Cisco Defense Orchestrator

Configure Static and Default Routes for Firepower Devices

Define static routes on the Firepower firewall so it knows where to send packets bound for networks not directly connected to the interfaces on the system.

Consider creating a default route. This is the route for network 0.0.0.0/0. This route defines where to send packets whose egress interface cannot be determined by existing NAT translations, static NAT rules, or other static routes.

You might need other static routes if the default gateway cannot be used to get to all networks. For example, the default route is usually an upstream router on the outside interface. If there are additional inside networks that are not directly connected to the device, and they cannot be accessed through the default gateway, you need static routes for each of those inside networks.

You cannot define static routes for the networks that are directly connected to system interfaces. The system automatically creates these routes.

Procedure

  1. Click Devices & Services in the navigation bar.
  2. Select the Firepower Threat Defense (FTD) device on which you want to define static routes.
  3. In the Management pane at the right, click Routing.
  4. On the Static Routing page, do one of the following:
  • To add a new static route, click the plus button.
  • Click the edit icon for the route you want to edit.

If you no longer need a route, click the trash can icon for the route to delete it.

  5. Configure the route properties:
  • Protocol-Select whether the route is for an IPv4 or IPv6 address.
  • Interface-Select the interface through which you want to send traffic. The gateway address needs to be accessible through this interface.
  • Gateway-Select the network object that identifies the IP address for the gateway to the destination network. Traffic is sent to this address.
  • Metric-The administrative distance for the route, between 1 and 254. The default for static routes is 1. If there are additional routers between the interface and the gateway, enter the number of hops as the administrative distance.

Administrative distance is a parameter used to compare routes. The lower the number, the higher the precedence the route is given. Connected routes (networks directly connected to an interface on the device) always take precedence over static routes.

  • Network-Select the network object(s) that identify the destination network containing the host(s) that use the gateway in this route.

To define a default route, use the pre-defined any-ipv4 or any-ipv6 network objects, or create an object for the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) network.

  6. Click OK.
  7. Review and deploy the changes now, or wait and deploy multiple changes at once.

Static Route Example

See the Static Route Network Diagram for the addresses used in this example.

The goal is to create a static route that allows return traffic to the host at 20.30.1.2 in destination network 20.30.1.0/24.

The packet can take any path to reach the destination. When the device receives a packet on an interface, it selects the best route to the destination and forwards the packet accordingly.

Note: The DMZ does not have a static route because it is connected directly to the interface.

For example, consider the following two routes for reaching the destination.

Route 1:

  1. Packets come back to the outside interface, 209.165.201.0/27, looking for 20.30.1.2.
  2. We direct the packets to use the inside interface to get to the gateway 192.168.1.2, which is on the same network as the destination. 
  3. From there, we identify the destination network by the gateway address for that network, 20.30.1.1.
  4. The IP address 20.30.1.2 is on the same subnet as 20.30.1.1. The router forwards the packet to the switch, the switch forwards the packet to 20.30.1.2. 

Interface: Inside; Destination network: 20.30.1.0/24; Gateway: 192.168.1.2; Metric: 1

Route 2:

  1. Packets come back to the outside interface, 209.165.201.0/27, looking for 20.30.1.2.
  2. We direct the packets to use the internal interface to get to the gateway 192.168.50.20, which is multiple hops away from the destination network. 
  3. From there, we identify the destination network by the gateway address for that network, 20.30.1.1.
  4. The IP address 20.30.1.2 is on the same subnet as 20.30.1.0. The router forwards the packet to the switch, the switch forwards the packet to 20.30.1.2. 

Interface: Inside; Destination network: 20.30.1.0/24; Gateway: 192.168.50.20; Metric: 100

Here is what the completed Add Static Route table would look like for these routes:

Interface   Destination Network   Gateway         Metric
Inside      20.30.1.0/24          192.168.1.2     1
Inside      20.30.1.0/24          192.168.50.20   100
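To make the selection rules on this page concrete (longest prefix match, connected routes beating static routes, the lower administrative distance winning between Route 1 and Route 2, and the rejection of a static route for a directly connected network such as the DMZ), here is a small Python model of a routing table built from the example above. It is an added illustration, not Cisco code and not the FTD's actual routing implementation. The inside prefix 192.168.0.0/16 (chosen so both gateways are on-link), the DMZ prefix 10.10.10.0/24, the upstream gateway 209.165.201.1 and the destination 198.51.100.7 are constructed values, and the `Route`, `RoutingTable` and `build_example_table` names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Connected routes always win over static routes, so give them distance 0;
# static routes use the 1-254 administrative distance entered as "Metric".
CONNECTED_DISTANCE = 0


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None means a connected route
    distance: int

    @property
    def connected(self) -> bool:
        return self.gateway is None


class RoutingTable:
    """Toy IPv4 routing table (not FTD code): longest prefix wins, and among
    equal prefixes the lowest administrative distance wins."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add_connected(self, network: str, interface: str) -> Route:
        # The system creates these itself when an interface is addressed.
        route = Route(ipaddress.IPv4Network(network), interface, None, CONNECTED_DISTANCE)
        self.routes.append(route)
        return route

    def _on_link(self, interface: str, gateway: ipaddress.IPv4Address) -> bool:
        # "The gateway address needs to be accessible through this interface."
        return any(r.connected and r.interface == interface and gateway in r.network
                   for r in self.routes)

    def add_static(self, network: str, interface: str, gateway: str, metric: int = 1) -> Route:
        net = ipaddress.IPv4Network(network)
        gw = ipaddress.IPv4Address(gateway)
        if not 1 <= metric <= 254:
            raise ValueError("metric (administrative distance) must be between 1 and 254")
        if any(r.connected and r.network == net for r in self.routes):
            raise ValueError(f"{net} is directly connected; the system creates that route itself")
        if not self._on_link(interface, gw):
            raise ValueError(f"gateway {gw} is not reachable through interface {interface}")
        route = Route(net, interface, gw, metric)
        self.routes.append(route)
        return route

    def lookup(self, destination: str) -> Optional[Route]:
        dst = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        # Longest prefix first; ties broken by the lowest distance.
        return max(candidates, key=lambda r: (r.network.prefixlen, -r.distance))


def static_route_rejected(rt: RoutingTable, network: str, interface: str,
                          gateway: str, metric: int = 1) -> bool:
    """True if the table refuses the static route (connected net, bad metric, off-link gateway)."""
    try:
        rt.add_static(network, interface, gateway, metric)
    except ValueError:
        return True
    return False


def build_example_table() -> RoutingTable:
    rt = RoutingTable()
    # Connected networks: 209.165.201.0/27 is from the page; the inside and
    # DMZ prefixes are constructed for this example.
    rt.add_connected("209.165.201.0/27", "outside")
    rt.add_connected("192.168.0.0/16", "inside")
    rt.add_connected("10.10.10.0/24", "dmz")
    # Route 1 and Route 2 exactly as in the page's Add Static Route table.
    rt.add_static("20.30.1.0/24", "inside", "192.168.1.2", metric=1)
    rt.add_static("20.30.1.0/24", "inside", "192.168.50.20", metric=100)
    # Default route (the any-ipv4 object, 0.0.0.0/0); upstream gateway is constructed.
    rt.add_static("0.0.0.0/0", "outside", "209.165.201.1", metric=1)
    return rt


if __name__ == "__main__":
    table = build_example_table()
    for dst in ("20.30.1.2", "198.51.100.7", "10.10.10.5"):
        print(dst, "->", table.lookup(dst))
```

Running the module shows 20.30.1.2 going out the inside interface via 192.168.1.2 (Route 1, distance 1) even though Route 2 covers the same prefix, a destination with no specific route falling through to the 0.0.0.0/0 default on the outside interface, and a DMZ host matched by its connected route. Attempting to add a static route for the DMZ prefix is refused, which mirrors the page's rule that connected networks never get static routes.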
