Cisco ASA VPN STIG Version Comparison
Cisco ASA VPN Security Technical Implementation Guide
Comparison
There are 10 differences between versions v1 r1 (July 15, 2021) (the "left" version) and v1 r3 (Oct. 25, 2023) (the "right" version).
Check CASA-VN-000170 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
Text Differences
Title
The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.
Check Content
Verify the ASA uses NIST FIPS-validated cryptography for IKE Phase 1 as shown in the example below.

crypto ikev2 policy 1
 encryption aes-192 (removed in v1 r3)
 encryption aes-256 (added in v1 r3)

If the ASA is not configured to use NIST FIPS-validated cryptography for IKE Phase 1, this is a finding.
Discussion
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Fix
Configure the ASA to use NIST FIPS-validated cryptography for IKE Phase 1.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption aes-192 (removed in v1 r3)
ASA1(config-ikev2-policy)# encryption aes-256 (added in v1 r3)
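The check above is usually performed by reading the running configuration, so the following added example (not part of the STIG or of Cisco's own tooling) parses constructed `show running-config crypto ikev2` output and reports every IKEv2 policy whose encryption line lists an algorithm outside an allowed set. The allowed set defaults to aes-256 only, which is an assumption taken from the v1 r3 example on this page; the sample configuration, the policy numbers and the function names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `show running-config crypto ikev2` output; not from a real device.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192 aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
"""

# Assumption: the allowed set mirrors the v1 r3 example on this page (aes-256 only).
# Adjust it to the algorithms your organization's FIPS-validated module approves.
ALLOWED_ENCRYPTION = frozenset({"aes-256"})

POLICY_RE = re.compile(r"^crypto ikev2 policy (\d+)\s*$")
ENCRYPTION_RE = re.compile(r"^\s+encryption\s+(.+?)\s*$")


def parse_ikev2_policies(config: str) -> Dict[int, List[str]]:
    """Map each IKEv2 policy number to the encryption algorithms it lists.

    An ASA policy may name several algorithms on one `encryption` line; a policy
    with no encryption line maps to an empty list.
    """
    policies: Dict[int, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies.setdefault(current, [])
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            # An unindented line means we left the policy block
            # (for example `crypto ikev2 enable outside`).
            current = None
            continue
        m = ENCRYPTION_RE.match(line)
        if m:
            policies[current].extend(m.group(1).split())
    return policies


def audit_ikev2_policies(config: str, allowed=ALLOWED_ENCRYPTION) -> List[Tuple[int, List[str]]]:
    """Return (policy number, offending algorithms) for each policy that is a finding.

    A policy that lists no encryption algorithm at all is also reported, with an
    empty offending list, because it cannot be shown to use approved cryptography.
    """
    findings: List[Tuple[int, List[str]]] = []
    for policy, algs in sorted(parse_ikev2_policies(config).items()):
        bad = [a for a in algs if a not in allowed]
        if bad or not algs:
            findings.append((policy, bad))
    return findings


if __name__ == "__main__":
    for policy, bad in audit_ikev2_policies(SAMPLE_CONFIG):
        print(f"FINDING: crypto ikev2 policy {policy} encryption {' '.join(bad) or '<none>'}")
```

Run against the constructed sample, policy 1 passes, policy 10 is flagged for aes-192 (the algorithm the v1 r3 revision removed from the example) and policy 20 is flagged for 3des. Widening `allowed` to include aes-192 reproduces the v1 r1 reading of the check, which is why the allowed set is a parameter rather than hard-coded.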