Configuring Static Routes

Deployment and configuration of static routes is appropriate when the Cisco ASAs cannot dynamically build a route to a specific destination. The device to which the Cisco ASA is forwarding the packets might not support any dynamic routing protocols or the deployment is basic and uncomplicated. Dynamic routing protocols, such as RIP and OSPF, must be considered if the network is fairly large and complex. Static routes are easy to configure. However, they do not scale well in large environments.

It is strongly recommended that you have a complete understanding of your network topology before configuring routing in your Cisco ASA. A best practice is to have a network topology diagram on hand that you can refer to when configuring your Cisco ASA.

Static routes are configured using the route command, as shown in the following syntax:

 route interface network mask gateway metric [tunneled]

Table 6-1 details the options available within the route command.

Table 6-1. route Command Options




The specific interface name for which the route will apply. It must match the interface name configured by the nameif command under the specific interface configuration section.


The address of the remote network or host. If configuring a default route, use or just 0.


The subnet mask of the remote network. If configuring a default route, use or just 0 as the subnet mask.


The gateway to which the ASA will forward the packets.


The number of hops between the ASA and the destination network or host.


This option is used to configure a tunnel default gateway. This option can be used only with default gateways.

Figure 6-1 shows a simple static route topology that includes a Cisco ASA with two interfaces configured (outside and inside).

Figure 6-1. Basic IP Routing Configuration Using Static Routes

In the example shown in Figure 6-1, a static default route is configured for the Cisco ASA to be able to forward packets to the Internet through the Internet router. The route statement will look like this:

 route outside 1


You can configure up to three default routes for traffic load-balancing. They should all point to the same interface.

A separate static route needs to be configured for the Cisco ASA to be able to reach the private network This route entry must be configured as follows:

 route inside 1

The show route command can be used to view the Cisco ASA's routing table and verify the configuration. Here is an example of the output of the show route command after configuring the previously mentioned static route statements:

Chicago# show route

S [1/0] via, outside

C is directly connected, inside

S [1/0] via, inside

C is directly connected, outside

The letter S by each route statement indicates that it is a statically configured route entry. The letter C indicates that it is a directly connected route. The first number in the brackets is the administrative distance of the information source; the second number is the metric for the route. Administrative distance is the feature used by routing devices to select the best path when there are two or more different routes to the same destination from two different routing protocols.


The show route command is useful when troubleshooting any routing problems. It provides not only the gateway's IP address for each route entry, but also the interface that is connected to that gateway.

The show route command can be used with an interface name to display only the routes going out of the specified interface.

Figure 6-2 shows another simple static route topology with the addition of a demilitarized zone (DMZ).

Figure 6-2. IP Routing Configuration Using Static Routes to a Network on a DMZ Interface

To forward IP packets to the network, a static route must be configured as follows (assuming that the DMZ interface is labeled dmz1):

 route dmz1 1

Earlier, the tunneled keyword on a default gateway was mentioned. This option configures a tunnel default gateway. When configured, the Cisco ASA forwards all tunnel (decrypted) traffic to the specified device. This is similar to the tunnel default gateway option on the Cisco VPN 3000 Series Concentrators. Chapter 15, "Site-to-Site IPSec VPNs," covers the use of the tunnel default gateway feature.


Dynamic routing protocols are not supported when the security Cisco ASA is running in multimode. Cisco ASA has the ability to create multiple security contexts (virtual firewalls), as covered in Chapter 9, "Security Contexts."

A Cisco ASA configured with dynamic routing protocols can advertise configured static routes to its neighbors or peers. This process is called redistribution of static routes. This methodology is discussed later in this chapter under the "Configuring the Cisco ASA as an ASBR" section.

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231 © 2008-2020.
If you may any questions please contact us: