I'm trying to setup a firewall rule on a Cisco PIX 506e (6.35) to permit inbound ftp traffic to two internal ftp servers. I can successfully connect once, and each subsequent connection produces a 110001 error code, "no route to..." message in the firewall logs. Here's the message in the log:
302013: Built inbound TCP connection 208 for outside:192.168.219.19/1065 (192.168.219.19/1065) to inside:172.16.5.182/21 (172.16.5.182/21)
110001: No route to 192.168.219.11 from 192.168.219.19
Here's the config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 4 Sun Oct 2:00
You're pointing the firewall to take a specific route (or just the outside interface) for 192.168.219.11/192.168.219.12, yet you're statically NATing them to the outside interface? Take those route statements out and test it.
Also, to be sure, can you ping RTMWINCLTEST and 192.168.219.19 from the PIX in question?
They correspond to two NATed addresses on our outside PIX interface:
The two external hosts that need access to the ftp servers are:
192.168.219.19 needs access to 192.168.219.11
RTMWINCLITEST needs access to 192.168.219.12
The other side of the connection (at our vendor with addresses 192.168.219.19 and RTMWINCLITEST), does not permit echo-replies.
I'm using the static to map the external addresses to the two internal ftp servers. The two route commands were an attempt to correct the "no route error". However, I do realise the 192.168.219.11, 192.168.219.12 are on the same subnet as the outside interface on our PIX.
Strangely, the vendor can connect (establish an ftp session) once (to both 192.168.219.11 and 192.168.219.12). The next session fails with the "no route" error.
It was a NAT vs STATIC order problem. I removed the NAT 0 (172.16.0.0) line and this solved the problem. The "no route to" error message in the PIX log is misleading, if taken literally. I should have read the Cisco PIX online docs describing the NAT, GLOBAL and STATIC commands.
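For reference, here is a reconstructed PIX 6.3 configuration for the state the thread ends in: one static translation per internal FTP server, an inbound access list restricted to the two vendor hosts, no identity `nat 0` covering the inside network, and no route statements for the NATed addresses. This is an added example, not the poster's actual configuration (which is cut off above); the access-list name `acl_outside_in`, the inside netmask, and the second server's inside address are assumptions, and the RTMWINCLITEST host is shown as a placeholder address.

```cisco
! Added example, not the original poster's config. Interface names come from the thread.
! Static NAT: public 192.168.219.x on the outside subnet -> internal FTP servers.
static (inside,outside) 192.168.219.11 172.16.5.182 netmask 255.255.255.255 0 0
! Inside address of the second server is an assumption.
static (inside,outside) 192.168.219.12 172.16.5.183 netmask 255.255.255.255 0 0

! Inbound policy: only the two vendor hosts, only FTP control (tcp/21).
! RTMWINCLITEST_IP is a placeholder; the thread does not give its address.
access-list acl_outside_in permit tcp host 192.168.219.19 host 192.168.219.11 eq ftp
access-list acl_outside_in permit tcp host RTMWINCLITEST_IP host 192.168.219.12 eq ftp
access-group acl_outside_in in interface outside

! FTP inspection so the data channel is opened dynamically instead of needing extra rules.
fixup protocol ftp 21

! Deliberately absent (these were removed to reach the working state):
!   nat (inside) 0 172.16.0.0 255.255.0.0
!   route outside 192.168.219.11 255.255.255.255 <next-hop>
!   route outside 192.168.219.12 255.255.255.255 <next-hop>
```

After changing `static` or `nat` lines on PIX 6.x, run `clear xlate` so stale translation entries from the old rule set do not keep the old behaviour alive; `show xlate` then lets you confirm that the only translations for 172.16.5.182 and 172.16.5.183 are the two statics above.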