Static routing on the Cisco ASA is the core of every routed-mode deployment. Default route to the ISP, internal static routes pointing at downstream Layer 3 switches, redundant routes with administrative distance to fail over to a backup link. The ASA does support OSPF, EIGRP, and BGP, but most production firewalls run all-static routing for the simple reason that the firewall is a security device, not a router, and you usually do not want it forming dynamic adjacencies with neighbors you have not fully audited. This article covers the static-routing syntax, default routes, administrative distance, route tracking with SLA monitors for multi-WAN failover, and how to read show route output from the lab.
For where this fits in the cluster: see the Cisco ASA pillar. Static routing usually sits between the initial setup and any per-zone build like inside/outside/DMZ.
Static Route Syntax
One command, four fields plus optional bits:
route INTERFACE NETWORK MASK NEXT-HOP [DISTANCE] [tunneled] [track ID]
| Field | Required | Notes |
|---|---|---|
| INTERFACE | yes | The egress nameif (outside, inside, etc.). Tells the ASA which interface this route resolves through. |
| NETWORK MASK | yes | Destination network and mask in dotted-decimal (255.255.255.0) form, not prefix-length notation. Use 0.0.0.0 0.0.0.0 for the default route. |
| NEXT-HOP | yes | The IP of the next-hop router. Must be in a directly connected subnet on the named interface. |
| DISTANCE | no | Administrative distance, 1-255. Default is 1. Higher values make the route a floating (backup) route. |
| tunneled | no | Flag for traffic that arrives via VPN tunnels. Creates an alternate default route used only by VPN-decapsulated traffic. |
| track ID | no | Bind the route to an SLA track object. The route is removed from the table while the track is down. |
The simplest possible default route:
ASA-PERIM(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
An internal static for a downstream subnet:
ASA-PERIM(config)# route inside 10.10.10.0 255.255.255.0 10.10.0.1 1
That second line tells the ASA: "to reach 10.10.10.0/24, hand the packet to 10.10.0.1 over the inside interface." 10.10.0.1 is presumably the inside Layer 3 switch.
Reading the Output: show route
From the lab's ASA-PERIM after the inside/outside/DMZ build:
ASA-PERIM# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 203.0.113.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C 10.10.0.0 255.255.255.0 is directly connected, inside
L 10.10.0.254 255.255.255.255 is directly connected, inside
S 10.10.10.0 255.255.255.0 [1/0] via 10.10.0.1, inside
C 192.168.50.0 255.255.255.0 is directly connected, dmz
L 192.168.50.1 255.255.255.255 is directly connected, dmz
C 203.0.113.0 255.255.255.252 is directly connected, outside
L 203.0.113.2 255.255.255.255 is directly connected, outside
Read the codes column on the left. C is connected (a subnet directly attached to a configured interface). L is local (the ASA's own /32 IP on each interface). S is a static route. S* with the asterisk means "candidate default" - this is the gateway-of-last-resort.
The [1/0] bracketed pair is administrative distance / metric. Distance 1 is the default for static routes. Metric 0 because static routes do not have a meaningful metric.
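As an added example (not part of the original article or any Cisco tool), the following Python parses the lab's show route listing above into connected subnets and static entries with their [AD/metric] pair split out, then pre-flights route commands against the rule from the syntax table that the next-hop must sit in a connected subnet of the named interface. The regexes assume the single-line entry format shown above.

```python
import ipaddress
import re

# Copied from the lab's show route listing above (legend and gateway line omitted).
SHOW_ROUTE = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C 10.10.0.0 255.255.255.0 is directly connected, inside
L 10.10.0.254 255.255.255.255 is directly connected, inside
S 10.10.10.0 255.255.255.0 [1/0] via 10.10.0.1, inside
C 192.168.50.0 255.255.255.0 is directly connected, dmz
L 192.168.50.1 255.255.255.255 is directly connected, dmz
C 203.0.113.0 255.255.255.252 is directly connected, outside
L 203.0.113.2 255.255.255.255 is directly connected, outside
"""

STATIC_RE = re.compile(r"^S(\*?)\s+(\S+)\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+)")
CONNECTED_RE = re.compile(r"^C\s+(\S+)\s+(\S+)\s+is directly connected,\s+(\S+)")
ROUTE_CMD_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?")

def parse_show_route(text):
    """Return (connected, statics): connected maps nameif -> [networks],
    statics holds one dict per S / S* line with AD and metric split out."""
    connected, statics = {}, []
    for line in text.splitlines():
        c = CONNECTED_RE.match(line)
        if c:
            net = ipaddress.ip_network(f"{c[1]}/{c[2]}", strict=False)
            connected.setdefault(c[3], []).append(net)
            continue
        s = STATIC_RE.match(line)
        if s:
            statics.append({"candidate_default": s[1] == "*",
                            "prefix": ipaddress.ip_network(f"{s[2]}/{s[3]}", strict=False),
                            "ad": int(s[4]), "metric": int(s[5]),
                            "next_hop": ipaddress.ip_address(s[6]), "interface": s[7]})
    return connected, statics

def validate_route_cmd(cmd, connected):
    """Pre-flight a 'route INTERFACE NETWORK MASK NEXT-HOP [DISTANCE]' line: the
    next-hop must be in a connected subnet on the named interface, or it never resolves."""
    m = ROUTE_CMD_RE.match(cmd.strip())
    if not m:
        return "unparsable"
    iface, next_hop = m[1], ipaddress.ip_address(m[4])
    if iface not in connected:
        return f"unknown interface {iface}"
    if not any(next_hop in net for net in connected[iface]):
        return f"next-hop {next_hop} is not on a connected subnet of {iface}"
    return "ok"
```

Feeding a route command with the wrong egress interface (next-hop on inside, interface outside) returns a next-hop mismatch instead of the silent acceptance the ASA itself gives.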
Default Route Patterns
Three common shapes:
| Pattern | Command | Use case |
|---|---|---|
| Single ISP | route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 | The 95% case. One ISP, one default route. |
| Primary + floating backup | route outside-backup 0.0.0.0 0.0.0.0 198.51.100.1 200 (in addition to the primary route) | Backup route at distance 200 sits dormant; only installed if the primary disappears. |
| Primary + tracked failover | sla monitor + track object + the track keyword on the primary route | Active failover when the primary's next-hop becomes unreachable, even though the interface stays up. |
| Per-tunnel default | route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 tunneled | Override the default for traffic decapsulated from a VPN tunnel. |
The tunneled keyword is worth a quick explanation. By default, traffic that arrives via a VPN tunnel and is destined for an unknown network follows the regular default route, which usually points back to the same outside interface and creates an asymmetric path. tunneled creates an alternate default specifically for VPN-arriving traffic, useful in hub-and-spoke designs where decapped traffic should go somewhere else.
Administrative Distance and Floating Static Routes
The ASA, like IOS, picks the route with the lowest administrative distance when multiple routes exist for the same prefix. Default distances:
| Source | Distance |
|---|---|
| Connected | 0 |
| Static | 1 |
| EIGRP internal | 90 |
| OSPF (any type) | 110 |
| RIP | 120 |
| EIGRP external | 170 |
| iBGP | 200 |
Floating static routes use this to create a backup. Two static defaults at different distances:
ASA-PERIM(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
ASA-PERIM(config)# route outside-bak 0.0.0.0 0.0.0.0 198.51.100.1 200
The first wins because 1 < 200. The second sits in the configuration but is not in the routing table. If the first interface goes down (line protocol drops), the ASA removes its routes, the floating backup gets installed, and traffic shifts to the secondary path. When the primary interface comes back, the primary static is reinstated and the backup goes dormant again.
The catch: floating routes only respond to interface-down events. If the link stays up but the next-hop becomes unreachable (an ISP CE that quietly stops forwarding while the L1 link looks fine), the floating route never installs. For that case, you need active route tracking with SLA monitors.
Route Tracking with IP SLA
Route tracking is a small state machine: an IP SLA probe regularly tests reachability to a chosen target. A track object watches the SLA's reachability state. A static route bound to the track is installed only while the track is up.
ASA-PERIM(config)# sla monitor 1
ASA-PERIM(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
ASA-PERIM(config-sla-monitor-echo)# frequency 10
ASA-PERIM(config-sla-monitor-echo)# exit
ASA-PERIM(config)# sla monitor schedule 1 life forever start-time now
!
ASA-PERIM(config)# track 1 rtr 1 reachability
!
ASA-PERIM(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
ASA-PERIM(config)# route outside-bak 0.0.0.0 0.0.0.0 198.51.100.1 200
What that does, in order:
- sla monitor 1 defines an ICMP echo probe to 8.8.8.8, sourced out the outside interface, every 10 seconds.
- sla monitor schedule tells the ASA to start running the probe immediately and keep running it forever.
- track 1 rtr 1 reachability creates a track object that follows SLA 1's "reachable" state.
- The primary default route is bound to track 1. While the track is up, the route is installed at distance 1. When the track goes down, the route is withdrawn.
- The backup route at distance 200 has no track and is always available; it gets installed automatically when the tracked primary disappears.
Verify:
ASA-PERIM# show track 1
Track 1
Response Time Reporter 1 reachability
Reachability is Up
4 changes, last change 02:14:31
Latest operation return code: OK
Latest RTT (millisecs) 12
Tracked by:
STATIC-IP-ROUTING 0
ASA-PERIM# show sla monitor operational-state
Entry number: 1
Modification time: 03:21:08.999 UTC Sun May 10 2026
Number of operations attempted: 142
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 12
Latest operation start time: 03:24:41.999 UTC Sun May 10 2026
Latest operation return code: OK
RTT Values:
RTTAvg: 12 RTTMin: 8 RTTMax: 23
NumOfRTT: 1 RTTSum: 12 RTTSum2: 144
"Reachability is Up" plus a small change count (4 changes suggests a stable history, not flapping) is the healthy steady state. If it flips up/down repeatedly, either your probe is too aggressive (the frequency value is too small for the path) or the target is itself flaky; pick a reliable target like a public anycast DNS or your ISP's loopback.
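To make the difference between the floating-only and the tracked design concrete, here is an added Python model (not part of the original article and not how the ASA is implemented) of the route-installation rules described in the last two sections: a static route is in the table only while its egress interface is up and, if bound to a track, while that track is up; the lowest administrative distance among installed defaults wins. The route values are taken from the config above; the interface and track states are constructed events.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticRoute:
    interface: str
    next_hop: str
    distance: int = 1              # administrative distance; static default is 1
    track: Optional[int] = None    # SLA track id from "track ID", or None if untracked

def installed(routes, iface_up, track_up):
    """Routes the ASA keeps in the table: egress interface up, and if the
    route carries a track, that track must currently be up."""
    return [r for r in routes
            if iface_up.get(r.interface, False)
            and (r.track is None or track_up.get(r.track, False))]

def gateway_of_last_resort(routes, iface_up, track_up):
    """Lowest administrative distance among the installed default routes."""
    cands = installed(routes, iface_up, track_up)
    return min(cands, key=lambda r: r.distance) if cands else None

# From the config above: primary at AD 1 (tracked or not) and an untracked AD 200 backup.
PRIMARY_TRACKED = StaticRoute("outside", "203.0.113.1", 1, track=1)
PRIMARY_UNTRACKED = StaticRoute("outside", "203.0.113.1", 1)
BACKUP = StaticRoute("outside-bak", "198.51.100.1", 200)

def failover_matrix():
    """Which next-hop each design uses under three constructed events."""
    links_up = {"outside": True, "outside-bak": True}
    results = {}
    for design, primary in (("floating_only", PRIMARY_UNTRACKED), ("tracked", PRIMARY_TRACKED)):
        routes = [primary, BACKUP]
        # Steady state: both links up, the probe to 8.8.8.8 is answering, track 1 up.
        results[(design, "steady")] = gateway_of_last_resort(routes, links_up, {1: True}).next_hop
        # Link up but next-hop stopped forwarding: probes time out, track 1 goes down.
        results[(design, "nexthop_dead")] = gateway_of_last_resort(routes, links_up, {1: False}).next_hop
        # Line protocol on outside drops: every route over that interface is removed.
        links_down = dict(links_up, outside=False)
        results[(design, "link_down")] = gateway_of_last_resort(routes, links_down, {1: False}).next_hop
    return results
```

The floating-only design keeps sending traffic to 203.0.113.1 in the next-hop-dead case, which is the blackhole the tracked design avoids.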
Removing and Replacing Routes
The remove syntax is no route ... with the same arguments as the add. Tab completion helps. Routes are removed instantly from the table; in-flight flows that depended on them break.
Replacing a static route in place is two commands - remove the old, add the new. Always do the add first if you can:
ASA-PERIM(config)# route inside 10.10.10.0 255.255.255.0 10.10.0.2 1
ASA-PERIM(config)# no route inside 10.10.10.0 255.255.255.0 10.10.0.1 1
That gives you a brief window where both routes are in the table (the ASA will deduplicate by next-hop) and then a clean removal of the old one. Doing it the other way - no route first, then route - leaves a window where there is no route at all and traffic for that prefix gets asp-drop'd as (no-route).
Static Routes and Dynamic Routing Coexistence
If the ASA also runs OSPF or BGP, statics and dynamics coexist by administrative distance. A static at distance 1 always beats an OSPF route at distance 110 for the same prefix. To redistribute a static into OSPF (so downstream OSPF neighbors learn it from the ASA), use redistribute static under the OSPF process. To advertise the static default into OSPF, use default-information originate.
ASA-PERIM(config)# router ospf 1
ASA-PERIM(config-router)# network 10.10.0.0 255.255.255.0 area 0
ASA-PERIM(config-router)# default-information originate
ASA-PERIM(config-router)# redistribute static subnets
Most static-only deployments do not need either. The downstream layer-3 switch usually has its own static back to the ASA's inside IP, and dynamic protocols on a perimeter firewall are rare for security reasons.
Diagnostic Commands
| Command | What it tells you |
|---|---|
| show route | Full RIB. Code in the first column tells you the source. |
| show route summary | Counts per source. Useful for "did I lose 200 statics?" |
| show route DEST | Best-match lookup for one destination. Confirms which route the ASA would use. |
| show route static | Just the static routes (no connected, no learned). |
| show running-config route | The configured static routes, in the order they appear in the config. |
| packet-tracer | Walks a packet through the pipeline including the ROUTE-LOOKUP phase, telling you what the ASA picked. |
For "I changed a route and now traffic is broken," packet-tracer for the failing flow is the fastest path to the actual decision the ASA is making. The output names the route table entry it matched.
Common Traps
Wrong egress interface. The named interface in route INTERFACE ... must be the interface you can reach the next-hop on. route outside 10.10.10.0 255.255.255.0 10.10.0.1 fails (next-hop is inside, not outside). The ASA accepts the command but the route is invalid; it shows up in show route with no neighbor and silently drops traffic for that prefix.
Floating distance too low. If your floating backup is at distance 50 and you also run OSPF (distance 110), the floating beats OSPF and you get unexpected paths. Always pick a floating distance higher than every dynamic protocol the ASA might learn the same prefix from. Distance 200 is a safe choice for most deployments.
Forgetting to track the primary. If the primary default and the floating backup both exist, but the primary has no track, only an interface-down event triggers failover. A blackhole upstream (link up, next-hop dead) is invisible. Always pair production multi-WAN with route tracking.
Tracking the wrong target. Probing your ISP's first-hop only tests the first hop. If that is reachable but the rest of the internet is not, your track stays up. Probe a target deeper in the path (a public DNS root, your second-hop ISP router) to detect upstream failures, not just last-mile failures.
Key Takeaways
Static routing on the ASA covers most production needs: a default to the ISP, internal statics to downstream L3 switches, and floating or tracked routes for multi-WAN. Administrative distance picks the winner when two routes overlap; pair floating routes with IP SLA tracking to catch blackholes that interface state alone misses.
show route with its code legend tells you where every route came from. packet-tracer is the diagnostic when the routing decision itself is in question.
Next: Cisco ASA Management Plane Hardening for SSH, AAA, banners, and the rest of the controls that turn a freshly bootstrapped ASA into something safe to expose to operations staff. Or for the broader picture, see the Cisco ASA pillar reading order.