08-09-2018 11:05 PM - edited 02-21-2020 08:05 AM
Dear All,
I have been running webvpn and other services on my Cisco ASA 5510 for a long time. Recently one of the bodies that inspect network security came up with a different result concerning weak points in my firewall, which include:
1. Remote access service detected.
2. Weak diffie-hellman groups identified on vpn devices (currently using group 2)
3. Weak encryption ciphers identified on vpn devices
What do I need to do to resolve these weak points in my firewall? These are my current crypto configurations:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
08-10-2018 08:18 AM
Here is a pretty good document concerning next generation cryptography settings from Cisco:
https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
Here are the issues in the current crypto config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
encryption des
hash md5
group 2
You should probably switch from 3DES and MD5 to AES-256 and SHA512. As for DH, here are the groups from the document I linked; I wouldn't use anything below group 14.
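As an added example (not from the thread or from Cisco), the following Python script encodes the thresholds given in the answer above (no DES/3DES, no MD5, no Diffie-Hellman group below 14) and runs them over the configuration posted in the question plus a constructed hardened version written in the same IKEv1 syntax. It also catches a detail that is easy to miss when only the isakmp policy is edited: the dynamic map uses `set pfs` with no group argument, which on ASA I take to negotiate group 2 by default (stated as an assumption in the code). The hardened sample keeps `hash sha` / `esp-sha-hmac` (SHA-1 HMAC) because whether SHA-2 keywords and group 14 are accepted depends on the ASA software release; the script reports SHA-1 as "legacy" rather than "weak" so that distinction is visible.

```python
"""Audit a Cisco ASA IKEv1/IPsec crypto config for weak algorithm choices.

Added example, not code from the thread or from Cisco. Thresholds follow the
answer above: no DES/3DES, no MD5, no DH group below 14. SHA-1 is reported
as "legacy" (acceptable as HMAC, but prefer SHA-2), not as "weak".
"""
import re
from dataclasses import dataclass
from typing import Dict, List

WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"md5", "esp-md5-hmac", "esp-none"}
LEGACY_HASHES = {"sha", "esp-sha-hmac"}
MIN_DH_GROUP = 14
DEFAULT_PFS_GROUP = 2  # assumption: ASA 'set pfs' with no group keyword uses group 2

TRANSFORM_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+)\s+(.+)$")
POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
POLICY_ATTR_RE = re.compile(r"^(authentication|encryption|hash|group|lifetime)\s+(\S+)$")
PFS_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set pfs(?:\s+group(\d+))?$")

# Constructed sample: the configuration exactly as posted in the question.
ORIGINAL_CONFIG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

# Constructed hardened version (assumes the release accepts aes-256 and group 14).
HARDENED_CONFIG = """
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set pfs group14
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES256-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
"""


@dataclass
class Finding:
    severity: str  # "weak" or "legacy"
    where: str
    detail: str


def parse_config(text: str) -> Dict[str, dict]:
    """Collect transform-sets, isakmp policies and PFS settings from config text."""
    cfg: Dict[str, dict] = {"transform_sets": {}, "policies": {}, "pfs": {}}
    current = None  # policy block currently being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := TRANSFORM_RE.match(line)):
            current = None
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif (m := PFS_RE.match(line)):
            current = None
            defaulted = m.group(3) is None
            grp = DEFAULT_PFS_GROUP if defaulted else int(m.group(3))
            cfg["pfs"][f"{m.group(1)} {m.group(2)}"] = (grp, defaulted)
        elif (m := POLICY_RE.match(line)):
            current = cfg["policies"].setdefault(m.group(1), {})
        elif (m := POLICY_ATTR_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        elif line.startswith("crypto"):
            current = None  # any other crypto command ends the policy block
    return cfg


def audit(text: str) -> List[Finding]:
    """Return every weak or legacy algorithm choice found in the config."""
    cfg, out = parse_config(text), []
    for name, algs in cfg["transform_sets"].items():
        for alg in algs:
            if alg in WEAK_CIPHERS:
                out.append(Finding("weak", f"transform-set {name}", f"weak cipher {alg}"))
            elif alg in WEAK_HASHES:
                out.append(Finding("weak", f"transform-set {name}", f"weak integrity {alg}"))
            elif alg in LEGACY_HASHES:
                out.append(Finding("legacy", f"transform-set {name}", f"SHA-1 integrity {alg}; prefer SHA-2"))
    for num, a in cfg["policies"].items():
        where = f"isakmp policy {num}"
        if a.get("encryption") in WEAK_CIPHERS:
            out.append(Finding("weak", where, f"weak encryption {a['encryption']}"))
        if a.get("hash") in WEAK_HASHES:
            out.append(Finding("weak", where, f"weak hash {a['hash']}"))
        elif a.get("hash") in LEGACY_HASHES:
            out.append(Finding("legacy", where, f"SHA-1 hash {a['hash']}; prefer SHA-2"))
        if "group" in a and int(a["group"]) < MIN_DH_GROUP:
            out.append(Finding("weak", where, f"DH group {a['group']} below {MIN_DH_GROUP}"))
    for where, (grp, defaulted) in cfg["pfs"].items():
        if grp < MIN_DH_GROUP:
            note = " (no group given; ASA default)" if defaulted else ""
            out.append(Finding("weak", f"dynamic-map {where}", f"PFS group {grp}{note} below {MIN_DH_GROUP}"))
    return out


def has_weak(text: str) -> bool:
    """True if the config contains any finding rated 'weak'."""
    return any(f.severity == "weak" for f in audit(text))


if __name__ == "__main__":
    for label, cfg_text in (("original", ORIGINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: weak={has_weak(cfg_text)}")
        for f in audit(cfg_text):
            print(f"  [{f.severity}] {f.where}: {f.detail}")
```

Run as-is, the original config produces seven "weak" findings (3DES, DES, MD5 in the transform-sets; DES, MD5 and group 2 in the isakmp policy; and the defaulted PFS group 2 on the dynamic map) plus one legacy note for SHA-1, while the hardened config produces only the two SHA-1 legacy notes. Feed it the output of `show running-config crypto` from your own ASA to check the result before and after the change.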
08-20-2018 10:46 AM
Thanks a lot Ben and RJI. What you suggested was very helpful.
Regards,
Talha