topic Downgraded to 9.1(4) again - in Network Security

ASA 5512X - Ping into DMZ not possible after update (9.1(4) to 9.1(7))

Christian Balzereit — Tue, 12 Mar 2019 07:21:44 GMT

Hey all,

after I update from 9.1(4) to 9.1(7) I'm not able to access DMZ devices from my internal network.

What are the changes where do I have to look?

Do you need further information?

Thanks in advance.

Hi,

Michael Braun — Sat, 20 Feb 2016 12:30:42 GMT

Hi,

if you have the old config, prior to your upgrade, you may want to compare the nat rules line by line if anything changed.

But, we also have a problem after the upgrade with a destination nat rule, it seems it does not catch it anymore. I did compare our config and nothing changed so i am betting on a bug.

Yeah, same here. He seems to

Christian Balzereit — Sat, 20 Feb 2016 12:38:48 GMT

Yeah, same here. He seems to route the ICMP packets to the outside interface.

Have you tried to disable

Michael Braun — Sat, 20 Feb 2016 12:54:41 GMT

Have you tried to disable proxy arp? This seems to be causing issues by many others after upgrading due to the ike vulnerability.. If not needed, it should be disabled.

On the other issue, i have just downgraded back to 911, NAT works again, back to 917, NAT does not work. So my problem seems to be a bug.

Disabling Proxy ARP did not

Christian Balzereit — Sat, 20 Feb 2016 13:06:13 GMT

Disabling Proxy ARP did not help 😞

It was a try i guess. Have

Michael Braun — Sat, 20 Feb 2016 13:14:36 GMT

It was a try i guess. Have you downgraded back to the old version, just to see if it will work again?

i am checking if there is in interim release and try it - tried it, problem remains, so it is going to be a case at Cisco.

I've found in some cases I

David99 — Sat, 20 Feb 2016 13:22:14 GMT

I've found in some cases I have had to add no-proxy-arp AND add route-lookup onto the NAT statements themeselves

If it's feasible for you to try this then give it a shot

Downgraded to 9.1(4) again -

Christian Balzereit — Sat, 20 Feb 2016 13:36:49 GMT

Downgraded to 9.1(4) again - No problems.

No I have the problem with the IKE vuln 😞

It may be another issue

Michael Braun — Sat, 20 Feb 2016 13:43:13 GMT

It may be another issue entirely. The image above does NAT from DMZ to outside, so this is correct. For LAN/DMZ you should use NAT BEFORE Object NAT, unless there is a specific reason not to.... So it may be that with the upgrade, the ASA is a little bit more picky about NAT rules. Do you see any error messages in the log? Usually the ASA is very chatty if there is a problem.

Interface security Level is another this to keep in mind with NAT, and do you realy NAT from LAN to DMZ or is it just identity NAT, so no translation is done?

You could also try 9.1(6.11)

David99 — Sat, 20 Feb 2016 13:48:46 GMT

You could also try 9.1(6.11) - Cisco update the recommended upgrade to this version per this page:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Where d I find the 9.1(6.11)?

Christian Balzereit — Sat, 20 Feb 2016 13:58:37 GMT

Where d I find the 9.1(6.11)?

I can downoad 9.1.6.SMP

Check under all releases,

Michael Braun — Sat, 20 Feb 2016 14:04:39 GMT

Check under all releases,"interim", there it is. If the ike bug is fixed in that one, it may be ok too. But the recommended release is still 917...

Hey Michael,

David99 — Sat, 20 Feb 2016 14:11:49 GMT

Hey Michael,

I was under the same impression, but I read that due to reported issues with 9.1(7) Cisco changed the recommendation

That of course may just be hear say, and I had read that 9.1.(7.1) was coming but if you see in the official vulnerability page link that it recommends now 9.1(6.11) or later

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Thanks for the hint, although

Michael Braun — Sat, 20 Feb 2016 14:15:20 GMT

Thanks for the hint, although, all our 5512s are on 9.4.2.6 without issues, i did not bother with 917, which i only use on non X series (5505, 5510 etc)

OK, short update, i have

Michael Braun — Sat, 20 Feb 2016 14:26:24 GMT

OK, short update, i have tried 916-11, it did not fix our issue with destination nat. bummer... (btw. interim 917.4, same problem)

I replied earlier but the

David99 — Sat, 20 Feb 2016 14:34:08 GMT

I replied earlier but the comment keeps going to the very bottom (noob error on my part, no doubt)

Have you tried 'no-proxy-arp route-lookup' in your NAT configuration?

You don't have something which hiterto didn't cause a problem such as same security levels on interfaces or anything like that, do you?

Without seeing the specific rule it's hard to say exactly what's going on but I think also there were some reports of the ordering being broken so could always be worth trying to remove and re-add this rule.

Other than that, I'm all out!

Thx again.

Christian Balzereit — Sat, 20 Feb 2016 14:42:24 GMT

Thx again.

Same errors with the Interim build 😞

Same here, even tried latest

Michael Braun — Sat, 20 Feb 2016 14:47:59 GMT

Same here, even tried latest 9.2.x.x interim, no change, NAT keeps failing. I have a case open with Cisco because of that, once i get some infos, i will be posting.

Cheers everyone, (off to some other problem)

Markus

Cisco ID CSCO11583512
CCDA, CCNA, CCNA Security, CCNP Security
ASA Specialist, Firewall Security Specialist, IOS Security Specialist,
IPS Specialist, VPN Security Specialist, NSA CNSS 4011 and 4013 Recognition, INFOSEC

Amideo Networks

Ringeisenstrasse 2, 86836 Graben / GT Lagerlechfeld
Phone: +49 8232 956 9197 , Fax: +49 8232 959 4031

Amideo Networks Public IPv6 Address Range: 2003:44:2010::/48 ipv6.amideo.de
IPv6 DNS Deutsche Telekom: 2003:40:2000::53, 2003:56::53, 2003:40:4000::53

Hello Michael,

Christian Balzereit — Mon, 22 Feb 2016 09:13:57 GMT

Hello Michael,

Intern -> DMZ = No NAT

DMZ -> outside = Static NAT

NAT for VPN

EDIT: When I access my intern LAN via VPN I'm able to access my DMZ

Have you debugged at the

Michael Braun — Mon, 22 Feb 2016 10:34:56 GMT

Have you debugged at the console ?

Debug trace icmp

and you see if and what happens to the packets.

But you may want to stop Nagius/Solarwinds etc. for this or you will get a ton of messages.

Alternatively logg debug to syslog and filter it out.