07-11-2012 06:24 PM - edited 03-11-2019 04:29 PM
I just wanna make it clear:
Can I ping an ASA interface that is not in the same zone? For example, I'm in the inside zone and I can ping the ASA inside interface, but can I ping the other ASA interfaces (outside, dmz, etc.)?
Just a newbie.
07-11-2012 11:01 PM
You cannot ping the other interface IPs of the firewall... that is restricted by design.
07-11-2012 11:05 PM
You cannot ping the distant interfaces of the firewall from other zones, because the DMZ interface is not considered a host in the network... it is a firewall interface which is offering service for the dmz zone.
07-11-2012 11:01 PM
No, you can't.
It is by design that you can't ping cross interfaces, i.e., from an inside host you can only ping the inside interface, and you can't ping the dmz interface.
However, if you VPN in, you can ping 1 cross interface when you have the command: "management-access
07-11-2012 11:15 PM
No, you can't ping the other interface.
But if you are connected via VPN, in that case, by using management access on your firewall, you can ping the interface.
07-12-2012 02:50 PM
Hi,
Adding to what Gaurav said, you can use the "management-access dmz" command to manage the dmz interface via VPN. Using this command you will be able to ping.
You can use this command only for 1 interface.
Regards,
Dinkar
07-13-2012 06:34 AM
And then my question comes to this: in my understanding, in WCCP the router ID is the highest IP address of an interface. If the WCCP server is in a different zone from the router ID, then WCCP must have a route to that interface. What is the meaning of "have route"? For sure we cannot ping that highest IP if it is in a different zone.
Thx
07-13-2012 09:35 AM
Hi Ibrahim,
Yes, the router ID of the ASA will be its highest IP address, but if you take a close look at the debugs and the packets that the ASA sends when it sees the WCCP server (Here I am, I see you), the IP address that the ASA uses to send the "I see you" message is the IP address of the closest interface to the WCCP server. The highest IP address is only used to establish the GRE tunnel and perform the traffic redirection.
Luis
07-13-2012 09:49 PM
One question: which IP should I give, NAT/IP Public?
07-13-2012 10:42 PM
Hello Ibrahim,
No need for NAT, as WCCP will work just for users behind the same ASA interface, so there is no need to use NAT as the traffic will not go to a different zone or the ASA.
Regards,
Julio