Static and Default Routes

This chapter describes how to configure static and default routes on the Cisco ASA.

About Static and Default Routes

To route traffic to a non-connected host or network, you must define a route to the host or network, either using static or dynamic routing. Generally, you must configure at least one static route: a default route for all traffic that is not routed by other means to a default network gateway, typically the next hop router.

Default Route

The simplest option is to configure a default static route to send all traffic to an upstream router, relying on the router to route the traffic for you. A default route identifies the gateway IP address to which the ASA sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 (IPv4) or ::/0 (IPv6) as the destination IP address.

You should always define a default route.

Because the ASA uses separate routing tables for data traffic and for management traffic, you can optionally configure a default route for data traffic and another default route for management traffic. Note that from-the-device traffic uses either the management-only or data routing table by default depending on the type (see Routing Table for Management Traffic), but will fall back to the other routing table if a route is not found. Default routes will always match traffic, and will prevent a fall back to the other routing table. In this case, you must specify the interface you want to use for egress traffic if that interface is not in the default routing table.

Static Routes

You might want to use static routes in the following cases:

Your networks use an unsupported router discovery protocol.
Your network is small and you can easily manage static routes.
You do not want the traffic or CPU overhead associated with routing protocols.
In some cases, a default route is not enough. The default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the ASA.
You are using a feature that does not support dynamic routing protocols.

Route to null0 Interface to Drop Unwanted Traffic

Access rules let you filter packets based on the information contained in their headers. A static route to the null0 interface is a complementary solution to access rules. You can use a null0 route to forward unwanted or undesirable traffic so the traffic is dropped.

Static null0 routes have a favorable performance profile. You can also use static null0 routes to prevent routing loops. BGP can leverage the static null0 route for Remotely Triggered Black Hole routing.

Route Priorities

Routes that identify a specific destination take precedence over the default route.
When multiple routes exist to the same destination (either static or dynamic), then the administrative distance for the route determines priority. Static routes are set to 1, so they typically are the highest priority routes.
When you have multiple static routes to the same destination with the same administrative distance, see Equal-Cost Multi-Path (ECMP) Routing.
For traffic emerging from a tunnel with the Tunneled option, this route overrides any other configured or learned default routes.

Transparent Firewall Mode and Bridge Group Routes

For traffic that originates on the ASA and is destined through a bridge group member interface for a non-directly connected network, you need to configure either a default route or static routes so the ASA knows out of which bridge group member interface to send traffic. Traffic that originates on the ASA might include communications to a syslog server or SNMP server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. For transparent mode, you cannot specify the BVI as the gateway interface; only member interfaces can be used. For bridge groups in routed mode, you must specify the BVI in a static route; you cannot specify a member interface. See for more information.

Static Route Tracking

One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static routes are only removed from the routing table if the associated interface on the ASA goes down.

The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. For example, you can define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.

The ASA implements static route tracking by associating a static route with a monitoring target host on the destination network that the ASA monitors using ICMP echo requests. If an echo reply is not received within a specified time period, the host is considered down, and the associated route is removed from the routing table. An untracked backup route with a higher metric is used in place of the removed route.

When selecting a monitoring target, you need to make sure that it can respond to ICMP echo requests. The target can be any network object that you choose, but you should consider using the following:

The ISP gateway (for dual ISP support) address
The next hop gateway address (if you are concerned about the availability of the gateway)
A server on the target network, such as a syslog server, that the ASA needs to communicate with
A persistent network object on the destination network

Note

A PC that may be shut down at night is not a good choice.

You can configure static route tracking for statically defined routes or default routes obtained through DHCP or PPPoE. You can only enable PPPoE clients on multiple interfaces with route tracking configured.

Guidelines for Static and Default Routes

Firewall Mode and Bridge Groups

In transparent mode, static routes must use the bridge group member interface as the gateway; you cannot specify the BVI.
In routed mode, you must specify the BVI as the gateway; you cannot specify the member interface.
Static route tracking is not supported for bridge group member interfaces or on the BVI.

IPv6

Static route tracking is not supported for IPv6.

Clustering and Multiple Context Mode

In clustering, static route tracking is only supported on the primary unit.
Static route tracking is not supported in multiple context mode.

Configure Default and Static Routes

At a minimum, you should configure a default route. You may need to configure static routes as well. In this section we will configure a default route, configure a static route and track a static route.

Configure a Default Route

A default route is simply a static route with 0.0.0.0/0 as the destination IP address. You should always have a default route, either configured manually with this procedure, or derived from a DHCP server or other routing protocol.

Before you begin

See the following guidelines for the Tunneled option:

Do not enable unicast RPF on the egress interface of a tunneled route, because this setting causes the session to fail.
Do not enable TCP intercept on the egress interface of the tunneled route, because this setting causes the session to fail.
Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the DNS inspection engine, or the DCE RPC inspection engine with tunneled routes, because these inspection engines ignore the tunneled route.
You cannot define more than one default route with the tunneled option.
ECMP for tunneled traffic is not supported.
Tunneled routes are not supported for bridge groups, which do not support VPN termination for through traffic.

