Beginning January 1, 2011, one of the biggest changes CompTIA brought about was ending certification for life. The theory was A+ was considered a broad and entry-level certification. This meant that a successful candidate would’ve either left the business, or moved up the food chain.

To meet the standards set by the ISO (International Organization for standardization) and ANSI (American National Standards Inst.) CompTIA now requires either recertification every few years, or maintaining a log with them, proving Continual Educational Units (CEU)’s.

Honestly, there is a lot of bad information out on the Internet about the A+ exams. It may have been true at the time it was created, but isn’t now. For example:

The older exam 220-301 series in A+ had a question like what is the standard length of the parallel cable? It was a bad question because of the radio dial choices, two were actually correct. It depended on whether the parallel I/O was IEEE 1284 (15 feet) or not (10 feet).

In the older days to get a NIC card working you had to throw Jumper switches to set the IRQ and memory I/O address. These ISA-based cards have been long gone. So too is being able to regurgitate on the exam what IRQ typically does what.

What is needed to pass the CompTIA A+ Certification

Two exams are needed to attain the CompTIA A+ Certification. These are 220-701 (CompTIA A+ Essentials) and 220-702 (CompTIA A+ Practical Application).

Passing Score:

675 for CompTIA A+ Essentials
700 for CompTIA A+ Practical Application
(on a scale of 100-900)

Number of Questions:

100 questions for each exam.

Exam Languages Supported:

English, Spanish, German, Turkish, Japanese, Traditional Chinese (Taiwan), Simplified Chinese, Portuguese, Korean, Arabic

Tips for the Exam:

When taking a CompTIA exam, always remember what would be a ‘best practice’. Each question is standalone, and has nothing to do with other questions you may have seen.

Further, keep in mind a ‘best practice’ sometimes has little to do with the real world.

The second test for A+ (Practical Application), while being pretty fair, it can be daunting to someone without a broad background of experience. An exam candidate could be challenged by questions that are other than Microsoft Windows.

How to Prepare:

One final thought is the exams are not inexpensive. It can be costly to do a reconnaissance mission on either A+ exam. An excellent resource for keeping the overhead down would be to see the videos done by Paul Gadbois. The series from trainsignal.com is over 38 hours (equivalent to five days in the classroom) and is available online for less than $300. That comes out to less than eight dollars an hour!

Trainsignal is CAQC (CompTIA Authorized Quality Curriculum) approved.

There is no shortage of thoughts about the classic chicken and egg dilemma regarding Microsoft certification. Microsoft exams are intended to weed out candidates that do not have practical experience. Employers have little taste for hiring when a person does not have MCTS 70-640. This creates quite a dichotomy.

It is also true that the teams which do the actual item writing on not allowed to talk to the other Microsoft employees that create the training material.

There is no shortage of material for preparing for this exam. What there seems to be an extreme shortage of is good/current material for this digital witch-hunt.

Is Microsoft’s position that the exam will test on the latest and greatest versions. How that works in reality is dependent on how fast item writers can create new questions and have been verified by the psychometrician.

I can say definitively that the exam covers R2 specific features. For example, the new commands like djoin.exe and AD Recycle Bin.

I first became an MCT in 1997. My experience tells me that brain dump sites are a waste of time money and energy.

In reviewing study materials to break the chicken and egg dilemma created by Microsoft. I was a little surprised and quite delighted to see http://trainsignal.com come up with the top of the list for suggested guidance.

I suspect the reason for this is the training is video-based. Most of us can absorb new material faster by seeing than reading.

Further, since the exam is based on the assumption of Active Directory servers being in separate physical locations, the magic of video is like instant teleportation. And certainly without the expense of setting up different physical servers.

Anyhow, I wanted to list also the most popular posts on this blog that got the most visits in 2011. Here it is below:

1. How to Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial
2. How to configure a Cisco Layer 3 switch-InterVLAN Routing
3. Cisco Router 851 – 871 Interfaces and Basic Configuration
4. How to Configure VLANs on a Cisco Switch
5. Cisco Router-on-a-stick with Switch

For example assume the following scenario: A site-to-site IPSEC VPN is terminated on a router which happens to be the active HSRP router on a failover pair. If this router fails, then IPSEC must be immediately switched to HSRP standby Router. On diagram below, VIP means HSRP Virtual IP address.

