To check connectivity between two VMs using ping commands, first turn on ICMP debugging on the ASA using "debug icmp trace". Then ping between the VMs, limiting each ping to a maximum of 3 packets with "-n 3" (Windows) or "-c 3" (Linux) so that no pings are left running. The VMs may not be able to ping each other, because by default the ASA blocks inbound ICMP traffic from interfaces with lower security levels to interfaces with higher levels, while allowing outbound ICMP.
Switch on the ICMP debugging trace logging, using the following command:
ciscoasa(config)# debug icmp trace
From the two VMs, connectivity can be checked using ping from console windows. Limit the ping to a maximum of 3 packets with -n 3 or -c 3, or press CTRL+C to stop the ping. DO NOT LEAVE PINGS RUNNING AS WE ARE WORKING ON SHARED VIRTUAL NETWORKS!

Linux: ping -c 3 dest_address
Windows: ping -n 3 dest_address

Questions

Q: Can the Windows VM ping the Linux VM?
Q: Can the Linux VM ping the Windows VM?
Q: What might be causing this?

By default, the ASA handles ICMP ping and traceroute traffic differently from a router. ICMP sent to an ASA interface is replied to, but inbound ICMP through the ASA is blocked by default, because traffic is not allowed to go from an interface with a lower security level to an interface with a higher level (outside 0 to inside 100 is not allowed). Outbound ICMP is permitted (inside 100 to outside 0 is allowed), but the reply is blocked by default.
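
Two ways the blocked reply can be let back in, shown as an added example that is not part of the original lab sheet. It assumes the ASA's default policy names (global_policy, inspection_default) are still in place and that the lower-security interface is named outside as above; the ACL name OUTSIDE_IN is hypothetical.

```cisco
! Added example, not from the lab sheet. Enter in global configuration mode.
!
! Option 1 (preferred): stateful ICMP inspection.
! The ASA tracks each outbound echo request and admits only the
! matching reply, so unsolicited ICMP from outside is still dropped.
! Assumes the default policy-map and class-map names are unchanged.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option 2 (weaker): stateless ACL on the outside interface.
! This admits ANY packet of the listed ICMP types from outside,
! whether or not an inside host asked for it. OUTSIDE_IN is a
! hypothetical ACL name.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
```

Neither option permits echo requests that originate on the outside interface, so a ping started from the lower-security side toward inside is still blocked.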