STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Cisco ASA VPN Security Technical Implementation Guide

Version: V2R2
Release Date: Aug 22, 2024
SCAP Benchmark ID: Cisco_ASA_VPN_STIG
Total Checks: 41
Tags: network
Severity breakdown: CAT I (High): 10, CAT II (Medium): 28, CAT III (Low): 3

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (41)

  • V-239945 (LOW): The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred.
  • V-239946 (LOW): The Cisco ASA must be configured to generate log records containing information to establish when the events occurred.
  • V-239947 (MEDIUM): The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.
  • V-239948 (MEDIUM): The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events.
  • V-239949 (MEDIUM): The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority.
  • V-239951 (HIGH): The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations.
  • V-239952 (MEDIUM): The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.
  • V-239953 (MEDIUM): The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.
  • V-239954 (MEDIUM): The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation.
  • V-239955 (MEDIUM): The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes.
  • V-239956 (MEDIUM): The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services.
  • V-239957 (HIGH): The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
  • V-239958 (MEDIUM): The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1.
  • V-239959 (HIGH): The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2.
  • V-239960 (MEDIUM): The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies.
  • V-239961 (MEDIUM): The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection.
  • V-239962 (HIGH): The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
  • V-239963 (MEDIUM): The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.
  • V-239964 (MEDIUM): The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.
  • V-239965 (MEDIUM): The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access.
  • V-239966 (MEDIUM): The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network.
  • V-239967 (MEDIUM): The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network.
  • V-239968 (HIGH): The Cisco ASA remote access VPN server must be configured to enforce certificate-based authentication before granting access to the network.
  • V-239969 (MEDIUM): The Cisco ASA remote access VPN server must be configured to map the distinguished name (DN) from the client's certificate to entries in the authentication server to determine authorization to access the network.
  • V-239970 (MEDIUM): The Cisco ASA remote access VPN server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network.
  • V-239971 (MEDIUM): The Cisco ASA remote access VPN server must be configured to generate log records containing information that establishes the identity of any individual or process associated with the event.
  • V-239972 (MEDIUM): The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish where the events occurred.
  • V-239973 (LOW): The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish the source of the events.
  • V-239974 (MEDIUM): The Cisco ASA remote access VPN server must be configured to produce log records containing information to establish the outcome of the events.
  • V-239975 (HIGH): The Cisco ASA remote access VPN server must be configured to use TLS 1.2 or higher to protect the confidentiality of remote access connections.
  • V-239976 (MEDIUM): The Cisco ASA remote access VPN server must be configured to use a FIPS-validated algorithm and hash function to protect the integrity of TLS remote access sessions.
  • V-239977 (MEDIUM): The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
  • V-239978 (MEDIUM): The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions.
  • V-239979 (HIGH): The Cisco VPN remote access server must be configured to use AES256 or greater encryption for the Internet Key Exchange (IKE) Phase 1 to protect confidentiality of remote access sessions.
  • V-239980 (HIGH): The Cisco ASA VPN remote access server must be configured to use AES256 or greater encryption for the IPsec security association to protect the confidentiality of remote access sessions.
  • V-239981 (MEDIUM): The Cisco VPN remote access server must be configured to accept Common Access Card (CAC) credentials.
  • V-239982 (MEDIUM): The Cisco ASA VPN remote access server must be configured to disable split-tunneling for remote clients.
  • V-239983 (MEDIUM): The Cisco ASA VPN remote access server must be configured to generate log records when successful and/or unsuccessful VPN connection attempts occur.
  • V-239984 (MEDIUM): The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
  • V-239985 (HIGH): The Cisco ASA VPN remote access server must be configured to use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network.
  • V-268314 (HIGH): The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication.