In previous release 9.1(6) this line was ok:

nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32

In 9.1(7) it wasn't working anymore, so the solution was to add *no-proxy-arp* at the end:

nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 *no-proxy-arp*

On Mon, Feb 15, 2016 at 1:48 PM, Roberto <robe...@ipnetworks.it> wrote:

> Hello,
>
> excuse me for this direct email: but about the
> https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
>
> "
> upgraded from 9.0(5) to 9.1(7)
> "
>
> Solved !
> "Disable Proxy ARP" must be checked on NAT bypass rules (former nat 0).
>
> are you indicating for example
> that previously on 9.0(5) was:
>
> nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 route-lookup
>
> and now on 9.1(7) is:
>
> nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 *no-proxy-arp* route-lookup
>
> Best Regards,
> _________________________________
> Roberto Taccon
>
> e-mail: robe...@ipnetworks.it
> mobile: +39 340 4751352
> fax: +39 045 4850850
> skype: roberto.taccon
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Adrian M
> Sent: Monday, 15 February 2016 10:06
> To: nanog@nanog.org
> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
>
> Solved !
> "Disable Proxy ARP" must be checked on NAT bypass rules (former nat 0).
>
> On Thu, Feb 11, 2016 at 3:53 PM, Adrian M <adrian.mi...@gmail.com> wrote:
>
> > Be careful, it appears that something is broken with ARP on this release.
> > We have no ARP on lan interface, and somebody else has a similar problem:
> >
> > https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
> >
> > On Wed, Feb 10, 2016 at 10:36 PM, Sadiq Saif <li...@sadiqs.com> wrote:
> >
> > > Update your ASAs folks, this is a critical one.
> > >
> > > -------- Forwarded Message --------
> > > Subject: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
> > > Date: Wed, 10 Feb 2016 08:06:51 -0800
> > > From: Cisco Systems Product Security Incident Response Team <ps...@cisco.com>
> > > Reply-To: ps...@cisco.com
> > > To: cisco-...@puck.nether.net
> > > CC: ps...@cisco.com
> > >
> > > Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
> > > Overflow Vulnerability
> > >
> > > Advisory ID: cisco-sa-20160210-asa-ike
> > >
> > > Revision 1.0
> > >
> > > For Public Release 2016 February 10 16:00 GMT (UTC)
> > >
> > > +---------------------------------------------------------------------
> > >
> > > Summary
> > > =======
> > >
> > > A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and
> > > IKE version 2 (v2) code of Cisco ASA Software could allow an
> > > unauthenticated, remote attacker to cause a reload of the affected
> > > system or to remotely execute code.
> > >
> > > The vulnerability is due to a buffer overflow in the affected code area.
> > > An attacker could exploit this vulnerability by sending crafted UDP
> > > packets to the affected system. An exploit could allow the attacker
> > > to execute arbitrary code and obtain full control of the system or to
> > > cause a reload of the affected system.
> > >
> > > Note: Only traffic directed to the affected system can be used to
> > > exploit this vulnerability. This vulnerability affects systems
> > > configured in routed firewall mode only and in single or multiple
> > > context mode. This vulnerability can be triggered by IPv4 and IPv6
> > > traffic.
> > >
> > > Cisco has released software updates that address this vulnerability.
> > > This advisory is available at the following link:
> > >
> > > http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-...@puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
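
A pre-upgrade check for the situation reported in this thread, as an added example that is not part of any poster's message: it scans an ASA configuration for identity NAT rules (same real and mapped source object, the "NAT bypass" rules) that lack the no-proxy-arp keyword. The sample configuration is constructed, and the function name and the LAN-HOST / PUBLIC-HOST objects are hypothetical.

```python
import re

# Manual NAT lines of the form quoted in the thread:
#   nat (real_if,mapped_if) source static REAL MAPPED [destination static ...] [keywords]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?:\S+\s+)*?"
    r"source static (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)


def identity_nat_without_no_proxy_arp(config_text):
    """Return (line_number, line) for identity NAT rules lacking no-proxy-arp."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        match = NAT_RE.match(line)
        if not match:
            continue  # not a static manual NAT rule
        # Identity NAT (former "nat 0"): real and mapped source are the same object.
        if match["real"] != match["mapped"]:
            continue
        # Compare whole keywords so an object name containing the text is ignored.
        if "no-proxy-arp" not in match["rest"].split():
            findings.append((number, line))
    return findings


# Constructed sample: the first two rules use the object name from the thread,
# the last two are hypothetical rules that must not be flagged.
SAMPLE_CONFIG = """\
nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32
nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 no-proxy-arp route-lookup
nat (inside,outside) source static LAN-HOST PUBLIC-HOST
nat (inside,outside) source dynamic any interface
"""

if __name__ == "__main__":
    for number, line in identity_nat_without_no_proxy_arp(SAMPLE_CONFIG):
        print(f"line {number}: identity NAT without no-proxy-arp: {line}")
```

Run it against the saved running configuration before moving to the fixed release, and review each flagged rule rather than appending the keyword blindly.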