Cisco Support Community

ovt
ATN: Cisco. ASA not passing IP header to SSM for ICMP BUG

Scenario: NAT is configured on ASA between the inside and outside interfaces. IPS policy is applied to the outside interface or globally.

BUG details: for ICMP attacks (such as 2150), going from the inside to the outside, the alert contains the public (NATed) IP address as the Src IP, which is not correct. For TCP (such as 5081) the alert contains the private IP address as the Src IP, which is correct. Note: this may depend on the signature engine, not the protocol (ICMP/TCP, etc.). This probably happens because the ASA doesn't pass the pre-NAT packet IP header to the SSM along with the actual data packet. The data packet itself always contains the post-NAT IP header (i.e. the public IP address).

Question: When will this bug be fixed by Cisco?
