Thursday 12 February 2015

Default Routing

The default route of a computer that is participating in computer networking is the packet forwarding rule (route) that takes effect when no other route can be determined for a given Internet Protocol (IP) destination address. All packets for destinations not established in the routing table are sent via the default route. This route generally points to another router, which treats the packet the same way: if a route matches, the packet is forwarded accordingly; otherwise the packet is forwarded to the default route of that router. The process repeats until a packet is delivered to the destination. Each router traversal counts as one hop in the distance calculation for the transmission path.
The route evaluation process in each router uses the longest prefix match method to obtain the most specific route. The network with the longest subnet mask that matches the destination IP address is the next-hop network gateway.
The default route in Internet Protocol Version 4 (IPv4) is designated as the zero-address 0.0.0.0/0 in CIDR notation,[1] often called the quad-zero route. The subnet mask is given as /0, which effectively specifies all networks, and is the shortest match possible. A route lookup that does not match any other route falls back to this route. Similarly, in IPv6, the default route is specified by ::/0.
In the highest-level segment of a network, administrators generally point the default route for a given host towards the router that has a connection to a network service provider. Therefore, packets with destinations outside the organization's local area network, typically destinations on the Internet or a wide area network, are forwarded to the router with the connection to that provider.
The device to which the default route points is often called the default gateway, and it often carries out other functions such as packet filtering, firewalling, or proxy server operations.
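The longest prefix match lookup described above, with fallback to the default route, as an added example that is not part of the original post. The routing table, next-hop addresses and the function name lookup are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, next hop). All addresses are sample values.
ROUTES = [
    ("0.0.0.0/0", "192.168.2.4"),        # IPv4 default route (quad-zero)
    ("10.0.0.0/8", "10.255.0.1"),
    ("10.1.0.0/16", "10.1.255.1"),
    ("10.1.2.0/24", "10.1.2.254"),
    ("::/0", "3ffe:1100:0:cc00::1"),     # IPv6 default route
    ("7fff::/32", "3ffe:1100:0:cc00::2"),
]

def lookup(dest, routes=ROUTES):
    """Return (prefix, next_hop) of the most specific route covering dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        # An IPv4 destination never matches an IPv6 prefix, and vice versa.
        if net.version != addr.version or addr not in net:
            continue
        # Keep the candidate with the longest mask; /0 only wins if alone.
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop)
    if best is None:
        return None  # no matching route and no default route: nowhere to forward
    return str(best[0]), best[1]

if __name__ == "__main__":
    for dest in ("10.1.2.7", "10.1.9.9", "8.8.8.8", "7fff:0:1::1", "2001:db8::1"):
        print(dest, "->", lookup(dest))
```

Removing the /0 entries from the table makes lookup return None for any destination outside the listed prefixes, which is the case the default route exists to cover.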

Configuring a Default Static Route

A default route identifies the gateway IP address to which the ASA sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route. In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces that have different metrics, the connection to the ASA firewall that is made from the higher metric interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected.
You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the following message:
"ERROR: Cannot add route entry, possible conflict with existing routes." 
You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes.

Limitations on Configuring a Default Static Route

The following restrictions apply to default routes with the tunneled option:
Do not enable unicast RPF (ip verify reverse-path) on the egress interface of the tunneled route. Enabling unicast RPF on the egress interface of a tunneled route causes the session to fail.
Do not enable TCP intercept on the egress interface of the tunneled route. Doing so causes the session to fail.
Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the DNS inspect engine, or the DCE RPC inspection engine with tunneled routes. These inspection engines ignore the tunneled route.
You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.
To define a tunneled default route, enter the following command:

Detailed Steps

Command:
route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]

Example:
hostname(config)# route outside 0 0 192.168.2.4 tunneled

Purpose:
This enables you to add a static route.
The dest_ip and mask are the IP address and mask for the destination network, and the gateway_ip is the address of the next-hop router. The addresses you specify for the static route are the addresses that are in the packet before entering the ASA and performing NAT.
The distance is the administrative distance for the route. The default is 1 if you do not specify a value. Administrative distance is a parameter used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving them precedence over routes discovered by dynamic routing protocols but not over directly connected routes. The default administrative distance for routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the static route takes precedence. Connected routes always take precedence over static or dynamically discovered routes.
You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, for example:
hostname(config)# route outside 0 0 192.168.1 1
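A pre-deployment check of a candidate configuration against the default-route rules stated in this section (at most three equal cost default routes, one interface for equal cost entries, a single tunneled default route, no unicast RPF on the tunneled egress interface). This is an added example, not Cisco code or part of the original post; the sample configuration, the function name check_default_routes and the finding texts are constructed, and it assumes the distance field is the metric the section refers to.

```python
# Constructed candidate configuration; interface names and addresses are sample values.
SAMPLE = """\
ip verify reverse-path interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1
route outside 0 0 192.168.2.2
route dmz 0 0 10.1.1.1
route backup 0 0 172.16.0.1 5
route outside 0 0 192.168.2.4 tunneled
route inside 10.20.0.0 255.255.0.0 10.1.1.254
"""

def check_default_routes(config_text):
    """Return findings for the default-route rules stated in this section."""
    defaults, tunneled, rpf_ifaces, findings = [], [], set(), []
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:4] == ["ip", "verify", "reverse-path", "interface"] and len(tok) > 4:
            rpf_ifaces.add(tok[4])
        if len(tok) < 5 or tok[0] != "route":
            continue
        iface, dest, mask = tok[1:4]
        # "0 0" is the accepted shorthand for 0.0.0.0 0.0.0.0.
        if (dest, mask) not in {("0", "0"), ("0.0.0.0", "0.0.0.0")}:
            continue  # a specific static route, not a default route
        if "tunneled" in tok[5:]:
            tunneled.append(iface)
        else:  # administrative distance defaults to 1 when omitted
            dist = int(tok[5]) if len(tok) > 5 and tok[5].isdigit() else 1
            defaults.append((iface, dist))
    if len(tunneled) > 1:
        findings.append("more than one tunneled default route")
    for iface in tunneled:
        if iface in rpf_ifaces:
            findings.append(f"unicast RPF enabled on tunneled egress interface {iface}")
    by_dist = {}
    for iface, dist in defaults:
        by_dist.setdefault(dist, []).append(iface)
    for dist, ifaces in sorted(by_dist.items()):
        if len(ifaces) > 3:
            findings.append(f"more than three equal cost default routes at distance {dist}")
        if len(set(ifaces)) > 1:
            findings.append(f"equal cost default routes at distance {dist} use different interfaces")
        # Interfaces that only appear at a higher distance than the best one.
        for iface in sorted(set(ifaces) - set(by_dist[min(by_dist)])):
            findings.append(f"connections to the ASA from higher metric interface {iface} fail")
    return findings
```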

Configuring IPv6 Default 

The ASA automatically routes IPv6 traffic between directly connected hosts if the interfaces to which the hosts are attached are enabled for IPv6 and the IPv6 ACLs allow the traffic.
To configure an IPv6 default route and static routes, perform the following steps:

Detailed Steps

Step 1

Command:
ipv6 route if_name ::/0 next_hop_ipv6_addr

Example:
hostname(config)# ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1

Purpose:
This step adds a default IPv6 route.
This example routes packets for network 7fff::0/32 to a networking device on the inside interface at 3FFE:1100:0:CC00::1.
The address ::/0 is the IPv6 equivalent of "any."

Step 2

Command:
ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]

Example:
hostname(config)# ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1 110

Purpose:
This step adds an IPv6 static route to the IPv6 routing table.
This example routes packets for network 7fff::0/32 to a networking device on the inside interface at 3FFE:1100:0:CC00::1, with an administrative distance of 110.
