DISA STIG Cisco ASA VPN v2r1

Audit Details

Name: DISA STIG Cisco ASA VPN v2r1

Updated: 8/28/2024

Authority: DISA STIG

Plugin: Cisco

Revision: 1.0

Estimated Item Count: 98

File Details

Filename: DISA_STIG_Cisco_ASA_VPN_v2r1.audit

Size: 219 kB

MD5: 06c6384d917896d1b48a00c4d6c37e8c
SHA256: 7c78aa2fd2276e48eba25abb0e1236acb37cf9db45614757bb16a08e2e478ca7

Audit Items

DescriptionCategories
CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - svc

AUDIT AND ACCOUNTABILITY

CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - vpn

AUDIT AND ACCOUNTABILITY

CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - vpnc

AUDIT AND ACCOUNTABILITY

CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - vpnfo

AUDIT AND ACCOUNTABILITY

CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - webfo

AUDIT AND ACCOUNTABILITY

CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - webvpn

AUDIT AND ACCOUNTABILITY

CASA-VN-000020 - The Cisco ASA must be configured to generate log records containing information to establish when the events occurred.

AUDIT AND ACCOUNTABILITY

CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - logging permit-hostdown

AUDIT AND ACCOUNTABILITY

CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - logging queue

AUDIT AND ACCOUNTABILITY

CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging host

AUDIT AND ACCOUNTABILITY

CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging trap

AUDIT AND ACCOUNTABILITY

CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority.

IDENTIFICATION AND AUTHENTICATION

CASA-VN-000130 - The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication.

CONFIGURATION MANAGEMENT

CASA-VN-000150 - The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations - Interface

CONFIGURATION MANAGEMENT

CASA-VN-000150 - The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations - IPsec Phase

CONFIGURATION MANAGEMENT

CASA-VN-000150 - The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations - Policy

CONFIGURATION MANAGEMENT

CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations - Interface

CONFIGURATION MANAGEMENT

CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations - IPsec Phase

CONFIGURATION MANAGEMENT

CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations - Policy

CONFIGURATION MANAGEMENT

CASA-VN-000170 - The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation - ikev2

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation - peer

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation - pfs

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000190 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes - IKE Phase 1

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000190 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes - IPsec SA

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000200 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services.

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000210 - The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1.

ACCESS CONTROL

CASA-VN-000230 - The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1.

IDENTIFICATION AND AUTHENTICATION

CASA-VN-000240 - The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2 - IKE Phase 2

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000240 - The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2 - proposal

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000300 - The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies - ACL

ACCESS CONTROL

CASA-VN-000300 - The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies - crypto map

ACCESS CONTROL

CASA-VN-000310 - The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection - ipsec-121

IDENTIFICATION AND AUTHENTICATION

CASA-VN-000310 - The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection - local-authentication

IDENTIFICATION AND AUTHENTICATION

CASA-VN-000310 - The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection - remote-authentication

IDENTIFICATION AND AUTHENTICATION

CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - crypto map

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - encryption

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - group

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - integrity

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - ipsec-proposal

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - prf

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000350 - The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000360 - The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-VN-000390 - The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access.

IDENTIFICATION AND AUTHENTICATION

CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - authorization-required

ACCESS CONTROL

CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - authorization-server-group

ACCESS CONTROL

CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - ldap

ACCESS CONTROL

CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - ldap-over-ssl

ACCESS CONTROL

CASA-VN-000410 - The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network.

IDENTIFICATION AND AUTHENTICATION

CASA-VN-000440 - The Cisco ASA remote access VPN server must be configured to enforce certificate-based authentication before granting access to the network.

IDENTIFICATION AND AUTHENTICATION