CASA-VN-000550 - The Cisco ASA remote access VPN server must be configured to use TLS 1.2 or higher to protect the confidentiality of remote access connections.

Information

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.

NIST SP 800-52 provides guidance for client negotiation on either DoD-only or public-facing servers.

Solution

Configure the ASA to use TLS 1.2 or higher as shown in the example below.

ASA1(config)# ssl server-version tlsv1.2 dtlsv1.2

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|I, CCI|CCI-000068, Rule-ID|SV-239975r666331_rule, STIG-ID|CASA-VN-000550, Vuln-ID|V-239975

Plugin: Cisco

Control ID: eeedc5f6b2d4ec4d3ab02cb3bee0184f5da2c71ca6f1aa4c6339543afe794ab5