SSL connections through an ASA to a SSL/TLS Server - Can I enforce TLS versions ?

gp1200x (Level 2)

I am running code 8.2.5. If I allow an SSL/TLS connection to a new server inside, can I enforce the use of TLS 1.1 or 1.2 in case the server is not? Or do I not have any control over that within the ASA command set?

Accepted Solution

Shivapramod M (Level 1)

Hi,

As per my understanding, you have a server inside and you are allowing HTTPS traffic through the ASA, so the ASA acts as a passthrough device. Please correct me if I am wrong.

If it is passthrough traffic for the ASA, then you need to make the changes on the server or on the clients. Since it is not possible to make the changes on every client, you have to enforce the SSL settings on the server itself. Since SSLv3 is obsolete, browsers usually send TLS 1.2 as the SSL version.

You do not have to make any changes on the ASA if the ASA is a passthrough device. The SSL commands present on the ASA apply only when the ASA is acting as the SSL client or server.

P.S. Please rate helpful posts.

Thanks,

Shivapramod M
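Since the accepted answer puts the enforcement on the server rather than on the passthrough ASA, the practical follow-up is to verify what the inside server actually negotiates. The script below is an added example written for this thread, not code from the original posts or from Cisco: it pins a client context to one TLS version at a time and records which handshakes the server completes. It assumes a reachable host and port (the default host name is a placeholder) and needs only the Python standard library.

```python
import socket
import ssl

# Protocol versions to probe, oldest first. TLS 1.0 and 1.1 are deprecated
# (RFC 8996), so a server that still accepts them is what this check flags.
PROBE_VERSIONS = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
DEPRECATED = {"TLSv1", "TLSv1_1"}


def build_client_context(version_name):
    """Build a client SSLContext pinned to exactly one protocol version.

    Certificate verification is switched off on purpose: the probe asks which
    protocol versions the server negotiates, not whether its chain is valid.
    """
    version = ssl.TLSVersion[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version_name in DEPRECATED:
        # Current OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lowering it here affects only this probe context, never a server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_version(host, port, version_name, timeout=5.0):
    """Return True if the server completes a handshake at version_name.

    Any failure (refused connection, TLS alert, or a local TLS library that
    cannot even offer the version) counts as "not accepted".
    """
    try:
        ctx = build_client_context(version_name)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_server(host, port=443):
    """Map each probed version name to whether the server accepted it."""
    return {name: probe_version(host, port, name) for name in PROBE_VERSIONS}


def deprecated_versions_accepted(results):
    """Return, sorted, the deprecated versions the server still accepts."""
    return sorted(name for name, ok in results.items()
                  if ok and name in DEPRECATED)


if __name__ == "__main__":
    import sys
    # "server.example.invalid" is a placeholder; pass the real inside server.
    target = sys.argv[1] if len(sys.argv) > 1 else "server.example.invalid"
    results = probe_server(target)
    for name, ok in results.items():
        print(f"{name:8s} {'accepted' if ok else 'rejected'}")
    bad = deprecated_versions_accepted(results)
    print("deprecated versions still accepted:", ", ".join(bad) or "none")
```

Run it from a host that can reach the server through the ASA (for example `python3 probe_tls.py 10.0.0.5`), and re-run after changing the server's protocol settings: the expected end state is TLSv1 and TLSv1_1 reported as rejected and nothing listed as still accepted. Note that the result reflects the server, not the firewall: on ASA 8.2 the passthrough path does not alter the handshake either way.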


3 Replies

Dinesh Moudgil (Cisco Employee)

Hi gp1200x,

Available options on ASA 8.2 code are either SSLv3 only, TLSv1 only, or any:

ssl client-version [any | sslv3-only | tlsv1-only]

any

The adaptive security appliance sends SSL version3 hellos, and negotiates either SSL version 3 or TLS version 1.

sslv3-only

The security appliance sends SSL version 3 hellos, and accepts only SSL version 3.

tlsv1-only

The security appliance sends TLSv1 client hellos, and accepts only TLS version 1.


Refer to the command reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s8.html#wp1366107

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/


As already mentioned, it's not possible with your ASA. If you want to control that on a firewall and not directly on a server or reverse proxy (I would use a reverse proxy like NGINX in a DMZ), then one option is the newest generation of ASA with FirePOWER, where you can control SSL versions. But that would be a completely new device, nothing that you can upgrade your ASA to use.
