Check: CASA-FW-000260
Cisco ASA Firewall STIG:
CASA-FW-000260
(in versions v1 r4 through v1 r1)
Title
The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (Cat II impact)
Discussion
When the production network is managed in-band, the management network could be housed at a NOC that is located remotely at single or multiple interconnected sites. NOC interconnectivity, as well as connectivity between the NOC and the managed network, must be enabled using IPsec tunnels to provide the separation and integrity of the managed traffic.
Check Content
Step 1: Verify that an IPsec crypto map has been configured and bound to the outside interface as shown in the example below. crypto ipsec ikev1 transform-set IPSEC_TRANSFORM esp-aes-192 esp-sha-hmac crypto map IPSEC_CRYPTO_MAP 1 match address MANAGEMENT_TRAFFIC crypto map IPSEC_CRYPTO_MAP 1 set peer 10.3.1.1 crypto map IPSEC_CRYPTO_MAP 1 set ikev1 transform-set IPSEC_TRANSFORM crypto map IPSEC_CRYPTO_MAP 1 set security-association lifetime seconds 3600 crypto map IPSEC_CRYPTO_MAP interface OUTSIDE Step 2: Verify the there is a tunnel group configured for the peer defined in the crypto map as shown in the example below. tunnel-group 10.3.1.1 type ipsec-l2l tunnel-group 10.3.1.1 ipsec-attributes ikev1 pre-shared-key ***** Step 3: Verify that an ISAKMP policy for IKE connections has been configured and bound to the outside interface as shown in the example. crypto isakmp identity address crypto ikev1 enable OUTSIDE crypto ikev1 policy 10 authentication pre-share encryption aes-256 hash sha group 5 lifetime 3600 Step 4: Verify that the ACL referenced in the IPsec crypto map includes all applicable management traffic. access-list MANAGEMENT_TRAFFIC extended permit udp any eq snmp 10.2.2.0 255.255.255.0 access-list MANAGEMENT_TRAFFIC extended permit udp any eq 10.2.2.0 255.255.255.0 snmptrap access-list MANAGEMENT_TRAFFIC extended permit udp any eq syslog 10.2.2.0 255.255.255.0 access-list MANAGEMENT_TRAFFIC extended permit tcp any eq ssh 10.2.2.0 255.255.255.0 Note: Exception would be allowed for management traffic to and from managed perimeter devices. If the ASA is not configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel, this is a finding.
Fix Text
Step 1: Configure an ISAKMP policy for IKE connection as shown in the example. ASA1(config)# crypto ikev1 policy 10 ASA1(config-ikev1-policy)# authentication pre-share ASA1(config-ikev1-policy)# encryption aes-256 ASA1(config-ikev1-policy)# hash sha ASA1(config-ikev1-policy)# group 5 ASA1(config-ikev1-policy)# lifetime 3600 ASA1(config-ikev1-policy)# exit Step 2: Enable the IKEv1 policy on the outside interface and identify itself with its IP address. ASA1(config)# crypto ikev1 enable OUTSIDE ASA1(config)# crypto isakmp identity address Step 3: Configure the tunnel group as shown in the example below. ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key xxxxxxxxxxxxx Step 4: Configure a transform set for encryption and authentication. crypto ipsec ikev1 transform-set IPSEC_TRANSFORM esp-aes-192 esp-sha-hmac Step 5: Configure the ACL to define the management traffic that will traverse the tunnel. ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit udp any eq snmp 10.2.2.0 255.255.255.0 ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit udp any eq 10.2.2.0 255.255.255.0 snmptrap ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit udp any eq syslog 10.2.2.0 255.255.255.0 ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit tcp any eq ssh 10.2.2.0 255.255.255.0 Step 6: Configure crypto map and bind to the outside interface as shown in the example below. ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 match address MANAGEMENT_TRAFFIC ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 set peer 10.10.10.2 ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 set ikev1 transform-set MY_TRANSFORM_SET ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 set security-association lifetime seconds 3600 ASA1(config)# crypto map IPSEC_CRYPTO_MAP interface OUTSIDE
Additional Identifiers
Rule ID: SV-239868r855810_rule
Vulnerability ID: V-239868
Group Title: SRG-NET-000364-FW-000036
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002403 |
The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Controls
Number | Title |
---|---|
SC-7 (11) |
Restrict Incoming Communications Traffic |