Default Route
Configuring a separate static route for every destination network is impractical, especially
for traffic bound for the Internet, whose destinations cannot be enumerated. Instead, you can
create a special route known as a default route. The Security Appliance uses this route for
any traffic that does not match a more specific route in its routing table. When configuring
the default route, you use a destination IP address of 0.0.0.0 and a netmask of 0.0.0.0.
Because that prefix is zero bits long, it matches every destination, and any other route in
the table, being more specific, is always preferred over it; the default route is only the
fallback.
Instead of using the address of a gateway router when you configure a static route, you can
specify the IP address of one of the Security Appliance's own interfaces. A route created in
this manner gives the Security Appliance no next-hop address to which to send the traffic.
The Security Appliance therefore broadcasts an ARP request for the destination IP address
itself on the specified interface. Any router on that segment that has a route to the
destination and performs proxy ARP answers with its own interface's Ethernet address, and
the Security Appliance adds an ARP cache entry mapping the destination IP address to that
router's MAC address. Traffic for that destination is then sent to the router that answered.
Two consequences follow. The Security Appliance needs a separate ARP exchange and cache
entry for every destination host instead of a single entry for the gateway, and because ARP
carries no authentication, any host on the segment can answer the request and receive the
traffic. This is why the configuration is not recommended (see the NOTE below).
Chapter 11: Routing and the Cisco Security Appliance

Table 11-7 route Command Parameters (Continued)

Parameter   Description
gateway     The IP address of the next-hop gateway to which traffic matching the
            route is sent.
metric      The administrative distance of the route (the default is 1). Although
            often described as a hop count, on the Security Appliance this value is
            a preference rather than a measured distance: when several routes to the
            same destination exist, the route with the lowest metric is used.

Static routes are stored in your Security Appliance configuration and restored when the
Security Appliance is reloaded. To view the routes on your Security Appliance, use the
show route command. It displays every entry in the Security Appliance's routing table, as
shown in Example 11-1.

Example 11-1 Output of the show route Command

pix515a# show route
        intf5 0.0.0.0 0.0.0.0 10.89.141.1 1 OTHER static

Each line lists the interface, the destination network, its netmask, the gateway, the
metric, and the origin of the route. Routes with the keyword CONNECT are created
automatically when you assign an IP address to an interface; they describe the networks
directly attached to the Security Appliance. Routes with the OTHER keyword are static
routes that were entered manually with the route command, such as the default route
shown above.

To remove the static routes that you have configured, use the clear route command. With
no arguments it removes all the manually entered static routes at once, the default route
included; to remove a single route, use the no form of the route command instead.

NOTE Although you can configure a static route whose gateway is one of the Security
Appliance's own interfaces, so that the Security Appliance generates an ARP request for
the destination address itself (see "Default Route," earlier), this configuration is not
recommended. ARP is an unauthenticated protocol: any host on that segment can answer the
request and have the traffic delivered to itself.

Dynamic Routes
Besides the static routes that you create manually, the Cisco Security Appliance also
supports dynamic routing. Dynamic routes are learned through a routing protocol that
automatically adds entries to the Security Appliance's routing table. The Security
Appliance supports the following two routing protocols, but only one of them can be active
on a given Security Appliance at a time:
■ RIP
■ OSPF
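The following program is an added example, not code from the book or from Cisco. It parses a
constructed show route listing in the format of Example 11-1 (only the first route line is
from the page; the other entries, the interface names inside and dmz, and the addresses are
made up for illustration) and then performs the route selection the static-route and
default-route text above describes: the longest matching prefix wins, equally specific
routes are ordered by metric (administrative distance, lowest first), and the 0.0.0.0/0
default route is chosen only when no other route covers the destination.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the book's Example 11-1. Only the first
# route line appears on the page; the rest are invented for illustration.
# Fields: interface, destination, netmask, gateway, metric, CONNECT|OTHER, type.
SAMPLE_SHOW_ROUTE = """\
pix515a# show route
        intf5 0.0.0.0 0.0.0.0 10.89.141.1 1 OTHER static
        intf5 10.89.141.0 255.255.255.0 10.89.141.10 1 CONNECT static
        inside 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static
        dmz 172.16.1.0 255.255.255.0 172.16.1.1 1 CONNECT static
        inside 10.20.0.0 255.255.0.0 192.168.10.254 1 OTHER static
        inside 10.20.30.0 255.255.255.0 192.168.10.253 1 OTHER static
        dmz 10.20.30.0 255.255.255.0 172.16.1.254 5 OTHER static
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_RE = re.compile(
    rf"^\s*(?P<ifname>\S+)\s+(?P<dest>{_IP})\s+(?P<mask>{_IP})\s+(?P<gw>{_IP})"
    r"\s+(?P<metric>\d+)\s+(?P<origin>CONNECT|OTHER)\s+(?P<kind>\S+)\s*$"
)


@dataclass(frozen=True)
class Route:
    ifname: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int      # administrative distance from the route command (1 is the default)
    origin: str      # CONNECT: derived from an interface address; OTHER: entered by hand

    @property
    def is_default(self) -> bool:
        # 0.0.0.0 with netmask 0.0.0.0 is a zero-length prefix: it matches everything
        return self.network.prefixlen == 0


def parse_show_route(text: str) -> List[Route]:
    """Turn show route output into Route objects; lines that are not route
    entries (the prompt, blank lines) are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        # strict=False tolerates host bits in the destination field
        net = ipaddress.IPv4Network((m["dest"], m["mask"]), strict=False)
        routes.append(Route(m["ifname"], net, ipaddress.IPv4Address(m["gw"]),
                            int(m["metric"]), m["origin"]))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest prefix first, then lowest metric. The /0 default route has the
    shortest possible prefix, so it is selected only when nothing else matches."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def drop_default(routes: List[Route]) -> List[Route]:
    """The table after the default route has been removed: Internet-bound
    traffic then has no matching route at all."""
    return [r for r in routes if not r.is_default]


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    for dst in ("8.8.8.8", "10.20.30.7", "10.20.99.1", "192.168.10.50"):
        r = lookup(table, dst)
        print(f"{dst:>14} -> {r.ifname} via {r.gateway} "
              f"({r.network}, metric {r.metric}, {r.origin})")
    print("8.8.8.8 with the default route removed:", lookup(drop_default(table), "8.8.8.8"))
```

Running the script shows 8.8.8.8 falling through to the OTHER default route, 10.20.30.7
choosing the inside /24 with metric 1 over the dmz /24 with metric 5, 10.20.99.1 using the
/16, and 192.168.10.50 landing on a CONNECT route; once the default route is gone, the
Internet destination resolves to no route at all, which is what the clear route caveat
above warns about.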