05-24-2012 04:17 AM
Guys, a very broad topic, but can someone narrow it down...
I want to know how we decide what to have in terms of VPN... as there are many choices: when we use LAN to LAN, when we use SSL-based, and when we use remote VPN (where clients use ezyvpn etc.)... I need to know the deciding factor and whether there is any difference among all of them.
05-24-2012 06:03 AM
LAN to LAN - When you want to connect two remote locations (LAN).
SSL/WEB/EZYVPN - basically here is the choice, and this is for remote access for mobile users. Ezyvpn does need a client installed on the machine; a pcf file (a profile) is required to access the VPN. WEBVPN - no client required, just access through web pages, and the links will be there on the web page. SSL/AnyConnect - both options are available, client installed or clientless.
Thanks
Ajay
05-24-2012 07:28 AM
Hi Guroo,
Yes, the options offered by the ASA for VPN are:
1. Site to Site (IPSec)
2. IPSec Remote Access using VPN clients (ver 4.x and 5.x)
3. EZY VPN (It uses IPSec protocol too)
4. Anyconnect (SSL Based VPN)
5. Clientless or WebVPN (Browser based VPN)
The first three options use the IPSec protocol. Now all of them are secure; however, it totally depends upon your requirement.
For instance, if you have many users at one location (let's say a remote office) who need access to many machines at the HQ location, then site to site will be a better option, because if you create multiple sessions using remote access then it will not only consume the CPU but will also consume the VPN license. So site to site is used for allowing a complete subnet/subnets to talk to multiple subnets.
The same is the case with EZY VPN. It has two modes: Client mode and Network Extension mode.
If your requirement is that you have a mobile user who stays out of office most of the time but he needs access to company resources then you need to go for Remote access VPN. You can use IPSec VPN as well as Anyconnect or Clientless VPN.
IPSec is the older VPN client which is being rolled out by Cisco, and the new client is Anyconnect. Anyconnect offers you more security and more features; however, it is expensive as compared to the IPSec VPN licenses.
If your requirement is to allow a user to access some of the servers at the HQ location and the user is out of office and does not have a client installed, then you can offer him clientless VPN access.
Please let me know if this answers your question.
Thanks,
Vishnu Sharma
05-26-2012 01:50 AM
Thanks for the explanation...
What about the LAN to LAN tunnel, is it the same? Secondly, how can I tell which VPN is being set up on the ASA?
05-26-2012 09:55 AM
Hi,
Site to Site and Lan to Lan are the same thing. People call it by different names. :-)
Thanks,
Vishnu Sharma
05-27-2012 08:19 AM
Vishnu, I would submit that IPSec and AnyConnect are not mutually exclusive as of ASA 8.4(1) and AnyConnect 3.x, which support IKEv2 IPSec remote access VPN.
05-26-2012 11:49 PM
That's right, but the real confusion is that we have an ASA in which we have VPN with conventional IPSec crypto etc., peer addressing and matching ACL... Secondly, we have tunnel groups with l2l and IP pool... Both are different to different clients, so what is that I am trying to differentiate between the two.
05-27-2012 08:23 AM
There is no single deciding factor, guroo. One nice thing about the ASA is that you have these many options which can be used to solve various connectivity requirements. Vishnu summarized them nicely above.
There is overlap between what they do, so a decision as to which is best in a given situation requires some analysis of your current and anticipated future requirements. Then you can choose and implement an ASA-based VPN solution.
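
As an added example (not part of any post in this thread), one way to tell from a saved running-config which kind of VPN each tunnel-group is, using the markers discussed above: crypto map peer and matching ACL for LAN to LAN, tunnel-group type and IP pool for remote access. The sample config, its names and addresses, and the `classify_vpns` helper are constructed for illustration; it assumes the usual convention that an L2L tunnel-group is named after the peer address.

```python
import re

# Constructed sample running-config excerpt (addresses and names are made up).
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address L2L_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group MOBILE type remote-access
tunnel-group MOBILE general-attributes
 address-pool VPN_POOL
"""

# tunnel-group types, including the legacy ipsec-ra and webvpn keywords
KINDS = {"ipsec-l2l": "site-to-site", "remote-access": "remote-access",
         "ipsec-ra": "remote-access", "webvpn": "remote-access"}

def classify_vpns(config):
    """Map each tunnel-group name to its kind, type, crypto ACL and address pool."""
    groups, seq_acl, peer_seq = {}, {}, {}
    current = None  # tunnel-group whose attribute sub-mode we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # any top-level line ends the sub-mode
        if m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            seq_acl[(m[1], m[2])] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (.+)$", line):
            for peer in m[3].split():
                peer_seq[peer] = (m[1], m[2])
        elif m := re.match(r"tunnel-group (\S+) type (\S+)$", line):
            groups.setdefault(m[1], {})["type"] = m[2]
        elif m := re.match(r"tunnel-group (\S+) \S+-attributes$", line):
            current = m[1]
        elif current and (m := re.match(r"address-pool (\S+)", line)):
            groups.setdefault(current, {})["pool"] = m[1]
    for name, info in groups.items():
        info["kind"] = KINDS.get(info.get("type"), "unknown")
        # Assumption: the L2L tunnel-group is named after the peer address, so
        # the crypto map entry with the same peer supplies the matching ACL.
        info["acl"] = seq_acl.get(peer_seq.get(name))
    return groups

if __name__ == "__main__":
    for name, info in classify_vpns(SAMPLE_CONFIG).items():
        print(name, info)
```

A tunnel-group that resolves to a crypto ACL and has no address pool is a LAN to LAN peer; one with an address pool and no peer entry serves remote-access clients.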