CCIE Security Archives - Page 11 of 21 - Anthony Sequeira's Blog Home

Videos: ACIT.in Class Video 3 – NAT on the ASA – record date 3/9/2015

Notes:

This might be a small point section, but it is critical since it impacts core reachability
The issue with NAT is that we are responsible for 8.2 and 8.6 code versions! “Old” NAT and “New” NAT
Dynamic NAT/PAT 8.2
- nat and global commands
- show xlate
- packet-tracer
- nat-control
Dynamic NAT/PAT 8.6
- There is no nat-control any longer
- Remember – if there is a matching nat rule – there must be an address available for translation
- No static or global commands, just nat command
- Manual or object NAT
- Manual – nat (inside,outside) source dynamic any interface…
- show nat – notice sequence numbering
Static 8.2
- static (inside, outside) 135.1.1.1 192.168.1.1
- Remember, the above command is bidirectional
- In 8.2, static always take precedence over dynamic
- In 8.2, access lists hit first – then NAT – so IP address referenced is the mapped address
- In 8.6, we use the real address, as NAT happens first

Practice Labs:

Videos: ACIT.in Class Video 2 – ASA ACLs – record date 3/6/2015

Notes:

Packet tracer is your friend!!!
packet-tracer input outside icmp 2.2.2.2 8 0 192.168.56.100
REMEMBER – inspection first, then ACLs for reply packets
Traceroute – tricky for ACLs – uses UDP for source, then replies are ICMP – time-exceeded and unreachables
Careful with outbound ACLs – you start blocking everything and need to punch holes
Objects (one entity) versus object-groups (one or more entities)
Admin access – by default telnet is disabled – on 8.4/8.6 there is no default password
For ASDM – enable the http server and set the enable password

Practice Labs:

Anthony Sequeira's Blog Home