11-41
Cisco ASDM User Guide
OL-16647-01
Chapter 11 Configuring Dynamic And Static Routing
Static Routes
The default route identifies the gateway IP address to which the security appliance sends all IP packets
for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0
as the destination IP address. Routes that identify a specific destination take precedence over the default
route.
You can define up to three equal cost default route entries per device. Defining more than one equal cost
default route entry causes the traffic sent to the default route to be distributed among the specified
gateways. When defining more than one default route, you must specify the same interface for each
entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default
route with a different interface than a previously defined default route, you will receive an error message.
You can define a separate default route for tunneled traffic alongside the standard default route. When
you create a default route with the tunneled option, traffic that arrived on the security appliance through
a VPN tunnel (that is, traffic that was encrypted on arrival and has been decrypted) and that cannot be
routed using a learned or static route is sent to this route. Traffic that did not arrive encrypted uses the
standard default route. You cannot define more than one default route with the tunneled option; ECMP is
not supported for tunneled traffic.
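The CLI equivalent of what ASDM configures for the rules above, as an added example that is not part of this guide: three equal-cost default routes on one interface, the two error cases, and a single tunneled default route. The interface names (outside, dmz, inside) and the gateway addresses (taken from documentation address ranges) are assumptions.

```cisco
! Three equal-cost default routes, all on the same interface (outside).
! Traffic that matches only the default route is distributed among these gateways.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1
route outside 0.0.0.0 0.0.0.0 203.0.113.3 1
!
! Both of the following are rejected with an error:
!   a fourth equal-cost default route on the same interface
!     route outside 0.0.0.0 0.0.0.0 203.0.113.4 1
!   a default route on a different interface than the existing default routes
!     route dmz 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Separate default route for traffic that arrived through a VPN tunnel, pointing
! decrypted traffic at an internal gateway. Only one tunneled default route is allowed.
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
!
! Verify: each candidate default gateway appears in the routing table.
show route
```

The tunneled route is the one to check when VPN users can reach the internal network but not destinations behind an internal router: without it, their decrypted traffic follows the standard default route back out the outside interface.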
For more information about viewing and configuring static and default routes with ASDM, see Field
Information for Static Routes, page 11-42.
Static Route Tracking
It is not always possible to use dynamic routing protocols on the security appliance, such as when the
security appliance is in multiple context mode or transparent mode. In these cases, you must use static
routes.
One of the problems with static routes is that there is no inherent mechanism for determining whether a
route is up or down. A static route remains in the routing table even if its next-hop gateway goes down; it
is removed only if the associated interface on the security appliance itself goes down.
The static route tracking feature provides a method for tracking the availability of a static route and
installing a backup route if the primary route should fail. This allows you to, for example, define a
default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP
becomes unavailable.
The security appliance does this by associating a static route with a monitoring target that you define. It
monitors the target using ICMP echo requests. If an echo reply is not received within a specified time
period, the target is considered down and the associated route is removed from the routing table. A
previously configured backup route, a static route to the same destination with a higher administrative
distance than the tracked route, is then installed in its place.
When selecting a monitoring target, you need to make sure that it can respond to ICMP echo requests and
that no device on the path rate-limits or filters them; a target that answers only intermittently causes the
route to flap. The target can be any network object that responds to ICMP echo requests. Consider choosing:
• the ISP gateway address (for dual ISP support)
• the next hop gateway address (if you are concerned about the availability of the gateway)
• a server, such as a AAA server, that the security appliance needs to communicate with
• a persistent network object on the destination network (a desktop or notebook computer that may be
  shut down at night is not a good choice)
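The dual-ISP scenario described above, as an added example that is not part of this guide: a tracked primary default route, a backup default route with a higher administrative distance, the SLA operation that sends the ICMP echo requests, and the tracking object that ties them together. The interface names (outside, backup), the gateway addresses (documentation address ranges), and the SLA and track numbers are assumptions.

```cisco
! Primary default route via ISP A. It stays in the routing table only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Backup default route via ISP B on a second interface. Administrative distance 254 keeps it
! out of the routing table while the tracked route is present; it is installed when track 1 fails.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! SLA operation 10: ICMP echo to the ISP A gateway, always sent out the outside interface.
! 3 echoes every 10 seconds; an echo that gets no reply within 1000 ms counts as a failure.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
 threshold 1000
sla monitor schedule 10 life forever start-time now
!
! Tracking object 1 follows the reachability result of SLA operation 10.
track 1 rtr 10 reachability
!
! Verification: probe results, tracking state, and which default route is installed.
show sla monitor operational-state 10
show track 1
show route
```

Two practical points. First, the `interface` keyword on the echo operation matters: the probes leave through the outside interface regardless of the routing table, so after the primary route is withdrawn they do not sneak out via the backup ISP and falsely report the target as reachable. Second, pinging the ISP gateway only proves the first hop; if the ISP's upstream fails, the gateway still answers and the route stays in place. A target further along the primary path (for example, an always-on host on the far side of the ISP) detects that failure, at the cost of the route being withdrawn whenever that one host is unreachable.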
For more information about configuring static route tracking, see Configuring Static Route Tracking,
page 11-42. To monitor the static route tracking process, see interface connection, page 41-9.