So now Cisco calls a software regression a "documentation bug". It's quite a coincidence that all the versions affected by this behavior are the ones where CVE-2016-1287 is fixed.
Any ideas on how to configure proxy-arp on an interface then?
Has anyone tested 9.3(3.7) or 9.5(2.2) to see if they are also affected?
I agree that it's a shame that Cisco can't admit this is a bug rather than a feature enhancement. It would also greatly help if the bug details could clarify if this is the new expected behavior for future software releases from 9.1 going forward or if this behavior is temporary and will be reverted to the "old" interpretation in future releases.
We also had some serious issues with this after an upgrade from 9.1(6) to 9.1(7).
After opening a case last week, I received an update today that there is an interim software release in which only the IKE vulnerability is fixed and no other "features" were added.
Release notes can be found here: http://www.cisco.com/web/software/280775065/123352/ASA-916-Interim-Release-Notes.html
I've also asked the engineer to clarify if this is just a bug or expected behaviour in this and future releases. I'll keep you posted if I get an update on this.
Ditto for us, and not just 9.1(6) to 9.1(7) but 8.3 to 8.4(7)30 also.
You wouldn't believe the amount of new expletives that were made up last week.
So it seems like this is the expected behaviour for all the new releases:
In the old releases and in certain conditions, ASA doesn't check the source of the ARP request, please find the following software bug:
This issue is fixed in the new releases, and the resolution of this defect introduces a change in the ASA behavior, which most probably is the reason for our issue in this case. You can avoid this behavior in 9.1.7 by modifying the NAT statements, especially those with the (any) keyword.
Also, as I mentioned earlier, our development team, in order to make things easier for the customer, has implemented the fix for the vulnerability in 18.104.22.168, which was released yesterday, and kept the same old behavior regarding proxy ARP.
They've just updated the bug report and the bug is supposed to be fixed in 9.1(7.2) and 9.4(2.7).
I'll test them whenever they become available for download.
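For anyone hitting the NAT/proxy-ARP change discussed above, this is an added illustration (not from the thread or from Cisco) of the kind of NAT rewrite the engineer described: the same static translation once written with the `any` interface keyword and once pinned to the real interface pair. Object names, addresses and interface names are made up; `no-proxy-arp` and `sysopt noproxyarp` are standard ASA knobs shown only as the related options to review.

```cisco
! --- before: translation bound to "any" interfaces (the pattern called out in the thread) ---
object network SRV-WEB
 host 10.1.1.10
 nat (any,any) static 203.0.113.10

! --- after: same translation, explicitly bound to the real and mapped interfaces ---
object network SRV-WEB
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! Optional: keep the translation but stop the ASA answering ARP for the mapped
! address on the mapped interface (only if another device owns that ARP reply).
object network SRV-WEB
 nat (inside,outside) static 203.0.113.10 no-proxy-arp

! Optional: disable proxy ARP for a whole interface (check existing NAT that relies on it first).
sysopt noproxyarp outside

! Verify what the ASA is actually answering for after the change.
show nat detail
show arp
```

Make the change in a maintenance window and re-check `show nat detail` and `show arp` afterwards, since any translation that silently depended on proxy ARP on the `any` interface will stop working once it is pinned or `no-proxy-arp` is set.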
I appear to have this issue with 9.6(2)3 on an ASA 5525-X. Is this a permanent feature or enhancement? Where is the beef, so to speak? Anyone know?