Equipment used in This lab:
HQ1 and HQ2 – c3725-advsecurityk9-mz.124-1c
The rest – 2691 IOS c2691-adventerprisek9-mz.123-17a

LAB Scenario:

We’ve got HQ with two HSRP routers, and two Remote Offices. The PCs in Branches must have access to servers located in HQ. Therefore the connection must be  using high availability and be secured, that’s why two routers are located in HQ, which provide high availability and VPN Termination.

First of all I’ve started EIGRP on external interfaces of Branches (Fa0/0) and on all interfaces of WAN Router. I’ll not talk about how I did that. That step was only necessary to establish full routing connectivity for my lab scenario.

HQ Routers Configuration:

For providing high availability on HQ’s LAN interface, HSRP should be used. I’ve configured high priority on HQ1 (value 145) for becoming Active Router, and Standby Router HQ2 has priority 140. Virtual IP address is 192.168.1.1. Also I’ve configured tracking of Fa0/0 and Fa0/1, which means that if Fa0/0 or Fa0/1 goes down, then priority of Router will decrease by 10, and if both of them go down, priority will decrease by 20. In our case if Fa0/0 or Fa0/1 on HQ1 goes down, this means that priority of HQ1 will be less than the priority of HQ2, therefore HQ2 will become the active device.

The Command “preempt” gives opportunity to router to become active if this router has higher priority than an existing one. For example: in our case when the lost interfaces on HQ1 come up again, the preempt command will bring HQ1 as active again.

hq1#show running-config interface fastEthernet 0/1
interface FastEthernet0/1
ip address 192.168.1.11 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 145
standby 1 preempt
standby 1 track FastEthernet0/1
standby 1 track FastEthernet0/0       

hq2#show running-config interface fastEthernet 0/1
interface FastEthernet0/1
ip address 192.168.1.12 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 140
standby 1 preempt
standby 1 track FastEthernet0/0
standby 1 track FastEthernet0/1     

! Configuration on WAN side is the same as on LAN. HSRP with the same priorities is on this interface as well. 
hq1#show running-config interface fastEthernet 0/0
interface FastEthernet0/0
ip address 192.168.2.11 255.255.255.0
standby 2 ip 192.168.2.2
standby 2 priority 145
standby 2 preempt
standby 2 track FastEthernet0/1
standby 2 track FastEthernet0/0

hq2#show running-config interface fastEthernet 0/0

interface FastEthernet0/0
ip address 192.168.2.12 255.255.255.0
standby 2 ip 192.168.2.2
standby 2 priority 140
standby 2 preempt
standby 2 track FastEthernet0/0
standby 2 track FastEthernet0/1

! Verify HSRP Configuration. Now active router for Group 1 and 2 are HQ1 and HQ2 is Standby.

hq1#show standby brief
                    P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   145  P Active   local           192.168.2.12    192.168.2.2
Fa0/1       1   145  P Active   local           192.168.1.12    192.168.1.1     

hq2#show standby brief
                    P indicates configured to preempt.
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   140  P Standby  192.168.2.11    local           192.168.2.2
Fa0/1       1   140  P Standby  192.168.1.11    local           192.168.1.1   

! Now lets configure Crypto isakmp policy on HQ1 and HQ2 . Let’s use the most light policy and also indicate KEY as well.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery  

! Create access list, by which the traffic, going through the VPN Tunnel, will be matched. In this case traffic going from 192.168.1.0/24 to 192.168.4.0/24 and 192.168.5.0/24 networks.
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255     

! Create IPSEC Transform-set and dynamic crypto map.
crypto ipsec transform-set ts esp-3des esp-md5-hmac

crypto dynamic-map vpn 10
set transform-set ts
match address vpn
reverse-route

crypto map dynmap 10 ipsec-isakmp dynamic vpn

! Let’s consider the most interesting part, where we must do correlation between HSRP and IPSEC. Create a name of HSRP group and attach crypto map to HSRP group. After this we must assign HSRP virtual address to Branches in VPN Peer Addresses. When Active HSRP router switches to Standby Router, VPN tunnels will be switched from HSRP active router to HSRP Standby router as well.
interface FastEthernet0/0
standby 2 name VPNHA
crypto map dynmap redundancy VPNHA   

The above concludes the configuration of HQ Routers. Let’s look at configuration of Branches. There is a standard configuration on Branches and in fact nothing is changed. Just remember that the peer address of the VPN tunnel in branches must be the VIP HSRP address of the HQ routers.

