flow-export destination <interface-facing-netflow-server> <netflow-server-IP> <netflow-server-port(9998)>
access-list netflow-acl permit ip any any

class-map netflow_class
  match access-list netflow-acl
policy-map global_policy
  class netflow_class
    flow-export event-type <flow-create|flow-denied|flow-teardown|all> destination <netflow-server-IP>


!! NAT order: nat 0 -> Statics -> globals + nats (version 6 - 8.2)
!! nat-control - When enabled, NAT is required for traffic from low to high security level

!! NONAT - Pix 6 - 8.2
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat

!! NONAT - Pix 8.3+
!! For each VPN encryption domain (local/remote network pair), create a "nat" statement like the one below
object network Local_LAN
  subnet 192.168.0.0 255.255.0.0
object network Remote_LAN
  subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN

!! Dynamic NAT - Pix 8.3+
object network HideNATRange
  range 2.2.2.1 2.2.2.10
object network Local_LAN
  subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic HideNATRange

!! Hide NAT (Dynamic PAT) - Pix 6 - 8.2
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

!! Hide NAT (Dynamic PAT) - Pix 8.3+
object network Local_LAN
  subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic interface

!! Hide NAT Alternative - Pix 8.3+
object network inside-ANY
  subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic outside

!! Static NAT - Pix 6 - 8.2
static (inside,outside) 2.2.2.2 192.168.0.1 netmask 255.255.255.255
access-list outside permit ip any host 2.2.2.2

!! Static NAT - Pix 8.3+
object network 192.168.0.1
  host 192.168.0.1
nat (inside,outside) static 2.2.2.2
access-list outside permit ip any host 192.168.0.1

!! Static NAT with Port Translation - Pix 6 - 8.2
static (inside,outside) tcp interface 8080 192.168.0.1 80 netmask 255.255.255.255

!! Static NAT with Port Translation - Pix 8.3+ (ACL should reflect real ip and real port)
object network http-server
  host 192.168.0.1
nat (inside,outside) static interface service tcp 80 8080
access-list outside permit tcp any host 192.168.0.1 eq 80   !! real port (80), not the mapped port (8080)

Notes:

  • REGARDING 8.3+ NATS Auto Nat
  • Specified within the object
  • Cannot specify nat conditions based on source and destination together

  • REGARDING 8.3+ NATS Manual Nat
  • Specified outside the object
  • Allows translating the source and destination together, conditioned on both source and destination (i.e. the equivalent of ACL-based NAT with nat/global on pre-8.3)


configure terminal
config factory-default
write memory


  1. Reboot device
  2. At prompt, hit escape to break the boot sequence
  3. 'confreg' !! prompt will start with 'rommon #'
  4. Note your current configuration register (0x1 is the default)
  5. Choose 'Y' to change the configuration
  6. Accept all the defaults EXCEPT 'disable system configuration'. Set this to 'Y'
  7. 'boot'
  8. 'enable' after device has booted !! Just hit enter for the password
  9. 'copy startup-config running-config'
  10. Reset the passwords in 'conf t':

    password <password>
    enable password <password>
    username <username> password <password>

  11. 'config-register <value noted in step 4, 0x1 by default>'
  12. 'copy running-config startup-config'

Notes:

  • Must be performed via the console port (physical access to the device)



show ospf database
show ospf neighbor
debug ospf events


interface Ethernet0/1                !! inside for instance
 ospf cost 10
 ospf message-digest-key 1 md5 <md5 key>
 ospf authentication message-digest
interface Ethernet0/2                !! outside for instance
 ospf cost 10
 exit
router ospf 1
 network <internal ip> <internal network> area <area number>  !! Each network that we will advertise
 log-adj-changes
 redistribute rip subnets        !! redistribute RIP if needed !
 exit


prompt hostname state


same-security-traffic permit intra-interface

nat (Outside) 1 172.16.1.0 255.255.255.0
group-policy <name> attributes
  split-tunnel-policy tunnelall

Notes:

  • The last 3 lines allow traffic from a client-to-site VPN to pass through the firewall and out to the internet, i.e. no split tunneling


access-list no_inspect_ESMTP deny tcp <source> <destination> eq 25
access-list no_inspect_ESMTP permit tcp any any eq 25

class-map no_inspect_ESMTP
 match access-list no_inspect_ESMTP 
 exit

policy-map global_policy 
 class no_inspect_ESMTP 
  inspect ESMTP 
  exit 
 class inspection_default
  no inspect esmtp
  exit

Notes:

  • It's important that the last ACE is specific to tcp port 25 and not all IP traffic; if it is left as 'ip', traffic will break


access-list <ACL Name> permit <protocol> <host> <host> eq port> inactive

Notes:

  • This will overwrite the previous ACL entry, if it exists
  • Re-issue the ACL command without 'inactive' to re-enable the entry

