YOlanie_Visser
asked on
ESXi Virtual Machines With No Internet Access.
hi Guys,
I have just run into an issue and can't seem to solve it. I have just set up ESXi and started populating it with VMs. The issue is I cannot establish an internet connection from inside the VMs; they can ping each other and the gateway, but can't access the internet...
The Gateway is a Cisco ASA
Any ideas?
ASKER
I have a VPN to that site, I can remote onto the actual VM's with no issue at all, they ping the gateway too...but they do not exceed the gateway.
SOLUTION
Please post screen-shot of Configuration -> Networking tab.
If I understand your problem correctly, it may be that the VMs do not have a port group configured on the vSwitch to access the internet.
ASKER
I've tried pinging both the IP (173.194.37.104) and the DNS name (google.com) and still nothing.
If I do an NSlookup:
C:\Documents and Settings\Administrator>nslookup google.com
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 10.254.254.248: Timed out
Server: UnKnown
Address: 10.x.x.248
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
I assume that the VM runs Windows as Guest OS.
Open a command prompt and run ipconfig /all
Post the details here.
1.How many physical NICs do you have on the ESXi host ?
2.What is the hardware model (Dell / HP or IBM) on which ESXi is installed ?
ASKER
Image attached..
Clipboard01.jpg
ASKER
1: 4 NICs
2: HP DL360 G7
C:\Documents and Settings\Administrator>tracert www.google.com
Unable to resolve target system name www.google.com.
C:\Documents and Settings\Administrator>tracert 173.194.37.104
Tracing route to 173.194.37.104 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
ASKER
Right now I have no DNS servers for the inside interface, as no DNS server is setup, not sure this makes a difference? I should be able to access external IP's though...
Yes, you are right.
I was just making sure that everything is configured right,
but the problem now is that you are not even getting out from the VM.
Something is blocking you at the ESXi; you haven't reached the ASA yet (based on the traceroute).
Are you sure that the "ESXi host" & "VM" are able to ping the ASA firewall?
ASKER
Yes, I can ping the gateway (inside interface of ASA)
SOLUTION
ASKER
OK, I've just put the ISP's DNS servers in the DNS setting on the server:
C:\Documents and Settings\Administrator>nslookup google.com
Server: res1.dns.cogentco.com
Address: 66.28.0.45
Non-authoritative answer:
Name: google.com
Addresses: 72.14.204.104, 72.14.204.147, 72.14.204.99, 72.14.204.103
I can access the internet, still can't ping or tracert though..weird.
ahhh Great
Yeah, that's weird.
Check the Windows firewall; it might be blocking that traffic. Also check whether ICMP is enabled & allowed.
SOLUTION
ASKER
Well, things were OK. I've just enabled the rule for ICMP and have no access again...
Disabled it... and nothing again.
1. Are you sure that the Windows firewall is disabled on the VMs?
2. Are you using McAfee Antivirus or Symantec Endpoint Protection? These may also block ping replies.
ASKER
I meant the internet connection... since I enabled the ICMP echo replies, I lost access again. I have disabled it; still no internet.
Try adding allow icmp all to all of your firewall interfaces - if that works we can work on backing things down. Can you post a sanitized (mask passwords and public ip addresses) config of the ASA?
ASKER
: Saved
:
ASA Version 7.2(4)
!
hostname E000001
domain-name default.domain.invalid
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.254.254.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 30.100.100.100 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list EIx_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.254.254.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.253.254.8 255.255.255.248
access-list EI_VA_splitTunnelAcl standard permit any
access-list inside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VA_IP_Pool 10.254.254.10-10.254.254.15 mask 255.255.255.0
ip local pool EI_VA_253 10.253.254.10-10.253.254.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 38.101.186.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.253.254.0 255.255.255.0 inside
http 10.254.254.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
group-policy EIx internal
group-policy EIx attributes
dns-server value 10.254.254.226 10.254.254.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EIVA_splitTunnelAcl
default-domain value cohort.internal
group-policy EI_x internal
group-policy EI_x attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EI_x_splitTunnelAcl
username admin password qqwweerrtt encrypted privilege 15
username vpnaccess password sdfdfsdfsdfsdfsfd encrypted privilege 0
username vpnaccess attributes
vpn-group-policy EIx
username sd password encrypted privilege 15
tunnel-group EIVA type ipsec-ra
tunnel-group EIVA general-attributes
address-pool VA_IP_Pool
default-group-policy EIVA
tunnel-group EIVA ipsec-attributes
pre-shared-key *
tunnel-group EI_VA_253 type ipsec-ra
tunnel-group EI_VA_253 general-attributes
address-pool EI_VA_253
tunnel-group EI_VA_253 ipsec-attributes
pre-shared-key *
tunnel-group EI_VA type ipsec-ra
tunnel-group EI_VA general-attributes
address-pool EI_VA_253
default-group-policy EI_VA
tunnel-group EI_VA ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:dgfdfgdfgd6 58334991b7 98asdfsdfs dfsdfsdfsd fsdfsdf
: end
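The config above explains the on/off behaviour the asker saw: on an ASA, as soon as an access-group is bound to an interface, the default "higher security level may talk to lower" rule is replaced by that ACL with its implicit deny. `inside_access_in` only permits `icmp any any echo-reply`, so binding it to inside blocks every outbound TCP/UDP flow, and with no ACL (and no ICMP inspection) on outside, the echo replies coming back are dropped as new outside-to-inside connections. The following is an added example, not code from the thread or from Cisco: a small evaluator of those two ASA rules run against a trimmed copy of the posted config. The host address 10.254.254.20 and the destination 72.14.204.104 are assumptions chosen for illustration.

```python
"""Added example: model pre-8.3 Cisco ASA interface-ACL semantics and apply
them to the config posted in the thread. Two rules are modelled:
  * no access-group on the ingress interface -> allowed only from a higher
    security level to a lower one (inside 100 -> outside 0);
  * an access-group on the ingress interface -> first match top to bottom,
    ending in an implicit deny for anything not listed.
Parsing covers 'access-list NAME extended permit|deny PROTO SRC DST [icmp-type]'
with any / host X / NET MASK address specs; ports are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample, trimmed from the asker's posted (sanitized) config.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside_access_in extended permit icmp any any echo-reply
access-group inside_access_in in interface inside
"""


@dataclass
class Ace:
    action: str                      # 'permit' or 'deny'
    proto: str                       # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # e.g. 'echo-reply'; None matches any type


def _netspec(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == 'any':
        return ipaddress.ip_network('0.0.0.0/0'), i + 1
    if tokens[i] == 'host':
        return ipaddress.ip_network(tokens[i + 1] + '/32'), i + 2
    return ipaddress.ip_network(f'{tokens[i]}/{tokens[i + 1]}', strict=False), i + 2


def parse_config(text):
    """Return (interfaces, acls, bindings) from running-config text."""
    ifaces, acls, bindings, cur = {}, {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == 'interface':
            cur = {'security': 0}
        elif t[0] == 'nameif' and cur is not None:
            ifaces[t[1]] = cur          # same dict object; security-level fills it in
        elif t[0] == 'security-level' and cur is not None:
            cur['security'] = int(t[1])
        elif t[0] == 'access-list' and t[2] == 'extended':
            name, action, proto = t[1], t[3], t[4]
            src, i = _netspec(t, 5)
            dst, i = _netspec(t, i)
            rest = t[i:]
            icmp_type = rest[0] if proto == 'icmp' and rest else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, icmp_type))
        elif t[0] == 'access-group' and t[2] == 'in':
            bindings[t[4]] = t[1]       # access-group NAME in interface IFACE
    return ifaces, acls, bindings


def evaluate(cfg, ingress, egress, proto, src, dst, icmp_type=None):
    """Verdict ('permit'|'deny', reason) for a NEW flow entering ingress, leaving egress."""
    ifaces, acls, bindings = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_name = bindings.get(ingress)
    if acl_name is None:
        if ifaces[ingress]['security'] > ifaces[egress]['security']:
            return 'permit', f'no ACL on {ingress}: higher to lower security level'
        return 'deny', f'no ACL on {ingress}: lower to higher security level is denied'
    for n, ace in enumerate(acls.get(acl_name, []), 1):
        if ace.proto not in ('ip', proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.proto == 'icmp' and ace.icmp_type not in (None, icmp_type):
            continue
        return ace.action, f'{acl_name} line {n} matched'
    return 'deny', f'{acl_name}: implicit deny at end of ACL'


def check_thread_scenarios(config_text=SAMPLE_CONFIG):
    """Outbound HTTPS and returning echo-reply, before and after 'permit ip any any'."""
    cfg = parse_config(config_text)
    web = evaluate(cfg, 'inside', 'outside', 'tcp', '10.254.254.20', '72.14.204.104')
    reply = evaluate(cfg, 'outside', 'inside', 'icmp',
                     '72.14.204.104', '10.254.254.20', 'echo-reply')
    # Assumed fix: append a broad permit to the inside ACL (keeps the ACL, adds the line).
    fixed = parse_config(config_text.replace(
        'access-group', 'access-list inside_access_in extended permit ip any any\naccess-group'))
    web_fixed = evaluate(fixed, 'inside', 'outside', 'tcp', '10.254.254.20', '72.14.204.104')
    return {'web': web[0], 'echo_reply_in': reply[0], 'web_after_permit_ip': web_fixed[0]}


if __name__ == '__main__':
    for name, verdict in check_thread_scenarios().items():
        print(f'{name}: {verdict}')
```

The outbound web flow is denied by the posted ACL and permitted once `permit ip any any` is added, while the returning echo-reply is still dropped on outside; that matches the thread's resolution of allowing ICMP on both interfaces. On a real ASA the cleaner alternative for the reply direction is ICMP inspection (`inspect icmp` in the global policy map), which makes echo/echo-reply stateful so no outside ACL is needed. Note also that a blanket `permit ip any any` on inside restores the pre-ACL behaviour rather than tightening it; a production ACL should list the outbound services actually needed.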
SOLUTION
ASKER
No Cigar...
I have no internet again... I got access when I added the public DNS servers to the server settings, then I applied the rule and lost connectivity again.
Should the DNS servers be configured on the ASA too, or just on the server? I've tried both methods but still no success.
SOLUTION
ASKER
Running out of ideas..have even rebooted the device...
ASKER CERTIFIED SOLUTION
ASKER
Perfect! Allowed ICMP from both ends and the traffic. All is working now (image below).
Thanks a lot for the help!
Capture.JPG
No problem - glad it is working for you
ASKER
Problem is solved. DNS and ASA Rules were the issue
1 - Make sure that the ASA is allowing internet access for that IP.
2 - Make sure you configured the ESXi host with the proper IP address & GW.
3 - Make sure you configured the VM with the proper IP address & GW.
Is there any other host on the same VLAN?
Are there any other VMs on the same host? If yes, do they access the internet?
Walid Wahba