02-20-2016 04:14 AM - edited 03-12-2019 12:21 AM
Hey all,
After I updated from 9.1(4) to 9.1(7), I'm not able to access DMZ devices from my internal network.
What are the changes, and where do I have to look?
Do you need further information?
Thanks in advance.
02-20-2016 04:30 AM
Hi,
If you have the old config from before your upgrade, you may want to compare the NAT rules line by line to see whether anything changed.
But we also have a problem after the upgrade with a destination NAT rule; it seems it does not catch it anymore. I did compare our config and nothing changed, so I am betting on a bug.
02-20-2016 04:38 AM
Yeah, same here. It seems to route the ICMP packets to the outside interface.
02-20-2016 04:54 AM
Have you tried disabling proxy ARP? This seems to be causing issues for many others after upgrading due to the IKE vulnerability. If not needed, it should be disabled.
On the other issue, I have just downgraded back to 911: NAT works again. Back to 917: NAT does not work. So my problem seems to be a bug.
02-20-2016 05:06 AM
Disabling Proxy ARP did not help :(
02-20-2016 05:14 AM
It was a try, I guess. Have you downgraded back to the old version, just to see if it will work again?
I am checking if there is an interim release and will try it. Tried it, problem remains, so it is going to be a case with Cisco.
02-20-2016 05:22 AM
I've found that in some cases I have had to add no-proxy-arp AND route-lookup onto the NAT statements themselves.
If it's feasible for you to try this, then give it a shot.
02-20-2016 05:36 AM
Downgraded to 9.1(4) again - no problems.
Now I have the problem with the IKE vuln :(
02-20-2016 05:48 AM
You could also try 9.1(6.11) - Cisco updated the recommended upgrade to this version per this page:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
02-20-2016 05:58 AM
Where do I find the 9.1(6.11)?
I can download 9.1.6.SMP.
02-20-2016 06:04 AM
Check under all releases, "interim"; there it is. If the IKE bug is fixed in that one, it may be OK too. But the recommended release is still 917...
02-20-2016 06:11 AM
Hey Michael,
I was under the same impression, but I read that due to reported issues with 9.1(7) Cisco changed the recommendation.
That of course may just be hearsay, and I had read that 9.1(7.1) was coming, but if you look at the official vulnerability page link, it now recommends 9.1(6.11) or later:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
02-20-2016 06:15 AM
Thanks for the hint. Although all our 5512s are on 9.4.2.6 without issues, I did not bother with 917, which I only use on non-X series (5505, 5510, etc.).
02-20-2016 06:26 AM
OK, short update: I have tried 916-11, and it did not fix our issue with destination NAT. Bummer... (BTW, interim 917.4: same problem.)
02-20-2016 06:34 AM
I replied earlier, but the comment keeps going to the very bottom (noob error on my part, no doubt).
Have you tried 'no-proxy-arp route-lookup' in your NAT configuration?
You don't have something which hitherto didn't cause a problem, such as the same security levels on interfaces or anything like that, do you?
Without seeing the specific rule it's hard to say exactly what's going on, but I think there were also some reports of the ordering being broken, so it could always be worth trying to remove and re-add this rule.
Other than that, I'm all out!
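For readers trying the two suggestions from this reply and the earlier one (adding no-proxy-arp and route-lookup to the NAT statement, and removing and re-adding the rule), here is a worked ASA configuration fragment plus the verification commands a practitioner would run afterwards. This is an added example, not config posted in the thread; the interface names (inside, dmz), object names (INSIDE-NET, DMZ-WEB) and addresses are assumed for illustration and must be replaced with your own.

```cisco
! Added example (not from the original thread). Interface names, object
! names and addresses below are assumptions for illustration.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network DMZ-WEB
 host 172.16.1.10

! Remove the existing rule first if you want to re-add it (reply above
! mentions reports of rule ordering being broken after the upgrade).
no nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-WEB DMZ-WEB

! Identity (twice) NAT between inside and dmz so inside-to-DMZ traffic is
! not rewritten. no-proxy-arp stops the ASA answering ARP for the mapped
! address on the ingress interface; route-lookup makes the ASA pick the
! egress interface from the routing table rather than from the (inside,dmz)
! interface pair in the rule itself.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-WEB DMZ-WEB no-proxy-arp route-lookup

! Verify which NAT rule an inside-to-DMZ ping actually matches and which
! interface the packet leaves by (the original poster saw ICMP going to
! outside). Source/destination addresses are constructed test values.
packet-tracer input inside icmp 10.1.1.50 8 0 172.16.1.10 detailed

! Confirm the rule is installed in the expected section/order and check
! the translation that gets built.
show nat detail
show xlate
```

If packet-tracer still reports the egress interface as outside, or the NAT phase selects a different rule than the one above, the problem is in rule ordering or a conflicting rule rather than in this statement, and comparing `show nat detail` against the pre-upgrade config is the next step.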