3381 Views, 15 Helpful, 5 Replies

What is Cisco recommended ciphers for cisco ASA

shivunrp (Level 1)

We are managing customers' Cisco firewalls with ASA IOS 9.12(4)40 and ASDM 7.17.1. Now the customers are asking us to update their ASA firewall ciphers to the latest and recommended version. So my questions here are:

 

1) What is the recommended cipher version for ASA 9.12(4)40?
2) Do we need to disable any existing or outdated SSL ciphers?
3) Can it be done during production hours?
4) Does the customer need to update their browsers, including Safari, Chrome, Firefox and Explorer, in order to establish a session with the latest encryption and ciphers?

 

 

5 Replies

balaji.bandi (Hall of Fame)

TLS 1.2 or higher is suggested now (TLS 1.3 will soon be widely available).

Disabling anything lower is good practice.

9.12.x is a bit old compared to the model you have - what ASA model is this?

BB

Thanks for the reply.

 

We have many devices; all of them are Cisco ASA 5500-X Series firewalls like the 5516-X, 5545-X, 5555-X, etc.

@shivunrp the ASA supports TLS 1.2 and DTLS 1.2. If using TLS Remote Access VPN you want to ensure you are using DTLS 1.2 rather than TLS, as you get better performance.

Most browsers will support TLS 1.2 nowadays; regardless, you'd only need the browser to support TLS 1.2 if using clientless VPN, which has been deprecated from 9.17.

You'd want to disable the older versions of TLS and specify the strongest ciphers - use the cipher security level "high".

Example here: https://integratingit.wordpress.com/2021/01/27/securing-asa-tls-ciphers/

 

Thank you so much. Very useful link.

In addition to disabling everything below TLS 1.2, I also disable all ciphers that don't support forward secrecy. Typically I only have these enabled:

 

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
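As an added example (not from this thread or from Cisco), here is a small Python audit that reads the text of `show running-config ssl` from an ASA and flags the settings the two answers above say to change: a minimum (D)TLS version below 1.2, a cipher level other than "high" or a custom list, any custom suite without ECDHE/DHE forward secrecy, and a DH group under 2048 bits. The `ssl` command syntax is assumed from the ASA 9.x command reference, and both sample configs are constructed, not captured from a real device.

```python
import re

# Key exchanges that give forward secrecy (the ECDHE/DHE suites kept in the thread)
FS_PREFIXES = ("ECDHE-", "DHE-")
# Rank of each ASA (D)TLS version keyword; "ssl server-version X" sets the minimum
VERSION_RANK = {"tlsv1": 1, "tlsv1.1": 2, "tlsv1.2": 3, "tlsv1.3": 4,
                "dtlsv1": 1, "dtlsv1.2": 3}
SMALL_DH_GROUPS = {"group1", "group2", "group5"}  # modulus under 2048 bits


def audit_asa_ssl(config: str) -> list[str]:
    """Return findings for the text of 'show running-config ssl' (constructed parser)."""
    findings = []
    for raw in config.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "ssl":
            continue
        kind = parts[1]
        if kind in ("server-version", "client-version"):
            for v in parts[2:]:  # e.g. "tlsv1.2 dtlsv1.2"
                if VERSION_RANK.get(v, 0) < VERSION_RANK["tlsv1.2"]:
                    findings.append(f"{kind} allows {v} (minimum should be 1.2)")
        elif kind == "cipher" and len(parts) >= 4:
            version, level = parts[2], parts[3]
            if level == "custom":
                m = re.search(r'"([^"]*)"', raw)  # ASA custom list is colon-separated
                for suite in re.split(r"[:\s]+", m.group(1).strip()) if m else []:
                    if suite and not suite.startswith(FS_PREFIXES):
                        findings.append(f"cipher {version} custom suite {suite} lacks forward secrecy")
            elif level != "high":
                findings.append(f"cipher {version} level {level} (use high or a custom list)")
        elif kind == "dh-group" and parts[2] in SMALL_DH_GROUPS:
            findings.append(f"dh-group {parts[2]} is under 2048 bits (use group14 or stronger)")
    return findings


# Constructed sample: pre-hardening config (minimum TLS 1.0, medium ciphers, 1024-bit DH)
WEAK_CONFIG = """\
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.2 medium
ssl dh-group group2
"""

# Constructed sample applying the thread's advice: (D)TLS 1.2 only, forward-secrecy suites
HARDENED_CONFIG = """\
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl dh-group group14
ssl ecdh-group group20
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1.2 high
"""
```

Run `audit_asa_ssl(WEAK_CONFIG)` before the change window and `audit_asa_ssl(HARDENED_CONFIG)` afterwards; the second should come back empty.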