Q&A: Cisco IOS SSL VPN

Q. What is Cisco IOS SSL VPN or SSL VPN?
A. Secure Sockets Layer (SSL)-based VPN is an emerging technology that provides remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they are establishing the connection. Cisco IOS SSL VPN does not require a VPN client to be preinstalled on the endpoint host.

Q. How does the licensing work for Cisco IOS SSL VPN?
A. There are two types of licensing schemes for Cisco IOS SSL VPN. For the Cisco 870, 1800, 2800, 3800, and 7200 series routers, licenses are cost-effective paper licenses just like CCME or SRST licenses. There is no software key to enable the feature, hence there is no support issue with using Cisco IOS SSL VPN once you have the Advanced Security or higher Cisco IOS image loaded on the router. You can purchase the feature license as a spare in packs of 10, 25, and 100 simultaneous users directly from the Cisco.com configuration tool. If you already have a router, use the spare SKUs FL-WEBVPN-10-K9=, FL-WEBVPN-25-K9=, or FL-WEBVPN-100-K9=, depending upon the number of supported users for your platform. For the Cisco 890, 1900, 2900, and 3900 NGX series ISRs, licensing will be enforced through the Cisco Product Licensing Registration Portal. The next generation of ISRs will also use a new set of SKUs as follows: FL-SSLVPN10-K9(=), FL-SSLVPN25-K9(=), and FL-SSLVPN100-K9(=). For more details on licensing, please visit http://www.cisco.com/en/us/products/ps9677/products_ios_technology_home.html. Licenses are not interchangeable between the ISRs and NGX Series ISRs.

Q. Is it reasonable to implement both IP Security (IPsec) and SSL VPN in my network?
A. In many cases, IPsec and SSL VPN are complementary, because they solve different problems. This complementary approach allows a single device to address all remote-access user requirements (Figure 1).

Figure 1. Best Usage for IPsec and SSL VPN Solutions

Q. What are my options if IPsec ports are being blocked at the hotel firewall? Will SSL VPN help me?
A. Most users have success with IPsec from hotels, especially with the TCP or User Datagram Protocol (UDP) tunneling options. SSL VPN should work from these locations, as TCP port 443 (the port used by SSL VPN) is already allowed for access to other secure Web servers.

Q. Are there problems in establishing an SSL VPN tunnel through firewalls?
A. Generally, the ports required for Web traffic are open on firewalls, and SSL VPN uses these same ports, so it should not be a problem. If the firewall is blocking everything, then you would need to allow HTTPS traffic (TCP port 443, and UDP port 443 for DTLS) to allow SSL VPN traffic.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 6

Q. Do companies require both SSL VPN and IPsec, and will most companies need to deploy both at some point?
A. Many customers have expressed interest in simultaneously supporting SSL VPN and IPsec connectivity. Cisco Systems helps you support all your remote-access needs on a single platform at the same time.

Q. Are SSL VPN and IPsec VPN mutually exclusive, or can both solutions be offered from one location?
A. Customers can use both SSL VPN and IPsec VPNs simultaneously on Cisco routers. Deploying SSL VPN and IPsec VPN solutions on the same box reduces the cost of operations and simplifies the network design.

Q. With the support of SSL VPN for remote access, why would I need IPsec?
A. These technologies are complementary. SSL allows you to secure clients independently, but remote sites with multiple PCs can use Cisco Easy VPN technology, taking advantage of IPsec.

Q. Can I use Dynamic Multipoint VPN (DMVPN), Easy VPN, and SSL VPN on the same Cisco IOS Software router?
A. Yes. This scenario lets customers run all security services, including Cisco IOS Firewall, Cisco IOS IPS, IPsec VPNs, quality of service (QoS), Network Address Translation (NAT), and routing, along with SSL VPN on a single integrated services router.

Q. How do I determine when to use the Cisco IOS Software routers for SSL VPN versus using an appliance-based solution?
A. The Cisco IOS Software VPN security routers are the most widely deployed and most diverse family of VPN solutions in the industry today. Cisco VPN security routers represent the best options for customers of all sizes who want to integrate network and security services in a single device. Using the Cisco IOS Advanced Security feature set (a security-specific option for Cisco IOS Software), customers can combine the richest VPN feature set available for site-to-site and remote-access VPNs with state-of-the-art firewall, intrusion prevention, and extensive Cisco IOS Software capabilities, including QoS, NAT, multicast, extensive WAN interface support, wireless support, dial backup, and advanced routing support. Customers who prefer a standalone security device should use the appliance-based solution.

Q. Is SSL VPN the same as SSL offloading?
A. No, SSL-based VPN is different from SSL offloading. SSL VPN works by tunneling the application traffic through an encrypted SSL VPN tunnel, whereas SSL offloading works by SSL acceleration for packets going to the inside Web servers.

Supported Software and Hardware

Q. What platforms does Cisco IOS SSL VPN support?
A. Cisco IOS SSL VPN is supported on the Cisco ISR Series Routers, NGX Series ISR Routers, and 7200 and 7301 routers running Advanced Security images of Cisco IOS Software Release 12.4(6)T. Table 1 gives the maximum concurrent number of users supported per platform.

Table 1. Recommended Concurrent Number of Users Supported per Platform

Platform                                         | Licenses Included with High Performance Security (HSEC) Bundles | Maximum Number of Users Without Advanced Integration Module | Maximum Number of Users With Advanced Integration Module
Cisco UC/SR500, 870, 880, and 890 Series Routers | -             | 10 users          | -
Cisco 1800 and 1900 Fixed Routers                | -             | 25 licensed users | -
Cisco 1841 and 2801 Routers                      | 10 free users | -                 | 75 licensed users
Cisco 1941 and 2901 Routers                      | -             | 75 licensed users | N/A

Table 1 (continued). Recommended Concurrent Number of Users Supported per Platform

Platform                                  | Licenses Included with High Performance Security (HSEC) Bundles | Maximum Number of Users Without Advanced Integration Module | Maximum Number of Users With Advanced Integration Module
Cisco 2811 and 2821 Routers               | 10 free users | -                  | 100 licensed users
Cisco 2911 and 2921 Routers               | -             | 100 licensed users | N/A
Cisco 2851 Routers                        | 10 free users | -                  | 150 licensed users
Cisco 2951 Routers                        | -             | 150 licensed users | N/A
Cisco 3800 Series Routers                 | 25 free users | -                  | 200 licensed users
Cisco 3900 Series Routers                 | -             | 200 licensed users | N/A
Cisco 7200 Series and Cisco 7301 Routers  | -             | 200 licensed users | -

Q. Is there hardware support for Cisco IOS SSL VPN encryption?
A. Cisco modular ISR Routers (1800, 2800, 3800) require SSL VPN hardware acceleration with the AIM modules (AIM-VPN/SSL). For more details on these hardware AIM modules, please visit http://www.cisco.com/en/us/products/ps6657/products_data_sheet0900aecd804ff58a.html.

Platform | Onboard Crypto Engine | VPN-ISM
8xx      | Y | N
1921     | N | N
1941     | N | Y
2901     | N | Y
2911     | N | Y
2921     | N | Y
2951     | Y | Y
3925     | Y | Y
3945     | Y | Y
3925E    | Y | N
3945E    | Y | N

Note: ISM does not support DTLS.

Q. What features are available in Cisco IOS Software Release 12.4(6)T for Cisco IOS SSL VPN?
A. The SSL VPN in Cisco IOS Software Release 12.4(6)T supports the SSL VPN client (SVC) along with Cisco Secure Desktop and virtualization support:

- SSL VPN Client (full network client Cisco IOS SSL VPN): Full network client mode offers extensive application support through its dynamically downloaded SSL VPN client for Cisco IOS SSL VPN. With the Full Network Client for Cisco IOS SSL VPN, Cisco delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client (AnyConnect Client) that allows network-layer connectivity to virtually any application.

- Virtualization and VRF support: VPN routing and forwarding (VRF), which creates virtualization, can be used to create various customer or departmental contexts that can have different configurations while still using overlapping address space.

Q. What are some of the latest features available as part of the Cisco IOS Software Release 12.4(24)T for Cisco IOS SSL VPN?
A. The SSL VPN in Cisco IOS Software Release 12.4(24)T has enhanced the existing SSL VPN capability highlighted above to support the following features.

Table 2. Cisco IOS SSL VPN Feature Support in 12.4(15)T

Feature                              | Description
Cisco AnyConnect Localization        | Support for AnyConnect in localized languages.
Client-side certificate support      | Authentication of clients through the use of digital certificates.
Support for 64-bit AnyConnect client | AnyConnect support for 64-bit Windows operating systems.
Session Resumption                   | Session resumption allows pseudo IP mobility for clients that roam between networks. When the client moves from one network to another, the VPN connection will automatically renegotiate without the need for the user to resupply their credentials.

Feature Details

Q. What SSL VPN offering is available with Cisco IOS Software?
A. Cisco's IOS SSL VPN feature is focused on full tunnel connectivity based on either the SVC or AnyConnect clients.

Q. What is the level of encryption for Cisco IOS SSL VPN?
A. Most standard Web browsers support Triple Data Encryption Standard (3DES), DES, Rivest Cipher 4-128 (RC4-128), and 40-bit encryption. Cisco IOS SSL VPN by default selects RC4-128 encryption, and all other encryption levels are configurable options.

Q. Do SSL VPN solutions use digital certificates, or something else?
A. A Cisco router configured as a Cisco IOS SSL VPN gateway requires a digital certificate like any other HTTPS (SSL) Web server. A client accesses https://router_ip to start the SSL VPN connection and is authenticated with a username and password (no client-side certificate is required).

Q. Is it necessary to install a digital certificate in the Cisco IOS Software routers for SSL VPN?
A. Yes, a certificate is required for browser-based access. You can use either the router command-line interface (CLI) or Cisco Configuration Professional (CCP) to generate a self-signed certificate on the router (this setup does not require any certificate-authority server), or you can set up an external certificate-authority server to provide the required certificate. For small- and midsized-business (SMB) and commercial customers without an external certificate server, Cisco recommends using the persistent self-signed certificate. Details about persistent self-signed certificates are available at http://www.cisco.com/en/us/products/sw/iosswrel/ps5207/products_feature_guide09186a008040adf0.html.

Q. How can I use SSL or IPsec certificates on my Cisco VPN for authentication?
A. Certificates for IPsec can be loaded into the VPN client native certificate manager or the Microsoft Common Application Programming Interface (CAPI) store (accessible from Internet Explorer). For SSL VPN, you can download the certificate from the SSL VPN gateway and install it in your Web browser.

Q. Can a service provider create multiple SSL VPN contexts and associate VRFs with them for our customers?
A. Absolutely. You can create multiple SSL VPN contexts and then have a specific customer VRF associated with each of them to keep customers' routing information separate.

Q. Will the Cisco IOS SSL VPN work with browsers other than Internet Explorer?
A. Yes. The Cisco IOS SSL VPN takes a browser-independent approach to SSL VPN, including support for Mozilla (Firefox), Netscape, and Internet Explorer.

Full Network Access

Q. What protocols can be tunneled through Cisco IOS SSL VPN?
A. The IOS SSL VPN clients are agnostic to the type of traffic and tunnel traffic much like the Cisco IPsec VPN clients. The difference, of course, is that SSL is used.

Q. With IPsec VPN, I use the Cisco IPsec VPN client. Can I use the same client with SSL VPN?
A. No, you cannot use the IPsec VPN client for SSL VPN connectivity. A Web browser is used to bring the initial SSL VPN tunnel up, and in case you require full network access, an SSL VPN client is automatically downloaded to that end user (using Java or ActiveX).

Q. Do I need to preinstall any VPN client on the client machine to use full-network-access SSL VPN?
A. The main advantage of using SSL VPN is that it does not require a preinstalled client on the client machine. Always make your initial connection to the SSL VPN gateway using your Web browser (using https://gateway_address). To obtain full network access through the SSL VPN gateway, an SSL VPN client (SVC or AnyConnect) is downloaded to the client PC upon connection. The SSL VPN client is installed either once or upon each connection, depending on your gateway configuration.

Q. Do I assign IP address pools for users using the SSL VPN client (full network access) as I do for IPsec clients?
A. Yes, you do need to assign IP addresses to SSL VPN clients connecting to the router using an SSL VPN client, and you need to make sure the network address is part of the inside network.

Q. Do I need administrative privileges on the machine to download the SSL VPN client?
A. Yes, administrative privileges are required for a user to download the SSL VPN client on the machine. For users with administrative privileges, the SSL VPN client is downloaded (using Java or ActiveX) if the client-specific configuration is enabled on the Cisco IOS SSL VPN gateway. If the SSL VPN client is installed on a machine permanently (using an installer stub), then administrative rights are required only during the SSL VPN client install. Nonadministrative users can use the SSL VPN client on the client PC after the client is permanently installed on that PC.

Management

Q. Does Cisco SDM support Cisco IOS SSL VPN?
A. Cisco IOS SSL VPN is supported by Cisco SDM v2.3 with Cisco IOS Software Release 12.4(6)T, which is included free of charge as part of all router security bundles. Additionally, Cisco SDM can be downloaded for free at http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm.

Q. Can I easily configure the Cisco IOS SSL VPN or SSL VPN using the Cisco CCP?
A. The Cisco CCP provides wizards for both basic and advanced configurations, making configuration of Cisco IOS SSL VPN very simple.
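The gateway-side pieces the preceding answers describe (a persistent self-signed certificate, replacing the RC4-128 default cipher with configurable ones, an address pool for full-network-access clients, and keeping the downloaded client installed so non-administrators can reuse it) as one Cisco IOS CLI configuration. This is an added example, not configuration taken from the original document or from Cisco; the trustpoint, gateway, context, policy, pool and AAA list names, the user, the addresses, and the SVC package path are all assumed placeholders.

```cisco
! Added example (not from the original document): Cisco IOS 12.4T SSL VPN gateway
! with a persistent self-signed certificate and a full-tunnel (SVC/AnyConnect) policy.
! Every name, address and path below is an assumed placeholder.

! Address pool handed to full-network-access clients. The pool must belong to (or be
! routed from) the inside network, otherwise return traffic never reaches the tunnel.
ip local pool SSLVPN-POOL 10.10.10.1 10.10.10.50

! Persistent self-signed certificate: no external CA is needed, the key pair is
! generated once and the certificate survives reloads.
crypto pki trustpoint TP-SSLVPN
 enrollment selfsigned
 subject-name CN=vpn.example.com
 revocation-check none
 rsa keypair SSLVPN-KEY 2048
crypto pki enroll TP-SSLVPN

! Username/password authentication against the local database for this example;
! point the list at RADIUS or TACACS+ in production.
aaa new-model
aaa authentication login SSLVPN-AUTH local
username vpnuser secret CHANGE-ME-PLACEHOLDER

! Gateway listening on TCP 443 (DTLS, when used by the client, is UDP 443).
! ssl encryption overrides the RC4-128 default so only AES and 3DES suites are offered.
webvpn gateway SSLVPN-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint TP-SSLVPN
 ssl encryption aes-sha1 3des-sha1
 inservice

! Client package the gateway serves to the browser for full network access.
webvpn install svc flash:/webvpn/svc.pkg

webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 policy group SSLVPN-POLICY
  ! Full-tunnel client mode, addresses from the pool above.
  functions svc-enabled
  svc address-pool "SSLVPN-POOL"
  ! Install once (needs admin rights once) instead of re-downloading every session.
  svc keep-client-installed
  ! Only the internal prefix goes through the tunnel.
  svc split include 10.0.0.0 255.0.0.0
 default-group-policy SSLVPN-POLICY
 inservice
```

After applying it, `show webvpn gateway` and `show webvpn context` should report the gateway and context as operational, and `show crypto pki certificates` should list the self-signed certificate under TP-SSLVPN.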

Q. Where can I find more documentation about Cisco IOS SSL VPN for Cisco IOS Software Release 12.4(24)T?
A. You can find additional documentation at http://www.cisco.com/go/iossslvpn.

For More Information

For more information about the Cisco IOS SSL VPN and SSL VPN solution, visit http://www.cisco.com/go/iossslvpn for the product homepage, or contact your local Cisco account representative or the Cisco Technical Assistance Center (TAC).

Acknowledgement

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.

Printed in USA C67-60008-09 04/13