Cisco Support Community

New Member

ASA Routing


I have a few public facing interfaces on an ASA and have found that when a connection comes in through an interface that isn't the default route for the ASA, I get an error stating that no route to x.x.x.x from x.x.x.x (interface).

When I add in a static route on the ASA to the destination and route it out over the public interface the traffic came in on, the connections work.

I don't want to go down the road of static routes and know this works on other firewalls.

I have come across "trombone" to force traffic back out the same interface it came in on and would really appreciate some help with this.

I have an ASA 5510 7.2


Re: ASA Routing

Is the following command enabled:

ip verify reverse-path

it's disabled by default.

Re: ASA Routing

Is it possible to route the return traffic coming from an interface, say management 0/0, back via the same interface without applying a route?


inside ip

mgmt ip is

default inside route is via INSIDE interface

route inside 192.168..1

I want packets that come to the management interface to go back via the management interface.

(This is for management traffic.)

New Member

Re: ASA Routing

Answering Anand's question above, it is not possible to route back the same interface if route is missing. Correct routing rules still need to be present. However, it's a different thing if the destination IP address is on directly connected interface.


Coming to the original issue, do you get the syslog message "110001"? If this is the case, then it simply means that you are missing route for the destination network.

Does it happen for all the traffic (except the traffic that enters the default route interface)? I don't think that would be the case.

Could you please confirm if you are trying to do "u-turning" on ASA meaning that traffic needs to enter and exit the same interface? If that's the case, we need to have correct nat/global/static/route statements along with the command "same-security-traffic permit intra-interface"

New Member

Re: ASA Routing

HI Thanks for the response.

It happens when ftp traffic is coming in-bound and the same for rdp over the extra public interface. I also tried ssl and it comes up with the no route error.

It looks like u-turning will only work to get the ftp and rdp established and they only worked when I added in the static routes back to the sites that were coming in over the interface.

I am using pat from the internal to the outside and my static translations work when the routes are added in. I already have the same-security-traffic permit.

I will check out the logging message tomorrow.

On the previous Sonicwall you could add in default gateways per interface so when traffic came in that interface it knew to send responses back out to the gateway you had set on the interface.

The routing table on the Sonicwall had a secondary default gateway and handled the traffic that way.

New Member

Re: ASA Routing

I am still not 100% clear on what exactly we are trying to do, but let me give you an example of what is needed on PIX if we need to do u-turning:


In the above diagram, network directly connected to PIX is and network behind the inside router is Default Gateway for is - PIX's inside interface needs to access

Here are the commands we need to put on PIX in such case:

route inside

nat (inside) 1 0 0

global (inside) 1 interface

static (inside,inside) netmask

same-security-traffic permit intra-interface

However, even with above commands, u-turning will work only one-way i.e will be able to initiate communication to but will not be able to initiate communication to

I hope that helps..
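The configuration above lost its addresses in extraction. The following is an added example, not from the thread or from any poster, that fills in the same u-turn pattern with hypothetical addressing (10.1.1.0/24 on the inside interface, an inside router at 10.1.1.254 fronting 10.2.2.0/24) and adds the checks a practitioner would run on ASA 7.2 to confirm the route is present, consistent with the posts that say a correct route is still required:

```text
! Added example (not from the thread). Hypothetical addressing:
!   ASA inside interface 10.1.1.1/24 (default gateway of the LAN hosts)
!   inside router        10.1.1.254, with 10.2.2.0/24 behind it
!   host 10.1.1.50 needs to reach 10.2.2.50; both hairpin through inside
!
! 1. A route to the network behind the inside router, out the inside
!    interface. Without it the ASA logs 110001 "No route to ..." and drops.
route inside 10.2.2.0 255.255.255.0 10.1.1.254 1
!
! 2. Let a packet leave the interface it arrived on (off by default).
same-security-traffic permit intra-interface
!
! 3. PAT inside sources to the inside interface address so the router
!    returns replies to the ASA rather than straight to the host.
!    This is what makes the u-turn one-way: 10.2.2.x cannot initiate
!    to 10.1.1.x because those hosts are hidden behind the PAT.
nat (inside) 1 0 0
global (inside) 1 interface
!
! 4. Identity static for the far network for the inside-to-inside path
!    (assumed to be what the truncated "static (inside,inside)" line was).
static (inside,inside) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
!
! 5. Verification from the ASA CLI:
!    show route                        10.2.2.0/24 via 10.1.1.254, inside
!    show logging | include 110001     any hit means step 1 is missing
!    packet-tracer input inside tcp 10.1.1.50 1025 10.2.2.50 80
```

The packet-tracer output should show the route lookup selecting the inside interface and the NAT phase translating the source to the interface address; if the trace stops at the route phase, the static route in step 1 is absent or points out the wrong interface.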

New Member

Re: ASA Routing

If you have an inside router you don't need to do all that. The default gateway for any host in should be the inside router, then in the inside router you will have a default route pointing to the PIX inside interface. In the PIX you will have a route for network pointing to. No NAT for inside hosts.

New Member

Re: ASA Routing

rigoberto is correct above and that would be a better option (to change the default gateway to router). However, there can be cases where customer does not have the option of changing the default gateway to point it to the router if it's a big inside network. If that's the case (i.e the default gateway for inside network has to be PIX), then we need the above mentioned commands. Also, make sure you are running code 7.2.1 or above on ASA, otherwise, u-turning for clear-text traffic will not work.

Re: ASA Routing

I already have an inside router. IP is

the default route inside is pointing to

The inside ip

The mgmt ip is

But the issue is I have other networks inside ...

like,, etc

When I try to access the management IP network, the outgoing packet hits the management directly via my LAN router. But the return packet tries to come via the inside interface due to the default

route inside ..

I want the return packet for management traffic alone from etc. to come back via the management interface. Is this possible?

If I try to access the management interface from my LAN

New Member

Re: ASA Routing

You have more or less the same issue as me... the ASA will send traffic out its default gateway when it doesn't know a route to the destination, which is fair enough, but not great when the likes of Sonicwall give you the option to put a gateway on an interface, and that would solve both our problems.

When your management PC connects to the management interface, the default route on the interface would send the reply back to wherever you specify.

There has to be some way of doing this on the ASA?