Workbook for Cisco ASA course:

Can be useful for –

Practical implementation of Cisco ASA firewalls, which is the primary purpose of this workbook and the course.

This workbook is part of the 5-day Cisco ASA implementation course that I am offering. This part of the workbook is for Day 2.

Can also be used for CCNP Security studies

Solutions are based on CLI configurations

For details of the course, for any questions related to any task in this workbook, or to buy the workbook for all 5 days (small price of £20), please send me an email on

Logical Topology

Task 1:

Add a 3rd interface to EFirewall1 and configure it as follows:

Name = DMZ

Security Level = 50

IP address = 10.1.200.254/24

Basic Service Policy

Task 2:

There is a server in the DMZ with an IP of 10.1.200.11 that needs access to our customer network host (172.16.11.100) on TCP ports 22 and 443. The customer host will be reachable via a VPN that will be configured later on this firewall. Make sure that access is configured.

There is a jump host (10.1.200.12) in the DMZ network that needs RDP access to our inside network.

Configure an explicit deny for any other traffic coming from the DMZ.
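One way to complete Tasks 1 and 2 on the ASA CLI, as an added example that is not part of the workbook's own solutions. It assumes the third physical interface is GigabitEthernet0/2, that the inside network is 10.1.100.0/24 behind an interface named inside (as used in the later tasks), and that the jump host needs RDP on TCP 3389.

```cisco
! Task 1: third interface as DMZ (physical interface name GigabitEthernet0/2 is an assumption)
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.200.254 255.255.255.0
 no shutdown
!
! Task 2: objects for the hosts named in the task
object network DMZ-SERVER
 host 10.1.200.11
object network CUSTOMER-HOST
 host 172.16.11.100
object network JUMP-HOST
 host 10.1.200.12
object network INSIDE-NET
 subnet 10.1.100.0 255.255.255.0
object-group service CUSTOMER-TCP tcp
 port-object eq ssh
 port-object eq https
!
! Inbound ACL on DMZ: only the two flows the task names, then an explicit logged deny.
! The customer host is reached over the VPN configured later; the ACL itself does not depend on it.
access-list DMZ_IN extended permit tcp object DMZ-SERVER object CUSTOMER-HOST object-group CUSTOMER-TCP
access-list DMZ_IN extended permit tcp object JUMP-HOST object INSIDE-NET eq 3389
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! Verification: interface state, the rules as stored, and per-rule hit counts
show interface ip brief
show running-config access-list DMZ_IN
show access-list DMZ_IN
```

Two points worth knowing before moving on. The `log` keyword on the final deny turns every dropped DMZ flow into a syslog message, which is what you want to watch when a DMZ host starts probing the inside network. And once an ACL is applied to the DMZ interface, the default "higher security level to lower" permission no longer applies: DMZ hosts can only do what DMZ_IN permits, so the outbound flows used in Tasks 8 and 9 will need their own permit lines added to DMZ_IN.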

Task 3:

Allow the inside network to have the following access:

Host/Subnet      / Source port / Destination host/Subnet / Destination port
2.2.2.2, 4.4.4.4 / Any         / 10.1.200.4              / tcp/23, tcp/22, tcp/80
2.2.2.2          / 4000 – 5000 / 10.1.200.4              / tcp/21
5.5.5.5          / Any         / Any                     / tcp/80, tcp/443, tcp/110, tcp/23, icmp-echo

Verify your access using packet-tracer where actual hosts are not available.
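One way to build the Task 3 rule set and check it with packet-tracer, as an added example that is not from the workbook's own solutions. It assumes the inside interface is named inside; the object names are mine.

```cisco
! Task 3: inbound ACL on the inside interface (interface name "inside" is an assumption)
object-group network INSIDE-HOSTS-2-4
 network-object host 2.2.2.2
 network-object host 4.4.4.4
object-group service TO-DMZ-HOST-TCP tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq www
object-group service HOST5-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq telnet
!
! Row 1: 2.2.2.2 and 4.4.4.4, any source port, to 10.1.200.4 on tcp/23, tcp/22, tcp/80
access-list INSIDE_IN extended permit tcp object-group INSIDE-HOSTS-2-4 host 10.1.200.4 object-group TO-DMZ-HOST-TCP
! Row 2: 2.2.2.2 only when the SOURCE port is 4000-5000, to 10.1.200.4 on tcp/21
!        (a port operator placed directly after the source address matches the source port)
access-list INSIDE_IN extended permit tcp host 2.2.2.2 range 4000 5000 host 10.1.200.4 eq ftp
! Row 3: 5.5.5.5 to anywhere on tcp/80, 443, 110, 23 and ICMP echo
access-list INSIDE_IN extended permit tcp host 5.5.5.5 any object-group HOST5-TCP
access-list INSIDE_IN extended permit icmp host 5.5.5.5 any echo
access-group INSIDE_IN in interface inside
!
! Verification with packet-tracer (no end hosts needed). The first, second and fourth
! traces should end in ALLOW; the third should end in DROP at the ACCESS-LIST phase
! because its source port is outside 4000-5000.
packet-tracer input inside tcp 4.4.4.4 1025 10.1.200.4 22
packet-tracer input inside tcp 2.2.2.2 4500 10.1.200.4 21
packet-tracer input inside tcp 2.2.2.2 1025 10.1.200.4 21
packet-tracer input inside icmp 5.5.5.5 8 0 10.1.200.4
```

Applying INSIDE_IN removes the default outbound permission for every other inside host, so the NAT tasks that follow (R3's loopback in Task 7, the 10.1.100.0/24 subnet in Task 10, host 10.1.100.4 in Task 11) only work if matching permit lines are added to INSIDE_IN; the ACL is evaluated before NAT, and packet-tracer will show the drop there.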

Static NAT (IOS Version 8.3+)

Task 4:

Change the IP address of the outside interface of EFirewall1 to 65.97.12.2/28 so we have more IP addresses to use.

Task 5 (Static NAT):

Configure EFirewall1 in such a way that when someone from outside tries to reach 65.97.12.5, they are directed to the internal network IP address 5.5.5.5 (assigned to a router loopback0). Configure all required access-list rules as well to make it work.

Test by trying to telnet to 65.97.12.5 from the ISP router.

Task 6 (Static PAT):

Configure EFirewall1 in such a way that when someone from outside tries to connect to 65.97.12.6 on port 23, the connection is directed to the Ethernet0/0 interface of R2 (10.1.100.2).

Task 7:

Configure EFirewall1 so that R3's loopback0, when it wants to reach loopback1 of ISP-RTR, gets translated to the outside interface IP of EFirewall1.
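One way to complete Tasks 4 to 7 with 8.3+ object NAT and twice NAT, as an added example that is not from the workbook's own solutions. It assumes the outside physical interface is GigabitEthernet0/0, that the ASA already has a route to 5.5.5.5 via the inside interface, and, because neither address is given in the task, that R3's loopback0 is 3.3.3.3 and ISP-RTR's loopback1 is 203.0.113.1.

```cisco
! Task 4: renumber the outside interface (physical interface name is an assumption)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 65.97.12.2 255.255.255.240
!
! Task 5: static NAT 65.97.12.5 <-> 5.5.5.5 (router loopback0 behind inside; the ASA is
! assumed to already have a route to 5.5.5.5 through the inside interface)
object network R5-LOOPBACK0
 host 5.5.5.5
 nat (inside,outside) static 65.97.12.5
!
! Task 6: static PAT, outside 65.97.12.6:23 -> 10.1.100.2:23 (R2 Ethernet0/0).
! Only TCP/23 is translated; any other port on 65.97.12.6 has no translation.
object network R2-ETH0-0
 host 10.1.100.2
 nat (inside,outside) static 65.97.12.6 service tcp telnet telnet
!
! Inbound ACL on outside. From 8.3 onward the ACL matches the REAL (untranslated) address,
! so the rules reference the internal objects, not 65.97.12.5 / 65.97.12.6.
access-list OUTSIDE_IN extended permit tcp any object R5-LOOPBACK0 eq telnet
access-list OUTSIDE_IN extended permit tcp any object R2-ETH0-0 eq telnet
access-group OUTSIDE_IN in interface outside
!
! Task 7: translate R3 loopback0 to the outside interface IP only when the destination is
! ISP-RTR loopback1 (3.3.3.3 and 203.0.113.1 are assumptions). Because the rule depends on
! the destination it is a twice (manual) NAT rule; "nat (inside,outside) dynamic interface"
! under the object would translate R3 towards every outside destination instead.
object network R3-LOOPBACK0
 host 3.3.3.3
object network ISP-LOOPBACK1
 host 203.0.113.1
nat (inside,outside) source dynamic R3-LOOPBACK0 interface destination static ISP-LOOPBACK1 ISP-LOOPBACK1
!
! Verification: the two outside traces should show an UN-NAT phase to 5.5.5.5 and 10.1.100.2,
! the inside trace should show the source translated to 65.97.12.2
show nat detail
packet-tracer input outside tcp 203.0.113.1 1025 65.97.12.5 23
packet-tracer input outside tcp 203.0.113.1 1025 65.97.12.6 23
packet-tracer input inside tcp 3.3.3.3 1025 203.0.113.1 23
show xlate
```

The Task 5 test from the ISP router is then simply `telnet 65.97.12.5`; `show xlate` afterwards should list the 5.5.5.5 entry. If the INSIDE_IN ACL from Task 3 is applied, add a permit for R3's loopback0 before testing Task 7, otherwise the flow is dropped at the ACL before the NAT rule is ever consulted.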

Dynamic NAT (IOS Version 8.3+)

Task 8:

Configure EFirewall1 in such a way that all traffic leaving the DMZ network is translated to 65.97.12.7 when trying to reach any destination outside.

Task 9 (Exempt Static NAT Entry):

Configure EFirewall1 so that it carries on translating as set up in Task 8 (DMZ network translated to 65.97.12.7), but one IP, 10.1.200.9 (R9's G0/0), is not translated and is left as 10.1.200.9 when going outside.

Task 10:

When going outside from the inside subnet (10.1.100.0/24), all IPs are translated to an external IP pool of 65.97.12.11 to 65.97.12.13; if that pool is exhausted, all traffic is NATed to the 65.97.12.14 IP address.

Task 11:

Configure EFirewall1 so that when host 10.1.100.4 in the inside network accesses hosts in the DMZ network, its IP is translated to the interface IP of the DMZ interface.
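One way to complete Tasks 8 to 11 with 8.3+ object NAT, as an added example that is not from the workbook's own solutions. It assumes interface names inside, DMZ and outside, and uses 203.0.113.1 as a stand-in outside destination for the packet-tracer checks; the object names are mine.

```cisco
! Task 8: dynamic PAT for the whole DMZ subnet behind 65.97.12.7. A single inline mapped
! address means PAT (many real hosts share one address), which is what "translated to
! 65.97.12.7" requires.
object network DMZ-NET
 subnet 10.1.200.0 255.255.255.0
 nat (DMZ,outside) dynamic 65.97.12.7
!
! Task 9: exempt 10.1.200.9 (R9 G0/0) with a static identity NAT. In object NAT, static
! rules are evaluated before dynamic ones, so this /32 wins over the DMZ-NET rule above.
object network R9-G0-0
 host 10.1.200.9
 nat (DMZ,outside) static 10.1.200.9
!
! Task 10: dynamic NAT from a pool of three addresses with PAT fallback. A network object
! group holding a range plus a single host gives exactly this: the range is used for
! dynamic NAT and the host is used for PAT once the range is exhausted.
object network INSIDE-NET
 subnet 10.1.100.0 255.255.255.0
object network OUTSIDE-NAT-POOL
 range 65.97.12.11 65.97.12.13
object network OUTSIDE-PAT-FALLBACK
 host 65.97.12.14
object-group network INSIDE-MAPPED
 network-object object OUTSIDE-NAT-POOL
 network-object object OUTSIDE-PAT-FALLBACK
object network INSIDE-NET
 nat (inside,outside) dynamic INSIDE-MAPPED
!
! Task 11: 10.1.100.4 hidden behind the DMZ interface address when it talks to the DMZ.
! A separate object is needed because an object can carry only one nat statement, and
! the (inside,DMZ) interface pair keeps this rule from touching inside->outside traffic.
object network INSIDE-HOST-4
 host 10.1.100.4
 nat (inside,DMZ) dynamic interface
!
! Verification (203.0.113.1 stands in for an outside destination; it is an assumption).
! Expected: the first trace shows 10.1.200.11 translated to 65.97.12.7, the second shows
! 10.1.200.9 unchanged, the third shows 10.1.100.4 translated to 10.1.200.254.
show nat
packet-tracer input DMZ tcp 10.1.200.11 1025 203.0.113.1 80
packet-tracer input DMZ tcp 10.1.200.9 1025 203.0.113.1 80
packet-tracer input inside tcp 10.1.100.4 1025 10.1.200.4 80
show xlate
```

`show nat` prints the rules in the order the ASA evaluates them, which is the quickest way to confirm that the Task 9 identity rule sits above the DMZ-NET rule. If the DMZ_IN ACL from Task 2 and the INSIDE_IN ACL from Task 3 are applied, the three traced flows also need permit lines in those ACLs; with the explicit deny in DMZ_IN they are otherwise dropped (and logged) before NAT is evaluated.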