ASA 5505 and Virtual Machines

Hello,

I have an ASA 5505 v8. Everything is working fine so far except when I tried running a virtual machine on a computer in the DMZ.

My setup is pretty straightforward: 3 VLANs, inside, outside and a DMZ. I only have the security bundle license. Since this is a test bed I have loosened up the security as much as I can find/think of, but still here is the problem I have:

When a machine running a host OS (I tried many flavors of Linux, Windows XP, and Mac OS X 10.5) hosts a guest OS via VMware Player 2.04 (networking set to bridged) and is on the DMZ, the guest OS cannot connect to anything off the DMZ on any protocol. The host OS works fine and can do everything that it is allowed to.

If I take this exact same setup and plug it into an old Linksys router I have sitting around it works great; both host and guest OS have perfect connectivity.

What is tripping me up is that the logs are not showing me anything. If I ping from the host OS to anything on the DMZ or the Internet I can see the traffic and it works fine. (Yes, I have allowed icmp DMZ->Internet.) If I ping from the guest OS to anything on the DMZ it works great and I can see the traffic. If I try to ping anything on the Internet I get nothing. Further, if I try to access http/https or even DNS off the DMZ I get nothing. No connection, no log file entries. It just does not work.

My best guess is that something to do with the VMware bridge setup (vmnet0) is tripping something on the ASA, causing it to drop packets?

If so, does anyone know how to allow them?

Anyone else have a Virtual Machine running on their DMZ?

Thanks in advance for any and all help

14 Replies

Anyone have a VM running on their DMZ? Does anyone know what I would need to change on the 5505 to allow it?

Any help is greatly appreciated!

So as I typed this out I thought of something I had not tried.

If I run the same setup from the inside LAN it works fine...

I now think it is a combination of two things. The licensing restrictions and how the VMware Bridging vmnet0 works.

Any insight?

Hmm, it sounds interesting. Are you able to ping the ASA's DMZ interface from the guest OS? Can you post the configuration of your ASA?

Yes, when the host and guest are on the DMZ both can ping the DMZ interface. The guest can even ping other computers on the DMZ.

To that end, I thought at first it was just a DNS issue (the guest could not get updates), so I set up a DNS server on the DMZ and pointed the guest to it. That allowed DNS resolution, but the guest could still not get off the network.

I will post my config shortly.

See attached:

I can put it in multiple replies if need be. I also added a couple of notes. There are a few things in there I would not normally have set up, like DHCP on the DMZ and a specific ACL for the guest OS.

All were attempts at making it work.

Thanks for any help.

Hi, try adding

nat (dmz) 1 192.168.2.0 255.255.255.0

Thanks but no luck.

It does rule out a global policy being the issue though so thank you for that.

I think I am going to blast out the config and try again. I may have over-troubleshot it.

Reset to factory defaults, set it back up with a very basic config: same results.

Host and guest on the inside VLAN: no problems. Host and guest on the DMZ (with base license): the guest cannot make connections beyond the DMZ.

Nothing shows up in the logs.

I am going to try VirtualBox instead of VMware and hope for the best.

What are the IPs of the guest OS and the IP of the host OS?

Magnus Mortensen
Cisco Employee

Also, aside from the question about the IP addresses, does the Guest OS even get ARP resolution for its default gateway?

What is the output of 'ipconfig /all' and 'arp -a' from the guest OS after trying to ping the ASA's DMZ interface?

Yes it does, and the ASA 5505 also shows it in its dynamic ARP cache.

The MAC associated with it is different from the MAC of the host.

I have had issues with proxy ARP on the ASA 5505 and *nix boxes before; I will try shutting it off and see what happens.

I apologize I missed the IP question. I am using 192.168.2.0/24 for the DMZ.

Using:

Host 192.168.2.4

Guest 192.168.2.5

SOLUTION!

Install a second NIC and bind vmnet0 to eth1 instead of eth0.

Details:

The goal was to have the host OS (Ubuntu 8.04), which is running an Apache web server, also serve as an e-mail gateway (SpamTitan), since on a heavy day the web server might hit 5% CPU.

Why buy a whole new machine, right?

When it did not work right away I went into troubleshooting mode and tried several different things, as mentioned above, which led me to the idea of creating my own VM of SpamTitan and binding it to a different NIC.

Before I went that far I tried reassigning vmnet0 from eth0 to my newly installed eth1 and running it. That seems to have done the trick!

So now the setup is:

eth0 192.168.2.4

eth1 192.168.2.5

vmnet0 192.168.2.6

with vmnet0 bridged to eth1.

Why is it working now and not before?

I am unsure. It is not a Linux thing, because I tried both Windows XP and OS X 10.5 with the same result. I think it has more to do with the primary network and associated services than with the host OS.

If anyone has any insight please let me know. Otherwise I am going to chase it down later.

Thanks again for your responses!

I'm having issues with Virtual Machines at any of my customers with Cisco ASA as the edge firewall/router.

It doesn't matter what VM technology - it happens with both VMware Fusion and VirtualBox.

It doesn't matter how I set up the networking - NAT or bridge.

It doesn't matter what the host OS is - it happens on ArchBang Linux and on OSX.

It doesn't matter what the guest OS is - it happens on Windows XP and Windows 7.

Basically, when I open the virtual machine, both the host and guest OSes start having problems accessing the Internet. Sometimes it's bad packet loss, sometimes it won't work at all. Sometimes it will work fine for a few minutes and then start acting up again.

The only thing that is the same is a Cisco ASA 5505.

These are laptops on wifi, so installing a secondary NIC and binding the VM's interface to it is not a solution for me.
