12-23-2008 07:19 AM
I am hoping someone with extensive Cisco SSL VPN experiences can offer
advices on Cisco SSL VPN technologies? Most of my SSL VPN experiences come
from Checkpoint Connectra and F5 Firepass technologies and their concepts
are easy to understand but not Cisco. I
am having a hard time how SSL VPN work
with Cisco
I understand how Clientless SSL VPN (WebVPN), Thin-Client SSL VPN (Port Forwarding)
and SSL VPN Client (SVC Full Tunnel Mode) work, or at least I think I do. Here
are some of my questions:
1) The way I understand it, clientless, thin-client and SVC are supported
in both Cisco IOS and ASA products. Is that true?
2) ASA can support SSL VPN in clustering. In other words, it can do load-sharing
the SSL VPN connections. Is load-sharing SSL VPN on Cisco IOS VPN possible?
3) What are the advantages of terminating SSL VPN on Cisco IOS versus the
advantages of terminating SSL VPN on the ASA? I know that IOS can also do
GRE/IPSec and VTI and things that ASA can not do. However, if I just use the IOS
strictly for SSL VPN, what are the advantages of using IOS versus ASA?
4) On IOS SSL VPN, where do you configure it to check on the remote host
to see if the remote has the proper Anti-virus and latestest OS patches prior
to allowing to be connected into the network? In other words, what I want to do
is this: remote hostX wants to connect, the IOS will check to see if the remote
host is a company "issue" machine. If it is, it will get SVC Full tunnel mode.
If the remote machine is a "home" machine, it will get thin-client mode. If the
remote machine is a air-port Kiosk machine, it will get WebVPN mode. How do I go
about doing it with IOS SSL VPN?
5) Last but not least, there is an option called Cisco Secure Desktop (CSD). What
is the function of CSD and how is it integrated with Clientless, thin-client and Full
tunnel mode?
Can someone shed some lights on these questions? I am not interested in links. I've
spent the past seven days looking over lot of links from Cisco but all of them are
very confusing. I am hoping some experts in this forum can shed some lights on this?
Many thanks.
01-01-2009 02:16 AM
Hi answer to ur first query is yes all the 3 modes of cisco ssl vpns are supported on cisco asa as well as on cisco ios routers.
2)yes ssl vpn load-sharing is supported on asa but it is as of now not supported on cisco ios routers.
3)using ssl vpn on asa is advantageous over ios routers in terms of failover of the ssl connections, u are getting stateful firewalling of the ssl connections , u can integrate anti-virus and ips scanning of packets coming in by the ssl connections.
4)the answer to ur fourth query is about posture validation and remediation. u want to enforce policies on the hosts depending whether they are coming from a secure connection or not. for this u will need the cisoc nac solution for the vpn users. where the users will the validated and checked for the company policies and allow them that of access.
5)the cisco secure desktop is a software which is either installed on the ssl clients or they are downloaded into them once they are connnected and authenticated to ssl vpn gateway. with the cisco secure desktop all the activities the user is doing after connected to the ssl gateway will be stored in a virtual drive created by the software and all the cookies and other information realted to the ssl connection will be stored in there. and once the connection is terminated it will be erased as per DOD standards . so it makes very much sense to use them when users are connecting from public places like cyber cafes and free wifi spots.
i hope i am able to answer ur queries to knowledge i have on these domains.
rate it if it helps
regards
Sushil
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide