Routing · Global Config

route [intf] [network] [mask] [gateway]

Configures a static route on the Cisco ASA Firewall to define the next-hop gateway for a destination network.

Overview

The 'route' command on Cisco ASA Firewall is used to configure static routes, which are manually entered into the routing table. Static routes are essential for directing traffic to networks not directly connected to the ASA. Unlike dynamic routing protocols, static routes do not change unless manually updated, making them predictable and secure. The command syntax requires the interface name, destination network, netmask, and next-hop gateway. Optionally, a metric can be specified to create floating static routes for redundancy. On the ASA, static routes have an administrative distance of 1 by default, but the metric field adjusts the distance (e.g., metric 200 sets AD to 200). The ASA supports both IPv4 and IPv6 static routes. This command is typically used in global configuration mode. It is important to note that the ASA does not support the 'ip route' command found on Cisco IOS routers; instead, the 'route' command is used. Static routes are commonly used for default routes to the internet, directing traffic to specific internal subnets, or routing traffic over VPN tunnels. In troubleshooting, verifying static routes with 'show route' helps identify missing or misconfigured routes that could cause connectivity issues. The ASA also supports route tracking with the 'sla monitor' feature to dynamically remove static routes if the next-hop becomes unreachable.

Syntax·Global Config
route [interface_name] [destination_network] [netmask] [gateway_ip] [metric] [tunneled]

When to Use This Command

  • Directing traffic from an inside network to an external network through a specific next-hop router.
  • Configuring a default route (0.0.0.0 0.0.0.0) to send all non-local traffic to the internet gateway.
  • Adding a static route for a specific subnet to reach a remote site over a VPN tunnel.
  • Creating a floating static route with a higher metric for backup connectivity.

Parameters

Parameter | Syntax | Description
interface_name | interface_name | The name of the interface through which the destination network is reachable. Must match a configured interface name (e.g., inside, outside, dmz).
destination_network | network_address | The IP address of the destination network. Use 0.0.0.0 for the default route.
netmask | subnet_mask | The subnet mask for the destination network in dotted decimal format (e.g., 255.255.255.0). Use 0.0.0.0 for the default route.
gateway_ip | next_hop_address | The IP address of the next-hop router that can reach the destination network. Must be reachable from the specified interface.
metric | administrative_distance | Optional administrative distance value (1-254). Default is 1. Higher values create floating static routes that are less preferred.
tunneled | tunneled | Optional keyword to specify that the route is for tunneled traffic (e.g., VPN). Used with certain features like VTI.

Command Examples

Default Route to Internet Gateway

route outside 0.0.0.0 0.0.0.0 203.0.113.1

No output is displayed upon successful configuration. Use 'show route' to verify.

Static Route for Internal Subnet

route inside 10.10.10.0 255.255.255.0 192.168.1.1

Adds a static route for the 10.10.10.0/24 network via gateway 192.168.1.1 on the inside interface.

Floating Static Route with Metric

route outside 0.0.0.0 0.0.0.0 198.51.100.1 200

Adds a default route with metric 200, making it a backup route if a lower-metric route exists.

Understanding the Output

The 'route' command itself does not produce output. To verify the configured routes, use 'show route' or 'show running-config | include route'. The 'show route' output displays the routing table with fields: codes (C=connected, S=static, O=OSPF, etc.), network, netmask, next-hop, interface, and metric. A healthy static route shows 'S' code with correct next-hop and interface. Problematic routes may show 'S' but with incorrect next-hop or interface, or be missing entirely. If a route is not appearing, check that the interface is up and the next-hop is reachable.

Configuration Scenarios

Default Route to Internet

An ASA with inside (192.168.1.0/24) and outside (203.0.113.0/24) interfaces. The outside gateway is 203.0.113.1.

Topology

Internet --- [203.0.113.1] --- ASA (outside) --- (inside) --- 192.168.1.0/24

Steps

  1. Configure the outside interface with IP 203.0.113.2.
  2. Add a default route via 203.0.113.1 on the outside interface.

Configuration
interface gigabitethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1

Verify: Use 'show route' to verify the default route (S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside).

Watch out: Ensure the outside interface is named 'outside' and the gateway is reachable; otherwise, the route will not be installed.

Static Route for Remote Subnet via VPN

An ASA with a site-to-site VPN to a remote office (10.10.10.0/24). The VPN peer is 198.51.100.1.

Topology

Remote Office (10.10.10.0/24) --- VPN --- ASA (outside) --- Inside (192.168.1.0/24)

Steps

  1. Configure the VPN tunnel (not shown).
  2. Add a static route for the remote subnet via the VPN peer IP.

Configuration
route outside 10.10.10.0 255.255.255.0 198.51.100.1

Verify: Ping from inside host to 10.10.10.1; use 'show route' to confirm the route.

Watch out: The next-hop must be the VPN peer IP, not the local interface. Ensure the VPN tunnel is up.

Troubleshooting with This Command

When troubleshooting static routes on the ASA, start with 'show route' to view the routing table. Look for the 'S' code indicating static routes. If a static route is missing, verify the command syntax and that the interface is up/up. Use 'ping' from the ASA to test reachability to the next-hop gateway. If the route is present but traffic is not flowing, check the ASA's routing decision with 'packet-tracer'. For example, 'packet-tracer input inside tcp 192.168.1.100 12345 10.10.10.1 80' will show the routing lookup and any drops. Common issues include incorrect netmask, wrong interface, or the next-hop being unreachable. The ASA also supports 'show route static' to display only static routes. If using floating static routes, ensure the metric is higher than the primary route's administrative distance. For route tracking, use 'sla monitor' to automatically remove the route if the next-hop fails. Check 'show sla monitor' for tracking status. Additionally, verify that the ASA's routing table does not have a more specific route that overrides the static route. Use 'show running-config | include route' to review all configured static routes.

CCNA Exam Tips

  1. Remember that the ASA uses 'route' command, not 'ip route' like IOS.
  2. Static routes on ASA have an administrative distance of 1 by default; metric can be used for floating static routes.
  3. For default routes, use 0.0.0.0 0.0.0.0; the ASA does not support 'ip route 0.0.0.0 0.0.0.0' syntax.

Common Mistakes

Using 'ip route' instead of 'route' – ASA uses 'route' command.

Forgetting to specify the interface name – the ASA requires an interface parameter.

Using incorrect netmask format – must be in dotted decimal (e.g., 255.255.255.0).
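
An added example (not part of the original page and not Cisco tooling): a small Python check that reads 'route' lines from a saved configuration and reports the three mistakes listed above, along with non-contiguous masks, host bits left in the destination, and out-of-range metrics. The function names and the sample configuration are constructed for illustration; it handles IPv4 'route' lines only and takes the 1-254 metric range from the parameter table on this page.

```python
import ipaddress

# Constructed sample: the page's three example routes plus its three common mistakes.
SAMPLE = """route outside 0.0.0.0 0.0.0.0 203.0.113.1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 200
route inside 10.10.10.0 255.255.255.0 192.168.1.1
ip route 10.20.0.0 255.255.0.0 192.168.1.1
route 10.30.0.0 255.255.0.0 192.168.1.1
route inside 10.40.0.0 /16 192.168.1.1"""

def _ip(text):  # IPv4Address, or None if text is not a dotted-decimal address
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None

def parse_route(line):
    """Parse one IPv4 ASA 'route' line; raise ValueError naming the mistake."""
    tok = line.split()
    if tok[:2] == ["ip", "route"]:
        raise ValueError("IOS 'ip route' syntax; the ASA uses 'route'")
    args = tok[1:-1] if tok[-1:] == ["tunneled"] else tok[1:]
    if args and _ip(args[0]) is not None:
        raise ValueError("interface name missing")
    if len(args) not in (4, 5):
        raise ValueError("expected interface, network, netmask, gateway [metric]")
    net, mask, gw = (_ip(a) for a in args[1:4])
    if None in (net, mask, gw):
        raise ValueError("network, netmask and gateway must be dotted decimal")
    host_bits = ~int(mask) & 0xFFFFFFFF  # must be one trailing run of 1 bits
    if host_bits & (host_bits + 1) or int(net) & host_bits:
        raise ValueError("netmask not contiguous or destination has host bits set")
    metric = args[4] if len(args) == 5 else "1"
    if not metric.isdigit() or not 1 <= int(metric) <= 254:  # range from the page's table
        raise ValueError("metric must be 1-254")
    return {"interface": args[0], "dest": f"{net}/{bin(int(mask)).count('1')}",
            "gateway": str(gw), "metric": int(metric), "tunneled": tok[-1:] == ["tunneled"]}

def audit(config_text):
    """Return (routes, problems); 'floating' marks a route with a lower-metric sibling."""
    routes, problems = [], []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.split()[:1] == ["route"] or line.split()[:2] == ["ip", "route"]:
            try:
                routes.append(parse_route(line))
            except ValueError as err:
                problems.append((n, str(err)))
    for r in routes:
        r["floating"] = any(o["dest"] == r["dest"] and o["metric"] < r["metric"] for o in routes)
    return routes, problems
```

Calling audit(SAMPLE) returns the three valid routes, with the metric-200 default marked as floating, and a (line number, reason) pair for each of the three malformed lines.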

Platform Notes

On Cisco ASA, the 'route' command differs from Cisco IOS's 'ip route' command. The ASA requires the interface name as the first parameter, whereas IOS does not. Additionally, the ASA uses the term 'metric' for administrative distance, while IOS uses 'distance'. The ASA does not support 'ip route' syntax; using it will result in an error. For IPv6, the ASA uses 'ipv6 route' command. On other platforms like Cisco IOS-XE, static routes are configured with 'ip route' and can be redistributed into dynamic protocols. The ASA also supports 'route' commands for management-only routes. In ASA version 9.x and later, the command syntax remains consistent. For multi-context mode, static routes are configured per context. The ASA also supports 'route' with the 'tunneled' keyword for VTI-based VPNs. When migrating from IOS to ASA, remember to adjust the command syntax accordingly.
