topic ICMP redirect in Network Security

ICMP redirect

beaujoire — Mon, 11 Mar 2019 20:53:18 GMT

Hi,

I would like how I can allow the ICMP Redirect ( type 5 ) on my ASA LAN Interface.

PC from LAN have ASA LAN interface as gateway and have to join another Router behind.

I need to allow this traffic.

Thank you

ICMP redirect

p.charalambous1 — Thu, 30 Jun 2011 11:02:43 GMT

From the old times, icmp redirect is blocked by default on the ASA. I think you can not allow it. You can put as default gateway the other inside Router, and then have a default route on this router to point back to the ASA inside interface.

ICMP redirect

beaujoire — Thu, 30 Jun 2011 13:10:37 GMT

Client Must have ASA interface as default Gateway,I can't change it with default gateway of the inside Router.

This is my topology :

Server (192.168.4.20) ---- (4.229) Router (.1.229) ----- (1.254)(IN) ASA (OUT)

PC - 192.168.1.108

Gw : 192.168.1.254

I've just read this Post : https://supportforums.cisco.com/message/3290683#3290683

Its seems to be similar to my Problem.

I don't understand the solution to split the network in two and add routes to the inside router.

However I will try the TCP bypass Solution.

Or Maybe I can add a batch script on the Client,it would be someting like that:

192.168.4.0 255.255.255.0 192.168.1.229 1 By this way,I could keep the default Gateway and traffic will avoid to access trought the ASA interface.isn't it ?

Thank You

ICMP redirect

beaujoire — Tue, 05 Jul 2011 13:51:48 GMT

No one?

Re: ICMP redirect

vmilanov — Tue, 05 Jul 2011 16:33:42 GMT

Hello Thomas,

Try this from global config mode:

icmp permit any 5

route 192.168.4.0 255.255.255.0 192.168.1.229

end

Or, if it a matter of just that single PC, you can install a permanent route on it to the 192.168.4.0/24 network:

- If it is a Win machine: route -p add 192.168.4.0 mask 255.255.255.0 192.168.1.229

- If Linux or other *NIX: /sbin/route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.1.229

both commands would require either Administrative or su privileges.

HTH/Regards,

Vasil

Re: ICMP redirect

beaujoire — Wed, 06 Jul 2011 08:40:31 GMT

I' ve add the command. It's still the same,the packet is denied. I joined the Packet Tracert Log.

I need to access network 4.0 from different clients in the LAN.I will test the TCP Bypass Option or add the route in the Logon script if the ICMP redirect cann't work with ASA .