Cisco ASA 5505 Configuration Manual page 371

Chapter 19
Configuring Static and Default Routes
Configuring a Default Static Route
A default route identifies the gateway IP address to which the adaptive security appliance sends all IP
packets for which it does not have a learned or static route. A default static route is simply a static route
with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence
over the default route.
Note: In ASA software Versions 7.0 and later, if you have two default routes configured on different
interfaces that have different metrics, the connection to the ASA firewall that is made from the higher
metric interface fails, but connections to the ASA firewall from the lower metric interface succeed as
expected.
You can define up to three equal cost default route entries per device. Defining more than one equal cost
default route entry causes the traffic sent to the default route to be distributed among the specified
gateways. When defining more than one default route, you must specify the same interface for each
entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default
route with a different interface than a previously defined default route, you receive the following
message:
"ERROR: Cannot add route entry, possible conflict with existing routes."
You can define a separate default route for tunneled traffic along with the standard default route. When
you create a default route with the tunneled option, all traffic from a tunnel terminating on the adaptive
security appliance that cannot be routed using learned or static routes is sent to this route. For traffic
emerging from a tunnel, this route overrides any other configured or learned default routes.
Limitations on Configuring a Default Static Route
The following restrictions apply to default routes with the tunneled option:
- You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is
  not supported.
- Do not enable unicast RPF (ip verify reverse-path) on the egress interface of the tunneled route.
  Enabling Unicast RPF on the egress interface of a tunneled route causes the session to fail.
- Do not enable TCP intercept on the egress interface of the tunneled route. Doing so causes the
  session to fail.
- Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the
  DNS inspect engine, or the DCE RPC inspection engine with tunneled routes. These inspection
  engines ignore the tunneled route.
To add or edit a tunneled default static route in ASDM, perform the following steps:
Step 1  On the main ASDM window, choose Configuration > Device Setup > Routing > Static Routes.
Step 2  Click Add or Edit.
Step 3  In the Options area, choose Tunneled.
Step 4  Click OK.
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01
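The default-route limits and tunneled-route restrictions described above can be checked against a saved configuration before it is applied. The following Python audit is an added example, not part of the Cisco guide; it assumes the CLI forms "route <if> <dest> <mask> <gateway> [metric] [tunneled]" and "ip verify reverse-path interface <if>", a default metric of 1, and a constructed sample configuration.

```python
import re
from collections import defaultdict

# Assumed CLI forms (the page itself only covers ASDM):
#   route <if> <dest> <mask> <gateway> [metric] [tunneled]
#   ip verify reverse-path interface <if>
ROUTE_RE = re.compile(
    r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?(\s+tunneled)?\s*$")
URPF_RE = re.compile(r"^ip verify reverse-path interface\s+(\S+)\s*$")
ANY = ("0", "0.0.0.0")  # both spellings of the default destination and mask

# Constructed sample configuration (documentation addresses, not from the page).
SAMPLE = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 0.0.0.0 0.0.0.0 192.0.2.2 1
route dmz 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
route inside 10.2.0.0 255.255.0.0 10.1.1.2 1
ip verify reverse-path interface inside
"""

def audit_default_routes(config):
    """Return a list of findings for the default-route limits described above."""
    standard = defaultdict(list)  # metric -> interfaces of standard default routes
    tunneled = []                 # interfaces of tunneled default routes
    urpf = set()                  # interfaces with unicast RPF enabled
    for line in map(str.strip, config.splitlines()):
        if m := URPF_RE.match(line):
            urpf.add(m.group(1))
        elif m := ROUTE_RE.match(line):
            iface, dest, mask, _gw, metric, tun = m.groups()
            if dest not in ANY or mask not in ANY:
                continue  # specific route, not a default route
            if tun:
                tunneled.append(iface)
            else:
                standard[int(metric or 1)].append(iface)  # assumed default metric 1
    findings = []
    for metric, ifaces in sorted(standard.items()):  # one group per equal cost set
        if len(ifaces) > 3:
            findings.append(f"metric {metric}: more than three equal cost default routes")
        if len(set(ifaces)) > 1:
            findings.append(f"metric {metric}: equal cost default routes span more than one interface")
    if len(tunneled) > 1:
        findings.append("more than one tunneled default route")
    for iface in sorted(set(tunneled) & urpf):
        findings.append(f"unicast RPF enabled on tunneled route egress interface {iface}")
    return findings
```

Calling audit_default_routes(SAMPLE) reports the equal cost routes split across outside and dmz, and unicast RPF on the tunneled route's egress interface. Route lines that carry other options are not matched by this pattern and are skipped.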
