• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2850

ASA 5505 NAT/Routing

Odd problem on an ASA 5505 running 9.1.1

outside interface address 1.2.245.110 255.255.255.248
internal interface address 192.168.30.1
default gateway 1.2.245.105

The default gateway is a "bonded" ADSL2+ router (Comtrend) on Bethere (UK ISP); it has a primary address of .105 and a secondary of .106.

From the ASA I can ping both the .105 and the .106 addresses.

From inside I can traceroute out over the ASA, and the first hop seen is the .105 address:

C:\temp>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  1.2.245.105
  2     *        *        *     Request timed out.
  3   129 ms   133 ms   127 ms  94.195.96.17


From inside I can ping the .106 address.

From inside I cannot ping the .105 address.

If I use the ASA packet tracer, it can get to the .106 address

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.106 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:
Dynamic translate 192.168.30.3/8080 to 1.2.245.110/8080

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 996698, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: allow


But it can't get to the .105 address:

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.105 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host


To say I'm confused by the "no route to host" is putting it mildly...

Sanitized config as per the attached:
5505cleaned.txt
Asked by: ArneLovius

1 Solution

fgasimzade Commented:
Your subnet mask is incorrect.

With a 255.255.255.248 mask, your IP address on the ASA and on the ADSL modem are in different subnets.

With this subnet mask you have 2 separate subnets:

1. 1.2.245.0 - 1.2.245.7, where .0 and .7 are network and broadcast addresses; they cannot be assigned.

2. 1.2.245.8 - 1.2.245.15, where .8 and .15 are network and broadcast addresses; they cannot be assigned.

This is why it says you have no route to the ADSL modem.

I would suggest changing the subnet mask on the ASA to 255.255.255.240.
 
ArneLovius (Author) Commented:
I think you have misread the config, possibly mistaking .105 for .005.

If the subnet mask was incorrect, I would not be able to traceroute over the ASA, neither would I be able to ping each of the addresses from the ASA.

Just for clarification, it is an ADSL router, not an ADSL modem.
 
fgasimzade Commented:
No mistake here, your ASA outside interface and ADSL router are in different subnets.
 
ArneLovius (Author) Commented:
The ADSL router is on 1.2.245.105
The ASA is 1.2.245.110

With a 255.255.255.248 subnet mask (a /29) the network address is 1.2.245.104 and the broadcast is 1.2.245.111

Rather than explain further, here is an online subnet calculator which demonstrates this:

http://jodies.de/ipcalc?host=1.2.245.110&mask1=29&mask2=
 
fgasimzade Commented:
By the way, I think you should be calculating like this:

http://jodies.de/ipcalc?host=1.2.245.0&mask1=29&mask2=
 
fgasimzade Commented:
Can you post your config, btw?
 
ArneLovius (Author) Commented:
As per my initial post, the config is attached to the first post.

My subnet mask is correct, as per the link I provided in 39184418:
Address:   1.2.245.105           00000001.00000010.11110101.01101 001
Netmask:   255.255.255.248 = 29  11111111.11111111.11111111.11111 000
Network:   1.2.245.104/29        00000001.00000010.11110101.01101 000
Broadcast: 1.2.245.111           00000001.00000010.11110101.01101 111
HostMin:   1.2.245.105           00000001.00000010.11110101.01101 001
HostMax:   1.2.245.110           00000001.00000010.11110101.01101 110


.105 and .110 are in the same subnet when used with 255.255.255.248.

This is NOT a subnet mask issue.
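To settle the /29 argument above by computation rather than by calculator link, here is an added example (not part of the original thread) that reproduces the ipcalc layout for any host/prefix, checks whether two hosts share a subnet, and shows that fgasimzade's blocks starting at .0 and .8 do not contain .105. The addresses are the ones from the thread; nothing else is assumed.

```python
# Added example: recompute the subnet facts the thread disputes.
# ipaddress is standard library; no network access is needed.
from ipaddress import IPv4Address, IPv4Network


def subnet_facts(host: str, prefix: int) -> dict:
    """Network, broadcast and usable host range for the block containing host/prefix."""
    net = IPv4Network(f"{host}/{prefix}", strict=False)  # strict=False: host bits allowed
    hosts = list(net.hosts())  # a /29 has 6 usable hosts
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
    }


def bit_columns(addr: str, prefix: int) -> str:
    """Dotted binary with a space after the prefix bits, matching ipcalc's
    network-bits | host-bits layout (e.g. '...01101 001' for 1.2.245.105/29)."""
    bits = format(int(IPv4Address(addr)), "032b")
    dotted = ".".join(bits[i:i + 8] for i in range(0, 32, 8))
    split = prefix + prefix // 8  # prefix bits plus the dots already passed
    return dotted[:split] + " " + dotted[split:]


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when both hosts fall in the same prefix-length block."""
    return (IPv4Network(f"{a}/{prefix}", strict=False)
            == IPv4Network(f"{b}/{prefix}", strict=False))


if __name__ == "__main__":
    asa, router, plen = "1.2.245.110", "1.2.245.105", 29
    for label, value in subnet_facts(router, plen).items():
        print(f"{label:10} {value:16} {bit_columns(value, plen)}")
    print("Netmask   ", "255.255.255.248 ", bit_columns("255.255.255.248", plen))
    print("ASA and router share a /29:", same_subnet(asa, router, plen))
    # The blocks cited in the thread that start at .0 and .8 are other /29s:
    for start in ("1.2.245.0", "1.2.245.8"):
        facts = subnet_facts(start, plen)
        print(start, "block:", facts["network"], "-", facts["broadcast"],
              "contains .105:", same_subnet(start, router, plen))
```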
 
fgasimzade Commented:
Your config looks good to me.
 
ArneLovius (Author) Commented:
I'm aware that the config looks good; I'm trying to find out why I'm experiencing this issue, and how to resolve it...
 
ArneLovius (Author) Commented:
There was an error in the config; the NAT ordering needed changing:

nat (inside,ISP) 3 source dynamic PR-30 interface destination static BeBox BeBox

 
ArneLovius (Author) Commented:
With the addition of the specific NAT rule that uses the interface prior to the general NAT rule that uses a different address on the ASA, traffic can flow using the interface to the router address.