| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000020 - The Cisco ASA must be configured to generate log records containing information to establish when the events occurred. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000130 - The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000150 - The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations. | CONFIGURATION MANAGEMENT |
| CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations. | CONFIGURATION MANAGEMENT |
| CASA-VN-000170 - The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000190 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000200 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000210 - The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1. | ACCESS CONTROL |
| CASA-VN-000230 - The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000240 - The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000300 - The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies. | ACCESS CONTROL |
| CASA-VN-000310 - The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000340 - The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000350 - The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000360 - The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000390 - The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000400 - The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network. | ACCESS CONTROL |
| CASA-VN-000410 - The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000440 - The Cisco ASA remote access VPN server must be configured to enforce certificate-based authentication before granting access to the network. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000450 - The Cisco ASA remote access VPN server must be configured to map the distinguished name (DN) from the client's certificate to entries in the authentication server to determine authorization to access the network. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000460 - The Cisco ASA remote access VPN server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network. | ACCESS CONTROL |
| CASA-VN-000500 - The Cisco ASA remote access VPN server must be configured to generate log records containing information that establishes the identity of any individual or process associated with the event. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000510 - The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish where the events occurred. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000520 - The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish the source of the events. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000530 - The Cisco ASA remote access VPN server must be configured to produce log records containing information to establish the outcome of the events. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000550 - The Cisco ASA remote access VPN server must be configured to use TLS 1.2 or higher to protect the confidentiality of remote access connections. | ACCESS CONTROL |
| CASA-VN-000560 - The Cisco ASA remote access VPN server must be configured to use a FIPS-validated algorithm and hash function to protect the integrity of TLS remote access sessions. | ACCESS CONTROL |
| CASA-VN-000610 - The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000630 - The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions. | ACCESS CONTROL |
| CASA-VN-000640 - The Cisco VPN remote access server must be configured to use AES256 or greater encryption for the Internet Key Exchange (IKE) Phase 1 to protect confidentiality of remote access sessions - IKE Phase 1 to protect confidentiality of remote access sessions. | ACCESS CONTROL |
| CASA-VN-000650 - The Cisco ASA VPN remote access server must be configured to use AES256 or greater encryption for the IPsec security association to protect the confidentiality of remote access sessions - AES encryption for the IPsec security association to protect the confidentiality of remote access sessions. | ACCESS CONTROL |
| CASA-VN-000660 - The Cisco VPN remote access server must be configured to accept Common Access Card (CAC) credential credentials. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000700 - The Cisco ASA VPN remote access server must be configured to disable split-tunneling for remote clients. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000720 - The Cisco ASA VPN remote access server must be configured to generate log records when successful and/or unsuccessful VPN connection attempts occur. | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000760 - The Cisco ASA VPN remote access server must be configured to use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network. | SYSTEM AND COMMUNICATIONS PROTECTION |
| DISA_STIG_Cisco_ASA_VPN_v2r2.audit from DISA Cisco ASA VPN v2r2 STIG | |
