ASA 5505 and Virtual Machines

Unanswered Question
Jul 10th, 2008

Hello,

I have an ASA 5505 running v8. Everything is working fine so far, except once I tried running a virtual machine on a computer in the DMZ.

My setup is pretty straightforward: 3 VLANs, inside, outside and a DMZ. I only have the security bundle license. Since this is a test bed I have loosened up the security as much as I can find/think of, but I still have the following problem:

When a machine running a host OS (I have tried many flavors of Linux, Windows XP, and Mac OS X 10.5) hosts a guest OS via VMware Player 2.04 (networking set to bridged) and is on the DMZ, the guest OS cannot connect to anything off the DMZ on any protocol. The host OS works fine and can do everything it is allowed to.

If I take this exact same setup and plug it into an old Linksys router I have sitting around, it works great; both host and guest OS have perfect connectivity.

What is tripping me up is that the logs are not showing me anything. If I ping from the host OS to anything on the DMZ or the Internet, I can see the traffic and it works fine. (Yes, I have allowed ICMP DMZ->Internet.) If I ping from the guest OS to anything on the DMZ, it works great and I can see the traffic. If I try to ping anything on the Internet, I get nothing. Further, if I try to access HTTP/HTTPS or even DNS off the DMZ, I get nothing. No connection, no log file entries. It just does not work.

My best guess is that something to do with the VMware bridge setup (vmnet0) is tripping something on the ASA, causing it to drop packets.

If so, anyone know how to make them allowed?

Anyone else have a virtual machine running on their DMZ?

Thanks in advance for any and all help


AQPadministrator Thu, 07/10/2008 - 15:17

Anyone have a VM running on their DMZ? Know what on the 5505 I would need to change to allow it?

Any help is greatly appreciated!

AQPadministrator Thu, 07/10/2008 - 15:34

So as I typed this out I thought of something I had not tried.

If I run the same setup from the inside LAN it works fine...

I now think it is a combination of two things: the licensing restrictions and how the VMware bridging (vmnet0) works.

Any insight?

Fernando_Meza Thu, 07/10/2008 - 15:35

Hmm, it sounds interesting. Are you able to ping the ASA's DMZ interface from the guest OS? Can you post the configuration of your ASA?

AQPadministrator Thu, 07/10/2008 - 15:54

Yes. When the host and guest are on the DMZ, both can ping the DMZ interface. The guest can even ping other computers on the DMZ.

To that end, I thought at first it was just a DNS issue (the guest could not get updates), so I set up a DNS server on the DMZ and pointed the guest to it. That allowed DNS resolution, but the guest could still not get off the network.

I will post my config shortly.

AQPadministrator Thu, 07/10/2008 - 16:20

See attached:

I can put it in multiple replies if need be. I also added a couple of notes. There are a few things in there I would not normally have set up, like DHCP on the DMZ and a specific ACL for the guest OS.

All were attempts at making it work.

Thanks for any help.

AQPadministrator Fri, 07/11/2008 - 10:23

Thanks but no luck.

It does rule out a global policy being the issue though so thank you for that.

I think I am going to blast out the config and try again. I may have over-troubleshot it.

AQPadministrator Fri, 07/11/2008 - 13:46

Reset to factory defaults, set it back up with a very basic config same results.

Host and guest on the inside VLAN: no problems. Host and guest on the DMZ (with base license): the guest cannot make connections beyond the DMZ.

Nothing shows up in the logs.

I am going to try VirtualBox instead of VMware and hope for the best.

Magnus Mortensen Fri, 07/11/2008 - 21:05

Also, aside from the question about the IP addresses, does the Guest OS even get ARP resolution for its default gateway?

What is the output of 'ipconfig /all' and 'arp -a' from the guest OS after trying to ping the ASA's DMZ interface?

AQPadministrator Sat, 07/12/2008 - 09:03

Yes it does, and the ASA 5505 also shows it in its dynamic ARP cache.

The MAC associated with it is different from the MAC of the Host.

I have had issues with proxy ARP on the ASA 5505 and *nix boxes before; I will try shutting it off and see what happens.
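
The ARP cross-check Magnus asked for and the poster confirmed above (guest resolves the DMZ gateway, ASA holds the guest's IP in its dynamic ARP cache under a MAC that differs from the host's) can be automated. The script below is an added example for this thread, not Cisco's code or the poster's; the ASA line layout it parses (`<interface> <ip> <mac> <age>`, as printed by `show arp`) is assumed, the sample outputs are constructed, and the DMZ interface address 192.168.2.1 is a guess since the thread never states it.

```python
"""Correlate a Cisco ASA 'show arp' dump with a guest's 'arp -a' table.

Use: paste the ASA output and the guest's Windows 'arp -a' output into the
two strings (or read them from files) and call check_guest().  Everything
below is constructed sample data, not output from the poster's devices.
"""
import re
from collections import defaultdict

# Constructed ASA 'show arp' output.  Two entries on the dmz interface:
# the host's eth0 and the bridged VMware guest, each with its own MAC,
# both learned through the same physical switch port on the 5505.
ASA_SHOW_ARP = """\
        outside 203.0.113.1 0011.2233.4455 120
        inside 192.168.1.10 000c.29aa.bb01 45
        dmz 192.168.2.4 000c.29cc.dd02 30
        dmz 192.168.2.5 000c.29ee.ff03 12
"""

# Constructed 'arp -a' output from the Windows XP guest after pinging the
# ASA's DMZ interface (assumed to be 192.168.2.1).
GUEST_ARP_A = """\
Interface: 192.168.2.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.2.4           00-0c-29-cc-dd-02     dynamic
"""

# ASA prints MACs as dotted-hex triplets; Windows prints dash-separated octets.
ASA_RE = re.compile(
    r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s*$", re.I)
WIN_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$", re.I)


def norm_mac(mac):
    """Canonicalise any MAC spelling to colon-separated lowercase octets."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_asa_arp(text):
    """Return {interface: {ip: mac}} from ASA 'show arp' output."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = ASA_RE.match(line)
        if m:
            iface, ip, mac, _age = m.groups()
            table[iface][ip] = norm_mac(mac)
    return dict(table)


def parse_windows_arp(text):
    """Return {ip: mac} from a Windows 'arp -a' listing (header lines skipped)."""
    table = {}
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m:
            ip, mac, _type = m.groups()
            table[ip] = norm_mac(mac)
    return table


def check_guest(asa_text, guest_text, iface, gateway_ip, host_ip, guest_ip):
    """Answer the questions raised in the thread as a dict of findings."""
    asa_iface = parse_asa_arp(asa_text).get(iface, {})
    guest = parse_windows_arp(guest_text)
    host_mac = asa_iface.get(host_ip)
    guest_mac = asa_iface.get(guest_ip)
    return {
        # Did the guest get ARP resolution for its default gateway?
        "guest_resolved_gateway": gateway_ip in guest,
        # Does the ASA's dynamic ARP cache hold the guest and the host?
        "asa_learned_guest": guest_mac is not None,
        "asa_learned_host": host_mac is not None,
        # Is the guest's MAC distinct from the host's (bridged, not NAT)?
        "guest_mac_differs_from_host": bool(host_mac and guest_mac and host_mac != guest_mac),
        # Do guest and ASA agree on the host's MAC (no proxy-ARP confusion)?
        "host_mac_consistent": guest.get(host_ip) == host_mac,
        # How many distinct MACs sit behind this one ASA interface?
        "macs_behind_iface": len(set(asa_iface.values())),
    }


if __name__ == "__main__":
    for k, v in check_guest(ASA_SHOW_ARP, GUEST_ARP_A, "dmz",
                            "192.168.2.1", "192.168.2.4", "192.168.2.5").items():
        print("%-28s %s" % (k, v))
```

With the thread's addresses the report comes back all true with two MACs behind the dmz interface, which matches what the poster observed: layer 2 is fine in both directions, so the drop has to be happening above ARP and without a syslog entry. A false `host_mac_consistent` would instead point at the proxy-ARP interaction the poster mentions.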

AQPadministrator Sat, 07/12/2008 - 12:05

I apologize I missed the IP question. I am using 192.168.2.0/24 for the DMZ.

Using:

Host 192.168.2.4

Guest 192.168.2.5

AQPadministrator Sat, 07/12/2008 - 12:25

SOLUTION!

Install a second NIC and bind vmnet0 to eth1 instead of eth0.

Details:

The goal was to have the host OS (Ubuntu 8.04), which is running an Apache web server, also serve as an e-mail gateway (SpamTitan), since on a heavy day the web server might hit 5% CPU.

Why buy a whole new machine, right?

When it did not work right away, I went into troubleshooting mode and tried several different things, as mentioned above, which led me to the idea of creating my own VM of SpamTitan and binding it to a different NIC.

Before I went that far, I tried reassigning vmnet0 from eth0 to my newly installed eth1 and running it. That seems to have done the trick!

So now the setup is:

eth0 192.168.2.4

eth1 192.168.2.5

vmnet0 192.168.2.6

With vmnet0 bridged to eth1

Why is it working now and not before?

I am unsure. It is not a Linux thing, because I tried both Windows XP and OS X 10.5 with the same result. I think it has more to do with the primary network and associated services than with the host OS.

If anyone has any insight please let me know. Otherwise I am going to chase it down later.

Thanks again for your responses!

dlogan151 Wed, 03/13/2013 - 08:00

I'm having issues with Virtual Machines at any of my customers with Cisco ASA as the edge firewall/router.

It doesn't matter what VM technology - it happens with both VMWare Fusion and VirtualBox.

It doesn't matter how I setup the networking - NAT or bridge.

It doesn't matter what the host OS is - it happens on ArchBang Linux and on OSX.

It doesn't matter what the guest OS is - it happens on Windows XP and Windows 7.

Basically, when I open the virtual machine, both the host and guest OSes start having problems accessing the Internet. Sometimes it's bad packet loss, sometimes it won't work at all. Sometimes it will work fine for a few minutes and then start acting up again.

The only thing that is the same is a Cisco ASA 5505.

These are laptops on wifi, so installing a secondary NIC and binding the VM's interface to it is not a solution for me.
