Cisco IOS SSLVPN

Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners Data Sheet


Product Overview

Cisco IOS® SSL VPN is the first router-based solution offering Secure Sockets Layer (SSL) VPN remote-access connectivity integrated with industry-leading security and routing features on a converged data, voice, and wireless platform. SSL VPN is compelling; the security is transparent to the end user and easy for IT to administer.

With Cisco IOS SSL VPN, end users gain access securely from home or any Internet-enabled location such as wireless hotspots. Cisco IOS SSL VPN also enables companies to extend corporate network access to offshore partners and consultants, keeping corporate data protected all the while.

Cisco IOS SSL VPN in conjunction with downloaded Cisco AnyConnect Secure Mobility Client provides remote users with full network access to virtually any corporate application. Cisco IOS SSL VPN features easy-to-use wizards that simplify deployment, and powerful tools to monitor and manage sessions in real time. Cisco IOS SSL VPN is a single-box VPN, security, and routing solution, unlike other vendor products that require multiple devices and management systems (Figure 1).

Figure 1. Cisco Security Routers with Cisco IOS SSL VPN

An integrated solution is easier to learn, deploy, provision, manage, and maintain, and has higher availability. This integrated solution has lower initial capital expenditure, lower deployment costs, and lower ongoing operational costs than competing multiple-device solutions.

Applications

Cisco IOS SSL VPN is useful for small and medium-sized businesses (SMBs) looking to extend remote access to employees and business partners. In addition, enterprises with a large number of small or medium-sized branches can use the Cisco IOS SSL VPN to combine remote access gateway capabilities with branch routers, thereby providing load-distribution functionality and redundancy to central-site VPN gateways. Figure 2 illustrates an application example for Cisco IOS SSL VPN.

Figure 2. Application Example: Regional Law Firm with Multiple Offices

Features and Benefits

Advanced full-network access: The Cisco IOS SSL VPN solution offers extensive application support through AnyConnect Secure Mobility Client, enabling network-layer connectivity to virtually any application.

Ease of deployment and management: Intuitive, Web-based interface with wizards simplifies configuration. Advanced monitoring and management allow zero-touch remote endpoint management.

SSL VPN gateway network integration: Advanced authentication and access-control features pinpoint who gains access to what; virtualization allows efficient segmentation into departments, customers, or other groups of users.

Simple and cost-effective licensing: The simple licensing structure of Cisco IOS SSL VPN (no added licenses for special features), combined with the consolidated technology platform, provides customers with unparalleled cost savings and competitive per-user pricing.

Advanced Full-Network Access: Cisco AnyConnect Secure Mobility Client

The Cisco AnyConnect® Secure Mobility Client consistently raises the bar in remote access technology by making the experience more seamless and secure than ever. The AnyConnect Secure Mobility Client provides a secure connectivity experience across a broad set of PC and mobile devices. As mobile workers roam to different locations, an always-on intelligent VPN enables the AnyConnect Secure Mobility Client to automatically select the optimal network access point and adapt its tunneling protocol to the most efficient method, such as Datagram Transport Layer Security (DTLS) protocol for latency-sensitive traffic - for example, voice over IP (VoIP) traffic, or TCP-based application access.

For more about the Cisco AnyConnect Secure Mobility Client, see http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-527494.html.

Ease of Deployment and Management

Cisco Configuration Professional (CCP) provides advanced wizards to make it easy to configure Cisco IOS SSL VPN.

Figure 3. Cisco Configuration Professional: Wizard-Based Management

Group-based management features allow administrators to design security policies and authentication methods for each group, a feature that is essential when extending network resources to non-corporate-managed users and endpoints.

In addition, the Cisco IOS CLI can be used to configure and monitor SSL VPN, for users who prefer that option.

For medium-sized or large installations, Cisco Security Manager Version 3.1 or later provides enterprise-class scalable SSL VPN configuration on Cisco routers and adaptive security appliances.

SSL VPN Gateway Network Integration

The Cisco IOS SSL VPN service running on Cisco routers allows the integration of SSL VPN with IP services on the router.

Table 1 lists the primary network integration capabilities.

Table 1. Cisco IOS SSL VPN Gateway Network Integration

| Feature | Benefit |
|---|---|
| User Authentication: RADIUS or Authentication, Authorization, and Accounting (AAA) Server | Ability to require users to authenticate with a username and password |
| Client Side Certification Authentication | Ability to authenticate the client based on PKI certificates |
| Network Access Control | Advanced options to control network access based on IP address, Differentiated Services Code Point/type of service (DSCP/ToS), TCP/UDP port, per-user, and per-group |
| Multiple Contexts | Ability to divide into multiple contexts, each a logical representation of the Cisco IOS SSL VPN service, complete with separate policies and configuration |
| Virtual Route Forwarding (VRF) Awareness: VRF mapping; Single IP model (URL-based or login-name-based); Multiple IP model; Per-VRF AAA server; Per-VRF Domain Name System (DNS) server; Per-VRF gateway; Per-VRF number of users | Ability for service providers to easily integrate the SSL VPN gateway into a shared MPLS network; Increased security by separating specific routes from global routing table; Support for overlapping IP address pools |

Simple and Cost-Effective Licensing

Cisco IOS SSL VPN is a feature available on Cisco routers running the IOS Advanced Security feature set. No additional separate license is required. The Advanced Security feature set entitles you to the maximum number of users supported by the platform.

Table 2. Number of Concurrent SSL VPN Users Supported per Platform

| Platform | Maximum Number of Users |
|---|---|
| Cisco UC/SR500, 880, and 890 Series Routers | 10 users |
| Cisco 1900 Fixed Routers | 25 licensed users |
| Cisco 1941 and 2901 Routers | 75 licensed users |
| Cisco 2911 and 2921 Routers | 100 licensed users |
| Cisco 2951 Routers | 150 licensed users |
| Cisco 3900 Series Routers | 200 licensed users |

Product Specifications

Table 3 provides a listing of product specifications.

Table 3. Product Specifications

End-user operating systems supported: Windows XP, Windows 7, Windows 8, MacOS, Linux, Apple iOS, and Android

Browser Compatibility: Internet Explorer, Firefox, Mozilla, Chrome and Safari

Protocols: SSL 3.0 and 3.1; and Transport Layer Security (TLS) 1.0 configuration and management

Cipher Suites:

  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_RSA_WITH_RC4_128_SHA
  • SSL_RSA_WITH_DES_CSC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_AES_128_SHA
  • SSL_RSA_WITH_AES_256_SHA

Configuration Management: Console command-line interface (CLI), HTTP, HTTPS, Telnet, Secure Shell (SSH) Protocol, and Cisco CCP

Syslog Support: Console display, external server, and internal buffer

System Requirements

Table 4 lists the hardware and software requirements to install and use Cisco IOS SSL VPN.

Table 4. System Requirements

Hardware: Cisco SR500, 880, 890, 1900, 2900, 3900

Cisco IOS Software Release: Cisco IOS 15.0M or later recommended

Cisco IOS Software Feature Set: Advanced Security or higher

For SSL VPN hardware support on ISR G2 platforms, refer to the table below.

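| Platform | Software | Onboard | ISM |
|---|---|---|---|
| 8xx | Y | Y | N |
| 1921 | Y | N | N |
| 1941 | Y | Y | Y |
| 2901 | Y | Y | Y |
| 2911 | Y | Y | Y |
| 2921 | Y | Y | Y |
| 2951 | Y | Y | Y |
| 3925 | Y | Y | Y |
| 3945 | Y | Y | Y |
| 3925E | Y | Y | N |
| 3945E | Y | Y | N |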

* ISM doesn’t support DTLS

Cisco and Partner Services for the Branch

Services from Cisco and our certified partners can help you transform the branch experience and accelerate business innovation and growth in the Borderless Network. We have the depth and breadth of expertise to create a clear, replicable, optimized branch footprint across technologies. Planning and design services align technology with business goals and can increase the accuracy, speed, and efficiency of deployment. Technical services help improve operational efficiency, save money, and mitigate risk. Optimization services are designed to continuously improve performance and help your team succeed with new technologies.

For More Information

Visit the Cisco Software Center to download Cisco IOS Software. Cisco IOS Software Release 15.0M or later, with the Advanced Security image or higher, is recommended to install and use the Cisco IOS SSL VPN feature set.

For more information about Cisco IOS SSL VPN, visit http://www.cisco.com/go/iossslvpn, contact your local Cisco account representative, or send e-mail to ask-isr-pm@cisco.com and ask-isr-tme@cisco.com.

Acknowledgement

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.