ATN: Cisco. ASA not passing IP header to SSM for ICMP BUG
Scenario: NAT is configured on the ASA between the inside and outside interfaces. The IPS policy is applied to the outside interface or globally.
BUG details: for ICMP attacks (such as signature 2150) going from inside to outside, the alert contains the public (NATed) IP address as the Src IP, which is not correct. For TCP (such as signature 5081) the alert contains the private IP address as the Src IP, which is correct. Note: this may depend on the signature engine rather than on the protocol (ICMP/TCP, etc.). This probably happens because the ASA does not pass the pre-NAT IP header to the SSM along with the actual data packet. The data packet itself always carries the post-NAT IP header (i.e. the public IP address).
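While the bug stands, an analyst still needs the real inside host behind an ICMP alert. The following added example (not part of the original note) recovers it by correlating the alert's post-NAT source address with the ASA's own %ASA-6-305011 "Built ... translation" syslog messages; it assumes that message format and that the ICMP identifier appears in the port field of the xlate, and the log lines are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample ASA syslog lines (not from the original note) in the
# %ASA-6-305011 format, assumed to read
# "from real_if:real_addr/real_port to mapped_if:mapped_addr/mapped_port".
ASA_SYSLOG = """\
Jan 10 2013 10:00:01 fw1 %ASA-6-305011: Built dynamic ICMP translation from inside:10.1.1.5/512 to outside:203.0.113.10/512
Jan 10 2013 10:00:03 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.7/41000 to outside:203.0.113.10/41000
Jan 10 2013 10:01:30 fw1 %ASA-6-305011: Built dynamic ICMP translation from inside:10.1.1.9/513 to outside:203.0.113.10/513
"""

TS_FMT = "%b %d %Y %H:%M:%S"
XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-305011: "
    r"Built \w+ (?P<proto>\w+) translation from "
    r"(?P<real_if>[\w-]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) to "
    r"(?P<mapped_if>[\w-]+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)$"
)

def parse_xlates(text):
    """Parse 305011 lines into dicts; lines in any other format are skipped."""
    xlates = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["real_port"] = int(d["real_port"])
        d["mapped_port"] = int(d["mapped_port"])
        xlates.append(d)
    return xlates

def recover_inside_source(alert, xlates):
    """Return (real_src_ip, corrected) for an alert dict with ts/proto/src_ip/src_port.

    TCP alerts already carry the pre-NAT (inside) address, so they pass through.
    ICMP alerts carry the post-NAT address; the most recent ICMP xlate built at or
    before the alert whose mapped address and ICMP id match names the inside host.
    """
    if alert["proto"] != "ICMP":
        return alert["src_ip"], False
    alert_ts = datetime.strptime(alert["ts"], TS_FMT)
    candidates = [x for x in xlates
                  if x["proto"] == "ICMP" and x["mapped_ip"] == alert["src_ip"]
                  and x["mapped_port"] == alert["src_port"] and x["ts"] <= alert_ts]
    if not candidates:
        return None, False  # no matching xlate: cannot attribute, flag for review
    best = max(candidates, key=lambda x: x["ts"])
    return best["real_ip"], True
```

Xlate messages are only logged when the translation is built, so the syslog window fed to `parse_xlates` must start before the alert, not at it.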