
New Member

ASA 5520 - Can not change default route.

Hi

My ASA is sitting behind a router; the next hop from the ASA to the router is 10.0.0.5. I have tried to change the default route to "route DMZ 0 0 10.0.0.5" to no avail. Right now the default route is (S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.8.20, Outside), but even if I do a "no route Outside 0 0 172.16.8.20" the default route does not disappear when I do a "sh route" command. Any help would be greatly appreciated.

Hall of Fame Super Silver

ASA 5520 - Can not change default route.

Your post is unclear. Is your default route out the DMZ or out the Outside interface?

Can you share your configuration or at least "show ip address" and "show route" from your ASA?

New Member

ASA 5520 - Can not change default route.

I apologize for not being clear; hopefully this helps. Basically the default route should be: route DMZ 0.0.0.0 0.0.0.0 10.10.10.5. I had to add a metric of 2 because otherwise it would conflict with the gateway of last resort. The interesting part is that if I try to remove the current gateway of last resort, the error I get is "%No matching route to delete", and if I try to add the new route I get "ERROR: Cannot add route entry, conflict with existing routes".

**"show ip address" output---

Interface                Name          IP address      Subnet mask      Method
GigabitEthernet0/0       Outside       172.22.8.166    255.255.252.0    CONFIG
GigabitEthernet0/3       DMZ           10.10.10.16     255.255.255.0    CONFIG
Management0/0            management    192.168.100.1   255.255.255.0    CONFIG
GigabitEthernet1/0       Inside        172.16.0.2      255.255.252.0    CONFIG
GigabitEthernet1/1       VPN           X.X.X.X         255.255.255.240  CONFIG

Current IP Addresses:
Interface                Name          IP address      Subnet mask      Method
GigabitEthernet0/0       Outside       172.22.8.166    255.255.252.0    CONFIG
GigabitEthernet0/3       DMZ           10.10.10.16     255.255.255.0    CONFIG
Management0/0            management    192.168.100.1   255.255.255.0    CONFIG
GigabitEthernet1/0       Inside        172.16.0.2      255.255.252.0    CONFIG
GigabitEthernet1/1       VPN           X.X.X.X         255.255.255.240  CONFIG

**"show running-config" output---

!The DMZ route should be the gateway of last resort
route DMZ 0.0.0.0 0.0.0.0 10.10.10.5 2
route Outside 10.0.1.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.2.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.4.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.5.0 255.255.255.240 172.22.8.20 1
route Outside 10.0.6.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.25.0 255.255.255.0 172.22.8.20 1
route Outside 10.0.52.0 255.255.255.0 172.22.8.20 1
route Inside 172.16.0.0 255.255.252.0 172.16.0.3 1
route Outside 172.16.6.0 255.255.255.0 172.16.6.1 1
route Outside 172.22.0.0 255.255.0.0 172.22.8.20 10
route Outside 192.168.0.0 255.255.255.0 172.22.8.20 255
route DMZ 192.168.200.0 255.255.255.0 156.108.124.66 1

**"show route" output ---

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.22.8.20 to network 0.0.0.0

S    172.16.6.0 255.255.255.0 [1/0] via 172.16.6.1, Outside
                              [1/0] via 172.22.8.20, Outside
C    172.16.0.0 255.255.252.0 is directly connected, Inside
C    172.22.8.0 255.255.252.0 is directly connected, Outside
S    172.22.0.0 255.255.0.0 [10/0] via 172.22.8.20, Outside
D    192.168.4.8 255.255.255.252 [90/2178816] via 172.16.0.3, 66:37:21, Inside
D    192.168.4.9 255.255.255.255 [90/2178816] via 172.16.0.3, 66:37:21, Inside
S    10.0.2.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
D    10.0.0.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside
C    10.10.10.0 255.255.255.0 is directly connected, DMZ
S    10.0.1.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S    10.0.6.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S    10.0.4.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S    10.0.5.0 255.255.255.240 [1/0] via 172.22.8.20, Outside
S    10.0.25.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
S    10.0.52.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
S    192.168.0.0 255.255.255.0
           [255/0] via 172.22.8.20, Outside
D    192.168.100.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside

! I have tried to remove the route below with the command "no route Outside 0 0 172.22.8.20" but always get the error %No matching route to delete
S*   0.0.0.0 0.0.0.0 [1/0] via 172.22.8.20, Outside

Hall of Fame Super Silver

ASA 5520 - Can not change default route.

Are you or is anyone else connecting to the ASA via VPN?

I ask because there is the chance you may be getting a default route injected via reverse route injection (RRI) or other configuration in the VPN. Such a route would show up in the routing table but not in the running configuration.
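As an added example (not from this thread or from Cisco), here is a small Python check for exactly the symptom just described: it parses the static entries of "show route" and the "route" statements of the running-config and reports RIB entries that no statement accounts for. The sample text is constructed from the outputs quoted earlier in the thread, and on it the S* default via 172.22.8.20 is flagged, as is the second next hop for 172.16.6.0, which likewise has no matching "route" line.

```python
import re

# Constructed sample input, taken from the outputs quoted in this thread.
RUNNING_CONFIG = """\
route DMZ 0.0.0.0 0.0.0.0 10.10.10.5 2
route Outside 10.0.1.0 255.255.255.252 172.22.8.20 1
route Outside 172.16.6.0 255.255.255.0 172.16.6.1 1
"""
SHOW_ROUTE = """\
S    172.16.6.0 255.255.255.0 [1/0] via 172.16.6.1, Outside
                              [1/0] via 172.22.8.20, Outside
C    172.22.8.0 255.255.252.0 is directly connected, Outside
S    10.0.1.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.22.8.20, Outside
"""

CONFIG_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
HEAD_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)(.*)$")  # S / S* entries only
VIA_RE = re.compile(r"via\s+(\S+),\s*(\S+)")

def configured_static_routes(config_text):
    """Set of (network, mask, next_hop, interface) from 'route' lines."""
    routes = set()
    for line in config_text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            iface, net, mask, gw = m.groups()
            routes.add((net, mask, gw, iface))
    return routes

def installed_static_routes(show_route_text):
    """Same tuples from 'show route' static entries, incl. continuation lines."""
    routes, net, mask = set(), None, None
    for line in show_route_text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            net, mask, rest = m.groups()
        elif net and line.startswith(" "):
            rest = line  # indented line: another next hop for the same prefix
        else:
            net = mask = None  # connected/dynamic entry: stop attaching hops
            continue
        for gw, iface in VIA_RE.findall(rest):
            routes.add((net, mask, gw, iface))
    return routes

def unexplained_static_routes(config_text, show_route_text):
    """Static routes in the RIB that no 'route' statement accounts for."""
    return installed_static_routes(show_route_text) - configured_static_routes(config_text)
```

Anything this returns came from somewhere other than a "route" statement (RRI, DHCP setroute, or similar), which is the next place to look rather than the static route table.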

New Member

Re: ASA 5520 - Can not change default route.

Hi Marvin,

First I want to say thanks for your help... Yes, there are 2 L2L VPNs connected to this particular device. I did not know what RRI was until you mentioned it. Also, OSPF was enabled on this device but I disabled it when I was trying to troubleshoot. I have access to one of the two devices involved with the VPN tunnels. Is there a way to verify that RRI is causing the route injection?

Purple

ASA 5520 - Can not change default route.

Hi,

Can you try "clear configure route 0 0"?

Regards

Alain

Don't forget to rate helpful posts.

New Member

ASA 5520 - Can not change default route.

Hi,

Can you share your configuration? Then I'll sort out what the problem is.

Regards

Parosh

New Member

ASA 5520 - Can not change default route.

Thanks for your reply, Alain. "configure" is not an option on my ASA.

clear configure route 0 0

Hall of Fame Super Silver

ASA 5520 - Can not change default route.

You need to be in global configuration mode before issuing the "clear configure route 0 0 " command.

Reference.

Again, sharing your configuration (or at least the relevant sections) helps us better understand the problem. If you choose not to do so, our ability and willingness to assist is constrained.

ASA 5520 - Can not change default route.

Does your "Outside" interface have its IP address obtained from DHCP with the "setroute" option?

Hall of Fame Super Silver

Re: ASA 5520 - Can not change default route.

Excellent thought, jjohnston.

That sounds even more likely than the path I was going down with RRI. I hadn't considered that since I so seldom ever see a production ASA with DHCP addressing on its main interface (in fact I've only seen them described here, usually in people's home labs).

New Member

Re: ASA 5520 - Can not change default route.

Thank you everyone for your help with my problem. After Marvin mentioned RRI I started looking at configurations and found this: "crypto map outside_map 1 set reverse-route" on the ASA at the branch location. Before Marvin mentioned it I never knew what RRI was, but I added a few static routes and things are working now. So I think it was RRI after all.

Hall of Fame Super Silver

Re: ASA 5520 - Can not change default route.

Cool. Another one solved. Plus we all learn (or re-learn) something.

Thanks for the rating.
