Showing results for 
Search instead for 
Did you mean: 

ASA 5512X - Ping into DMZ not possible after update (9.1(4) to 9.1(7))

Hey all,

after I update from 9.1(4) to 9.1(7) I'm not able to access DMZ devices from my internal network.

What are the changes where do I have to look?

Do you need further information?

Thanks in advance.

26 Replies 26

Michael Braun


if you have the old config, prior to your upgrade, you may want to compare the nat rules line by line if anything changed.

But, we also have a problem after the upgrade with a destination nat rule, it seems it does not catch it anymore. I did compare our config and nothing changed so i am betting on a bug.

Yeah, same here. He seems to route the ICMP packets to the outside interface.

Have you tried to disable proxy arp? This seems to be causing issues by many others after upgrading due to the ike vulnerability.. If not needed, it should be disabled.

On the other issue, i have just downgraded back to 911, NAT works again, back to 917, NAT does not work. So my problem seems to be a bug.

Disabling Proxy ARP did not help :(

It was a try i guess. Have you downgraded back to the old version, just to see if it will work again?

i am checking if there is in interim release and try it - tried it, problem remains, so it is going to be a case at Cisco.

I've found in some cases I have had to add no-proxy-arp AND add route-lookup onto the NAT statements themeselves

If it's feasible for you to try this then give it a shot

Downgraded to 9.1(4) again - No problems.

No I have the problem with the IKE vuln :(

You could also try 9.1(6.11) - Cisco update the recommended upgrade to this version per this page:

Where d I find the 9.1(6.11)?

I can downoad 9.1.6.SMP

Check under all releases,"interim", there it is. If the ike bug is fixed in that one, it may be ok too. But the recommended release is still 917...

Hey Michael,

I was under the same impression, but I read that due to reported issues with 9.1(7) Cisco changed the recommendation

That of course may just be hear say, and I had read that 9.1.(7.1) was coming but if you see in the official vulnerability page link that it recommends now 9.1(6.11) or later

Thanks for the hint, although, all our 5512s are on without issues, i did not bother with 917, which i only use on non X series (5505, 5510 etc)

OK, short update, i have tried 916-11, it did not fix our issue with destination nat. bummer... (btw. interim 917.4, same problem)

I replied earlier but the comment keeps going to the very bottom (noob error on my part, no doubt)

Have you tried 'no-proxy-arp route-lookup' in your NAT configuration?

You don't have something which hiterto didn't cause a problem such as same security levels on interfaces or anything like that, do you?

Without seeing the specific rule it's hard to say exactly what's going on but I think also there were some reports of the ordering being broken so could always be worth trying to remove and re-add this rule.

Other than that, I'm all out!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers