
Cisco Certified Security Professional

SNAF
Securing Networks with ASA
Fundamentals
Lab Manual
Developed by
M. Irfan Ghauri
M. Tanzeel Nasir

ESP Press
C-32/1 Block-5 Gulshan-e-Iqbal, Karachi
Ph # 021-6034003
Copyright 2011
ASA Lab Manual

LAB NO.  LAB DESCRIPTION                                             PAGE

1        ASA Basic & Accessing ASA through Telnet/SSH/HTTP           3
2        Network Address Translation                                 8
         NAT Control, Static NAT, Dynamic NAT, PAT, Static PAT,
         Policy NAT, NAT 0
3        Filtering ActiveX Objects and Java Applets                  17
4        Transparent Firewall                                        18
5        Syslog Server                                               20
6        Cut-through Proxy through LOCAL Database & AAA Server       21
7        Downloadable ACL                                            24
8        TCP Intercept Max Connection                                29
9        Object Grouping and Time-based ACL                          30
10       Routing                                                     32
         a. Static Routing
         b. Dynamic Routing
11       Dynamic Host Configuration Protocol                         34
12       Demilitarized Zone                                          37
13       Inter-VLAN Routing with ASA                                 39
14       Modular Policy Framework                                    41
15       Virtual Private Network                                     42
         Site-to-Site VPN, Web VPN, Remote Access VPN

Lab # 1
ASA Basic Configuration

How to verify Version
ciscoasa(config)# sh version

How to Set Hostname
ciscoasa(config)# hostname ESP

How to Set Time & Date
ciscoasa# clock set 03:40:50 29 december 2010

How to Set Desired Banners
ciscoasa(config)# banner exec "you are off"

How to Configure a particular Interface
ciscoasa(config)# interface ethernet 0/0

Assign IP (when no mask is given, the ASA applies the classful default mask)
ciscoasa(config-if)# ip address 20.0.0.10

Alive Interface
ciscoasa(config-if)# no shutdown

Set Speed
ciscoasa(config-if)# speed auto

Give Label
ciscoasa(config-if)# nameif outside

Mention Security Level
ciscoasa(config-if)# security-level 0

ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100

How to check Particular Interface information
ciscoasa# sh interface ethernet 0/0
ciscoasa# sh interface ethernet 0/1

How to check the applied IP Addresses on the Device
ciscoasa# sh ip addresses

How to check interface Labels & Security Levels
ciscoasa# sh nameif

How to check Interfaces summary
ciscoasa(config)# sh interface ip brief

How to Save Configuration
ciscoasa(config)# copy running-config startup-config

How to check state table
ciscoasa(config)# sh conn

How to check memory status
ciscoasa# sh memory

How to restrict access on Privilege mode
ciscoasa(config)# enable password cisco

How to check running configuration
ciscoasa(config)# sh run

How to check History of CLI
ciscoasa# sh history

Accessing ASA through Telnet/HTTP/SSH

Configuration

Assigning Speed & IP Address on Inside & Outside Interfaces.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside

ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside

How to Telnet Adaptive Security Appliance
ciscoasa(config)# telnet 10.0.0.4 255.255.255.255 inside
ciscoasa(config)# passwd cisco
ciscoasa(config)# enable password cisco

(Telnet is only allowed from the inside interface.)

How to HTTP Adaptive Security Appliance
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.0.0.1 255.255.255.255 inside

How to SSH Adaptive Security Appliance
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# ssh 10.0.0.1 255.255.255.255 inside
ciscoasa(config)# ssh 20.0.0.4 255.255.255.255 outside

Authentication With local database
ciscoasa(config)# username tanzeel password cisco123
ciscoasa(config)# aaa authentication ssh console LOCAL

At Machine 10.0.0.1:
[Screenshot taken at machine 10.0.0.1, not reproduced.]

Verification Commands:
ciscoasa(config)# show ssh
ciscoasa(config)# show ssh session
ciscoasa(config)# ssh disconnect session_id
ciscoasa(config)# show crypto key mypubkey rsa

Lab # 2
NETWORK ADDRESS TRANSLATION
Network Address Translation translates private addresses into public addresses. This lab covers:

NAT Control
Static NAT
Dynamic NAT
PAT
Static PAT
Policy NAT
NAT 0

Configuration
Assigning Speed & IP Address on Inside & Outside Interfaces.

ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside

ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside

Enable NAT control (an inside host then needs a matching NAT rule to pass through the ASA) and permit traffic inbound on the outside interface.
ciscoasa(config)# nat-control
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside

STATIC NETWORK ADDRESS TRANSLATION

Configuration
Establish Static NAT & ACLs.

ciscoasa(config)# static (inside,outside) 20.0.0.51 10.0.0.1
ciscoasa(config)# static (inside,outside) 20.0.0.52 10.0.0.2

Verify Configuration by using following commands.

ciscoasa(config)# show running-config static
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1

DYNAMIC NETWORK ADDRESS TRANSLATION

Configuration
Establish Dynamic NAT, POOL & ACLs on Inside Interfaces.

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 20.0.0.51-20.0.0.60

Verify Configuration by using following commands.

ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1

DYNAMIC PORT ADDRESS TRANSLATION

Configuration
Establish Dynamic PAT, POOL & ACLs

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 20.0.0.51

OR

Establish Dynamic PAT by assigning the Outside Interface IP Address to the POOL

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside

Verify Configuration by using following commands.

ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1

STATIC PAT

Configuration
Establish Port Redirection & ACLs

ciscoasa(config)# static (inside,outside) tcp 20.0.0.50 http 10.0.0.1 80

Verify results by browsing 20.0.0.50 from the outside machine.

(The outside machine will successfully access the local web server.)

Verify Configuration by using following commands.

ciscoasa(config)# show running-config static
ciscoasa(config)# show xlate

POLICY NAT

Configuration
Apply ACLs & NAT POLICY

ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 host 20.0.0.1
ciscoasa(config)# access-list 102 permit ip 10.0.0.0 255.0.0.0 host 20.0.0.2

ciscoasa(config)# nat (inside) 1 access-list 101
ciscoasa(config)# global (outside) 1 20.0.0.51

ciscoasa(config)# nat (inside) 2 access-list 102
ciscoasa(config)# global (outside) 2 20.0.0.52

Verify Configuration by using following commands.

ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show running-config global

NAT CONTROL AND NAT 0

[Topology diagram: inside hosts ALI 10.0.0.1 and ATIF 10.0.0.2 behind E1 (10.0.0.10); outside hosts 20.0.0.1 and 20.0.0.2 beyond E0 (20.0.0.10). ALI requires a NAT rule; ATIF uses a NAT 0 policy.]

Configuration
Enable NAT control.
ciscoasa(config)# nat-control

Apply NAT 0 Policy for ATIF.
ciscoasa(config)# nat (inside) 0 10.0.0.2 255.255.255.255

Verify Configuration by using following commands.

ciscoasa(config)# show xlate
ciscoasa(config)# show running-config global
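As an added illustration that is not part of the manual, the following Python model reproduces the lookup the ASA performs for the rules in this lab: nat 0 exemption first, then static, then policy NAT (nat with an access-list), then dynamic NAT/PAT from the global pool, with nat-control dropping any host that matches nothing. The class and method names are constructed, and a single-address global is treated as PAT, as on the ASA.

```python
import ipaddress


class AsaNat:
    """Toy model of the pre-8.3 ASA NAT order of operations (constructed):
    nat 0 exemption, then static, then policy dynamic NAT (nat + access-list),
    then regular dynamic NAT. With nat-control on, a host that matches no
    rule is dropped instead of passing untranslated."""

    def __init__(self, nat_control=False):
        self.nat_control = nat_control
        self.exempt = []    # nat (inside) 0 <ip> <mask>
        self.statics = {}   # real ip -> mapped ip
        self.policy = []    # (nat_id, real_net, dst_host): nat (inside) id access-list
        self.dynamic = []   # (nat_id, real_net): nat (inside) id <ip> <mask>
        self.pools = {}     # nat_id -> {"free": [mapped ips], "pat": ip or None}
        self.xlate = {}     # translation table, as shown by "show xlate"

    def nat0(self, ip, mask):
        self.exempt.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

    def static(self, mapped, real):
        self.statics[ipaddress.ip_address(real)] = ipaddress.ip_address(mapped)

    def nat(self, nat_id, ip, mask, dst_host=None):
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if dst_host is None:
            self.dynamic.append((nat_id, net))
        else:
            self.policy.append((nat_id, net, ipaddress.ip_address(dst_host)))

    def global_(self, nat_id, first, last=None):
        pool = self.pools.setdefault(nat_id, {"free": [], "pat": None})
        if last is None:                 # a single global IP means PAT
            pool["pat"] = ipaddress.ip_address(first)
        else:                            # a range means one mapped IP per host
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            pool["free"] += [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]

    def _alloc(self, nat_id):
        pool = self.pools.get(nat_id, {"free": [], "pat": None})
        if pool["free"]:
            return pool["free"].pop(0)
        return pool["pat"]               # pool exhausted: fall back to PAT, if any

    def _xlate(self, key, nat_id):
        """Reuse an existing translation or allocate one from the global pool."""
        if key not in self.xlate:
            mapped = self._alloc(nat_id)
            if mapped is None:
                return None              # no free address and no PAT: dropped
            self.xlate[key] = mapped
        return self.xlate[key]

    def translate(self, src, dst):
        """Return the mapped source address for src -> dst, or None if dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(src in net for net in self.exempt):      # 1. nat 0 exemption
            return src
        if src in self.statics:                          # 2. static NAT
            return self.statics[src]
        for nat_id, net, dhost in self.policy:           # 3. policy dynamic NAT
            if src in net and dst == dhost:
                return self._xlate((src, dst), nat_id)
        for nat_id, net in self.dynamic:                 # 4. regular dynamic NAT
            if src in net:
                return self._xlate((src, None), nat_id)
        return None if self.nat_control else src         # no rule: drop or pass
```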

Lab # 3
FILTERING ACTIVEX OBJECTS AND JAVA APPLETS

Configuration

Apply Filters.

ciscoasa(config)# filter java 80 0 0 0 0
ciscoasa(config)# filter activex 80 0 0 0 0

Verify results by browsing the outside machine from any inside machine.

(The host will still load the HTML page; the Java applets and ActiveX objects embedded in it are filtered out.)



Lab # 4
TRANSPARENT FIREWALL

[Topology diagram: hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 share one subnet across the bridged (transparent) ASA.]

Configuration
Assigning Speed & no Shut Inside & Outside Interfaces.

ciscoasa(config)# firewall transparent

ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside

ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside

ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside

Management IP address of the transparent firewall (set globally, not on an interface):
ciscoasa(config)# ip address 10.0.0.10 255.255.255.0

Verify results by IOS commands.

ciscoasa(config)# show firewall
ciscoasa(config)# show mac-address-table

Lab # 5
SYSLOG SERVER

[Topology diagram: inside host 10.0.0.1 and syslog server 10.0.0.2 behind E1 (10.0.0.10); outside hosts 20.0.0.1 and 20.0.0.2 beyond E0 (20.0.0.10).]

Configuration:
ciscoasa(config)# logging on
ciscoasa(config)# logging host inside 10.0.0.2
ciscoasa(config)# logging trap 7

(Trap level 7 is debugging: every message up to and including debugging severity is sent to the syslog host.)

Verification Commands:

ciscoasa(config)# show logging
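An added example, not from the manual: Python that parses constructed sample lines in the ASA syslog format the server at 10.0.0.2 would receive, keeps only the severities a collector wants, and flags repeated ACL denies and failed management logins. Message IDs 302013, 106023, 605004, 605005 and 111009 are real ASA message numbers; the addresses, users and counts in the lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of what the ASA sends to the syslog host after
# "logging trap 7" (severity 0..7, everything up to debugging).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 12 for outside:20.0.0.1/3456 (20.0.0.1/3456) to inside:10.0.0.1/80 (20.0.0.50/80)
%ASA-4-106023: Deny tcp src outside:20.0.0.2/4444 dst inside:10.0.0.2/21 by access-group "101" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:20.0.0.2/4445 dst inside:10.0.0.2/22 by access-group "101" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:20.0.0.2/4446 dst inside:10.0.0.2/23 by access-group "101" [0x0, 0x0]
%ASA-6-605004: Login denied from 20.0.0.4/51002 to outside:20.0.0.10/ssh for user "admin"
%ASA-6-605004: Login denied from 20.0.0.4/51003 to outside:20.0.0.10/ssh for user "admin"
%ASA-6-605005: Login permitted from 10.0.0.1/51234 to inside:10.0.0.10/ssh for user "tanzeel"
%ASA-7-111009: User 'tanzeel' executed cmd: show logging
"""

SYSLOG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")
DENY = re.compile(r"Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<port>\d+)")
LOGIN = re.compile(r'Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ .* for user "(?P<user>[^"]+)"')


def parse(log):
    """Split raw syslog text into (severity, message id, text) records."""
    records = []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if m:                               # skip lines that are not ASA messages
            records.append((int(m["sev"]), m["msgid"], m["text"]))
    return records


def up_to_severity(records, level):
    """Keep messages of severity <= level (lower number = more severe); e.g. level 4
    for a collector that should not store the debugging noise 'logging trap 7' produces."""
    return [r for r in records if r[0] <= level]


def probing_sources(records, min_ports=3):
    """Sources whose denied connections (106023) hit >= min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for _, msgid, text in records:
        m = DENY.search(text) if msgid == "106023" else None
        if m:
            ports[(m["src"], m["dst"])].add(int(m["port"]))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def login_failures(records):
    """Count denied management logins (605004) per (source, user)."""
    fails = defaultdict(int)
    for _, _, text in records:
        m = LOGIN.search(text)
        if m and m["result"] == "denied":
            fails[(m["src"], m["user"])] += 1
    return dict(fails)
```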



Lab # 6
Cut-through proxy through LOCAL database & AAA server

[Topology diagram: inside hosts 10.0.0.2 and 10.0.0.3 and AAA server 10.0.0.1 behind E1 (10.0.0.10); outside hosts 20.0.0.1 and 20.0.0.2 beyond E0 (20.0.0.10).]

Configuration

Cut-through Proxy through Local database
ciscoasa(config)# username admin password admin
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 LOCAL

Cut-through Proxy with AAA server
ciscoasa(config)# aaa-server esp protocol tacacs+
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server esp host 10.0.0.1 cisco123
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp

Configuration on ACS server
[Screenshots of the ACS server configuration, not reproduced.]

User accounts on AAA
[Screenshot of the user accounts on the AAA server, not reproduced.]

Verification Commands:

ciscoasa(config)# show uauth
ciscoasa(config)# clear uauth

Lab # 7
Downloadable ACL

[Topology diagram: inside hosts ALI and ATIF (10.0.0.2 and 10.0.0.3) and AAA server 10.0.0.1 behind E1 (10.0.0.10); outside hosts 20.0.0.1 and 20.0.0.2 beyond E0 (20.0.0.10).]

Cisco Secure ACS allows you to create downloadable ACLs, so that different ACLs can be formed for different users. A downloadable ACL is activated only when the particular user signs in.

Step 1: Configure AAA server using Radius Protocol.

ciscoasa(config)# aaa-server esp protocol radius
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server esp host 10.0.0.4 cisco
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp

Configuration on ACS server

Step 2: Form Downloadable ACL through Shared Profile Components

(If the Downloadable option is not available, click on Interface Configuration.)

[Screenshots of the ACS Interface Configuration and Shared Profile Components pages, not reproduced.]

Now the option is added in Shared Profile Components

Step 3: Add User Ali and apply Downloadable ACL on the user's profile.

Step 4: Verify results.

(Atif can successfully browse & FTP to the outside network)

BUT

(Ali can only successfully FTP to the outside network)

Verification Commands:

ciscoasa(config)# show uauth
ciscoasa(config)# clear uauth
ciscoasa(config)# show conn

Lab # 8
TCP Intercept Maximum Connection

[Topology diagram: inside host 10.0.0.1 and FTP & web server 10.0.0.2 behind E1 (10.0.0.10); outside hosts 20.0.0.1 and 20.0.0.2 beyond E0 (20.0.0.10).]

Configuration:
ciscoasa(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside

(The two trailing values of the static command are the maximum number of TCP connections allowed to the translated host, here 1, and the embryonic connection limit, here 0, meaning unlimited.)

Verification Commands:

ciscoasa(config)# show running-config static
ciscoasa(config)# show local-host
ciscoasa(config)# show xlate
ciscoasa(config)# show conn

Lab # 9
Object Grouping

[Topology diagram: inside host 10.0.0.1 and FTP & web server 10.0.0.2 behind E1 (10.0.0.10); outside hosts 20.0.0.1 and 20.0.0.2 beyond E0 (20.0.0.10).]

Configuration:

Create network object
ciscoasa(config)# object-group network esp
ciscoasa(config-network)# network-object host 20.0.0.1
ciscoasa(config-network)# network-object host 20.0.0.2
ciscoasa(config-network)# network-object host 20.0.0.3
ciscoasa(config-network)# exit

Create service object
ciscoasa(config)# object-group service httpftp tcp
ciscoasa(config-service)# port-object eq 80
ciscoasa(config-service)# port-object eq 21
ciscoasa(config-service)# exit

Calling object in ACL
ciscoasa(config)# access-list 101 extended permit tcp object-group esp host 10.0.0.1 object-group httpftp
ciscoasa(config)# access-group 101 in interface outside

Time-based ACL

Configuration:

ciscoasa(config)# time-range test
ciscoasa(config-time-range)# periodic daily 15:00 to 15:30
ciscoasa(config-time-range)# exit

ciscoasa(config)# access-list 101 permit ip any any time-range test
ciscoasa(config)# access-group 101 in interface outside

Verifying commands
ciscoasa(config)# show access-list
ciscoasa(config)# show run object-group
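An added example, not from the manual: Python that parses the object-group, time-range and access-list lines above into the flat entries that show access-list displays, then evaluates a connection against them with the time-range honoured. The configuration text is embedded as constructed input, with both access-list lines written with the extended keyword, as the ASA stores them; the function names are assumptions.

```python
# The Lab 9 object-group, time-range and access-list lines, embedded as constructed
# parser input (both ACEs carry the 'extended' keyword, as the ASA stores them).
CONFIG = """\
object-group network esp
 network-object host 20.0.0.1
 network-object host 20.0.0.2
 network-object host 20.0.0.3
object-group service httpftp tcp
 port-object eq 80
 port-object eq 21
time-range test
 periodic daily 15:00 to 15:30
access-list 101 extended permit tcp object-group esp host 10.0.0.1 object-group httpftp
access-list 101 extended permit ip any any time-range test
"""

def parse_config(text):
    """Collect object-group members, time-range entries and access-list lines."""
    groups, ranges, acls, current = {}, {}, [], None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "object-group":          # object-group network|service NAME [tcp]
            current = groups.setdefault(words[2], [])
        elif words[0] == "time-range":
            current = ranges.setdefault(words[1], [])
        elif words[0] in ("network-object", "port-object"):   # host A.B.C.D | eq N
            current.append(int(words[2]) if words[1] == "eq" else words[2])
        elif words[0] == "periodic":            # periodic daily HH:MM to HH:MM
            current.append((words[1], words[2], words[4]))
        elif words[0] == "access-list":
            acls.append(words)
    return groups, ranges, acls

def _operand(words, i, groups):
    """Read one address/port operand at words[i]: any | host X | eq N | object-group G."""
    if i >= len(words) or words[i] == "time-range":
        return [], i                            # no (port) operand present
    if words[i] == "any":
        return ["any"], i + 1
    if words[i] == "object-group":
        return list(groups[words[i + 1]]), i + 2
    return [int(words[i + 1]) if words[i] == "eq" else words[i + 1]], i + 2

def expand(acls, groups):
    """Flatten object-group references into the ACEs that 'show access-list' prints."""
    aces = []
    for w in acls:   # access-list NAME extended ACTION PROTO SRC DST [PORT] [time-range T]
        trange = w[w.index("time-range") + 1] if "time-range" in w else None
        srcs, i = _operand(w, 5, groups)
        dsts, i = _operand(w, i, groups)
        ports, i = _operand(w, i, groups)
        aces += [(w[1], w[3], w[4], s, d, p, trange)
                 for s in srcs for d in dsts for p in (ports or [None])]
    return aces

def time_range_active(ranges, name, now):
    """True when time-range 'name' covers clock time now ('HH:MM'); only 'periodic daily' is modelled."""
    if name is None:
        return True
    return any(d == "daily" and start <= now <= end for d, start, end in ranges[name])

def permitted(aces, ranges, proto, src, dst, port, now):
    """First match wins; an ACE whose time-range is inactive is skipped; no match = implicit deny."""
    for _, action, p, s, d, dport, trange in aces:
        if (p in (proto, "ip") and s in (src, "any") and d in (dst, "any")
                and dport in (port, None) and time_range_active(ranges, trange, now)):
            return action == "permit"
    return False
```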

Lab # 10
Routing

[Topology diagram: ASA E0 15.0.0.1 connects to router R2 Fa0/0 15.0.0.2; R2 Fa0/1 20.0.0.10 serves the web server 20.0.0.1 and FTP server 20.0.0.2; ASA Ethernet 1 10.0.0.10 serves Host A 10.0.0.1 and Host B 10.0.0.2.]

Configuration:
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 15.0.0.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0

ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100

Static Routing
Dynamic Routing: RIP, OSPF, EIGRP

Static Route Commands on ASA
ciscoasa(config)# route outside 20.0.0.0 255.0.0.0 15.0.0.2

RIP Commands on ASA
ciscoasa(config)# router rip
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0

OSPF Commands on ASA
ciscoasa(config)# router ospf 64
ciscoasa(config-router)# network 15.0.0.0 255.0.0.0 area 0
ciscoasa(config-router)# network 10.0.0.0 255.0.0.0 area 0

EIGRP Commands on ASA
ciscoasa(config)# router eigrp 10
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# exit

Verifying Commands

ciscoasa(config)# sh route
ciscoasa(config)# sh rip database
ciscoasa(config)# sh ospf interface
ciscoasa(config)# sh ospf neighbor
ciscoasa(config)# sh eigrp interfaces
ciscoasa(config)# sh eigrp neighbors

Lab # 11
DYNAMIC HOST CONFIGURATION PROTOCOL

The ASA firewall has features that let it be configured as a:

DHCP SERVER
DHCP CLIENT

DHCP SERVER

Configuration
Create POOL for Inside Hosts.

ciscoasa(config)# dhcpd address 10.0.0.51-10.0.0.61 inside

Enable DHCP on the ASA Firewall.

ciscoasa(config)# dhcpd enable inside

Verify Configuration by using following commands.

ciscoasa(config)# show dhcpd binding
ciscoasa(config)# show dhcpd state
ciscoasa(config)# clear dhcpd bindings
ciscoasa(config)# debug dhcpd events
ciscoasa(config)# debug dhcpd packet

DHCP CLIENT

Configuration

Step 1: Enable DHCP Client.

ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address dhcp

Step 2: Define a new scope for the IP address range.

Step 3: Verify Configuration by using following commands.

ciscoasa(config)# debug dhcpd events
ciscoasa(config)# debug dhcpd packet

Lab # 12
Demilitarized Zone

Configuration
Step 1: Assign IPs and Define Security Levels.

ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside

ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside

ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# ip address 30.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif dmz

(Note: nameif gives any interface not named inside a security-level of 0, so the dmz interface needs an explicit security-level between the outside (0) and inside (100) interfaces, otherwise dmz and outside sit at the same level and no traffic passes between them by default.)

Apply PAT for inside Users & Static NAT for the servers on the DMZ Interface.

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface

ciscoasa(config)# static (dmz,outside) 40.0.0.51 30.0.0.1
ciscoasa(config)# static (dmz,outside) 40.0.0.52 30.0.0.2

Establish an ACL to allow traffic from the lower security level (outside) to the servers. The ACL matches the mapped addresses 40.0.0.51 and 40.0.0.52, because on the software releases this manual's static/global syntax belongs to (8.2 and earlier) an interface ACL is evaluated against translated addresses.

ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.51 eq www
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.52 eq ftp
ciscoasa(config)# access-group 101 in interface outside

Verifying Commands

ciscoasa(config)# sh run access-list
ciscoasa(config)# sh run interface

Lab # 13
INTER-VLAN ROUTING WITH ASA

[Topology diagram: ASA Ethernet 0/1 10.0.0.10 (inside, host 10.0.0.1) and Ethernet 0/0 20.0.0.10 (outside, host 20.0.0.1); subinterfaces E0/2.30 30.0.0.10/8 (security-level 30) and E0/2.40 40.0.0.10/8 (security-level 40) trunked over Fa0/24 to a 2950 switch; web server 30.0.0.1/8 on VLAN 30 (Fa0/3) and FTP server 40.0.0.1/8 on VLAN 40 (Fa0/4).]

Configuration

ciscoasa(config)# interface Ethernet0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# no ip address
ciscoasa(config-if)# exit

ciscoasa(config)# interface Ethernet0/2.30
ciscoasa(config-if)# vlan 30
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif www
ciscoasa(config-if)# security-level 30
ciscoasa(config-if)# ip address 30.0.0.10 255.0.0.0

ciscoasa(config)# interface Ethernet0/2.40
ciscoasa(config-if)# vlan 40
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif ftp
ciscoasa(config-if)# security-level 40
ciscoasa(config-if)# ip address 40.0.0.10 255.0.0.0

After this configuration, inside (100) users can access the ftp (40) and www (30) services. If you want to allow outside users to access the FTP and web services, make an access-list to allow them:

ciscoasa(config)# access-list 101 permit tcp any host 30.0.0.1 eq ftp
ciscoasa(config)# access-group 101 in interface outside
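An added example (not from the manual) covering the rule stated here and used in Lab 12: a Python model of the ASA interface policy, where a new connection from a higher security-level interface to a lower one is allowed without an ACL, anything else needs a permit in the inbound ACL of the interface it enters, and once an access-group is applied to an interface that ACL alone decides. It follows the pre-8.3 behaviour of this manual, so an ACL on outside matches mapped addresses and the model untranslates them through the static entries; the class name, the connected networks and the dmz level of 50 used in the checks are assumptions.

```python
import ipaddress


class AsaPolicy:
    """Toy model of the ASA default interface policy (constructed, pre-8.3 semantics).

    A new connection entering interface X may leave through interface Y
    without any ACL when security-level(X) > security-level(Y). Otherwise
    the inbound ACL on X must permit it, and once an ACL is applied to X
    it alone decides, even for high-to-low traffic (implicit deny)."""

    def __init__(self):
        self.ifaces = {}    # nameif -> (security level, connected network)
        self.statics = {}   # mapped ip -> real ip, from 'static' commands
        self.acls = {}      # ingress nameif -> list of (proto, dst, port) permits

    def nameif(self, name, level, network):
        self.ifaces[name] = (level, ipaddress.ip_network(network))

    def static(self, mapped, real):
        self.statics[ipaddress.ip_address(mapped)] = ipaddress.ip_address(real)

    def access_group(self, ingress, permits):
        """Apply an inbound ACL; permits are (proto, dst, port) with dst an address or 'any'."""
        self.acls[ingress] = permits

    def egress_for(self, dst):
        """Find the interface whose network holds the (untranslated) destination."""
        real = self.statics.get(dst, dst)
        for name, (_, net) in self.ifaces.items():
            if real in net:
                return name
        raise ValueError(f"no route to {real}")

    def allows(self, ingress, proto, dst, port):
        """Is a new proto connection entering 'ingress' towards dst:port allowed?
        dst is the address as seen on the ingress side (the mapped one for outside)."""
        dst = ipaddress.ip_address(dst)
        egress = self.egress_for(dst)
        if ingress in self.acls:            # pre-8.3: ACL matches the mapped address
            return any(p == proto and d in (str(dst), "any") and pt == port
                       for p, d, pt in self.acls[ingress])
        # No ACL applied: default policy. Equal levels count as blocked here
        # because same-security-traffic is not enabled in the lab.
        return self.ifaces[ingress][0] > self.ifaces[egress][0]
```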

Switch configuration

Switch(config)#vlan 30
Switch(config-vlan)#name www
Switch(config)#vlan 40
Switch(config-vlan)#name ftp

Switch(config)#interface fa0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30

Switch(config)#interface fa0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 40

Switch(config)#interface fa0/24
Switch(config-if)#switchport mode trunk

Verifying Commands

ciscoasa(config)# sh run access-list
ciscoasa(config)# sh run interface

Lab # 14
MODULAR POLICY FRAMEWORK

Configuration
Step 1: Define Class Name.

ASA(config)# class-map http
ASA(config-cmap)# match port tcp eq 80

Step 2: Define Classes to the Policy Map

ASA(config)# policy-map esp
ASA(config-pmap)# class http
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# priority-queue inside
ASA(config)# service-policy esp interface inside

Step 3: Verify Results by IOS commands.

ASA# show service-policy

Lab # 15
SITE TO SITE VPN

[Topology diagram: ASA E0 15.0.0.1 over the WAN to RmtRouter Fa0/0 15.0.0.2; RmtRouter Fa0/1 20.0.0.10 serves the remote users, web server 20.0.0.1 and FTP server 20.0.0.2; ASA Ethernet 1 10.0.0.10 serves Host A 10.0.0.1 and Host B 10.0.0.2.]

Configuration
Site-to-Site VPN Configuration on ASA

ciscoasa(config)# crypto isakmp enable outside

ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# group 2

ciscoasa(config)# tunnel-group 15.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 15.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco123

ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0

ciscoasa(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac

ciscoasa(config)# crypto map outside_map 1 set peer 15.0.0.2
ciscoasa(config)# crypto map outside_map 1 set transform-set aset
ciscoasa(config)# crypto map outside_map 1 match address 101

ciscoasa(config)# crypto map outside_map interface outside



IPsec (Site-to-Site) VPN Wizard

[Screenshots of the IPsec (Site-to-Site) VPN wizard, not reproduced.]

CLIENTLESS WEB VPN

Unlike a standard IPsec VPN, which requires specific client software, Web VPN is a clientless remote-access VPN that uses a web browser to access a corporate network.

[Topology diagram: ASA E0 20.0.0.10 facing the WAN, with remote hosts 20.0.0.1 and 20.0.0.5 that have no VPN client; ASA Ethernet 1 10.0.0.10 serving Host A 10.0.0.1, local web server 10.0.0.2 and local FTP server 10.0.0.3.]

Configuration

SSL VPN Wizard

[Screenshots of the SSL VPN wizard, not reproduced.]

Verify results by accessing the Corporate Network.

Type username and password.

Step 3(A): Verify results by IOS commands.

ciscoasa# show running-config webvpn



REMOTE-ACCESS VPN
Remote-Access VPN provides secure communication with remote users who are working from home and connect through a modem or mobile link, but they must have the client hardware & client software running on their computers.

[Topology diagram: ASA E0 20.0.0.10 facing the WAN, with remote hosts 20.0.0.1 and 20.0.0.5 running the VPN client; ASA Ethernet 1 10.0.0.10 serving Host A 10.0.0.1, local web server 10.0.0.2 and local FTP server 10.0.0.3.]

Configuration

IPsec (Remote-access) VPN Wizard

[Screenshots of the IPsec (Remote-access) VPN wizard, not reproduced.]

