Cannot ping ASA inside interface

I have an ASA firewall, as well as the host (VirtualBox), on GNS3 as shown in the topology below. I also have Windows 7 installed on VirtualBox.
Windows 7 in VirtualBox picked IP address 192.168.56.101 and the VirtualBox adapter on my laptop (Windows 8) picked IP address 192.168.56.1. So I can ping from Windows 7 to my laptop and vice versa.
I configured the ASA interface that is connected to VirtualBox via the Ethernet switch as follows:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.56.200 255.255.255.0
!


However, I cannot ping from the ASA to either Windows 7 (inside VirtualBox) or my laptop (Windows 8).

Any help will be very much appreciated.

Thanks
asa.JPG
jskfan asked:
JustInCase commented:
Since there are not enough details to draw any conclusion, I can only hope that you will find the missing steps and your solution here:
Configure GNS3 with Virtualbox (Video)
Configure GNS3 with Virtualbox (Manual)
0
Jan Springer commented:
ICMP should be disabled by default on the inside interface.

You'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.
0
Pete Long (Technical Consultant) commented:
Hi,
Going off the diagram you posted above, you are simply trying to ping the inside interface from an inside client.
This is definitely allowed with a default config? On an ASA (fresh out of the box) you can ping any interface you are connected to.

After a failed ping from the Windows machine (on which I assume you have disabled the Windows firewall, or pings won't work anyway), drop to the command line and do 'arp -a' to see if you can see the firewall at layer 2.
0


jskfan (author) commented:
I have redone the lab, leaving the same topology.
When I created Windows 7 in VirtualBox, a network adapter was created on my laptop and assigned an IP address automatically (VirtualBox Host-Only Network): 192.168.61.1

I manually assigned Windows 7 the IP address 192.168.61.2 with default gateway 192.168.61.1,
so I can ping from 192.168.61.2 (Windows 7) to 192.168.61.1 (VirtualBox Host-Only Network adapter on my laptop).
I configured the ASA as follows:
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.61.3
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

However, I cannot ping either from Windows 7 (VM) or from my laptop to the ASA inside interface.
I cannot ping from the ASA to either my laptop or Windows 7.
0
jskfan (author) commented:
The firewall is disabled on Windows 7 as well as on the laptop.
0
Pete Long (Technical Consultant) commented:
If you attempt to ping the ASA from the virtual machine, what goes into the ARP table on that machine?
arp -a

Pete
0
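The `arp -a` check suggested above separates a broken virtual link from an ICMP policy problem. The following is an added example, not code from any poster in this thread: it parses Windows `arp -a` output and classifies a failed ping. The sample output, the MAC addresses and the function names `parse_arp` and `triage` are constructed for illustration.

```python
import re

# Constructed sample: Windows `arp -a` output on the VM (192.168.61.2) after a
# failed ping to the ASA at 192.168.61.3. MAC addresses are made up.
SAMPLE_ARP = """\
Interface: 192.168.61.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.61.1          0a-00-27-00-00-0b     dynamic
  192.168.61.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_arp(text):
    """Return {ip: (mac, entry_type)} for each row of `arp -a` output."""
    return {ip: (mac.lower(), kind.lower()) for ip, mac, kind in ENTRY.findall(text)}

def triage(arp_text, target_ip, ping_ok):
    """Use the ARP cache as a layer-2 witness for a ping result (hypothetical helper)."""
    if ping_ok:
        return "reachable"
    entry = parse_arp(arp_text).get(target_ip)
    if entry is None:
        # The ARP request was never answered: frames are not reaching the
        # target, so check the virtual link and adapter binding, not ICMP rules.
        return "layer2"
    if entry[1] == "static":
        # A manually added or broadcast entry proves nothing about reachability.
        return "inconclusive"
    # A dynamic entry means the target answered ARP, so the echo is being
    # dropped above layer 2 (host firewall, security software, device policy).
    return "filtered"

if __name__ == "__main__":
    print(triage(SAMPLE_ARP, "192.168.61.3", ping_ok=False))
```
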
jskfan (author) commented:
Pete Long,

Below is the output of pinging the inside interface of the ASA from the guest VM, and the ARP table:
arp
0
mikebernhardt commented:
Jan Springer already told you why you can't ping the ASA: ICMP to the interface is disabled by default. This is not handled in the rule set; it's configured something like this:
icmp permit any echo inside
icmp permit any echo-reply inside
0
Jan Springer commented:
And then you apply it to the inside interface.
0
Pete Long (Technical Consultant) commented:
Sorry guys, unless I'm being vicariously dim (would not be the first time).

The poster has specified the interface is not shutdown.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.56.200 255.255.255.0
!


The client initiating the pings is directly connected to the inside interface, 192.168.56.101

Then the poster rebuilt with 192.168.61.3 on the firewall (and specified the interface was 'no shut' and that the client was now on 192.168.61.3).

He should NOT need either ICMP inspection or icmp permit commands; here is me doing exactly the same thing:
GNS3 screen Grab
jskfan, I know this is not what you want, but humor me:
1. Disconnect SW1 and ASA1.
2. Drag a router onto the workspace and connect it to ethernet0 on the ASA.
3. Give the router the same IP you are giving to the virtual machine.
4. Set its default route to the IP of Ethernet0/0 on the ASA.
5. Ping the ASA; it will respond to ping (providing the router is set up correctly, 'cause that's what I did above).

What have you just proved? There's nothing wrong with the ASA config. I'm not an expert with VirtualBox (I use VMware to do what you are doing), so my guess is that's where your problems lie.

to reiterate; on my ASA
PetesASA# show run | incl icmp
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
PetesASA#

I don't have
icmp permit any echo inside
icmp permit any echo-reply inside


And my pings work, you can see them replying above.

Pete
0
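The configurations quoted in this thread can be compared mechanically. The following is an added example, not code from any poster: it models whether an ASA answers an echo request sent to its own interface. It assumes the behaviour Cisco documents for the `icmp` command (no `icmp` rules for an interface means ICMP to it is accepted; once rules exist the first match wins, followed by an implicit deny; `access-group` ACLs filter only traffic passing through the box); function names and `LOCKED_CFG` are hypothetical.

```python
import ipaddress

# Lines quoted in the thread from a lab ASA where pings to the interface work.
PETE_CFG = """\
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
"""
# The icmp and access-list lines that were added during the thread.
THREAD_CFG = """\
icmp permit any echo inside
icmp permit any echo-reply inside
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside
"""
# Constructed: a single rule that leaves every other source to the implicit deny.
LOCKED_CFG = "icmp permit host 192.168.61.1 echo inside\n"

def icmp_rules(config, nameif):
    """Collect `icmp permit|deny <source> [type] <nameif>` rules for one interface."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny")
                or tok[-1] != nameif):
            continue  # skips `icmp unreachable ...`, ACL lines, other interfaces
        body = tok[2:-1]
        if body[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), body[1:]
        elif body[0] == "host":
            net, rest = ipaddress.ip_network(body[1] + "/32"), body[2:]
        else:  # `<address> <mask>` form
            net, rest = ipaddress.ip_network(f"{body[0]}/{body[1]}"), body[2:]
        rules.append((tok[1], net, rest[0] if rest else None))
    return rules

def answers_echo(config, nameif, src_ip):
    """True if the modelled ASA would accept an echo request to `nameif`."""
    rules = icmp_rules(config, nameif)
    if not rules:
        return True  # assumption: no icmp rules means ICMP to the box is accepted
    src = ipaddress.ip_address(src_ip)
    for action, net, icmp_type in rules:
        if src in net and icmp_type in (None, "echo", "8"):
            return action == "permit"  # first matching rule decides
    return False  # assumption: implicit deny once any rule exists

if __name__ == "__main__":
    for name, cfg in (("pete", PETE_CFG), ("thread", THREAD_CFG), ("locked", LOCKED_CFG)):
        print(name, answers_echo(cfg, "inside", "192.168.61.2"))
```
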
jskfan (author) commented:
Jan Springer

I have added the following commands to ASA.
icmp permit any echo inside
icmp permit any echo-reply inside


How do I apply them to the inside interface?
0
Jan Springer commented:
config t
access-group ACCESS_LIST_NAME in interface NAMEIF_OF_INSIDE_INTERFACE
end
0
jskfan (author) commented:
Jan Springer:

I have not created an access list with an access list name. I just put in the following couple of lines:

icmp permit any echo inside
icmp permit any echo-reply inside

So can you post the whole ACL code along with the 2 lines above and: access-group ACCESS_LIST_NAME in interface NAMEIF_OF_INSIDE_INTERFACE
0
Jan Springer commented:
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside

(this presumes that your inside interface nameif is "inside")
0
jskfan (author) commented:
Even with the access list below, I still cannot get the VM or the laptop to ping the ASA, or the other way around.

access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside

0
Jan Springer commented:
Can you ping the VM from the ASA?

ping inside <IP of VM>

Are the entries in the ARP cache?

show arp
0
jskfan (author) commented:
I guess it is not the ASA that is preventing the ping from going through.
I put a router in between, and still cannot ping from the VM and laptop to the router interface (though its IP is in the same subnet as the laptop and VM).
I can ping from the ASA to the router and back.
asa
0
jskfan (author) commented:
Something unusual...

I can ping from the VM and the laptop to the router g0/0 interface now, but it drops packets.

From Laptop to router g0/0:
C:\Users\user>ping 192.168.61.4

Pinging 192.168.61.4 with 32 bytes of data:
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.

Ping statistics for 192.168.61.4:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 25ms, Average = 25ms


From VM to router interface g0/0:
C:\Users\user>ping 192.168.61.4

Pinging 192.168.61.4 with 32 bytes of data:
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.

Ping statistics for 192.168.61.4:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 25ms, Average = 25ms

0
JustInCase commented:
Typically that can be seen as output when you have two equal-cost routes and the router is performing route balancing, but one route is bad.
0
jskfan (author) commented:
** Load balancing between what?
If I understand correctly, the VM goes through the host (the laptop, which is its default gateway), then reaches the interface g0/0 of the router.

** This is one thing; the other thing on which I need help is how to configure the router to route the traffic coming from the VM to the network out on the router's g1/0 interface. If I manage to ping from the VM to the g1/0 interface of the router, I might be able to isolate the problem just to the ASA.
0
jskfan (author) commented:
Regarding the last diagram I posted and the issue related to ping reply success then ping reply timeout, I fixed that by uninstalling AVG anti-virus... I know it is not safe, but just to get my lab working...
I still want to know how to reach the network between the router and the ASA firewall from my laptop and my VM. What kind of ip route command should I issue?
0
jskfan (author) commented:
Thank you, guys!
I believe the issue is between the laptop and the router on GNS3.
0