can i ping asa interface that not in the same zone, for example im in inside zone, i can ping asa inside interface, but i can i ping other asa interface(outside,dmz,etc) ?
You cannot ping the distant interfaces of the firewalls from other zones.... Because the DMZ interface is not considered as the host in network... it is an firewall interface which is offering service for the dmz zone.....
Adding to what gaurav said, you can use "management-access dmz" command to manage the dmz interface via vpn. using this command you will be able to ping.
And then my question came to,in my understanding in wccp router id is the highest ip address of interface. If wccp server in the diffrent zone as the router id then wccp must be have route to that interface. Whats the meaning "have route" ? For sure we cannot ping that highest ip if in diffrent zone.
Yes the router ID of the ASA will be its highest IP address, but if you take a close look to the debugs and the packets that the ASA sends when it sees the WCCP server (Here I am, I see you); the IP address that the ASA uses to send the "I see you" message is the IP address of the closest interface to WCCP server. The highest IP adddress is only used to establish the GRE tunnel and perform the traffic redirection.
No need for nat as WCCP will work just for users behind the same ASA interface, so there is no need to use nat as the traffic will not go to a different zone or the ASA.
Regards,
Julio
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
