08-21-2023 07:57 AM - last edited on 08-24-2023 04:49 AM by Translator
Hello.
(obfuscated)
ASA1100#sh route static
Gateway of last resort is 63.229.172.2 to network 0.0.0.0
S 172.16.0.0 255.255.0.0 [1/0] via 172.16.99.1, inside
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled
---
# sh route 0.0.0.0 0.0.0.0
Routing entry for 0.0.0.0 0.0.0.0, supernet
Known via "eigrp 1", distance 170, metric 51712, candidate default path
type external
Redistributing via eigrp 1
Last update from 63.229.172.2 on outside1, 782:33:53 ago
Routing Descriptor Blocks:
* 63.229.172.2, from 63.229.172.2, 782:33:53 ago, via outside
Loading 1/255, Hops 1
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled
QUESTIONS:
Why are there two routes to 0.0.0.0?
Which route is used for non-tunneled traffic?
Which route is used for L2L tunneled traffic?
Thank you.
Solved! Go to Solution.
08-22-2023 06:05 AM - last edited on 08-24-2023 05:05 AM by Translator
@Giuseppe Larosa >>> The floating static route with AD 255 is strange <<<
look at this post: Solved: Routes with a 255 administrative distance are considered unreachable? - Cisco Community
ASA behaves differently and considers an administrative distance (AD) of 255 as the worst AD, but still considers it as valid.
@jmaxwellUSAF look at the same post as above
This different ASA behavior only applies to the ASA tunneled default route feature. The behavior is exactly the same as IOS if the administrative distance is set to 255 on any other route.
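To make the accepted answer concrete, here is an added Python example (not from the thread, and not Cisco code) that parses `show route` lines like the ones the OP posted and models which of the two 0.0.0.0 routes a given packet uses. The sample table is constructed: the two static lines are the ones from the thread, while the EIGRP line is an assumption about how that route would appear in plain `show route` output. The selection logic encodes the documented behaviour of the ASA tunneled default route: it is consulted only for traffic that was just decrypted from a VPN tunnel, where it takes precedence over the ordinary default route, and it is ignored for all other traffic, even though the ASA installs it with AD 255.

```python
"""Parse ASA 'show route' lines and model the tunneled-default-route decision."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample, not a device capture. The static entries are the ones
# quoted in the thread; the EIGRP external default is an assumed rendering of
# the "Known via eigrp 1, distance 170, metric 51712" entry in 'show route' form.
SAMPLE_SHOW_ROUTE = """\
Gateway of last resort is 63.229.172.2 to network 0.0.0.0
S    172.16.0.0 255.255.0.0 [1/0] via 172.16.99.1, inside
D*EX 0.0.0.0 0.0.0.0 [170/51712] via 63.229.172.2, outside
S    0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+(?:\s*EX)?)\s+"
    r"(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),\s+"
    r"(?P<iface>\S+?)(?P<tunneled>\s+tunneled)?\s*$"
)


@dataclass(frozen=True)
class Route:
    code: str
    prefix: IPv4Network
    ad: int
    metric: int
    next_hop: IPv4Address
    iface: str
    tunneled: bool


def parse_show_route(text: str) -> list[Route]:
    """Return the route entries found in 'show route' output; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # 'Gateway of last resort', codes legend, blank lines
        routes.append(Route(
            code=m["code"].replace(" ", ""),
            prefix=ip_network(f"{m['net']}/{m['mask']}"),  # dotted mask is accepted
            ad=int(m["ad"]),
            metric=int(m["metric"]),
            next_hop=ip_address(m["nh"]),
            iface=m["iface"],
            tunneled=m["tunneled"] is not None,
        ))
    return routes


def default_routes(routes: list[Route]) -> list[Route]:
    """All 0.0.0.0/0 entries; the ASA can hold a normal one and a tunneled one side by side."""
    return [r for r in routes if r.prefix.prefixlen == 0]


def select_route(routes: list[Route], dst: str, from_vpn_tunnel: bool = False):
    """Model (assumption, simplified) of how the ASA picks a route for a packet to dst.

    from_vpn_tunnel=True means the packet was just decrypted from an L2L or
    remote-access tunnel. Only such packets may use a 'tunneled' route, and for
    them it beats the regular default route. AD 255 does not disqualify it on
    the ASA, so AD is only the tie-breaker among non-tunneled candidates.
    """
    addr = ip_address(dst)
    cands = [r for r in routes
             if addr in r.prefix and (from_vpn_tunnel or not r.tunneled)]
    if not cands:
        return None
    best_len = max(r.prefix.prefixlen for r in cands)   # longest prefix first
    cands = [r for r in cands if r.prefix.prefixlen == best_len]
    if from_vpn_tunnel and any(r.tunneled for r in cands):
        cands = [r for r in cands if r.tunneled]         # tunneled route wins for VPN traffic
    return min(cands, key=lambda r: (r.ad, r.metric))   # then lowest AD, then metric


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    for r in table:
        flag = " tunneled" if r.tunneled else ""
        print(f"{r.code:5} {str(r.prefix):<18} [{r.ad}/{r.metric}] via {r.next_hop}, {r.iface}{flag}")
    print(f"{len(default_routes(table))} routes to 0.0.0.0/0")
    for dst, vpn in (("8.8.8.8", False), ("8.8.8.8", True), ("172.16.5.1", True)):
        r = select_route(table, dst, from_vpn_tunnel=vpn)
        print(f"{dst} from_vpn_tunnel={vpn}: via {r.next_hop} on {r.iface}")
```

Run against the sample, the three questions in the original post come out as: both 0.0.0.0 entries are real routes, an Internet-bound packet from the inside network follows the EIGRP default to 63.229.172.2, and the same destination reached by a packet that arrived through an L2L tunnel follows the tunneled static to 172.16.99.1. A more specific route such as 172.16.0.0/16 wins for either kind of traffic, because prefix length is evaluated before the tunneled flag.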
08-21-2023 08:36 AM - last edited on 08-24-2023 05:01 AM by Translator
Hello @jmaxwellUSAF ,
interesting question
>> Routing entry for 0.0.0.0 0.0.0.0, supernet
Known via "eigrp 1", distance 170, metric 51712, candidate default path
the EIGRP D EX 0.0.0.0/0 is the one used.
The floating static route with AD 255 is strange: in a Cisco router AD 255 is not usable; the last usable value is 254. Here we see 255, and it appears in the routing table with the attribute inside tunneled.
What is sent over the IPSec tunnel depends on your configuration of the crypto map if you are using a Policy Based VPN.
If you are using a static VTI logical interface, it becomes a route based VPN and the tunnel is used for destination routes pointing to the VTI peer address (I suppose so).
From the FDM 7.0 admin guide:
"Type—How you will identify which traffic should be sent through the VPN tunnel. Select one of the following:
• Route Based (VTI)—You will use the routing table, primarily static routes, to define the local and remote networks that should participate in the tunnel. If you select this option, you must select a Virtual Tunnel Interface (VTI) as the local VPN access interface. You must also use a static IP address for the remote end of the tunnel. Ensure that you configure the appropriate static routes and access control rules for the VTI after you create the VPN connection profile.
• Policy Based—You will specify the local and remote networks directly in the site-to-site VPN connection profile. This is the classic approach to defining which traffic should be protected by the VPN tunnel."
Hope to help
Giuseppe
08-22-2023 07:22 AM
Hello @pieterh ,
thanks for your contribution in this thread, I guessed that AD 255 in ASA could be treated in a different manner.
But the mentioned thread was originated by the same OP @jmaxwellUSAF!
Best Regards
Giuseppe
08-21-2023 08:37 AM - last edited on 08-24-2023 05:09 AM by Translator
I see only one route. You ran two different commands
show ip route static
and
show ip route 0.0.0.0
But the route you see is the same. Same administrative distance, same gateway, same route.
08-21-2023 11:16 AM - last edited on 08-24-2023 05:18 AM by Translator
" I see only one route. You ran two different command
show ip route static
and
show ip route 0.0.0.0
--
ASA1100#sh route static
Gateway of last resort is 63.229.172.2 to network 0.0.0.0
S 172.16.0.0 255.255.0.0 [1/0] via 172.16.99.1, inside
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled
--
The green text ("Gateway of last resort is 63.229.172.2 to network 0.0.0.0") states that to get to 0.0.0.0, the path is 63.229.172.2
The red text ("S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled") states that to get to 0.0.0.0, the path is 172.16.99.1