The book I’m referring to is the Cisco ASA Firewall Fundamentals .

Regarding pinging the ip addresses of the ASA, by default it does not allow you to ping an interface IP from another zone.

My book covers the most common and frequent scenarios that people encounter in the field. It does not cover EVERY single detail and scenario that can be found. You will learn though important concepts that will help you to tackle any scenario.

Yes, both zone are security level 0. And there’s no outside zone, only inside and DMZ.

For number 2, let say on DMZ port I assigned 192.168.0.1 which will be the gateway for the DMZ devices (e.g. Server), and I assigned 10.10.0.1 on Inside Port which will be the gateway on Inside devices (e.g. Server. Now my question is how can I let the server’s on DMZ tp ping the inside gateway (10.10.0.1)? I already set the proper ACL but got no lucky, I’m getting hard time since this project quite conflicated request since they don’t want to have a NAT applied.

Anyway I’ll try your suggestion the “No nat-control”, and maybe it will resolve the issue.

BTW, you still didn’t answer my inquiry regarding the book.

Do you mean that both security zones are security level 0?

Regarding nat, you can disable it using “no nat-control”. Then just use access-lists to control traffic between security zones.

For ASA5505, if you have a basic license, the DMZ zone will not be able to communicate with the inside zone.

Explain also number 2 more. Which gateway do you want to ping? The inside IP address of ASA? Why is this so important?

I have an issue with 5505 wherein 2 zone (inside and dmz) is set to security level 0. Both are on different subnet, now my problem is that the management don’t want to use NAT, below is my concern
1.how can I make the inside and dmz will communicate each other without NAT? I already applied/permit ACL even a any any, but still cannot.
2. how can I set that the devices on DMZ can ping the gateway from inside and vice versa?

I really hope admin can help me on this, and also is the book cover such complecated ASA configuration? I want to purchase your book but need an assurance since I already been purchasing and all doesn’t provide such answer.

Unfortunately the books are available only in electronic format. You can print them out however and make them a hard cover copy

I don’t suppose your books comes in physical form do they? Would be a good book to keep on my desk.

I don’t know from where to start

“On an ASA 5505 running 8.4, do you create ACLs like on a router and apply them to the outside (VLAN2) interface?”

You create ACLs like the PIX and apply them using an access-group command (like the PIX again).

e.g

ciscoasa(config)# access-list OUT_IN extended permit tcp host 200.200.200.3 eq 25
ciscoasa(config)# access-group OUT_IN in interface outside

For the PAT configuration, the way you have it in your comment is correct. Regarding NAT and static NAT etc, I suggest you to visit the following Cisco forums post for more information:

https://supportforums.cisco.com/docs/DOC-9129/version/3

On the link above you will find also info about static 1 to 1 NAT translation in order to allow access from outside to inside.

“Lastly, there seem to be a lot of people here who are using a standard DSL router already running NAT and then having the outside interface of the ASA obtain a private IP from the DSL routers internal DHCP range. I assume this would work for PAT and in effect it you are NATing a NAT’d network (or NATing a PAT’d connection to be precise) – but I assume there would be no way to do what I need to do above with this setup? i.e. gain RDP access to a server behind the ASA?”

The above scenario is mostly for outbound traffic only (i.e if there is no access originated from internet needed). If you need to access an internal RDP server, then the outside DSL router must be doing some sort of port redirection from its outside interface towards the outside interface of ASA, and then another static NAT on the ASA.

I have been using PIX firewalls for quite a few years and the time has come to start migrating a lot of them to ASA’s. It seems that even the latest version (8.4(1)) is not too dissimilar to the old Pix 501 PixOS 6.3(4) so getting a test unit up and running with basic PAT was a breeze however there is not much documentation about relating to inbound NAT rules.

A typical setup for me is to have a DSL line with a number is static IP’s, one assigned to the DSL router (NAT disabled), one assigned to the PIX outside interface and one would be for an Exchange server for example which would have a 1:1 NAT on the Pix with it’s private LAN IP.

The firewall would also be running PAT for outbound traffic

On a Pix 501 I would do the following:

ip address outside 200.200.200.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
access-group outside_in in interface outside
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 200.200.200.3 192.168.1.3 netmask 255.255.255.255 0 0

object-group network trusted-hosts
network-object host 201.201.201.1
network-object host 202.202.202.2

access-list outside_in permit tcp object-group trusted-hosts host 200.200.200.3 eq 3389
access-list outside_in permit tcp any host 200.200.200.3 eq 25

On an ASA 5505 running 8.4, do you create ACLs like on a router and apply them to the outside (VLAN2) interface?
Does the ASA still do the equivalent of the Pix ‘fixup’ and if so, can it be disabled at all on a per service/port basis?

For the PAT on the ASA, I have:
object network obj_any
subnet 0.0.0.0 0.0.0.0

and also
object network obj_any
nat (inside,outside) dynamic interface

These two confuse me slightly as you would expect both the subnet (which I assume is the source range allowed to be translated) and the nat rule to be in the same ‘object network obj_any’ container so its looks wrong… I assume it isnt?

There is no ‘static’ command so how do you create 1:1 NAT translations?

Lastly, there seem to be a lot of people here who are using a standard DSL router already running NAT and then having the outside interface of the ASA obtain a private IP from the DSL routers internal DHCP range. I assume this would work for PAT and in effect it you are NATing a NAT’d network (or NATing a PAT’d connection to be precise) – but I assume there would be no way to do what I need to do above with this setup? i.e. gain RDP access to a server behind the ASA?

Thanks in advance for any help you are able to provide, apologies for the essay