https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818459#M979784 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P> The two internal ftp servers are:</P><P>172.16.5.182</P><P>172.16.5.112</P><P></P><P>They correspond to two nat'ed addresses on our outside PIX interface:</P><P>192.168.219.11</P><P>192.168.219.12</P><P></P><P>The two external hosts that need access to the ftp servers are:</P><P>192.168.219.19 needs access to 192.168.219.11</P><P>RTMWINCLITEST needs access to 192.168.219.12</P><P></P><P>The other side of the connection (at our vendor with addresses 192.168.219.19 and RTMWINCLITEST), does not permit echo-replies. </P><P></P><P>I'm using the static to map the external addresses to the two internal ftp servers. The two route commands were an attempt to correct the "no route error". However, I do realise the 192.168.219.11, 192.168.219.12 are on the same subnet as the outside interface on our PIX.</P><P></P><P>Strangely, the vendor can connect (establish and ftp session) once (to both the 192.168.219.11 and 192.168.219.12). The next session fails with the "no route" error. </P><P></P></BODY></HTML> Wed, 30 May 2007 15:06:24 GMT mhum 2007-05-30T15:06:24Z https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818457#M979782 <P>Hi,</P><P> I'm trying to setup a firewall rule on a Cisco PIX 506e (6.35) to permit inbound ftp traffic to two internal ftp servers. I can successfully connect once, and each subsequent connection produces a 110001 error code, "no route to..." message in the firewall logs. Here's the message in the log:</P><P>302013: Built inbound TCP connection 208 for outside:192.168.219.19/1065 (192.16</P><P>8.219.19/1065) to inside:172.16.5.182/21 (172.16.5.182/21)</P><P>110001: No route to 192.168.219.11 from 192.168.219.19</P><P></P><P>Here's the config</P><P></P><P>PIX Version 6.3(5)</P><P>interface ethernet0 auto</P><P>interface ethernet1 auto</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password xxxx</P><P>passwd xxxx</P><P>hostname xxxx</P><P>domain-name xxxx</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring 1 Sun Apr 2:00 4 Sun Oct 2:00</P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol tftp 69</P><P>names</P><P>name 192.168.8.0 </P><P>name 192.168.8.19 </P><P>name 192.168.219.20 RTMWINCLTEST</P><P></P><P></P><P>object-group service 6785-tcp tcp</P><P> port-object range 6785 6785</P><P></P><P>access-list acl_out permit tcp host 192.168.219.19 object-group 6785-tcp any object-group 6785-tcp</P><P>access-list acl_out permit tcp host RTMWINCLTEST object-group 6785-tcp any object-group 6785-tcp</P><P>access-list acl_out permit tcp host 192.168.219.19 host 192.168.219.11 eq ftp</P><P>access-list acl_out permit tcp host 192.168.219.19 host 192.168.219.11 eq ftp-data</P><P>access-list acl_out permit tcp host RTMWINCLTEST host 192.168.219.12 eq ftp</P><P>access-list acl_out permit tcp host RTMWINCLTEST host 192.168.219.12 eq ftp-data</P><P></P><P>pager lines 24</P><P>logging on</P><P>logging buffered debugging</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside 192.168.219.10 255.255.255.248</P><P>ip address inside 172.16.1.29 255.255.0.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm location 192.168.219.19 255.255.255.255 outside</P><P>pdm location RTMWINCLTEST 255.255.255.255 outside</P><P>pdm location 192.168.197.0 255.255.255.0 inside</P><P>pdm history enable</P><P>arp timeout 14400</P><P>nat (inside) 0 192.168.197.0 255.255.255.0 0 0</P><P>nat (inside) 0 172.16.0.0 255.255.0.0 0 0</P><P>static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0</P><P>access-group acl_out in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 192.168.219.9 1</P><P>route inside 192.168.197.0 255.255.255.0 172.16.1.4 1</P><P>route outside 192.168.219.11 255.255.255.255 192.168.219.10 1</P><P>route outside 192.168.219.12 255.255.255.255 192.168.219.10 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout sip-disconnect 0:02:00 sip-invite 0:03:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ max-failed-attempts 3</P><P>aaa-server TACACS+ deadtime 10</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server RADIUS max-failed-attempts 3</P><P>aaa-server RADIUS deadtime 10</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 172.16.0.0 255.255.0.0 inside</P><P>snmp-server host inside 172.16.33.96 poll</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community xxxxx</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>telnet 172.16.0.0 255.255.0.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>terminal width 80 </P> Mon, 11 Mar 2019 10:22:47 GMT https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818457#M979782 mhum 2019-03-11T10:22:47Z https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818458#M979783 <HTML><HEAD></HEAD><BODY><P>what do these commands accomplish for you?</P><P></P><P>route outside 192.168.219.11 255.255.255.255 192.168.219.10 1</P><P>route outside 192.168.219.12 255.255.255.255 192.168.219.10 1 </P><P>static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0 </P><P></P><P>you're pointing the firewall to take a specific route (or just the outside interface) for 192.168.219.11/192.168.219.12 but yet you're statically nat'ing them to the outside interface? take those route statements out and test it.</P><P></P><P>Also, to be sure, can you ping RTMWINCLTEST and 192.168.219.19 from the PIX in question?</P></BODY></HTML> Wed, 30 May 2007 14:22:08 GMT https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818458#M979783 srue 2007-05-30T14:22:08Z https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818459#M979784 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P> The two internal ftp servers are:</P><P>172.16.5.182</P><P>172.16.5.112</P><P></P><P>They correspond to two nat'ed addresses on our outside PIX interface:</P><P>192.168.219.11</P><P>192.168.219.12</P><P></P><P>The two external hosts that need access to the ftp servers are:</P><P>192.168.219.19 needs access to 192.168.219.11</P><P>RTMWINCLITEST needs access to 192.168.219.12</P><P></P><P>The other side of the connection (at our vendor with addresses 192.168.219.19 and RTMWINCLITEST), does not permit echo-replies. </P><P></P><P>I'm using the static to map the external addresses to the two internal ftp servers. The two route commands were an attempt to correct the "no route error". However, I do realise the 192.168.219.11, 192.168.219.12 are on the same subnet as the outside interface on our PIX.</P><P></P><P>Strangely, the vendor can connect (establish and ftp session) once (to both the 192.168.219.11 and 192.168.219.12). The next session fails with the "no route" error. </P><P></P></BODY></HTML> Wed, 30 May 2007 15:06:24 GMT https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818459#M979784 mhum 2007-05-30T15:06:24Z https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818460#M979785 <HTML><HEAD></HEAD><BODY><P>Someone mentioned to me that he read somewhere, that this was a very common error, and it was related to nat'ting? I'm baffled.</P></BODY></HTML> Thu, 31 May 2007 04:07:13 GMT https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818460#M979785 mhum 2007-05-31T04:07:13Z https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818461#M979786 <HTML><HEAD></HEAD><BODY><P>It was NAT vs STATIC order problem. I removed the NAT 0 (172.16.0.0) line and this solved the problem. The "no route to" error message in the PIX log is misleading, if taken literally. I should have read the Cisco PIX online docs describing the NAT, GLOBAL and STATIC commands.</P></BODY></HTML> Mon, 04 Jun 2007 14:44:45 GMT https://community.cisco.com/t5/network-security/no-route-to-error-message-cisco-pix/m-p/818461#M979786 mhum 2007-06-04T14:44:45Z