[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Jan Gregor jan.gregor at chronix.org
Tue Feb 16 14:21:03 EST 2016

Hi David,

yeah, that fixed it, but it seems that there is some issue there after
all. The thing is I had "sysopt noproxyarp DMZ" in my configuration ,
which should have prevented this behaviour. Apparently it did not.

I am already working on this with your colleague from TAC .

Best regards,


On 02/16/2016 03:57 PM, David White, Jr. (dwhitejr) wrote:
> Hi Jan,
> The 'solution' to the below issue is to add the keyword no-proxy-arp to
> the nat rule.
> Due to the fix for bug CSCuc11186
> <https://tools.cisco.com/bugsearch/bug/CSCuc11186>, if the ASA receives
> an ARP packet from an IP which is in your nat rule, then it will not
> reply to it.  This happens with overly broad NAT rules.  Adding the
> "no-proxy-arp" keyword to the nat rule will fix this issue.
> Hope it helps,
> David.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20160216/29eef7dd/attachment.sig>

More information about the cisco-nsp mailing list