04-24-2017 01:27 AM
Dear All,
Our audit team has observed the following vulnerabilities in our Cisco ASA (5520) firewall. Please suggest how to fix them.
1) Internet Key Exchange (IKE) aggressive mode is enabled, and they asked us to disable it.
Please let me know what the effect will be if we disable aggressive mode. Will my VPN connections work in main mode with the PSK already shared with users? Is any additional configuration required for main mode?
2) Need to disable FTP and use FTPS in place of FTP.
Please share steps to configure FTPS.
We are using version 8.4(4)1.
Please suggest.
04-24-2017 04:11 AM
1) If you are using IKEv1 remote access with the Cisco VPN client and PSK, disabling aggressive mode will affect these users. If you want to disable aggressive mode on the ASA, then you would need to use the Cisco VPN client with certificate authentication (not PSK). Another option is to migrate to the supported Cisco AnyConnect VPN client, which uses SSL instead of IPsec by default.
2) The ASA itself does not act as an FTP server, so when you say "disable FTP" it is not clear what you mean. If port 21 is open on your outside interface, you can modify your outside-in ACL to block regular FTP requests. You would then need to allow port 990 for FTPS requests from the outside.
04-24-2017 06:27 AM
Dear Rahul,
Thanks for your feedback. I have one more doubt.
1) Do I need a license or anything else, or do I need to purchase a certificate, to use certificate-based authentication?
2) To allow FTPS, do I need to allow only port 990?
Please suggest.
04-24-2017 07:36 AM
1) You do not need a license for this, but you would need a Certificate Authority (Microsoft PKI would be sufficient) to issue certificates for all the users and the ASA.
2) If you use implicit FTPS, it means you force clients to use port 990 and run over an encrypted channel. That would be the only port you would need to open. If you want to do explicit, you would need both 21 and 990.
http://www.jscape.com/blog/bid/75602/understanding-key-differences-between-ftp-ftps-and-sftp
07-16-2018 12:49 PM
To disable aggressive mode (crypto isakmp aggressive-mode disable):
config t
crypto ikev1 am-disable
Cleve-Cloud-IPSEC-Services-NGFW-ASA(config)# sh run | inc crypto ikev1
crypto ikev1 enable outside
crypto ikev1 am-disable
Cleve-VPN-ASA-Cor089b30/pri/act# sh run | inc crypto ikev1
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 am-disable
crypto ikev1 ipsec-over-tcp port 10000
-----------------------------------------------------------------------------------------------------
<< To re-enable if needed >>
Cleve-VPN-ASA-Cor089b30/pri/act(config)# no crypto ikev1 am-disable
Cleve-VPN-ASA-Cor089b30/pri/act(config)# sh run | inc crypto ikev1
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
crypto ikev1 policy 2
crypto ikev1 policy 4
show crypto isakmp sa
Running in main mode:
1   IKE Peer: 65.201.134.9
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 66.146.133.66
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Running in aggressive mode:
1   IKE Peer: 192.8.217.145
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 192.8.217.145
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Current version: 9.5.2
Gary Rezabk
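As an added example (not from any of the posts above), here is an offline audit script that checks both findings in this thread against saved ASA CLI output: it confirms "crypto ikev1 am-disable" is in the running config, flags any IKE SA still in an AM_* state in "show crypto isakmp sa" output (the format Gary posted), and checks an outside-in ACL for the FTP-to-FTPS change. The ACL name "outside_in", the server address 203.0.113.10 and the passive-data port range 50000-50100 are assumptions; the sample outputs are constructed to match the thread's format. One caveat the earlier answer does not mention: with FTPS the control channel is encrypted, so the ASA's FTP inspection cannot read the PASV reply and open the data connection dynamically, which is why the server's passive port range has to be permitted statically (implicit FTPS on tcp/990 only is assumed here; explicit FTPS negotiates TLS on tcp/21, so blocking 21 outright would also break that).

```python
"""Post-remediation checks for the two audit findings, run against saved ASA
CLI output so no device access is needed.  Added example, not thread code.
ACL name, server IP and passive range below are assumptions."""
import re

# Constructed sample, same shape as 'sh run | inc crypto ikev1' in the thread.
SAMPLE_IKEV1_RUN = """\
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 am-disable
crypto ikev1 ipsec-over-tcp port 10000
"""

# Constructed sample 'show crypto isakmp sa' output (L2L = site-to-site,
# user = remote-access client; MM_ = main mode, AM_ = aggressive mode).
SAMPLE_ISAKMP_SA = """\
1   IKE Peer: 65.201.134.9
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 192.8.217.145
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# Constructed outside-in ACL (name assumed): legacy FTP rule still present.
SAMPLE_ACL = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq 21
access-list outside_in extended permit tcp any host 203.0.113.10 eq 990
access-list outside_in extended permit tcp any host 203.0.113.10 range 50000 50100
access-list outside_in extended deny ip any any
"""


def aggressive_mode_disabled(run_output):
    """True when 'crypto ikev1 am-disable' appears in the running config."""
    return any(line.strip() == "crypto ikev1 am-disable"
               for line in run_output.splitlines())


PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")


def aggressive_mode_peers(sa_output):
    """Return (peer, state) for every SA whose state is AM_* (aggressive mode).
    Each SA block starts with an 'IKE Peer:' line; its State line follows."""
    peers, current = [], None
    for line in sa_output.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        s = STATE_RE.search(line)
        if s and current is not None:
            if s.group(1).startswith("AM_"):
                peers.append((current, s.group(1)))
            current = None
    return peers


ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\w+)\s+(.*)$")


def permitted_tcp_ports(acl_output, acl_name):
    """Collect TCP ports permitted by an ACL via 'eq N' and 'range A B'.
    Simplified: ignores object-groups, named ports and source-port matches."""
    ports = set()
    for line in acl_output.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name or m.group(2) != "permit":
            continue
        if m.group(3) != "tcp":
            continue
        rest = m.group(4)
        for eq in re.finditer(r"\beq\s+(\d+)", rest):
            ports.add(int(eq.group(1)))
        for rng in re.finditer(r"\brange\s+(\d+)\s+(\d+)", rest):
            ports.update(range(int(rng.group(1)), int(rng.group(2)) + 1))
    return ports


def ftps_findings(acl_output, acl_name, passive_range):
    """Findings for the FTP->implicit-FTPS migration: plain FTP must be gone,
    tcp/990 must be open, and the server's passive data range must be open
    statically because FTP inspection cannot see inside the TLS control channel."""
    ports = permitted_tcp_ports(acl_output, acl_name)
    findings = []
    if 21 in ports:
        findings.append("plain FTP (tcp/21) is still permitted")
    if 990 not in ports:
        findings.append("implicit FTPS control port tcp/990 is not permitted")
    lo, hi = passive_range
    missing = [p for p in range(lo, hi + 1) if p not in ports]
    if missing:
        findings.append(f"{len(missing)} passive data ports in {lo}-{hi} not permitted")
    return findings


if __name__ == "__main__":
    print("am-disable present:", aggressive_mode_disabled(SAMPLE_IKEV1_RUN))
    print("aggressive-mode SAs:", aggressive_mode_peers(SAMPLE_ISAKMP_SA))
    print("FTPS findings:", ftps_findings(SAMPLE_ACL, "outside_in", (50000, 50100)))
```

Note that an existing aggressive-mode SA keeps running until it rekeys or is cleared, so check the SA table again after the client reconnects, not just the running config.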