Archive for the 'Cisco VPN' Category



Overview of Cisco ASA VPN Technologies

Monday 15 March 2010 @ 4:02 pm

Cisco supports several types of VPN implementations on the ASA, but they are generally categorized as either “IPSec Based VPNs” or “SSL Based VPNs”. The first category uses the IPSec protocol for secure communications while the second uses SSL. SSL Based VPNs are also called WebVPN in Cisco terminology. The two general VPN categories supported by the Cisco ASA are further divided into the following VPN technologies.

IPSec Based VPNs:

  • Lan-to-Lan IPSec VPN: Used to connect remote LAN networks over insecure media (e.g. the Internet). It runs between ASA-to-ASA or ASA-to-Cisco Router.
  • Remote Access with IPSec VPN Client: VPN client software is installed on the user’s PC to provide remote access to the central network. It uses the IPSec protocol and provides full network connectivity to the remote user. Users use their applications at the central site as they normally would without a VPN in place.

SSL Based VPNs (WebVPN):

  • Clientless Mode WebVPN: This is the first implementation of SSL WebVPN supported from ASA version 7.0 and later. It lets users establish a secure remote access VPN tunnel using just a Web browser. There is no need for a software or hardware VPN client. However, only limited applications can be accessed remotely.
  • AnyConnect WebVPN: A special Java based client is installed on the user’s computer, providing an SSL secure tunnel to the central site. It provides full network connectivity (similar to the IPSec remote access client). All applications at the central site can be accessed remotely.

From the description above you can understand that the AnyConnect WebVPN technology combines the best of both IPSec based VPNs and SSL based VPNs. It offers full network connectivity to the remote user without having to install dedicated VPN software like the IPSec remote access client. The AnyConnect VPN client is a lightweight Java client (around 3MB) which can be installed on or uninstalled from the remote user’s PC dynamically.




VPN Config Generator-Software to create Cisco VPN Configurations

Thursday 3 December 2009 @ 3:46 am

For most network engineers, one of the most difficult and tricky features to configure on Cisco equipment is to properly setup a VPN communication network. I have realized that from the numerous emails and questions I get almost every day from readers of my blog and in my workplace as well.

Cisco is one of the leaders in VPN technologies. This is good for enterprises and companies which can use the flexible Cisco VPN features to meet their business goals (such as low cost in connectivity and communication between branches, flexibility in communication, security etc).

On the other hand, VPN is a pain for network administrators, who are required to know how to configure and design the several different VPN technologies supported by Cisco, such as Site-to-Site IPSec VPN, remote access IPSec VPN using VPN client software, Easy VPN, GRE VPN Tunnels, GRE over IPSec, DMVPN (Dynamic Multipoint VPN), Virtual Tunnel configuration, etc. In addition to the above VPN technologies, a network administrator is also required to know how to configure them on different networking platforms, such as Firewalls (ASA, PIX) and IOS Routers.

Recently I stumbled upon a really useful software tool which will be of great value for Cisco network engineers: the VPN Config Generator tool from configureterminal.com. As the website states, with VPN Config Generator you can “Create Complicated VPNs in seconds at the click of a button!”.

As you can see from the pictures above, you first select the platform that you want to configure VPN on (i.e. Router or ASA/PIX Firewall), and then select the type of VPN that you want to configure. The tool supports almost all Cisco VPN technologies and also supports configurations between different platforms (e.g. ASA to ASA, ASA to Router, etc.). After you specify the required parameters, the tool generates a working configuration (in text format) which you can just copy and paste onto the Router or Firewall (ASA/PIX) via the command line terminal, and you will be up and running. So basically you are working offline first and then uploading the generated config onto the live device.

I highly recommend this tool as it will save you from a lot of hassle and problems. Check it out from the official website HERE.




Apple iPhone supports Cisco VPN Client

Monday 26 October 2009 @ 4:45 am

Both iPhone software versions 2.x and 3.x support three types of remote access VPN connectivity: L2TP, PPTP and IPSec (see picture below). The IPSec option is actually a Cisco VPN client software for communicating securely with Cisco Adaptive Security Appliance (ASA 5500 Series Firewalls).

Cisco states that only ASA and PIX firewalls support the iPhone Remote Access VPN. Cisco IOS routers with IPSec capability and the older VPN3000 Concentrators DO NOT support the iPhone VPN feature.

This feature enables teleworkers to connect remotely to their Enterprise central network via secure VPN tunnel using their Apple iPhone. The VPN can use both Wi-Fi and Cellular Mobile Data networks for setting up the tunnel. The authentication methods supported for establishing the secure remote VPN tunnel are:

  • Password
  • RSA SecurID
  • CRYPTOCard
  • Certificate

Regarding the configuration on the Cisco ASA appliance, this is exactly the same configuration as for the normal Cisco IPSec VPN client software. You need to configure an IP Pool for the iPhone to receive an IP address from. This pool range will then have access to the internal network behind the ASA.




Cisco SSL VPN and ASDM Configuration – Port Conflict

Tuesday 21 October 2008 @ 5:38 am

In addition to IPSec VPN support, Cisco firewalls also support the SSL Web VPN technology for providing access to resources for remote users. The main difference between IPSec VPN and SSL VPN is that the first one requires a VPN client installed on the user’s computer while the SSL VPN requires only a secure browser (HTTPS). Another difference is that IPSec VPN provides full network connectivity to the central site for the remote user, with the ability for the user to have full access to applications just like local LAN access. On the other hand, SSL VPN provides limited application access compared with IPSec VPN. The applications that can be accessed by SSL VPN include internal websites, Web-enabled applications, NT/Active Directory file shares, E-mail proxies (including POP3S, IMAP4S, and SMTPS), MS Outlook Web Access, and port forwarding access to some other TCP-based applications.
The diagram below shows a high level network topology for SSL VPN connectivity:

[Diagram: Cisco SSL VPN on ASA firewall]

As you can see, the remote users can establish a secure SSL tunnel over the Internet and access application resources located in their central Enterprise LAN using a web browser (HTTPS).

Next we will describe how to enable SSL VPN on the firewall, and discuss how you can avoid a port conflict with ASDM (Web GUI management) when both are enabled on the same firewall interface.

Both SSL VPN and ASDM use the HTTPS protocol for communication, which uses port 443 by default. If we need to enable ASDM management access on the same interface as SSL VPN (usually the “outside” interface), then we must change the listening port of either the SSL VPN or the ASDM. In our example below we will describe both scenarios.

A. Change the port of ASDM

ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on port 444 while SSL VPN uses the default port 443. With this configuration, the remote administrator user on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address>:444 in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>.

B. Change the port of SSL VPN

ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on the default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator user on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address> in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>:444.
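As an added example (not part of the original post, and not a Cisco tool), the following Python audit script reads the ASDM (http server) and WebVPN listener statements from an ASA configuration, in either the prompt-prefixed form shown above or plain "show run" output, and reports any interface where both services end up on the same port. The hostname "ASA", the conflicting sample config and the interface names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Accepts both the "ASA(config)# ..." lines shown in the post and plain "show run" output.
PROMPT = re.compile(r'^\S+\((config(?:-webvpn)?)\)#\s*')
HTTP_ENABLE = re.compile(r'^http server enable(?: (\d+))?$')
HTTP_ACL = re.compile(r'^http \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ (\S+)$')

def _split(raw: str) -> Tuple[bool, str]:
    """Return (is_webvpn_submode_line, command) for one config line."""
    m = PROMPT.match(raw)
    if m:
        return m.group(1) == 'config-webvpn', raw[m.end():].strip()
    return raw.startswith(' '), raw.strip()   # show-run style: sub-commands are indented

def listeners(config: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each interface to its HTTPS listeners as ('asdm', port) / ('webvpn', port)."""
    asdm_port, asdm_ifaces = None, []        # ASDM listens only after 'http server enable'
    webvpn_port, webvpn_ifaces = 443, []     # WebVPN defaults to 443 unless 'port N' is set
    in_webvpn = False
    for raw in config.splitlines():
        sub, line = _split(raw)
        if not line:
            continue
        if line == 'webvpn':
            in_webvpn = True
            continue
        if not sub:
            in_webvpn = False                # back in global config mode
            if (m := HTTP_ENABLE.match(line)):
                asdm_port = int(m.group(1) or 443)
            elif (m := HTTP_ACL.match(line)):
                asdm_ifaces.append(m.group(1))
        elif in_webvpn:
            if (m := re.match(r'^port (\d+)$', line)):
                webvpn_port = int(m.group(1))
            elif (m := re.match(r'^enable (\S+)$', line)):
                webvpn_ifaces.append(m.group(1))
    out: Dict[str, List[Tuple[str, int]]] = {}
    if asdm_port is not None:
        for i in asdm_ifaces:
            out.setdefault(i, []).append(('asdm', asdm_port))
    for i in webvpn_ifaces:
        out.setdefault(i, []).append(('webvpn', webvpn_port))
    return out

def port_conflicts(config: str) -> List[Tuple[str, int]]:
    """(interface, port) pairs where ASDM and WebVPN are both bound to the same port."""
    found = []
    for iface, svcs in listeners(config).items():
        by_port: Dict[int, set] = {}
        for svc, port in svcs:
            by_port.setdefault(port, set()).add(svc)
        found += [(iface, p) for p, s in by_port.items() if len(s) > 1]
    return found

# Constructed sample: ASDM and WebVPN both enabled on "outside" with neither port changed.
CONFLICTING = """ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
"""
```

Applying either fix from the post (port 444 on `http server enable`, or `port 444` under `webvpn`) to the sample makes `port_conflicts` return an empty list.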



