athukral Sun, 08/22/2010 - 08:30

Well, both have their own pros and cons....

Could you please elaborate what kind of functionality you are looking for?

BTW, IPsec is easy to implement and manage and more user-friendly, plus much easier to troubleshoot, but there are a couple of features that cannot be implemented in IPsec, and hence we need SSL in those cases.... Please let me know your exact requirement.



suthomas1 Sun, 08/22/2010 - 10:10

This user group needs a remote connection to be established for external parties in a different region from the HQ. The end application at HQ is sort of heavy in terms of usage, as it has graphic content. Users at remote sites number more than 13.

VPN was selected to keep cost low and use existing infrastructure.

Please let me know if this is still insufficient info.


athukral Sun, 08/22/2010 - 11:24

Thanks for the reply!

Well, the Cisco IPsec remote VPN client setup will be good for you.... easy to deploy, and performance will be nice too..... Let me know in case you need help with deployment; I will help you out with that..

Once you decide, let me know and I can help with the implementation part of it, depending on the device you will use.

PS: It's late night here; I will reply to your next post tomorrow.

Appreciate your time.



suthomas1 Mon, 08/23/2010 - 19:36

Thanks Ankur for your kind help.

I will let you know when I need help, once implementation starts for IPsec.

Thanks again.

suthomas1 Wed, 09/01/2010 - 03:48

For routes when configuring VPN, the remote LAN network is identified by putting a route to my next hop (internet). Is that wrong?

Also, I have heard many configure IPsec by creating a tunnel. Is it necessary that way?

If we just configure it with basic parameters and apply it to the main interface, should it be OK?


suthomas1 Mon, 09/06/2010 - 17:21

I have 2 ASAs on which IPsec is being configured. ASA-2 is also used as another application firewall. A temporary IPsec configuration is done on ASA-2 to check it is working with ASA-1.

Due to some restrictions, we can't connect any test machine to ASA-2 physically for this. If we were to do a ping from ASA-2 to ASA-1's LAN interface IP, will it respond via IPsec?

This is to test IPsec connectivity before further production cuts.

Thank you.

athukral Mon, 09/06/2010 - 17:26

Thanks for the question!!

Well, yes, you can ping the ASA 1 LAN-side interface by configuring the following command on ASA 1.

From the configuration prompt, please put the following command----




suthomas1 Mon, 09/06/2010 - 17:38

Thank you for replying.

I see now, so I can indeed test the IPsec connection being established by ICMP between the LAN interface IPs of each ASA, and I should be able to see the IPsec tunnel up status.

So I can use management-access inside, if inside is used for defining the LAN.

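As an added example, not posted by either participant above, here is what the setup discussed in this thread looks like on ASA-1 in ASA 8.2-style syntax: the remote LAN needs no route of its own (only the default route to the ISP next hop), the crypto map is bound straight to the outside interface without any tunnel interface, and management-access inside is what lets the inside interface answer a ping arriving through the tunnel. All addresses, names and the pre-shared key are assumed placeholders; ASA-2's configuration is the mirror image with the addresses swapped.

```cisco
! ASA-1 (HQ). Added example; addresses, object names and the key are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Routing: no route for 192.168.2.0/24 is needed. The encrypted ESP packets are
! addressed to the peer's public IP, which is reached via the default route.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
! Interesting traffic (crypto ACL). Covering the whole LANs also covers the two
! inside interface addresses, so an ASA-to-ASA ping can bring the tunnel up.
access-list L2L-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! NAT exemption (8.2 syntax) so VPN traffic is not translated on the way out.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Phase 1 (ISAKMP / IKEv1)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec)
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! No tunnel interface: the crypto map is applied to the outside interface itself.
crypto map OUTSIDE-MAP 10 match address L2L-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-SHARED-SECRET
!
! Allows ICMP (and management sessions) to the inside interface over the VPN.
management-access inside
!
! --- Test from ASA-2 (mirror config, 192.168.2.1 inside / 203.0.113.2 outside) ---
! Source the ping from the inside interface; a ping sourced from outside would not
! match the crypto ACL and would go out in the clear to an RFC 1918 address:
!   ping inside 192.168.1.1
! The first replies may time out while IKE negotiates. Then verify on either ASA:
!   show crypto isakmp sa      (peer 203.0.113.x, state MM_ACTIVE)
!   show crypto ipsec sa       (#pkts encaps / #pkts decaps increasing)
```

If the ping never answers, check in this order: the phase 1 SA exists (otherwise it is a key, policy or reachability problem on UDP 500 / ESP), the phase 2 counters increment (otherwise the crypto ACLs are not mirror images or NAT is rewriting the source), and finally that management-access inside is configured on the ASA being pinged. To test the reverse direction, add management-access inside on ASA-2 as well.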

