Day+3


1. Basic Configuration
A. Interface configuration
B. Security Levels
C. Management [Telnet / SSH]
D. Routing
- Static Routes
- RIPv2
- EIGRP
- OSPF
- BGP
2. NAT
A. Dynamic NAT
B. Static NAT
C. Dynamic PAT
D. Static PAT
E. Manual NAT
3. Access Policies (ACL & Basic Inspection)
4. Transparent firewall
A. Initialization
B. Access policies
C. Ethertype ACLs
5. Redundancy
A. Redundant Interfaces
B. Port-channels
C. Security Contexts
==================================================
-----------------------------------------------------------------------------------
Lab # 1 - Initialize the ASA Firewall based on the Diagram. Make sure it can reach the routers around it.
-----------------------------------------------------------------------------------

ASA

Interface Gig 0/0
nameif Outside
ip address 192.1.20.10 255.255.255.0
no shut
!
! nameif "Inside" gets security-level 100 automatically; any other name defaults to 0
Interface Gig 0/1
nameif Inside
ip address 10.11.11.10 255.255.255.0
no shut
!
Interface Gig 0/2
nameif DMZ-3
security-level 50
ip address 192.168.3.10 255.255.255.0
no shut
!
Interface Gig 0/3
nameif DMZ-4
security-level 50
ip address 192.168.4.10 255.255.255.0
no shut

Verification Commands:
show interface ip brief
show nameif

Default Traffic Flows:

Inside - To - Outside

- All traffic is allowed. Only TCP & UDP are inspected, so only their return traffic is allowed back automatically.

Telnet R1 to R2 - It should work.

Ping R1 to R2 - It will not work (ICMP is not inspected by default, so the echo-reply is blocked on the way back).

Outside - To - Inside (Initiated Traffic)

- No traffic is allowed from Outside (Low) towards Inside (High).

DMZ-3 - To - DMZ-4

No traffic is allowed as they have the same Security-Level. Even an ACL will not help.

-----------------------------------------------------------------------------------
Lab # 2 - Controlling Traffic Thru & To the Firewall - ICMP
-----------------------------------------------------------------------------------

Requirement # 1 : The Inside Network should be allowed to Ping the Outside Network.

Option A : Use an ACL

- An ACL on the firewall is a Named Extended ACL. It uses a normal (subnet) mask, not a wildcard mask. It only affects THRU traffic; it has no effect on traffic destined to the firewall interfaces themselves.

access-list OUTSIDE permit icmp any 10.11.11.0 255.255.255.0 echo-reply
!
access-group OUTSIDE in interface outside

Option B : Inspecting ICMP Traffic (the echo-reply is then matched to the outgoing echo and allowed back without an ACL)

policy-map global_policy
class inspection_default
inspect icmp

Requirement # 2 : Block ICMP on the Outside Interface. The firewall should be able to Ping the Outside Networks. Allow a Node on the Internet (150.5.5.1) to ping the outside interface.

The icmp command controls ICMP destined TO the firewall interface itself (the ACL above does not). Once any icmp rule exists on an interface, ICMP that is not explicitly permitted there is denied.

icmp permit any echo-reply outside
icmp permit host 150.5.5.1 echo outside

-----------------------------------------------------------------------------------
Lab # 3 - Allow full access between R3 & R4 without changing the Security level or applying an ACL
-----------------------------------------------------------------------------------
Note : By default, all traffic going between 2 interfaces with the same security
levels is blocked completely. Even an ACL will not help.

same-security-traffic permit inter-interface
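The default policy from Labs 1 to 3 as an added Python model (not part of the lab notes): it reads security levels out of the Lab 1 interface block and decides whether a new connection between two interfaces is allowed. The input text is constructed from the notes; the rule that a nameif of "inside" defaults to level 100 and everything else to 0 is an ASA behaviour assumed here.

```python
"""Added example: ASA default inter-interface policy from Labs 1-3."""
import re

# Constructed input: the Lab 1 interface block (same values as the notes).
LAB1_INTERFACES = """
interface Gig 0/0
 nameif Outside
 ip address 192.1.20.10 255.255.255.0
interface Gig 0/1
 nameif Inside
 ip address 10.11.11.10 255.255.255.0
interface Gig 0/2
 nameif DMZ-3
 security-level 50
interface Gig 0/3
 nameif DMZ-4
 security-level 50
"""


def parse_security_levels(config: str) -> dict:
    """Map nameif -> security level.
    Assumption (ASA default): an interface named 'inside' gets 100, any other
    name gets 0, unless an explicit 'security-level' line overrides it."""
    levels, name = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*nameif\s+(\S+)", line)
        if m:
            name = m.group(1)
            levels[name] = 100 if name.lower() == "inside" else 0
            continue
        m = re.match(r"\s*security-level\s+(\d+)", line)
        if m and name is not None:
            levels[name] = int(m.group(1))
    return levels


def default_action(levels, src_if, dst_if, acl_permits=False,
                   same_security_inter=False):
    """Decision for a NEW connection initiated from src_if towards dst_if,
    following the rules stated in the notes (no ACL on the high-side interface):
      high -> low : allowed
      low  -> high: blocked unless an ACL on the ingress interface permits it
      same level  : blocked even with an ACL, unless
                    'same-security-traffic permit inter-interface' is set."""
    s, d = levels[src_if], levels[dst_if]
    if s > d:
        return "allow"
    if s < d:
        return "allow" if acl_permits else "deny"
    return "allow" if same_security_inter else "deny"
```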

-----------------------------------------------------------------------------------
Lab # 4 - Management Access
-----------------------------------------------------------------------------------

Requirement # 1 : Allow the Inside & DMZ-3 Administrator to manage the Firewall
remotely. Configure the ASA with a Telnet password of cisco123 and allow the
10.11.11.0/24 & 192.168.3.0/24 networks to access it for Telnet.

Enable the Telnet Service on the Inside & DMZ-3 interface and specify the allowed Network

telnet 10.11.11.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 dmz-3

Configure a Password for Telnet

passwd cisco123

Requirement # 2 : Allow the Outside & DMZ-3 Administrator to manage the Firewall
remotely. Configure the ASA with a Username admin1 with a password of cisco123 and
allow the 192.1.20.0/24 & 192.168.3.0/24 networks to access it for SSH.

Configure the Username and Password in the Local Database

username admin1 password cisco123

Generate a RSA Key Pair for the ASA (a domain name must be set first; 1024 is the lab value, larger moduli are the norm outside the lab)

domain-name cisco.com
crypto key generate rsa modulus 1024

Enable the SSH Service on the Outside & DMZ-3 interface and specify the allowed Network

ssh 192.1.20.0 255.255.255.0 outside
ssh 192.168.3.0 255.255.255.0 dmz-3

Configure SSH to authenticate to the LOCAL username/password Database

aaa authentication ssh console LOCAL

-----------------------------------------------------------------------------------
Lab # 5 - Static Routes
-----------------------------------------------------------------------------------

Static Route Syntax:

route [Exit Interface] [Destination Network] [Mask] [Next-hop]

- Create a static route for the 10.10.10.0/24. This network is behind R1.
route inside 10.10.10.0 255.255.255.0 10.11.11.1

- Configure a Default Gateway on the ASA Firewall pointing towards R2.

route outside 0 0 192.1.20.2

-----------------------------------------------------------------------------------
Lab # 6 - Configure RIPv2 on the ASA to communicate to R3 & R4. Authenticate the RIP neighbor relationships using MD5
-----------------------------------------------------------------------------------

Basic RIPv2 Configuration on the ASA, R3 & R4

R3

router rip
version 2
no auto-summary
network 192.168.3.0
network 10.0.0.0

R4

router rip
version 2
no auto-summary
network 192.168.4.0
network 10.0.0.0

ASA

router rip
version 2
no auto-summary
network 192.168.4.0
network 192.168.3.0

Authentication

R3

key chain ABC
key 1
key-string cisco123
!
Interface E 0/0
ip rip authentication mode md5
ip rip authentication key-chain ABC

R4

key chain ABC
key 1
key-string cisco123
!
Interface E 0/0
ip rip authentication mode md5
ip rip authentication key-chain ABC

ASA

Interface Gig 0/2
rip authentication mode md5
rip authentication key cisco123 key_id 1
!
Interface Gig 0/3
rip authentication mode md5
rip authentication key cisco123 key_id 1

-----------------------------------------------------------------------------------
Lab # 7 - Configure EIGRP on the ASA in AS 111 to communicate to R1. Authenticate the EIGRP neighbor relationship using MD5
-----------------------------------------------------------------------------------

Basic EIGRP Configuration on the ASA & R1

R1

router eigrp 111
no auto-summary
network 10.0.0.0

ASA

router eigrp 111
no auto-summary
network 10.11.11.0 255.255.255.0

Authentication

R1

key chain ABC
key 1
key-string cisco123
!
Interface E 0/0
ip authentication mode eigrp 111 md5
ip authentication key-chain eigrp 111 ABC

ASA

Interface Gig 0/1
authentication mode eigrp 111 md5
authentication key eigrp 111 cisco123 key-id 1

-----------------------------------------------------------------------------------
Lab # 8 - Configure OSPF on the ASA in Area 0 to communicate to R2. Authenticate the OSPF neighbor relationship using MD5
-----------------------------------------------------------------------------------

Basic OSPF Configuration on the ASA & R2

R2

router ospf 1
router-id 0.0.0.2
network 10.2.2.0 0.0.0.255 area 0
network 192.1.20.0 0.0.0.255 area 0

ASA

router ospf 1
router-id 0.0.0.10
network 192.1.20.0 255.255.255.0 area 0

Authentication

R2

Interface E 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123

ASA

Interface Gig 0/0
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco123

-----------------------------------------------------------------------------------
Lab # 9 - Redistribute the Routing Domains on the ASA Firewall
-----------------------------------------------------------------------------------

ASA

Into RIP

router rip
redistribute static
redistribute ospf 1 metric 1
redistribute eigrp 111 metric 1

Into EIGRP

router eigrp 111
redistribute static
redistribute ospf 1 metric 10 10 10 10 10
redistribute rip metric 10 10 10 10 10

Into OSPF

router ospf 1
redistribute static subnets
redistribute eigrp 111 subnets
redistribute rip subnets

-----------------------------------------------------------------------------------
Lab # 10 - Configure BGP between R2 (AS 200) and the ASA (AS 1000) to exchange BGP updates
-----------------------------------------------------------------------------------

R2

router bgp 200
network 199.1.1.0
network 200.1.1.0
neighbor 192.1.20.10 remote-as 1000
neighbor 192.1.20.10 password cisco123

ASA

router bgp 1000
address-family ipv4 unicast
neighbor 192.1.20.2 remote-as 200
neighbor 192.1.20.2 activate
neighbor 192.1.20.2 password cisco123
!
router eigrp 111
redistribute bgp 1000 metric 10 10 10 10 10
!
router rip
redistribute bgp 1000 metric 1

-----------------------------------------------------------------------------------
Lab # 11 - Configuring Dynamic NAT
-----------------------------------------------------------------------------------

- Translates Private IP's to Public IP's to conserve Public Internet IP Address space.
- In Dynamic NAT, you create a pool of Public IPs.
- You link it to the internal addresses that are allowed to use the Pool of Public IPs.
- When an internal device tries to go out, the firewall picks an unused IP address from the Pool and translates the source to it.
- It keeps the translation in a table known as the Translation (xlate) table.
- When the packet returns, the Destination gets untranslated back to the original IP and is sent back to the original device.
- It is generally configured to allow internal devices going towards the Internet.

Configuration:

! 1. Configure a Pool of Public IP Addresses

object network POOL-A
range 192.1.20.51 192.1.20.200

! 2. Specify the NAT Statement to link the internal network that is allowed to use the POOL

Syntax :

object network [NAME]
subnet [INSIDE NETWORK]
nat (HIGH,LOW) dynamic POOL-A

object network NET-10.11.11.0
subnet 10.11.11.0 255.255.255.0
nat (Inside,Outside) dynamic POOL-A

-----------------------------------------------------------------------------------
Lab # 12 - Configuring Static NAT
-----------------------------------------------------------------------------------

- Translates Private IP's to Public IP's to conserve Public Internet IP Address space.
- In Static NAT, you manually create an entry in the translation table, whereas in Dynamic NAT a user initiates a flow for an entry to be created.
- Static NAT is generally used to translate the Public facing servers on the DMZ. The reason for that is the clients from the Internet will need a fixed IP address to send their request to.
- Although you have translated your Servers for the Internet users, at this point they will not be able to access the servers. You still need to take care of the Traffic flow (Low to High is blocked by default).
- From Outside to Inside, the Firewall in 9.x translates the flow before checking the ACL, so the ACL must reference the real (DMZ) address, not the mapped one.

Requirement:

Translate the following servers:

192.168.3.11 - 192.1.20.21 - Web Server (80,443)
192.168.3.12 - 192.1.20.22 - DNS (53)
192.168.3.13 - 192.1.20.23 - E-mail (25)
192.168.3.3 - 192.1.20.24 - Telnet/ICMP

Configure the ACL to allow access to these servers

Configuration:

! 1. Specify the NAT Statement to link the internal address to the Public address.

Syntax :

object network [NAME]
host [HIGH ADDRESS]
nat (HIGH,LOW) static [LOW ADDRESS]

object network WWW1
host 192.168.3.11
nat (DMZ-3,Outside) static 192.1.20.21
!
object network DNS1
host 192.168.3.12
nat (DMZ-3,Outside) static 192.1.20.22
!
object network EMAIL1
host 192.168.3.13
nat (DMZ-3,Outside) static 192.1.20.23
!
object network R3
host 192.168.3.3
nat (DMZ-3,Outside) static 192.1.20.24

! 2. ACL on the Outside interface, written against the REAL (DMZ) addresses because the ASA untranslates before the ACL check
access-list OUTSIDE permit tcp any host 192.168.3.11 eq 80
access-list OUTSIDE permit tcp any host 192.168.3.11 eq 443
access-list OUTSIDE permit udp any host 192.168.3.12 eq 53
access-list OUTSIDE permit tcp any host 192.168.3.13 eq 25
access-list OUTSIDE permit tcp any host 192.168.3.3 eq 23
access-list OUTSIDE permit icmp any host 192.168.3.3
!
access-group OUTSIDE in interface outside

-----------------------------------------------------------------------------------
Lab # 13 - Configuring Destination NAT
-----------------------------------------------------------------------------------

Requirement: R3 is a non-routable device. You want a remote IP (199.1.1.1) to communicate to it. It should be seen on the local network as 192.168.3.99

Syntax :

object network [NAME]
host [Source]
nat (Source,Destination) static [Destination]
!
object network H-199
host 199.1.1.1
nat (outside,dmz-3) static 192.168.3.99

-----------------------------------------------------------------------------------
Lab # 14 - Configuring Dynamic PAT
-----------------------------------------------------------------------------------

- Dynamic PAT allows multiple Internal devices to go out to the Internet using a Single Common IP.
- The translation table uses the randomly generated source Port number of each flow to keep its entry unique.
- In case 2 internal devices use the same random source port, the ASA will change the Source IP and the Source Port number in the outgoing packet to keep it unique.

Requirement:

The Network 10.1.1.0/24 should be able to go out using a Single Public IP of 192.1.20.41

Configuration:

object network NET-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) dynamic 192.1.20.41

or, using the Outside interface address itself as the common IP:

object network NET-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface

-----------------------------------------------------------------------------------
Lab # 14 - Configuring Static PAT
-----------------------------------------------------------------------------------

- Translates Private IP's to Public IP's to conserve Public Internet IP Address space.
- In Static PAT, you manually create an entry in the translation table, whereas in Dynamic NAT a user initiates a flow for an entry to be created.
- Static PAT is generally used to translate the Public facing servers on the DMZ. The reason for that is the clients from the Internet will need a fixed IP address to send their request to.
- In Static PAT, we create an entry manually based on a common IP address but with separate port numbers.
- Although you have translated your Servers for the Internet users, at this point they will not be able to access the servers. You still need to take care of the Traffic flow.
- From Outside to Inside, the Firewall in 9.x translates the flow before checking the ACL, so the ACL references the real address and the real port.

Requirement:

Translate the following servers:

192.168.4.11 - 192.1.20.42 - Web Server (80)
192.168.4.12 - 192.1.20.42 - DNS (53)
192.168.4.13 - 192.1.20.42 - E-mail (25)
192.168.4.4 - 192.1.20.42 - Telnet

Configure the ACL to allow access to these servers

Configuration:

! 1. Specify the NAT Statement to link the internal address to the Public address.

Syntax :

object network [NAME]
host [HIGH ADDRESS]
nat (HIGH,LOW) static [LOW ADDRESS] service [TCP/UDP] [HIGH] [LOW]

object network WWW2
host 192.168.4.11
nat (DMZ-4,Outside) static 192.1.20.42 service tcp 80 80
!
object network DNS2
host 192.168.4.12
nat (DMZ-4,Outside) static 192.1.20.42 service udp 53 53
!
object network EMAIL2
host 192.168.4.13
nat (DMZ-4,Outside) static 192.1.20.42 service tcp 25 25
!
! R4 Telnet is reached from the Outside on port 2399 of the common IP; the real port stays 23
object network R4
host 192.168.4.4
nat (DMZ-4,Outside) static 192.1.20.42 service tcp 23 2399
!
! 2. ACL written against the REAL addresses and REAL ports (hence "eq 23", not 2399)
access-list OUTSIDE permit tcp any host 192.168.4.11 eq 80
access-list OUTSIDE permit udp any host 192.168.4.12 eq 53
access-list OUTSIDE permit tcp any host 192.168.4.13 eq 25
access-list OUTSIDE permit tcp any host 192.168.4.4 eq 23
!
access-group OUTSIDE in interface outside
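The inbound packet path that Labs 12 and 14 rely on (untranslate first, then evaluate the ACL against the real address and port), as an added Python model that is not part of the lab notes. The NAT rules and ACL entries are constructed from the two labs above; the order "NAT lookup, then ACL" is the 9.x behaviour the notes describe.

```python
"""Added example: ASA 9.x inbound order of operations for static NAT/PAT."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class StaticRule:
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None        # None = whole-host static NAT (Lab 12)
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None  # static PAT (Lab 14)


# Constructed from the nat statements in Labs 12 and 14.
NAT_RULES = [
    StaticRule("192.168.3.11", "192.1.20.21"),
    StaticRule("192.168.3.3",  "192.1.20.24"),
    StaticRule("192.168.4.11", "192.1.20.42", "tcp", 80, 80),
    StaticRule("192.168.4.12", "192.1.20.42", "udp", 53, 53),
    StaticRule("192.168.4.4",  "192.1.20.42", "tcp", 23, 2399),
]

# ACL OUTSIDE, written against REAL addresses/ports: (proto, real_ip, port or None).
ACL_OUTSIDE = [
    ("tcp",  "192.168.3.11", 80),
    ("tcp",  "192.168.3.11", 443),
    ("tcp",  "192.168.3.3",  23),
    ("icmp", "192.168.3.3",  None),
    ("tcp",  "192.168.4.11", 80),
    ("udp",  "192.168.4.12", 53),
    ("tcp",  "192.168.4.4",  23),
]


def untranslate(proto: str, dst_ip: str, dst_port: Optional[int]) -> Tuple[str, Optional[int]]:
    """Step 1: map the packet's (mapped) destination to the real host/port.
    Whole-host static NAT keeps the port; static PAT matches on proto+port.
    If nothing matches, the destination is left untouched."""
    for r in NAT_RULES:
        if r.mapped_ip != dst_ip:
            continue
        if r.proto is None:
            return r.real_ip, dst_port
        if r.proto == proto and r.mapped_port == dst_port:
            return r.real_ip, r.real_port
    return dst_ip, dst_port


def acl_permits(proto: str, real_ip: str, real_port: Optional[int]) -> bool:
    """Step 2: evaluate the ingress ACL on the untranslated packet."""
    for a_proto, a_ip, a_port in ACL_OUTSIDE:
        if a_proto == proto and a_ip == real_ip and (a_port is None or a_port == real_port):
            return True
    return False  # implicit deny at the end of every ACL


def inbound(proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """Outside -> DMZ decision for one packet: 'permit' or 'deny'."""
    real_ip, real_port = untranslate(proto, dst_ip, dst_port)
    return "permit" if acl_permits(proto, real_ip, real_port) else "deny"
```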

-----------------------------------------------------------------------------------
Lab # 15 - Configuring Policy NAT / Manual NAT
-----------------------------------------------------------------------------------

- Normally when translation is taking place, the Firewall looks at either the Source or the Destination IP address in the packet to match for NAT entries.
- Policy NAT allows you to match on the whole flow (source and destination together) to perform the NAT lookup.
- This is also referred to as Manual NAT. Manual NAT has the highest priority in case of a conflict.

Requirement:

R1 (10.11.11.1) should be translated to 192.1.20.36 when it is communicating to 199.1.1.1
R1 (10.11.11.1) should be translated to 192.1.20.37 when it is communicating to 200.1.1.1
Don't forget that you already have the normal Dynamic NAT for the network 10.11.11.0/24 for the pool from 192.1.20.51-192.1.20.200.

Configuration:

! 1. Create an object for each IP that will be used

object network R1
host 10.11.11.1
object network D1
host 199.1.1.1
object network D2
host 200.1.1.1
object network X1
host 192.1.20.36
object network X2
host 192.1.20.37

! 2. Create the manual/policy nat entries to define the translations based on the flow

nat (inside,outside) source static R1 X1 destination static D1 D1
nat (inside,outside) source static R1 X2 destination static D2 D2
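How the ASA picks a source translation for an outbound Inside to Outside flow in Labs 11 and 15, as an added Python model (not the lab notes' own material): manual NAT entries are checked first and match on source plus destination; only then does the per-object dynamic NAT hand out an unused address from POOL-A and record it in the translation table. The rule lists are constructed from the two labs; the pool-exhaustion case is included as an assumption of how a full pool behaves.

```python
"""Added example: manual NAT before object NAT, with dynamic pool allocation."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Lab 15, manual NAT (section 1): (real_host, mapped_host, destination_host)
MANUAL_NAT: List[Tuple[str, str, str]] = [
    ("10.11.11.1", "192.1.20.36", "199.1.1.1"),
    ("10.11.11.1", "192.1.20.37", "200.1.1.1"),
]
# Lab 11, object NAT (section 2): (real_network, (pool_first, pool_last))
AUTO_NAT = [(ipaddress.ip_network("10.11.11.0/24"), ("192.1.20.51", "192.1.20.200"))]


class Xlator:
    """Order of NAT lookup for one outbound packet; keeps dynamic xlates."""

    def __init__(self, manual=MANUAL_NAT, auto=AUTO_NAT):
        self.manual, self.auto = manual, auto
        self.xlate: Dict[str, str] = {}   # real_ip -> pool address in use
        self.in_use: Set[str] = set()

    def _pool_pick(self, first: str, last: str) -> Optional[str]:
        """Dynamic NAT: lowest unused address in the range, None when exhausted."""
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        for n in range(lo, hi + 1):
            ip = str(ipaddress.ip_address(n))
            if ip not in self.in_use:
                self.in_use.add(ip)
                return ip
        return None

    def translate(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Mapped source for src_ip -> dst_ip, or None if the pool is exhausted."""
        # Section 1: manual NAT wins and needs no table state (static mapping).
        for real, mapped, dst in self.manual:
            if src_ip == real and dst_ip == dst:
                return mapped
        # Existing dynamic entry: reused for any destination while it lives.
        if src_ip in self.xlate:
            return self.xlate[src_ip]
        # Section 2: object NAT matches on the source network only.
        for net, (first, last) in self.auto:
            if ipaddress.ip_address(src_ip) in net:
                mapped = self._pool_pick(first, last)
                if mapped is not None:
                    self.xlate[src_ip] = mapped
                return mapped
        return src_ip  # no rule: forwarded untranslated
```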

-----------------------------------------------------------------------------------
Lab # 16 - Initializing a Transparent Firewall
-----------------------------------------------------------------------------------

- Transparent mode allows the ASA to act as a L2 device with Firewall capabilities.
- This allows the Service Provider to terminate MPLS VPN connections at the internal routers while maintaining the security policies / standards that require the first device to be a Firewall.

Basic Configuration

R1

hostname R1
!
no ip domain-lookup
line con 0
logging synchronous
no exec-timeout
!
Interface E 0/0
ip address 192.1.10.1 255.255.255.0
no shut
!
Interface loopback 0
ip address 1.1.1.1 255.0.0.0
!
line vty 0 4
password cisco
login
transport input all

R2

hostname R2
!
no ip domain-lookup
line con 0
logging synchronous
no exec-timeout
!
Interface E 0/0
ip address 192.1.10.2 255.255.255.0
no shut
!
Interface loopback 0
ip address 2.2.2.2 255.0.0.0
!
line vty 0 4
password cisco
login
transport input all

R3

hostname R3
!
no ip domain-lookup
line con 0
logging synchronous
no exec-timeout
!
Interface E 0/0
ip address 192.1.10.3 255.255.255.0
no shut
!
Interface loopback 0
ip address 3.3.3.3 255.0.0.0
!
line vty 0 4
password cisco
login
transport input all

Requirement:

Configure the ASA as a Transparent Firewall. Link the Gig 0/0 and Gig 0/1
interfaces into a single Bridge Group. Configure a Bridge Virtual Interface (BVI)
on the ASA with an IP Address of 192.1.10.10.

! 1. Configure the Firewall as a Transparent Firewall

firewall transparent

! 2. Configure the Interfaces

Interface E0
nameif Outside
bridge-group 11
no shut
!
Interface E1
nameif Inside
bridge-group 11
no shut

! 3. Configure the BVI Interface to enable IP on the Firewall. This can also be used for Remote Management of the Firewall

Interface BVI 11
ip address 192.1.10.10 255.255.255.0

Note: At this point, the firewall works with the same default policies as a normal L3 ASA

( High - To - Low Allowed - Inspected for TCP & UDP)
( Low - To - High Blocked - ACL required)

-----------------------------------------------------------------------------------
Lab # 17 - Access Policies thru the ASA
-----------------------------------------------------------------------------------

Requirement: R1 should be able to Ping 192.1.10.2. R1 should be able to Telnet to R3.

access-list OUTSIDE permit icmp host 192.1.10.1 host 192.1.10.2 echo
access-list OUTSIDE permit tcp host 192.1.10.1 host 192.1.10.3 eq 23
!
access-group OUTSIDE in interface Outside

-----------------------------------------------------------------------------------
Lab # 18 - Configure Routing between R1, R2 & R3.
-----------------------------------------------------------------------------------

R1

router eigrp 111
network 192.1.10.0
network 1.0.0.0

R2

router eigrp 111
network 192.1.10.0
network 2.0.0.0

R3

router eigrp 111
network 192.1.10.0
network 3.0.0.0

ASA

! EIGRP hellos are sent to multicast 224.0.0.10, so that destination must be permitted along with the unicast peers
access-list OUTSIDE permit eigrp host 192.1.10.1 host 192.1.10.2
access-list OUTSIDE permit eigrp host 192.1.10.1 host 192.1.10.3
access-list OUTSIDE permit eigrp host 192.1.10.1 host 224.0.0.10
!
access-list INSIDE permit ip any any
access-group INSIDE in interface Inside

-----------------------------------------------------------------------------------
Lab # 19 - Configure the ASA to allow MPLS to work thru the Firewall
-----------------------------------------------------------------------------------

! 0x8847 is the MPLS unicast EtherType; EtherType ACLs are only available in transparent mode
access-list ABC ethertype permit 0x8847
!
access-group ABC in interface Outside
access-group ABC in interface inside

-----------------------------------------------------------------------------------
Lab # 20 - Configure Redundant Interfaces for the ASA
-----------------------------------------------------------------------------------

- Redundant Interfaces allow you to combine multiple interfaces into a single logical interface.
- Although you might have multiple interfaces combined into a single interface, only one of them is forwarding at a time.
- Prior to 8.4, this was the only Interface level redundancy feature.

Configuration:

Switch Configuration

Interface range E 0/0 - 2
switchport mode access
switchport access vlan 10

ASA

! 1. Bring up the Physical Ports

Interface E2
no shut
!
Interface E3
no shut

! 2. Create the Redundant Interface and assign the Physical Ports to it.

Interface redundant 1
member-interface E2
member-interface E3
no shut

! 3. Configure the normal Interface characteristics

Interface Redundant 1
nameif Inside
ip add 10.11.11.10 255.255.255.0
mac-address 0001.1111.AAAA

Note: To manually specify the Active Interface, use "redundant-interface redundant 1 active-member E3".

-----------------------------------------------------------------------------------
Lab # 21 - Configure Port-channel for the ASA
-----------------------------------------------------------------------------------

Switch Configuration

Interface range E 0/1 - 2
channel-group 20 mode active
!
Interface port-channel 20
switchport mode access
switchport access vlan 20
!
Interface E 0/0
switchport mode access
switchport access vlan 20

Note: On Eve, make sure to manually do the VLAN Assignment command under the Physical ports

Interface range E 0/1 - 2
switchport mode access
switchport access vlan 20

ASA

! 1. Configure the Physical Ports to be members of the same Port-channel

Interface E0
channel-group 1 mode active
no shut
!
Interface E1
channel-group 1 mode active
no shut

! 2. Configure the normal commands under the Port-Channel Interface

Interface port-channel 1
nameif Outside
ip address 192.1.20.10 255.255.255.0
mac-address 0001.aaaa.bbbb
no shut

-----------------------------------------------------------------------------------
Lab # 22 - Configure ASA in a Multi-Context Mode
-----------------------------------------------------------------------------------

! 1. Change the Mode of the Firewall to Multi-Context

mode multiple

Notes:

- This will restart the device in Multi-Context Mode. You will be put into the
System Context. It will have one additional context created by default. It is the
Admin Context called Admin.

- You now need to create the other context with the appropriate interfaces and
specify the Startup-Config name for each context.

! 2. Create the Contexts

! A. Bring up the Interfaces

Interface E0
no shut
Interface E1
no shut
Interface E2
no shut
Interface E3
no shut

! B. Create the Context and assign the Resources to it.

context SALES
allocate-interface E0
allocate-interface E1
config-url flash:SALES.cfg
!
context MARK
allocate-interface E2 OUT
allocate-interface E3 INS
config-url flash:MARK.cfg

! 3. Configure the individual contexts

SALES

changeto context SALES
!
Interface E0
nameif Outside
ip address 192.1.10.11 255.255.255.0
!
Interface E1
nameif Inside
ip address 10.30.30.11 255.255.255.0
!
route Outside 0 0 192.1.10.1
!
object network POOL-A
range 192.1.10.51 192.1.10.200
object network NET-10.30.30
subnet 10.30.30.0 255.255.255.0
nat (Inside,Outside) dynamic POOL-A
!
telnet 10.30.30.0 255.255.255.0 inside
passwd cisco123

MARK

changeto context MARK
!
! Inside this context the interfaces are seen under the aliases given with allocate-interface (OUT / INS)
Interface OUT
nameif Outside
ip address 192.1.20.21 255.255.255.0
!
Interface INS
nameif Inside
ip address 10.40.40.21 255.255.255.0
!
route Outside 0 0 192.1.20.2
!
object network POOL-A
range 192.1.20.51 192.1.20.200
object network NET-10.40.40
subnet 10.40.40.0 255.255.255.0
nat (Inside,Outside) dynamic POOL-A
!
object network R4
host 10.40.40.4
nat (Inside,Outside) static 192.1.20.4
!
! ACL uses the real (untranslated) address, as in Lab 12
access-list OUTSIDE permit tcp any host 10.40.40.4 eq 23
access-list OUTSIDE permit icmp any host 10.40.40.4
!
access-group OUTSIDE in interface outside
!
telnet 10.40.40.0 255.255.255.0 inside
passwd cisco123
