PIX7.x/ASA and icmp redirects

Does anyone know if Cisco has added the capability of sending ICMP redirects to internal users in PIX 7.x and ASA appliances? Bye, Tosh.

Reply to
Tosh

I'm not certain, but for the PIX at least, I would find it quite unlikely. The PIX is designed not to allow packets to go back out the same interface they came in on [*], and the RFC requirements that go with support for ICMP Redirect require that the packet be passed along (though the Redirect message itself need not always be sent.)

[*] Exception: in PIX 7.x, there is an option to allow the packet through provided that at least one component of the path is a VPN tunnel... in which case it would never be the -same- packet that went back out on the interface.
Reply to
Walter Roberson

I'm not sure either, but I feel you are right, since I cannot find any new command or option that can accomplish that task; even the reference manual doesn't mention it. I'm asking myself which security issues a feature like that may cause if applied only on the inside interface, provided that this is a choice made with security in mind. Thanks, Tosh.

Reply to
Tosh

"bounce attacks".

If you can reach (and control) A but not B, and B is set to have its gateway be the PIX, then if you can "bounce" the packets off of the inside of the PIX, you can send A -> B forging the PIX's MAC; the reply will go to the PIX which will redirect it back to A. This allows you to bypass MAC-based filters at B.

Reply to
Walter Roberson
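One way to watch for the setup Walter describes, as an added example written for this page and not code from the original thread or from Cisco: a small Python detector run over constructed Ethernet/IPv4 frames. It flags two things on the inside segment: a frame whose source MAC is the firewall's but whose source IP belongs to a host (the MAC forgery the bounce relies on), and any ICMP Redirect (type 5) at all, which should never appear if the PIX does not send them. All MAC and IP addresses are hypothetical lab values, and the frames are built inline so the script runs offline; a real deployment would feed it frames captured on the inside interface instead.

```python
import struct
from typing import Dict, List, Optional

# Hypothetical inside-segment addresses, chosen for this example only.
FIREWALL_MAC = bytes.fromhex("001122334455")
FIREWALL_IP = "192.168.1.1"
HOST_A_MAC = bytes.fromhex("0a0000000001")
HOST_B_MAC = bytes.fromhex("0b0000000002")
HOST_A_IP = "192.168.1.10"
HOST_B_IP = "192.168.1.20"

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
PROTO_TCP = 6
ICMP_REDIRECT = 5


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                proto: int, payload: bytes) -> bytes:
    """Ethernet II + minimal IPv4 header + payload (constructed test input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def icmp_redirect(gateway: str, original: bytes) -> bytes:
    """ICMP Redirect for host (type 5, code 1) pointing at `gateway`."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ip_bytes(gateway)) + original[:28]
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Return only the fields the detector needs, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:]
    proto = frame[23]
    return {
        "src_mac": frame[6:12],
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "proto": proto,
        "icmp_type": l4[0] if proto == PROTO_ICMP and l4 else None,
    }


def detect(frames: List[bytes]) -> List[Dict]:
    """Flag forged firewall MACs and ICMP Redirects seen on the inside segment."""
    alerts = []
    for i, frame in enumerate(frames):
        p = parse_frame(frame)
        if p is None:
            continue
        # Sign 1: the firewall's MAC on a frame whose IP source is not the firewall.
        if p["src_mac"] == FIREWALL_MAC and p["src_ip"] != FIREWALL_IP:
            alerts.append({"frame": i, "kind": "forged_gateway_mac", "src_ip": p["src_ip"]})
        # Sign 2: a Redirect on the segment, whoever sends it.
        if p["icmp_type"] == ICMP_REDIRECT:
            alerts.append({"frame": i, "kind": "icmp_redirect", "src_ip": p["src_ip"]})
    return alerts


def sample_frames() -> List[bytes]:
    """Constructed traffic: a clean A->B packet, A->B with the PIX's MAC forged,
    a genuine firewall packet, B's reply sent to the PIX, and the Redirect the
    PIX would have to emit to bounce that reply back to A."""
    clean = build_frame(HOST_A_MAC, HOST_B_MAC, HOST_A_IP, HOST_B_IP, PROTO_TCP, b"\x00" * 20)
    forged = build_frame(FIREWALL_MAC, HOST_B_MAC, HOST_A_IP, HOST_B_IP, PROTO_TCP, b"\x00" * 20)
    from_fw = build_frame(FIREWALL_MAC, HOST_B_MAC, FIREWALL_IP, HOST_B_IP, PROTO_ICMP,
                          struct.pack("!BBHHH", 8, 0, 0, 1, 1))  # echo request
    reply_b_to_a = build_frame(HOST_B_MAC, FIREWALL_MAC, HOST_B_IP, HOST_A_IP, PROTO_TCP, b"\x00" * 20)
    redirect = build_frame(FIREWALL_MAC, HOST_B_MAC, FIREWALL_IP, HOST_B_IP, PROTO_ICMP,
                           icmp_redirect(HOST_A_IP, reply_b_to_a[14:]))
    return [clean, forged, from_fw, reply_b_to_a, redirect]


if __name__ == "__main__":
    for alert in detect(sample_frames()):
        print(alert)
```

Only the forged frame and the Redirect produce alerts; the firewall's own traffic and B's reply addressed to the firewall's MAC pass silently. The MAC/IP pairing check is the same idea as a static ARP inspection binding, so on a real switch that feature does the job without a sniffer.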

Right, but in (not so) complex environments you need to bounce traffic among the various devices and/or to use redirects, unless you want to manually fill the hosts' routing tables... this way you only move the problem to another device. Bye, Tosh.

Reply to
Tosh

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.