Cisco ASA 1000V ASDM Configuration Guide, 6.7
Configuring Static and Default Routes
Table Of Contents

Configuring Static and Default Routes

Information About Routing

Switching

Information About Static and Default Routes

How Routing Behaves Within the ASA 1000V

Egress Interface Selection Process

Next Hop Selection Process

Information About the Routing Table

Displaying the Routing Table

How Forwarding Decisions Are Made

Configuring Static and Default Routes

Configuring a Default Static Route

Configuring a Static Route

Adding or Editing a Static Route

Configuring Static Route Tracking

Deleting Static Routes

Disabling Proxy ARPs

Monitoring a Static or Default Route

Configuration Examples for Static or Default Routes


Configuring Static and Default Routes


This chapter describes how to configure static and default routes on the ASA 1000V and includes the following sections:

Information About Routing

Configuring Static and Default Routes

Disabling Proxy ARPs

Monitoring a Static or Default Route

Configuration Examples for Static or Default Routes

Information About Routing

Routing is the act of moving information across an internetwork from a source to a destination. Along the way, at least one intermediate node typically is encountered. Routing involves two basic activities: determining optimal routing paths and transporting information groups (typically called packets) through an internetwork. In the context of the routing process, the latter of these is referred to as packet switching. Although packet switching is relatively straightforward, path determination can be very complex.

The ASA 1000V only supports static routing.

This section includes the following topics:

Switching

How Routing Behaves Within the ASA 1000V

Switching

Switching algorithms are relatively simple and are the same for most routing protocols. In most cases, a host determines that it must send a packet to another host. Having acquired a router address by some means, the source host sends a packet addressed specifically to the router's physical (Media Access Control (MAC)-layer) address, but carrying the protocol (network-layer) address of the destination host.

As it examines the packet destination protocol address, the router determines that it either knows or does not know how to forward the packet to the next hop. If the router does not know how to forward the packet, it typically drops the packet. If the router knows how to forward the packet, however, it changes the destination physical address to that of the next hop and transmits the packet.

The next hop may be the ultimate destination host. If not, the next hop is usually another router, which executes the same switching decision process. As the packet moves through the internetwork, its physical address changes, but its protocol address remains constant.

Information About Static and Default Routes

To route traffic to a nonconnected host or network, you must define a static route to the host or network or, at a minimum, a default route for any networks to which the ASA 1000V is not directly connected; for example, when there is a router between a network and the ASA 1000V.

Without a static or default route defined, traffic to nonconnected hosts or networks generates the following syslog message:

%ASA-6-110001: No route to dest_address from source_address

The simplest option is to configure a default route to send all traffic to an upstream router, relying on the router to route the traffic for you. However, in some cases the default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the ASA 1000V.

How Routing Behaves Within the ASA 1000V

The ASA 1000V uses both the routing table and the XLATE table for routing decisions. To handle traffic whose destination IP address is translated (that is, traffic that arrives carrying the untranslated address), the ASA 1000V searches for an existing XLATE or a static translation to select the egress interface.

This section includes the following topics:

Egress Interface Selection Process

Next Hop Selection Process

Egress Interface Selection Process

The selection process follows these steps:

1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, but not from the routing table.

2. If a destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.

3. If a destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The ASA 1000V processes this packet by looking up the route to select the egress interface, then source IP translation is performed (if necessary).

For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then the XLATE is created. Incoming return packets are forwarded using an existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using existing XLATE or static translation rules.

Next Hop Selection Process

After the egress interface has been selected using any of the methods described previously, an additional route lookup is performed to find a suitable next hop (or next hops) that belongs to the selected egress interface. If there are no routes in the routing table that explicitly belong to the selected interface, the packet is dropped and level 6 syslog message 110001 (no route to host) is generated, even if there is another route to the destination network that belongs to a different egress interface. If a route that belongs to the selected egress interface is found, the packet is forwarded to the corresponding next hop.

Load sharing on the ASA 1000V is possible only for multiple next hops available using a single egress interface. Load sharing cannot share multiple egress interfaces.

When there are no route flaps on the ASA 1000V itself, but some routing process is flapping around it, then destination translated traffic is still forwarded using the old XLATE, not via the route table, until the XLATE times out. It may be either forwarded to the wrong interface or dropped with a level 6 syslog message 110001 generated (no route to host), if the old route was removed from the old interface and attached to another one by the routing process.

This issue has a high probability in some security traffic configurations, where virtually any traffic may be either source-translated or destination-translated, depending on the direction of the initial packet in the flow. When this issue occurs after a route flap, it can be resolved manually by using the clear xlate command, or automatically resolved by an XLATE timeout. The XLATE timeout may be decreased if necessary. To ensure that this issue rarely occurs, make sure that there are no route flaps on the ASA 1000V and around it. That is, ensure that destination-translated packets that belong to the same flow are always forwarded the same way through the ASA 1000V.

Information About the Routing Table

This section includes the following topics:

Displaying the Routing Table

How Forwarding Decisions Are Made

Displaying the Routing Table

To show all routes in ASDM that are in the routing table, choose Monitoring > Routing > Routes. In this pane, each row represents one route.

How Forwarding Decisions Are Made

Forwarding decisions are made according to the following guidelines:

If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.

If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.

If the destination matches more than one entry in the routing table, and the entries all have the same network prefix length, the packets for that destination are distributed among the interfaces associated with that route.

If the destination matches more than one entry in the routing table, and the entries have different network prefix lengths, then the packet is forwarded out of the interface associated with the route that has the longer network prefix length.

For example, a packet destined for 192.168.32.1 arrives on an Ethernet interface of an ASA 1000V with the following routes in the routing table:

hostname# show route
         ....
         R   192.168.32.0/24 [120/4] via 10.1.1.2
         O   192.168.32.0/19 [110/229840] via 10.1.1.3
         ....

In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but 192.168.32.0/24 has the longest prefix within the routing table (24 bits compared to 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.
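The forwarding guidelines above (longest prefix first, distribution among equal-prefix routes, the default route as fallback, otherwise a drop logged as 110001), modelled as an added Python example that is not part of this guide or of the ASA software. The routing table extends the show route output with three equal-cost default routes on one interface; the interface name, flow addresses and the use of SHA-256 as the source/destination hash (the guide only says the addresses are hashed) are constructed assumptions.

```python
import hashlib
import ipaddress
from collections import namedtuple

# A routing-table entry: destination prefix, next-hop gateway, egress interface.
Route = namedtuple("Route", "prefix next_hop interface")

# Constructed table modelled on the "show route" output above, plus three
# equal-cost default routes on a single interface (the per-device limit).
ROUTES = [
    Route(ipaddress.ip_network("192.168.32.0/24"), "10.1.1.2", "outside"),
    Route(ipaddress.ip_network("192.168.32.0/19"), "10.1.1.3", "outside"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.1.1.254", "outside"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.1.1.253", "outside"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.1.1.252", "outside"),
]


def candidate_routes(routes, dst):
    """Return every route sharing the longest prefix that contains dst.

    0.0.0.0/0 matches everything, so a default route is only chosen when
    no more specific entry exists (prefix length 0 never beats 19 or 24).
    """
    dst = ipaddress.ip_address(dst)
    matching = [r for r in routes if dst in r.prefix]
    if not matching:
        return []
    best = max(r.prefix.prefixlen for r in matching)
    return [r for r in matching if r.prefix.prefixlen == best]


def ecmp_pick(candidates, src, dst):
    """Distribute flows among equal-cost routes by hashing source and destination.

    Hashing the address pair keeps every packet of one flow on the same gateway,
    which is what the guide describes; the traffic split is not necessarily even.
    SHA-256 is an assumption standing in for the ASA's unspecified hash.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(candidates)
    # Sort so the choice does not depend on the table's insertion order.
    return sorted(candidates, key=lambda r: r.next_hop)[idx]


def forward(routes, src, dst):
    """Return (chosen_route, None) or (None, syslog_text) when the packet is dropped."""
    cands = candidate_routes(routes, dst)
    if not cands:
        # No entry and no default route: the packet is discarded and logged.
        return None, f"%ASA-6-110001: No route to {dst} from {src}"
    if len(cands) == 1:
        return cands[0], None
    return ecmp_pick(cands, src, dst), None


if __name__ == "__main__":
    for dst in ("192.168.32.1", "192.168.40.1", "8.8.8.8"):
        route, msg = forward(ROUTES, "10.0.0.5", dst)
        print(dst, "->", route.next_hop if route else msg)
```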

Configuring Static and Default Routes

This section explains how to configure a static route and a static default route and includes the following topics:

Configuring a Default Static Route

Configuring a Static Route

Configuring a Default Static Route

A default route identifies the gateway IP address to which the ASA 1000V sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.


Note If you have two default routes configured on different interfaces that have different metrics, the connection to the ASA 1000V that is made from the higher metric interface fails, but connections to the ASA 1000V from the lower metric interface succeed as expected.


You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.

If you try to define more than three equal cost default routes or a default route with a different interface than a previously defined default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes." 

You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA 1000V that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes.

Restrictions

The following restrictions apply to default routes with the tunneled option:

Do not enable unicast RPF (ip verify reverse-path command) on the egress interface of a tunneled route, because this setting causes the session to fail.

Do not enable TCP intercept on the egress interface of the tunneled route, because this setting causes the session to fail.

Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the DNS inspect engine, or the DCE RPC inspection engine with tunneled routes, because these inspection engines ignore the tunneled route.

You cannot define more than one default route with the tunneled option.

ECMP routing for tunneled traffic is not supported.

Detailed Steps

To add or edit a tunneled default static route in ASDM, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Static Routes.

Step 2 Click Add or Edit.

Step 3 In the Options area, choose Tunneled.

Step 4 Click OK.


Configuring a Static Route

Static routing algorithms are basically table mappings established by the network administrator before the beginning of routing. These mappings do not change unless the network administrator alters them. Algorithms that use static routes are simple to design and work well in environments where network traffic is relatively predictable and where network design is relatively simple. Because the mappings are fixed, static routing systems cannot react to network changes.

Static routes remain in the routing table even if the specified gateway becomes unavailable. If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the specified interface goes down, and are reinstated when the interface comes back up.


Note If you create a static route with an administrative distance greater than the administrative distance of the routing protocol running on the ASA 1000V, then a route to the specified destination discovered by the routing protocol takes precedence over the static route. The static route is used only if the dynamically discovered route is removed from the routing table.


You can define up to three equal cost routes to the same destination per interface. Equal-cost multi-path (ECMP) routing is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.

To configure a static route, choose one of the following:

Adding or Editing a Static Route

Configuring Static Route Tracking

Deleting Static Routes

Adding or Editing a Static Route

To add or edit a static route in ASDM, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Static Routes.

Step 2 Click Add or Edit.

The Add or Edit Static Route dialog box appears.

Step 3 From the Interface drop-down list, choose the name of the enabled internal or external Ethernet interface for the route:

management (internal interface)

outside (external interface)

Step 4 In the IP Address field, type an internal or external network IP address for the destination network.

Enter 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0. Optionally, click the ellipsis to browse for an address.

Step 5 In the Gateway IP field, enter the IP address of the gateway router, which is the next hop address for this route.

To enter a default route, set the IP address and mask to 0.0.0.0, or the shortened form of 0.

Optionally, click the ellipsis to browse for an address.


Note If an IP address from one ASA 1000V interface is used as the gateway IP address, the ASA 1000V will ARP the designated IP address in the packet instead of ARPing the gateway IP address.


The addresses you specify for the static route are the addresses that are in the packet before entering the ASA 1000V and performing NAT.

Step 6 Choose the netmask from the drop-down list for the destination network. Enter 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Step 7 In the Metric field, type the metric, or administrative distance.

The metric or distance is the administrative distance for the route. The default is 1 if you do not specify a value. Administrative distance is a parameter that is used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols, but not over directly connected routes.

The default administrative distance for routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the static routes take precedence. Connected routes always take precedence over static or dynamically discovered routes.

Step 8 (Optional) In the Options area, choose one of the following options for a static route:

None to have no options specified for the static route. This setting is the default.

Tunneled to specify the route as the default tunnel gateway for VPN traffic. This setting is used for the default route only. You can configure only one tunneled route per device.

Tracked to specify that the route is tracked. The tracking object ID and the address of the tracking target also appear. Specify the following settings for the tracked option:

In the Track ID field, enter a unique identifier for the route tracking process.

In the Track IP Address/DNS Name field, enter the IP address or hostname of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available from that interface.

In the SLA ID field, enter a unique identifier for the SLA monitoring process.

Step 9 (Optional) Click Monitoring Options.

The Route Monitoring Options dialog box appears. From here, you can change the following tracking object monitoring properties:

Frequency, which allows you to modify how often, in seconds, the ASA 1000V should test for the presence of the tracking target. Valid values range from 1 to 604800 seconds. The default value is 60 seconds.

Threshold, which allows you to enter the amount of time, in milliseconds, that indicates an over-threshold event. This value cannot be more than the timeout value.

Timeout, which allows you to modify the amount of time, in milliseconds, that the route monitoring operation should wait for a response from the request packets. Valid values range from 0 to 604800000 milliseconds. The default value is 5000 milliseconds.

Data Size, which allows you to modify the size of data payload to use in the echo request packets. The default value is 28. Valid values range from 0 to 16384.


Note This setting specifies the size of the payload only; it does not specify the size of the entire packet.


ToS, which allows you to choose a value for the type of service byte in the IP header of the echo request. Valid values are from 0 to 255. The default value is 0.

Number of Packets, which allows you to choose the number of echo requests to send for each test. Valid values range from 1 to 100. The default value is 1.

Step 10 Click OK.

Step 11 Click Apply to save the configuration.

The added or edited route information appears in the Static Routes pane. The monitoring process begins after you save the newly configured route.


Configuring Static Route Tracking

To configure tracking for a static route, perform the following steps:


Note Static route tracking is available for IPv4 routes only.



Step 1 Choose a target of interest. Make sure that the target responds to echo requests.

Step 2 Open the Static Routes pane by choosing Configuration > Device Setup > Routing > Static Routes.

Step 3 Click Add to configure a static route that is to be used based on the availability of your selected target of interest. You must enter the Ethernet Interface, IP Address, Mask, Gateway, and Metric settings for this route.

Step 4 Click the Tracked radio button in the Options area for this route.

Step 5 Configure the tracking properties. You must enter a unique Track ID, a unique SLA ID, and the IP address of your target of interest.

Step 6 (Optional) To configure the monitoring properties, click Monitoring Options in the Add Static Route dialog box.

Step 7 Click OK to save your changes.

The monitoring process begins after you save the tracked route.

Step 8 Create a secondary route by repeating Steps 1 through 7.

The secondary route is a static route to the same destination as the tracked route, but through a different Ethernet interface or gateway. You must assign this route a higher administrative distance (metric) than your tracked route.

Step 9 Click OK to save your changes.


Deleting Static Routes

To delete a static route, perform the following steps:


Step 1 Choose Configuration > Device Setup > Routing > Static Routes.

Step 2 On the Static Routes pane, choose which route to delete.

Step 3 Click Delete.

The deleted route is removed from the list of routes in the main Static Routes pane.

Step 4 Click Apply to save the changes to your configuration.


Disabling Proxy ARPs

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is used when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The ASA 1000V uses proxy ARP when you configure NAT and specify a mapped address that is on the same network as the ASA 1000V Ethernet interface. The only way traffic can reach the hosts is if the ASA 1000V uses proxy ARP to claim that its own MAC address is assigned to the destination mapped addresses.

Under rare circumstances, you might want to disable proxy ARP for NAT addresses.

If you have an IPsec site-to-site client address pool that overlaps with an existing network, the ASA 1000V by default sends proxy ARPs on all interfaces. If you have another interface that is on the same Layer 2 domain, it will see the ARP requests and will answer with the MAC address of its interface. The result of this is that the return traffic of the IPsec site-to-site clients towards the internal hosts will go to the wrong interface and will get dropped. In this case, you need to disable proxy ARPs for the interface on which you do not want them.

To disable proxy ARPs, perform the following steps:


Step 1 Choose Configuration > Device Setup > Routing > Proxy ARPs.

The Interface field lists the interface names. The Proxy ARP Enabled field shows whether proxy ARP is enabled (Yes) or disabled (No) for NAT global addresses.

Step 2 To enable proxy ARP for the selected interface, click Enable. By default, proxy ARP is enabled for all interfaces.

Step 3 To disable proxy ARP for the selected interface, click Disable.

Step 4 Click Apply to save your settings to the running configuration.


Monitoring a Static or Default Route

One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static routes are only removed from the routing table if the associated Ethernet interface on the ASA 1000V goes down.

The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. For example, you can define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.

The ASA 1000V implements this feature by associating a static route with a monitoring target that you define, and monitors the target using ICMP echo requests. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route.

When selecting a monitoring target, you need to make sure that it can respond to ICMP echo requests. The target can be any network object that you choose, but you should consider using the following:

The ISP gateway (for dual ISP support) address

The next hop gateway address (if you are concerned about the availability of the gateway)

A server on the target network, such as a AAA server, that the ASA 1000V needs to communicate with

A persistent network object on the destination network


Note A desktop or notebook computer that may be shut down at night is not a good choice.


You can configure static route tracking for statically defined routes or default routes obtained through DHCP.
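The tracking mechanism described in this section, together with the Route Monitoring Options (Frequency, Threshold, Timeout, Number of Packets) from the Adding or Editing a Static Route procedure, as an added Python model that is not part of this guide or of the ASA software. The dual-ISP default routes, gateway addresses, metrics and echo round-trip times are constructed; the model treats a reply that arrives after the timeout as no reply, and counts replies slower than the threshold as over-threshold events without taking the route down.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TrackedRoute:
    """A static route; track_id is None for an untracked route such as the backup."""
    prefix: str
    gateway: str
    interface: str
    metric: int                     # administrative distance (the ASDM "Metric" field)
    track_id: Optional[int] = None


@dataclass
class SlaMonitor:
    """One tracking object, mirroring the ASDM Route Monitoring Options."""
    track_id: int
    target: str
    frequency: int = 60             # seconds between tests (not simulated here)
    threshold_ms: int = 5000        # reply slower than this is an over-threshold event
    timeout_ms: int = 5000          # no reply within this means the target is down
    num_packets: int = 1            # echo requests per test
    reachable: bool = True
    over_threshold_events: int = 0

    def __post_init__(self):
        # The guide states the threshold cannot exceed the timeout.
        if self.threshold_ms > self.timeout_ms:
            raise ValueError("Threshold cannot be more than the timeout value")

    def test(self, rtts_ms: List[Optional[float]]) -> bool:
        """Evaluate one test: each entry is an echo RTT in ms, or None for no reply."""
        if len(rtts_ms) != self.num_packets:
            raise ValueError("expected one RTT entry per echo request")
        replies = [rtt for rtt in rtts_ms if rtt is not None and rtt <= self.timeout_ms]
        self.over_threshold_events += sum(1 for rtt in replies if rtt > self.threshold_ms)
        self.reachable = bool(replies)   # any reply within the timeout keeps the target up
        return self.reachable


def installed_routes(routes, monitors):
    """Routes present in the routing table: untracked ones, or tracked ones whose target is up."""
    state = {m.track_id: m.reachable for m in monitors}
    return [r for r in routes if r.track_id is None or state.get(r.track_id, False)]


def best_route(routes, monitors, prefix="0.0.0.0/0"):
    """Lowest administrative distance among installed routes to prefix, or None."""
    cands = [r for r in installed_routes(routes, monitors) if r.prefix == prefix]
    return min(cands, key=lambda r: r.metric) if cands else None


# Constructed dual-ISP scenario: tracked primary default route and a backup
# default route with a higher administrative distance, as the section describes.
PRIMARY = TrackedRoute("0.0.0.0/0", "10.1.1.1", "outside", metric=1, track_id=1)
BACKUP = TrackedRoute("0.0.0.0/0", "10.2.1.1", "outside", metric=254)
ROUTES = [PRIMARY, BACKUP]
MONITOR = SlaMonitor(track_id=1, target="10.1.1.1", frequency=10,
                     threshold_ms=1000, timeout_ms=3000, num_packets=3)


def failover_demo():
    """Return the active default gateway before, during and after a target outage."""
    monitors = [MONITOR]
    MONITOR.test([20.0, 35.0, 1200.0])      # replies arrive; one exceeds the threshold
    before = best_route(ROUTES, monitors).gateway
    MONITOR.test([None, None, 3500.0])      # nothing within the timeout: target is down
    during = best_route(ROUTES, monitors).gateway
    MONITOR.test([25.0, 30.0, 28.0])        # target answers again: primary reinstated
    after = best_route(ROUTES, monitors).gateway
    return before, during, after


if __name__ == "__main__":
    print(failover_demo())
```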

To monitor the state of a route in ASDM, in the main ASDM window, perform the following steps:


Step 1 Choose Monitoring > Routing > Routes.

In the Routes pane, each row represents one route. The routing information includes the protocol, the route type, the destination IP address, the netmask or prefix length, the gateway IP address, the interface through which the route is connected, and the administrative distance.

Step 2 To update the current list, click Refresh.


Configuration Examples for Static or Default Routes

The following example shows how to create a static route that sends all traffic destined for 10.1.1.0/24 to the router 10.1.2.45, which is connected to the inside interface, defines three equal cost static routes that direct traffic to three different gateways on the outside interface, and adds a default route for tunneled traffic. The ASA 1000V then distributes the traffic among the specified gateways:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Static Routes.

Step 2 Choose Management from the Interfaces drop-down list.

Step 3 Enter 10.1.1.0 in the IP Address field.

Step 4 Choose 255.255.255.0 from the Mask drop-down list.

Step 5 Enter 10.1.2.45 in the Gateway IP field.

A static route is created that sends all traffic destined for 10.1.1.0/24 to the router 10.1.2.45, which is connected to the inside interface.

Step 6 Click OK.

Step 7 Choose Configuration > Device Setup > Routing > Static Routes.

Step 8 Click Add.

Step 9 Enter the IP Address in the IP Address field for the destination network.

In this case, the route IP addresses are: 192.168.2.1, 192.168.2.2, 192.168.2.3, and 192.168.2.4. When adding 192.168.2.4, click the Tunneled radio button in the Options area.

Step 10 Enter the Gateway IP Address in the Gateway IP Address field for the address of the next hop router.

The addresses you specify for the static route are the addresses that are in the packet before entering the ASA 1000V and performing NAT.

Step 11 Choose the netmask for the destination network from the NetMask drop-down list.

Step 12 Click OK.