06-01-2022 04:11 AM
We are managing customers' Cisco firewalls with ASA IOS 9.12(4)40 and ASDM 7.17.1. Now customers are asking us to update their ASA firewall ciphers to the latest and recommended version. So my questions here are:
1) What is the recommended cipher version for ASA 9.12(4)40?
2) Do we need to disable any existing or outdated SSL ciphers?
3) Can it be done during production hours?
4) Does the customer need to update their browsers, including Safari, Chrome, Firefox and Explorer, in order to establish a session with the latest encryption and ciphers?
06-01-2022 04:50 AM
@shivunrp the ASA supports TLS 1.2 and DTLS 1.2. If using TLS Remote Access VPN, you want to ensure you are using DTLS 1.2 rather than TLS, as you get better performance.
Most browsers will support TLS 1.2 nowadays; regardless, you'd only need the browser to support TLS 1.2 if using clientless VPN, which has been deprecated from 9.17.
You'd want to disable the older versions of TLS and specify the strongest ciphers - use the cipher security level "high".
Example here: https://integratingit.wordpress.com/2021/01/27/securing-asa-tls-ciphers/
06-01-2022 04:51 AM
In addition to disabling everything below TLS 1.2, I also disable all ciphers that don't support Forward Secrecy. Typically I only have these enabled:
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
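Putting the two answers above together as ASA CLI, as an added example (not configuration posted by anyone in this thread): a weak policy shown in comments next to the hardened one, restricted to TLS 1.2 / DTLS 1.2 and the three forward-secrecy suites listed above. The "before" values are illustrative of a weak state, not a claim about the 9.12 defaults.

```cisco
! --- Weak state this replaces (illustrative, shown as comments only) ---
! ssl server-version tlsv1       -> still negotiates TLS 1.0 / 1.1 with clients
! ssl cipher tlsv1.2 medium      -> permits CBC and non-PFS suites
! ssl dh-group group2            -> 1024-bit DH behind every DHE-* suite
!
! --- Hardened state: TLS 1.2 and DTLS 1.2 only, PFS suites only ---
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
! The DHE-RSA suite below uses this DH group; leaving group2 would
! undo most of the forward-secrecy benefit.
ssl dh-group group14
ssl ecdh-group group19
! Custom suite lists must be quoted. ECDHE-ECDSA-* is only selectable when
! the trustpoint carries an ECDSA certificate; with an RSA certificate only
! the ECDHE-RSA and DHE-RSA entries can actually be negotiated.
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
!
! Check the result before write memory. ASDM and the admins' browsers talk
! to the ASA under this same policy, so open a fresh ASDM session to confirm
! management access still works.
show ssl
show ssl ciphers
```

Because management (ASDM/HTTPS) and AnyConnect share this SSL policy, applying it in a change window with console access available is the safe way to handle question 3.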
06-01-2022 04:16 AM
TLS 1.2 or higher is suggested now (TLS 1.3 soon available widely).
Disabling anything lower is good practice.
9.12.X is a bit old compared to the model you have - what ASA model is this?
06-01-2022 07:39 AM
Thanks for the reply.
We have many devices; all of them are Cisco ASA 5500-X Series Firewalls like 5516-X, 5545-X, 5555-X etc.
06-01-2022 08:30 AM
Thank you so much. Very useful link.