SSL VPN Gateway and its licensing

Hello Everyone,

We are at the design stage of one project, and the requirement is to deploy an SSL VPN gateway. I am aware that either a router or an ASA firewall can work as the SSL VPN gateway, but the preferred option is an ASA firewall.

1. I need the experts' advice on whether the perimeter firewalls will serve as the SSL VPN gateway, or whether there must be a separate (redundant) set of firewalls in this case.

2. The perimeter firewalls will connect to the ISP routers, so where should the SSL VPN gateway be placed?

3. What licensing will be required on the ASA firewall in order to get this working? Is there a limit, based on licensing, on the number of users who can connect to the SSL VPN gateway?

4. Can the same SSL VPN gateway be used for remote VPN/AnyConnect VPN and site-to-site IPsec VPN termination? What type of licensing is required for AnyConnect VPN?

5. Are there any further types of SSL VPN that need to be considered in this scenario, like SSL portal VPN and SSL tunnel VPN?

Scenario

For the SSL VPN, remote users will connect via a browser to the SSL VPN gateway's public IP, and based on their privileges they will be allowed access to services.

Also, there are 500+ remote sites which may also need to connect via site-to-site VPN (considering DMVPN), and maybe some users with AnyConnect VPN.


We are also looking for DDoS protection. I am aware of other vendors like Arbor, but are there any devices from Cisco which can be used here?

Please advise on the above. 

Many Thanks in Advance.

4 Replies

Philip D'Ath
VIP Alumni

1. You don't normally need a separate set of firewalls for this.

2. You want the SSL VPN enabled on the firewalls that connect to the inside of your network.

3. You need either an "Apex" licence or a "Plus" licence, depending on whether you just want to use AnyConnect or if you want to use clientless access. Here is the ordering guide:

http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf

4. Yes. Refer above for AnyConnect licencing.

5. Refer to the ordering guide.

Personally, I think you should deploy ASAs for the user-to-site VPN (because they are better at that), and routers for the site-to-site VPNs (the ASA doesn't do DMVPN) (because routers are better at site-to-site). I have done this many times. When you have a large number of VPNs to do, it gets tricky using only one platform and being handicapped.

Many thanks, Philip, for your reply and detailed explanation.

I was browsing the Cisco docs and old Cisco Community threads and found that clientless SSL VPN does not require the AnyConnect client. URLs and services can be provided via port forwarding.

If the remote client requires full access to the network, then AnyConnect SSL VPN should be used. Once the user is authenticated, the AnyConnect client will be downloaded and full internal access will be provided.

In case clientless SSL VPN meets the requirements, would it be logical to consider the AnyConnect client?

For IPsec or DMVPN, sure, it should be on a Cisco router instead of the ASA.



It would be great if you could rate and mark answers that you think are helpful.  :-)
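To make the clientless-versus-AnyConnect distinction from the exchange above concrete, here is an added ASA configuration example. It is not from the thread or from Cisco's documentation; it is an editor's illustration of how the two SSL VPN flavours are terminated on the same outside interface and kept apart with separate group policies. The interface name, address pool, ACL and list names, the AnyConnect package filename, the LDAP server group `LDAP-SRV` and the internal hostnames/addresses are all assumptions for the example. Per Philip's reply, the clientless portal side needs the Apex licence; the licensing itself is not expressed in configuration.

```cisco
! Added example (not from the thread). Names, addresses, pool, package
! filename and the aaa-server group LDAP-SRV are assumptions for illustration.
!
! --- Shared: terminate SSL VPN on the outside (ISP-facing) interface ---
ip local pool VPN-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! --- Clientless objects: the only things a browser-only user is offered ---
url-list INTRANET-LINKS "Intranet portal" https://intranet.example.local 1
port-forward PORTFWD 3389 rdp-jump.example.local 3389 "RDP to jump host"
!
! --- Group policy 1: clientless only (portal + port forwarding, no tunnel) ---
group-policy GP-CLIENTLESS internal
group-policy GP-CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value INTRANET-LINKS
  port-forward enable PORTFWD
!
! --- Group policy 2: AnyConnect full tunnel, split to internal prefixes only ---
access-list SPLIT-ACL standard permit 10.0.0.0 255.0.0.0
!
! Per-tunnel filter: VPN pool may reach one internal web server on 443, nothing else
access-list RA-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.10.10.5 eq 443
access-list RA-FILTER extended deny ip any any
!
group-policy GP-FULLTUNNEL internal
group-policy GP-FULLTUNNEL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 address-pools value VPN-POOL
 vpn-filter value RA-FILTER
!
! --- Tunnel groups (connection profiles) select which group policy applies ---
tunnel-group TG-CLIENTLESS type remote-access
tunnel-group TG-CLIENTLESS general-attributes
 default-group-policy GP-CLIENTLESS
 authentication-server-group LDAP-SRV
tunnel-group TG-CLIENTLESS webvpn-attributes
 group-alias PORTAL enable
!
tunnel-group TG-FULLTUNNEL type remote-access
tunnel-group TG-FULLTUNNEL general-attributes
 default-group-policy GP-FULLTUNNEL
 address-pool VPN-POOL
 authentication-server-group LDAP-SRV
tunnel-group TG-FULLTUNNEL webvpn-attributes
 group-alias FULL enable
```

The point of the split is the "based on privilege they will be allowed services" requirement from the scenario: a user landing in `GP-CLIENTLESS` never gets a routed tunnel at all, only the bookmarks and port forwards listed, while a user in `GP-FULLTUNNEL` gets an address from the pool but is still constrained by the `vpn-filter` ACL, so "full access" is whatever that ACL permits rather than the whole inside network. Which group policy a user lands in should come from the AAA server (for example an LDAP attribute map or RADIUS class attribute) rather than from the user choosing an alias in the portal drop-down; with `tunnel-group-list enable` the aliases are visible to anyone reaching the gateway.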