAT is a type of translation where a single local host IP address is subject to translation into a single public IP address.

Note 4: The command above uses the DMZ interface to translate a local host on the DMZ into a public IP address.

Configure Network-Static NAT

static (DMZ,outside) public_ip network_ip_local_hosts netmask subnet_mask tcp 0 0 udp 0

A Must-Read Note: In Network-Static NAT, a group of local hosts, either on the DMZ or client hosts, are subject to translation into one single public IP address. This type is ideal for client hosts that do not need to receive connections back from the internet.

Note 5: The command above uses the network IP of the local hosts instead of the single IP used in Note 4.

Configure Static PAT

static (DMZ,outside) tcp public_ip translated_port server_private_ip original_port netmask 255.255.255.255 tcp 0 0 udp 0

A Must-Read Note: Static PAT is a type of address translation where a single or a group of local IP addresses, more commonly in the DMZ, are translated into one single public IP address along with their port numbers; that is the ideal type for servers receiving connections back from clients.

Note 6: The command above specifies a public IP, the translated port (the port used to allow clients from outside to connect back to the server) and the original port.

Configure No-Translation or NAT Exempt

nat (inside) 0 network_ip subnet_mask tcp 0 0 udp 0

A Must-Read Note: NAT exempt states that no translation takes place for local hosts; this type is used for connections in the internal space only.

Note 7: The command above specifies that a network of local host IP addresses will not be subject to any kind of translation.

Configure Identity Static NAT

static (inside,DMZ) local_host_ip same_local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0

A Must-Read Note: This type of NAT is the most preferred for connections between DMZ and client hosts and vice versa. It uses the same IP as the translated IP address.

Note 8: The command above can be specified for the inside or the DMZ interface on the ASA, with the host IP address remaining the same after translation.
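As an added worked example that is not part of the original post, here is a constructed pre-8.3 configuration that puts several of the sheet's commands together on a three-interface ASA (outside, inside, DMZ): dynamic PAT for outbound traffic, static PAT publishing a single port of a DMZ server, and identity static NAT for the same server as seen from the inside (ASA 8.3 and later replaced this nat/global/static syntax with object-based NAT). All addresses, interface names and the ACL name OUTSIDE_IN are assumptions.

```cisco
! Constructed example (not from the original post): a pre-8.3 ASA with three
! interfaces. Addresses come from RFC 5737 / RFC 1918 documentation ranges.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Dynamic PAT: NAT ID 2 links the nat statements to the global statements.
! Inside and DMZ hosts going out share the outside interface address.
nat (inside) 2 10.1.1.0 255.255.255.0 tcp 0 0 udp 0
nat (DMZ) 2 172.16.1.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 2 interface
! Inside hosts reaching the DMZ are hidden behind a single DMZ-side address.
global (DMZ) 2 172.16.1.254 netmask 255.255.255.255
!
! Static PAT: only TCP/443 of the DMZ web server 172.16.1.20 is published
! on 203.0.113.10; no other port of the server is exposed by this entry.
static (DMZ,outside) tcp 203.0.113.10 443 172.16.1.20 443 netmask 255.255.255.255 tcp 0 0 udp 0
!
! Identity static NAT: the same server keeps its real address when inside
! hosts connect to it, so they reach 172.16.1.20 directly.
static (DMZ,inside) 172.16.1.20 172.16.1.20 netmask 255.255.255.255
!
! A translation by itself does not admit traffic from a lower-security
! interface; the published port must also be permitted by the outside ACL.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Idle translations are dropped after one hour, as in the sheet above.
timeout xlate 1:00:00
```

After applying it, show xlate should list only the PAT entries created by outbound sessions plus the two static entries for 172.16.1.20; any other translation is a sign of a stray nat or static statement.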