FPR1010 Drop-reason: (no-route) No route to host

Anoudeth
Level 1

I'm a beginner at firewall configuration, using a new FPR 1010. I can't get the inside network to connect to the internet, though I can ping the ISP gateway! Does this mean ingress is being blocked?

Attempting TCP_Bypass always fails deployment with these warnings.

WARNING: Pool (0.0.0.0) overlap with existing pool.
WARNING: Pool (0.0.0.0) overlap with existing pool.
WARNING: All traffic destined to the IP address of the outside interface is being redirected
WARNING: Users may not be able to access any service enabled on the outside interface
WARNING: Pool (0.0.0.0) overlap with existing pool.

Here is the packet-tracer https bypass command result. Is there any common policy that blocks by default? Am I missing something?

firepower# packet-tracer input inside tcp 10.10.10.1 https 20X.XXX.XXX.XXX https bypass-checks

Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000056082f3d9311 flow (NA)/NA

I will post show running-config later.

2 Accepted Solutions

You need to do NATing from private to public IP.

You need a default route also.

Thank you for your guidance. It turns out that it is the NAT. The issue is resolved. Here is what I did, just want to share with other beginners.

NAT Rule (Before Auto) - MANUAL STATIC
inside > outside

Original Source Address: dmz-network-192.168.1.0-30
Original Destination Address: any-ipv4
Translated Source Address: Interface
Translated Destination Address: any-ipv4

For Routing: Static Routing 

Network 192.168.2.0/30 - Gateway: 192.168.1.1 (And this 192.168.1.1 will be the WAN of the router)
Network 0.0.0.0/24 - Gateway: 2XX.XXX.XXX.241 (gateway provided by ISP)

Interfaces on the Firewall:

Outside Interface: 2XX.XXX.XXX.246 (IP provided by ISP)
Inside (DMZ) Interface: 192.168.1.2

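The two accepted answers above (NAT from private to public, plus a default route) map directly onto the `(no-route)` drop in the packet-tracer output: the firewall can reach the ISP gateway because that address sits on the directly connected outside subnet, but any internet destination has no matching entry until a default route exists, and even then the private source must be translated to the outside interface address on egress. The following is an added example, not code from the thread or from Cisco, that models those two lookups (longest-prefix-match routing and a source NAT rule) in Python. The ISP addresses are masked in the thread, so the constants below are constructed stand-ins from the RFC 5737 documentation range, and the /29 mask on the outside interface is an assumption.

```python
"""Model of the route lookup and source NAT that decide whether a packet from
the inside network leaves the firewall.  Added example; addresses marked
'constructed' are stand-ins for the thread's masked ISP addresses."""
from ipaddress import ip_address, ip_network

# Constructed stand-ins (RFC 5737 range) for the thread's 2XX.XXX.XXX.241/.246.
ISP_GATEWAY = "203.0.113.241"
OUTSIDE_IP = "203.0.113.246"

# Routing table entries: (prefix, next-hop or None if directly connected, egress interface)
CONNECTED_ROUTES = [
    ("192.168.1.0/30", None, "inside"),      # inside/DMZ interface 192.168.1.2 (from the thread)
    ("203.0.113.240/29", None, "outside"),   # outside interface; /29 mask is assumed
]
DEFAULT_ROUTE = ("0.0.0.0/0", ISP_GATEWAY, "outside")

# Source NAT rules: (original source network, ingress, egress, translated source)
NAT_RULES = [
    ("192.168.1.0/30", "inside", "outside", OUTSIDE_IP),
]


def lookup(table, dst):
    """Longest-prefix-match: return (prefix, next_hop, interface) or None."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop, ifc in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, next_hop, ifc)
    return best


def nat_source(src, ingress, egress, rules):
    """Rewrite the source address if a rule matches the interface pair and source net."""
    s = ip_address(src)
    for net, rule_in, rule_out, translated in rules:
        if (rule_in, rule_out) == (ingress, egress) and s in ip_network(net):
            return translated
    return src


def forward(src, dst, table, rules, ingress="inside"):
    """Return a packet-tracer style verdict string for a packet src -> dst."""
    route = lookup(table, dst)
    if route is None:
        # This is the thread's outcome with no default route configured.
        return "drop (no-route) No route to host"
    prefix, next_hop, egress = route
    new_src = nat_source(src, ingress, egress, rules)
    return (f"allow via {egress} to {next_hop or 'connected'} "
            f"(matched {prefix}, src {src} -> {new_src})")


if __name__ == "__main__":
    # Without a default route: the ISP gateway is reachable, the internet is not.
    print(forward("192.168.1.1", ISP_GATEWAY, CONNECTED_ROUTES, NAT_RULES))
    print(forward("192.168.1.1", "198.51.100.10", CONNECTED_ROUTES, NAT_RULES))
    # With the default route and NAT rule from the accepted solution.
    print(forward("192.168.1.1", "198.51.100.10", CONNECTED_ROUTES + [DEFAULT_ROUTE], NAT_RULES))
```

Running the block shows the three states in order: the gateway ping succeeds off the connected outside subnet, an internet destination is dropped with `no-route`, and once the default route is present the same packet leaves via outside with its source rewritten to the outside interface address, which is what the NAT rule with "Translated Source Address: Interface" achieves.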