Branch Routers Configuration:
! Configure crypto isapkmp policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

!set remote Peer IP address. In this case this will be the HSRP Virtual ip address.
crypto isakmp key 123 address 192.168.2.2

!create IPsec Transform set.
crypto ipsec transform-set ts esp-3des esp-md5-hmac
!
!For Branch 1 Create Access-list which matches Interesting Traffic for VPN Tunnel.
ip access-list extended vpn
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

!For Branch 2 Create Access-list which matches Interesting Traffic for VPN Tunnel.
ip access-list extended vpn
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

! Create crypto map. In peer we indicate HSRP Virtual IP address. All the rest are not changed. Also turn on Reverse route, because when VPN tunnel is established, in Branches’ routing table the VPN Tunnel Destination network will be added statically.
crypto map vpn 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set ts
match address vpn
reverse-route

First check VPN, ping SRV from Host1 and Host2 and see if VPN establishes and the traffic we want  is matched.

host1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
..!!!

branch1#show crypto isakmp sa
dst             src             state          conn-id slot
192.168.2.2     192.168.3.2     QM_IDLE              1    0

branch1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 192.168.3.2

protected vrf:
local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 192.168.2.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest 15
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

branch1#show access-lists vpn
Extended IP access list vpn
10 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255 (32 matches)

host2#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!

branch2#show crypto isakmp sa
dst             src             state          conn-id slot
192.168.2.2     192.168.3.3     QM_IDLE              1    0

branch2#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 192.168.3.3

protected vrf:
local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 192.168.2.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

branch2#show access-lists vpn
Extended IP access list vpn
10 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 (39 matches)

We see that everything is working as we want. Now let’s see how High availability is working. Ping SRV from Host1 and at the same time let’s switch off Fa0/1 on HQ1 and see how this switching will be done.

host1#ping 192.168.1.2 repeat 100000
Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!……………………………..
….!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 76 percent (127/167), round-trip min/avg/max = 8/52/172 ms

hq1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.2.2     192.168.3.2     QM_IDLE              1    0 ACTIVE
192.168.2.2     192.168.3.3     QM_IDLE              2    0 ACTIVE

hq1#show standby brief
P indicates configured to preempt.
|
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   135  P Standby  192.168.2.12    local           192.168.2.2
Fa0/1       1   135  P Init     unknown         unknown         192.168.1.1

hq2#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.2.2     192.168.3.2     QM_IDLE              1    0 ACTIVE

hq2#show standby brief
P indicates configured to preempt.
|
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       2   140  P Active   local           192.168.2.11    192.168.2.2
Fa0/1       1   140  P Active   local           unknown         192.168.1.1

High availability is working as we planned. As a result of shutting down, some pings failed and soon switching occurred to HSRP Standby router and connection was established again.

If you are planning to travel by car from New York to California, you certainly need a plan. You would get a map, plan what route you would take, plan when and where to stay for the nights etc. You certainly wouldn’t just take you car and start driving blindly hoping to arrive to your destination.

Similarly to our example above, studying towards a CCNA or CCNP exam needs a study plan. And this must be a solid study plan which you must follow with discipline. It wouldn’t be a good idea to just study randomly for a few minutes per day “when you feel like it”. Also, do not procrastinate about your study. The perfect time to start working on your certification preparation is not tomorrow. The best time to start is today.

Here are some tips for your study plan:

• You will be much better off with one-two hours of focused and continuous study per day without interruptions at all, instead of 4 hours a day with a lot of breaks and interruptions in between.
• Make a strict schedule of your study time. Consider this study time as an appointment with a client. Would you skip an important 1-hour meeting with a client and stay home to watch TV instead? Certainly not. Consider your study time as an important meeting with the most important client, which is YOU in this situation.
• Avoid all possible interruptions during your study time. Turn off your cell phone, TV, fixed line phone, computer etc. Having a solid and focused study time is essential for passing your CCNA and CCNP exams.
• Create a deadline for your studies. The best think to do this is to go ahead and pay and reserve your exam in order to take it within a time period in the future. It is proved that we do our best work when we have a deadline and a schedule. Therefore, creating some helpful stress with a deadline is a good thing for your CCNA/CCNP preparation. Again, consider the exam study period as a project for a client.

