No route to...error message, Cisco PIX

mhum
Level 1

Hi,

I'm trying to set up a firewall rule on a Cisco PIX 506e (6.35) to permit inbound ftp traffic to two internal ftp servers. I can successfully connect once, and each subsequent connection produces a 110001 error code, "no route to..." message in the firewall logs. Here's the message in the log:

302013: Built inbound TCP connection 208 for outside:192.168.219.19/1065 (192.168.219.19/1065) to inside:172.16.5.182/21 (172.16.5.182/21)
110001: No route to 192.168.219.11 from 192.168.219.19

Here's the config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname xxxx
domain-name xxxx
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 4 Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.8.0
name 192.168.8.19
name 192.168.219.20 RTMWINCLTEST
object-group service 6785-tcp tcp
port-object range 6785 6785
access-list acl_out permit tcp host 192.168.219.19 object-group 6785-tcp any object-group 6785-tcp
access-list acl_out permit tcp host RTMWINCLTEST object-group 6785-tcp any object-group 6785-tcp
access-list acl_out permit tcp host 192.168.219.19 host 192.168.219.11 eq ftp
access-list acl_out permit tcp host 192.168.219.19 host 192.168.219.11 eq ftp-data
access-list acl_out permit tcp host RTMWINCLTEST host 192.168.219.12 eq ftp
access-list acl_out permit tcp host RTMWINCLTEST host 192.168.219.12 eq ftp-data
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.219.10 255.255.255.248
ip address inside 172.16.1.29 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.219.19 255.255.255.255 outside
pdm location RTMWINCLTEST 255.255.255.255 outside
pdm location 192.168.197.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
nat (inside) 0 192.168.197.0 255.255.255.0 0 0
nat (inside) 0 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.219.9 1
route inside 192.168.197.0 255.255.255.0 172.16.1.4 1
route outside 192.168.219.11 255.255.255.255 192.168.219.10 1
route outside 192.168.219.12 255.255.255.255 192.168.219.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.0.0 255.255.0.0 inside
snmp-server host inside 172.16.33.96 poll
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
no snmp-server enable traps
floodguard enable
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
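The symptom in the question is easy to miss in a busy buffered log: one 302013 "Built inbound TCP connection" for an outside host, then only 110001 "No route to" messages for the same host. The following is an added example, not code from the thread or from Cisco; it parses the two message formats quoted above from a constructed log excerpt (the 302014 teardown line and the second outside host are made up for illustration) and flags outside sources that have both a successful build and later no-route errors, which is exactly the "works once, then fails" pattern described here.

```python
import re
from collections import defaultdict

# Constructed PIX 6.x syslog excerpt, modelled on the two messages quoted in the question
# (message ids 302013 and 110001). The teardown line and the 192.168.219.20 entries are invented.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 208 for outside:192.168.219.19/1065 (192.168.219.19/1065) to inside:172.16.5.182/21 (172.16.5.182/21)
302014: Teardown TCP connection 208 for outside:192.168.219.19/1065 to inside:172.16.5.182/21 duration 0:02:11 bytes 4096 TCP FINs
110001: No route to 192.168.219.11 from 192.168.219.19
110001: No route to 192.168.219.11 from 192.168.219.19
302013: Built inbound TCP connection 231 for outside:192.168.219.20/1080 (192.168.219.20/1080) to inside:172.16.5.112/21 (172.16.5.112/21)
"""

# Accept both the bare "NNNNNN:" form seen in the question and the "%PIX-n-NNNNNN:" syslog form.
RE_MSG = re.compile(r"^(?:%PIX-\d-)?(\d{6}): (.*)$")
RE_BUILT = re.compile(
    r"Built (inbound|outbound) TCP connection (\d+) for (\w+):([\d.]+)/(\d+) "
    r"\(([\d.]+)/(\d+)\) to (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)"
)
RE_NOROUTE = re.compile(r"No route to ([\d.]+) from ([\d.]+)")


def parse_events(text):
    """Turn raw PIX syslog lines into typed event dicts; message ids we do not model are skipped."""
    events = []
    for raw in text.splitlines():
        m = RE_MSG.match(raw.strip())
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "302013":
            b = RE_BUILT.match(body)
            if b:
                # src is the real (pre-NAT) address on the "for" side, dst the real address on the "to" side
                events.append({"id": msg_id, "type": "built", "conn": int(b.group(2)),
                               "src": b.group(4), "dst": b.group(9), "dport": int(b.group(10))})
        elif msg_id == "110001":
            n = RE_NOROUTE.match(body)
            if n:
                events.append({"id": msg_id, "type": "no_route", "target": n.group(1), "src": n.group(2)})
    return events


def correlate_by_source(text):
    """Per source address: how many connections were built, how many 110001 errors, and for which targets."""
    stats = defaultdict(lambda: {"built": 0, "no_route": 0, "no_route_targets": set()})
    for ev in parse_events(text):
        s = stats[ev["src"]]
        if ev["type"] == "built":
            s["built"] += 1
        else:
            s["no_route"] += 1
            s["no_route_targets"].add(ev["target"])
    return dict(stats)


def flag_intermittent(text):
    """Sources that got at least one Built connection and also at least one No route error."""
    return sorted(src for src, s in correlate_by_source(text).items() if s["built"] and s["no_route"])


if __name__ == "__main__":
    for src, s in correlate_by_source(SAMPLE_LOG).items():
        print(f"{src}: built={s['built']} no_route={s['no_route']} targets={sorted(s['no_route_targets'])}")
    print("works-once-then-fails candidates:", flag_intermittent(SAMPLE_LOG))
```

A host that appears in the flagged list with no-route targets that are the firewall's own static (global) addresses, as 192.168.219.11 is here, is a strong hint that the problem is translation, not routing, which is what the thread eventually concludes.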

4 Replies

srue
Level 7

What do these commands accomplish for you?

route outside 192.168.219.11 255.255.255.255 192.168.219.10 1
route outside 192.168.219.12 255.255.255.255 192.168.219.10 1
static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0

You're pointing the firewall to take a specific route (or just the outside interface) for 192.168.219.11/192.168.219.12, yet you're statically nat'ing them to the outside interface? Take those route statements out and test it.

Also, to be sure, can you ping RTMWINCLTEST and 192.168.219.19 from the PIX in question?

Hi,

The two internal ftp servers are:

172.16.5.182
172.16.5.112

They correspond to two nat'ed addresses on our outside PIX interface:

192.168.219.11
192.168.219.12

The two external hosts that need access to the ftp servers are:

192.168.219.19 needs access to 192.168.219.11
RTMWINCLTEST needs access to 192.168.219.12

The other side of the connection (at our vendor, with addresses 192.168.219.19 and RTMWINCLTEST) does not permit echo-replies.

I'm using the static to map the external addresses to the two internal ftp servers. The two route commands were an attempt to correct the "no route error". However, I do realise the 192.168.219.11, 192.168.219.12 are on the same subnet as the outside interface on our PIX.

Strangely, the vendor can connect (establish an ftp session) once (to both 192.168.219.11 and 192.168.219.12). The next session fails with the "no route" error.

Someone mentioned to me that he read somewhere that this was a very common error, and that it was related to nat'ing? I'm baffled.

It was a NAT vs STATIC order problem. I removed the NAT 0 (172.16.0.0) line and this solved the problem. The "no route to" error message in the PIX log is misleading, if taken literally. I should have read the Cisco PIX online docs describing the NAT, GLOBAL and STATIC commands.
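Both findings in this thread are visible in the config alone: srue's point that host routes for 192.168.219.11/.12 point back at the outside interface's own address on its own subnet, and the resolution that the `nat (inside) 0 172.16.0.0 255.255.0.0` identity NAT covers the same 172.16.5.x hosts that the statics translate. The script below is an added example, not code from the thread or from Cisco. It runs a small lint over a constructed excerpt of the posted config (only the lines those two checks need) and reports both patterns. It deliberately does not model the PIX's real translation-order logic; it only encodes the two overlaps the thread identified so they can be caught before deployment rather than in the log.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread; only the lines the two checks need are kept.
SAMPLE_CONFIG = """\
ip address outside 192.168.219.10 255.255.255.248
ip address inside 172.16.1.29 255.255.0.0
nat (inside) 0 192.168.197.0 255.255.255.0 0 0
nat (inside) 0 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.219.9 1
route inside 192.168.197.0 255.255.255.0 172.16.1.4 1
route outside 192.168.219.11 255.255.255.255 192.168.219.10 1
route outside 192.168.219.12 255.255.255.255 192.168.219.10 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
RE_IP_ADDRESS = re.compile(rf"^ip address (\S+) {IP} {IP}")
# Only the identity form "nat (if) 0 net mask" is parsed; NAT exemption via "nat (if) 0 access-list" is out of scope.
RE_NAT0 = re.compile(rf"^nat \((\S+)\) 0 {IP} {IP}")
# Handles both "static (in,out) gip lip netmask ..." and the port form "static (in,out) tcp gip port lip port netmask ...".
RE_STATIC = re.compile(rf"^static \((\S+),(\S+)\) (?:(?:tcp|udp) )?{IP}(?: \S+)? {IP}")
RE_NETMASK = re.compile(rf"netmask {IP}")
RE_ROUTE = re.compile(rf"^route (\S+) {IP} {IP} {IP}")


def parse_pix_config(text):
    """Extract interface addresses, nat 0 identity ranges, statics and routes from a PIX 6.x config."""
    cfg = {"interfaces": {}, "nat0": [], "statics": [], "routes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RE_IP_ADDRESS.match(line)):
            name, ip, mask = m.groups()
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif (m := RE_NAT0.match(line)):
            iface, net, mask = m.groups()
            cfg["nat0"].append({"iface": iface, "net": ipaddress.ip_network(f"{net}/{mask}", strict=False)})
        elif (m := RE_STATIC.match(line)):
            inside, outside, gaddr, laddr = m.groups()
            nm = RE_NETMASK.search(line)
            mask = nm.group(1) if nm else "255.255.255.255"
            cfg["statics"].append({"inside": inside, "outside": outside, "global": gaddr,
                                   "local": ipaddress.ip_network(f"{laddr}/{mask}", strict=False)})
        elif (m := RE_ROUTE.match(line)):
            iface, dest, mask, gw = m.groups()
            cfg["routes"].append({"iface": iface, "dest": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                                  "gw": ipaddress.ip_address(gw)})
    return cfg


def lint_pix_config(text):
    """Report the two overlaps discussed in the thread: static locals inside a nat 0 range, and
    host routes that point at the interface's own address for hosts on that interface's subnet."""
    cfg = parse_pix_config(text)
    nat0_overlaps, self_routes = [], []
    for s in cfg["statics"]:
        for n in cfg["nat0"]:
            if n["iface"] == s["inside"] and s["local"].overlaps(n["net"]):
                msg = f"static {s['local']} -> {s['global']} is also covered by nat ({n['iface']}) 0 {n['net']}"
                if msg not in nat0_overlaps:  # ftp and ftp-data statics share a local host
                    nat0_overlaps.append(msg)
    for r in cfg["routes"]:
        iface = cfg["interfaces"].get(r["iface"])
        if iface is None or r["dest"].prefixlen != 32:
            continue
        if r["dest"].network_address in iface.network and r["gw"] == iface.ip:
            self_routes.append(f"host route {r['dest'].network_address} via {r['gw']} points at "
                               f"{r['iface']}'s own address for a host on its own subnet")
    return {"nat0_overlaps": nat0_overlaps, "self_routes": self_routes}


if __name__ == "__main__":
    for kind, findings in lint_pix_config(SAMPLE_CONFIG).items():
        for f in findings:
            print(f"[{kind}] {f}")
```

Running it against the excerpt prints two findings of each kind; dropping the `nat (inside) 0 172.16.0.0` line and the two host routes, which is what the thread ended up doing, produces none.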
