show route
Displays the current IP routing table on the Cisco ASA Firewall, showing known routes and their metrics.
Overview
The 'show route' command is a fundamental troubleshooting and verification tool on Cisco ASA Firewalls. It displays the IP routing table, which contains all known routes to destination networks. The routing table is built from directly connected networks, static routes, and dynamic routing protocols such as OSPF, EIGRP, RIP, or BGP. Each route entry includes the destination network prefix, the next-hop IP address, the outgoing interface, and administrative distance/metric. Understanding the routing table is crucial for diagnosing connectivity issues, as traffic forwarding decisions are based on the longest prefix match among these routes. On ASA platforms, the routing table behaves similarly to Cisco IOS, but with some platform-specific nuances, such as the use of security contexts and the fact that the ASA does not support all routing protocols (e.g., EIGRP is not supported in some versions). The command is typically used in privileged EXEC mode and can be filtered by protocol or specific network to narrow down results. In troubleshooting workflows, 'show route' is often the first step after verifying interface status, to ensure the ASA knows how to reach destination networks. It helps identify missing routes, incorrect next-hops, or suboptimal routing due to administrative distance conflicts.
show route [connected | static | ospf | eigrp | rip | bgp | <network> [<mask>] | summary | protocol <protocol>]
When to Use This Command
- Verify that a specific route exists in the routing table after configuring static or dynamic routing.
- Troubleshoot connectivity issues by checking if the ASA has a route to a destination network.
- Confirm the next-hop IP address for traffic destined to a particular subnet.
- Check the administrative distance and metric of routes to determine which route is preferred.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| connected | show route connected | Displays only directly connected routes. Useful for verifying interface IP configurations. |
| static | show route static | Shows only static routes. Helps confirm manually configured routes are present. |
| ospf | show route ospf | Displays routes learned via OSPF. Useful for OSPF troubleshooting. |
| summary | show route summary | Provides a summary of the routing table, including route counts per protocol. |
| network mask | show route <network> <mask> | Shows detailed information for a specific route. Helpful for examining a particular prefix. |
Command Examples
Display all routes
show route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
C 10.0.0.0 255.255.255.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.2, inside
The output shows the routing table. 'S*' indicates a static default route via 10.0.0.1 on the outside interface. 'C' marks directly connected networks. The static route to 192.168.2.0/24 has an administrative distance of 1 and metric 0, pointing to next-hop 192.168.1.2.
Display routes for a specific network
show route 192.168.2.0 255.255.255.0
Routing entry for 192.168.2.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.1.2, via inside
Route metric is 0, traffic share count is 1
This shows detailed information for the specific route: it is a static route with AD 1, metric 0, next-hop 192.168.1.2 via the inside interface.
Understanding the Output
The 'show route' command output begins with a legend of route source codes (C, S, O, etc.) indicating how each route was learned. Each route entry includes the destination network and mask, followed by brackets containing administrative distance and metric (e.g., [1/0]). The next-hop IP address and outgoing interface are listed after 'via'. The 'Gateway of last resort' line shows the default route if present. A healthy routing table should have routes for all expected networks, with no missing or flapping routes. Problematic signs include missing routes, high metrics, or routes pointing to unreachable next-hops. The administrative distance helps determine route preference; lower values are preferred. For example, a static route (AD 1) is preferred over an OSPF route (AD 110) to the same destination.
Configuration Scenarios
Configuring a Static Default Route
An ASA needs internet access via an upstream router at 10.0.0.1 on the outside interface.
Topology
Internet --- [Outside: 10.0.0.2/24] ASA [Inside: 192.168.1.1/24] --- LAN
Steps
- 1. Configure the outside interface IP and nameif.
- 2. Add a static default route pointing to the upstream router.
- 3. Verify the route appears in the routing table.
! Configure interface
interface gigabitethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
 no shutdown
! Configure default route
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
Verify: Use 'show route' to confirm the default route (S* 0.0.0.0/0) is present with next-hop 10.0.0.1.
Watch out: Ensure the next-hop IP is reachable (directly connected); otherwise the route will not be installed.
Configuring OSPF on ASA
An ASA is part of an OSPF area 0 with a neighbor router at 10.0.1.1.
Topology
RouterA (10.0.1.1) --- [Outside: 10.0.1.2/24] ASA [Inside: 192.168.1.1/24]
Steps
- 1. Enable OSPF process and configure router ID.
- 2. Advertise the inside network.
- 3. Verify OSPF neighbor and routes.
! Enable OSPF
router ospf 1
 router-id 10.0.1.2
 network 10.0.1.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 0
! Verify
show ospf neighbor
show route ospf
Verify: Use 'show route ospf' to see OSPF-learned routes. Check that the inside network is advertised and routes from RouterA appear.
Watch out: OSPF on ASA requires the network to be configured under the OSPF process; also ensure interfaces are in the correct security zones.
Troubleshooting with This Command
When troubleshooting connectivity issues on a Cisco ASA, the 'show route' command is indispensable. Start by checking if the destination network appears in the routing table. If it is missing, verify that the route is configured (static) or that the dynamic routing protocol is functioning. For static routes, ensure the next-hop IP is reachable; if the next-hop is not directly connected, the route will not be installed. For dynamic routes, check the routing protocol neighbor adjacency (e.g., 'show ospf neighbor') and ensure the route is being advertised. If a route exists but traffic is not flowing, examine the administrative distance: if multiple routes to the same destination exist, the one with the lowest AD is used. Use 'show route <network>' to see detailed information, including the active next-hop. Also, verify that the outgoing interface is up/up. If the route points to an interface that is down, the route may be removed or inactive. Another common issue is the presence of a default route that is not pointing to the correct gateway. Use 'show route 0.0.0.0' to inspect the default route. Additionally, the ASA's routing table can be affected by features like policy-based routing (PBR) or route maps; check if any such policies are applied. Finally, use 'show route summary' to get an overview of route counts; a sudden drop in routes may indicate a routing protocol failure.
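The output format from 'Understanding the Output' and the first troubleshooting check above (does the ASA have a route to the destination, and out of which interface), as an added Python example that is not part of the original page. The function names and the expected-interface map are hypothetical; the sample table is the one from 'Display all routes', and the optional age field in the pattern is an assumption about dynamic-route lines.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed input: the route lines from the 'Display all routes' example on this page.
SAMPLE = """\
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
C 10.0.0.0 255.255.255.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.2, inside
"""

class Route(NamedTuple):
    code: str
    net: ipaddress.IPv4Network
    ad: int                      # administrative distance (0 for connected)
    metric: int
    next_hop: Optional[str]      # None for directly connected routes
    ifc: str

# code, network, mask, then "[AD/metric] via next-hop" or "is directly connected".
# Assumption: dynamic routes may carry an age field (e.g. 0:00:12) before the interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]+\*?(?: [A-Z][A-Z0-9])?)\s+(?P<net>[\d.]+) (?P<mask>[\d.]+) "
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[\d.]+)|is directly connected)"
    r"(?:, [\d:dhwm]+)?, (?P<ifc>\S+)$")

def parse_routes(text):
    """Parse route lines; legend and 'Gateway of last resort' lines do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")
            routes.append(Route(m["code"], net, int(m["ad"] or 0),
                                int(m["metric"] or 0), m["nh"], m["ifc"]))
    return routes

def lookup(routes, dst):
    """Longest prefix match; ties go to the lower administrative distance, then metric."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r.net]
    return max(hits, key=lambda r: (r.net.prefixlen, -r.ad, -r.metric), default=None)

def egress_mismatches(routes, expected):
    """Return (destination, expected interface, actual interface) for each surprise."""
    actual = {d: getattr(lookup(routes, d), "ifc", None) for d in expected}
    return [(d, want, actual[d]) for d, want in expected.items() if actual[d] != want]
```

With the sample table, a destination such as 192.168.3.50 has no specific route, so it matches the default route and leaves via outside rather than inside, which is how a missing internal route shows up in this check.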
CCNA Exam Tips
Memorize the default administrative distances: connected (0), static (1), EIGRP (90), OSPF (110), RIP (120).
Understand that the 'S*' code indicates a candidate default route (0.0.0.0/0).
Be able to interpret the bracket notation [AD/metric] and know which route is preferred when multiple routes exist.
Common Mistakes
Confusing administrative distance with metric; AD is a trustworthiness value, metric is a cost.
Forgetting that a route must have a valid next-hop; if the next-hop is unreachable, the route is not installed.
Assuming 'show route' shows only active routes; it shows all routes in the table, including those that may be inactive due to administrative distance.
Platform Notes
On Cisco ASA, the 'show route' command behaves similarly to Cisco IOS, but there are key differences. ASA does not support EIGRP in many versions (though some newer models do). The ASA also uses security contexts (virtual firewalls) in multiple-context mode; each context has its own routing table, and 'show route' displays the table for the current context. In single-context mode, it behaves like a standard router. The ASA also supports transparent firewall mode, where routing is layer-2; in that mode, 'show route' may show only management routes. Additionally, the ASA uses a different syntax for some parameters; for example, 'show route static' works, but 'show ip route' is not valid (use 'show route'). The output format is similar to IOS, but the ASA may include additional fields like 'tracked' for static routes with tracking. For equivalent commands on other platforms, on Cisco IOS the command is 'show ip route', and on Juniper JunOS it is 'show route'. Version differences: ASA 9.x supports OSPFv3 for IPv6, and 'show route' can display IPv6 routes with the 'ipv6' keyword (e.g., 'show route ipv6').