Solved

Cannot ping ASA inside interface

Posted on 2014-11-29
Last Modified: 2016-04-12
I have an ASA firewall, as well as the host (VirtualBox) on GNS3, as shown in the topology below. I also have Windows 7 installed on VirtualBox.
Windows 7 in VirtualBox picked IP address 192.168.56.101 and the VirtualBox adapter on my laptop (Windows 8) picked IP address 192.168.56.1. So I can ping from Windows 7 to my laptop and vice versa.
I configured the ASA interface that is connected to VirtualBox via an Ethernet switch as follows:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.56.200 255.255.255.0
!

However, I cannot ping from the ASA to either Windows 7 (inside VirtualBox) or my laptop (Windows 8).

Any help will be very much appreciated.

Thanks
(attachment: asa.JPG)

Question by: jskfan
23 Comments
 
Assisted Solution
by: Predrag Jovic (earned 144 total points)
ID: 40472259
Since there are not enough details to make any conclusion, I can only hope that you will find the missing steps and your solution here:
Configure GNS3 with Virtualbox (Video)
Configure GNS3 with Virtualbox (Manual)
Assisted Solution
by: Jan Springer (earned 143 total points)
ID: 40472488
ICMP should be disabled by default on the inside interface.

You'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.
Accepted Solution
by: Pete Long (earned 142 total points)
ID: 40472750
Hi,
Going off the diagram you posted above, you are simply trying to ping the inside interface from an inside client.
This is definitely allowed with a default config. On an ASA (fresh out of the box) you can ping any interface you are connected to.

After a failed ping from the Windows machine (on which I assume you have disabled the Windows firewall, or pings won't work anyway), drop to the command line and do 'arp -a' to see if you can see the firewall at layer 2.

Author Comment
by: jskfan
ID: 40472983
I have redone the lab, leaving the same topology.
When I created Windows 7 in VirtualBox, a network adapter was created on my laptop and automatically assigned the IP address 192.168.61.1 (VirtualBox host-only network).

I manually assigned Windows 7 the IP address 192.168.61.2 with default gateway 192.168.61.1,
so I can ping from 192.168.61.2 (Windows 7) to 192.168.61.1 (VirtualBox host-only network adapter on my laptop).
I configured the ASA as follows:
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.61.3
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

However, I cannot ping the ASA inside interface from either Windows 7 (VM) or my laptop.
I cannot ping from the ASA to either my laptop or Windows 7.

Author Comment
by: jskfan
ID: 40472987
The firewall is disabled on Windows 7 as well as on the laptop.
Expert Comment
by: Pete Long
ID: 40473286
If you attempt to ping the ASA from the virtual machine, what goes into the ARP table on that machine?
arp -a

Pete

Author Comment
by: jskfan
ID: 40473944
PeteLong,

Below is the output of pinging the inside interface of the ASA from the guest VM, and the ARP table:
(attachment: arp)
Assisted Solution
by: mikebernhardt (earned 71 total points)
ID: 40474090
Jan Springer already told you why you can't ping the ASA: ICMP to the interface is disabled by default. This is not handled in the rule set; it's configured something like this:
icmp permit any echo inside
icmp permit any echo-reply inside
Expert Comment
by: Jan Springer
ID: 40474107
And then you apply it to the inside interface.
Assisted Solution
by: Pete Long (earned 142 total points)
ID: 40474633
Sorry guys, unless I'm being vicariously dim (would not be the first time)...

The poster has specified the interface is not shut down.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.56.200 255.255.255.0
!

The client initiating the pings is directly connected to the inside interface: 192.168.56.101.

Then the poster rebuilt with 192.168.61.3 on the firewall (and specified the interface was 'no shut' and that the client was now on 192.168.61.3).

He should NOT need either ICMP inspection or icmp permit commands; here is me doing exactly the same thing...
(attachment: GNS3 screen grab)
jskfan, I know this is not what you want, but humor me:
1. Disconnect SW1 and ASA1.
2. Drag a router onto the workspace and connect it to Ethernet0 on the ASA.
3. Give the router the same IP you are giving to the virtual machine.
4. Set its default route to the IP of Ethernet0/0 on the ASA.
5. Ping the ASA; it will respond to ping (providing the router is set up correctly, because that's what I did above).

What have you just proved? There's nothing wrong with the ASA config. I'm not an expert with VirtualBox (I use VMware to do what you are doing), so my guess is that's where your problems lie.

To reiterate, on my ASA:
PetesASA# show run | incl icmp
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
PetesASA#

I don't have
icmp permit any echo inside
icmp permit any echo-reply inside

and my pings work; you can see them replying above.

Pete

Author Comment
by: jskfan
ID: 40474770
Jan Springer

I have added the following commands to the ASA:
icmp permit any echo inside
icmp permit any echo-reply inside

How do I apply them to the inside interface?
Expert Comment
by: Jan Springer
ID: 40475066
config t
access-group ACCESS_LIST_NAME in interface NAMEIF_OF_INSIDE_INTERFACE
end

Author Comment
by: jskfan
ID: 40475856
Jan Springer:

I have not created an access list with an access list name. I just put in the following couple of lines:

icmp permit any echo inside
icmp permit any echo-reply inside

So can you post the whole ACL code along with the 2 lines above and: access-group ACCESS_LIST_NAME in interface NAMEIF_OF_INSIDE_INTERFACE
Assisted Solution
by: Jan Springer (earned 143 total points)
ID: 40476099
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside

(This presumes that your inside interface nameif is "inside".)
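As an added illustration, not code from the thread or from anyone in it: a Python model of the behaviour Pete describes (a default ASA answers pings on a directly connected interface) and of what mikebernhardt's `icmp permit` lines and Jan's access-group ACL actually govern. It encodes the documented ASA semantics: ICMP aimed at an interface is checked against that interface's `icmp permit/deny` entries (none present means all accepted; any present means first match with an implicit deny), while the access-group ACL applies only to traffic passing through the box. The two configs are constructed to mirror Pete's out-of-the-box ASA and the poster's ASA after adding the suggested lines.

```python
import ipaddress
# Added example, not from the thread. Models the ASA's to-the-box ICMP control
# list: pings aimed AT an interface are checked against 'icmp permit/deny'
# entries, while the access-group ACL filters traffic THROUGH the box. No entries
# for an interface means all ICMP is accepted; otherwise first match, implicit deny.

def parse_icmp_rules(running_config):
    """Return (action, source network, icmp_type or None, nameif) tuples."""
    rules = []
    for line in running_config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # skips 'icmp unreachable rate-limit ...' and non-icmp lines
        if tok[2] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:]
        elif tok[2] == "host":
            net, rest = ipaddress.ip_network(tok[3] + "/32"), tok[4:]
        else:  # 'address mask' form
            net, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[4:]
        icmp_type = rest[0] if len(rest) == 2 else None  # [icmp_type] nameif
        rules.append((tok[1], net, icmp_type, rest[-1]))
    return rules

def icmp_to_interface_allowed(rules, src_ip, icmp_type, nameif):
    """First-match evaluation of the control list bound to one interface."""
    iface_rules = [r for r in rules if r[3] == nameif]
    if not iface_rules:
        return True  # no entries for this interface: everything is accepted
    src = ipaddress.ip_address(src_ip)
    for action, net, rule_type, _ in iface_rules:
        if src in net and rule_type in (None, icmp_type):
            return action == "permit"
    return False  # implicit deny once any entry exists

# Constructed configs mirroring the thread: Pete's out-of-the-box ASA (no
# 'icmp permit' lines) and the poster's box after adding the two suggested lines.
PETES_ASA = """\
interface Ethernet0/0
 nameif inside
 ip address 192.168.56.200 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
"""
POSTERS_ASA = PETES_ASA + "icmp permit any echo inside\nicmp permit any echo-reply inside\n"

def ping_accepted(running_config, src_ip, nameif="inside"):
    """Would an ICMP echo from src_ip aimed at this interface be accepted?"""
    return icmp_to_interface_allowed(parse_icmp_rules(running_config), src_ip, "echo", nameif)
```

Both constructed configs accept the ping, which is the thread's point: the access-group lines change nothing for pings to the interface itself, and once an `icmp permit host ...` entry exists, hosts it does not name fall to the implicit deny.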

Author Comment
by: jskfan
ID: 40477318
Even with the access list below, I still cannot get the VM or the laptop to ping the ASA, or the other way around.

access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside
Expert Comment
by: Jan Springer
ID: 40477320
Can you ping the VM from the ASA?

ping inside <IP of VM>

Are the entries in the ARP cache?

show arp

Author Comment
by: jskfan
ID: 40477338
I guess it is not the ASA that is preventing the ping from going through.
I put a router in between, and still cannot ping from the VM and laptop to the router interface (though the IP is in the same subnet as the laptop and VM).
I can ping from the ASA to the router and back.
(attachment: asa)

Author Comment
by: jskfan
ID: 40477354
Something unusual...

I can ping from the VM and the laptop to the router g0/0 interface now, but it drops packets.

From laptop to router g0/0:
C:\Users\user>ping 192.168.61.4

Pinging 192.168.61.4 with 32 bytes of data:
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.

Ping statistics for 192.168.61.4:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 25ms, Average = 25ms

From VM to router interface g0/0:
C:\Users\user>ping 192.168.61.4

Pinging 192.168.61.4 with 32 bytes of data:
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.

Ping statistics for 192.168.61.4:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 25ms, Average = 25ms
Assisted Solution
by: Predrag Jovic (earned 144 total points)
ID: 40477985
Typically that can be seen as output when you have two equal-cost routes and the router is performing route balancing, but one route is bad.

Author Comment
by: jskfan
ID: 40478393
** Load balancing between what?
If I understand correctly, the VM goes through the host (the laptop, which is its default gateway), then reaches the g0/0 interface of the router.

** This is one thing; the other thing I need help with is how to configure the router to route the traffic coming from the VM out on the router's g1/0 interface. If I manage to ping from the VM to the g1/0 interface of the router, I might be able to isolate the problem to just the ASA.

Author Comment
by: jskfan
ID: 40484492
Regarding the last diagram I posted and the issue of a ping reply succeeding and then a ping reply timing out, I fixed that by uninstalling AVG anti-virus... I know it is not safe, but just to get my lab working...
I still want to know how to reach the network between the router and the ASA firewall from my laptop and my VM. What kind of ip route command should I issue?

Author Closing Comment
by: jskfan
ID: 40485383
Thank you guys!...
I believe the issue is between the laptop and the router on GNS3.