I have an ASA as default gateway in a DMZ and need to let it act as a router, redirecting back out of the same interface to another gateway (which is also an ASA).
I had expected it to send an ICMP redirect, but as far as I can see it doesn't. Can this be?
I have defined "enable traffic between two or more interfaces with the same security level" and "enable traffic between two or more hosts connected to the same interface", which must be the case here.
def gw (ASA1) = 192.168.1.1
second gw (ASA2) = 192.168.1.254
When I trace on a client on 192.168.1.22 which is going to a network behind ASA2, I don't see an ICMP redirect, which gives me the problem that e.g. ping works fine but the TCP session I need to establish is not established.
I would really prefer to avoid a router in front, and I also don't want to disable the TCP state handling through MPF. Any suggestions?
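A toy model of what the question describes, added here as an illustration and not part of the original thread or of any Cisco code. With ASA1 as the client's default gateway, only the client-to-server half of each conversation passes through ASA1 (hairpinned out of the same DMZ interface towards ASA2); ASA2 delivers the replies straight to the client on the shared subnet. An ICMP echo needs nothing more than that one-way pass, so ping works. A TCP connection needs ASA1 to see the SYN-ACK before it will accept the client's ACK, and that SYN-ACK never arrives, so the third handshake packet is dropped. The client and gateway addresses are the ones from the question; the server address, port numbers and the firewall's state machine are constructed simplifications. The `tcp_state_bypass` switch models the MPF option mentioned above: it makes the hairpin work only by giving up handshake tracking for that traffic entirely.

```python
# Added example (not from the original thread): a toy model of ASA1's TCP
# state tracking, showing why a hairpinned TCP connection via ASA1 fails
# while ping succeeds when replies come back through ASA2 directly.
# Client and gateway addresses are the ones in the question; SERVER, the
# ports and the state machine are constructed simplifications, not ASA code.
from dataclasses import dataclass, field

CLIENT = "192.168.1.22"    # client's address (from the question)
ASA1 = "192.168.1.1"       # client's default gateway
ASA2 = "192.168.1.254"     # gateway to the remote network
SERVER = "10.20.30.40"     # constructed: host on the network behind ASA2


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    flags: str = ""       # TCP only: "SYN", "SYN-ACK", "ACK"
    sport: int = 0
    dport: int = 0


@dataclass
class StatefulFirewall:
    """Minimal connection tracker in the spirit of a stateful firewall:
    a SYN opens a half-open entry, the matching SYN-ACK makes it
    established, and any other TCP segment without an established entry
    is dropped. With tcp_state_bypass=True (the MPF option mentioned in
    the question) TCP is forwarded with no connection state at all."""
    name: str
    tcp_state_bypass: bool = False
    conns: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Same key for both directions of one flow.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def forward(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if p.proto == "icmp":
            # Simplification: ICMP is not tracked here (an ASA only tracks
            # it statefully when 'inspect icmp' is enabled).
            self.log.append(f"{self.name}: permit icmp {p.src}->{p.dst}")
            return True
        if self.tcp_state_bypass:
            self.log.append(f"{self.name}: bypass tcp {p.flags} {p.src}->{p.dst}")
            return True
        k = self._key(p)
        state = self.conns.get(k)
        if p.flags == "SYN" and state is None:
            self.conns[k] = "SYN_SENT"
            verdict = True
        elif p.flags == "SYN-ACK" and state == "SYN_SENT":
            self.conns[k] = "ESTABLISHED"
            verdict = True
        elif state == "ESTABLISHED":
            verdict = True
        else:
            verdict = False      # no complete handshake seen: drop
        action = "permit" if verdict else "drop"
        self.log.append(f"{self.name}: {action} tcp {p.flags} {p.src}->{p.dst} (state={state})")
        return verdict


def simulate(return_via_asa1: bool = False, tcp_state_bypass: bool = False) -> dict:
    """Run a ping and a TCP handshake from CLIENT to SERVER.

    Client-to-server packets always go CLIENT -> ASA1 (default gw) -> ASA2,
    hairpinned out of the same DMZ interface. Server-to-client packets come
    back ASA2 -> CLIENT directly, unless return_via_asa1 is True, which
    stands in for a symmetric design where both directions cross ASA1.
    """
    asa1 = StatefulFirewall("ASA1", tcp_state_bypass=tcp_state_bypass)

    def client_to_server(p: Packet) -> bool:   # always traverses ASA1
        return asa1.forward(p)

    def server_to_client(p: Packet) -> bool:   # traverses ASA1 only if symmetric
        return asa1.forward(p) if return_via_asa1 else True

    # ICMP: only the echo request crosses ASA1; the reply comes straight back.
    ping_ok = client_to_server(Packet(CLIENT, SERVER, "icmp")) and \
        server_to_client(Packet(SERVER, CLIENT, "icmp"))

    # TCP three-way handshake (constructed ports).
    syn = Packet(CLIENT, SERVER, "tcp", "SYN", 40000, 443)
    synack = Packet(SERVER, CLIENT, "tcp", "SYN-ACK", 443, 40000)
    ack = Packet(CLIENT, SERVER, "tcp", "ACK", 40000, 443)
    tcp_ok = client_to_server(syn) and server_to_client(synack) and client_to_server(ack)

    return {"ping": ping_ok, "tcp": tcp_ok,
            "asa1_conns": dict(asa1.conns), "log": list(asa1.log)}


if __name__ == "__main__":
    for kwargs in ({}, {"return_via_asa1": True}, {"tcp_state_bypass": True}):
        r = simulate(**kwargs)
        print(kwargs or "asymmetric hairpin (as in the question)",
              "ping:", r["ping"], "tcp:", r["tcp"])
        for line in r["log"]:
            print("   ", line)
```

Run as-is, the first case leaves ASA1 with a single half-open entry and drops the client's ACK, which is the symptom in the question; the second case shows that the same tracker is happy as soon as the return traffic also crosses ASA1; the third shows that state bypass forwards everything but leaves ASA1 with no connection table for that flow, which is exactly the inspection you lose.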
Yes, you are right. I couldn't understand why it didn't send a redirect, but of course, it is not a router but a firewall. I thought there was a way to let it send a redirect to avoid this TCP bypass policy, but it doesn't look so.