06-30-2011 02:16 AM - edited 03-11-2019 01:53 PM
Hi,
I would like to know how I can allow ICMP Redirect (type 5) on my ASA LAN interface.
PCs on the LAN have the ASA LAN interface as gateway and have to reach another router behind it.
I need to allow this traffic.
Thank you
06-30-2011 04:02 AM
From the old times, ICMP redirect is blocked by default on the ASA. I think you cannot allow it. You can set the other inside router as the default gateway, and then have a default route on this router pointing back to the ASA inside interface.
06-30-2011 06:10 AM
The client must have the ASA interface as its default gateway; I can't change it to the inside router.
This is my topology:
Server (192.168.4.20) ---- (4.229) Router (.1.229) ----- (1.254)(IN) ASA (OUT)
                                                     |
                                                     |
                                            PC - 192.168.1.108
                                            Gw : 192.168.1.254
I've just read this post: https://supportforums.cisco.com/message/3290683#3290683
It seems to be similar to my problem.
I don't understand the solution to split the network in two and add routes to the inside router.
However, I will try the TCP bypass solution.
Or maybe I can add a batch script on the client; it would be something like this:
192.168.4.0 255.255.255.0 192.168.1.229 1
This way, I could keep the default gateway and the traffic would avoid going through the ASA interface, wouldn't it?
Thank You
07-05-2011 06:51 AM
No one?
07-05-2011 09:33 AM
Hello Thomas,
Try this from global config mode:
icmp permit any 5
route
end
Or, if it is a matter of just that single PC, you can install a permanent route on it to the 192.168.4.0/24 network:
- If it is a Windows machine: route -p add 192.168.4.0 mask 255.255.255.0 192.168.1.229
- If Linux or other *NIX: /sbin/route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.1.229
Both commands require either Administrator or su privileges.
HTH/Regards,
Vasil
07-06-2011 01:40 AM
I've added the command. It's still the same, the packet is denied. I attached the Packet Tracer log.
I need to access network 4.0 from different clients in the LAN. I will test the TCP bypass option or add the route in the logon script if ICMP redirect can't work with the ASA.