ASA 9.1 not sending ICMP redirects?

tiwang (Level 3)

hi out there

I have an ASA as default gateway in a DMZ and need to let it act as a router, redirecting back out of the same interface to another gateway (which is also an ASA).

I had expected it to send an ICMP redirect, but as far as I can see it doesn't. Can this be?

I have defined "enable traffic between two or more interfaces with the same security level" and "enable traffic between two or more hosts connected to the same interface", which must be the case here.

def gw (ASA1) = 192.168.1.1

second gw (ASA2) = 192.168.1.254

When I trace on a client on 192.168.1.22 which is going to a network behind ASA2, I don't see an ICMP redirect, which gives me the problem that e.g. ping works fine but the TCP session I need to establish is not established.

I would really prefer to avoid a router in front, and I also don't want to disable the TCP state handling through MPF. Any suggestions?

best regards /ti

Accepted Solution

Vibhor Amrodia (Cisco Employee)

Hi,

ICMP redirects would not be sent by the ASA device.

For a U-turn of the traffic from your default GW ASA1, you might have to disable the TCP state check to get this traffic working in the current setup.

Please check this for more information:

https://supportforums.cisco.com/document/69261/hairpinu-turn-traffic-interface-asa-running-83-or-later

Thanks and Regards,

Vibhor Amrodia

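For readers who end up taking the route the accepted answer describes, here is what the MPF configuration for that U-turn looks like. This is an added example, not configuration posted by either participant. It uses the addresses from the question (DMZ subnet 192.168.1.0/24, ASA1 at 192.168.1.1, ASA2 at 192.168.1.254) and assumes the DMZ interface is named "dmz" and the network behind ASA2 is 10.20.0.0/16; both of those are placeholders you must replace. The reason the TCP session fails is asymmetry: the client's SYN goes client -> ASA1 -> ASA2, but the SYN-ACK comes back ASA2 -> client directly on the shared segment, so ASA1 never sees the reply and its TCP normalizer drops the client's following ACK as out of state. ICMP echo is not tracked the same way by default, which is why ping works.

```cisco
! Added example config for ASA 9.x (not from the original post).
! Goal: let hairpinned TCP flows from the DMZ toward the network behind
! ASA2 survive on ASA1 even though ASA1 only sees one direction of them.

! Allow traffic to enter and leave the same interface (the question says
! this is already enabled via ASDM; this is the equivalent CLI line).
same-security-traffic permit intra-interface

! Route the destination network behind ASA2 via ASA2 on the DMZ segment.
! 10.20.0.0/16 and the interface name "dmz" are assumed placeholders.
route dmz 10.20.0.0 255.255.0.0 192.168.1.254

! Match ONLY the asymmetric flows. Keep this ACL as narrow as possible:
! everything it matches loses TCP state tracking and TCP normalization.
access-list DMZ-TO-ASA2 extended permit tcp 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0

class-map DMZ-TO-ASA2-CLASS
 match access-list DMZ-TO-ASA2

! Apply TCP state bypass to that class only.
policy-map DMZ-TO-ASA2-POLICY
 class DMZ-TO-ASA2-CLASS
  set connection advanced-options tcp-state-bypass

! Attach it to the DMZ interface, where the hairpinned SYN arrives.
service-policy DMZ-TO-ASA2-POLICY interface dmz
```

After applying it, `show service-policy interface dmz` should list the policy with hit counts that grow as the client connects, and `show conn` entries for those flows carry the `b` (TCP state bypass) flag. Do not attach this to the global policy or use a permit-any ACL: stateless handling means ASA1 will no longer reject injected or spoofed segments for anything the class matches, so the ACL, not the bypass, is what limits the exposure. The cleaner long-term fix is to remove the asymmetry (a dedicated transit segment between the two ASAs, or static routes on the hosts pointing the ASA2 networks at 192.168.1.254) so no bypass is needed at all.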

2 Replies


hi again

Yes, you are right. I couldn't understand why it didn't send a redirect, but of course, it is not a router but a firewall. I thought there was a way to let it send a redirect to avoid this TCP bypass policy, but it doesn't look so.

best regards /ti
