Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1074
Views
0
Helpful
5
Replies

Remote access VPN: IPSec or SSL

gauravshar
Level 2
Level 2

‎09-21-2010 11:25 AM - edited ‎02-21-2020 04:51 PM

Hi There,

This is more like a pre-sales question:

My client is proceeding to upgrade all the users' windows OS's to windows-7 and they want us to figure out which option would be cheaper and better between IPSec based (Client based) remote access VPN or SSL based remote access VPN (Client based or clientless-webVPN).

Currently we have two ASA's as VPN devices to which the remote users connect using the Cisco VPN client of some version. We will need to upgrade to some other version of VPN Client, in order to make it compatible for windows-7 (Cost X).

If we choose to upgrade our ASA's softwares to make it compatible for SSL based client/clientless VPNs + Licesnses fees, we will need ot pay for it (Cost Y).

I wish to know what would be the better choice between upgrading the existing scenario to supporting version of VPN Client OR upgrading the IOS' + Licenses for SSL which is going to be altogether a new change in the way the users access the company resources remotely, in short: which would higher and easier X or Y.

Thanks,

Gaurav

Labels:
0 Helpful
5 Replies 5

mvsheik123
Level 7
Level 7

‎09-21-2010 12:37 PM

I would stick with IPSec. More control and secure. Also, with Cisco released 64bit client version for IPsec, no need to spend for SSL licensing. Also, incase if you decide to upgrade IOS on ASAs to a newer version like 8.3,  I read postings about some complex 'nat' statements. IPsec would be my choice.

Lets see what gurus say.

thanks

MS

0 Helpful

hdashnau
Cisco Employee
Cisco Employee

‎09-21-2010 12:39 PM

If you go with SSL, stick with the ASA. In my personal opinion the SSL code on the ASA is way easier to use (and I think even developed/supported better) than the SSL code on the IOS platforms at this time.

-heather

0 Helpful

stan.pushkin
Level 1
Level 1

‎09-22-2010 01:47 PM

Also keep in mind that clientless-webVPN (if you mean it right) is not full vpn client, it's just aaplication proxy, you'll be stuck with Cisco propietary plug-ins to access internal resources (RDP, CISF, FTP, etc.), even some java/flash based web sites are not working properly through that gateway.

If you meant Anyconnect SSL VPN clietn then yes - it's full vpn tunnel, but you need to buy additional licenses for that.

0 Helpful

gauravshar
Level 2
Level 2
In response to stan.pushkin

‎09-23-2010 07:43 AM

Thanks for the valuable feedback so far, buddies..

One question still remians: If my client stick to client VPN (may be SSL, on ASA's), would they need to pay licensing amount to Cisco for getting the 64-bit version (for windows7) of the client (AnyConnect) to be used for the users (some 2000 users) OR is it free to be used and downloadable for everyone. I know I can download it with CCO login, but would it be fine for the whole company to use the same software?

Thanks again,

Gaurav

0 Helpful

stan.pushkin
Level 1
Level 1
In response to stan.pushkin

‎09-23-2010 07:46 AM

Anyconnect client is free for all versions, you need to buy only SSL VPN licenses for ASA55XX to support connections. By default you have 2 SSL VPN licenses installed for testing purpuses

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents