ASDM and CLI Show Different Static Routes for ASA 5505

iglablues
Level 1

Hi,

I was checking out the config on my ASA and noticed a bunch of static routes configured when I did a show route. With the exception of two that I expect to be there, the remainder point traffic destined for specific internal hosts to the outside interface, i.e.

S    private_ip 255.255.255.255 [1/0] via public_ip, outside

I verified that I cannot ping those hosts from the firewall.

I logged in to the ASDM. When I check the Configuration>Device Setup>Routing>Static Routes it only shows two static routes, the ones I expect to see. If I look under Monitoring>Routing>Routes, I see the same output as I did on the CLI. I looked around to see if I was missing a key location for this information, and I was able to see the same static routes output in Monitoring>Routing>Routes. Since this is under monitoring though there's no way to delete these routes, and I still don't know where they were configured originally.

Then I happened to check under Monitoring>VPN>VPN Statistics>Sessions, and I see several of the private IPs used in the static routes being used by VPN users, including my own! I know I didn't assign myself a static IP for VPN use or anything like that.

So, what are these static IP routes? Why do I see them in the CLI and not under the Configuration tab? I mean, I know I can delete them from the CLI but I'm trying to figure out why the info is not synced. Am I seeing dynamically created content based on the VPN connections?

I appreciate your input and help.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Both L2L VPN and Client VPN inject their own routes into the firewall's routing table.

So when you have a single VPN Client connected on the "outside" interface of the ASA, its IP acquired from the ASA will be added as a static route towards the "outside" interface.

Why don't the CLI and ASDM outputs match?

I can't give you a 100% answer to that, but I presume this has to do with the "dynamic" nature of these static routes.

In other words, they aren't permanently added Static Routes (with the "route" command), so they aren't actually routes that you have configured and therefore don't show up in the configuration BUT do show in the routing table.

EDIT: To add to the above explanation

Static Routes added because of VPN connections show

  • In CLI routing table
  • In ASDM routing table

Static Routes added because of VPN connections don't show

  • In CLI when issuing "show run route"
  • In ASDM when checking Configuration -> Routing -> Static Routes

And the reason for them not showing is that they are not configured by the user but are dynamically added to the ASA routing table each time a VPN connection is active.

- Jouni
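The check Jouni describes (a static route that is present in the routing table but absent from "show run route") can be done mechanically when there are too many entries to eyeball. The Python script below is an added example, not code from this thread or from Cisco: it parses constructed sample output of "show route" and "show run route", lists the static routes that exist only in the routing table (the VPN-injected ones), and separately flags host (/32) routes pointing at the outside interface so they can be matched against Monitoring>VPN>VPN Statistics>Sessions. All IP addresses, interface names and the sample output are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA "show route" output (not taken from the original post).
# Two /32 host routes toward "outside" stand in for VPN client addresses.
SHOW_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside
C    203.0.113.0 255.255.255.0 is directly connected, outside
S    192.168.50.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S    10.20.30.7 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.20.30.9 255.255.255.255 [1/0] via 203.0.113.1, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

# Constructed sample of "show run route": only the routes an admin actually typed.
SHOW_RUN_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.50.0 255.255.255.0 192.168.1.254 1
"""


@dataclass(frozen=True)
class Route:
    network: str
    mask: str
    gateway: str
    interface: str


# "S    net mask [ad/metric] via gw, intf" (the "S*" default route included)
STATIC_RIB_RE = re.compile(
    r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)\s*$"
)
# "route intf net mask gw [metric]"
RUN_ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?\s*$")


def parse_show_route(text):
    """Return the set of static routes present in the routing table."""
    routes = set()
    for line in text.splitlines():
        m = STATIC_RIB_RE.match(line.strip())
        if m:
            net, mask, gw, intf = m.groups()
            routes.add(Route(net, mask, gw, intf))
    return routes


def parse_show_run_route(text):
    """Return the set of static routes explicitly configured with 'route'."""
    routes = set()
    for line in text.splitlines():
        m = RUN_ROUTE_RE.match(line.strip())
        if m:
            intf, net, mask, gw = m.groups()
            routes.add(Route(net, mask, gw, intf))
    return routes


def unconfigured_static_routes(show_route, show_run_route):
    """Static routes in the RIB that no 'route' command accounts for
    (on an ASA with active VPN sessions these are the injected client routes)."""
    diff = parse_show_route(show_route) - parse_show_run_route(show_run_route)
    return sorted(diff, key=lambda r: r.network)


def host_routes_via(routes, interface):
    """Filter to /32 host routes pointing at the given interface; these are the
    entries to reconcile against the ASDM VPN session list."""
    return [r for r in routes if r.mask == "255.255.255.255" and r.interface == interface]


if __name__ == "__main__":
    injected = unconfigured_static_routes(SHOW_ROUTE, SHOW_RUN_ROUTE)
    print("Static routes present in RIB but not in running config:")
    for r in injected:
        print(f"  {r.network} {r.mask} via {r.gateway}, {r.interface}")
    print("Host routes toward 'outside' to match against VPN sessions:")
    for r in host_routes_via(injected, "outside"):
        print(f"  {r.network}")
```

On a real device you would paste the two command outputs into the script (or pull them over SSH). Any /32 toward "outside" that does not correspond to an active VPN session is the one worth a closer look; the ones that do are the dynamic routes Jouni describes and disappear when the session ends.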


2 Replies

iglablues
Level 1

Thank you for the concise and clear answer. That cleared up a lot for me. Appreciate it.
