Solved

Cannot ping ASA inside interface

Posted on 2014-11-29
23
Medium Priority
6,905 Views
Last Modified: 2016-04-12
I have an ASA firewall, as well as the host (VirtualBox), on GNS3 as shown in the topology below. I also have Windows7 installed on VirtualBox.
Windows 7 in VirtualBox picked IP address 192.168.56.101 and the VirtualBox adapter on my laptop (Windows8) picked IP address 192.168.56.1. So I can ping from Windows7 to my laptop and vice versa.
I configured the ASA interface that is connected to VirtualBox via the Ethernet switch as follows:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.56.200 255.255.255.0
!



However, I cannot ping from the ASA to either Windows7 (inside VirtualBox) or my laptop (Windows8).

Any help will be very much appreciated.

Thanks
asa.JPG
0
Comment
Question by:jskfan
23 Comments
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 432 total points
ID: 40472259
Since there are not enough details to draw any conclusion, I can only hope that you will find the missing steps and your solution here:
Configure GNS3 with Virtualbox (Video)
Configure GNS3 with Virtualbox (Manual)
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 429 total points
ID: 40472488
icmp should be disabled by default on the inside interface.

you'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 426 total points
ID: 40472750
Hi
going off the diagram you posted above you are simply trying to ping the inside interface from an inside client.
This is definitely allowed with a default config? On an asa (fresh out of the box) you can ping any interface you are connected to.

After a failed ping from the Windows machine (on which I assume you have disabled the Windows firewall, or pings won't work anyway), drop to the command line and do 'arp -a' to see if you can see the firewall at layer 2.
0
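Added example (not part of the original thread): one way to automate the 'arp -a' check suggested above, so that a failed ping can be attributed either to missing layer 2 adjacency or to ICMP handling on the device. The sample `arp -a` output is constructed using the addresses from the question, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `arp -a` output captured right after a failed
# ping to the ASA (192.168.56.200). The MAC addresses are made up.
SAMPLE_ARP = """\
Interface: 192.168.56.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-00     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static

Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.2              52-54-00-12-35-02     dynamic
"""

IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)")
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)"
)
# MACs that do not prove a real neighbour answered ARP.
NOT_A_NEIGHBOUR = {"00-00-00-00-00-00", "ff-ff-ff-ff-ff-ff"}


def parse_arp(text):
    """Return {interface_ip: {neighbour_ip: (mac, entry_type)}}."""
    tables, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = tables.setdefault(m.group(1), {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2).lower(), m.group(3))
    return tables


def diagnose(text, target_ip):
    """Classify a failed ping from the ARP cache taken immediately after it."""
    for iface, entries in parse_arp(text).items():
        mac, _entry_type = entries.get(target_ip, (None, None))
        if mac and mac not in NOT_A_NEIGHBOUR:
            return f"layer2-ok via {iface} ({mac}): check ICMP policy on the device"
    return "no-arp-entry: target never answered ARP; check the virtual switch/adapter path first"


if __name__ == "__main__":
    print(diagnose(SAMPLE_ARP, "192.168.56.200"))
```

If the firewall's address has no entry, no ACL or `icmp` rule on the ASA is involved yet: the ARP request itself is not reaching the interface.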

 

Author Comment

by:jskfan
ID: 40472983
I have redone the lab, leaving the same topology.
When I created Windows 7 in VirtualBox, a network adapter was created on my laptop and assigned an IP address automatically (VirtualBox Host-Only Network): 192.168.61.1

I manually assigned Windows 7 the IP address 192.168.61.2 with default gateway 192.168.61.1,
so I can ping from 192.168.61.2 (Windows7) to 192.168.61.1 (VirtualBox Host-Only Network adapter on my laptop).
I configured the ASA as follows:
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.61.3
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

However, I cannot ping the ASA inside interface from either Windows 7 (VM) or my laptop.
I cannot ping from the ASA to either my laptop or Windows7.
0
 

Author Comment

by:jskfan
ID: 40472987
Firewall is disabled on windows7 as well as on the Laptop
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40473286
If you attempt to ping the ASA from the virtual machine, what goes into the ARP table on that machine?
arp -a

Pete
0
 

Author Comment

by:jskfan
ID: 40473944
PeteLong,

 Below is the output of pinging Inside interface of ASA from Guest VM and the Arp table
arp
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 213 total points
ID: 40474090
Jan Springer already told you why you can't ping the ASA: ICMP to the interface is disabled by default. This is not handled in the rule set; it's configured something like this:
icmp permit any echo inside
icmp permit any echo-reply inside
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40474107
and then you apply it to the inside interface.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 426 total points
ID: 40474633
Sorry Guys unless I'm being vicariously dim (would not be the first time)

The poster has specified the interface is not shutdown.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.56.200 255.255.255.0
!



The client initiating the pings is directly connected to the inside interface, 192.168.56.101

Then the poster rebuilt with 192.168.61.3 on the firewall (and specified the interface was 'no shut' and that the client was now on 192.168.61.3).

He should NOT need either ICMP inspection or icmp permit commands; here is me doing exactly the same thing.
GNS3 screen Grab
jskfan, I know this is not what you want, but humor me:
1. Disconnect SW1 and ASA1.
2. Drag a router onto the workspace and connect it to ethernet0 on the ASA.
3. Give the router the same IP you are giving to the virtual machine.
4. Set its default route to the IP of Ethernet0/0 on the ASA.
5. Ping the ASA; it will respond to ping (providing the router is set up correctly, 'cause that's what I did above).

What have you just proved? There's nothing wrong with the ASA config. I'm not an expert with VirtualBox (I use VMware to do what you are doing), so my guess is that's where your problems lie.

to reiterate; on my ASA
PetesASA# show run | incl icmp
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
PetesASA#


I don't have
icmp permit any echo inside
icmp permit any echo-reply inside



And my pings work, you can see them replying above.

Pete
0
 

Author Comment

by:jskfan
ID: 40474770
Jan Springer

I have added the following commands to ASA.
icmp permit any echo inside
icmp permit any echo-reply inside


How do I apply them to the inside interface?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40475066
config t
access-group ACCESS_LIST_NAME in interface NAMEIF_OF_INSIDE_INTERFACE
end
0
 

Author Comment

by:jskfan
ID: 40475856
Jan Springer:

I have not created an access list with an access list name. I just put in the following couple of lines:

icmp permit any echo inside
icmp permit any echo-reply inside

So can you post the whole ACL code along with the 2 lines above and: access-group ACCESS_LIST_NAME in interface NAMEIF_OF_INSIDE_INTERFACE
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 429 total points
ID: 40476099
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside

(this presumes that your inside interface nameif is "inside")
0
 

Author Comment

by:jskfan
ID: 40477318
Even with the access list below, I still cannot get either the VM or the laptop to ping the ASA, or the other way around.

access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-group inside_in in interface inside

0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40477320
can you ping the vm from the ASA?

ping inside <IP of VM>

are the entries in the arp cache?

show arp
0
 

Author Comment

by:jskfan
ID: 40477338
I guess it is not the ASA that is preventing the ping from going through.
I put a router in between, and still cannot ping from the VM and laptop to the router interface (though its IP is in the same subnet as the laptop and VM).
I can ping from the ASA to the router and back.
asa
0
 

Author Comment

by:jskfan
ID: 40477354
something unusual...

I can ping from VM  and the laptop to router g0/0 interface now, but it drops packets

From Laptop to router g0/0:
C:\Users\user>ping 192.168.61.4

Pinging 192.168.61.4 with 32 bytes of data:
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.

Ping statistics for 192.168.61.4:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 25ms, Average = 25ms



from VM to router interface g0/0
C:\Users\user>ping 192.168.61.4

Pinging 192.168.61.4 with 32 bytes of data:
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.
Reply from 192.168.61.4: bytes=32 time=25ms TTL=255
Request timed out.

Ping statistics for 192.168.61.4:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 25ms, Average = 25ms


0
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 432 total points
ID: 40477985
Typically, that output is seen when you have two equal-cost routes and the router is performing route balancing, but one route is bad.
0
 

Author Comment

by:jskfan
ID: 40478393
** Load balancing between what?
If I understand correctly, the VM goes through the host (the laptop, which is its default gateway), then reaches interface g0/0 of the router.

** This is one thing. The other thing on which I need help is how to configure the router to route the traffic coming from the VM to the network out on the router's g1/0 interface. If I manage to ping from the VM to the g1/0 interface of the router, I might be able to isolate the problem to just the ASA.
0
 

Author Comment

by:jskfan
ID: 40484492
Regarding the last diagram I posted and the issue of a successful ping reply followed by a ping reply timeout, I fixed that by uninstalling AVG anti-virus... I know it is not safe, but just to get my lab working...
I still want to know how to reach the network between the router and the ASA firewall from my laptop and my VM. What kind of IP route command should I issue?
0
 

Author Closing Comment

by:jskfan
ID: 40485383
Thank you, guys!
I believe the issue is between the laptop and the router on GNS3.
0
