Configuring Cisco ASA SSL Ciphers

28. September 2015 Cisco ASA

A few of my clients get audited for compliance. The ASAs seem to get reported for having faulty or insecure SSL ciphers. My first thought was to keep the OS updated. Although that helps with the audits, they were still getting flagged for having lower ciphers open.

To protect against SSL vulnerabilities it is important to disable SSLv3 and weak ciphers on your Cisco ASA device.

To change the supported protocols and ciphers, log in to the Cisco ASA via SSH. You can list the current SSL configuration with show ssl and then make the required changes.

You should disable SSLv3 due to the POODLE vulnerability, and you should verify that you are using strong ciphers. I prefer to use ciphers that support PFS, but the Cisco AnyConnect iOS app for the SSL VPN does not support the PFS ciphers, so I had to include aes256-sha1 and aes128-sha1.

asa5505(config)# ssl client-version tlsv1-only
asa5505(config)# ssl server-version tlsv1
asa5505(config)# ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

asa5505# show ssl
Accept connections using SSLv2 or greater and negotiate to TLSv1
Start connections using TLSv1 only and negotiate to TLSv1 only
Enabled cipher order: dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
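When several ASAs have to be checked before an audit, it helps to parse the show ssl output rather than reading it by eye. The script below is an added example, not part of the original post or of any Cisco tool: it parses the show ssl output quoted above (embedded here as constructed sample input), reports whether the box still accepts or negotiates SSLv2/SSLv3, and flags ciphers that are weak (RC4, DES/3DES, NULL, MD5; this list is an assumption beyond what the post names) or that lack forward secrecy (no dhe-/ecdhe- key exchange). On the post's own configuration it reports the two non-PFS ciphers kept for the AnyConnect iOS app and notes that legacy hellos are still accepted before negotiating TLSv1.

```python
"""Offline audit of Cisco ASA 'show ssl' output for legacy protocol
versions and weak or non-PFS ciphers. Added example, not from the post."""
import re

# Constructed sample input: the 'show ssl' output quoted in the post.
SAMPLE_SHOW_SSL = """\
Accept connections using SSLv2 or greater and negotiate to TLSv1
Start connections using TLSv1 only and negotiate to TLSv1 only
Enabled cipher order: dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
"""

# Protocol versions treated as legacy (assumption: everything below TLSv1).
LEGACY_VERSIONS = {"sslv2", "sslv3"}

# Key-exchange prefixes that provide forward secrecy in ASA cipher names.
PFS_PREFIXES = ("dhe-", "ecdhe-")

# Substrings marking a cipher as weak (assumption: RC4, DES/3DES, NULL, MD5).
WEAK_MARKERS = ("rc4", "des", "null", "md5")

SERVER_RE = re.compile(
    r"Accept connections using (\S+)(?: or greater)? and negotiate to (\S+)")
CLIENT_RE = re.compile(
    r"Start connections using (\S+)(?: only)? and negotiate to (\S+)")
CIPHER_RE = re.compile(r"Enabled cipher order:\s*(.*)")


def parse_show_ssl(text):
    """Extract the server/client version policy and the enabled cipher list."""
    info = {"server_accept": None, "server_negotiate": None,
            "client_start": None, "client_negotiate": None, "ciphers": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            info["server_accept"], info["server_negotiate"] = m.group(1), m.group(2)
            continue
        m = CLIENT_RE.match(line)
        if m:
            info["client_start"], info["client_negotiate"] = m.group(1), m.group(2)
            continue
        m = CIPHER_RE.match(line)
        if m:
            info["ciphers"] = m.group(1).split()
    return info


def audit(info):
    """Return a list of (severity, message) findings for the parsed output."""
    findings = []
    negotiate = (info["server_negotiate"] or "").lower()
    accept = (info["server_accept"] or "").lower()
    client = (info["client_negotiate"] or "").lower()
    # Negotiating SSLv2/SSLv3 is the condition POODLE-class attacks need.
    if negotiate in LEGACY_VERSIONS:
        findings.append(("high", f"server negotiates legacy protocol {info['server_negotiate']}"))
    # Accepting legacy hellos but negotiating TLSv1 is what the post's output shows;
    # scanners may still report it, so it is surfaced as informational.
    if accept in LEGACY_VERSIONS:
        findings.append(("info", f"server still accepts {info['server_accept']} hellos "
                                 f"before negotiating {info['server_negotiate']}"))
    if client in LEGACY_VERSIONS:
        findings.append(("high", f"client negotiates legacy protocol {info['client_negotiate']}"))
    if not info["ciphers"]:
        findings.append(("high", "no cipher list found in output"))
    for cipher in info["ciphers"]:
        name = cipher.lower()
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(("high", f"weak cipher enabled: {cipher}"))
        elif not name.startswith(PFS_PREFIXES):
            # Static RSA key exchange: no forward secrecy.
            findings.append(("medium", f"cipher without forward secrecy enabled: {cipher}"))
    return findings


def main():
    info = parse_show_ssl(SAMPLE_SHOW_SSL)
    print("cipher order:", " ".join(info["ciphers"]))
    for severity, message in audit(info):
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main()
```

Feed it the output of show ssl captured over SSH from each ASA; anything rated high is a setting the post's procedure would change, and the medium findings are the forward-secrecy trade-off the post makes deliberately for the AnyConnect iOS client.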

Done.
