Solved

Enforce encryption strength on Cisco ASA VPN

Posted on 2014-01-21
3
2,560 Views
Last Modified: 2014-02-19
Hello

My client has an ASA 5505 firewall using the classic VPN client software. Cisco are dropping support for this client so we want to move to Anyconnect Essentials client software and we will upgrade the ASA to the latest versions of the OS (asa914-k8.bin) and ASDM (asdm-715-100.bin).
We would like to enforce a key length of 256 bits AES and 2048 RSA and the ASA should drop connection requests not meeting these standards. Is it possible to enforce this using the software mentioned?

My understanding of encryption is not the best.

Many thanks,

Alasdair Barclay
0
Comment
Question by:Alasdairb
3 Comments
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39798062
You can set SSL settings for SSL VPN/ASDM. This is not for AnyConnect though:

http://epubbud_uploads.s3.amazonaws.com/13749785/MZ39X7RW/03fig02.jpg

http://www.epubbud.com/read.php?g=MZ39X7RW&tocp=10

ciscoasa(config)#ssl trust-point TEST-CA outside
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)#ssl server-version tlsv1
ciscoasa(config-webvpn)#ssl encryption aes128-sha1 aes256-sha1 3des-sha1 des-sha1
0
 

Author Comment

by:Alasdairb
ID: 39800497
Hello Henk,

thanks for the links, I did not come across these. I guess the line then would be
ciscoasa(config-webvpn)#ssl encryption aes256-sha1

and leave out the other options. It will either negotiate the aes256-sha1 or it won't connect.

I hope to have a proper read of your linked document tomorrow and will report back.

Thanks.
0
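The two posts above come down to one configuration knob: the ASA's `ssl encryption` line lists the cipher suites its SSL listener will accept, and `ssl server-version` pins the protocol. Trimming the list to `aes256-sha1` is what restricts clients to AES-256; the RSA key size is a separate matter, fixed by the modulus of the keypair behind the trustpoint certificate (`TEST-CA` in the answer) rather than by either command. The script below is an added example, not code from the thread or from Cisco: it parses a constructed running-config fragment, flags weak suites and an unpinned protocol version, and emits the tightened lines. The weak-cipher set and the sample config are assumptions made for the example.

```python
"""Audit the SSL settings in a Cisco ASA running-config (added example)."""
import re

# Cipher names as written in the ASA 'ssl encryption' command. Which ones
# count as weak is an assumption for this example: DES/3DES/RC4/MD5 suites.
WEAK_CIPHERS = {"des-sha1", "3des-sha1", "rc4-sha1", "rc4-md5"}

# Constructed sample, modelled on the lines quoted in the accepted answer.
SAMPLE_CONFIG = """\
hostname ciscoasa
ssl trust-point TEST-CA outside
webvpn
 enable outside
 anyconnect enable
ssl server-version tlsv1
ssl encryption aes128-sha1 aes256-sha1 3des-sha1 des-sha1
"""


def parse_ssl_settings(config):
    """Return (server_version, cipher_list) found in the config text.

    server_version is None when the line is absent, i.e. the ASA is running
    with its default ('any'), which also accepts SSLv3 on 9.1 releases.
    """
    version = None
    ciphers = []
    for line in config.splitlines():
        line = line.strip()          # tolerate indented sub-mode lines
        m = re.match(r"ssl server-version (\S+)$", line)
        if m:
            version = m.group(1)
        m = re.match(r"ssl encryption (.+)$", line)
        if m:
            ciphers = m.group(1).split()
    return version, ciphers


def audit(config, required=("aes256-sha1",)):
    """Return a list of findings; an empty list means the policy is met."""
    version, ciphers = parse_ssl_settings(config)
    findings = []
    weak = [c for c in ciphers if c in WEAK_CIPHERS]
    if weak:
        findings.append("weak cipher suites enabled: " + " ".join(weak))
    missing = sorted(set(required) - set(ciphers))
    if missing:
        findings.append("required cipher suites not offered: " + " ".join(missing))
    if version in (None, "any", "sslv3"):
        findings.append("ssl server-version not pinned to tlsv1 (SSLv3 accepted)")
    return findings


def hardened_lines(required=("aes256-sha1",)):
    """Config lines that satisfy the policy: TLSv1 only, required suites only."""
    return [
        "ssl server-version tlsv1",
        "ssl encryption " + " ".join(sorted(required)),
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("Recommended lines:")
    for line in hardened_lines():
        print(" ", line)
```

Run it against a `show running-config` capture instead of the embedded sample to check a live box; an empty findings list means only the required suites are offered and the protocol version is pinned.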
 

Author Closing Comment

by:Alasdairb
ID: 39871158
Hello Henk,

sorry I've been away so long, many projects to play with. It's not sorted yet, at least the enforcement, but at least the Anyconnect is working.

I'll award the points as you were the only person to help, and you gave me good reading tips I didn't find myself.

Thanks.

Alasdair
0
