Cisco Defense Orchestrator

Configure Static and Default Routes for Firepower Devices

Define static routes to tell the system where to send packets that are not bound for networks that are directly connected to the interfaces on the system.

Consider creating a default route. This is the route for network 0.0.0.0/0. This route defines where to send packets whose egress interface cannot be determined by existing NAT xlates (translations), static NAT rules, or other static routes.

You might need other static routes if the default gateway cannot be used to get to all networks. For example, the default route is usually an upstream router on the outside interface. If there are additional inside networks that are not directly connected to the device, and they cannot be accessed through the default gateway, you need static routes for each of those inside networks.

You cannot define static routes for the networks that are directly connected to system interfaces. The system automatically creates these routes.

Procedure

  1. Click Devices & Services in the navigation bar.
  2. Select the Firepower Threat Defense (FTD) device on which you want to define static routes.
  3. In the Management pane, click Routing.
  4. On the Static Routing page, do one of the following:
  • To add a new static route, click the plus button.
  • Click the edit icon for the route you want to edit.

If you no longer need a route, click the trash can icon for the route to delete it.

  5. Configure the route properties:
  • Protocol-Select whether the route is for an IPv4 or IPv6 address.
  • Interface-Select the interface through which you want to send traffic. The gateway address needs to be accessible through this interface.
  • Gateway-Select the network object that identifies the IP address for the gateway to the destination network. Traffic is sent to this address.
  • Metric-The administrative distance for the route, between 1 and 254. The default for static routes is 1. If there are additional routers between the interface and the gateway, enter the number of hops as the administrative distance.

Administrative distance is a parameter used to compare routes. The lower the number, the higher precedence the route is given. Connected routes (networks directly connected to an interface on the device) always take precedence over static routes.

  • Network-Select the network object(s) that identify the destination network containing the host(s) that use the gateway in this route.

To define a default route, use the pre-defined any-ipv4 or any-ipv6 network objects, or create an object for the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) network.

  6. Click OK.
  7. Deploy Configuration Changes from Defense Orchestrator to FTD.

Static Route Example

See the Static Route Network Diagram for the addresses used in this example.

The goal is to create a static route that allows return traffic to the host at 10.10.1.2.

This is the packet flow we want the static route to define.

  1. Packets come back to the outside interface, 209.165.201.0/27, looking for 10.10.1.2.
  2. We direct the packets to use the inside interface to get to the gateway 192.168.1.2.
  3. From there, we identify the destination network by the gateway address for that network, 10.10.1.1.
  4. The IP address 10.10.1.1 is on the same subnet as 10.10.1.2. The router forwards the packet to the switch, the switch forwards the packet to 10.10.1.2. 

Here is what the completed Add Static Route dialog box would look like for this route.

(Figure: the completed Add Static Route dialog box for this route)
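The route selection this page describes (longest prefix match first, then lowest administrative distance, with connected routes always preferred), modelled in Python as an added example that is not Cisco's code. It builds the example topology above and enforces the page's two rules: the gateway must be reachable through the chosen interface, and no static route may be defined for a directly connected network. The inside subnet 192.168.1.0/24 and the outside default gateway 209.165.201.1 are assumed, since the network diagram is not included here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None for connected routes
    distance: int                             # administrative distance; 0 = connected


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_connected(self, interface: str, network: str) -> Route:
        # Connected routes are created automatically by the system (AD 0).
        r = Route(ipaddress.ip_network(network), interface, None, 0)
        self.routes.append(r)
        return r

    def add_static(self, interface: str, network: str, gateway: str, metric: int = 1) -> Route:
        net = ipaddress.ip_network(network)
        gw = ipaddress.ip_address(gateway)
        if not 1 <= metric <= 254:
            raise ValueError("metric (administrative distance) must be between 1 and 254")
        # The gateway address must be accessible through the selected interface.
        if not any(r.distance == 0 and r.interface == interface and gw in r.network
                   for r in self.routes):
            raise ValueError(f"gateway {gw} is not reachable through interface {interface}")
        # Static routes cannot be defined for directly connected networks.
        if any(r.distance == 0 and r.network == net for r in self.routes):
            raise ValueError(f"{net} is directly connected; its route is created automatically")
        r = Route(net, interface, gw, metric)
        self.routes.append(r)
        return r

    def lookup(self, dst: str) -> Optional[Route]:
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if ip in r.network]
        if not candidates:
            return None
        # Longest prefix wins; on a tie, the lowest administrative distance wins.
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


def example_table() -> RouteTable:
    t = RouteTable()
    t.add_connected("outside", "209.165.201.0/27")
    t.add_connected("inside", "192.168.1.0/24")          # assumed inside subnet
    t.add_static("inside", "10.10.1.0/24", "192.168.1.2")  # the route from the example
    t.add_static("outside", "0.0.0.0/0", "209.165.201.1")  # assumed default gateway
    return t
```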
