<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: icmp redirects in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/icmp-redirects/m-p/169169#M30614</link>
    <description>&lt;P&gt;You really don't want to build in a dependency on ICMP redirects as they are unreliable.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. add interface to firewall and hang p2p connection off of that instead of core switch, so the default gateway of laptops gets you to remote site&lt;/P&gt;&lt;P&gt;2. add static routes to laptops&lt;/P&gt;&lt;P&gt;3. hairpin double NAT on firewall&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;#2 not great but cleaner than relying on ICMP redirects for operation&lt;/P&gt;&lt;P&gt;#3 I think you could make work, but pretty kludgy&lt;/P&gt;</description>
    <pubDate>Wed, 25 Jan 2023 18:16:43 GMT</pubDate>
    <dc:creator>Lloyd_Braun</dc:creator>
    <dc:date>2023-01-25T18:16:43Z</dc:date>
    <item>
      <title>icmp redirects</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/icmp-redirects/m-p/169111#M30601</link>
      <description>&lt;P&gt;The customer has SAP servers in a remote site. The p2p connection coming from the remote site is connected to the core switch. The inbound and outbound traffic to reach the remote site from the local LAN is on the same interface. I configured ICMP redirects on the gateway and it is persistent after reboots. I also configured NAT policies, and the routes are in place. And it's working. Here's the funny part: it's working on a few of the laptops and not working for others. I have uploaded the screenshots of both working and non-working nodes. What could be the issue? I tried no-NAT and inside NAT and the situation remains the same. The gateway's OS is R80.10 and I'm thinking of upgrading it to R81.10 on a 3200 appliance with 8 GB RAM. I don't know if that's a wise move.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2023 13:33:54 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/icmp-redirects/m-p/169111#M30601</guid>
      <dc:creator>Nima_Chogyal</dc:creator>
      <dc:date>2023-01-25T13:33:54Z</dc:date>
    </item>
    <item>
      <title>Re: icmp redirects</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/icmp-redirects/m-p/169169#M30614</link>
      <description>&lt;P&gt;You really don't want to build in a dependency on ICMP redirects as they are unreliable.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. add interface to firewall and hang p2p connection off of that instead of core switch, so the default gateway of laptops gets you to remote site&lt;/P&gt;&lt;P&gt;2. add static routes to laptops&lt;/P&gt;&lt;P&gt;3. hairpin double NAT on firewall&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;#2 not great but cleaner than relying on ICMP redirects for operation&lt;/P&gt;&lt;P&gt;#3 I think you could make work, but pretty kludgy&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2023 18:16:43 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/icmp-redirects/m-p/169169#M30614</guid>
      <dc:creator>Lloyd_Braun</dc:creator>
      <dc:date>2023-01-25T18:16:43Z</dc:date>
    </item>
  </channel>
</rss>

