09-10-2008 11:46 AM - edited 03-11-2019 06:42 AM
When I try doing a packet trace from an inside IP to an outside IP it says that there isn't a route. Although, I do have the following line in my config:
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
xxx.xxx.xxx.xxx is the next hop to the outgoing router.
Thank you,
Travis
09-10-2008 12:49 PM
Hi Travis,
Can you sanitize and post the packet trace command you are using and its output? I'm not sure we really have enough information to go on to provide you with a very good answer.
-Mike
09-11-2008 04:30 AM
Actually, I was using the packet tracer in ASDM. I set the interface to inside, the packet type to TCP and the source/destination ports to 80. I set the source IP to an inside IP and the destination IP to an outside IP. When run, it says: No route to host.
If you have an equivalent command you would like me to try at the command line, please post it.
Thank you,
Travis
09-11-2008 12:42 PM
Hi Travis,
I tried this on an ASA but was unable to reproduce your results. I had the following config:
Outside interface IP = 1.1.1.1
Inside interface IP = 10.1.1.1
route outside 0 0 1.1.1.2 1
Then, I ran the following packet-tracer command:
packet-tracer input inside tcp 192.168.0.1 1024 2.2.2.2 80 detail
This worked fine and the packet was allowed. I then removed my default route and tried it again and the packet-tracer failed.
Try this command on your ASA and see if any strange lines jump out at you:
packet-tracer input inside tcp
If possible, sanitize that output and post it here. Also, take a look at the output of 'show route' and make sure that you can find an entry in that table that should match the packet you are tracing with.
-Mike
09-12-2008 04:24 AM
Here's the command output:
ciscoasa# packet-tracer input inside tcp 192.168.9.1 1024 2.2.2.2 80 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Here's what I get when I run show route:
Gateway of last resort is not set
Although I do have:
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
do I need something else?
Thanks,
Travis
09-12-2008 05:18 AM
Hi Travis,
That is odd. My gateway of last resort shows as set. I tried adjusting it various ways but no matter what I tried, adding the 'route outside 0 0' command set my gateway of last resort.
In the output of 'show route', do you at least see something like:
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.129, outside
Also, what version of code are you running?
-Mike
09-12-2008 05:29 AM
No, there are other static routes listed that I have set up, but not the default. I am running the latest 8.0.4.
And just to be clear there isn't a cable plugged in to the outside port. I'm assuming that it shouldn't matter, but am starting to wonder if it has to be plugged in for the route to show up? Unfortunately, the firewall is at a remote location, so it will be a week or so before I will be up there again.
Thank you,
Travis
09-12-2008 05:36 AM
Hi Travis,
Ah okay, I see. Yes, the route will not show up in the routing table unless the interface is actually up. Once you plug a cable in to the outside interface and bring it up, that route will show up in the table and the packet-tracer will work as expected. Good catch.
-Mike
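The check this thread arrives at, comparing the static routes in the configuration against what 'show route' actually installed, as an added example that is not part of the original posts. The sample text is constructed in the line formats quoted above with made-up addresses, and the function names are hypothetical.

```python
import re

# Constructed sample text in the formats quoted in the thread (addresses are made up).
RUNNING_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.129 1
route inside 10.20.0.0 255.255.0.0 192.168.9.254 1
"""
SHOW_ROUTE = """\
Gateway of last resort is not set
S    10.20.0.0 255.255.0.0 [1/0] via 192.168.9.254, inside
C    192.168.9.0 255.255.255.0 is directly connected, inside
"""
PACKET_TRACER = """\
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
"""

CFG_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.M)
TBL_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)", re.M)

def norm(addr):
    # "route outside 0 0 ..." (as used in the thread) is shorthand for 0.0.0.0 0.0.0.0.
    return "0.0.0.0" if addr == "0" else addr

def configured_routes(config):
    # Each entry is (interface, network, mask, gateway); the metric is ignored.
    return {(i, norm(n), norm(m), g) for i, n, m, g in CFG_RE.findall(config)}

def installed_routes(show_route):
    # Only static ("S" / "S*") entries are compared.
    return {(i, n, m, g) for n, m, g, i in TBL_RE.findall(show_route)}

def missing_routes(config, show_route):
    """Static routes present in the config but absent from the routing table."""
    return sorted(configured_routes(config) - installed_routes(show_route))

def diagnose(config, show_route, tracer):
    findings = []
    if re.search(r"^Drop-reason:\s+\(no-route\)", tracer, re.M):
        findings.append("packet-tracer dropped the packet: no route")
    for ifc, net, mask, gw in missing_routes(config, show_route):
        findings.append(f"route {net} {mask} via {gw} not installed; "
                        f"check link state of interface '{ifc}'")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(RUNNING_CONFIG, SHOW_ROUTE, PACKET_TRACER)))
```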
09-12-2008 05:38 AM
ok, good to know.
Thank you for your help on this.
-- Travis