asked on

ASA 5505 NAT/Routing

Odd problem on an ASA 5505 running 9.1.1

outside interface address 1.2.245.110 255.255.255.248
internal interface address 192.168.30.1
default gateway 1.2.245.105

The default gateway is a "bonded" ADSL2+ router (Comtrend) on Bethere (UK ISP) it has a primary address of .105 and a secondary of .106

from the ASA I can ping both the .105 and the .106 addresses

from inside I can traceroute out over the ASA and the first hop seen is the .105 address

C:\temp>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  1.2.245.105
  2     *        *        *     Request timed out.
  3   129 ms   133 ms   127 ms  94.195.96.17

Open in new window

from inside I can ping the .106 address

from inside I cannot ping the .105 address

If I use the ASA packet tracer, it can get to the .106 address

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.106 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:
Dynamic translate 192.168.30.3/8080 to 1.2.245.110/8080

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,ISP) source dynamic PR-30 interface
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 996698, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: allow

Open in new window

but it can't get to the .105 address

asa5505# packet-tracer input inside tcp 192.168.30.3 8080 1.2.245.105 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.245.104   255.255.255.248 ISP

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Open in new window

To say I'm confused by the "no route to host" is putting it mildly...

sanitized config as per the attached.
5505cleaned.txt

fgasimzade

You subnet mask is incorrect

With 255.255.255.248 mask your ip address on the ASA and on the ADSL modem are in different subnets

With this subnet mask you have 2 separate subnets

1. 1.2.245.0 - 1.2.245.7, where .0 and .7 are network and broadcast addresses, they can not be assigned

2. 1.2.245.8 - 1.2.245.15, where .8 and .15 are network and broadcast addresses, they can not be assigned

This is why it says you have no route to the ADSL modem

I would suggest changing the subnet mask on ASA to 255.255.255.240

ArneLovius

ASKER

I think you have misread the config, possibly mistaking .105 for .005

If the subnet mask was incorrect, I would not be able to traceroute over the ASA, neither would I be able to ping each of the addresses from the ASA.

Just for clarification, it is an ADSL router, not an ADSL modem.

fgasimzade

no mistake here, your asa outside interface and adsl router are in different aubnets

ArneLovius

ASKER

The ADSL router is on 1.2.245.105
The ASA is 1.2.245.110

With a 255.255.255.248 subnet mask (a /29) the network address is 1.2.245.104 and the broadcast is 1.2.245.111

Rather than explain further, here is an online subnet calculator which demonstrates

http://jodies.de/ipcalc?host=1.2.245.110&mask1=29&mask2=

fgasimzade

Try this one

http://www.subnet-calculator.com/subnet.php?net_class=A

fgasimzade

By the way, I think you should be calculating like this:

http://jodies.de/ipcalc?host=1.2.245.0&mask1=29&mask2=

fgasimzade

Can you post your config btw

ArneLovius

ASKER

As per my initial post, the config is attached to the first post.

My subnet mask is correct, as per the link I provided in 39184418

Address:   1.2.245.105           00000001.00000010.11110101.01101 001
Netmask:   255.255.255.248 = 29  11111111.11111111.11111111.11111 000
Network:   1.2.245.104/29        00000001.00000010.11110101.01101 000
Broadcast: 1.2.245.111           00000001.00000010.11110101.01101 111
HostMin:   1.2.245.105           00000001.00000010.11110101.01101 001
HostMax:   1.2.245.110           00000001.00000010.11110101.01101 110

Open in new window

105 and 110 are in the same subnet when used with 255.255.255.248

This is NOT a subnet mask issue.

fgasimzade

You config looks good to me

ArneLovius

ASKER

I'm aware that the config looks good, I'm trying to find out why I'm experiencing this issue, and how to resolve it...

ASKER CERTIFIED SOLUTION

ArneLovius

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ArneLovius

ASKER

With the addition of the specific NAT rule that uses the interface prior to the general NAT rule that uses a different address on the ASA, traffic can flow using the interface to the router address.