I just want to make it clear:
Can I ping an ASA interface that is not in the same zone? For example, I'm in the inside zone and I can ping the ASA inside interface, but can I ping the other ASA interfaces (outside, DMZ, etc.)?
Just a newbie.
You cannot ping the distant interfaces of the firewall from other zones, because the DMZ interface is not considered a host in the network. It is a firewall interface that is offering service for the DMZ zone.
No, you can't.
It is by design that you can't ping across interfaces, i.e. from an inside host you can only ping the inside interface, and you can't ping the DMZ interface.
However, if you VPN in, you can ping 1 cross interface when you have the command: "management-access
No, you can't ping the other interface.
But if you are connected via VPN, then by using management access on your firewall you can ping the interface.
Adding to what gaurav said, you can use the "management-access dmz" command to manage the DMZ interface via VPN. Using this command, you will be able to ping it.
You can use this command for only one interface.
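As an added illustration (not posted by anyone in this thread), this is the ASA CLI sequence the replies above refer to. The interface name "dmz" and the hostname "asa" are assumed; the command accepts exactly one interface name, which is why only one cross-interface becomes reachable from the VPN session.

```text
! Enter global configuration mode
asa# configure terminal
! Make the "dmz" interface (assumed name) reachable, e.g. by ping, from a VPN session
asa(config)# management-access dmz
! Verify which single interface currently has management access enabled
asa(config)# show running-config management-access
management-access dmz
```

The show command is the quick check when a ping to a cross-interface from a VPN client fails: if the configured name is not the interface you are trying to reach, that is the reason, since only one interface can hold the setting at a time.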
And then my question came to this: in my understanding, in WCCP the router ID is the highest IP address of the interfaces. If the WCCP server is in a different zone from the router ID, then WCCP must have a route to that interface. What's the meaning of "have route"? For sure we cannot ping that highest IP if it is in a different zone.
Yes, the router ID of the ASA will be its highest IP address, but if you take a close look at the debugs and the packets that the ASA sends when it sees the WCCP server ("Here I am", "I see you"), the IP address that the ASA uses to send the "I see you" message is the IP address of the interface closest to the WCCP server. The highest IP address is only used to establish the GRE tunnel and perform the traffic redirection.
No need for NAT, as WCCP will work just for users behind the same ASA interface, so there is no need to use NAT, as the traffic will not go to a different zone of the ASA.