ASA 5512X - Ping into DMZ not possible after update (9.1(4) to 9.1(7))

Hey all,

after I updated from 9.1(4) to 9.1(7), I'm not able to access DMZ devices from my internal network.

What are the changes? Where do I have to look?

Do you need further information?

Thanks in advance.

26 Replies

Michael Braun
Level 1

Hi,

if you have the old config from prior to your upgrade, you may want to compare the NAT rules line by line to see if anything changed.

But we also have a problem after the upgrade with a destination NAT rule; it seems it does not catch it anymore. I did compare our config and nothing changed, so I am betting on a bug.

Yeah, same here. It seems to route the ICMP packets to the outside interface.

Have you tried to disable proxy ARP? This seems to be causing issues for many others after upgrading due to the IKE vulnerability. If not needed, it should be disabled.

On the other issue, I have just downgraded back to 9.1(1): NAT works again; back to 9.1(7): NAT does not work. So my problem seems to be a bug.

Disabling proxy ARP did not help :(

It was a try, I guess. Have you downgraded back to the old version, just to see if it will work again?

I am checking if there is an interim release and will try it - tried it, problem remains, so it is going to be a case at Cisco.

I've found in some cases I have had to add no-proxy-arp AND add route-lookup onto the NAT statements themselves.

If it's feasible for you to try this then give it a shot

Downgraded to 9.1(4) again - No problems.

Now I have the problem with the IKE vuln :(

You could also try 9.1(6.11) - Cisco updated the recommended upgrade to this version per this page:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Where do I find 9.1(6.11)?

I can download 9.1.6.SMP

Check under all releases, "interim", there it is. If the IKE bug is fixed in that one, it may be OK too. But the recommended release is still 9.1(7)...

Hey Michael,

I was under the same impression, but I read that due to reported issues with 9.1(7) Cisco changed the recommendation.

That of course may just be hearsay, and I had read that 9.1(7.1) was coming, but if you look at the official vulnerability page link, it now recommends 9.1(6.11) or later:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Thanks for the hint, although all our 5512s are on 9.4(2.6) without issues; I did not bother with 9.1(7), which I only use on non-X series (5505, 5510, etc.).

OK, short update: I have tried 9.1(6.11), it did not fix our issue with destination NAT. Bummer... (btw, interim 9.1(7.4), same problem)

I replied earlier but the comment keeps going to the very bottom (noob error on my part, no doubt)

Have you tried 'no-proxy-arp route-lookup' in your NAT configuration?

You don't have something which hitherto didn't cause a problem, such as same security levels on interfaces or anything like that, do you?

Without seeing the specific rule it's hard to say exactly what's going on, but I think there were also some reports of the ordering being broken, so it could always be worth trying to remove and re-add this rule.

Other than that, I'm all out!
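Two suggestions recur in this thread: compare the NAT rules of the pre-upgrade and post-upgrade configs line by line (including their order, since the ASA evaluates NAT rules in order), and add `no-proxy-arp route-lookup` to the static NAT statements. The script below is an added example, not code from the thread or from Cisco: it parses the `nat (...)` lines out of two saved ASA configs, reports rules that were added, removed or reordered, flags static rules that lack both keywords, and emits a copy of the config with the keywords appended. The two configs, the object name `DMZ-WEB` and the addresses in them are constructed for illustration and are not the poster's configuration.

```python
# Added example (not from the thread): diff the NAT section of two saved ASA
# configs and flag static NAT rules that lack "no-proxy-arp route-lookup".
import re

# Constructed sample configs for illustration; object names and addresses are
# made up and are not the poster's configuration.
CONFIG_BEFORE = """\
object network DMZ-WEB
 host 172.16.10.10
nat (inside,dmz) source static any any destination static DMZ-WEB DMZ-WEB
nat (dmz,outside) source dynamic any interface
"""

CONFIG_AFTER = """\
object network DMZ-WEB
 host 172.16.10.10
nat (inside,dmz) source static any any destination static DMZ-WEB DMZ-WEB
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
"""

# Matches both twice NAT ("nat (in,out) source ...") and object NAT lines
# ("nat (in,out) static ..." indented under "object network").
NAT_LINE = re.compile(r"^nat\s+\((?P<src>[^,]+),(?P<dst>[^)]+)\)\s+(?P<body>.*)$")
FLAGS = ("no-proxy-arp", "route-lookup")


def nat_rules(config):
    """Return NAT rules in configuration order as (src_if, dst_if, body) tuples."""
    rules = []
    for line in config.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            rules.append((m["src"], m["dst"], m["body"].strip()))
    return rules


def diff_nat(before, after):
    """Rules added or removed between two configs, and whether the relative
    order of the rules present in both changed (the ASA evaluates NAT in order)."""
    b, a = nat_rules(before), nat_rules(after)
    return {
        "added": [r for r in a if r not in b],
        "removed": [r for r in b if r not in a],
        "reordered": [r for r in b if r in a] != [r for r in a if r in b],
    }


def is_static(body):
    """True for static (including identity) NAT rules, False for dynamic ones."""
    return re.search(r"\bstatic\b", body) is not None


def has_flags(body):
    """True when both keywords are already present as separate tokens."""
    return all(flag in body.split() for flag in FLAGS)


def missing_route_lookup(config):
    """Static NAT rules whose line does not carry both keywords."""
    return [r for r in nat_rules(config) if is_static(r[2]) and not has_flags(r[2])]


def add_route_lookup(config):
    """Return the config with 'no-proxy-arp route-lookup' appended to every
    static NAT rule that lacks it; all other lines are left untouched."""
    out = []
    for line in config.splitlines():
        m = NAT_LINE.match(line.strip())
        if m and is_static(m["body"]) and not has_flags(m["body"]):
            line = line.rstrip() + " " + " ".join(FLAGS)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(diff_nat(CONFIG_BEFORE, CONFIG_AFTER))
    for rule in missing_route_lookup(CONFIG_AFTER):
        print("missing flags:", rule)
    print(add_route_lookup(CONFIG_AFTER))
```

Two caveats when applying this on a real box: `route-lookup` is honoured only on identity NAT (such as the `source static any any` mapping above), so on a non-identity static rule only `no-proxy-arp` takes effect; and rather than trusting the diff alone, verify the path on the ASA itself with `packet-tracer input inside icmp <inside host> 8 0 <DMZ host>`, which shows which NAT rule matched and which egress interface was chosen (the symptom reported in this thread is ICMP being sent out the outside interface instead of the DMZ).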
