[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Jason Lixfeld
jason at lixfeld.ca
Tue Feb 16 14:28:36 EST 2016
There’s also a Severity 1 defect in 9.1.7 around SNMP :|
CSCuy27428
*facepalm*
> On Feb 16, 2016, at 2:21 PM, Jan Gregor <jan.gregor at chronix.org> wrote:
>
> Hi David,
>
> yeah, that fixed it, but it seems that there is some issue there after
> all. The thing is I had "sysopt noproxyarp DMZ" in my configuration,
> which should have prevented this behaviour. Apparently it did not.
>
> I am already working on this with your colleague from TAC.
>
>
> Best regards,
>
> Jan
>
>
> On 02/16/2016 03:57 PM, David White, Jr. (dwhitejr) wrote:
>> Hi Jan,
>>
>> The 'solution' to the below issue is to add the keyword no-proxy-arp to
>> the nat rule.
>>
>> Due to the fix for bug CSCuc11186
>> <https://tools.cisco.com/bugsearch/bug/CSCuc11186>, if the ASA receives
>> an ARP packet from an IP which is in your nat rule, then it will not
>> reply to it. This happens with overly broad NAT rules. Adding the
>> "no-proxy-arp" keyword to the nat rule will fix this issue.
>>
>> Hope it helps,
>>
>> David.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
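A before/after configuration for the behaviour David describes, added here as an illustration; it is not taken from the thread or from Cisco documentation. The interface names, object names and addresses (RFC 5737 documentation ranges) are made up, and the assumption is the one David states: a static NAT rule whose real-address range also contains hosts that ARP for the ASA's DMZ interface, which the ASA then stops answering after the CSCuc11186 fix.

```text
! --- Before (assumed layout): a static NAT whose real-address object is
! the entire DMZ segment. Every host on 192.0.2.0/24 therefore falls inside
! the NAT rule, and the ASA will not answer their ARP requests. Note that
! the interface-wide "sysopt noproxyarp DMZ" is present here, as in Jan's
! configuration, and Jan reports it did not prevent the behaviour.
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
sysopt noproxyarp DMZ
!
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.0
object network DMZ-NET-MAPPED
 subnet 203.0.113.0 255.255.255.0
!
nat (DMZ,outside) source static DMZ-NET DMZ-NET-MAPPED

! --- After: the same rule with the per-rule no-proxy-arp keyword that
! David recommends. Only the NAT line changes.
nat (DMZ,outside) source static DMZ-NET DMZ-NET-MAPPED no-proxy-arp

! --- Checks after the change: confirm the keyword took, then confirm the
! DMZ hosts' entries appear (and their ARP requests for 192.0.2.1 get a
! reply) once they retry.
show running-config nat
show nat detail
show arp
```

Because the rule is matched by real address, narrowing the real object (for example to the single hosts that actually need translation) is the other way to get the same effect; the `no-proxy-arp` keyword is the quicker fix when the broad rule is intentional.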