
Monday, May 6, 2019

ICMP redirect

In the middle of a migration from one firewall to another you may discover that you need to point a specific migrated IP to the new firewall, while the default gateway remains the old firewall.

Then in the old firewall you specify a route that forwards traffic for that IP to the new firewall.

When a user pings that IP, the old firewall, being the default route, will respond with an ICMP redirect message. This message will most probably be ignored by the user's PC.

Check that the registry value Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect is 1

and that the Windows Firewall allows ICMP Redirect messages (the best is to create a custom Windows Firewall rule so they are accepted on trusted networks but not on public ones, for example).

Then when you ping you will see the ICMP redirect message in Wireshark, and after a while your PC starts sending the traffic to the new firewall.


Note that "route print" will not show this new route.
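The checks above, put into a script. This is an added example and not the author's code: the rule name, the Domain/Private profile choice, the placeholder IP 192.0.2.10 and the use of the destination cache to see the learned next hop are this example's assumptions. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post). Verifies the two prerequisites the
# post names, triggers the redirect, and shows where Windows stored the new next hop.
# Assumptions: elevated PowerShell; rule name, profiles and IP are placeholders.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$RuleName    = 'Allow ICMPv4 Redirect (trusted networks only)'   # assumed name
$MigratedIp  = '192.0.2.10'   # placeholder: the IP that moved to the new firewall

# 1. Registry: EnableICMPRedirect must be 1. The value may be absent, so set it
#    explicitly to make the state known (reboot if the change does not take effect).
$current = (Get-ItemProperty -Path $TcpipParams -Name EnableICMPRedirect `
            -ErrorAction SilentlyContinue).EnableICMPRedirect
if ($current -ne 1) {
    Set-ItemProperty -Path $TcpipParams -Name EnableICMPRedirect -Value 1 -Type DWord
    Write-Host "EnableICMPRedirect set to 1 (previous value: '$current')"
} else {
    Write-Host 'EnableICMPRedirect is already 1'
}

# 2. Windows Firewall: allow inbound ICMPv4 type 5 (Redirect) only on the Domain
#    and Private profiles, so a Public network cannot re-steer the PC's traffic.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol ICMPv4 `
        -IcmpType 5 -Action Allow -Profile Domain,Private | Out-Null
    Write-Host "Created firewall rule '$RuleName'"
}

# 3. Trigger the redirect (Wireshark display filter: icmp.type == 5) and look at
#    the destination cache. 'route print' and Get-NetRoute only list the routing
#    table; a learned redirect lives in the destination cache, shown here.
ping -n 4 $MigratedIp | Out-Null
netsh interface ipv4 show destinationcache | Select-String -Pattern $MigratedIp

# After the migration is finished, remove the rule again so the PC stops
# honouring redirects it no longer needs:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

The destination cache line for the migrated IP should list the new firewall as next hop once the redirect has been accepted; if it still shows the old firewall, the redirect was blocked or ignored and the two checks above are where to look first.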