Cisco SSL VPN explaination needed

cisco24x7 · ‎12-23-2008

I am hoping someone with extensive Cisco SSL VPN experiences can offer

advices on Cisco SSL VPN technologies? Most of my SSL VPN experiences come

from Checkpoint Connectra and F5 Firepass technologies and their concepts

are easy to understand but not Cisco. I

am having a hard time how SSL VPN work

with Cisco

I understand how Clientless SSL VPN (WebVPN), Thin-Client SSL VPN (Port Forwarding)

and SSL VPN Client (SVC Full Tunnel Mode) work, or at least I think I do. Here

are some of my questions:

1) The way I understand it, clientless, thin-client and SVC are supported

in both Cisco IOS and ASA products. Is that true?

2) ASA can support SSL VPN in clustering. In other words, it can do load-sharing

the SSL VPN connections. Is load-sharing SSL VPN on Cisco IOS VPN possible?

3) What are the advantages of terminating SSL VPN on Cisco IOS versus the

advantages of terminating SSL VPN on the ASA? I know that IOS can also do

GRE/IPSec and VTI and things that ASA can not do. However, if I just use the IOS

strictly for SSL VPN, what are the advantages of using IOS versus ASA?

4) On IOS SSL VPN, where do you configure it to check on the remote host

to see if the remote has the proper Anti-virus and latestest OS patches prior

to allowing to be connected into the network? In other words, what I want to do

is this: remote hostX wants to connect, the IOS will check to see if the remote

host is a company "issue" machine. If it is, it will get SVC Full tunnel mode.

If the remote machine is a "home" machine, it will get thin-client mode. If the

remote machine is a air-port Kiosk machine, it will get WebVPN mode. How do I go

about doing it with IOS SSL VPN?

5) Last but not least, there is an option called Cisco Secure Desktop (CSD). What

is the function of CSD and how is it integrated with Clientless, thin-client and Full

tunnel mode?

Can someone shed some lights on these questions? I am not interested in links. I've

spent the past seven days looking over lot of links from Cisco but all of them are

very confusing. I am hoping some experts in this forum can shed some lights on this?

Many thanks.

sushilmenon · ‎01-01-2009

Hi answer to ur first query is yes all the 3 modes of cisco ssl vpns are supported on cisco asa as well as on cisco ios routers.

2)yes ssl vpn load-sharing is supported on asa but it is as of now not supported on cisco ios routers.

3)using ssl vpn on asa is advantageous over ios routers in terms of failover of the ssl connections, u are getting stateful firewalling of the ssl connections , u can integrate anti-virus and ips scanning of packets coming in by the ssl connections.

4)the answer to ur fourth query is about posture validation and remediation. u want to enforce policies on the hosts depending whether they are coming from a secure connection or not. for this u will need the cisoc nac solution for the vpn users. where the users will the validated and checked for the company policies and allow them that of access.

5)the cisco secure desktop is a software which is either installed on the ssl clients or they are downloaded into them once they are connnected and authenticated to ssl vpn gateway. with the cisco secure desktop all the activities the user is doing after connected to the ssl gateway will be stored in a virtual drive created by the software and all the cookies and other information realted to the ssl connection will be stored in there. and once the connection is terminated it will be erased as per DOD standards . so it makes very much sense to use them when users are connecting from public places like cyber cafes and free wifi spots.

i hope i am able to answer ur queries to knowledge i have on these domains.

rate it if it helps

regards

Sushil