topic Re: FPR1010 Drop-reason: (no-route) No route to host in Network Security

FPR1010 Drop-reason: (no-route) No route to host

Anoudeth — Fri, 16 Jun 2023 09:29:16 GMT

I'm a beginner to the firewall configuration using a new FPR 1010. I can't make inside network connect to the internet, except I can ping the ISP gateway ! Is this mean ingress is being blocked?

Attempting TCP_Bypass always failed deployment with these warnings.

WARNING: Pool (0.0.0.0) overlap with existing pool.
WARNING: Pool (0.0.0.0) overlap with existing pool.
WARNING: All traffic destined to the IP address of the outside interface is being redirected
WARNING: Users may not be able to access any service enabled on the outside interface
WARNING: Pool (0.0.0.0) overlap with existing pool.

Here is packet-tracer https bypass cmd result. Is there any common policy that block by default? Am I missed something?

firepower# packet-tracer input inside tcp 10.10.10.1 https 20X.XXX.XXX.XXX https bypass-checks

Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000056082f3d9311 flow (NA)/NA

I will post show running-config later.

Re: FPR1010 Drop-reason: (no-route) No route to host

MHM Cisco World — Fri, 16 Jun 2023 09:51:06 GMT

you need o NATing from private to public IP.

You need defualt route also

Re: FPR1010 Drop-reason: (no-route) No route to host

Anoudeth — Tue, 20 Jun 2023 06:14:57 GMT

Thank you for your guidance. It turns out that it is the NAT. The issue is resolved. Here is what I did, just want to share with other beginners.

NAT Rule (Before Auto) - MANUAL STATIC
inside > outside

Original Source Address: dmz-network-192.168.1.0-30
Original Destination Address: any-ipv4
Translated Source Address: Interface
Translated Destination Address: any-ipv4

For Routing: Static Routing

Network 192.168.2.0/30 - Gateway: 192.168.1.1 (And this 192.168.1.1 will be the WAN of the router)
Network 0.0.0.0/24 - Gateway: 2XX.XXX.XXX.241 (gateway provided by ISP)

Interfaces on the Firewall:

Outside Interface: 2XX.XXX.XXX.246 (IP provided by ISP)
Inside (DMZ) Interface: 192.168.1.2