Procedure

Step 1	Choose Configuration > Device Setup > Routing > Static Routes, and click Add.
Step 2	Choose the IP Address Type, IPv4 or IPv6.
Step 3	Choose the Interface through which you want to send the traffic. For transparent mode, specify a bridge group member interface name. For routed mode with bridge groups, specify the BVI name.
Step 4	For the Network, type any4 or any6, depending on the type.
Step 5	Enter the Gateway IP where you want to send the traffic.
Step 6	Set the Metric to set the administrative distance for the route. The default is 1. Administrative distance is a parameter used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols but not directly connect routes. The default administrative distance for routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the static routes take precedence. Connected routes always take precedence over static or dynamically discovered routes.
Step 7	(Optional) In the Options area, set the following: Tunneled—You can define a separate default route for VPN traffic if you want your VPN traffic to use a different default route than your non VPN traffic. For example, traffic incoming from VPN connections can be easily directed towards internal networks, while traffic from internal networks can be directed towards the outside. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes, is sent to this route. This option is not supported for bridge groups. Tracked—(IPv4 only) For information about tracking routes, see Configure Static Route Tracking.
Step 8	Click OK.

Configure a Static Route

A static route defines where to send traffic for specific destination networks.

Procedure

Step 1	Choose Configuration > Device Setup > Routing > Static Routes, and click Add.
Step 2	Choose the IP Address Type, IPv4 or IPv6.
Step 3	Choose the Interface through which you want to send the traffic. To drop unwanted traffic, choose the Null0 interface. For transparent mode, specify a bridge group member interface name. For routed mode with bridge groups, specify the BVI name.
Step 4	For the Network, enter the destination network for which you want to route traffic.
Step 5	Enter the Gateway IP where you want to send the traffic.
Step 6	Set the Metric to set the administrative distance for the route. The default is 1. Administrative distance is a parameter used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols but not directly connect routes. The default administrative distance for routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the static routes take precedence. Connected routes always take precedence over static or dynamically discovered routes.
Step 7	(Optional) In the Options area, set the following: Tunneled—You can define a separate default route for VPN traffic if you want your VPN traffic to use a different default route than your non VPN traffic. For example, traffic incoming from VPN connections can be easily directed towards internal networks, while traffic from internal networks can be directed towards the outside. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes, is sent to this route. Tracked—(IPv4 only) For information about tracking routes, see Configure Static Route Tracking.
Step 8	Click OK.

Configure Static Route Tracking

To configure static route tracking, complete the following steps.

Procedure

Step 1

Choose Configuration > Device Setup > Routing > Static Routes and add or edit a static route according to Configure a Static Route.

Step 2

Click the Tracked radio button in the Options area.

Step 3

In the Track ID field, enter a unique identifier for the route tracking process.

Step 4

In the Track IP Address/DNS Name field, enter the IP address or hostname of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available from that interface.

Step 5

In the SLA ID field, enter a unique identifier for the SLA monitoring process.

Step 6

(Optional) Click Monitoring Options.

The Route Monitoring Options dialog box appears. From here, change the following tracking object monitoring properties:

Frequency—Sets how often, in seconds, the ASA should test for the presence of the tracking target. Valid values range from 1 to 604800 seconds. The default value is 60 seconds.
Threshold—Sets the amount of time, in milliseconds, that indicates an over-threshold event. This value cannot be more than the timeout value.
Timeout—Sets the amount of time, in milliseconds, that the route monitoring operation should wait for a response from the request packets. Valid values range from 0 to 604800000 milliseconds. The default value is 5000 milliseconds.

Data Size—Sets the size of data payload to use in the echo request packets. The default value is 28. Valid values range from 0 to 16384.

Note

This setting specifies the size of the payload only; it does not specify the size of the entire packet.

ToS—Sets a value for the type of service byte in the IP header of the echo request. Valid values are from 0 to 255. The default value is 0.
Number of Packets—Sets the number of echo requests to send for each test. Valid values range from 1 to 100. The default value is 1.

Click OK.

Step 7

Click OK to save your route, and then click Apply.

The monitoring process begins as soon as you apply the tracked route.

Step 8

Create an untracked backup route.

The backup route is a static route to the same destination as the tracked route, but through a different interface or gateway. You must assign this route a higher administrative distance (metric) than your tracked route.

Monitoring a Static or Default Route

Monitoring > Routing > Routes.

In the Routes pane, each row represents one route. You can filter by IPv4 connections, IPv6 connections, or both. The routing information includes the protocol, the route type, the destination IP address, the netmask or prefix length, the gateway IP address, the interface through which the route is connected, and the administrative distance.

Examples for Static or Default Routes

The following example shows how to create a static route that sends all traffic destined for 10.1.1.0/24 to the router 10.1.2.45, which is connected to the inside interface, defines three equal cost static routes that direct traffic to three different gateways on the dmz interface, and adds a default route for tunneled traffic and one for regular traffic.


route inside 10.1.1.0 255.255.255.0 10.1.2.45
route dmz 10.10.10.0 255.255.255.0 192.168.2.1
route dmz 10.10.10.0 255.255.255.0 192.168.2.2
route dmz 10.10.10.0 255.255.255.0 192.168.2.3
route outside 0 0 209.165.201.1
route inside 0 0 10.1.2.45 tunneled

History for Static and Default Routes

Table 1. Feature History for Static and Default Routes
Feature Name	Platform Releases	Feature Information
Static Route Tracking	7.2(1)	The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. We introduced or modified the following screens: Configuration > Device Setup > Routing > Static Routes > Add Static Route Configuration > Device Setup > Routing > Static Routes > Add Static Route > Route Monitoring Options
Static null0 route to drop traffic	9.2(1)	Sending traffic to a null0 interface results in dropping the packets destined to the specified network. This feature is useful in configuring Remotely Triggered Black Hole (RTBH) for BGP. We modified the following screen: Configuration > Device Setup > Routing > Static Routes > Add Static Route

ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.9

Bias-Free Language

Book Title

ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.9

Chapter Title