[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Jan Gregor
jan.gregor at chronix.org
Tue Feb 16 14:21:03 EST 2016
Hi David,
yeah, that fixed it, but it seems that there is some issue there after
all. The thing is I had "sysopt noproxyarp DMZ" in my configuration,
which should have prevented this behaviour. Apparently it did not.
I am already working on this with your colleague from TAC.
Best regards,
Jan
On 02/16/2016 03:57 PM, David White, Jr. (dwhitejr) wrote:
> Hi Jan,
>
> The 'solution' to the below issue is to add the keyword no-proxy-arp to
> the nat rule.
>
> Due to the fix for bug CSCuc11186
> <https://tools.cisco.com/bugsearch/bug/CSCuc11186>, if the ASA receives
> an ARP packet from an IP which is in your nat rule, then it will not
> reply to it. This happens with overly broad NAT rules. Adding the
> "no-proxy-arp" keyword to the nat rule will fix this issue.
>
> Hope it helps,
>
> David.
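As an added illustration (not configuration from the thread, from Jan, or from Cisco), here is the shape of the NAT rule David describes: a twice-NAT rule whose real-side "any" covers the DMZ subnet, shown first without and then with the no-proxy-arp keyword. Interface names, object names, addresses and the "sysopt noproxyarp DMZ" line are assumed for the example.

```cisco
! Assumed objects and addresses (constructed for this example)
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.0
object network VPN-NET
 subnet 198.51.100.0 255.255.255.0

! The per-interface setting Jan reports having in place; on its own it
! did not stop the behaviour he saw.
sysopt noproxyarp DMZ

! Overly broad rule: "any" on the real side includes every DMZ address,
! so, per the CSCuc11186 behaviour quoted above, the ASA stops replying
! to ARP packets from DMZ hosts that fall inside the rule.
nat (DMZ,outside) source static any any destination static VPN-NET VPN-NET

! The fix David suggests: the same rule with proxy ARP suppressed.
nat (DMZ,outside) source static any any destination static VPN-NET VPN-NET no-proxy-arp

! Checks: confirm the keyword is present on the rule and watch whether
! DMZ hosts' ARP entries reappear once it is applied.
show running-config nat
show nat detail
show arp
```

The two nat lines are shown together only for comparison; in a real configuration the first is removed and replaced by the second, and the correct interface pair and objects are the ones from the broad rule that is actually causing the dropped ARP replies.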