PIX7.x/ASA and icmp redirects

Discussion in 'Cisco' started by Tosh, Apr 19, 2006.

  1. Tosh

    Tosh Guest

    Anyone knows if cisco has added the capability of sending icmp redirects to
    internal users in Pix7.x and asa appliances?
    Bye,
    Tosh.
     
    Tosh, Apr 19, 2006
    #1

  2. I'm not certain, but for the PIX at least, I would find it quite
    unlikely. The PIX is designed not to allow packets to go back out
    the same interface they came in on [*], and the RFC requirements that
    go with support for ICMP Redirect require that the packet be
    passed along (though the Redirect message itself need not always
    be sent.)

    [*] Exception: in PIX 7.x, there is an option to allow the
    packet through provided that at least one component of the path
    is a VPN tunnel... in which case it would never be the -same- packet
    that went back out on the interface.
     
    Walter Roberson, Apr 19, 2006
    #2

  3. Tosh

    Tosh Guest

    "I'm not certain, but for the PIX at least, I would find it quite unlikely."
    I'm not sure either, but I feel you are right, since I cannot find any new
    command or option that can accomplish that task; even the reference manual
    doesn't mention it.
    I'm asking myself which security issues a feature like that may cause if
    applied only to the inside interface, provided that this is a choice made
    with security in mind.
    Tnx,
    Tosh.
     
    Tosh, Apr 19, 2006
    #3
  4. "bounce attacks".

    If you can reach (and control) A but not B, and B is set to have its
    gateway be the PIX, then if you can "bounce" the packets off of the
    inside of the PIX, you can send A -> B forging the PIX's MAC; the reply
    will go to the PIX which will redirect it back to A. This allows you
    to bypass MAC-based filters at B.
     
    Walter Roberson, Apr 19, 2006
    #4
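The bounce described in the post above, as an added toy simulation that is not part of the thread and not Cisco code. It models one inside segment: the PIX inside interface, an attacker-controlled host A, and a MAC-filtered target B. Two assumptions are built in: B accepts only frames whose source MAC is the PIX's, and B hands every packet to its gateway rather than ARPing for A directly (a host route or restricted netmask would do this). The `hairpin` flag stands for whether the firewall will send traffic back out the interface it arrived on; on PIX 7.x/ASA that behaviour is governed by `same-security-traffic permit intra-interface`, which is off by default. All addresses are made up.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses for the toy inside segment (not from the thread).
PIX_IP, PIX_MAC = "10.0.0.1", "00:00:5e:00:01:01"
A_IP, A_MAC = "10.0.0.10", "02:00:00:00:00:0a"   # host the attacker controls
B_IP, B_MAC = "10.0.0.20", "02:00:00:00:00:14"   # target behind a MAC filter


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Pix:
    """Inside interface of the firewall. `hairpin` models whether traffic
    may leave through the interface it arrived on (off on classic PIX)."""
    hairpin: bool
    arp: dict                                      # inside IP -> MAC
    redirects: list = field(default_factory=list)  # (sender, target) pairs

    def forward(self, f: Frame) -> Optional[Frame]:
        if f.dst_mac != PIX_MAC or f.dst_ip not in self.arp:
            return None                            # not for us / not an inside host
        if not self.hairpin:
            return None                            # same-interface traffic is dropped
        # Hairpin: L3 unchanged, L2 rewritten toward the real owner of dst_ip.
        # This is also the point where an ICMP Redirect to the sender would go out.
        self.redirects.append((f.src_ip, f.dst_ip))
        return Frame(PIX_MAC, self.arp[f.dst_ip], f.src_ip, f.dst_ip, f.payload)


@dataclass
class HostB:
    """Target host. Assumption: it only accepts frames from the PIX MAC and
    sends every packet to its gateway (e.g. host route / restricted mask)."""
    allowed_src_macs: frozenset = frozenset({PIX_MAC})

    def receive(self, f: Frame) -> Optional[Frame]:
        if f.dst_mac != B_MAC or f.src_mac not in self.allowed_src_macs:
            return None                            # MAC filter drops the frame
        return Frame(B_MAC, PIX_MAC, B_IP, f.src_ip, "reply:" + f.payload)


def run_bounce(hairpin: bool, forge_mac: bool = True) -> Optional[Frame]:
    """Attacker at A probes B; returns the reply frame that reaches A, if any."""
    pix = Pix(hairpin=hairpin, arp={A_IP: A_MAC, B_IP: B_MAC})
    probe = Frame(PIX_MAC if forge_mac else A_MAC, B_MAC, A_IP, B_IP, "probe")
    reply = HostB().receive(probe)
    if reply is None:
        return None                                # never got past B's filter
    bounced = pix.forward(reply)                   # B hands the reply to its gateway
    if bounced is not None and bounced.dst_mac == A_MAC:
        return bounced                             # PIX put it back on the inside segment
    return None


if __name__ == "__main__":
    print("no hairpin, forged MAC :", run_bounce(False))
    print("hairpin, forged MAC    :", run_bounce(True))
    print("hairpin, real MAC      :", run_bounce(True, forge_mac=False))
```

With hairpinning off the reply dies at the firewall, which is the behaviour the earlier post relies on; with it on, the forged-MAC probe gets a reply delivered to A even though B's filter never admitted A's real MAC. The third run shows the filter doing its job when the attacker does not spoof.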
  5. Tosh

    Tosh Guest

    "bounce attacks".
    Right, but in (not so) complex environments you need to bounce traffic among
    the various devices and/or use redirects, as long as you don't want to
    manually fill the hosts' routing tables... this way you only move the
    problem to another device.
    Bye,
    Tosh.
     
    Tosh, Apr 19, 2006
    #5
