SSL on Cisco ASA5510

Posted on 2011-10-10
Medium Priority
Last Modified: 2012-05-12
We have 2 x Cisco ASA5510 firewalls - the main one is set up to failover to a second 5510, and is using the management port for that purpose. All of the other LAN ports are in use.
Currently we can manage the ASA using ASDM5.2 from a device on the LAN.
We are now going through PCI Compliance, and one of the vulnerability scans has picked up the fact that the firewall appears to accept connections on SSL v2. However, if I try to set SSL to use v3 or TLS v1 only (as we don't use webVPN), I get a message that I will no longer be able to use ASDM to manage the firewall as changing to SSL v3 will 'prevent ASDM from establishing a secure connection with the ASA'.

So does this mean that the ASA DOES use / accept SSL v2? The help files say that it will accept 'hellos' in v2 but will then try to negotiate to SSLv3 or TLS v1. It doesn't give more details about what happens next, but I would have assumed that if it can't negotiate to one of the later protocols it will drop the connection - is this correct? If that's the case I may be able to get the PCI QSA to accept it.

However, if this is not acceptable and I have to switch to SSL v3 (and therefore lose ASDM), what options do I now have of administering the ASA through a GUI?

Question by: Michael986
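The help-file wording quoted in the question ("accepts hellos in v2 but then negotiates SSLv3 or TLS v1") refers to the SSLv2 *record format* of the ClientHello, which older clients send even when they want TLS. The added example below (not from the original question or from Cisco) parses such a v2-format hello and models a server that reads it but will only negotiate SSLv3/TLSv1, so a pure SSLv2 client is rejected while a TLS-capable client still connects; the `negotiate` function is an illustrative model of that behaviour, not documented ASA code, and the hello messages are constructed test input.

```python
import struct

# Human-readable names for the version field of a ClientHello (constructed table).
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0"}

def build_v2_client_hello(version, ciphers, challenge=b"\x11" * 16):
    """Build an SSLv2-format CLIENT-HELLO (constructed test input, not a capture)."""
    cipher_specs = b"".join(struct.pack(">I", c)[1:] for c in ciphers)  # 3 bytes each
    body = struct.pack(">BHHHH", 0x01, version, len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, MSB set

def parse_v2_client_hello(data):
    """Parse an SSLv2-format CLIENT-HELLO into its fields."""
    if not data or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    specs = body[9:9 + cs_len]
    if len(specs) != cs_len or cs_len % 3:
        raise ValueError("bad cipher-spec length")
    ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    sid_end = 9 + cs_len + sid_len
    return {"version": version, "ciphers": ciphers,
            "session_id": body[9 + cs_len:sid_end],
            "challenge": body[sid_end:sid_end + ch_len]}

def negotiate(hello, server_min=0x0300, server_max=0x0301):
    """Model of a server that accepts v2-format hellos but only speaks SSLv3/TLSv1.
    Returns the negotiated version name, or None if the handshake must fail."""
    # SSLv2-only cipher specs have a non-zero first byte; SSLv3/TLS suites are 0x00xxxx.
    usable = [c for c in hello["ciphers"] if c >> 16 == 0]
    chosen = min(hello["version"], server_max)
    if chosen < server_min or not usable:
        return None  # pure SSLv2 client: nothing in common, connection is dropped
    return VERSION_NAMES[chosen]
```

Setting `server_min=0x0301` models the "TLS v1 only" choice from the question: an SSLv3-only client is then refused as well, which is the behaviour a QSA would expect to see in a rescan.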

Accepted Solution

Garry Glendown earned 2000 total points
ID: 36947064
Not too sure about the older versions (ASA 7.x / ASDM 5.2 is "somewhat" outdated), but more current versions (tested on ASA 8.2/ASDM 6.4) have no problem with switching to SSL V3 only ... no warning, and no problems connecting with ASDM afterwards ...
We did not experience any problems on customer boxes after upgrading to 8.2 versions, maybe you should think about getting an update ... (is your version still supported by Cisco at all? As for compliance testing, this should have been one of the checks, as if there are no more bug fixes/updates, you could run into problems ...)

Author Closing Comment

ID: 36952738
These devices were only installed 6 months ago so I'm surprised to see that they're so out of date software-wise. I'll definitely be taking it up with the supplier.

Thanks for the answer - it's nice to get a response from someone who's actually taken the time to read and understand the question!
