05-30-2007 06:49 AM - edited 03-11-2019 03:22 AM
Hi,
I'm trying to setup a firewall rule on a Cisco PIX 506e (6.35) to permit inbound ftp traffic to two internal ftp servers. I can successfully connect once, and each subsequent connection produces a 110001 error code, "no route to..." message in the firewall logs. Here's the message in the log:
302013: Built inbound TCP connection 208 for outside:192.168.219.19/1065 (192.168.219.19/1065) to inside:172.16.5.182/21 (172.16.5.182/21)
110001: No route to 192.168.219.11 from 192.168.219.19
Here's the config
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname xxxx
domain-name xxxx
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 4 Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.8.0
name 192.168.8.19
name 192.168.219.20 RTMWINCLTEST
object-group service 6785-tcp tcp
port-object range 6785 6785
access-list acl_out permit tcp host 192.168.219.19 object-group 6785-tcp any object-group 6785-tcp
access-list acl_out permit tcp host RTMWINCLTEST object-group 6785-tcp any object-group 6785-tcp
access-list acl_out permit tcp host 192.168.219.19 host 192.168.219.11 eq ftp
access-list acl_out permit tcp host 192.168.219.19 host 192.168.219.11 eq ftp-data
access-list acl_out permit tcp host RTMWINCLTEST host 192.168.219.12 eq ftp
access-list acl_out permit tcp host RTMWINCLTEST host 192.168.219.12 eq ftp-data
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.219.10 255.255.255.248
ip address inside 172.16.1.29 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.219.19 255.255.255.255 outside
pdm location RTMWINCLTEST 255.255.255.255 outside
pdm location 192.168.197.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
nat (inside) 0 192.168.197.0 255.255.255.0 0 0
nat (inside) 0 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.219.9 1
route inside 192.168.197.0 255.255.255.0 172.16.1.4 1
route outside 192.168.219.11 255.255.255.255 192.168.219.10 1
route outside 192.168.219.12 255.255.255.255 192.168.219.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.0.0 255.255.0.0 inside
snmp-server host inside 172.16.33.96 poll
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
no snmp-server enable traps
floodguard enable
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
05-30-2007 07:22 AM
what do these commands accomplish for you?
route outside 192.168.219.11 255.255.255.255 192.168.219.10 1
route outside 192.168.219.12 255.255.255.255 192.168.219.10 1
static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0
you're pointing the firewall to take a specific route (or just the outside interface) for 192.168.219.11/192.168.219.12, yet you're statically nat'ing them to the outside interface? take those route statements out and test it.
Also, to be sure, can you ping RTMWINCLTEST and 192.168.219.19 from the PIX in question?
05-30-2007 08:06 AM
Hi,
The two internal ftp servers are:
172.16.5.182
172.16.5.112
They correspond to two nat'ed addresses on our outside PIX interface:
192.168.219.11
192.168.219.12
The two external hosts that need access to the ftp servers are:
192.168.219.19 needs access to 192.168.219.11
RTMWINCLITEST needs access to 192.168.219.12
The other side of the connection (at our vendor with addresses 192.168.219.19 and RTMWINCLITEST), does not permit echo-replies.
I'm using the static to map the external addresses to the two internal ftp servers. The two route commands were an attempt to correct the "no route error". However, I do realise the 192.168.219.11, 192.168.219.12 are on the same subnet as the outside interface on our PIX.
Strangely, the vendor can connect (establish an ftp session) once (to both 192.168.219.11 and 192.168.219.12). The next session fails with the "no route" error.
05-30-2007 09:07 PM
Someone mentioned to me that he read somewhere that this was a very common error, and it was related to nat'ing? I'm baffled.
06-04-2007 07:44 AM
It was a NAT vs. STATIC order problem. I removed the NAT 0 (172.16.0.0) line and this solved the problem. The "no route to" error message in the PIX log is misleading if taken literally. I should have read the Cisco PIX online docs describing the NAT, GLOBAL and STATIC commands.
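As an added example (not part of the original thread, and not Cisco code), the two lessons of the resolution above turned into a small triage script: it takes the `nat (inside) 0 ...` and `static (inside,outside) ...` lines from the posted config and reports any static whose local address is also claimed by an identity-NAT range on the same interface (the overlap the poster removed), applies that same fix, and classifies each `110001: No route to X from Y` log line as a NAT symptom when X is a global address the firewall itself owns through a static rather than a real routing problem. The config excerpt is copied from the thread; the log excerpt is the thread's two lines plus one constructed 110001 for an address no static owns (10.9.9.9). Function names and the output format are this example's own assumptions.

```python
"""Triage helper for the PIX 6.3(5) symptom in this thread (added example).

Two checks, both taken from the thread's own config and log lines:

1. config lint: a ``static`` whose local (inside) address also falls inside a
   ``nat (inside) 0 <net> <mask>`` identity-NAT range on the same interface,
   which is the overlap the original poster removed to fix the problem;
2. log triage: a ``110001: No route to X from Y`` message whose destination X is
   a global address the firewall itself owns through a ``static``; that is the
   NAT symptom described in the thread, not a routing problem.
"""
import ipaddress
import re

# Only the NAT-related lines of the posted config (constructed excerpt).
PIX_CONFIG = """\
nat (inside) 0 192.168.197.0 255.255.255.0 0 0
nat (inside) 0 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp 192.168.219.11 ftp 172.16.5.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.11 ftp-data 172.16.5.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp 172.16.5.112 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.219.12 ftp-data 172.16.5.112 ftp-data netmask 255.255.255.255 0 0
"""

# The thread's log lines, plus one constructed 110001 for an address no static owns.
PIX_LOG = """\
302013: Built inbound TCP connection 208 for outside:192.168.219.19/1065 (192.168.219.19/1065) to inside:172.16.5.182/21 (172.16.5.182/21)
110001: No route to 192.168.219.11 from 192.168.219.19
110001: No route to 10.9.9.9 from 192.168.219.19
"""

IP = r"\d+(?:\.\d+){3}"
# static (real,mapped) [tcp|udp] GLOBAL [port] LOCAL [port] netmask MASK ...
STATIC_RE = re.compile(
    rf"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?:(?P<proto>tcp|udp) )?"
    rf"(?P<gaddr>{IP})(?(proto) \S+) (?P<laddr>{IP})(?(proto) \S+) netmask (?P<mask>{IP})"
)
# nat (real) 0 NET MASK ...  (identity NAT without an access-list)
NAT0_RE = re.compile(rf"^nat \((?P<real>\w+)\) 0 (?P<net>{IP}) (?P<mask>{IP})")
NOROUTE_RE = re.compile(rf"110001: No route to (?P<dst>{IP}) from (?P<src>{IP})")


def parse_statics(config):
    """Yield (real_if, mapped_if, global_addr, local_addr) for each static line."""
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            yield (m["real"], m["mapped"],
                   ipaddress.ip_address(m["gaddr"]), ipaddress.ip_address(m["laddr"]))


def parse_identity_nats(config):
    """Yield (real_if, network, original_line) for each 'nat (if) 0 net mask' line."""
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            yield (m["real"], net, line.strip())


def find_nat_static_overlaps(config):
    """Static local addresses that a nat 0 identity range on the same interface also claims."""
    nats = list(parse_identity_nats(config))
    hits = []
    for real, _mapped, gaddr, laddr in parse_statics(config):
        for nat_if, net, nat_line in nats:
            hit = (str(laddr), str(gaddr), nat_line)
            if nat_if == real and laddr in net and hit not in hits:
                hits.append(hit)
    return hits


def remove_overlapping_identity_nat(config):
    """Apply the poster's fix: drop every nat 0 line that covers a static's local address."""
    locals_ = {laddr for _, _, _, laddr in parse_statics(config)}
    doomed = {nat_line for _, net, nat_line in parse_identity_nats(config)
              if any(addr in net for addr in locals_)}
    return "\n".join(l for l in config.splitlines() if l.strip() not in doomed) + "\n"


def triage_no_route(config, log):
    """Classify each 110001: 'nat' if the 'unreachable' address is a static global, else 'routing'."""
    globals_ = {gaddr for _, _, gaddr, _ in parse_statics(config)}
    out = []
    for line in log.splitlines():
        m = NOROUTE_RE.search(line)
        if m:
            kind = "nat" if ipaddress.ip_address(m["dst"]) in globals_ else "routing"
            out.append((m["dst"], m["src"], kind))
    return out


if __name__ == "__main__":
    for laddr, gaddr, nat_line in find_nat_static_overlaps(PIX_CONFIG):
        print(f"overlap: static {gaddr} -> {laddr} is also covered by '{nat_line}'")
    for dst, src, kind in triage_no_route(PIX_CONFIG, PIX_LOG):
        print(f"110001 to {dst} from {src}: {kind}")
    print("config after the poster's fix:\n" + remove_overlapping_identity_nat(PIX_CONFIG))
```

The script only does what the poster did, which is remove the identity-NAT line that overlaps the statics; it keeps the `nat (inside) 0 192.168.197.0 255.255.255.0` line because no static local address falls in that range. Whether the rest of 172.16.0.0/16 still needs some other translation for outbound traffic after that line is gone is a separate question the thread does not answer, so check `show xlate` and `show nat` on the box before and after the change rather than trusting the lint alone.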