route [intf] [network] [mask] [gateway]
Configures a static route on the Cisco ASA Firewall to define the next-hop gateway for a destination network.
Overview
The 'route' command on Cisco ASA Firewall is used to configure static routes, which are manually entered into the routing table. Static routes are essential for directing traffic to networks not directly connected to the ASA. Unlike dynamic routing protocols, static routes do not change unless manually updated, making them predictable and secure. Static routes are commonly used for default routes to the internet, directing traffic to specific internal subnets, or routing traffic over VPN tunnels.
The command syntax requires the interface name, destination network, netmask, and next-hop gateway. Optionally, a metric can be specified to create floating static routes for redundancy. On the ASA, static routes have an administrative distance of 1 by default, but the metric field adjusts the distance (e.g., metric 200 sets AD to 200). The ASA supports both IPv4 and IPv6 static routes. This command is typically used in global configuration mode. It is important to note that the ASA does not support the 'ip route' command found on Cisco IOS routers; instead, the 'route' command is used.
In troubleshooting, verifying static routes with 'show route' helps identify missing or misconfigured routes that could cause connectivity issues. The ASA also supports route tracking with the 'sla monitor' feature to dynamically remove static routes if the next-hop becomes unreachable.
route [interface_name] [destination_network] [netmask] [gateway_ip] [metric] [tunneled]
When to Use This Command
- Directing traffic from an inside network to an external network through a specific next-hop router.
- Configuring a default route (0.0.0.0 0.0.0.0) to send all non-local traffic to the internet gateway.
- Adding a static route for a specific subnet to reach a remote site over a VPN tunnel.
- Creating a floating static route with a higher metric for backup connectivity.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| interface_name | interface_name | The name of the interface through which the destination network is reachable. Must match a configured interface name (e.g., inside, outside, dmz). |
| destination_network | network_address | The IP address of the destination network. Use 0.0.0.0 for the default route. |
| netmask | subnet_mask | The subnet mask for the destination network in dotted decimal format (e.g., 255.255.255.0). Use 0.0.0.0 for the default route. |
| gateway_ip | next_hop_address | The IP address of the next-hop router that can reach the destination network. Must be reachable from the specified interface. |
| metric | administrative_distance | Optional administrative distance value (1-254). Default is 1. Higher values create floating static routes that are less preferred. |
| tunneled | tunneled | Optional keyword to specify that the route is for tunneled traffic (e.g., VPN). Used with certain features like VTI. |
Command Examples
Default Route to Internet Gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.1
No output is displayed upon successful configuration. Use 'show route' to verify.
Static Route for Internal Subnet
route inside 10.10.10.0 255.255.255.0 192.168.1.1
Adds a static route for the 10.10.10.0/24 network via gateway 192.168.1.1 on the inside interface.
Floating Static Route with Metric
route outside 0.0.0.0 0.0.0.0 198.51.100.1 200
Adds a default route with metric 200, making it a backup route if a lower-metric route exists.
Understanding the Output
The 'route' command itself does not produce output. To verify the configured routes, use 'show route' or 'show running-config | include route'. The 'show route' output displays the routing table with fields: codes (C=connected, S=static, O=OSPF, etc.), network, netmask, next-hop, interface, and metric. A healthy static route shows 'S' code with correct next-hop and interface. Problematic routes may show 'S' but with incorrect next-hop or interface, or be missing entirely. If a route is not appearing, check that the interface is up and the next-hop is reachable.
Configuration Scenarios
Default Route to Internet
An ASA with inside (192.168.1.0/24) and outside (203.0.113.0/24) interfaces. The outside gateway is 203.0.113.1.
Topology
Internet --- [203.0.113.1] --- ASA (outside) --- (inside) --- 192.168.1.0/24
Steps
- 1. Configure the outside interface with IP 203.0.113.2.
- 2. Add a default route via 203.0.113.1 on the outside interface.
interface gigabitethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
Verify: Use 'show route' to verify the default route (S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside).
Watch out: Ensure the outside interface is named 'outside' and the gateway is reachable; otherwise, the route will not be installed.
Static Route for Remote Subnet via VPN
An ASA with a site-to-site VPN to a remote office (10.10.10.0/24). The VPN peer is 198.51.100.1.
Topology
Remote Office (10.10.10.0/24) --- VPN --- ASA (outside) --- Inside (192.168.1.0/24)
Steps
- 1. Configure the VPN tunnel (not shown).
- 2. Add a static route for the remote subnet via the VPN peer IP.
route outside 10.10.10.0 255.255.255.0 198.51.100.1
Verify: Ping from inside host to 10.10.10.1; use 'show route' to confirm the route.
Watch out: The next-hop must be the VPN peer IP, not the local interface. Ensure the VPN tunnel is up.
Troubleshooting with This Command
When troubleshooting static routes on the ASA, start with 'show route' to view the routing table. Look for the 'S' code indicating static routes. If a static route is missing, verify the command syntax and that the interface is up/up. Use 'ping' from the ASA to test reachability to the next-hop gateway. If the route is present but traffic is not flowing, check the ASA's routing decision with 'packet-tracer'. For example, 'packet-tracer input inside tcp 192.168.1.100 12345 10.10.10.1 80' will show the routing lookup and any drops. Common issues include incorrect netmask, wrong interface, or the next-hop being unreachable. The ASA also supports 'show route static' to display only static routes. If using floating static routes, ensure the metric is higher than the primary route's administrative distance. For route tracking, use 'sla monitor' to automatically remove the route if the next-hop fails. Check 'show sla monitor' for tracking status. Additionally, verify that the ASA's routing table does not have a more specific route that overrides the static route. Use 'show running-config | include route' to review all configured static routes.
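The checks described above (incorrect netmask, a more specific route overriding a broader one, a floating default behind a primary) can be run offline against saved configuration. This is an added example, not part of the original page or any Cisco tooling; the sample route lines are constructed, and best_route is a simplified model (longest prefix, then lowest metric), not the ASA's full forwarding logic.

```python
import ipaddress

# Constructed sample in the style of 'show running-config route' (not from a real device).
SAMPLE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 200
route inside 10.10.0.0 255.255.0.0 192.168.1.1 1
route outside 10.10.10.0 255.255.255.0 198.51.100.1 1
route inside 10.20.30.0 255.255.0.255 192.168.1.1 1
route inside 10.30.1.5 255.255.255.0 192.168.1.1 1
"""

def mask_is_contiguous(mask):
    """True only for a real netmask: ones followed by zeros (rejects wildcard masks)."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def parse_routes(text):
    """Return (routes, problems) parsed from ASA IPv4 'route' lines."""
    routes, problems = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "route":
            continue
        intf, net, mask, gw = f[1:5]
        metric = int(f[5]) if len(f) > 5 and f[5].isdigit() else 1
        try:
            if not mask_is_contiguous(mask):
                raise ValueError(f"{mask} is not a contiguous netmask")
            prefix = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        except ValueError as exc:
            problems.append((line, str(exc)))
            continue
        routes.append({"intf": intf, "prefix": prefix, "gw": gw, "metric": metric})
    return routes, problems

def best_route(routes, dest):
    """Simplified lookup: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["prefix"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["prefix"].prefixlen, r["metric"]))

if __name__ == "__main__":
    routes, problems = parse_routes(SAMPLE)
    print("rejected:", problems)
    for dest in ("10.10.10.1", "10.10.20.1", "192.0.2.10"):
        print(dest, "->", best_route(routes, dest))
```

In the sample, 10.10.10.1 leaves via outside because the /24 is more specific than the /16 on inside, which is the kind of override that 'packet-tracer' would confirm on the device.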
CCNA Exam Tips
- Remember that the ASA uses the 'route' command, not 'ip route' like IOS.
- Static routes on the ASA have an administrative distance of 1 by default; the metric can be used for floating static routes.
- For default routes, use 0.0.0.0 0.0.0.0; the ASA does not support the 'ip route 0.0.0.0 0.0.0.0' syntax.
Common Mistakes
- Using 'ip route' instead of 'route' – the ASA uses the 'route' command.
- Forgetting to specify the interface name – the ASA requires an interface parameter.
- Using an incorrect netmask format – it must be in dotted decimal (e.g., 255.255.255.0).
Platform Notes
On Cisco ASA, the 'route' command differs from Cisco IOS's 'ip route' command. The ASA requires the interface name as the first parameter, whereas IOS does not. Additionally, the ASA uses the term 'metric' for administrative distance, while IOS uses 'distance'. The ASA does not support 'ip route' syntax; using it will result in an error. For IPv6, the ASA uses the 'ipv6 route' command. On other platforms like Cisco IOS-XE, static routes are configured with 'ip route' and can be redistributed into dynamic protocols. The ASA also supports 'route' commands for management-only routes. In ASA version 9.x and later, the command syntax remains consistent. For multi-context mode, static routes are configured per context. The ASA also supports 'route' with the 'tunneled' keyword for VTI-based VPNs. When migrating from IOS to ASA, remember to adjust the command syntax accordingly.