[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Alexander Bochmann
ab at lists.gxis.de
Tue Feb 16 05:45:43 EST 2016
Hello,
...on Tue, Feb 16, 2016 at 10:40:22AM +0100, Jan Gregor wrote:
> arp-send: arp request built from X.X.X.41 Z for X.X.X.42 at 7212560
> arp-in: response at DMZ from X.X.X.42 Y for X.X.X.41 Z having smac Y
> dmac Z\n
> arp-in: src ip is same as one of nat mapped address X.X.X.42 .Consuming
> the packet
I think I've seen this exact same problem on 9.4(2)6, though I didn't
have the (obvious, in retrospect) idea to do a debug arp on the ASA. As I
was busy firefighting other problems resulting from ASA software updates,
my quick workaround was to add a static arp entry for the affected
addresses on the firewall.
Alex.
More information about the cisco-nsp
mailing list