Routing failed to locate next hop

Answered Question
Jan 24th, 2009

Hello All,

When trying to access my web server inside the DMZ I'm getting the following message in the syslog and the connection fails:

Routing failed to locate next hop for TCP from outside:174.39.117.157/1341 to dmz:97.166.121.101/80

Appreciate any help with this.....
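An added example, not code from the thread: a small Python parser for the two ASA message shapes quoted in this discussion (the "Routing failed to locate next hop" text above and the 106015 "Deny TCP (no connection)" line that appears further down), with a defender-side triage hint per event. The sample lines are constructed from the quoted messages, plus one constructed syslog-format line to show the SYN case; the only message ID assumed is the 106015 already on the page, and the source address 198.51.100.7 in the extra line is a documentation address.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the two messages quoted in this thread
# (ASDM log-viewer format for the 106015 line, bare message text for the other).
SAMPLE_LINES = [
    "Routing failed to locate next hop for TCP from outside:174.39.117.157/1341 "
    "to dmz:97.166.121.101/80",
    "6 Jan 24 2009 16:32:36 106015 75.180.132.77 98.122.121.101 Deny TCP (no connection) "
    "from 75.180.132.77/110 to 98.122.121.101/1502 flags RST ACK on interface outside",
    # constructed: same message as a syslog server would store it, with a bare SYN
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/3389 "
    "to 98.122.121.101/443 flags SYN on interface outside",
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

ROUTE_RE = re.compile(
    rf"Routing failed to locate next hop for (?P<proto>\w+) "
    rf"from (?P<src_ifc>\w+):(?P<src_ip>{IP})/(?P<src_port>\d+) "
    rf"to (?P<dst_ifc>\w+):(?P<dst_ip>{IP})/(?P<dst_port>\d+)"
)
DENY_RE = re.compile(
    rf"Deny (?P<proto>\w+) \(no connection\) "
    rf"from (?P<src_ip>{IP})/(?P<src_port>\d+) to (?P<dst_ip>{IP})/(?P<dst_port>\d+) "
    rf"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\w+)"
)
# six-digit message number, either as %ASA-n-NNNNNN or as the bare ASDM column
MSGID_RE = re.compile(r"(?:%ASA-\d-)?\b(\d{6})\b")


@dataclass
class AsaEvent:
    kind: str                      # "route_failure" or "deny_no_conn"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_ifc: Optional[str] = None  # interface the packet arrived on
    dst_ifc: Optional[str] = None  # egress interface the ASA picked (route message only)
    flags: Tuple[str, ...] = ()
    msgid: Optional[str] = None


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Return a structured event for the two message types handled here, else None."""
    m = ROUTE_RE.search(line)
    if m:
        return AsaEvent("route_failure", m["proto"], m["src_ip"], int(m["src_port"]),
                        m["dst_ip"], int(m["dst_port"]),
                        src_ifc=m["src_ifc"], dst_ifc=m["dst_ifc"])
    m = DENY_RE.search(line)
    if m:
        mid = MSGID_RE.search(line)
        return AsaEvent("deny_no_conn", m["proto"], m["src_ip"], int(m["src_port"]),
                        m["dst_ip"], int(m["dst_port"]),
                        src_ifc=m["ifc"], flags=tuple(m["flags"].split()),
                        msgid=mid.group(1) if mid else None)
    return None


def triage(ev: AsaEvent) -> str:
    """Generic defender-side reading of each event (not specific to the poster's box)."""
    if ev.kind == "route_failure":
        return (f"no next hop for {ev.proto} {ev.src_ip}:{ev.src_port} -> "
                f"{ev.dst_ip}:{ev.dst_port} via '{ev.dst_ifc}': the firewall has no usable "
                f"route for {ev.dst_ip} out of that interface; check the route table and "
                "the translation for that host")
    if "SYN" in ev.flags and "ACK" not in ev.flags:
        return (f"unsolicited SYN on '{ev.src_ifc}' with no matching connection or "
                "translation: the expected drop for an untranslated port; count per source")
    if "RST" in ev.flags:
        return ("late RST for a connection the firewall has already torn down: "
                "informational, usually benign")
    return "packet without a matching connection: look for asymmetric routing or stale state"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count parsed events per kind; lines this parser does not know land under 'other'."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_asa_line(line)
        key = ev.kind if ev else "other"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_asa_line(line)
        print(ev.kind if ev else "other", "|", triage(ev) if ev else line)
    print(summarize(SAMPLE_LINES))
```

Run as-is it prints one triage line per sample and the per-kind counts. The RST/ACK case in the poster's 106015 line is the common one when a mail client's POP3 session is torn down by the firewall's idle timer before the server's final segments arrive, which is why the hint rates it informational rather than as a block to chase.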

Mohamed Sobair Sat, 01/24/2009 - 08:16

What is your IOS software version and release?

I am not exactly sure prior to which version, but in some software releases you should add static routes for the hosted web server in the DMZ pointed to the DMZ interface, besides of course having your NAT correctly configured with the appropriate interface access-list to permit the traffic from outside to DMZ.

HTH

Mohamed

Correct Answer
Tshi M Sat, 01/24/2009 - 08:37

could you please post relevant config?

vbdotnetman Sat, 01/24/2009 - 14:19

I was able to fix that prior problem but maybe you can help with this one.

If I use Outlook to send or receive email from the inside VLAN through the outside VLAN I get the following syslog message:

6 Jan 24 2009 16:32:36 106015 75.180.132.77 98.122.121.101 Deny TCP (no connection) from 75.180.132.77/110 to xx.yyy.121.101/1502 flags RST ACK on interface outside

xx.yyy.121.101 is my outside IP address.

75.180.132.77 is the Roadrunner mail provider which I send mail through.

If I send mail from outside it is received by my mail server in the DMZ VLAN.

My Config:

ciscoasa> ena
Password:
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name my.domain.com
enable password *** Removed by me *** encrypted
passwd *** Removed by me *** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name my.domain.com
access-list outside_access_in extended permit tcp any host xx.yyy.121.101
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.8.2 98.122.121.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.yyy.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*** Removed by me ***
: end


Thanks in advance.....
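As an added example (my code, not the poster's or Cisco's), here is a small audit script for the 7.2-style `static` / `access-list` / `access-group` lines in the config above. It works out which ports the outside interface actually translates into the DMZ and flags ACL entries that permit more than that, which is the least-privilege point a reviewer would raise about `permit tcp any host ...` with no port qualifier. The config excerpt is constructed from the post, with the redacted outside address (xx.yyy.121.101) replaced by the documentation address 198.51.100.10; the `PORT_NAMES` table covers only the Cisco port keywords needed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cisco port keywords used in the posted config (the ASA accepts names or numbers).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "ssh": 22, "telnet": 23, "ftp": 21, "domain": 53}

# Constructed excerpt modelled on the config posted above; the redacted outside
# address is stood in for by the documentation address 198.51.100.10.
OUTSIDE_IP = "198.51.100.10"
SAMPLE_CONFIG = f"""
access-list outside_access_in extended permit tcp any host {OUTSIDE_IP}
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
"""


def port_num(tok: Optional[str]) -> Optional[int]:
    """Translate a port keyword or number; None stays None (no port qualifier)."""
    if tok is None:
        return None
    if tok.isdigit():
        return int(tok)
    return PORT_NAMES.get(tok)


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    proto: Optional[str]        # tcp/udp for port statics, None for one-to-one
    mapped_ip: str              # 'interface' means the mapped interface's own address
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]     # None = any destination port


def parse_static(line: str) -> Static:
    # static (REAL,MAPPED) [tcp|udp] MAPPED_IP [MPORT] REAL_IP [RPORT] netmask MASK
    t = line.split()
    real, mapped = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):
        proto, mip, mport, rip, rport = t[2], t[3], t[4], t[5], t[6]
    else:
        proto, mip, mport, rip, rport = None, t[2], None, t[3], None
    return Static(real, mapped, proto, mip, port_num(mport), rip, port_num(rport))


def _addr(t: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]} {t[i + 1]}", i + 2


def parse_acl(line: str) -> AclEntry:
    # access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]
    t = line.split()
    name, action, proto = t[1], t[3], t[4]
    src, i = _addr(t, 5)
    if i < len(t) and t[i] == "eq":      # source-port qualifier, not audited here
        i += 2
    dst, i = _addr(t, i)
    dport = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return AclEntry(name, action, proto, src, dst, dport)


def audit(config: str, interface_ips: Dict[str, str]) -> List[str]:
    """Compare what each inbound ACL permits with what the statics actually translate."""
    statics: List[Static] = []
    acls: List[AclEntry] = []
    groups: Dict[str, str] = {}          # interface -> ACL name bound inbound
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("static ("):
            statics.append(parse_static(line))
        elif line.startswith("access-list ") and " extended " in line:
            acls.append(parse_acl(line))
        elif line.startswith("access-group "):
            t = line.split()             # access-group NAME in interface IFC
            groups[t[4]] = t[1]
    findings: List[str] = []
    for ifc, acl_name in groups.items():
        ifc_ip = interface_ips.get(ifc)
        # ports reachable on this interface's own address via port statics
        exposed = sorted({s.mapped_port for s in statics
                          if s.mapped_ifc == ifc and s.mapped_port is not None
                          and s.mapped_ip in ("interface", ifc_ip)})
        for e in acls:
            if e.name != acl_name or e.action != "permit":
                continue
            if e.dst not in ("any", ifc_ip, "interface"):
                continue
            if e.dst_port is None:
                findings.append(f"{acl_name}: permits {e.proto} from {e.src} to {e.dst} "
                                f"on all ports; only {exposed} are translated, "
                                "so restrict the entry to those")
            elif e.dst_port not in exposed:
                findings.append(f"{acl_name}: permits port {e.dst_port} to {e.dst} "
                                "but no static translates it")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, {"outside": OUTSIDE_IP}):
        print(f)
```

On the excerpt the script reports one finding: the inbound ACL permits every TCP port to the outside address while only 25, 80 and 110 are translated. Under `nat-control` the untranslated ports are dropped anyway, so this is a least-privilege and clarity point rather than an open hole; one `eq` entry per translated service makes the intended exposure explicit and keeps a later static from being reachable by accident.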

Tshi M Sat, 01/24/2009 - 17:27

Is 98.122.121.101 your outside address? If so, I was able to access www, smtp and pop3.


regards,
