VPN choices


ASA 5505. Need to set up remote access for home users, and really need some help deciding which method to implement. CSD, WebVPN, Citrix, Cisco VPN client??? With 25 IPSec VPN peers and 2 SSL VPN peers, are there limitations to which method I choose?

Thanks for any responses, Bill



It would depend on what services you have to supply for the remote users. Also on what your IT security policy dictates on remote access.

CSD - that is tied into the WebVPN, you only have 2 licenses as standard so you would need to buy more.

Citrix - are you talking about the Java Plugin, if so - that is also tied into WebVPN...license!

WebVPN - yep, been there!

VPN Client - for me a good all-round solution, depends on what you want it to do.

Overall we use the Cisco Client, it's granular - we have internal people using it, we have external 3rd parties using it.


Well, we are looking to provide remote desktop to about 10 users. Pretty much free to do whatever I want as far as the policies go.

My thoughts were to either use the VPN client, then an internal IP to a Citrix box (that is what we do now with Checkpoint), or use WebVPN and Citrix web client with a public IP. With only two SSL licenses, does that mean only two users can connect? Not sure exactly how the SSL licenses work.

As far as the VPN client; having to set up IP pools - how would I handle users that travel?

Thanks for your time, Bill


Lucky you!!

You get 2 SSL licenses free of charge - and yes only 2 users can connect at any one time. You also have to wait for the session to timeout/clear when one of the users disconnects - not great. You buy them in 10, 25, 50, 100 packs - not sure of the pricing!

You can set up IP pools for the VPN users, you would handle them the same way. They get an internet connection and fire up the VPN client and connect. They don't do anything different.

To give you an idea - I have 2500 remote users, at any one time I have 250 people connected into my core ASA in London. I have Avaya remote VPN phones, that are deployed all over the world - they also connect into my core - separate IP pools for separate VPN profiles. I have a VPN phone that is in Boston/US - that connects into London :o)


Thanks for the insight. I think I was misunderstanding what the IP pool does. I thought it was a list of IP addresses that are allowed to connect to the VPN, but I think that I understand now that the IP pool is just the (private) IP addresses that are assigned to a client once a VPN connection is established?

Thanks again for your time, Bill

Actually my statement:-

"You also have to wait for the session to timeout/clear when one of the users disconnects - not great" got me thinking - so I went back to my WebVPN config and found this little nugget:-

default-idle-timeout ##


No more waiting for 30 mins for the session to time out!