I hope the above study tips will help you in your endeavor of passing the CCNA or CCNP certification exams (or any other I.T exam you are planning to take).

• To pass a single certification exam, which is called the CCNA Composite 640-802.
• To pass two separate certification exams, namely the ICND1 (640-822) and ICND2 (640-816).

First of all let me clarify something here: The CCNA certification will be the same, no matter which path you have chosen to follow. The certification does not change with different versions of the exam, or by which exams taken, or how many times you have tried the test. It will always be the Cisco Certified Network Associate.

Now, regarding taking one or two exams, my personal opinion is to go for the single (composite) exam option, the 640-802. Why?

If you opt to pay for the 2 exams options, the first one, the 640-822, will give you the CCENT certification as well. But this certification (at least for now) it’s not that important in your resume.

Consequently, the only advantage I find to divide the certification in two exams, is that the first test needs shorter preparation with a more limited agenda, and therefore serves as the first encounter with the certification system and makes it easier to pursue the more advanced examination (640-816) which is more extensive and complex.

But for the 640-816 exam you cannot ignore the topics that were necessary to study for the first exam. That is, taking the second test is practically almost similar with taking the composite exam, with the only difference being that you will already have some experience in the interface and test environment.

This means, duplicate exam preparation time is needed (i.e longer overall preparation), more dedication is required, and also higher cost. I do not think it’s worthwhile to take the two exam path for the CCNA.

However, it is not to be considered completely unwise. In contrast, those who have chosen the way of Cisco training academy may find it better and easier to take first the 640-822 (complete the first 2 modules of the training), and finally take the 640-816 to complete modules 3 and 4. It’s a completely valid option as well.

Cisco introduced the Virtual Security Gateway (VSG) some time ago. Now, it brings the proven and trusted Cisco ASA technology in the cloud to complement the VSG offering. The new ASA cloud product is called Cisco ASA 1000V Cloud Firewall.

The product employs the mainstream ASA (Adaptive Security Appliance) security technology that has been optimized for virtual environments. It works with the Cisco Nexus 1000V virtual switch and also integrates with the Cisco VNMC (Virtual Network Management Center) for administration and management purposes.

The ASA 1000V comes as a software package which is downloadable as an Open Virtualization Format file. It works with the VMware vSphere 4.1 or later releases with VMware ESX or ESXi servers.

A Vlan access-map is placed on the whole Vlan, which means that the incoming and outgoing traffic in a Vlan are filterd by the VLan access-map. We can apply a VLAN access-map to a Layer3 access-list and also to a mac access-list.

We know that the usual access control list (ACL), which is the most well known concept, has an implied DENY IP ANY ANY at the end. Of course, a VACL has the same implied deny statement, but this is not recommended, as we will see next.

Because a normal ACL checks only Layer 3 packet traffic, therefore it doesn’t block Layer 2 protocols like STP, VTP, ARP etc. On the other hand, a VLAN access-map blocks L2 protocols (in addition to Layer3), if we don’t explicitly allow them. That’s why it’s recommended to have an implicit deny all at the end.

Looking now at the details, let’s consider the following example: we have two Routers R1 and R2 which are in the same VLAN (Broadcast Domain) and they are connected to each other via a switch as shown below. Let’s block only Telnet protocol from R1 and permit all the rest.

Before starting configuration, let’s check if telnet works from R1.

R1#telnet 192.168.10.2
Trying 192.168.10.2 … Open

User Access Verification

Password:

R1#quit

[Connection to 192.168.10.2 closed by foreign host]
R1#

As we see, telnet is working, so now let’s start the VLAN access-map configuration which will block telnet and permit everything else.

!Create access-list, by which interesting traffic will be matched. As I’ve already said, the principle of VLAN access-map config is similar to the route-map working principle. Later we snap this access-list to a VLAN access-map.

switch(config)#ip access-list extended  restrict_telnet_R2
switch(config-ext-nacl)#permit tcp host 192.168.10.1 host 192.168.10.2 eq 23

After this we’ll create a vlan access-map, which has two main parameters: action and match.

Match: by this parameter the interesting traffic is matched and here RACL or MAC ACL can be applied as well.

