SSL on Cisco ASA5510

Posted on 2011-10-10
Last Modified: 2012-05-12
We have 2 * Cisco ASA5510 firewalls - the main one is set up to failover to a second 5510, and is using the management port for that purpose. All of the other LAN ports are in use.
Currently we can manage the ASA using ASDM5.2 from a device on the LAN.
We are now going through PCI Compliance, and one of the vulnerability scans has picked up the fact that the firewall appears to accept connections on SSL v2. However, if I try to set SSL to use v3 or TLS v1 only (as we don't use webVPN), I get a message that I will no longer be able to use ASDM to manage the firewall as changing to SSL v3 will 'prevent ASDM from establishing a secure connection with the ASA'.

So does this mean that the ASA DOES use / accept SSL v2? The help files say that it will accept 'hellos' in v2 but will then try to negotiate to SSLv3 or TLS v1. It doesn't give more details about what happens next, but I would have assumed that if it can't negotiate to one of the later protocols it will drop the connection - is this correct? If that's the case I may be able to get the PCI QSA to accept it.

However, if this is not acceptable and I have to switch to SSL v3 (and therefore lose ASDM), what options do I now have of administering the ASA through a GUI?
Question by: Michael986
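As an added example (not code from the thread or from Cisco), a small Python probe of the behaviour the help files describe: it sends an SSLv2-format ClientHello that advertises TLS 1.0 and classifies the first record that comes back, so you can tell "really answers in SSLv2" (an SSLv2 SERVER-HELLO, a genuine finding) apart from "accepts the v2 hello format but negotiates up to SSLv3/TLS" (an SSLv3/TLS record), which is what a QSA will want to know. The host name is an assumption; the reply bytes used in testing are constructed.

```python
# Added example, not from the thread: probe whether an endpoint really speaks SSLv2
# or only accepts the v2-compatible ClientHello format and negotiates up to v3/TLS.
import socket
import struct

# 3-byte SSLv2 cipher specs: two real v2 kinds plus two SSLv3/TLS suites in v2
# encoding (leading 0x00), so a v3/TLS-only server has something to choose.
CIPHER_SPECS = (b"\x01\x00\x80",   # SSL2_RC4_128_WITH_MD5
                b"\x07\x00\xc0",   # SSL2_DES_192_EDE3_CBC_WITH_MD5
                b"\x00\x00\x0a",   # TLS_RSA_WITH_3DES_EDE_CBC_SHA
                b"\x00\x00\x2f")   # TLS_RSA_WITH_AES_128_CBC_SHA
TLS_MINOR = {0: "sslv3", 1: "tls1.0", 2: "tls1.1", 3: "tls1.2"}

def build_v2_compat_client_hello(max_version=(3, 1), challenge=b"\x00" * 16) -> bytes:
    """SSLv2-format CLIENT-HELLO (msg type 1) advertising max_version, default 0x0301."""
    specs = b"".join(CIPHER_SPECS)
    body = struct.pack("!BBBHHH", 0x01, max_version[0], max_version[1],
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte SSLv2 record header: high bit set, low 15 bits = body length
    return struct.pack("!H", 0x8000 | len(body)) + body

def classify_server_reply(data: bytes) -> str:
    """Name the first record the server sent back in answer to the v2-format hello."""
    if not data:
        return "closed"                           # connection dropped: no SSLv2 at all
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 3 and data[2] in TLS_MINOR:
        kind = "alert" if data[0] == 0x15 else "handshake"
        return f"{TLS_MINOR[data[2]]}-{kind}"     # negotiated up to SSLv3/TLS
    if len(data) >= 3 and data[0] & 0x80:         # SSLv2 2-byte header, msg type next
        # 0x04 = SERVER-HELLO; anything else (e.g. SSLv2 ERROR) is still v2-format
        return "sslv2-server-hello" if data[2] == 0x04 else "sslv2-other"
    return "not-ssl"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to host:port (assumed values) and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_v2_compat_client_hello())
        try:
            return classify_server_reply(sock.recv(4096))
        except socket.timeout:
            return "timeout"

if __name__ == "__main__":
    import sys
    kind = probe(sys.argv[1] if len(sys.argv) > 1 else "asa.example.internal")  # assumed host
    print(kind, "(SSLv2 handshake)" if kind.startswith("sslv2") else "(no SSLv2 handshake)")
```

Run it against the ASA's management address from the LAN; a result of tls1.0-handshake or sslv3-handshake matches the help text (v2 hello accepted, then negotiated up), while sslv2-server-hello means the device really completes an SSLv2 handshake.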
LVL 17

Accepted Solution

Not too sure about the older versions (ASA 7.x / ASDM 5.2 is "somewhat" outdated), but more current versions (tested on ASA 8.2/ASDM 6.4) have no problem with switching to SSL V3 only ... no warning, and no problems connecting with ASDM afterwards ...
We did not experience any problems on customer boxes after upgrading to 8.2 versions, maybe you should think about getting an update ... (is your version still supported by Cisco at all? As for compliance testing, this should have been one of the checks, as if there are no more bug fixes/updates, you could run into problems ...)

Author Closing Comment

These devices were only installed 6 months ago so I'm surprised to see that they're so out of date software-wise. I'll definitely be taking it up with the supplier.

Thanks for the answer - it's nice to get a response from someone who's actually taken the time to read and understand the question!
