My client is proceeding to upgrade all the users' windows OS's to windows-7 and they want us to figure out which option would be cheaper and better between IPSec based (Client based) remote access VPN or SSL based remote access VPN (Client based or clientless-webVPN).
Currently we have two ASA's as VPN devices to which the remote users connect using the Cisco VPN client of some version. We will need to upgrade to some other version of VPN Client, in order to make it compatible for windows-7 (Cost X).
If we choose to upgrade our ASA's softwares to make it compatible for SSL based client/clientless VPNs + Licesnses fees, we will need ot pay for it (Cost Y).
I wish to know what would be the better choice between upgrading the existing scenario to supporting version of VPN Client OR upgrading the IOS' + Licenses for SSL which is going to be altogether a new change in the way the users access the company resources remotely, in short: which would higher and easier X or Y.
I would stick with IPSec. More control and secure. Also, with Cisco released 64bit client version for IPsec, no need to spend for SSL licensing. Also, incase if you decide to upgrade IOS on ASAs to a newer version like 8.3, I read postings about some complex 'nat' statements. IPsec would be my choice.
If you go with SSL, stick with the ASA. In my personal opinion the SSL code on the ASA is way easier to use (and I think even developed/supported better) than the SSL code on the IOS platforms at this time.
Also keep in mind that clientless-webVPN (if you mean it right) is not full vpn client, it's just aaplication proxy, you'll be stuck with Cisco propietary plug-ins to access internal resources (RDP, CISF, FTP, etc.), even some java/flash based web sites are not working properly through that gateway.
If you meant Anyconnect SSL VPN clietn then yes - it's full vpn tunnel, but you need to buy additional licenses for that.
Thanks for the valuable feedback so far, buddies..
One question still remians: If my client stick to client VPN (may be SSL, on ASA's), would they need to pay licensing amount to Cisco for getting the 64-bit version (for windows7) of the client (AnyConnect) to be used for the users (some 2000 users) OR is it free to be used and downloadable for everyone. I know I can download it with CCO login, but would it be fine for the whole company to use the same software?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...