Routing issue

SuburbanHealth
Level 1

When I try doing a packet trace from an inside IP to an outside IP it says that there isn't a route. Although, I do have the following line in my config:

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

xxx.xxx.xxx.xxx is the next hop to the outgoing router.

Thank you,

Travis

1 Accepted Solution


Hi Travis,

Ah okay, I see. Yes, the route will not show up in the routing table unless the interface is actually up. Once you plug a cable in to the outside interface and bring it up, that route will show up in the table and the packet-tracer will work as expected. Good catch.

-Mike


8 Replies

Hi Travis,

Can you sanitize and post the packet trace command you are using and its output? I'm not sure we really have enough information to go on to provide you with a very good answer.

-Mike

Actually, I was using the packet tracer in ASDM. I set the interface to inside, the packet type to TCP and the source/destination ports to 80. I set the source IP to an inside IP and the destination IP to an outside IP. When run, it says: No route to host.

If you have an equivalent command you would like me to try at the command line, please post it.

Thank you,

Travis

Hi Travis,

I tried this on an ASA but was unable to reproduce your results. I had the following config:

Outside interface IP = 1.1.1.1

Inside interface IP = 10.1.1.1

route outside 0 0 1.1.1.2 1

Then, I ran the following packet-tracer command:

packet-tracer input inside tcp 192.168.0.1 1024 2.2.2.2 80 detail

This worked fine and the packet was allowed. I then removed my default route and tried it again and the packet-tracer failed.

Try this command on your ASA and see if any strange lines jump out at you:

packet-tracer input inside tcp detail

If possible, sanitize that output and post it here. Also, take a look at the output of 'show route' and make sure that you can find an entry in that table that should match the packet you are tracing with.

-Mike

Here's the command output:

ciscoasa# packet-tracer input inside tcp 192.168.9.1 1024 2.2.2.2 80 detail

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: drop

Drop-reason: (no-route) No route to host

Here's what I get when I run show route:

Gateway of last resort is not set

Although I do have:

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1

do I need something else?

Thanks,

Travis

Hi Travis,

That is odd. My gateway of last resort shows as set. I tried adjusting it various ways but no matter what I tried, adding the 'route outside 0 0' command set my gateway of last resort.

In the output of 'show route', do you at least see something like:

S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.129, outside

Also, what version of code are you running?

-Mike

No, there are other static routes listed that I have set up, but not the default. I am running the latest 8.0.4.

And just to be clear, there isn't a cable plugged in to the outside port. I'm assuming that it shouldn't matter, but am starting to wonder if it has to be plugged in for the route to show up? Unfortunately, the firewall is at a remote location, so it will be a week or so before I will be up there again.

Thank you,

Travis

Hi Travis,

Ah okay, I see. Yes, the route will not show up in the routing table unless the interface is actually up. Once you plug a cable in to the outside interface and bring it up, that route will show up in the table and the packet-tracer will work as expected. Good catch.

-Mike

ok, good to know.

Thank you for your help on this.

-- Travis
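
The following is an added example, not part of the thread and not Cisco tooling: a Python check that compares the `route` statements in a configuration against the static entries in `show route` and reports any that are configured but not installed, which is the condition the thread ran into with the outside interface down. The sample config, routing table, the `192.0.2.129` next hop and the `LINK_UP` map are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on the lines quoted in the thread;
# 192.0.2.129 is a placeholder for the masked next hop.
RUNNING_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.129 1
route inside 10.20.0.0 255.255.0.0 10.1.1.254 1
"""
SHOW_ROUTE = """\
Gateway of last resort is not set

S    10.20.0.0 255.255.0.0 [1/0] via 10.1.1.254, inside
C    10.1.1.0 255.255.255.0 is directly connected, inside
"""
# Assumed link state per interface name, supplied by the caller (hypothetical input).
LINK_UP = {"inside": True, "outside": False}

CFG_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?", re.M)
RIB_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)", re.M)

def norm(addr):
    # The thread uses "0" as shorthand for 0.0.0.0 ("route outside 0 0 ...").
    return "0.0.0.0" if addr == "0" else addr

def configured_routes(config):
    return {(m[1], norm(m[2]), norm(m[3]), m[4]) for m in CFG_RE.finditer(config)}

def installed_routes(show_route):
    return {(m[4], m[1], m[2], m[3]) for m in RIB_RE.finditer(show_route)}

def missing_routes(config, show_route, link_up):
    """Return (route, reason) for each configured static route absent from the table."""
    findings = []
    for route in sorted(configured_routes(config) - installed_routes(show_route)):
        ifc = route[0]
        if not link_up.get(ifc, False):
            reason = f"interface {ifc} is down"
        else:
            reason = "interface is up; cause not determined"
        findings.append((route, reason))
    return findings

if __name__ == "__main__":
    for route, reason in missing_routes(RUNNING_CONFIG, SHOW_ROUTE, LINK_UP):
        print("not installed:", " ".join(route), "->", reason)
```

Each route is reported as an (interface, network, mask, next hop) tuple, so a default route that is configured but absent from the table shows up before a packet-tracer run fails with `no-route`.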
