Archive for the 'Cisco VPN' Category



Cisco SSL VPN and ASDM Configuration - Port Conflict

Tuesday 21 October 2008 @ 5:38 am

In addition to IPsec VPN, Cisco firewalls also support SSL Web VPN for giving remote users access to internal resources. The main difference between IPsec VPN and SSL VPN is that the former requires a VPN client installed on the user's computer, while SSL VPN requires only a browser that supports HTTPS. Another difference is that IPsec VPN gives the remote user full network connectivity to the central site, with the same access to applications as a local LAN user. SSL VPN, on the other hand, provides more limited application access. The applications that can be reached over SSL VPN include internal websites, web-enabled applications, NT/Active Directory file shares, e-mail proxies (POP3S, IMAP4S and SMTPS), MS Outlook Web Access, and port forwarding to some other TCP-based applications.
The diagram below shows a high level network topology for SSL VPN connectivity:

[Diagram: Cisco SSL VPN on ASA firewall]

As you can see, remote users establish a secure SSL tunnel over the Internet and access application resources in the central enterprise LAN using a web browser (HTTPS).

Next we describe how to enable SSL VPN on the firewall, and how to avoid a port conflict with ASDM (the web GUI management interface) when both are enabled on the same firewall interface.

Both SSL VPN and ASDM communicate over HTTPS, which listens on TCP port 443 by default. If we need to enable ASDM management access on the same interface as SSL VPN (usually the "outside" interface), we must change the listening port of either SSL VPN or ASDM. The example below covers both scenarios.

A. Change the port of ASDM

ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on port 444 while SSL VPN uses the default port 443. With this configuration, the remote administrator on address 100.100.100.1 (the http command above restricts ASDM access to that single host) opens an ASDM session by entering https://<Outside-Address>:444 in the browser, while normal SSL VPN users start their sessions by entering https://<Outside-Address>.

B. Change the port of SSL VPN

ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on the default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator on address 100.100.100.1 opens an ASDM session by entering https://<Outside-Address> in the browser, while normal SSL VPN users start their sessions by entering https://<Outside-Address>:444.
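As an added example (not part of the original post), a small Python check that parses a show-running-config style excerpt and flags interfaces where ASDM and WebVPN would both listen on the same port. The sample configs are constructed from the two scenarios above, and the parser assumes the ASA's one-space indentation of sub-mode lines under "webvpn".

```python
# Constructed sample (not from the post): ASDM and SSL VPN both enabled on
# "outside" and both left on the default port 443, so they conflict.
CONFLICTING_CONFIG = """\
http server enable
http 100.100.100.1 255.255.255.255 outside
webvpn
 enable outside
"""

# Constructed sample matching scenario B of the post: SSL VPN moved to 444.
FIXED_CONFIG = """\
http server enable
http 100.100.100.1 255.255.255.255 outside
webvpn
 port 444
 enable outside
"""

def parse_listeners(config):
    """Pull the ASDM and WebVPN listeners out of show-running-config style text."""
    asdm = {"port": None, "interfaces": set()}
    webvpn = {"port": 443, "interfaces": set()}   # WebVPN also defaults to 443
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if not raw[0].isspace():                  # column 0: top-level command, leaves any sub-mode
            in_webvpn = line == "webvpn"
            if parts[:3] == ["http", "server", "enable"]:
                asdm["port"] = int(parts[3]) if len(parts) > 3 else 443  # no port -> 443
            elif parts[0] == "http" and len(parts) == 4 and parts[1] != "redirect":
                asdm["interfaces"].add(parts[3])  # 'http <host> <mask> <interface>'
        elif in_webvpn:                           # indented line inside the webvpn sub-mode
            if parts[0] == "port" and len(parts) == 2:
                webvpn["port"] = int(parts[1])
            elif parts[0] == "enable" and len(parts) == 2:
                webvpn["interfaces"].add(parts[1])
    return asdm, webvpn

def port_conflicts(config):
    """Interfaces where ASDM and WebVPN would both listen on the same TCP port."""
    asdm, webvpn = parse_listeners(config)
    if asdm["port"] is None or asdm["port"] != webvpn["port"]:
        return []
    return sorted(asdm["interfaces"] & webvpn["interfaces"])
```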




Cisco VPN Client Requirements

Tuesday 26 August 2008 @ 2:30 am

The Cisco VPN Software Client is the most popular remote access tool for teleworkers and mobile employees in any organization. It allows the user to establish a secure IPsec tunnel from any Internet connection to a central location (usually the user's corporate network). Once the tunnel is established, the user is attached to the central network and has full connectivity, just as if connected locally.

The latest release (at the time of writing) is 5.0.03. It can be installed on the following operating systems:

  • Windows 2000
  • Windows XP
  • Windows Vista (x86 / 32-bit only)
  • Linux (Intel based)
  • Mac OS X 10.4
  • Solaris UltraSparc (32 and 64-bit)

Furthermore, the Cisco VPN Client is compatible with all of the Cisco VPN hardware products listed below:

  • Cisco Firewall ASA 5500 Series Software Version 7.0 and higher.
  • Cisco Firewall PIX Security Appliance Software Version 6.0 and later.
  • Cisco VPN 3000 Series Concentrator Software Version 3.0 and later.
  • Cisco Routers with VPN IOS support Software Release 12.2(8)T and later.
  • Cisco 6500 / 7600 IPSec VPNSM and VPN SPA IOS Software Release 12.2SX and later.

To obtain the Cisco VPN Client software you need a Cisco SMARTnet support contract; the client can then be downloaded from the Cisco Software Center. A CD with the VPN client also ships with any Cisco ASA 5500 series firewall (except the ASA 5505).




Cisco VPN Client Setup

Wednesday 9 April 2008 @ 4:13 pm

A Remote Access VPN (Virtual Private Network) is a connection technology that provides remote users with a secure and confidential connection to internal company resources over the Internet. The remote user needs VPN client software (e.g. the Cisco VPN client) installed on his/her laptop plus an ordinary Internet connection (dial-up, broadband ADSL, wifi hotspot, etc.). Since the remote user's traffic passes through the untrusted Internet, it has to be encrypted to keep the data confidential; the IPsec protocol is used to encrypt and secure the user data.
The Cisco VPN client is the most popular software used to provide remote access connectivity to the corporate home network.

[Figure: Cisco VPN client]

The figure above shows a basic setup for a remote employee using the Cisco VPN client to connect securely over the Internet to the corporate network. First, the remote user connects to a public Internet Service Provider. Next, the user starts the Cisco VPN client installed on the laptop and initiates a VPN connection to the company VPN server, which can be a Cisco firewall (PIX or ASA), a Cisco VPN concentrator, or a Cisco router with IPsec software. Once the VPN connection is established, the remote VPN user can communicate with internal company servers and resources as if it were a local host.



