!! NAT order: nat 0 -> Statics -> globals + nats (version 6 - 8.2)
!! nat-control - When enabled, NAT is required from low to high security level

!! NONAT - Pix 6 - 8.2
access-list nonat permit ip
nat (inside) 0 access-list nonat

!! NONAT - Pix 8.3+
!! For each encryption network, create a "nat" statement like the one below
object network Local_LAN
object network Remote_LAN
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN

!! Dynamic NAT - Pix 8.3+
object network HideNATRange
object network Local_LAN
nat (inside,outside) dynamic HideNATRange

!! Hide NAT (Dynamic PAT) - Pix 6 - 8.2
nat (inside) 1
global (outside) 1 interface

!! Hide NAT (Dynamic PAT) - Pix 8.3+
object network Local_LAN
nat (inside,outside) dynamic interface

!! Hide NAT Alternative - Pix 8.3+
object network inside-ANY
nat (inside,outside) dynamic outside

!! Static NAT - Pix 6 - 8.2
!! One-to-one translation of an inside host/network, followed by the ACL entry that admits traffic to it.
!! The ACL named 'outside' is presumably bound to the outside interface with access-group (not shown here).
!! NOTE(review): 'permit ip any host' opens every protocol and port on the published host to any source;
!! narrow the entry to the protocol and ports the server actually has to offer.
static (inside,outside) net mask
access-list outside permit ip any host

!! Static NAT - Pix 8.3+
!! Same one-to-one translation, written as auto NAT inside a network object.
!! NOTE(review): the ACL entry is as broad as in the pre-8.3 form above; restrict it to the required
!! protocol and ports before using it for a published server.
object network
nat (inside,outside) static
access-list outside permit ip any host

!! Static NAT with Port Translation - Pix 6 - 8.2
static (inside,outside) tcp interface 8080 80 net mask

!! Static NAT with Port Translation - Pix 8.3+ (ACL should reflect real ip and real port)
!! In 'service tcp 80 8080' the first port is the real (server) port and the second is the mapped port.
!! NOTE(review): the heading says the ACL must use the real port, but the entry below matches the mapped
!! port 8080. With real port 80 the entry would be expected to read 'eq 80' -- confirm before use.
object network http-server
nat (inside,outside) static interface service tcp 80 8080
access-list outside permit tcp any host eq 8080


  • REGARDING 8.3+ NATS Auto Nat
  • Specified within the object
  • Cannot specify nat conditions based on source and destination together

  • REGARDING 8.3+ NATS Manual Nat
  • Specified outside the object
  • Allows for specifying translating the source and destination based on the source / destination (ie an ACL NAT with nat/global on pre-8.3)

[ # ]

flow-export destination <interface-facing-netflow-server> <netflow-server-IP> <netflow-server-port(9998)>
access-list netflow-acl permit ip any any

class-map netflow_class
  match access-list netflow-acl
policy-map global_policy
  class netflow_class
    flow-export event-type <flow-create|flow-denied|flow-teardown|all> destination <netflow-server-IP>

[ # ]

boot system flash:/<new-imagename>
no boot system flash:/<old-imagename>

[ # ]

!! L2TP over IPsec remote access for native Android clients (IKEv1, pre-shared key).
!! As of writing this, some (or all) versions of Android do not support AES 256 so AES 128 is in use here
!! NOTE(review): this phase 1 policy is AES-128 / SHA-1 / DH group 2 (1024-bit MODP) with a 24 hour lifetime.
!! Group 2 and SHA-1 are weak by current standards; use a stronger group and hash if the clients support them.
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

!! Configure NAT-T for Android phones (lets IPsec work when the client sits behind a NAT device)
crypto isakmp nat-traversal

!! Configure the phase 2 transform set for Android
!! L2TP/IPsec uses transport mode, hence the second line.
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport

!! Assign the transform-set to the first dynamic-map if possible
!! note, aes-256-sha is a previously used transform-set I use with my iphone
!! (aes-256-sha is defined elsewhere; it is listed first, so it is preferred when the peer offers it)
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport

!! Configure l2tp group-policy
!! NOTE(review): DfltGrpPolicy is inherited by every group-policy that does not override the setting,
!! so this enables l2tp-ipsec more widely than for the Android users alone.
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec

!! Configure tunnel-group to use the required PSK and pool
!! NOTE(review): this pre-shared key is common to every client that connects through DefaultRAGroup.
!! Use a long random value, and remember that changing it affects every device using this group.
tunnel-group DefaultRAGroup general-attributes
 address-pool <ip-pool>
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

!! Configure the group-policy that the username is locked to so that it also accepts l2tp
group-policy <group-policy-related-to-lock> attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec <etc>

!! Configure username with mschap encryption and lock to the required group-policy
!! NOTE(review): the 'mschap' keyword stores the password as an MD4 hash of its Unicode form so that
!! MS-CHAP can be used. That format is weak against offline guessing if the configuration leaks, so
!! use strong passwords and protect configuration backups.
username <username> password <password> mschap
username <username> attributes
  vpn-group-policy <group-policy-related-to-group>

[ # ]

In order to create a read-only account for ASDM access, you need to ensure the following command is set for the privilege level at which you want to permit read-only access:

privilege cmd level 5 mode exec command more


[ # ]

!! Define the traffic that will require the custom timeout

access-list <Match-ACL-Name> extended permit <traffic-to-match>
!! Define the class-map with the match of the ACL above

class-map <Class-Map-Name>
 match access-list <Match-ACL-Name>
!! Define the policy-map to be applied to an interface
!! Note: Only one policy-map can be defined per interface. If you have one already defined for an interface, add the 'class' and settings to the existing policy-map

policy-map <Policy-Map-Name>
 class <Class-Map-Name>
  set connection timeout idle <Timeout-in-HH:MM:SS-Format>
!! Note: Only one policy-map can be defined per interface. If you have one already defined for an interface, the following line is not necessary

service-policy <Policy-Map-Name> interface <interface> 


!! Worked example: 24 hour idle timeout for SSH sessions started by hosts in object-group SSH_24Hour_Hosts.
!! The ACL only selects traffic for the class-map; it does not permit or deny anything by itself.
access-list SSH-24Hour-ACL extended permit tcp object-group SSH_24Hour_Hosts any eq 22

class-map SSH-24Hour-ClassMap
 match access-list SSH-24Hour-ACL

!! NOTE(review): with this setting an abandoned session can stay in the connection table for up to
!! 24 hours, so keep the object-group limited to the hosts that need it.
policy-map inside-policy-map
 class SSH-24Hour-ClassMap
  set connection timeout idle 24:00:00

service-policy inside-policy-map interface inside 


  • See documentation for information regarding the interface direction
  • This was designed for versions 8.3+ although it may work on version 8.2


[ # ]

interface GigabitEthernet0/2
  description <optional description>
  vlan 40  !! optional
  nameif <name for interface>
  security-level <0-100>
  ip address <ip> <netmask> standby <standby ip>


  • The 'standby' portion of the IP address can be omitted if this is not part of a High Availability pair of firewalls

[ # ]

same-security-traffic permit intra-interface

nat (Outside) 1
group-policy <name> attributes
  split-tunnel-policy tunnelall


  • The last 3 lines are to allow traffic over a client-to-site VPN to pass all traffic through the firewall and to the internet. ie. No split tunneling

[ # ]

Pix 6

!! Delete the existing RSA key pair, generate a new one, display the public key, then save the key data.
!! NOTE(review): a 1024-bit RSA modulus is below current minimum recommendations (2048 bits or more);
!! use a larger modulus where the platform supports it.
ca zeroize rsa
ca generate rsa key 1024
sh ca mypubkey rsa
ca save all

Pix 7+

!! Delete the existing RSA key pair, generate a new one, then display the public key.
!! NOTE(review): a 1024-bit RSA modulus is below current minimum recommendations; prefer
!! 'crypto key generate rsa modulus 2048' (or larger) where the platform supports it.
crypto key zeroize rsa 
crypto key generate rsa modulus 1024
sh crypto key mypubkey rsa


  • The command "crypto key zeroize rsa" will remove certificates using the default keychain as well

[ # ]

show failover  !! View current failover status, statistics, etc
show failover history  !! View recent failover and sync history 
show failover state  !! View last failover reasons and information

[ # ]