Evaluated Product - Details

Cisco Adaptive Security Appliances, version 9.4(1)

Product type: Network and Network Related Devices and Systems
Product Status: Completed
Assurance Level: Protection Profile

Version: ASA 9.4(1) and ASDM 7.4
Components: ASA 5500-X Series (5512-X, 5515-X, 5525-X, 5545-X, 5555-X), ASA 5585-X Series (5585-X SSP-10, 5585-X SSP-20, 5585-X SSP-40, 5585-X SSP-60), and ASA Services Module (ASA-SM) on Catalyst 6500 series switches, including 6503-E, 6504-E, 6509-E, and 6513-E.

Product Details

Product Description

Certification Country: AUSTRALIA/NEW ZEALAND (2015)
Certification Method: CC

PP Compliance: NDPP v1.1 (with Errata #3), TFFWEP v1.0 and VPNGWEP v1.1

Evaluation Facility: CSC
Manufacturer/Vendor/Distributor: Cisco Systems

Product Website: http://www.cisco.com


Cisco Systems Inc.
Eileen Miller
CC Project Manager

Phone: +00 11 1 310944 5347
Email: eimiller@cisco.com


Certification Report
Security Target
Maintenance Report - 16 Dec 16
Security Target - Updated ST - 16 Dec 2016

The Cisco ASA is a combined firewall, VPN Gateway and router.

It provides stateful traffic firewall functionality including IP address-based filtering (for IPv4 and IPv6) to address the issues associated with unauthorized disclosure of information, inappropriate access to services, misuse of services, disruption or denial of services, and network-based reconnaissance. Address filtering can be configured to restrict the flow of network traffic between protected networks and other attached networks based on source and/or destination IP addresses. Port filtering can be configured to restrict the flow of network traffic between protected networks and other attached networks based on the originating (source) and/or receiving (destination) port (service). Stateful packet inspection is used to aid in the performance of packet flow through the TOE and to ensure that packets are forwarded only when they are part of a properly established session. System monitoring functionality includes the ability to generate audit messages for any explicitly defined (permitted or denied) traffic flow. TOE administrators have the ability to configure permitted and denied traffic flows, including adjusting the sequence in which flow control rules will be applied, and to apply rules to any network interface of the TOE.

The TOE also provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers as well as between remote VPN clients and the TOE. More accurately, these tunnels are sets of security associations (SAs). The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used. SAs are unidirectional and are established per the ESP security protocol.


Assurance Maintenance: 11 Oct 2016: Minor bug fixes. See Maintenance Report 11 Oct 2016 

16 Dec 2016: Minor update to STv3.1