CISCO ASA – WORLDSKILLS MODULE C (EXTENDED CHEAT SHEET) ===================================== 1. INTERFACES / ZONES ===================================== interface g0/0 nameif outside security-level 0 ip address no shut interface g0/1 nameif inside security-level 100 ip address no shut interface g0/2 nameif dmz security-level 50 ip address no shut ===================================== 2. ROUTING ===================================== Default route: route outside 0.0.0.0 0.0.0.0 Static routes: route inside ===================================== 3. NAT ===================================== 3.1 PAT (Inside → Internet) object network LAN subnet nat (inside,outside) dynamic interface 3.2 Static NAT (1:1) object network SERVER host nat (dmz,outside) static 3.3 Port Forwarding object network WEB host nat (dmz,outside) static interface service tcp 80 80 3.4 NAT Exemption (VPN) object network LOCAL subnet object network REMOTE subnet nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup ===================================== 4. ACL ===================================== Inbound: access-list OUTSIDE-IN permit tcp any host eq 80 access-list OUTSIDE-IN permit tcp any host eq 443 access-group OUTSIDE-IN in interface outside ICMP: access-list OUTSIDE-IN permit icmp any any ===================================== 5. OBJECT GROUPS ===================================== object-group network SERVERS network-object network-object object-group service WEB tcp port-object eq 80 port-object eq 443 ===================================== 6. POLICY / INSPECTION ===================================== policy-map global_policy class inspection_default inspect icmp inspect ftp ===================================== 7. VPN (SITE-TO-SITE) ===================================== IKE: crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 14 IPsec: crypto ipsec ikev1 transform-set TS esp-aes esp-sha-hmac Interesting traffic: access-list VPN-ACL permit ip Crypto map: crypto map VPN-MAP 10 match address VPN-ACL crypto map VPN-MAP 10 set peer crypto map VPN-MAP 10 set ikev1 transform-set TS crypto map VPN-MAP interface outside Tunnel: tunnel-group type ipsec-l2l tunnel-group ipsec-attributes ikev1 pre-shared-key ===================================== 8. TROUBLESHOOTING ===================================== show route show nat show xlate show access-list show conn show arp show crypto ikev1 sa show crypto ipsec sa ===================================== 9. PACKET TRACER ===================================== packet-tracer input inside tcp 12345 80 packet-tracer input outside tcp 12345 443 ===================================== 10. COMMON MISTAKES ===================================== - Missing default route - Wrong NAT interface mapping - ACL applied wrong direction - No NAT exemption for VPN - Wrong interesting traffic ACL - Missing return route - Using wrong public/private IP in ACL - Forgetting access-group binding - Security-level misunderstanding - NAT order conflict (manual vs auto) ===================================== 11. EXAM FLOW ===================================== 1. Interfaces 2. Routing 3. NAT 4. ACL 5. VPN 6. Testing ===================================== 12. QUICK CHECK ===================================== show run show route show nat show access-list show crypto ikev1 sa show crypto ipsec sa