Cisco Support Community
New Member

ASA 9.1 not sending ICMP redirects?

Hi out there,

I have an ASA as default gateway in a DMZ and need to let it act as a router, redirecting back out of the same interface to another gateway (which is also an ASA).

I had expected it to send an ICMP redirect, but as far as I can see it doesn't. Can this be?

I have enabled "traffic between two or more interfaces with the same security level" and "traffic between two or more hosts connected to the same interface", which must be the case here.

default gw (ASA1) = 192.168.1.1

second gw (ASA2) = 192.168.1.254

When I trace on a client at 192.168.1.22 that is going to a network behind ASA2, I don't see an ICMP redirect, which gives me the problem that e.g. ping works fine but the TCP session I need to establish is not established.

I would really prefer to avoid a router in front, and I also don't want to disable the TCP state handling through MPF. Any suggestions?

 

best regards /ti

1 ACCEPTED SOLUTION

Cisco Employee

Hi,

ICMP redirect would not be sent by the ASA device.

For U-turn of the traffic from your default gateway ASA1, you might have to disable the TCP state check to get this traffic working in the current setup.

Please check this for more information:

https://supportforums.cisco.com/document/69261/hairpinu-turn-traffic-interface-asa-running-83-or-later

Thanks and Regards,

Vibhor Amrodia
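As an added example (not from the original thread and not the linked Cisco document's own configuration), this is the ASA1 configuration the accepted answer points at: permit the hairpin on the DMZ interface, route the networks behind ASA2 to 192.168.1.254, and exempt only those hairpinned flows from TCP state checking. The interface name dmz and the destination network 10.20.0.0/16 behind ASA2 are assumptions; 192.168.1.0/24, 192.168.1.22 and 192.168.1.254 come from the question. The reason the state check bites here: the client's SYN traverses ASA1 on its way to ASA2, but the server's SYN-ACK comes back from ASA2 directly to the client on the shared subnet, so ASA1 never sees the server half of the handshake and drops the client's ACK as out of state. ICMP echo has no handshake, which is why ping works.

```text
! ASA1 (192.168.1.1). Interface name "dmz" and 10.20.0.0/16 are assumed.
! Added example, not the thread's own configuration.
!
! 1. Allow a packet to leave through the interface it arrived on. This is the
!    "two or more hosts connected to the same interface" option in ASDM; the
!    inter-interface option is not needed for this case.
same-security-traffic permit intra-interface
!
! 2. The hairpin itself: networks behind ASA2 are reached via ASA2's DMZ address.
route dmz 10.20.0.0 255.255.0.0 192.168.1.254
!
! 3. Match only the flows that actually get hairpinned (DMZ clients to the
!    networks behind ASA2). Keep this as narrow as possible: every flow matched
!    here loses TCP state tracking, sequence-number randomization and TCP
!    normalization.
access-list DMZ_TO_ASA2 extended permit tcp 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
!
class-map CM_TCP_BYPASS
 match access-list DMZ_TO_ASA2
!
! 4. Apply TCP state bypass to that class only, on the DMZ interface. The global
!    policy, including its TCP state checks, still applies to everything else.
policy-map PM_DMZ
 class CM_TCP_BYPASS
  set connection advanced-options tcp-state-bypass
!
service-policy PM_DMZ interface dmz
!
! 5. Verify. packet-tracer should end with "Action: allow", the service policy
!    should show hits on CM_TCP_BYPASS, and once the client connects the conn
!    should carry the "b" (TCP state-bypass) flag.
packet-tracer input dmz tcp 192.168.1.22 40000 10.20.0.10 443
show service-policy interface dmz
show conn address 192.168.1.22 detail
```

Scope the access list to exactly the prefixes behind ASA2; a bypass class that matches "any" silently removes TCP state checking from the whole DMZ. If the bypass is not acceptable, the only way to avoid the hairpin altogether is to take ASA1 out of the path for those prefixes, i.e. a router in front or routes on the clients pointing at 192.168.1.254, since the ASA will not send ICMP redirects on its own.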

2 REPLIES
New Member

Hi again,

Yes, you are right. I couldn't understand why it didn't send a redirect, but of course, it is not a router but a firewall. I thought there was a way to let it send a redirect to avoid this TCP bypass policy, but it doesn't look so.

best regards /ti
