ArneLovius
asked on
ASA 5505 NAT/Routing
Odd problem on an ASA 5505 running 9.1.1
outside interface address 1.2.245.110 255.255.255.248
internal interface address 192.168.30.1
default gateway 1.2.245.105
The default gateway is a "bonded" ADSL2+ router (Comtrend) on Bethere (UK ISP) it has a primary address of .105 and a secondary of .106
from the ASA I can ping both the .105 and the .106 addresses
from inside I can traceroute out over the ASA and the first hop seen is the .105 address
C:\temp>tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 1.2.245.105
2 * * * Request timed out.
3 129 ms 133 ms 127 ms 94.195.96.17
from inside I can ping the .106 address
from inside I cannot ping the .105 address
If I use the ASA packet tracer, it can get to the .106 address
asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.106 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.2.245.104 255.255.255.248 ISP
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:
Dynamic translate 192.168.30.3/8080 to 1.2.245.110/8080
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 996698, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: allow
but it can't get to the .105 address
asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.105 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.2.245.104 255.255.255.248 ISP
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
To say I'm confused by the "no route to host" is putting it mildly...
sanitized config as per the attached.
5505cleaned.txt
ASKER
I think you have misread the config, possibly mistaking .105 for .005
If the subnet mask was incorrect, I would not be able to traceroute over the ASA, neither would I be able to ping each of the addresses from the ASA.
Just for clarification, it is an ADSL router, not an ADSL modem.
No mistake here, your ASA outside interface and ADSL router are in different subnets
ASKER
The ADSL router is on 1.2.245.105
The ASA is 1.2.245.110
With a 255.255.255.248 subnet mask (a /29) the network address is 1.2.245.104 and the broadcast is 1.2.245.111
Rather than explain further, here is an online subnet calculator which demonstrates
http://jodies.de/ipcalc?host=1.2.245.110&mask1=29&mask2=
By the way, I think you should be calculating like this:
http://jodies.de/ipcalc?host=1.2.245.0&mask1=29&mask2=
Can you post your config btw
ASKER
As per my initial post, the config is attached to the first post.
My subnet mask is correct, as per the link I provided in 39184418
Address:   1.2.245.105          00000001.00000010.11110101.01101 001
Netmask:   255.255.255.248 = 29 11111111.11111111.11111111.11111 000
Network:   1.2.245.104/29       00000001.00000010.11110101.01101 000
Broadcast: 1.2.245.111          00000001.00000010.11110101.01101 111
HostMin:   1.2.245.105          00000001.00000010.11110101.01101 001
HostMax:   1.2.245.110          00000001.00000010.11110101.01101 110
105 and 110 are in the same subnet when used with 255.255.255.248
This is NOT a subnet mask issue.
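The subnet dispute in this thread (the asker's /29 post above and the ipcalc output just shown) can be settled by doing the mask arithmetic by hand and cross-checking it against the standard library. The script below is an added example, not code from the thread or from Cisco; it uses only the addresses and mask posted, and the "count blocks from .0" walk mirrors the way the expert tried to calculate.

```python
import ipaddress

# Addresses as posted in the thread; the outside mask is 255.255.255.248 (/29)
ASA_OUTSIDE = "1.2.245.110"
ROUTER_PRIMARY = "1.2.245.105"
ROUTER_SECONDARY = "1.2.245.106"
OUTSIDE_MASK = "255.255.255.248"


def to_int(dotted: str) -> int:
    """Dotted-quad -> 32-bit integer, done by hand so the mask arithmetic is visible."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_and_broadcast(host: str, mask: str) -> tuple:
    """network = host AND mask; broadcast = network OR (NOT mask)."""
    h, m = to_int(host), to_int(mask)
    network = h & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return to_dotted(network), to_dotted(broadcast)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts share a subnet iff their network addresses under `mask` agree."""
    return network_and_broadcast(a, mask)[0] == network_and_broadcast(b, mask)[0]


def describe(host: str, mask: str) -> dict:
    """Reproduce ipcalc's summary with the standard library as a cross-check
    of the hand-rolled arithmetic above."""
    net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
    }


def block_holding(host: str, mask: str, parent: str = "1.2.245.0/24") -> str:
    """Walk the equal-sized blocks of `parent` starting at .0 (the way the
    expert counted: .0-.7, .8-.15, ...) and return the one containing `host`."""
    prefixlen = ipaddress.ip_network(f"{host}/{mask}", strict=False).prefixlen
    addr = ipaddress.ip_address(host)
    for block in ipaddress.ip_network(parent).subnets(new_prefix=prefixlen):
        if addr in block:
            return str(block)
    raise ValueError(f"{host} is not inside {parent}")


if __name__ == "__main__":
    for host in (ASA_OUTSIDE, ROUTER_PRIMARY, ROUTER_SECONDARY):
        print(host, network_and_broadcast(host, OUTSIDE_MASK), block_holding(host, OUTSIDE_MASK))
    print("ASA and router primary share a /29:",
          same_subnet(ASA_OUTSIDE, ROUTER_PRIMARY, OUTSIDE_MASK))
```

Counting /29 blocks from .0 does not stop at .8-.15; the fourteenth block is .104-.111, which is exactly the network ipcalc reports, so .105 and .110 land in the same block either way.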
Your config looks good to me
ASKER
I'm aware that the config looks good, I'm trying to find out why I'm experiencing this issue, and how to resolve it...
ASKER CERTIFIED SOLUTION
ASKER
With the addition of the specific NAT rule that uses the interface prior to the general NAT rule that uses a different address on the ASA, traffic can flow using the interface to the router address.
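The fix the asker describes is a rule-ordering one: a specific NAT rule for traffic to the router, translated to the interface address, has to sit ahead of the general rule that translates to a different address. The model below is an added example, not the asker's configuration or Cisco code; it reduces ASA manual NAT to first-match, top-down evaluation (the order within a section is what matters here), uses a hypothetical placeholder 1.2.245.109 for the "different address", and adds a small shadowing check a defender can run over a rule list before deploying it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    """Simplified manual-NAT rule: real source/destination networks and the
    address the source is translated to. 'any' matches every address."""
    name: str
    real_src: str
    real_dst: str
    mapped_src: str


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def first_match(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Top-down, first rule whose real source and destination both match wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in _net(rule.real_src) and d in _net(rule.real_dst):
            return rule
    return None


def translated_source(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[str]:
    match = first_match(rules, src_ip, dst_ip)
    return match.mapped_src if match else None


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule already
    covers both their source and destination (the ordering bug in this thread)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_net(later.real_src).subnet_of(_net(earlier.real_src))
                    and _net(later.real_dst).subnet_of(_net(earlier.real_dst))):
                out.append(later.name)
                break
    return out


# Addresses from the thread, plus one hypothetical placeholder for the
# 'different address' the general rule used (not stated in the thread).
INSIDE_HOST = "192.168.30.3"
ROUTER = "1.2.245.105"
INTERFACE_ADDR = "1.2.245.110"
OTHER_PAT_ADDR = "1.2.245.109"  # hypothetical placeholder

GENERAL = NatRule("general-pat", "192.168.30.0/24", "any", OTHER_PAT_ADDR)
TO_ROUTER = NatRule("to-router-via-interface", "192.168.30.0/24", ROUTER + "/32", INTERFACE_ADDR)

if __name__ == "__main__":
    for order in ([GENERAL, TO_ROUTER], [TO_ROUTER, GENERAL]):
        names = [r.name for r in order]
        print(names, "->", translated_source(order, INSIDE_HOST, ROUTER),
              "shadowed:", shadowed_rules(order))
```

With the general rule first, the router-specific rule is unreachable and traffic to .105 is translated to the other address; moving the specific rule above it gives the interface translation the asker needed, while traffic to other destinations still falls through to the general rule.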
With 255.255.255.248 mask your ip address on the ASA and on the ADSL modem are in different subnets
With this subnet mask you have 2 separate subnets
1. 1.2.245.0 - 1.2.245.7, where .0 and .7 are network and broadcast addresses, they can not be assigned
2. 1.2.245.8 - 1.2.245.15, where .8 and .15 are network and broadcast addresses, they can not be assigned
This is why it says you have no route to the ADSL modem
I would suggest changing the subnet mask on ASA to 255.255.255.240