Cisco Systems pix no route to host, but there is a route

Posted by Karnov on February 2, 2006, 11:08 am
Hi all,

I've got a PIX 506e which has the following config:

PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname chqpix
domain-name example.com
names
name 192.168.4.0 mitelnet
name 10.20.6.0 globixnet
name 10.0.2.0 chqnet
object-group service web tcp
description HTTP and HTTPS
port-object eq www
port-object eq https
access-list inside_outbound_nat0_acl permit ip chqnet 255.255.255.0 globixnet 255.255.255.0
access-list inside_outbound_nat0_acl permit ip mitelnet 255.255.255.0 globixnet 255.255.255.0
access-list outside_cryptomap_20 permit ip chqnet 255.255.255.0 globixnet 255.255.255.0
access-list outside_cryptomap_20 permit ip mitelnet 255.255.255.0 globixnet 255.255.255.0
access-list outside_access_in permit tcp any host 1.1.25.227 object-group web
access-list outside_access_in permit icmp any any
mtu outside 1500
mtu inside 1500
ip address outside 1.1.202.218 255.255.255.252
ip address inside 10.0.2.2 255.255.255.0
ip verify reverse-path interface outside
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.1.25.227 10.0.2.11 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.25.226 10.0.2.50 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.202.217 1
route inside mitelnet 255.255.255.0 10.0.2.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1.1.152.18
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.152.18 netmask 255.255.255.255 no-xauth
isakmp keepalive 60 10
isakmp nat-traversal 15
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 5
isakmp policy 60 lifetime 86400

chqpix# show route
outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT static

There's clearly a static route for 192.168.4.0 255.255.255.0 to 10.0.2.1.

The problem is, if I try to connect from 10.0.2.0/24 (chqnet) to 192.168.4.0 I
get a no route to host error on the PIX:

110001: No route to 192.168.4.2 from 10.0.2.23

But I can connect from the outside VPN 10.20.6.0/24 (globixnet) to 192.168.4.0.

Does anyone see why this could be happening?

thanks
Karnov


Posted by Andrey Tarasov on February 2, 2006, 12:50 pm
Hello, Karnov!
You wrote on 2 Feb 2006 08:08:57 -0800:

K> chqpix# show route
K> outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
K> inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
K> inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
K> outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT static

K> There's clearly a static route for 192.168.4.0 255.255.255.0 to
K> 10.0.2.1.

K> The problem is, if I try to connect from 10.0.2.0/24 (chqnet) to
K> 192.168.4.0 I get a no route to host error on the PIX:

K> 110001: No route to 192.168.4.2 from 10.0.2.23

K> But I can connect from the outside VPN 10.20.6.0/24 (globixnet) to
K> 192.168.4.0.

K> Does anyone see why this could be happening?

PIX is not a router. Traffic has to cross the PIX from one interface to another. In
your case traffic is entering on the inside interface and is supposed to exit on the
same inside interface. Can't do.

With best regards,
Andrey.


Posted by Karnov on February 2, 2006, 2:41 pm
>
>Hello, Karnov!
>You wrote on 2 Feb 2006 08:08:57 -0800:
>
> K> chqpix# show route
> K> outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
> K> inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
> K> inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
> K> outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT static
>
> K> There's clearly a static route for 192.168.4.0 255.255.255.0 to
> K> 10.0.2.1.
>
> K> The problem is, if I try to connect from 10.0.2.0/24 (chqnet) to
> K> 192.168.4.0 I get a no route to host error on the PIX:
>
> K> 110001: No route to 192.168.4.2 from 10.0.2.23
>
> K> But I can connect from the outside VPN 10.20.6.0/24 (globixnet) to
> K> 192.168.4.0.
>
> K> Does anyone see why this could be happening?
>
>PIX is not a router. Traffic has to cross the PIX from one interface to another. In
>your case traffic is entering on the inside interface and is supposed to exit on the
>same inside interface. Can't do.

Andrey,

Thanks for your input, but I forgot to add that this did work yesterday, and
among some config changes it no longer works. I'm not asking the PIX to route,
I'm asking it to do an ICMP redirect to tell clients to connect to 10.0.2.1 to
talk to 192.168.4.0.

Karnov


Posted by Walter Roberson on February 2, 2006, 4:03 pm
>I'm not asking the PIX to route,
>I'm asking it to do an ICMP redirect to tell clients to connect to 10.0.2.1 to
>talk to 192.168.4.0.

PIX 6.x never does ICMP redirects. PIX 6 is specifically designed to
drop all traffic except that which is directed to the PIX itself and
that which traverses between interfaces with different security levels.
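The two replies above describe the cause of the 110001 message: the destination route points back out the interface the packet arrived on, which PIX 6.x will not forward. The following triage helper is an added example (not from any poster in the thread): it parses the `show route` text and a `110001: No route to X from Y` log line, does a longest-prefix lookup for both addresses, and labels the drop as a same-interface hairpin rather than a genuinely missing route. The sample route table and log line are constructed from the thread's own values; using the source address's route as a stand-in for the ingress interface is an assumption of this example.

```python
"""Triage PIX 6.x '110001: No route to X from Y' syslog lines."""
import ipaddress
import re

# Constructed sample input, mirroring the 'show route' output in the thread.
# The PIX prints 'names' aliases, so they are resolved before parsing.
NAMES = {"mitelnet": "192.168.4.0", "chqnet": "10.0.2.0", "globixnet": "10.20.6.0"}
SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 1.1.202.217 1 OTHER static
inside chqnet 255.255.255.0 10.0.2.2 1 CONNECT static
inside mitelnet 255.255.255.0 10.0.2.1 1 OTHER static
outside 1.1.202.216 255.255.255.252 1.1.202.218 1 CONNECT static
"""
LOG_RE = re.compile(r"110001: No route to (\S+) from (\S+)")


def parse_routes(text, names=NAMES):
    """Return [(network, interface, next_hop)] from 'show route' output."""
    routes = []
    for line in text.splitlines():
        ifc, dst, mask, gw, *_ = line.split()
        net = ipaddress.ip_network(f"{names.get(dst, dst)}/{mask}", strict=False)
        routes.append((net, ifc, gw))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; returns (interface, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return (best[1], best[2]) if best else None


def triage_110001(log_line, routes):
    """Classify a 110001 drop as 'hairpin', 'missing-route' or 'cross-interface'."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    dst, src = m.groups()
    dst_hit = lookup(routes, dst)
    # Assumption: the source's route approximates the ingress interface
    # (the PIX's own check uses the interface the packet arrived on).
    src_hit = lookup(routes, src)
    if dst_hit is None:
        return "missing-route"      # the table really has no route for dst
    if src_hit and src_hit[0] == dst_hit[0]:
        return "hairpin"            # in and out on the same interface: PIX 6.x drops it
    return "cross-interface"
```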