Action: what to do with matched traffic. Two main parameters exist: Drop and Forward. In case of Drop, matched traffic will be dropped, and in case of forward, matched traffic will be allowed. Also, on High-End devices, a Redirect and Capture parameters also exist in the Action statement.

In our case we must block matched traffic and permit all the rest.
switch(config-ext-nacl)#vlan access-map VACL 10
switch(config-access-map)#action drop
switch(config-access-map)#match ip address restrict_telnet_R2
switch(config-access-map)#vlan access-map VACL 20
switch(config-access-map)#action forward
switch(config-access-map)#exit

After creating the VLAN access-map, it should be applied to a VLAN or VLANs. In this case we’ll apply it to VLAN 10 which is specified by “vlan-list 10”.

switch(config)#vlan filter VACL vlan-list 10

By this configuration is completed. Let’s see if telnet is blocked and ping works.

R1#ping 192.168.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!

R1#telnet 192.168.10.2
Trying 192.168.10.2 …
% Connection timed out; remote host not responding

As we see, ping is okay from R1 and telnet is blocked as we planned.

So, if you really want to be a successful CCIE or Architect, you must become a successful CCNA and CCNP first. If you become master in CCNA and CCNP certifications, it is a sure fire way to become a successful CCIE, and hence a successful high-level professional.

Indeed, the reasons that the pyramids of Egypt are so strong and the reason they have lasted for thousands of years, is that their foundation (base) is so strong. The same analogy can be drawn for Cisco career certifications. If you built a strong foundation (CCNA, CCNP), then the skills that you will acquire from these levels will follow you and support your whole future career. Therefore, becoming a CCIE depends on how strong your knowledge base is. Indeed, your CCNA studies are the most important studies of your career as a network engineer. If you don’t master basic concepts, such as subnetting, IP addressing, basic routing and switching functionality, binary math, routing protocols functionality and so on, how do you think you will become a successful CCIE? So, keep this in mind: When you’re studying for your CCNA, you’re not just studying for a certification exam – you’re building the foundation for the rest of your Cisco certifications and the rest of your career.

So, take your CCNA studies seriously, learn as much material and theory as you can absorb, and you will not be disappointed. My 15 years in the field of networking have taught me that .

In ASA, for traffic to pass through interfaces, several conditions must be met. Since we are talking here for inside and outside interfaces, this means from higher security level (inside) to lower security level (outside). The most important conditions to examine here is the NAT (if used) and the access control list. Lets see more details below:

Traffic from inside to outside using NAT

This is the most common scenario. NAT is most commonly used in real networks to hide the internal network range and to translate the non-routable private addresses (internal network) to publicly routable IP addresses on the outside.

We can have two types of NAT:

1. Dynamic NAT (with Port Address Translation – PAT being a subcategory of this)
2. Static NAT (internal addresses are permanently mapped to external public addresses)

Here we will examine the most common scenario which is PAT. This is a many-to-one translation which allows us to translate all internal IP addresses into a single public IP address which is assigned to us by the ISP and exists on the outside of the ASA. For ASA to keep track of all these many-to-one translations, it uses port numbers. A different port number (out of the range of 65000) is assigned to a different internal IP address.

Lets see the configuration for allowing all traffic from inside to outside using PAT:

Assume the following:

inside LAN range: 192.168.1.0/24
Public IP addresses available: 100.100.100.1 – 100.100.100.32
ASA outside interface IP address: 100.100.100.1

Option1:

Using the ASA interface IP (100.100.100.1) to translate all internal addresses:

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 interface

Commands for ASA version 8.3 and later:

ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Option2:

Using one of the other available public IP addresses for translation:

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 100.100.100.2 netmask 255.255.255.255

Commands for ASA version 8.3 and later:

ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 100.100.100.2

After taking care of the NAT commands, we need to see our access-list commands. By default, if you don’t have an access-list applied on the inside interface, then all traffic is allowed to pass because the inside is the highest security level (100). However, if for any reason you apply an access-list to the inside interface, then you must explicitly allow all IP traffic to pass using the ACL.

ciscoasa(config)#access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside

Traffic from inside to outside without NAT

There are some cases where we don’t want to have NAT between inside to outside. In this scenario, the ASA works like a router but it still applies firewall inspection to the traffic. All you have to do here is to disable NAT and then allow traffic with an ACL:

ciscoasa(config)#no nat-control
ciscoasa(config)#access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside

Thats it.