Solved

ASA 5505 NAT/Routing

Posted on 2013-05-21
2,177 Views
Last Modified: 2013-06-03
Odd problem on an ASA 5505 running 9.1.1

outside interface address 1.2.245.110 255.255.255.248
internal interface address 192.168.30.1
default gateway 1.2.245.105

The default gateway is a "bonded" ADSL2+ router (Comtrend) on Bethere (UK ISP); it has a primary address of .105 and a secondary of .106

From the ASA I can ping both the .105 and the .106 addresses

From inside I can traceroute out over the ASA and the first hop seen is the .105 address

C:\temp>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  1.2.245.105
  2     *        *        *     Request timed out.
  3   129 ms   133 ms   127 ms  94.195.96.17


From inside I can ping the .106 address

From inside I cannot ping the .105 address

If I use the ASA packet tracer, it can get to the .106 address

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.106 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:
Dynamic translate 192.168.30.3/8080 to 1.2.245.110/8080

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 996698, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: allow


But it can't get to the .105 address

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.105 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host


To say I'm confused by the "no route to host" is putting it mildly...

Sanitized config as per the attached.
5505cleaned.txt
Question by:ArneLovius
12 Comments
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39184029
Your subnet mask is incorrect

With a 255.255.255.248 mask, your IP addresses on the ASA and on the ADSL modem are in different subnets

With this subnet mask you have 2 separate subnets

1. 1.2.245.0 - 1.2.245.7, where .0 and .7 are the network and broadcast addresses; they cannot be assigned

2. 1.2.245.8 - 1.2.245.15, where .8 and .15 are the network and broadcast addresses; they cannot be assigned

This is why it says you have no route to the ADSL modem

I would suggest changing the subnet mask on ASA to 255.255.255.240
 
LVL 37

Author Comment

by:ArneLovius
ID: 39184368
I think you have misread the config, possibly mistaking .105 for .005

If the subnet mask was incorrect, I would not be able to traceroute over the ASA, neither would I be able to ping each of the addresses from the ASA.

Just for clarification, it is an ADSL router, not an ADSL modem.
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39184375
No mistake here, your ASA outside interface and ADSL router are in different subnets
 
LVL 37

Author Comment

by:ArneLovius
ID: 39184418
The ADSL router is on 1.2.245.105
The ASA is 1.2.245.110

With a 255.255.255.248 subnet mask (a /29) the network address is 1.2.245.104 and the broadcast is 1.2.245.111

Rather than explain further, here is an online subnet calculator which demonstrates

http://jodies.de/ipcalc?host=1.2.245.110&mask1=29&mask2=
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187147
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187161
By the way, I think you should be calculating like this:

http://jodies.de/ipcalc?host=1.2.245.0&mask1=29&mask2=
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187164
Can you post your config, btw?
 
LVL 37

Author Comment

by:ArneLovius
ID: 39187269
As per my initial post, the config is attached to the first post.

My subnet mask is correct, as per the link I provided in 39184418
Address:   1.2.245.105           00000001.00000010.11110101.01101 001
Netmask:   255.255.255.248 = 29  11111111.11111111.11111111.11111 000
Network:   1.2.245.104/29        00000001.00000010.11110101.01101 000
Broadcast: 1.2.245.111           00000001.00000010.11110101.01101 111
HostMin:   1.2.245.105           00000001.00000010.11110101.01101 001
HostMax:   1.2.245.110           00000001.00000010.11110101.01101 110


.105 and .110 are in the same subnet when used with 255.255.255.248

This is NOT a subnet mask issue.
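The mask dispute above can be settled by doing the arithmetic directly. The following Python is an added example, not part of the thread; it uses only the addresses and masks quoted in it, and reproduces the network/broadcast/host range the ipcalc output shows for 1.2.245.105/29.

```python
import ipaddress


def prefix_from_mask(mask: str) -> int:
    """Count the one-bits of a dotted mask, e.g. 255.255.255.248 -> 29."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def _dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_facts(host: str, mask: str) -> dict:
    """Network, broadcast and usable range of host/mask via AND/OR on the 32-bit value."""
    prefix = prefix_from_mask(mask)
    addr = int(ipaddress.IPv4Address(host))
    mask_bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = addr & mask_bits                      # clear the host bits
    broadcast = network | (~mask_bits & 0xFFFFFFFF)  # set the host bits
    return {"prefix": prefix, "network": _dotted(network), "broadcast": _dotted(broadcast),
            "host_min": _dotted(network + 1), "host_max": _dotted(broadcast - 1)}


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b share a network address under mask, i.e. are directly reachable."""
    return subnet_facts(a, mask)["network"] == subnet_facts(b, mask)["network"]


def dotted_binary(host: str) -> str:
    """Render an address as the ipcalc output in the thread does: 8 bits per octet."""
    return ".".join(f"{int(octet):08b}" for octet in host.split("."))


if __name__ == "__main__":
    # Addresses from the question: ASA outside .110, router primary .105, secondary .106.
    asa, router, router_alt, mask = "1.2.245.110", "1.2.245.105", "1.2.245.106", "255.255.255.248"
    facts = subnet_facts(asa, mask)
    print(f"Address:   {asa:<16} {dotted_binary(asa)}")
    print(f"Netmask:   {mask} = {facts['prefix']}  {dotted_binary(mask)}")
    for key in ("network", "broadcast", "host_min", "host_max"):
        print(f"{key + ':':<11}{facts[key]:<16} {dotted_binary(facts[key])}")
    print("ASA and router .105 same /29:", same_subnet(asa, router, mask))
    print("ASA and router .106 same /29:", same_subnet(asa, router_alt, mask))
    # Counting blocks up from .0 gives 1.2.245.0/29, which does not contain .105 at all.
    print("1.2.245.0/29 contains .105:", same_subnet("1.2.245.0", router, mask))
```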
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187376
Your config looks good to me
 
LVL 37

Author Comment

by:ArneLovius
ID: 39188185
I'm aware that the config looks good, I'm trying to find out why I'm experiencing this issue, and how to resolve it...
 
LVL 37

Accepted Solution

by:ArneLovius (earned 0 total points)
ID: 39204125
There was an error in the config; the NAT ordering needed changing

nat (inside,ISP) 3 source dynamic PR-30 interface destination static BeBox BeBox

 
LVL 37

Author Closing Comment

by:ArneLovius
ID: 39215594
With the addition of the specific NAT rule that uses the interface prior to the general NAT rule that uses a different address on the ASA, traffic can flow using the interface to the router address.