ATN: Cisco. ASA not passing IP header to SSM for ICMP BUG

Unanswered Question

Scenario: NAT is configured on ASA between the inside and outside interfaces. IPS policy is applied to the outside interface or globally.

BUG details: for ICMP attacks (such as 2150) going from the inside to the outside, the alert contains the public (NATed) IP address as the Src IP, which is not correct. For TCP (such as 5081) the alert contains the private IP address as the Src IP, which is correct. Note: this may depend on the signature engine, not the protocol (ICMP/TCP, etc.). This probably happens because the ASA doesn't pass the pre-NAT packet IP header to the SSM along with the actual data packet. The data packet itself always contains the post-NAT IP header (i.e. the public IP address).

Question: When will this bug be fixed by Cisco?
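Until the alert itself carries the inside address, the practical workaround for an analyst is to map the post-NAT source in the IPS alert back to the inside host using the ASA's own translation syslog. The following is an added example (not from the original post or from Cisco) that does that correlation over a few constructed ASA "Built/Teardown dynamic translation" lines; the exact syslog wording, timestamp format, and the 5-second clock-skew allowance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ASA xlate syslog lines (assumed to follow the
# "%ASA-6-305011: Built dynamic <proto> translation from <if>:<ip>/<id>
# to <if>:<ip>/<id>" wording). Not taken from the original post.
XLATE_LOG = """\
2024-01-15T10:00:01 %ASA-6-305011: Built dynamic ICMP translation from inside:10.1.1.25/512 to outside:203.0.113.5/512
2024-01-15T10:00:03 %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.30/41234 to outside:203.0.113.5/41234
2024-01-15T10:00:09 %ASA-6-305012: Teardown dynamic ICMP translation from inside:10.1.1.25/512 to outside:203.0.113.5/512 duration 0:00:08
2024-01-15T10:05:00 %ASA-6-305011: Built dynamic ICMP translation from inside:10.1.1.40/513 to outside:203.0.113.5/513
"""

XLATE_RE = re.compile(
    r"^(\S+) %ASA-6-3050(?:11|12): (Built|Teardown) dynamic (\w+) translation "
    r"from \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+)")

def parse_xlates(text):
    """Return translation records: dict(proto, pre_ip, post_ip, post_id,
    start, end). 'end' stays None while the translation is still open."""
    records = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue
        ts, action, proto, pre_ip, _pre_id, post_ip, post_id = m.groups()
        when = datetime.fromisoformat(ts)
        if action == "Built":
            records.append(dict(proto=proto, pre_ip=pre_ip, post_ip=post_ip,
                                post_id=post_id, start=when, end=None))
        else:
            # Close the most recent still-open translation with matching fields.
            for r in reversed(records):
                if (r["end"] is None and r["proto"] == proto and r["pre_ip"] == pre_ip
                        and r["post_ip"] == post_ip and r["post_id"] == post_id):
                    r["end"] = when
                    break
    return records

def denat_src(records, proto, src_ip, alert_time_iso, slack=timedelta(seconds=5)):
    """Sorted list of inside (pre-NAT) hosts that held the post-NAT address
    src_ip for proto at the alert time. With PAT several hosts can share one
    outside address, so more than one candidate is possible; none means the
    xlate log does not cover that time."""
    t = datetime.fromisoformat(alert_time_iso)
    hits = set()
    for r in records:
        if r["proto"] != proto or r["post_ip"] != src_ip:
            continue
        if r["start"] - slack <= t and (r["end"] is None or t <= r["end"] + slack):
            hits.add(r["pre_ip"])
    return sorted(hits)
```

For the ICMP alert described in the post, look up the alert's NATed Src IP with `denat_src(parse_xlates(log), "ICMP", "203.0.113.5", "<alert time>")` to recover the inside host.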
