| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - svc | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - vpn | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - vpnc | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - vpnfo | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - webfo | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred - webvpn | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000020 - The Cisco ASA must be configured to generate log records containing information to establish when the events occurred. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - logging permit-hostdown | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - logging queue | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging host | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging trap | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000130 - The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication. | CONFIGURATION MANAGEMENT |
| CASA-VN-000150 - The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations - Interface | CONFIGURATION MANAGEMENT |
| CASA-VN-000150 - The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations - IPsec Phase | CONFIGURATION MANAGEMENT |
| CASA-VN-000150 - The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations - Policy | CONFIGURATION MANAGEMENT |
| CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations - Interface | CONFIGURATION MANAGEMENT |
| CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations - IPsec Phase | CONFIGURATION MANAGEMENT |
| CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations - Policy | CONFIGURATION MANAGEMENT |
| CASA-VN-000170 - The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation - ikev2 | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation - peer | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation - pfs | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000190 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes - IKE Phase 1 | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000190 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes - IPsec SA | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000200 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000210 - The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1. | ACCESS CONTROL |
| CASA-VN-000230 - The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000240 - The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2 - IKE Phase 2 | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000240 - The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2 - proposal | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000300 - The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies - ACL | ACCESS CONTROL |
| CASA-VN-000300 - The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies - crypto map | ACCESS CONTROL |
| CASA-VN-000310 - The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection - ipsec-121 | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000310 - The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection - local-authentication | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000310 - The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection - remote-authentication | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - crypto map | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - encryption | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - group | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - integrity | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - ipsec-proposal | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network - prf | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000350 - The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000360 - The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000390 - The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - authorization-required | ACCESS CONTROL |
| CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - authorization-server-group | ACCESS CONTROL |
| CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - ldap | ACCESS CONTROL |
| CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network - ldap-over-ssl | ACCESS CONTROL |
| CASA-VN-000410 - The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000440 - The Cisco ASA remote access VPN server must be configured to enforce certificate-based authentication before granting access to the network. | IDENTIFICATION AND AUTHENTICATION |
