
110001: No route to

fredericmoitie
Level 1

Hello,

First time here, sorry for my English.

So I will explain my problem.

I have an IPsec VPN with 2 PIX 515s and a router at one of the sites.

lan_a-->Pix_a--ISP--Pix_b<--Lan_b<--router<--Lan_b2

Traffic between lan_a and lan_b: no problem.

Traffic between lan_b and lan_b2: no problem.

But traffic between lan_b2 and lan_a doesn't work.

I have an inside route on my pix_b.

But I see strange behaviour, because ping works,

but other traffic doesn't work. For example, when I try to telnet to port 25 in lan_a from lan_b2, I get an error in the pix_b log.

Can anyone help me?

Thanks


fredericmoitie
Level 1

Hello

More detail:

In the PIX log, I have an error

110001 no route to x.x.x.x from y.y.y.

x is in lan_b2

y is in lan_a

thanks

Which pix is this error message showing up on, is it pixb ?

If so can you

1) post output of "sh route" from pixb

AND

2) specify the IP subnet of lan_b2

Jon

Hello Jon

Thanks for your reply.

Yes, the error message is on pixb.

See sh route on pixb:

pixb# sh route

outside 0.0.0.0 0.0.0.0 217.108.xx.xx 1 OTHER static

DMZ 10.10.10.0 255.255.255.0 10.10.10.254 1 CONNECT static

inside 10.10.30.0 255.255.255.0 172.22.56.1 1 OTHER static

inside 172.22.56.0 255.255.255.0 172.22.56.8 1 CONNECT static

outside 217.108.xx.xx 255.255.255.240 217.108.xx.xx 1 CONNECT static

pixb#

Subnet of lanb_2 is 10.10.30.0/24

Subnet of lanb is 172.22.56.0/24

Subnet of lana (remote VPN) is 172.22.57.0/24

Error message is:

no route to 10.10.10.38 from 172.22.57.16

thanks

fred

Hello,

Someone help me, please.

Thanks

Frederic

Fred

Apologies for the delay in getting back to you.

Could you just clarify ie.

from your routing table -

inside 10.10.30.0 255.255.255.0 172.22.56.1 1 OTHER static

error message -

no route to 10.10.10.38 from 172.22.57.16

which is the correct subnet ie.

your route is for 10.10.30.x but the error message is about 10.10.10.x ?

Jon

Jon,

Oops, sorry, that was an error when I wrote this post.

The real error message is:

no route to 10.10.30.38 from 172.22.57.16

sorry,

thanks

Frederic
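The mismatch Jon asks about, and the corrected address above, can be checked with a longest-prefix-match lookup against the posted routing table. This is an added example, not part of any post in the thread; the function names are illustrative, and rows whose network address the poster masked with "xx" are skipped.

```python
import ipaddress

# "sh route" output from pixb as posted in the thread. Public addresses were
# masked with "xx" by the poster.
SH_ROUTE = """\
outside 0.0.0.0 0.0.0.0 217.108.xx.xx 1 OTHER static
DMZ 10.10.10.0 255.255.255.0 10.10.10.254 1 CONNECT static
inside 10.10.30.0 255.255.255.0 172.22.56.1 1 OTHER static
inside 172.22.56.0 255.255.255.0 172.22.56.8 1 CONNECT static
outside 217.108.xx.xx 255.255.255.240 217.108.xx.xx 1 CONNECT static
"""

def parse_routes(text):
    """Return (network, interface, gateway, kind) for each parseable row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        iface, net, mask, gateway, _metric, kind = fields[:6]
        try:
            network = ipaddress.ip_network(f"{net}/{mask}")
        except ValueError:
            continue  # network address masked by the poster, cannot match
        routes.append((network, iface, gateway, kind))
    return routes

def lookup(routes, address):
    """Longest-prefix match; returns the winning row or None."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

ROUTES = parse_routes(SH_ROUTE)

if __name__ == "__main__":
    # Addresses quoted in the thread: the mistyped destination, the corrected
    # destination, and the source on lan_a.
    for ip in ("10.10.10.38", "10.10.30.38", "172.22.57.16"):
        net, iface, gw, kind = lookup(ROUTES, ip)
        print(f"{ip:>14} -> {iface:<8} {str(net):<16} via {gw} ({kind})")
```
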

Fred

which device is 172.22.57.16 ?

Can you post configs of both firewalls ?

Jon

Hello

172.22.57.16 is a mail server.

In the attachment:

Config of firewall pix a

Config of firewall pix b

Config of router b

in the same file

"Conf Pix A, Pix B, Router B .txt"

and Network map

I have deleted all the information you don't need from the config (passwords, public IPs, etc.)

Many thanks for your help.

Frederic

Hello Jon,

Can you see my problem?

Thanks,

Frederic

Frederic

From pix b can you ping 10.10.30.38 ?

Jon

Jon,

Yes i can.

Pix_b# ping 10.10.30.38

10.10.30.38 response received -- 0ms

10.10.30.38 response received -- 0ms

10.10.30.38 response received -- 0ms

Pix_b#

and from pix_a too (that's strange)

Pix_a# ping inside 10.10.30.38

10.10.30.38 response received -- 40ms

10.10.30.38 response received -- 30ms

10.10.30.38 response received -- 40ms

Pix_a#

But when I want to make a telnet (for example) from 10.10.30.38 to 172.22.57.xx (Lan_a), it doesn't work.

I don't understand, because there is no ACL blocking this traffic, and the IP routes are OK.

Frederic

Frederic

Could you clarify. Are you trying to telnet to 172.22.57.x from 10.10.30.38 ?

If so there may be an issue with your config on pix b. You have this applied to your inside interface on pix b -

access-list inside_access_in permit ip 172.22.56.0 255.255.255.0 any

access-list inside_access_in permit ip 172.22.56.0 255.255.255.0 any

Is this a typo, as you have the same line twice? You will need the following line in that ACL as well

access-list inside_access_in permit ip 10.10.30.0 255.255.255.0 any

Jon

Jon,

Exactly, I try to telnet to 172.22.57.16 (it's a mail server) from 10.10.30.38.

Yes, it is a typo.

My real ACL is:

access-list inside_access_in permit ip All-Lan 255.255.255.0 any

object-group network All-Lan

network-object 172.22.56.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0

Frederic

Frederic

Can you run some tests -

1) From mail server 172.22.57.16 can you ping 10.10.30.38 ?

2) From 10.10.30.38 can you ping 172.22.57.16 ?

Jon
