SSL on Cisco ASA5510

We have two Cisco ASA5510 firewalls - the main one is set up to fail over to a second 5510, and is using the management port for that purpose. All of the other LAN ports are in use.
 
Currently we can manage the ASA using ASDM5.2 from a device on the LAN.
 
We are now going through PCI Compliance, and one of the vulnerability scans has picked up the fact that the firewall appears to accept connections on SSL v2. However, if I try to set SSL to use v3 or TLS v1 only (as we don't use webVPN), I get a message that I will no longer be able to use ASDM to manage the firewall, as changing to SSL v3 will 'prevent ASDM from establishing a secure connection with the ASA'.

So does this mean that the ASA DOES use / accept SSL v2? The help files say that it will accept 'hellos' in v2 but will then try to negotiate to SSLv3 or TLS v1. It doesn't give more details about what happens next, but I would have assumed that if it can't negotiate to one of the later protocols it will drop the connection - is this correct? If that's the case I may be able to get the PCI QSA to accept it.

However, if this is not acceptable and I have to switch to SSL v3 (and therefore lose ASDM), what options do I now have of administering the ASA through a GUI?

Michael986 asked:
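The question turns on the difference between a server that merely *accepts an SSLv2-format hello* and then negotiates SSLv3 or TLS v1, and one that actually speaks SSLv2. The following is an added example, not code from this thread or from Cisco: it parses the two ClientHello wire formats a scanner can send to port 443 (the legacy SSLv2 record framing and the SSLv3/TLS record layer) and models the two server behaviours the asker describes, "accept the v2 hello and negotiate up, otherwise drop" versus "refuse the v2 framing outright". The sample hellos, cipher values and policy names are constructed for illustration and are not the ASA's own settings or output.

```python
"""Classify a ClientHello and model a 'no SSLv2' server policy.

Added example (not from the Experts Exchange thread or Cisco).  All sample
bytes and policy names below are constructed for illustration.
"""
import struct

SSLV2, SSLV3, TLS10, TLS11, TLS12 = 0x0002, 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSLV2: "SSLv2", SSLV3: "SSLv3", TLS10: "TLSv1.0",
                 TLS11: "TLSv1.1", TLS12: "TLSv1.2"}


def parse_client_hello(data: bytes) -> dict:
    """Return {'format', 'version', 'ciphers'} for an SSLv2-format or an
    SSLv3/TLS-record ClientHello; raise ValueError for anything else."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:
        # SSLv2 record framing: 2-byte header, high bit set, 15-bit body length.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length or length < 9 or body[0] != 0x01:
            raise ValueError("malformed SSLv2 ClientHello")
        version, cs_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
        if 9 + cs_len + sid_len + chal_len != length or cs_len % 3:
            raise ValueError("SSLv2 ClientHello length fields inconsistent")
        specs = body[9:9 + cs_len]
        # Cipher specs are 3 bytes each.  A leading 0x00 byte marks an SSLv3/TLS
        # suite carried in the v2 format; anything else is an SSLv2-only cipher.
        ciphers = [specs[i:i + 3] for i in range(0, cs_len, 3)]
        return {"format": "sslv2-hello", "version": version, "ciphers": ciphers}
    if data[0] == 0x16:
        # SSLv3/TLS record layer: content type 0x16 (handshake), version, length.
        _rec_version, rec_len = struct.unpack(">HH", data[1:5])
        hs = data[5:5 + rec_len]
        if len(hs) != rec_len or len(hs) < 6 or hs[0] != 0x01:
            raise ValueError("malformed TLS handshake record")
        hs_len = int.from_bytes(hs[1:4], "big")
        hs_body = hs[4:4 + hs_len]
        if len(hs_body) != hs_len or hs_len < 35:
            raise ValueError("TLS ClientHello length mismatch")
        client_version = struct.unpack(">H", hs_body[0:2])[0]
        pos = 2 + 32                         # skip client_version + 32-byte random
        sid_len = hs_body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack(">H", hs_body[pos:pos + 2])[0]
        pos += 2
        if pos + cs_len > len(hs_body) or cs_len % 2:
            raise ValueError("TLS cipher_suites field inconsistent")
        suites = hs_body[pos:pos + cs_len]
        ciphers = [suites[i:i + 2] for i in range(0, cs_len, 2)]
        return {"format": "tls-record", "version": client_version, "ciphers": ciphers}
    raise ValueError("not an SSL/TLS ClientHello")


def negotiate(hello: dict, server_versions: set, accept_v2_hello: bool):
    """Model of a server that never speaks SSLv2 itself.  Returns the name of the
    version it would pick, or None when it should drop the connection."""
    if hello["format"] == "sslv2-hello" and not accept_v2_hello:
        return None                          # v2 framing refused outright
    if hello["format"] == "sslv2-hello" and all(c[0] != 0 for c in hello["ciphers"]):
        return None                          # only SSLv2 ciphers offered: nothing to upgrade to
    usable = [v for v in server_versions if v != SSLV2 and v <= hello["version"]]
    return VERSION_NAMES[max(usable)] if usable else None


def sslv2_hello(version: int, cipher_specs: bytes) -> bytes:
    """Construct an SSLv2-format ClientHello (16-byte challenge, no session id)."""
    challenge = bytes(range(16))
    body = (b"\x01" + struct.pack(">HHHH", version, len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def tls_hello(version: int, suites: bytes) -> bytes:
    """Construct an SSLv3/TLS-record ClientHello with null compression only."""
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


# Constructed sample hellos (cipher values: 01 00 80 = SSLv2 RC4-128-MD5,
# 00 00 0a = TLS_RSA_WITH_3DES_EDE_CBC_SHA in v2 framing, 00 2f = AES128-SHA).
SAMPLES = {
    "v2-only-client": sslv2_hello(SSLV2, b"\x01\x00\x80"),
    "v2-hello-offering-v3": sslv2_hello(SSLV3, b"\x01\x00\x80" + b"\x00\x00\x0a"),
    "tls-record-hello": tls_hello(TLS10, b"\x00\x2f"),
}

# Constructed policy names; the ASA's actual setting names are not taken from the thread.
SERVER_POLICIES = {
    "accept-v2-hello-negotiate-up": (True, {SSLV3, TLS10}),
    "sslv3-tlsv1-only": (False, {SSLV3, TLS10}),
}


def evaluate() -> dict:
    """Return {(policy, sample): negotiated version or None} for every combination."""
    results = {}
    for pname, (accept_v2, versions) in SERVER_POLICIES.items():
        for sname, raw in SAMPLES.items():
            results[(pname, sname)] = negotiate(parse_client_hello(raw), versions, accept_v2)
    return results


if __name__ == "__main__":
    for (policy, sample), outcome in evaluate().items():
        print(f"{policy:30s} {sample:22s} -> {outcome or 'connection dropped'}")
```

Under the "accept and negotiate up" policy an SSLv2-only client is still dropped (there is no SSLv3/TLS version it can be moved to), while a v2-framed hello that offers SSLv3 completes as SSLv3; under the "only" policy every v2-framed hello is refused, and only the TLS-record hello gets through. That is the distinction a PCI scanner cannot see from the outside: it usually flags any host that answers a v2-framed hello at all, which is why a QSA will want evidence of which of the two behaviours the device actually implements rather than the asker's assumption.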
Garry Glendown (Consulting and Network/Security Specialist) commented:
Not too sure about the older versions (ASA 7.x / ASDM 5.2 is "somewhat" outdated), but more current versions (tested on ASA 8.2/ASDM 6.4) have no problem with switching to SSL V3 only ... no warning, and no problems connecting with ASDM afterwards ...
We did not experience any problems on customer boxes after upgrading to 8.2 versions, maybe you should think about getting an update ... (is your version still supported by Cisco at all? As for compliance testing, this should have been one of the checks, as if there are no more bug fixes/updates, you could run into problems ...)
Michael986 (Author) commented:
These devices were only installed 6 months ago so I'm surprised to see that they're so out of date software-wise. I'll definitely be taking it up with the supplier.

Thanks for the answer - it's nice to get a response from someone who's actually taken the time to read and understand the question!