Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco VPN options? 4

Status
Not open for further replies.
hinesjrh

hinesjrh

MIS
Joined
Jan 4, 2005
Messages
260
Location
US
I am about ready to purchase a couple of ASA 5520's and implement the Cisco VPN solutions for my remote / traveling users. Can any of you describe how the different VPN options (SSL from a browser, SSL with AnyConnect client, and IPSec with client) apply to differnt types of users or scenarios? Why would I offer one over the other?
 
Sort by date Sort by votes
Money and ease of connection. The extra SSL licenses cost a lot of money but are a cool feature. They don't require anything but an internet connection from the user so they are very portable from that stand point. I use the two licenses that come with it and they're cool but for the majority I use the VPN client. It's free for as many connections as your device will support.

I haven't use the anyconnect client. So no advice on that one.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Clientless SSL VPN
As the name suggests, the clientless SSL VPN solution just uses the browser. Users connect to the ASA with their browsers and through that session have access to internal HTTP/FTP/CIFS (windows fileshares). With additional plugins you can provide access to Remote Desktop, SSH/Telnet, VNC and Citrix, too.

Some "thick Client" applications are also supported with Smart Tunnels. From Cisco.com: "Smart tunneling allows Microsoft Windows users access to TCP applications without the prerequisite of administrative rights and allows VPN administrators to grant only approved applications access to internal resources."

AnyConnect VPN Client
The AnyConnect VPN client provides a full tunnel experience like the IPSec VPN Client, but does it with SSL and DTLS. This means that getting it through NAT devices or other firewalls is pretty foolproof.

Clients can launch the AnyConnect client in a few ways:

*locally user admin-defined profiles
*connect to the ASA and have it launch automatically
*connect to the ASA, login to a Clientless session and then launch the AnyConnect client.

AnyConnect is also the only way to get a full client for Vista 64-bit PCs.


IPsec VPN Client
The IPSec VPN Client provides a full tunnel experience for the user over IPSec. It is launched on the user's PC.

Unless you enable NAT-T or IPSec over UDP/TCP, users might have a problem connecting to your ASA when traversing NAT or another firewall.

Here's a link to a data sheet on Cisco's SSL VPN solutions.

Here's a link to SSL VPN Config Examples for the ASA:


Matt
CCIE Security
 
Upvote 0 Downvote
I have to give Matt a star for that, as it was one of the most descriptive and concise explanations I have seen in a while.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
WhosYourDiffie
  • Locked
  • Question Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
424
WhosYourDiffie
WhosYourDiffie
MottoK
  • Locked
  • Question Question
Cisco ISE blank GUI
Replies
0
Views
780
MottoK
MottoK
intel233
  • Locked
  • Question Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
1K
intel233
intel233
AllenH12
  • Locked
  • Question Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
654
AllenH12
AllenH12

Part and Inventory Search

Sponsor

Back
Top