VMware Communities
ntranced
Contributor

Routing external traffic through firewall to virtual Linux on VMware

We have some w2k3 servers on an internal NAT network behind a Cisco PIX firewall. On one server we have VMware Player with a virtual Linux setup which was put together for us by a consultant and runs fine on the internal IP (192.168.1.100). We can ping and connect to it from inside the network with no issues. However, we cannot connect to it through the firewall and I have been told that "layer 3 bridging will not map correctly and layer 2 bridging must be used". Can anyone point me in the right direction on this? First time using this type of software and it's a little daunting.

The internal IP of the virtual Linux is set directly in the Linux config as 192.168.1.100 and this is fine internally from the box VMware is installed on and from other boxes. I haven't configured anything in VMplayer, just loaded up the virtual Linux, so the Ethernet is set as "Bridged". If I change that to "NAT" I lose the ability to connect to the virtual machine altogether.

Thanks

skrodahl
Enthusiast

You're on the right track.

Network should be bridged, and your virtual machine is visible and reachable from the rest of your network.

Set it to NAT, and it will be hidden behind the IP address of the physical machine running VMware Player.

Now, what you have to do is configure your PIX to present 192.168.1.100 with an external address, and open the ports you need to access from the Internet.

(You will be able to ping the vm from your PIX by using the command 'ping is the name of the firewall zone where the 192.168.1.x network resides. This will work, even before you set up the firewall rules.)

Just think of your virtual machine as just another machine on your internal network.

If you are unsure of the firewall rules needed, compare with any other similar rules.

(It's been a long time since I configured any PIXes... In command line, the commands 'show nat' and 'show cond' would give you the info you needed.)

ntranced
Contributor

Well so far it's set to Bridged, the Cisco has been set up to route the external IP through to 192.168.1.100 with the correct ports open, but it can't route anything through. We can't even ping or connect from outside the firewall, only from within the network.

If I set VMPlayer to NAT, I can't see/ping it either on the internal network or externally through the firewall... which matches what you said.

I'm discounting firewall rules etc. being the problem as we have no issues configuring the Cisco; in fact it's done by Rackspace so I trust them more than I trust myself to do it.

ntranced
Contributor

This is the last comment from RS techs -

"I have taken a look at your server. I see that you are running VMWARE Player logged in with the administrator account. I would like to remind you that VMWare is not a supported application, but here is what I can offer. Because of the nature of VMWARE Player and terminal services, I am unable to see how you have configured the network interface for this guest OS. My suggestion to you would be to confirm that you are using the "Bridged" network for this guest. Looking at the Virtual Network Editor, I see that you have configured a Virtual Network labeled "VMnet0" that is "Bridged". I would make sure this network is the network you are using for this guest. Beyond that, I do not have any other suggestions for you."

skrodahl
Enthusiast

You've done a good job tracing the problem so far.

Your network is bridged, and you can ping the virtual machine from your internal network.

Next step, to check connectivity, is to ping the vm from your firewall.

If that step is successful, you check the firewall rules.

ntranced
Contributor

No, it can't be pinged from the firewall at present.

skrodahl
Enthusiast

The firewall has (or should have) an interface on this network (192.168.1.x).

So what you're saying is that you can ping the virtual machine from the whole network except the firewall?

However unrelated to VMware Player this may be...

What is the name of the firewall zone containing the 192.168.1.x network?

What is the IP address of the firewall interface connected to the 192.168.1.x?

1. The firewall IP address should be 192.168.1.1 or something on the 192.168.1.x network.

2. The netmask on this interface should be the same as on your virtual machine.

3. The default gateway on your virtual machine should (normally) be the firewall IP-address.

(4. If the gateway on your virtual machine is not the PIX, it may be using another router (or routing capable equipment). This may be a problem, because it could mean that the firewall doesn't have direct connection to your virtual machine.)

You should be able to ping the virtual machine from the PIX by issuing the command 'ping 192.168.1.100'. Note that simply pinging the IP address without giving the zone name will not work.

If that didn't work, there is most likely something wrong in your network. Either the firewall, the virtual machine, or both.

ntranced
Contributor

I'm beginning to think the issue is related to the copy of Linux and its config that VMplayer is using. I've searched high and low on the net and I can't see anything even related to the problem I'm having, so I can only assume this is the issue. The IP 192.168.1.202 is configured in the Linux itself, but I don't have this IP set in any of the physical or virtual network adaptors - should I have? I'm beginning to think about just leasing a cheap Linux box elsewhere as I just can't see any reason why the internal machines can talk to the VM Linux but the firewall can't route external traffic to it.

skrodahl
Enthusiast

Ah...

So if you run the command 'ifconfig eth0' in Linux, which IP address does it show?

192.168.1.202?

Then this is the IP of your virtual machine, and not 192.168.1.100.

Try pinging the address of your virtual machine from the PIX again.

Use ssh (a free ssh client for Windows is PuTTY; the ssh command is usually built in on Linux) and try to connect to 192.168.1.202.

When you log in, you will see if this is your virtual machine.

Remember: You know this machine is virtual, but for all intents and purposes this is just another machine on your network.

And no two machines on the same network should have the same IP address. The IP address of your virtual machine should only be found on your virtual machine, and not anywhere else. Not even on the physical machine where the virtual machine resides.

(If any of this seems low level, it's not at all an attempt of mockery. I just have no idea of your technical knowledge level.)

ntranced
Contributor

Don't worry about the low level, I usually find it's the basics that cause problems like this :)

Ignore the 102 reference earlier, it was a typo I should have said .100.

On the VM if I do ifconfig I get

eth0 - inet addr: 192.168.1.100 Bcast 192.168.1.255 Mask 255.255.255.0

Which all looks OK to me. As before, this IP isn't anywhere else on the network, and it's definitely the VM. If I take the VM down I can't ping it from another box, and the VM has some apps like Webmin which aren't anywhere else on the network, which when the VM is running I can connect to just fine from another box on the network. I just can't connect to it externally through the firewall!

I've double and triple checked the firewall rules; for example I took the VM down and gave the physical net adaptor the .100 IP address and I can connect just fine. It just seems like the firewall can't talk to the IP if it's "virtual". Rackspace say it's the bridging protocol but that doesn't really help me either!

ntranced
Contributor

Someone else at RS suggested I check some config files on the VM, don't know if this will help

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

ONBOOT=yes

BOOTPROTO=static

IPADDR=192.168.1.100

NETMASK=255.255.255.0

GATEWAY=192.168.1.1

/etc/resolv.conf:

nameserver 192.168.1.1

skrodahl
Enthusiast

I'm drawing a blank here...

I've used VMware virtual machines and accessed them through PIX as early as 2001. Never had any problems.

The VM has an IP address and a unique MAC address, visible on your LAN.

That should be all that's needed...

It's very possible that there is a simple fix, but I just don't have any more leads.

The only thing I can think of is to clear the arp table and the translation table on the firewall.

But you can check them first, to see if they are correct.

'show arp' will show the arp table.

It's just the IP addresses and their associated MAC addresses that the PIX has discovered.

An 'ifconfig eth0' will show you the MAC address of your virtual machine.

'show xlate' will show the translation table.

Check http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248, and search for 'show xlate' for more info.

If you suspect any conflicts or errors, clear the arp and translation table:

'clear arp'

'clear xlate'

Note that all established connections through the firewall will be disconnected when issuing 'clear xlate'.

ntranced
Contributor

Rackspace finally came through - here is their solution -

"I was able to get this VM pinging to the outside world by running the following command on the virtual Linux system.

route add default gw 192.168.1.1 eth0"

I don't know what that command does, my Linux knowledge is non-existent. Not even sure if I will need to run that command each time we load the VM but hey, at least I can connect.

Thanks for all your info and feedback, it was sending your last comment to RS techs that finally got one of them to login to the server and take a look.

skrodahl
Enthusiast

Glad to hear you found a solution.

I don't really think this was it though...

Unless the file /etc/sysconfig/network has another gateway setting, that is.

You sent an earlier mail with the contents of /etc/sysconfig/network-scripts/ifcfg-eth0, and one of the lines was:

GATEWAY=192.168.1.1

This parameter is setting the gateway for eth0 to 192.168.1.1.

This setting defines which way you go to get out of your LAN.

Your firewall has the information about other networks, and the capability to send traffic to these networks. This would be other zones on the firewall, and maybe even the whole Internet (or at least the way to other equipment which knows about the whole Internet).

I'm happy you figured it out, and I wish you a merry Christmas.

ntranced
Contributor

Interestingly, /etc/sysconfig/network just has this within it -

NETWORKING=yes

HOSTNAME=savasm

GATEWAY=192.168.1.1

I'll keep investigating this, in the meantime thanks very much for all of your assistance and Happy Xmas :)

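An added example, not code from the thread or from Rackspace, that turns the gateway discussion and the 'route add default gw' fix above into a repeatable check: it parses an ifcfg-eth0 block and 'route -n' output (both constructed inline from the values posted) and reports when the configured GATEWAY is missing from the live routing table. It assumes a POSIX sh with awk and sed; the function names are my own.

```shell
# Added example (not from the thread): verify that the gateway in ifcfg-eth0 is
# on eth0's subnet and is actually installed as the running default route.
# Constructed ifcfg-eth0, using the values posted in the thread.
IFCFG_SAMPLE='DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1'
# Constructed 'route -n' output for the broken state: LAN route only, no default.
ROUTE_BROKEN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'
# Same table after the fix: a default (0.0.0.0) route via the PIX.
ROUTE_FIXED="$ROUTE_BROKEN
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0"
# Dotted quad to integer so subnet membership can be tested with a bit mask.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# Value of KEY=... in KEY=VALUE file contents passed as a string.
cfg_get() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1; }
# Prints "ok" when GATEWAY lies inside IPADDR/NETMASK, else "off-subnet".
gateway_on_subnet() {
  ip=$(ip_to_int "$(cfg_get IPADDR "$1")")
  mask=$(ip_to_int "$(cfg_get NETMASK "$1")")
  gw=$(ip_to_int "$(cfg_get GATEWAY "$1")")
  if [ $(( ip & mask )) -eq $(( gw & mask )) ]; then echo ok; else echo off-subnet; fi
}
# Prints the gateway of the active default route in 'route -n' output, or "none".
active_default_gw() {
  gw=$(printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2; exit }')
  echo "${gw:-none}"
}
# Returns 0 only when the running default gateway equals the configured one;
# otherwise prints the command that restores it (the fix Rackspace applied).
check_default_route() {
  want=$(cfg_get GATEWAY "$1"); have=$(active_default_gw "$2")
  [ "$have" = "$want" ] && { echo "default route via $have matches ifcfg"; return 0; }
  echo "want gateway $want, have $have; fix with: route add default gw $want eth0"
  return 1
}
```

On the real VM you would feed it the actual files and `route -n` output, e.g. `check_default_route "$(cat /etc/sysconfig/network-scripts/ifcfg-eth0)" "$(route -n)"`; a persistent mismatch after reboot points at the network startup scripts rather than the PIX.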