Showing posts with label ASA FIREWALL. Show all posts

Wednesday, 10 July 2024

How to configure the DHCP server on a Cisco ASA device?




DHCP (Dynamic Host Configuration Protocol) servers provide all the basic information a client needs to operate on the network, including IP address, subnet mask, default gateway, DNS address, and more.

In this blog, we configure the Cisco ASA firewall to act as a DHCP (Dynamic Host Configuration Protocol) server. DHCP simplifies the process of IP address assignment in your network. In this scenario, we’ll set up the ASA to provide IP addresses to internal LANs using different DHCP scopes.

Let's see the configuration:

Topology:-




  • Configure the topology as per the diagram
  • Configure the IP address on the ASA interface and set its security level
  • Configure the DHCP server on the ASA
  • Verify the configuration with show commands and ping










ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.240 inside
ciscoasa(config)# dhcpd dns 8.8.8.8
ciscoasa(config)# dhcpd domain internetworks
ciscoasa(config)# dhcpd option 3 ip 192.168.1.1
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# exit

ciscoasa# show dhcpd binding

IP address       Client Identifier        Lease expiration        Type

    192.168.1.2    0100.5079.6668.00            2399 seconds    Automatic
    192.168.1.3    0100.5079.6668.01            2941 seconds    Automatic
    192.168.1.4    0100.5079.6668.02            2949 seconds    Automatic
    192.168.1.5    0100.5079.6668.03            2956 seconds    Automatic
    192.168.1.6    0100.5079.6668.04            2963 seconds    Automatic
    192.168.1.7    0100.5079.6668.05            2970 seconds    Automatic
    192.168.1.8    0100.5079.6668.06            2977 seconds    Automatic


ciscoasa# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools        1
Automatic bindings   7
Expired bindings     0
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          14
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            7
DHCPACK              14
DHCPNAK              0

ciscoasa# show dhcpd state
Context  Configured as DHCP Server
Interface inside, Configured for DHCP SERVER



PC2> ip dhcp
DORA IP 192.168.1.3/24 GW 192.168.1.1

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 192.168.1.3/24
GATEWAY     : 192.168.1.1
DNS         : 8.8.8.8
DHCP SERVER : 192.168.1.1
DHCP LEASE  : 2565, 3000/1500/2625
DOMAIN NAME : internetworks
MAC         : 00:50:79:66:68:01
LPORT       : 10017
RHOST:PORT  : 127.0.0.1:10018
MTU:        : 1500
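
Added example (not part of the original post): a Python sketch that turns the show dhcpd binding rows above into a lease inventory, converts each client identifier to its MAC address, and reports pool utilisation plus leases held by MACs missing from an allowlist. The KNOWN_MACS allowlist and the 0.9 warning ratio are assumptions made for illustration.

```python
import ipaddress
import re

# Pool and binding rows copied from the lab output above.
POOL = "192.168.1.2-192.168.1.240"
BINDINGS = """\
    192.168.1.2    0100.5079.6668.00            2399 seconds    Automatic
    192.168.1.3    0100.5079.6668.01            2941 seconds    Automatic
    192.168.1.4    0100.5079.6668.02            2949 seconds    Automatic
    192.168.1.5    0100.5079.6668.03            2956 seconds    Automatic
    192.168.1.6    0100.5079.6668.04            2963 seconds    Automatic
    192.168.1.7    0100.5079.6668.05            2970 seconds    Automatic
    192.168.1.8    0100.5079.6668.06            2977 seconds    Automatic
"""
# Assumption: inventory of MACs expected on this LAN (constructed for the example).
KNOWN_MACS = {f"00:50:79:66:68:{i:02x}" for i in range(6)}

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]+)\s+(\d+) seconds\s+(\w+)")


def client_id_to_mac(client_id):
    """Convert a client identifier such as 0100.5079.6668.01 to a MAC address.

    The first octet is the hardware type (01 = Ethernet) and the next six
    octets are the MAC. Any other shape returns None.
    """
    hexstr = client_id.replace(".", "").lower()
    if len(hexstr) != 14 or not hexstr.startswith("01"):
        return None
    mac = hexstr[2:]
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def parse_bindings(text):
    """Return one dict per binding row; headers and blank lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, cid, secs, kind = m.groups()
            leases.append({"ip": ip, "mac": client_id_to_mac(cid),
                           "remaining": int(secs), "type": kind})
    return leases


def pool_size(pool):
    """Number of addresses in a 'first-last' dhcpd address range."""
    start, end = (ipaddress.IPv4Address(p) for p in pool.split("-"))
    return int(end) - int(start) + 1


def lease_report(text, pool, known_macs, warn_ratio=0.9):
    """Summarise pool usage and list leases whose MAC is not in the allowlist."""
    leases = parse_bindings(text)
    used = len(leases) / pool_size(pool)
    unknown = [l for l in leases if l["mac"] not in known_macs]
    return {"leases": len(leases), "utilisation": round(used, 3),
            "near_exhaustion": used >= warn_ratio, "unknown": unknown}


if __name__ == "__main__":
    print(lease_report(BINDINGS, POOL, KNOWN_MACS))
```

The second row resolves to 00:50:79:66:68:01, the MAC that PC2 reports in its show ip output.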


Thursday, 27 June 2024

Cisco ASA access management with ASDM, SSH, telnet and dedicated management interface.

 

A Cisco ASA firewall is a barrier between LAN and WAN networks (trusted and untrusted networks). We place the firewall in the forwarding path of the network so that each packet has to be checked by it. The Cisco ASA firewall offers several ways to connect and interact: the administrative user can access the ASA using Telnet, Secure Shell (SSH), and ASDM.




Cisco ASA supports in-band management and out-of-band management.

With in-band management, the ASA is managed over the same data network that carries regular user traffic: protocols like Telnet, SSH, or HTTPS run over the same network interfaces that handle user traffic. In-band management uses the same transit path as user traffic (the data plane and the management plane share it).




You can see the data plane traffic (normal traffic) and the management plane traffic (Telnet, SSH, and ASDM) using the same transit path. It can be any interface (Fast Ethernet, Gigabit Ethernet, serial, or loopback) but not a dedicated management interface.

This kind of topology has advantages and disadvantages. It is easy to configure because it uses the existing network infrastructure and needs no separate dedicated management interface. The disadvantages are the security risk, the dependence on network availability, and the shared resources.


Out-of-band management

With out-of-band management, the Cisco ASA offers a dedicated management interface separate from the regular data interfaces. The administrator uses a dedicated physical management port on the ASA to access the device, and this interface is used only for out-of-band management purposes.





Out-of-band management isolates management traffic from normal data traffic. The console port and the physical management port are both out-of-band management.


Let's see the configuration of all the methods to access the ASA firewall:

  1. In the first lab, we are going to configure Telnet
  2. In the second lab, we are going to configure Secure Shell (SSH)
  3. In the third lab, we are going to configure a dedicated management interface
  4. In the fourth lab, we are going to configure ASDM


 First lab topology:-



  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology
  • Configure the inside and outside zones
  • Enable Telnet, because Telnet is disabled by default on the ASA
  • Configure router-1 to act as a PC for verification

  

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.10 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms


ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# security 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 12.12.12.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# username admin password admin
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside

R1#telnet 192.168.1.1 /source-interface fastEthernet 0/0
Trying 192.168.1.1 ... Open

User Access Verification
Password:

ciscoasa> enable
Password:

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           12.12.12.1      YES manual up                    up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
ciscoasa#
ciscoasa# exit
Logoff

[Connection to 192.168.1.1 closed by foreign host]
R1#
R1#
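
Added example, not part of the original lab: a small Python audit of the management-access lines typed above. It flags Telnet (cleartext on the wire), a password equal to the username, any-source access, and management on an interface that also carries user traffic. The interface name management for the dedicated port and the HARDENED sample are assumptions.

```python
import ipaddress
import re

# Management-related lines as typed in the first lab above.
LAB_CONFIG = """\
ciscoasa(config)# username admin password admin
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside
"""

# Constructed sample: SSH restricted to a dedicated management network.
# The hash is a placeholder and the subnet is hypothetical.
HARDENED = """\
username admin password <hash-placeholder> pbkdf2
ssh 192.168.100.0 255.255.255.0 management
"""

PROMPT = re.compile(r"^\S+?\(config[^)]*\)#\s*")
MGMT = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
USER = re.compile(r"^username\s+(\S+)\s+password\s+(\S+)(?:\s+(\S+))?")


def audit_management(config, oob_interfaces=("management",)):
    """Return a list of (finding, config_line) tuples for management access."""
    findings = []
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = MGMT.match(line)
        if m:
            proto, net, mask, ifname = m.groups()
            source = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
            if proto == "telnet":
                findings.append(("TELNET_CLEARTEXT", line))
            if source.prefixlen == 0:
                findings.append(("ANY_SOURCE", line))
            if ifname.lower() not in oob_interfaces:
                findings.append(("IN_BAND_MGMT", line))
            continue
        u = USER.match(line)
        if u:
            name, secret, suffix = u.groups()
            # A saved configuration stores a hash followed by a keyword;
            # only a password typed in clear can be compared to the name.
            hashed = suffix in ("encrypted", "pbkdf2")
            if not hashed and secret.lower() == name.lower():
                findings.append(("PASSWORD_EQUALS_USERNAME", line))
    return findings


if __name__ == "__main__":
    for finding, line in audit_management(LAB_CONFIG):
        print(f"{finding:26} {line}")
```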



Saturday, 10 June 2023

How to configure PAT NAT on ASA Firewall?

 NAT (Network Address Translation) is used to translate private IP addresses into public IP addresses. NAT changes the source and destination IP addresses and ports. Address translation reduces the need for public IPv4 addresses and also hides private network address ranges. NAT generally operates on a router or firewall. Previously we configured SNAT, DNAT, and PAT on the router; now we are going to configure PAT on the ASA firewall.





Port Address Translation (PAT): this type of NAT is also known as dynamic NAT overload. PAT allows thousands of users to access the internet using only one real, globally registered public IP address. PAT maps thousands of addresses to one by using ports. PAT is the only reason (or solution) we have not run out of valid IP addresses on the internet. PAT is cost-effective because a single public IP address is used; the port number distinguishes the traffic, that is, which traffic belongs to which IP address.








Let's configure PAT on the ASA firewall:

Topology: -

  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology
  • Configure the access lists to permit ICMP traffic from the lower security level to the higher level
  • Apply the access lists to the interfaces
  • Configure the network objects
  • Configure the PAT statements

(On ASA)


ciscoasa(config)# int Gig 0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif INSIDE
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit

ciscoasa(config)# int Gig 1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# exit

ciscoasa(config)# int Gig 2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 101.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif OUTSIDE
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# exit

(On router)

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 101.1.1.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastEthernet 1/0
R1(config-if)#ip address 30.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit


ciscoasa# show interface ip brief

Interface                        IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           192.168.2.1     YES manual up                    up
GigabitEthernet2           101.1.1.1       YES manual up                    up


(On PC 1)

PC1> ip 192.168.1.10 255.255.255.0 192.168.1.1

Checking for duplicate addresses...

PC1 : 192.168.1.10 255.255.255.0 gateway 192.168.1.1


(On PC2)


PC2> ip 192.168.2.10 255.255.255.0 192.168.2.1

Checking for duplicate addresses...

PC1 : 192.168.2.10 255.255.255.0 gateway 192.168.2.1


(On PC3)

PC3> ip 30.1.1.2 255.0.0.0 30.1.1.1
Checking for duplicate addresses...
PC1 : 30.1.1.2 255.0.0.0 gateway 30.1.1.1


(On ASA)

ciscoasa(config)# access-list traffic_out permit icmp any any
ciscoasa(config)# access-list traffic_dmz permit icmp any any

ciscoasa(config)# access-group traffic_out in interface outside
ciscoasa(config)# access-group traffic_dmz in interface dmz


ciscoasa(config)# object network inside-nat
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# exit

ciscoasa(config)# nat (INSIDE,OUTSIDE) source dynamic inside-nat  interface


ciscoasa(config)#object network dmz-nat
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# exit

ciscoasa(config)# nat (DMZ,OUTSIDE) source dynamic dmz-nat interface


ciscoasa(config)# object network dmz-nat-pool
ciscoasa(config-network-object)# range 120.1.1.1 120.1.1.10
ciscoasa(config-network-object)# exit

ciscoasa(config)# route OUTSIDE 0.0.0.0 0.0.0.0 101.1.1.2

(Now ping from INSIDE to OUTSIDE and from DMZ to OUTSIDE)

(from PC1)













(From PC 2)












(As you can see, we can ping outside from inside and DMZ)

(from ASA)

ciscoasa# show xlate

10 in use, 15 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

ICMP PAT from DMZ:192.168.2.10/2689 to OUTSIDE:101.1.1.1/61018 flags ri idle 0:00:02 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/2433 to OUTSIDE:101.1.1.1/25249 flags ri idle 0:00:03 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/2177 to OUTSIDE:101.1.1.1/28580 flags ri idle 0:00:04 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/1921 to OUTSIDE:101.1.1.1/6494 flags ri idle 0:00:05 timeout 0:00:30

ICMP PAT from DMZ:192.168.2.10/1665 to OUTSIDE:101.1.1.1/14856 flags ri idle 0:00:06 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/2177 to OUTSIDE:101.1.1.1/21203 flags ri idle 0:00:05 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/1665 to OUTSIDE:101.1.1.1/1845 flags ri idle 0:00:06 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/1409 to OUTSIDE:101.1.1.1/63559 flags ri idle 0:00:07 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/897 to OUTSIDE:101.1.1.1/56354 flags ri idle 0:00:08 timeout 0:00:30

ICMP PAT from INSIDE:192.168.1.10/385 to OUTSIDE:101.1.1.1/51849 flags ri idle 0:00:08 timeout 0:00:30



ciscoasa# show nat pool

UDP PAT pool INSIDE, address 0.0.0.0, range 1-511, allocated 0

UDP PAT pool INSIDE, address 0.0.0.0, range 512-1023, allocated 0

UDP PAT pool INSIDE, address 0.0.0.0, range 1024-65535, allocated 4

UDP PAT pool DMZ, address 192.168.2.1, range 1-511, allocated 0

UDP PAT pool DMZ, address 192.168.2.1, range 512-1023, allocated 0

UDP PAT pool DMZ, address 192.168.2.1, range 1024-65535, allocated 4

UDP PAT pool OUTSIDE, address 0.0.0.0, range 1-511, allocated 0

UDP PAT pool OUTSIDE, address 0.0.0.0, range 512-1023, allocated 0

UDP PAT pool OUTSIDE, address 0.0.0.0, range 1024-65535, allocated 4

ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1-511, allocated 0

ICMP PAT pool OUTSIDE, address 101.1.1.1, range 512-1023, allocated 0

ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1024-65535, allocated 0
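
Added example (not part of the original post): because every inside and DMZ host leaves as 101.1.1.1, the show xlate table is the only place that ties an outside-visible address and port back to the real host. This Python sketch parses an excerpt of the output above, answers "who was behind 101.1.1.1/61018", and counts translations per host. For ICMP the number after the slash is the ICMP identifier rather than a TCP or UDP port.

```python
import re
from collections import Counter

# Excerpt of the show xlate output above (header lines kept on purpose).
XLATE_OUTPUT = """\
10 in use, 15 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from DMZ:192.168.2.10/2689 to OUTSIDE:101.1.1.1/61018 flags ri idle 0:00:02 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/2433 to OUTSIDE:101.1.1.1/25249 flags ri idle 0:00:03 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/2177 to OUTSIDE:101.1.1.1/21203 flags ri idle 0:00:05 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/385 to OUTSIDE:101.1.1.1/51849 flags ri idle 0:00:08 timeout 0:00:30
"""

ENTRY = re.compile(
    r"^(?P<proto>\w+) PAT from (?P<real_if>[^:\s]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+)"
    r" to (?P<map_if>[^:\s]+):(?P<map_ip>[\d.]+)/(?P<map_port>\d+)"
    r" flags (?P<flags>\S+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)")


def hms_to_seconds(text):
    """Convert an h:mm:ss timer such as 0:00:30 to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_xlate(output):
    """Return one dict per PAT entry; the header and flag legend are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["real_port"] = int(e["real_port"])
        e["map_port"] = int(e["map_port"])
        e["idle"] = hms_to_seconds(e["idle"])
        e["timeout"] = hms_to_seconds(e["timeout"])
        entries.append(e)
    return entries


def attribute(entries, proto, map_ip, map_port):
    """Map a translated (address, port) seen outside back to the real host."""
    for e in entries:
        if (e["proto"], e["map_ip"], e["map_port"]) == (proto.upper(), map_ip, map_port):
            return e["real_if"], e["real_ip"], e["real_port"]
    return None


def translations_per_host(entries):
    """Count active translations per (interface, real address)."""
    return Counter((e["real_if"], e["real_ip"]) for e in entries)


if __name__ == "__main__":
    table = parse_xlate(XLATE_OUTPUT)
    print(attribute(table, "icmp", "101.1.1.1", 61018))
    print(translations_per_host(table).most_common())
```

The ICMP entries above expire after 30 seconds, so attribution after the fact depends on translation records having been logged while the entry was live.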






Thursday, 22 December 2022

What is ASA Firewall Static NAT? How to configure Static Network Address Translation

 Static Network Address Translation

 

Static NAT –

A single private IP address (unregistered) is configured and mapped one-to-one to a public IP address (registered).

This is not suited to organizations, because they have many devices. We use it in web hosting or home networks.

In the previous blog, we saw dynamic NAT, where the inside network can access the outside; now the outside wants to reach our DMZ server. Let's see how to configure it.

Topology:-



Goal:

  • configure the topology as per the diagram 
  • configure the IP addresses to their interfaces 
  • configure security zones and levels 
  • configure access lists 
  • configure Static NAT 
  • make sure PCs can reach servers 


INSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
INSIDE-ROUTER(config-if)#ip address 10.1.1.1 255.0.0.0
INSIDE-ROUTER(config-if)#no shutdown 
INSIDE-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up





DMZ-ROUTER(config)#interface gigabitEthernet 0/0/1
DMZ-ROUTER(config-if)#ip address 20.1.1.1 255.0.0.0
DMZ-ROUTER(config-if)#no shutdown 
DMZ-ROUTER(config-if)#exit

 
%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up



DMZ-ROUTER(config)#interface gigabitEthernet 0/0/0
DMZ-ROUTER(config-if)#ip address 192.168.2.1 255.255.255.0
DMZ-ROUTER(config-if)#no shutdown 
DMZ-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to up


OUTSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
OUTSIDE-ROUTER(config-if)#ip address 30.1.1.1 255.0.0.0
OUTSIDE-ROUTER(config-if)#no shutdown 
OUTSIDE-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up



CISCO-ASA(config)#interface gigabitEthernet 1/1
CISCO-ASA(config-if)#ip address 192.168.1.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif inside 
CISCO-ASA(config-if)#security-level 100
CISCO-ASA(config-if)#exit

CISCO-ASA(config)#interface gigabitEthernet 1/3
CISCO-ASA(config-if)#ip address 192.168.2.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

CISCO-ASA(config-if)#security-level 50
CISCO-ASA(config-if)#exit

CISCO-ASA(config)#interface gigabitEthernet 1/2
CISCO-ASA(config-if)#ip address 192.168.3.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif outside
CISCO-ASA(config-if)#security-level 0
CISCO-ASA(config-if)#exit





INSIDE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
INSIDE-ROUTER(config)#exit

DMZ-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 
DMZ-ROUTER(config)#exit

OUTSIDE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
OUTSIDE-ROUTER(config)#exit

CISCO-ASA(config)#route inside 192.168.1.0 255.255.255.0 192.168.1.1

CISCO-ASA(config)#route dmz 192.168.2.0 255.255.255.0 192.168.2.1

CISCO-ASA(config)#route outside 192.168.3.0 255.255.255.0 192.168.3.1

CISCO-ASA(config)#route inside 10.0.0.0 255.0.0.0 192.168.1.1

CISCO-ASA(config)#route dmz 20.0.0.0 255.0.0.0 192.168.2.1

CISCO-ASA(config)#route outside 30.0.0.0 255.0.0.0 192.168.3.1

CISCO-ASA(config)#exit



CISCO-ASA(config)#access-list traffic_outside permit icmp any any 
CISCO-ASA(config)#access-list traffic_dmz permit icmp any any 

CISCO-ASA(config)#access-group traffic_outside in interface outside
CISCO-ASA(config)#access-group traffic_dmz in interface dmz

CISCO-ASA(config)#object network inside-outside-nat
CISCO-ASA(config-network-object)#host 192.168.1.1
CISCO-ASA(config-network-object)#nat (inside,outside) static 110.1.1.1
CISCO-ASA(config-network-object)#exit

CISCO-ASA(config)#object network dmz-outside-nat
CISCO-ASA(config-network-object)#host 192.168.2.1
CISCO-ASA(config-network-object)#nat (dmz,outside) static 111.1.1.1
CISCO-ASA(config-network-object)#exit















CISCO-ASA#show nat

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static dmz-outside-nat 111.1.1.1

translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source static inside-outside-nat 110.1.1.1

translate_hits = 0, untranslate_hits = 0





{ ping PC 0 to PC 2 (inside to outside) }









{ ping PC 1 to PC 2 (DMZ to OUTSIDE)}






































{Now ping from PC 2 to SERVER (OUTSIDE to DMZ)}

















































Sunday, 17 July 2022

What is ASA firewall security zones? How to configure security zones?

 By default, Cisco routers permit and forward all the packets they receive if the route is matched in their routing table. If we want to restrict some routes, we have to configure access lists, but with a lot of access-list rules this becomes a nightmare to configure on each interface.




From the above diagram, our router has two inbound access lists to deny some routes from the hosts' LAN. Our router also has two access lists to prevent some routes from the internet (WAN) from entering our LAN. This means we have to apply an access list to four interfaces in order to protect our LAN. A better solution is the security zone on an ASA firewall.

Let's see an example of how a security zone works.





 


As you can see above, we have two security zones.

1.      INSIDE: which is our LAN network.

2.      OUTSIDE: which is our WAN network (internet)

Each ASA interface has been assigned to the correct security zone. Security zones have two simple rules:

Traffic coming from a high security level to a lower security level should be permitted.

Traffic coming from a lower security level to a high security level should be denied.

 

Security levels – 

The ASA interface is by default in routed mode, operating at layer 3.

ASA firewall interfaces are assigned a security level, which is a number between 0 and 100. The higher the number, the more trust is placed in the network connected to that interface.

Earlier we saw names like INSIDE, OUTSIDE, and DMZ. We can assign such names to ASA interfaces. As soon as we assign a name to an interface, the ASA automatically assigns it a security level. For example, if we assign the name inside to an interface, it gets security level 100, i.e. the most trusted network. If we assign the name outside, DMZ, or any other name to an interface, it gets security level 0 automatically. These are default values and can be changed.

It is good practice to give a security level of 100 (maximum) to inside (most trusted network), 0 (least) to outside (untrusted or public network), and 50 to DMZ (the organization's public device network).

Note –
It is not mandatory to use the names INSIDE, OUTSIDE, or DMZ for the ASA interfaces, but it is good practice to use them as they are simple and meaningful.

 

 



 

 

Our LAN is our trusted network, so it has a high security level. The WAN is untrusted, so it has a low security level. This means that traffic from our LAN to the WAN is permitted, and traffic from the WAN to our LAN is denied. Since the firewall is stateful, it keeps track of outgoing connections and permits the return traffic for connections initiated from our LAN.

If you want to make an exception and permit traffic from the WAN to the LAN then this can be accomplished with an access list.

Most companies will have one or more servers that should be reachable from the Internet. Perhaps a mail or web server. Instead of placing these on the INSIDE, we use a third zone called the DMZ (Demilitarized Zone).

 

The DMZ security level is between INSIDE and OUTSIDE.

Traffic coming from INSIDE going to OUTSIDE is permitted.

Traffic coming from DMZ going to OUTSIDE is permitted.

Traffic coming from INSIDE going to DMZ is permitted.

Traffic coming from DMZ going to INSIDE is denied.

Traffic coming from OUTSIDE going to INSIDE is denied.

In order to provide full connectivity between DMZ and OUTSIDE, we use an access list that only permits traffic to specific IP addresses or port numbers. If something happens to one of our servers (for example, it is hacked), our inside network will still be secure.
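
Added example (not part of the original post, and not Cisco code): a simplified Python model of the rules listed above. It goes beyond the list in three ways that matter in practice: an access list bound inbound on an interface replaces the implicit level rule for that interface and ends in an implicit deny, traffic between equal levels is denied unless same-security-traffic permit inter-interface is set, and ICMP replies are not tracked unless ICMP inspection is enabled. ACL entries are matched on protocol only, which is enough for permit ... any any entries.

```python
from dataclasses import dataclass, field


@dataclass
class AsaModel:
    """Simplified model of ASA security-level policy."""
    levels: dict                                     # nameif -> security level
    inbound_acl: dict = field(default_factory=dict)  # nameif -> [(action, proto)]
    same_security_permit: bool = False               # inter-interface, equal levels
    inspect_icmp: bool = False                       # ICMP inspection is off by default
    state: set = field(default_factory=set)          # tracked connections

    def _tracked(self, proto):
        return proto in ("tcp", "udp") or (proto == "icmp" and self.inspect_icmp)

    def new_flow(self, src_if, dst_if, proto, src, dst):
        """Return (allowed, reason) for a packet entering src_if towards dst_if."""
        if (dst_if, src_if, proto, dst, src) in self.state:
            return True, "return traffic of a tracked connection"
        acl = self.inbound_acl.get(src_if)
        if acl is not None:
            # A bound access list replaces the implicit level rule for this
            # interface; anything it does not match hits the implicit deny.
            allowed, reason = False, "implicit deny at end of ACL"
            for action, acl_proto in acl:
                if acl_proto in (proto, "ip"):
                    allowed, reason = action == "permit", f"ACL {action} {acl_proto}"
                    break
        else:
            s, d = self.levels[src_if], self.levels[dst_if]
            if s > d:
                allowed, reason = True, "higher to lower security level"
            elif s == d:
                allowed, reason = self.same_security_permit, "same security level"
            else:
                allowed, reason = False, "lower to higher security level"
        if allowed and self._tracked(proto):
            self.state.add((src_if, dst_if, proto, src, dst))
        return allowed, reason


def lab_firewall():
    """Security levels used in this post: inside 100, dmz 50, outside 0."""
    return AsaModel(levels={"inside": 100, "dmz": 50, "outside": 0})


if __name__ == "__main__":
    fw = lab_firewall()
    pc, server = "192.168.10.3", "192.168.30.2"   # addresses from the lab below
    print(fw.new_flow("inside", "outside", "tcp", pc, server))
    print(fw.new_flow("outside", "inside", "tcp", server, pc))   # tracked reply
    print(fw.new_flow("inside", "outside", "icmp", pc, server))
    print(fw.new_flow("outside", "inside", "icmp", server, pc))  # reply dropped
    fw.inbound_acl["dmz"] = [("permit", "icmp")]
    print(fw.new_flow("dmz", "outside", "tcp", "192.168.20.2", server))
```

The last call shows the side effect of binding a permit icmp any any list inbound on the DMZ interface: ICMP passes, and every other protocol from the DMZ is now denied.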

Let’s see the configurations: -

 Topology:-




Goal:

configure the topology as per the diagram 

configure IP address to their ports 

configure gig1/1 to outside zone

configure gig1/3 to the inside zone

configure gig 1/2 to DMZ


ciscoasa(config)#interface gigabitEthernet 1/1

ciscoasa(config-if)#nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)#ip address 192.168.30.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit


ciscoasa(config)#interface gigabitEthernet 1/3

ciscoasa(config-if)#nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)#ip address 192.168.10.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit


ciscoasa(config)#interface gigabitEthernet 1/2

ciscoasa(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)#ip address 192.168.20.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#security-level 50

ciscoasa(config-if)#exit


FROM SERVER



Router(config)#interface fastEthernet 0/0

Router(config-if)#ip address 192.168.30.2 255.255.255.0

Router(config-if)#no shutdown


%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up


Router(config-if)#exit




FROM PC

C:\>IPCONFIG


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::2E0:B0FF:FECD:EE09

IP Address......................: 192.168.10.3

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.10.1


Bluetooth Connection:


Link-local IPv6 Address.........: ::

IP Address......................: 0.0.0.0

Subnet Mask.....................: 0.0.0.0

Default Gateway.................: 0.0.0.0


ciscoasa#show ip address

System IP Addresses:

Interface                Name       IP address      Subnet mask     Method
GigabitEthernet1/1       outside    192.168.30.1    255.255.255.0   CONFIG
GigabitEthernet1/2       dmz        192.168.20.1    255.255.255.0   DHCP
GigabitEthernet1/3       inside     192.168.10.1    255.255.255.0   unset

Current IP Addresses:

Interface                Name       IP address      Subnet mask     Method
GigabitEthernet1/1       outside    192.168.30.1    255.255.255.0   CONFIG
GigabitEthernet1/2       dmz        192.168.20.1    255.255.255.0   DHCP
GigabitEthernet1/3       inside     192.168.10.1    255.255.255.0   unset



ciscoasa#ping 192.168.10.3


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/11/25 ms



ciscoasa#ping 192.168.20.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/16 ms



ciscoasa#ping 192.168.30.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/10/20 ms













