Deployment and configuration of static routes is appropriate when the Cisco ASAs cannot dynamically build a route to a specific destination. The device to which the Cisco ASA is forwarding the packets might not support any dynamic routing protocols or the deployment is basic and uncomplicated. Dynamic routing protocols, such as RIP and OSPF, must be considered if the network is fairly large and complex. Static routes are easy to configure. However, they do not scale well in large environments.
It is strongly recommended that you have a complete understanding of your network topology before configuring routing in your Cisco ASA. A best practice is to have a network topology diagram on hand that you can refer to when configuring your Cisco ASA.
Static routes are configured using the route command, as shown in the following syntax:
route interface network mask gateway metric [tunneled]
Table 6-1 details the options available within the route command.
The specific interface name for which the route will apply. It must match the interface name configured by the nameif command under the specific interface configuration section.
The address of the remote network or host. If configuring a default route, use 0.0.0.0 or just 0.
The subnet mask of the remote network. If configuring a default route, use 0.0.0.0 or just 0 as the subnet mask.
The gateway to which the ASA will forward the packets.
The number of hops between the ASA and the destination network or host.
This option is used to configure a tunnel default gateway. This option can be used only with default gateways.
Figure 6-1 shows a simple static route topology that includes a Cisco ASA with two interfaces configured (outside and inside).
Figure 6-1. Basic IP Routing Configuration Using Static Routes
In the example shown in Figure 6-1, a static default route is configured for the Cisco ASA to be able to forward packets to the Internet through the Internet router. The route statement will look like this:
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1
You can configure up to three default routes for traffic load-balancing. They should all point to the same interface.
A separate static route needs to be configured for the Cisco ASA to be able to reach the private network 192.168.20.0/24. This route entry must be configured as follows:
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
The show route command can be used to view the Cisco ASA's routing table and verify the configuration. Here is an example of the output of the show route command after configuring the previously mentioned static route statements:
Chicago# show route S 0.0.0.0 0.0.0.0 [1/0] via 184.108.40.206, outside C 192.168.10.0 255.255.255.0 is directly connected, inside S 192.168.20.0 255.255.255.0 [1/0] via 192.168.10.2, inside C 220.127.116.11 255.255.255.224 is directly connected, outside
The letter S by each route statement indicates that it is a statically configured route entry. The letter C indicates that it is a directly connected route. The first number in the brackets is the administrative distance of the information source; the second number is the metric for the route. Administrative distance is the feature used by routing devices to select the best path when there are two or more different routes to the same destination from two different routing protocols.
The show route command is useful when troubleshooting any routing problems. It provides not only the gateway's IP address for each route entry, but also the interface that is connected to that gateway.
The show route command can be used with an interface name to display only the routes going out of the specified interface.
Figure 6-2 shows another simple static route topology with the addition of a demilitarized zone (DMZ).
Figure 6-2. IP Routing Configuration Using Static Routes to a Network on a DMZ Interface
To forward IP packets to the 192.168.4.0/24 network, a static route must be configured as follows (assuming that the DMZ interface is labeled dmz1):
route dmz1 192.168.4.0 255.255.255.0 192.168.3.2 1
Earlier, the tunneled keyword on a default gateway was mentioned. This option configures a tunnel default gateway. When configured, the Cisco ASA forwards all tunnel (decrypted) traffic to the specified device. This is similar to the tunnel default gateway option on the Cisco VPN 3000 Series Concentrators. Chapter 15, "Site-to-Site IPSec VPNs," covers the use of the tunnel default gateway feature.
Dynamic routing protocols are not supported when the security Cisco ASA is running in multimode. Cisco ASA has the ability to create multiple security contexts (virtual firewalls), as covered in Chapter 9, "Security Contexts."
A Cisco ASA configured with dynamic routing protocols can advertise configured static routes to its neighbors or peers. This process is called redistribution of static routes. This methodology is discussed later in this chapter under the "Configuring the Cisco ASA as an ASBR" section.
Part I: Product Overview
Introduction to Network Security
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
Authentication, Authorization, and Accounting (AAA)
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM