[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Alexander Bochmann ab at lists.gxis.de
Tue Feb 16 05:45:43 EST 2016


...on Tue, Feb 16, 2016 at 10:40:22AM +0100, Jan Gregor wrote:

 > arp-send: arp request built from X.X.X.41 Z for X.X.X.42 at 7212560
 > arp-in: response at DMZ from X.X.X.42 Y for X.X.X.41 Z having smac Y
 > dmac Z\n
 >  arp-in: src ip is same as one of nat mapped address X.X.X.42 .Consuming
 > the packet

I think I've seen this exact same problem on 9.4(2)6, though I didn't 
have the (obvious, in retrospect) idea to do a debug arp on the ASA. As I 
was busy firefighting other problems resulting from ASA software updates, 
my quick workaround was to add a static arp entry for the affected 
addresses on the firewall.

