Solved

ASA 5505 NAT/Routing

Posted on 2013-05-21
12
1,875 Views
Last Modified: 2013-06-03
Odd problem on an ASA 5505 running 9.1.1

outside interface address 1.2.245.110 255.255.255.248
internal interface address 192.168.30.1
default gateway 1.2.245.105

The default gateway is a "bonded" ADSL2+ router (Comtrend) on Bethere (UK ISP) it has a primary address of .105 and a secondary of .106

from the ASA I can ping both the .105 and the .106 addresses

from inside I can traceroute out over the ASA and the first hop seen is the .105 address

C:\temp>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  1.2.245.105
  2     *        *        *     Request timed out.
  3   129 ms   133 ms   127 ms  94.195.96.17

Open in new window


from inside I can ping the .106 address

from inside I cannot ping the .105 address

If I use the ASA packet tracer, it can get to the .106 address

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.106 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:
Dynamic translate 192.168.30.3/8080 to 1.2.245.110/8080

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 996698, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: allow

Open in new window


but it can't get to the .105 address

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.105 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Open in new window


To say I'm confused by the "no route to host" is putting it mildly...

sanitized config as per the attached.
5505cleaned.txt
0
Comment
Question by:ArneLovius
  • 6
  • 6
12 Comments
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39184029
You subnet mask is incorrect

With 255.255.255.248 mask your ip address on the ASA and on the ADSL modem are in different subnets

With this subnet mask you have 2 separate subnets

1. 1.2.245.0 - 1.2.245.7, where .0 and .7 are network and broadcast addresses, they can not be assigned

2. 1.2.245.8 - 1.2.245.15, where .8 and .15 are network and broadcast addresses, they can not be assigned

This is why it says you have no route to the ADSL modem

I would suggest changing the subnet mask on ASA to 255.255.255.240
0
 
LVL 36

Author Comment

by:ArneLovius
ID: 39184368
I think you have misread the config, possibly mistaking .105 for .005

If the subnet mask was incorrect, I would not be able to traceroute over the ASA, neither would I be able to ping each of the addresses from the ASA.

Just for clarification, it is an ADSL router, not an ADSL modem.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39184375
no mistake here, your asa outside interface and adsl router are in different aubnets
0
 
LVL 36

Author Comment

by:ArneLovius
ID: 39184418
The ADSL router is on 1.2.245.105
The ASA is 1.2.245.110

With a 255.255.255.248 subnet mask (a /29) the network address is 1.2.245.104 and the broadcast is 1.2.245.111

Rather than explain further, here is an online subnet calculator which demonstrates

http://jodies.de/ipcalc?host=1.2.245.110&mask1=29&mask2=
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187147
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187161
By the way, I think you should be calculating like this:

http://jodies.de/ipcalc?host=1.2.245.0&mask1=29&mask2=
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187164
Can you post your config btw
0
 
LVL 36

Author Comment

by:ArneLovius
ID: 39187269
As per my initial post, the config is attached to the first post.

My subnet mask is correct, as per the link I provided in 39184418
Address:   1.2.245.105           00000001.00000010.11110101.01101 001
Netmask:   255.255.255.248 = 29  11111111.11111111.11111111.11111 000
Network:   1.2.245.104/29        00000001.00000010.11110101.01101 000
Broadcast: 1.2.245.111           00000001.00000010.11110101.01101 111
HostMin:   1.2.245.105           00000001.00000010.11110101.01101 001
HostMax:   1.2.245.110           00000001.00000010.11110101.01101 110

Open in new window

105 and 110 are in the same subnet when used with 255.255.255.248

This is NOT a subnet mask issue.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187376
You config looks good to me
0
 
LVL 36

Author Comment

by:ArneLovius
ID: 39188185
I'm aware that the config looks good, I'm trying to find out why I'm experiencing this issue, and how to resolve it...
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 0 total points
ID: 39204125
There was an error in the config, the NAT ordering needed changing

nat (inside,ISP) 3 source dynamic PR-30 interface destination static BeBox BeBox

Open in new window

0
 
LVL 36

Author Closing Comment

by:ArneLovius
ID: 39215594
With the addition of the specific NAT rule that uses the interface prior to the general NAT rule that uses a different address on the ASA, traffic can flow using the interface to the router address.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

Suggested Solutions

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now