
Types of VPN in asa

The_guroo_2
Level 2

Guys, a very broad topic, but can someone narrow it down...

I want to know how we decide what to have in terms of VPN... as there are many choices: when we use LAN to LAN, when we use SSL based, and when we use remote VPN (where the client uses ezyvpn etc.)... I need to know the deciding factor, and is there any difference among all of them?

7 Replies

ajay chauhan
Level 7

LAN to LAN - When you want to connect two remote locations (LAN).

SSL/WEB/EZYVPN - basically here is the choice, and this is for remote access for mobile users. ezyvpn does need a client installed on the machine; a pcf file (a profile) is required to access the VPN. WEBVPN - no client required, just access through web pages, and the links will be there on the web page. SSL/AnyConnect - both options are available, client installed or clientless.

Thanks

Ajay

Vishnu Sharma
Level 1

Hi Guroo,

Yes, the options that are offered by ASA for VPN are:

1. Site to Site (IPSec)

2. IPSec Remote Access using VPN clients (ver 4.x and 5.x)

3. EZY VPN (It uses IPSec protocol too)

4. Anyconnect (SSL Based VPN)

5. Clientless or WebVPN (Browser based VPN)

The first three options use the IPSec protocol. Now all of them are secure; however, it totally depends upon your requirement.

For instance, if you have many users at one location (let's say a remote office) who need access to many machines at the HQ location, then site to site will be a better option, because if you create multiple sessions using remote access then it will not only consume the CPU but will also consume the VPN license. So site to site is used for allowing a complete subnet/subnets to talk to multiple subnets.

Same is the case with EZY VPN. It has two modes: Client Mode and Network Extension Mode.

If your requirement is that you have a mobile user who stays out of office most of the time but needs access to company resources, then you need to go for Remote access VPN. You can use IPSec VPN as well as Anyconnect or Clientless VPN.

IPSec is the older VPN client which is being rolled out by Cisco, and the new client is Anyconnect. Anyconnect offers you more security and more features; however, it is expensive as compared to the IPSec VPN licenses.

If your requirement is to allow a user to access some of the servers at the HQ location, and the user is out of office and does not have a client installed, then you can offer him clientless VPN access.

Please let me know if this answers your question.

Thanks,

Vishnu Sharma

Thanks for the explanation...

What about a LAN to LAN tunnel, is it the same? Secondly, how can I tell which VPN is being set up on the ASA?

Hi,

Site to Site and LAN to LAN are the same thing. People call it by different names. :-)

Thanks,

Vishnu Sharma

Vishnu, I would submit that IPSec and AnyConnect are not mutually exclusive as of ASA 8.4(1) and AnyConnect 3.x, which support IKEv2 IPSec remote access VPN.

The_guroo_2
Level 2

That's right, but the real confusion is that we have an ASA, and in that we have a VPN with conventional IPSec crypto etc., peer addressing and matching ACL... Secondly, we have tunnel groups with l2l and IP pool... Both are different to different clients, so what I am trying to do is differentiate between the two.


There is no single deciding factor, guroo. One nice thing about the ASA is that you have these many options which can be used to solve various connectivity requirements. Vishnu summarized them nicely above.

There is overlap between what they do, so a decision as to which is best in a given situation requires some analysis of your current and anticipated future requirements. Then you can choose and implement an ASA-based VPN solution.
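
An added example, not part of the thread and not Cisco tooling: one way to tell which VPN types a saved ASA running-config sets up, by reading each `tunnel-group ... type` line and joining it to the crypto map peer and ACL (site to site) or to the address pool and group-policy `vpn-tunnel-protocol` (remote access). The config excerpt is constructed, uses ASA 8.4+ keywords, and assumes the L2L tunnel-group is named after the peer IP.

```python
# Constructed ASA 8.4+ running-config excerpt; names and addresses are sample values.
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address L2L_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside
group-policy GP_REMOTE attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy GP_REMOTE
"""
LABELS = {"ikev1": "IPsec client (IKEv1)", "ikev2": "AnyConnect IPsec (IKEv2)",
          "ssl-client": "AnyConnect SSL", "ssl-clientless": "clientless WebVPN"}

def classify_vpns(config):
    """Map each tunnel-group to a description of the VPN type it configures."""
    groups, policies, entries = {}, {}, {}
    kind = owner = None  # indented attribute block currently being read
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line.startswith(" "):
            kind = owner = None  # a top-level command ends the previous block
        if words[:2] == ["crypto", "map"] and len(words) >= 7:
            if words[5] in ("address", "peer"):  # "match address ACL" / "set peer IP"
                entries.setdefault((words[2], words[3]), {})[words[5]] = words[6]
        elif words[0] == "tunnel-group" and len(words) >= 3:
            group = groups.setdefault(words[1], {})
            if words[2] == "type" and len(words) >= 4:
                group["type"] = words[3]
            else:
                kind, owner = "tunnel-group", words[1]
        elif words[0] == "group-policy" and words[-1] == "attributes":
            kind, owner = "group-policy", words[1]
        elif kind == "tunnel-group" and words[0] in ("address-pool", "default-group-policy"):
            groups[owner][words[0]] = words[1]
        elif kind == "group-policy" and words[0] == "vpn-tunnel-protocol":
            policies[owner] = words[1:]
    acl_by_peer = {e["peer"]: e.get("address") for e in entries.values() if "peer" in e}
    result = {}
    for name, g in groups.items():
        if g.get("type") == "ipsec-l2l":  # assumption: L2L group is named after the peer IP
            result[name] = f"site-to-site, crypto ACL {acl_by_peer.get(name)}"
        elif g.get("type") == "remote-access":
            kinds = [LABELS.get(p, p) for p in policies.get(g.get("default-group-policy"), [])]
            result[name] = f"remote access, pool {g.get('address-pool')}: " + ", ".join(kinds)
    return result
```

On a live ASA, `show running-config tunnel-group` gives the configured groups and `show vpn-sessiondb` the sessions currently established.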