
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Cisco ASA Firewall Security Technical Implementation Guide

Version: V2R1
Release Date: Jun 6, 2024
SCAP Benchmark ID: Cisco_ASA_FW_STIG
Total Checks: 21
Tags: network
Severity breakdown: CAT I: 2, CAT II: 19, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (21)

  • V-239852 (HIGH) The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.
  • V-239853 (MEDIUM) The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
  • V-239854 (MEDIUM) The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules.
  • V-239855 (MEDIUM) The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred.
  • V-239856 (MEDIUM) The Cisco ASA must be configured to generate traffic log entries containing information to establish when (date and time) the events occurred.
  • V-239857 (MEDIUM) The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.
  • V-239858 (MEDIUM) The Cisco ASA must be configured to use TCP when sending log records to the central audit server.
  • V-239859 (MEDIUM) The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
  • V-239860 (MEDIUM) The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.
  • V-239861 (MEDIUM) The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
  • V-239862 (MEDIUM) The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis.
  • V-239863 (MEDIUM) The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost.
  • V-239864 (HIGH) The Cisco ASA must be configured to implement scanning threat detection.
  • V-239865 (MEDIUM) The Cisco ASA must be configured to filter inbound traffic on all external interfaces.
  • V-239866 (MEDIUM) The Cisco ASA must be configured to filter outbound traffic on all internal interfaces.
  • V-239867 (MEDIUM) The Cisco ASA perimeter firewall must be configured to block all outbound management traffic.
  • V-239868 (MEDIUM) The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel.
  • V-239869 (MEDIUM) The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.
  • V-239870 (MEDIUM) The Cisco ASA must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
  • V-239871 (MEDIUM) The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
  • V-239872 (MEDIUM) The Cisco ASA must be configured to generate an alert that can be forwarded to organization-defined personnel and/or the firewall administrator when denial-of-service (DoS) incidents are detected.
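The list above gives only the title of each check; the DISA check and fix text is not on this page. As an added illustration (editor-written, not STIGhub's or DISA's code) of how a reviewer can pre-screen an ASA running-config against several of these titles before doing the manual review, the script below audits a constructed sample config for V-239856 (timestamps), V-239858 (TCP syslog), V-239860 (basic threat detection), V-239864 (scanning threat detection) and V-239871 (uRPF). The ASA commands it looks for (logging timestamp, logging host ... tcp/port, threat-detection basic-threat, threat-detection scanning-threat, ip verify reverse-path interface) are standard ASA configuration commands, but mapping them to these V-IDs is the editor's reading of the titles, and the sample config and hardened variant are constructed, not from a real device.

```python
"""Title-level audit of a Cisco ASA running-config against five of the
checks listed above. Added illustration, not DISA's check/fix text: the
commands looked for are standard ASA configuration, but the mapping of
command to V-ID is an editorial assumption derived from the check titles."""
import re
from dataclasses import dataclass

# Constructed sample config (not from any real device). It deliberately
# sends syslog over UDP, lacks scanning threat detection, and enables
# uRPF on only one interface, so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.50 udp/514
threat-detection basic-threat
ip verify reverse-path interface outside
"""

# Same config with the three gaps closed: TCP syslog (1470 is the ASA's
# default TCP syslog port), scanning threat detection with shun, uRPF on inside.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("udp/514", "tcp/1470")
    + "threat-detection scanning-threat shun\n"
    + "ip verify reverse-path interface inside\n"
)


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    status: str      # "pass" or "open"
    evidence: str


def _present(config: str, pattern: str) -> bool:
    return re.search(pattern, config, re.M) is not None


def check_timestamp(config: str):
    """V-239856: 'logging timestamp' adds date/time to every syslog record."""
    ok = _present(config, r"^logging timestamp\s*$")
    return ok, "logging timestamp " + ("present" if ok else "missing")


def check_tcp_syslog(config: str):
    """V-239858: every 'logging host <if> <ip> [tcp|udp/port]' must use TCP.
    A host line with no transport token defaults to UDP/514, so it is flagged too."""
    hosts = re.findall(r"^logging host (\S+) (\S+)(?: (tcp|udp)/(\d+))?", config, re.M)
    if not hosts:
        return False, "no logging host configured"
    bad = [f"{ip} ({proto or 'udp'})" for _if, ip, proto, _port in hosts if proto != "tcp"]
    return not bad, ("all syslog hosts use TCP" if not bad else "non-TCP syslog: " + ", ".join(bad))


def check_basic_threat(config: str):
    """V-239860: basic threat detection (rate-based DoS indicators)."""
    ok = _present(config, r"^threat-detection basic-threat\s*$")
    return ok, "threat-detection basic-threat " + ("present" if ok else "missing")


def check_scanning_threat(config: str):
    """V-239864 (CAT I): scanning threat detection, with or without shun."""
    ok = _present(config, r"^threat-detection scanning-threat\b")
    return ok, "threat-detection scanning-threat " + ("present" if ok else "missing")


def check_urpf(config: str):
    """V-239871: uRPF on every named interface. The check title also accepts
    an egress filter instead; this script does not evaluate ACLs, so 'open'
    here means 'no uRPF' and the egress ACL must be confirmed by hand."""
    named = re.findall(r"^\s*nameif (\S+)", config, re.M)
    urpf = set(re.findall(r"^ip verify reverse-path interface (\S+)", config, re.M))
    missing = [n for n in named if n not in urpf]
    return not missing, ("uRPF on all interfaces" if not missing else "no uRPF on: " + ", ".join(missing))


CHECKS = [
    ("V-239856", "CAT II", check_timestamp),
    ("V-239858", "CAT II", check_tcp_syslog),
    ("V-239860", "CAT II", check_basic_threat),
    ("V-239864", "CAT I", check_scanning_threat),
    ("V-239871", "CAT II", check_urpf),
]


def audit(config: str) -> list:
    findings = []
    for vuln_id, severity, fn in CHECKS:
        ok, evidence = fn(config)
        findings.append(Finding(vuln_id, severity, "pass" if ok else "open", evidence))
    return findings


def open_findings(config: str) -> list:
    """V-IDs that are open (not satisfied) in the given config."""
    return [f.vuln_id for f in audit(config) if f.status == "open"]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.vuln_id} {f.severity:<6} {f.status.upper():<4} {f.evidence}")
```

Run against SAMPLE_CONFIG the script reports V-239858, V-239864 and V-239871 as open and the other two as pass; against HARDENED_CONFIG everything passes. A pass here is only a pre-screen: the remaining checks in the list (ACL content for V-239852/V-239861/V-239865/V-239866, management-plane restrictions, application-layer inspection policy) need the actual DISA check text and a reading of the policy, not a string match.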