Tosh (Guest)
Posted: Wed Apr 19, 2006 8:30 am    Post subject: PIX7.x/ASA and icmp redirects
Does anyone know if Cisco has added the capability of sending ICMP redirects to
internal users in PIX 7.x and ASA appliances?
Bye,
Tosh.
Walter Roberson (Guest)
Posted: Wed Apr 19, 2006 9:01 am    Post subject: Re: PIX7.x/ASA and icmp redirects
In article <4445baab$1@newsgate.x-privat.org>,
Tosh <mbasc@despammed.com> wrote:
> Does anyone know if Cisco has added the capability of sending ICMP redirects to
> internal users in PIX 7.x and ASA appliances?
I'm not certain, but for the PIX at least, I would find it quite
unlikely. The PIX is designed not to allow packets to go back out
the same interface they came in on [*], and the RFC requirements that
go with support for ICMP Redirect require that the packet be
passed along (though the Redirect message itself need not always
be sent.)
[*] Exception: in PIX 7.x, there is an option to allow the
packet through provided that at least one component of the path
is a VPN tunnel... in which case it would never be the -same- packet
that went back out on the interface.
Tosh (Guest)
Posted: Wed Apr 19, 2006 6:56 pm    Post subject: Re: PIX7.x/ASA and icmp redirects
> I'm not certain, but for the PIX at least, I would find it quite
> unlikely. The PIX is designed not to allow packets to go back out
> the same interface they came in on [*], and the RFC requirements that
> go with support for ICMP Redirect require that the packet be
> passed along (though the Redirect message itself need not always
> be sent.)
I'm not sure either, but I feel you are right, since I cannot find any new
command or option that can accomplish that task; even the reference manual
doesn't mention it.
I'm asking myself which security issues a feature like that might cause if
applied only at the inside interface, given that this is a choice made
with security in mind.
Thanks,
Tosh.
Walter Roberson (Guest)
Posted: Wed Apr 19, 2006 7:43 pm    Post subject: Re: PIX7.x/ASA and icmp redirects
In article <44464d56$1@newsgate.x-privat.org>,
Tosh <mbasc@despammed.com> wrote:
> > The PIX is designed not to allow packets to go back out
> > the same interface they came in on [*], and the RFC requirements that
> > go with support for ICMP Redirect require that the packet be
> > passed along (though the Redirect message itself need not always
> > be sent.)
> I'm asking myself which security issues a feature like that might cause if
> applied only at the inside interface, given that this is a choice made
> with security in mind.
"Bounce attacks".
If you can reach (and control) A but not B, and B is set to have its
gateway be the PIX, then if you can "bounce" the packets off the
inside of the PIX, you can send A -> B forging the PIX's MAC; the reply
will go to the PIX, which will redirect it back to A. This allows you
to bypass MAC-based filters at B.
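The following is an added example, not part of the original thread and not Cisco code. It is a small Python model of the two gateway behaviours discussed above: a router that forwards a packet back out the interface it arrived on and emits an ICMP Redirect (the RFC behaviour Walter describes in his first reply), and a PIX-style gateway that refuses to forward a packet back out its ingress interface. It then runs the "bounce attack" from this post against both: A forges the gateway's MAC so B's MAC filter accepts the frame, B hands its reply to its default gateway, and only the router-style gateway delivers that reply back to A. All MAC and IP addresses, host names and class names are constructed for the example.

```python
"""Constructed model of the 'bounce attack' discussed in the thread.

Hosts A (attacker) and B sit on the same inside LAN behind a gateway.
B accepts frames only from the gateway's MAC and routes all replies
via the gateway.  The gateway is either router-like (forwards the
packet back out the ingress interface and sends an ICMP Redirect, as
RFC 792 / RFC 1812 describe) or PIX-like (drops it instead).
Every address below is made up for the example.
"""
from dataclasses import dataclass
from typing import Optional

INSIDE = "inside"
GW_MAC = "00:00:0c:07:ac:01"   # gateway (PIX/ASA) MAC, constructed
A_MAC = "aa:aa:aa:aa:aa:aa"    # attacker's real MAC, constructed
B_MAC = "bb:bb:bb:bb:bb:bb"    # victim's MAC, constructed
GW_IP, A_IP, B_IP = "10.0.0.1", "10.0.0.10", "10.0.0.20"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class IcmpRedirect:
    to_ip: str        # host being told to change its route
    for_dst: str      # destination the redirect applies to
    use_gateway: str  # better next hop (here: the destination itself, on-link)


class FilteringHost:
    """B: MAC-based ingress filter, default route via the gateway."""

    def __init__(self, ip, mac, gw_mac, allowed_macs):
        self.ip, self.mac, self.gw_mac = ip, mac, gw_mac
        self.allowed_macs = set(allowed_macs)

    def receive(self, frame: Frame) -> Optional[Frame]:
        if frame.src_mac not in self.allowed_macs:
            return None                       # dropped by the MAC filter
        # The reply is handed to the default gateway, not to the sender's MAC.
        return Frame(self.mac, self.gw_mac, self.ip, frame.src_ip)


class Gateway:
    """Forwards by destination IP; `same_iface_forwarding` selects router vs PIX."""

    def __init__(self, mac, ip, routes, same_iface_forwarding):
        self.mac, self.ip = mac, ip
        self.routes = routes                  # dst_ip -> (out iface, next-hop MAC)
        self.same_iface_forwarding = same_iface_forwarding

    def forward(self, frame: Frame, in_iface: str):
        out_iface, nh_mac = self.routes[frame.dst_ip]
        redirect = None
        if out_iface == in_iface:
            if not self.same_iface_forwarding:
                return None, None             # PIX behaviour: never back out the ingress interface
            # Router behaviour: forward anyway and tell the sender about the direct path.
            # (Real routers apply further conditions before sending a Redirect; simplified here.)
            redirect = IcmpRedirect(frame.src_ip, frame.dst_ip, frame.dst_ip)
        return Frame(self.mac, nh_mac, frame.src_ip, frame.dst_ip), redirect


def build_lan(same_iface_forwarding: bool):
    b = FilteringHost(B_IP, B_MAC, GW_MAC, allowed_macs=[GW_MAC])
    gw = Gateway(GW_MAC, GW_IP,
                 {A_IP: (INSIDE, A_MAC), B_IP: (INSIDE, B_MAC)},
                 same_iface_forwarding)
    return b, gw


def direct_probe() -> bool:
    """A sends to B with its own MAC. Returns True only if B accepted it."""
    b, _ = build_lan(same_iface_forwarding=True)
    return b.receive(Frame(A_MAC, B_MAC, A_IP, B_IP)) is not None


def bounce(same_iface_forwarding: bool) -> dict:
    """A forges the gateway's MAC so B's filter passes the frame; B's reply
    goes to the gateway, which either bounces it to A (router) or drops it (PIX)."""
    b, gw = build_lan(same_iface_forwarding)
    spoofed = Frame(GW_MAC, B_MAC, A_IP, B_IP)
    reply = b.receive(spoofed)
    assert reply is not None                  # the forged source MAC got past the filter
    forwarded, redirect = gw.forward(reply, INSIDE)
    return {
        "reply_reached_attacker": forwarded is not None and forwarded.dst_mac == A_MAC,
        "redirect_sent": redirect is not None,
    }


if __name__ == "__main__":
    print("direct probe accepted by B:", direct_probe())
    print("router-style gateway:", bounce(same_iface_forwarding=True))
    print("PIX-style gateway:   ", bounce(same_iface_forwarding=False))
```

The point the model makes is the one in the reply above: B's MAC filter is only as strong as the gateway's refusal to hairpin, because the forged frame is accepted either way and it is the return path that decides whether the attacker sees the answer. A gateway that honours the RFC forwarding behaviour (forward, then Redirect) turns a MAC filter on B into a no-op for anyone on the same segment; the PIX's same-interface drop closes that path at the cost of the convenience Tosh asks about.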
Tosh (Guest)
Posted: Wed Apr 19, 2006 9:15 pm    Post subject: Re: PIX7.x/ASA and icmp redirects
Right, but in (not so) complex environments you need to bounce traffic among
the various devices and/or to use redirects, as long as you don't want to
manually fill the hosts' routing tables... this way you only move the
problem to another device.
Bye,
Tosh.