I am getting this message from PIX log "10.17.30.250 %PIX-6-110001: No route to 10.17.50.53 from 10.17.30.11" when I tried pinging 10.17.50.53. Please correct me if i am wrong but I know that PIX is just passing traffic in/out and not routing traffic. Could it be the router sending out this message to the syslog? I am trying to figure out the routing solution.
Any suggestion would be apprecited.
From the pix error message doc:-
Error Message %PIX-6-110001: No route to dest_addr from src_addr
Explanation This message indicates a route lookup failure. A packet is looking for a destination IP address which is not in the routing table.
Recommended Action Check the routing table and make sure there is a route to the destination
The pix still has to do route lookups to work out where you send the traffic. Your pix is saying it doesn't know how to get to 10.17.50.53. Check your routing table on the pix "sh route" and if there isn't a route there you need to add it eg:
route "interface" 10.17.50.0 255.255.255.0 "next-hop"
Thanks for your quick response.
I did try your suggestion by adding routing statement in my 10.17.30.50 pix but to no avail and I am still getting the message. I must be missing something, I'll check the router side and see if I can find something.
Could you send me some more details ie.
1) where is the 10.17.30.50 host in relation to your pix interfaces eg is it on the inside, the outside etc.
2) Could you print off the pix routing table.
I've attached a diag and pix rt that will picture the scenario.
L3 (2 vlan2) vlan1 (24.3/23) vlan2 (50.3/24)
Rtr 1 network(24.0/23) Rtr 2 network (30.0/24)
Pc (vlan2) ip: 50.51/24 gw:50.3/24
pc (vlan1) ip: 25.49/23 gw:24.3/23
I have no problem with 24.0/24 and 50.0/24 routing, both of them can talk to each other and have internet connection. I can ping successfully from 24.0 to 30.0,but when I tried pinging 30.0 network from a pc in 50.0 I got no response and this is where I will get the no route message from the log. I provided also a trace route result from vlan2 pc.
Thanks & Regards
Which firewall are you getting this error message from - fw1 or fw2 ?
Looking at the routing table i'm assuming that 10.17.30.11 is the inside interface on fw2.
These two firewalls are not running in failover mode. On your rtr1 router do you have a route for 10.17.30.0 pointing to fw1 ?
If 10.17.25.254 is your inside interface on rtr1 then i would expect the next hop from your traceroute to be rtr2. You have drawn a connection from rtr1 to rtr2 - is this an actual connection.
1. error message was coming from fw2 per syslog.
2. 10.17.30.250 is the inside interface of fw2 and 30.11 is one of the server in 30.0 network.
3. Two fw (1&2) are not in failover mode.however, fw1 do have a failvover with another pix.
4. Rtr1 has a route for 10.17.30.0 pointing to rtr1 e2/0 interface and pingable from any subnet except 50.0/24.
5. The connection in the drawing is right for rtr1 to rtr2. an isp manage router is in the middle both sides. OSPF was used to redistribute the route.
6. Your right, 10.17.25.254 is inside on rtr1 and next hop should be rtr2.
Hope this won't confuse you.
Can you check your routing table on rtr2. Is there a routing entry that points the 10.17.50.0 network to fw2 instead of back down the link to rtr1 ?
Thank you very much for your time and attention. I finally figured it out. I had to advertised the subnet and applied access-list back to back and now 50.0/24 can ping the 30.0/24. I just have to apply the same concept on the other side so it can see 50.0/24.