Cisco ASA 5550 Adaptive Security Appliance Technical Manual

of failure of the TACACS+ or RADIUS services. A device can also have other password information present within its configuration, such as an
NTP key, SNMP community string, or Routing Protocol key.
ASA uses Message Digest 5 (MD5) for password hashing. This algorithm has had considerable public review and is not known to be reversible.
However, the algorithm is subject to dictionary attacks. In a dictionary attack, an attacker tries every word in a dictionary or other list of
candidate passwords in order to find a match. Therefore, configuration files must be securely stored and only shared with trusted individuals.
Enable HTTP Service
To use ASDM, you need to enable the HTTPS server and allow HTTPS connections to the ASA. The security appliance allows a maximum of 5
concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances across all contexts. To enable ASDM access
use:
http server enable <port>
Allow only the IP addresses that actually need ASDM access in the access list. Allowing wide access, as in the following rule, is bad practice:
http 0.0.0.0 0.0.0.0 <interface>
Configure ASDM Access Control:
http <remote_ip_address> <remote_subnet_mask> <interface_name>
Starting with ASA software releases 9.1(2) and 8.4(4.1), the ASA supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
DHE-AES128-SHA1
DHE-AES256-SHA1
These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. See the following limitations:
DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server.
// Set server version
ASA(config)# ssl server-version tlsv1 sslv3
// Set client version
ASA(config)# ssl client-version any
Some popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to
both the SSL client and server can be used. Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and
Internet Explorer 9.0.
By default the ASA has the following ciphers enabled, in this order:
ASA(config)#ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl server-version any (default)
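The two hardening points above (restrict the `http` access rules to the hosts that need ASDM, and keep DHE usable by not relying on SSL 3.0 or weak suites) can be checked mechanically. The following Python audit script is an added example, not code from the Cisco manual: it parses a running-config excerpt written in the command syntax shown on this page (`http server enable`, `http <ip> <mask> <interface>`, `ssl server-version`, `ssl encryption`) and reports findings. The two sample configurations, the weak-cipher set (RC4 and 3DES from the default list) and the severity labels are constructed assumptions of this example.

```python
import ipaddress
import re

# Constructed sample ASA configuration excerpts in the command syntax shown on this page.
# WEAK_CONFIG is deliberately permissive so that every check below fires; HARDENED_CONFIG
# restricts ASDM to one inside subnet, drops SSLv3 and keeps only AES and DHE-AES suites.
WEAK_CONFIG = """\
http server enable 443
http 0.0.0.0 0.0.0.0 outside
http 10.1.1.0 255.255.255.0 inside
ssl server-version tlsv1 sslv3
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

HARDENED_CONFIG = """\
http server enable 443
http 10.1.1.0 255.255.255.0 inside
ssl server-version tlsv1
ssl client-version any
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
"""

# Audit policy (assumptions of this example, not ASA settings): SSLv3 is flagged because the
# page says DHE is not offered on SSL 3.0; the RC4 and 3DES suites from the default list are
# flagged as weak; a cipher list without any DHE suite is flagged as lacking forward secrecy.
WEAK_VERSIONS = {"sslv3"}
WEAK_CIPHERS = {"rc4-sha1", "3des-sha1"}
HTTP_RULE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_config(text):
    """Extract the http access rules, ssl server versions and cipher list from a config excerpt."""
    cfg = {"http_server": False, "http_rules": [], "server_versions": [], "ciphers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("http server enable"):
            cfg["http_server"] = True
        elif line.startswith("http "):
            m = HTTP_RULE.match(line)
            if m:
                ip, mask, iface = m.groups()
                # ASA writes dotted masks; ip_network accepts "addr/mask" with strict=False
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                cfg["http_rules"].append((net, iface))
        elif line.startswith("ssl server-version"):
            cfg["server_versions"] = line.split()[2:]
        elif line.startswith("ssl encryption"):
            cfg["ciphers"] = line.split()[2:]
    return cfg


def audit(text):
    """Return (severity, message) findings for the ASDM/SSL hardening points on this page."""
    cfg = parse_config(text)
    findings = []
    if cfg["http_server"] and not cfg["http_rules"]:
        findings.append(("high", "http server enabled but no http rule limits ASDM sources"))
    for net, iface in cfg["http_rules"]:
        if net.prefixlen == 0:
            findings.append(("high", f"ASDM reachable from any address on interface {iface}"))
    for version in cfg["server_versions"]:
        if version in WEAK_VERSIONS:
            findings.append(("high", f"ssl server-version allows {version}; DHE suites are not offered on SSLv3"))
    weak = [c for c in cfg["ciphers"] if c in WEAK_CIPHERS]
    if weak:
        findings.append(("medium", "weak cipher suite(s) enabled: " + ", ".join(weak)))
    if cfg["ciphers"] and not any(c.startswith("dhe-") for c in cfg["ciphers"]):
        findings.append(("medium", "no DHE suite enabled, so no Perfect Forward Secrecy"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

Run against `show running-config` output saved to a file, the script reports the `0.0.0.0 0.0.0.0` rule, the `sslv3` keyword and the RC4/3DES suites for the weak excerpt and nothing for the hardened one. The checks are deliberately limited to what this page states; a real audit policy would also decide which TLS floor and which non-DHE suites are acceptable for the clients in use.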
By default the ASA uses a temporary self-signed certificate that changes on every reboot. If you want a single persistent certificate, you can
follow the link below to generate a permanent self-signed certificate.
Starting from software version 9.3.1, the ASA supports TLS version 1.2 for secure message transmission for ASDM, Clientless SSL VPN, and
AnyConnect VPN. The following commands have been introduced or modified:
ssl client-version
ssl server-version
ssl cipher
ssl trust-point
ssl dh-group
show ssl
show ssl cipher
show vpn-sessiondb
ASA-1/act(config)# ssl server-version ?
configure mode commands/options:
 tlsv1    Enter this keyword to accept SSLv2 ClientHellos and negotiate TLSv1
          (or greater)
 tlsv1.1  Enter this keyword to accept SSLv2 ClientHellos and negotiate
          TLSv1.1 (or greater)
 tlsv1.2  Enter this keyword to accept SSLv2 ClientHellos and negotiate
          TLSv1.2 (or greater)
ASA-1/act(config)# ssl cipher ?
configure mode commands/options:
 default  Specify the set of ciphers for outbound connections