Thursday 22 December 2022

What is ASA Firewall Static NAT? How to configure Static Network Address Translation

Static Network Address Translation


Static NAT –

Static NAT maps a single private (unregistered) IP address to a single public (registered) IP address. The mapping is configured by hand and is strictly one-to-one.

This does not suit an organization with many devices, since every host would need its own public address. It is used for web hosting or in home networks, where one server has to be reachable from outside.

In the previous blog we saw dynamic NAT, where the inside network can reach the outside. Now the outside needs to reach our DMZ server. Let's see how to configure



  • configure the topology as per the diagram 
  • configure the IP addresses to their interfaces 
  • configure security zones and levels 
  • configure access lists 
  • configure Static NAT 
  • make sure PCs can reach servers 

INSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
INSIDE-ROUTER(config-if)#ip address
INSIDE-ROUTER(config-if)#no shutdown 

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up

DMZ-ROUTER(config)#interface gigabitEthernet 0/0/1
DMZ-ROUTER(config-if)#ip address
DMZ-ROUTER(config-if)#no shutdown 

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up

DMZ-ROUTER(config)#interface gigabitEthernet 0/0/0
DMZ-ROUTER(config-if)#ip address
DMZ-ROUTER(config-if)#no shutdown 

%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to up

OUTSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
OUTSIDE-ROUTER(config-if)#ip address
OUTSIDE-ROUTER(config-if)#no shutdown 

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up

CISCO-ASA(config)#interface gigabitEthernet 1/1
CISCO-ASA(config-if)#ip address
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif inside 
CISCO-ASA(config-if)#security-level 100

CISCO-ASA(config)#interface gigabitEthernet 1/3
CISCO-ASA(config-if)#ip address
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

CISCO-ASA(config-if)#security-level 50

CISCO-ASA(config)#interface gigabitEthernet 1/2
CISCO-ASA(config-if)#ip address
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif outside
CISCO-ASA(config-if)#security-level 0

INSIDE-ROUTER(config)#ip route

DMZ-ROUTER(config)#ip route 

OUTSIDE-ROUTER(config)#ip route

CISCO-ASA(config)#route inside

CISCO-ASA(config)#route dmz

CISCO-ASA(config)#route dmz

CISCO-ASA(config)#route inside

CISCO-ASA(config)#route inside

CISCO-ASA(config)#route inside


CISCO-ASA(config)#access-list traffic_outside permit icmp any any 
CISCO-ASA(config)#access-list traffic_dmz permit icmp any any 

CISCO-ASA(config)#access-group traffic_outside in interface outside
CISCO-ASA(config)#access-group traffic_dmz in interface dmz

CISCO-ASA(config)#object network inside-outside-nat
CISCO-ASA(config-network-object)#nat (inside,outside) static

CISCO-ASA(config)#object network dmz-outside-nat
CISCO-ASA(config-network-object)#nat (dmz,outside) static

CISCO-ASA#show nat

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static dmz-outside-nat

translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source static inside-outside-nat

translate_hits = 0, untranslate_hits = 0

(Ping from PC 0 to PC 2: inside to outside)

(Ping from PC 1 to PC 2: DMZ to outside)

(Now ping from PC 2 to SERVER: outside to DMZ)
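The three pings above only succeed because of how the ASA combines interface security levels, the inbound access-groups and the static NAT objects. The following Python model is an added example and is not part of the blog post or of any Cisco software: it reproduces that decision for one packet. Interface names, security levels, ACL names and NAT object names are taken from the post; every IP address and prefix is a constructed sample value (the post's own `ip address` and `nat ... static` lines omit them), and the assumption that `inside-outside-nat` covers PC 0 and `dmz-outside-nat` covers the DMZ SERVER is mine.

```python
# Added example, not from the blog: a small model of how an ASA decides whether
# a packet may cross from one interface to another in the static NAT lab above.
# Interface names, security levels, ACL names and NAT object names follow the
# post; every IP address and prefix below is a constructed sample value, since
# the post's own `ip address` / `nat ... static` lines omit them.
import ipaddress

# Interface name -> (security-level, connected prefix)   [prefixes constructed]
INTERFACES = {
    "inside":  (100, ipaddress.ip_network("192.168.1.0/24")),
    "dmz":     (50,  ipaddress.ip_network("172.16.1.0/24")),
    "outside": (0,   ipaddress.ip_network("203.0.113.0/24")),
}

# Object (auto) NAT: name -> (real_if, mapped_if, real_ip, mapped_ip).
# Assumed: inside-outside-nat covers PC 0, dmz-outside-nat covers the DMZ SERVER.
STATIC_NAT = {
    "inside-outside-nat": ("inside", "outside", "192.168.1.10", "203.0.113.10"),
    "dmz-outside-nat":    ("dmz",    "outside", "172.16.1.100", "203.0.113.100"),
}
# Counters as displayed by `show nat`
HITS = {name: {"translate_hits": 0, "untranslate_hits": 0} for name in STATIC_NAT}

# ACLs bound with `access-group <name> in interface <if>`; the post's entries are
# `permit icmp any any`, so only (action, protocol) is modelled.
ACCESS_GROUPS = {
    "outside": [("permit", "icmp")],   # traffic_outside
    "dmz":     [("permit", "icmp")],   # traffic_dmz
}

def egress_interface(ip):
    """Route lookup reduced to 'which connected prefix holds the address'."""
    addr = ipaddress.ip_address(ip)
    for name, (_, prefix) in INTERFACES.items():
        if addr in prefix:
            return name
    return None

def untranslate(dst_ip, ingress):
    """Inbound: a mapped address on the ingress interface becomes the real IP."""
    for name, (_, mapped_if, real_ip, mapped_ip) in STATIC_NAT.items():
        if mapped_if == ingress and mapped_ip == dst_ip:
            return real_ip, name
    return dst_ip, None

def translate(src_ip, ingress, egress):
    """Outbound: a real address leaving toward the mapped interface is rewritten."""
    for name, (real_if, mapped_if, real_ip, mapped_ip) in STATIC_NAT.items():
        if real_if == ingress and mapped_if == egress and real_ip == src_ip:
            return mapped_ip, name
    return src_ip, None   # no NAT rule: ASA 8.3+ forwards the packet untranslated

def acl_permits(ingress, egress, proto, access_groups):
    """If an ACL is bound inbound it decides; otherwise only higher->lower
    security is allowed, which is why outside->dmz needs traffic_outside."""
    if ingress in access_groups:
        return any(a == "permit" and p == proto for a, p in access_groups[ingress])
    return INTERFACES[ingress][0] > INTERFACES[egress][0]

def forward(ingress, src_ip, dst_ip, proto="icmp", access_groups=ACCESS_GROUPS):
    """Return (allowed, src_on_wire, dst_on_wire, reason) for one packet."""
    # 1. Destination untranslate comes first; since ASA 8.3 ACLs match real addresses.
    real_dst, un_obj = untranslate(dst_ip, ingress)
    egress = egress_interface(real_dst)
    if egress is None or egress == ingress:
        return False, src_ip, dst_ip, "no route through the firewall"
    # 2. Access control on the ingress interface.
    if not acl_permits(ingress, egress, proto, access_groups):
        return False, src_ip, dst_ip, (f"denied: no ACL on {ingress} and "
                                       f"{ingress} is lower security than {egress}")
    # 3. Source translation on the way out, then bump the `show nat` counters.
    new_src, tr_obj = translate(src_ip, ingress, egress)
    if tr_obj:
        HITS[tr_obj]["translate_hits"] += 1
    if un_obj:
        HITS[un_obj]["untranslate_hits"] += 1
    return True, new_src, real_dst, f"permitted {ingress} -> {egress}"

if __name__ == "__main__":
    # The three pings at the end of the post (PC 2 is a constructed outside host).
    print(forward("inside", "192.168.1.10", "203.0.113.50"))    # PC 0 -> PC 2
    print(forward("dmz", "172.16.1.20", "203.0.113.50"))        # PC 1 -> PC 2
    print(forward("outside", "203.0.113.50", "203.0.113.100"))  # PC 2 -> SERVER
    for name, counters in HITS.items():
        print(name, counters)
```

Running it with `access_groups={}` for the outside-to-SERVER packet shows the point of the `traffic_outside` ACL: without it the security-level rule (0 is lower than 50) drops the packet even though the static NAT entry exists, and the `untranslate_hits` counter for `dmz-outside-nat` stays at 0.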

Sunday 18 December 2022

How to configure ASA Firewall Dynamic NAT?

Network address translation

NAT is the method of translation of a private IP address into a public IP address. In order to communicate with the internet, we must have a registered public IP address.

Address translation was originally developed to solve two problems:

  • to handle a shortage of IPv6 addresses
  • to hide network addressing schemes

Types of NAT:

  • Static NAT
  • Dynamic NAT
  • Port Address Translation (PAT)

Static NAT: a one-to-one mapping configured manually for every private IP that needs a registered IP address.

Dynamic NAT: a one-to-one mapping assigned automatically for every private IP that needs a registered IP address.

Port Address Translation (PAT, also called dynamic NAT overload): lets thousands of users reach the internet through a single real global IP address by mapping many private addresses to one public address and telling them apart by port number. PAT is the real reason we have not run out of valid IP addresses on the internet.
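To make the three definitions concrete, here is an added Python model of the mapping rule behind each type; it is not code from the blog or from Cisco, and it leaves out everything a real ASA does around the mapping (xlate timeouts, protocol inspection, per-connection state). All addresses and ports are constructed samples. The `PAT` class is the behaviour you get from the post's later `nat (inside,outside) dynamic interface` command, which overloads the outside interface address.

```python
# Added example, not from the blog: a toy model of the mapping rule behind each
# of the three NAT types listed above. It ignores timeouts, protocol inspection
# and everything else a real ASA does; all addresses are constructed samples.
from itertools import count

class StaticNAT:
    """One-to-one, configured by hand, and valid in both directions: an outside
    host can start a connection to the mapped address at any time."""
    def __init__(self, mapping):                 # real -> mapped
        self.real_to_mapped = dict(mapping)
        self.mapped_to_real = {m: r for r, m in mapping.items()}
    def outbound(self, real_ip):
        return self.real_to_mapped.get(real_ip)
    def inbound(self, mapped_ip):
        return self.mapped_to_real.get(mapped_ip)

class DynamicNAT:
    """One-to-one, but the mapped address is taken from a pool on the first
    outbound packet, so the pool size caps the number of hosts online at once."""
    def __init__(self, pool):
        self.free = list(pool)
        self.xlate = {}                          # real -> mapped
    def outbound(self, real_ip):
        if real_ip not in self.xlate:
            if not self.free:
                return None                      # pool exhausted: packet dropped
            self.xlate[real_ip] = self.free.pop(0)
        return self.xlate[real_ip]
    def inbound(self, mapped_ip):
        # Only a host that already has an xlate is reachable from outside.
        for real, mapped in self.xlate.items():
            if mapped == mapped_ip:
                return real
        return None
    def release(self, real_ip):
        """Xlate timeout: return the address to the pool."""
        self.free.append(self.xlate.pop(real_ip))

class PAT:
    """Many-to-one: every (real IP, real port) pair gets its own source port on a
    single global address, which is how one address serves thousands of hosts."""
    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self.next_port = count(first_port)
        self.xlate = {}                          # (real_ip, real_port) -> mapped_port
        self.reverse = {}                        # mapped_port -> (real_ip, real_port)
    def outbound(self, real_ip, real_port):
        key = (real_ip, real_port)
        if key not in self.xlate:
            port = next(self.next_port)
            self.xlate[key] = port
            self.reverse[port] = key
        return self.global_ip, self.xlate[key]
    def inbound(self, mapped_ip, mapped_port):
        if mapped_ip != self.global_ip:
            return None
        return self.reverse.get(mapped_port)

def hosts_sharing_one_address(n):
    """Push n hosts (same source port) through PAT on one global address and
    return how many distinct (ip, port) pairs came out: all of them."""
    pat = PAT("203.0.113.1")
    seen = {pat.outbound(f"10.0.{i // 256}.{i % 256}", 40000) for i in range(n)}
    return len(seen)

if __name__ == "__main__":
    s = StaticNAT({"10.0.0.5": "203.0.113.5"})
    print("static, inbound first:", s.inbound("203.0.113.5"))       # works
    d = DynamicNAT(["203.0.113.20"])
    print("dynamic, inbound first:", d.inbound("203.0.113.20"))     # None
    print("dynamic, outbound:", d.outbound("10.0.0.1"), d.outbound("10.0.0.2"))
    print("PAT, 3000 hosts on one address:", hosts_sharing_one_address(3000))
```

The contrast worth noticing is in the `inbound` methods: static NAT answers before any outbound packet has been seen, dynamic NAT and PAT only answer for an xlate that an inside host created first. That is exactly why the static NAT post above needs the static object to let the outside reach the DMZ server, while the dynamic NAT here is enough for inside hosts that only initiate connections.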

Just like the Cisco IOS routers, we can configure NAT / PAT on our Cisco ASA firewall.

I'm assuming that you already know about NAT, if you don't, please click here 

Let's configure dynamic NAT.

Topology:

Goal:

  • configure the topology as per the diagram 
  • configure IP addresses on the ISP router 
  • configure VLANs on the ASA firewall
  • configure DHCP on the ASA firewall for inside 
  • configure a static route for VLAN 1 (inside)
  • configure dynamic NAT on the ASA for VLAN 1
  • make sure PC-A can ping the web server

ISP-ROUTER(config)#interface gigabitEthernet 0/0
ISP-ROUTER(config-if)#ip address
ISP-ROUTER(config-if)#no shutdown 

ISP-ROUTER(config)#interface gigabitEthernet 0/1
ISP-ROUTER(config-if)#ip address
ISP-ROUTER(config-if)#no shutdown 

ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#ip address
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100

ciscoasa(config)#interface ethernet 0/2
ciscoasa(config-if)#switchport access vlan 1

ciscoasa(config)#interface vlan 2
ciscoasa(config-if)#ip address
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no shutdown

ciscoasa(config)#interface vlan 3
ciscoasa(config-if)#no forward interface vlan 1
ciscoasa(config-if)#ip address
ciscoasa(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)#security-level 50

ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#switchport access vlan 3

ciscoasa#show interface ip brief 
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                YES manual up                    up
Vlan2             YES manual up                    up
Vlan3                YES manual up                    up

ciscoasa#show ip address 
System IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside            manual
Vlan2                 outside       manual
Vlan3                 dmz               manual

Current IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside            manual
Vlan2                 outside       manual
Vlan3                 dmz               manual

ciscoasa#show switch vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    inside                           up        Et0/2, Et0/3, Et0/4, Et0/5
                                                Et0/6, Et0/7
2    outside                          up        Et0/0
3    dmz                              up        Et0/1

ciscoasa(config)#dhcpd address inside
ciscoasa(config)#dhcpd dns interface inside
ciscoasa(config)#dhcpd enable inside

(Verify PC-A-B-C is getting IP configuration from DHCP ASA firewall)




ciscoasa(config)#route outside

ciscoasa(config)#object network inside
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface

ciscoasa(config)#access-list ASA extended permit tcp any any
ciscoasa(config)#access-list ASA extended permit icmp any any
ciscoasa(config)#access-group ASA in interface outside

Wednesday 14 December 2022

What are the basics of ethical hacking?

Ethical Hacking (basic)

White-hat hackers, also known as ethical hackers, are professionals with expertise in cybersecurity. They are authorized by the company and certified to hack its systems. They hack the systems in order to find weaknesses in them. They never intend to harm the system; rather, they try to find weaknesses in a computer or network as part of penetration testing and vulnerability assessments. Ethical hacking is not illegal; in fact it is one of the most in-demand jobs in the IT industry. Many companies hire ethical hackers for penetration testing and vulnerability assessments. An ethical hacker's job is to protect the system and network from malicious hackers.

What is hacking?

Hacking is the act of finding the possible entry points that exist in a computer system or network and finally entering through them. Hacking is usually done to gain unauthorized access to a computer system or network, either to harm the system or to steal sensitive information stored on it. Hacking is not always a malicious activity, but the term has mostly negative connotations because of its association with cybercrime. Hacking is usually legal as long as it is done to find weaknesses in a computer or network for testing purposes.

Types of hacking (BASIC)

We can segregate hacking into different categories based on what is being hacked.

Here is a set of basic hacking examples:

Social engineering

Social engineering is a manipulation technique. Using a fake identity and various psychological tricks, hackers can deceive you into disclosing personal or financial information. They rely on phishing scams, spam emails or instant messages, or even fake websites to achieve this.

Hacking passwords

Hackers use many ways to obtain passwords. One is the trial-and-error method, in which hackers try every possible combination until one gives them access. Hackers also use simple algorithms to generate combinations of letters, numbers and symbols to help them identify passwords. Another technique, known as a dictionary attack, uses a program that inserts common words into password fields to see if one works.

Malware hacking

Hackers infiltrate a user's device to install malware. Most often, hackers target potential victims via email, instant messages, and websites with downloadable content or peer-to-peer networks.


Wireless Networks Hacking

Hackers simply take advantage of open wireless networks. Many people do not secure their Wi-Fi routers, and hackers exploit this by driving around looking for open and unsecured wireless connections, an activity known as wardriving. Once connected to an unsecured network, a hacker only needs to bypass basic security to reach the devices on that network.


Website hacking

Hacking a website means taking unauthorized control of a web server and its associated software, such as databases and other interfaces.

Network hacking

Hacking a network means gathering information about it with tools like telnet, nslookup, ping, tracert and netstat, with the intent to harm the network and hamper its operation.

Email hacking

Email hacking means gaining unauthorized access to an email account and using it without the owner's consent.



The advantages of hacking are quite valuable in the following scenarios:

  • whenever you need to recover lost information, especially a lost password
  • when you want to perform penetration testing to strengthen computer and network security
  • when you need to put adequate preventive measures in place to prevent security breaches
  • to have a computer system that prevents malicious hackers from gaining access


The disadvantages of hacking are quite dangerous when it is done with harmful intent. It can cause:

  • massive security breaches
  • unauthorized access to private information
  • privacy violations
  • hampered system operation
  • denial of service attacks
  • malicious attacks on the system

Purpose of hacking

There can be various positive and negative intentions behind hacking. Here is a list of some probable reasons why people indulge in hacking activities:

  • just for fun
  • to steal important information
  • to damage the system
  • to hamper privacy
  • money extortion
  • system security testing
  • to break policy compliance

