Most Cisco customers would naturally regard the ASA security appliance as the platform on which to implement SSL VPNs of any sort (clientless or using the AnyConnect® client). The ASA has been the replacement for the VPN Concentrator in this technology area since its introduction in mid-2005.
What is not widely known, however, is that Cisco IOS® has been "catching up" to the ASA in SSL VPN functionality. This article addresses some of the enhancements made starting with release 15.0.
To begin with, support for the AnyConnect® client began with IOS® version 12.4(15)T; before that only the old SSL VPN Client (SVC) could be used. Version 15.0(1)M introduced support for client-side certificate based authentication, a feature which provides several benefits.
- For organizations that require double authentication, certificate authentication can be combined with another AAA (Authentication, Authorization and Accounting) method, so that a user must present both a valid certificate and valid credentials before a session is established.
- It also makes a pre-login group association possible (the IOS equivalent of the ASA tunnel-group mapping). Using certificate matching rules, an administrator can map a field of the client certificate, such as the Organizational Unit (OU), to a policy group before the user is prompted for credentials, either statically or dynamically.
Version 15.0(1)M also introduces a licensing model similar to the one on the ASA appliance. The difference is that IOS uses a node-associated (per-device) rather than a user-associated approach. The license can be installed from the CLI or with the Cisco License Manager GUI, and license validation becomes part of the user login process. Cisco provides four basic licensing types:
The last of these is intended for a disaster recovery scenario, where a grace period is needed while a device is being repaired or restored.
Version 15.1(1)M adds two major feature areas worthy of mention:
- SSL VPN Phase-4 support adds split-tunnel access-lists, a capability frequently used when an outside user needs access to a limited set of (usually local) networks while the tunnel is up, with all other traffic leaving the client directly. Phase-4 also provides per-user session statistics and a Start Before Login option.
- SSL VPN DVTI (Dynamic Virtual Tunnel Interface) support makes SSL VPN interoperable with Network Address Translation (NAT), interface access-lists and the zone-based firewall (ZBF). The last of these was a problem for tunnels terminated directly on a physical interface: decrypted tunnel traffic appeared to arrive on the outside interface and therefore in the outside zone, so it could not be given its own zone policy. With a DVTI, each session is cloned from a virtual template onto its own virtual-access interface, which can be placed in a dedicated security zone.
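The following configuration is an added example, not taken from the article or from Cisco's configuration guide, that ties the three feature areas above together: a certificate map on the client's OU that selects a policy group before login (15.0(1)M), a Phase-4 split-tunnel ACL (15.1(1)M), and a DVTI whose virtual-access interfaces land in their own ZBF zone (15.1(1)M). Interface names, addresses (203.0.113.0/24 and RFC 1918 ranges), pool, ACL, zone and trustpoint names are all assumed. The `match-certificate` line that binds the certificate map to a policy group and the `svc split include acl` form are written from memory of the 15.x command reference and marked as assumptions in the comments; verify them against the configuration guide for your release before relying on them.

```cisco
! ---- Zone-based firewall: give SSL VPN sessions their own zone ----
zone security OUTSIDE
zone security INSIDE
zone security SSLVPN
!
class-map type inspect match-any SSLVPN-TO-INSIDE-CM
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SSLVPN-TO-INSIDE-PM
 class type inspect SSLVPN-TO-INSIDE-CM
  inspect
 class class-default
  drop
!
zone-pair security SSLVPN-INSIDE source SSLVPN destination INSIDE
 service-policy type inspect SSLVPN-TO-INSIDE-PM
!
interface GigabitEthernet0/0
 description Outside (assumed)
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description Inside (assumed)
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
!
! DVTI template: each AnyConnect session is cloned into a
! virtual-access interface that inherits the SSLVPN zone membership,
! which is what lets ZBF policy apply to tunnel traffic at all.
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 zone-member security SSLVPN
!
ip local pool SSLVPN-POOL 10.200.0.10 10.200.0.250
!
! Phase-4 split-tunnel ACL: only these destinations are tunneled;
! everything else leaves the client directly.
ip access-list extended SPLIT-TUNNEL-ACL
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
!
! Certificate map: match OU=Engineering in the client cert subject.
! Matching rules are evaluated before the user is prompted, so the
! group association happens pre-login.
crypto pki certificate map ENG-CERT-MAP 10
 subject-name co ou = engineering
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 virtual-template 1
 ! Double authentication: client certificate AND AAA credentials.
 authentication certificate aaa
 ca trustpoint CORP-CA
 aaa authentication list SSLVPN-AAA
 !
 ! Engineering gets split tunnelling to the two internal subnets.
 policy group ENG-POLICY
  functions svc-enabled
  svc address-pool "SSLVPN-POOL" netmask 255.255.255.0
  svc split include acl SPLIT-TUNNEL-ACL
  svc keep-client-installed
 !
 ! Everyone else is full-tunnel (no split include at all).
 policy group GENERAL-POLICY
  functions svc-enabled
  svc address-pool "SSLVPN-POOL" netmask 255.255.255.0
 !
 ! ASSUMED syntax: bind the certificate map to the policy group so a
 ! certificate with OU=Engineering selects ENG-POLICY before login.
 match-certificate ENG-CERT-MAP policy group ENG-POLICY
 default-group-policy GENERAL-POLICY
 inservice
```

Once a user connects, `show webvpn session context SSLVPN-CTX` shows which policy group the session was placed in and, with Phase-4, the per-user byte and packet counters; `show license` confirms that the SSL VPN license the login was validated against is actually installed. Note that the `class-default drop` in the inspect policy means anything not explicitly inspected from the SSLVPN zone is silently discarded, which is the least-privilege outcome you want from terminating on a DVTI rather than on the physical outside interface.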
Reference: SSL VPN – Cisco Configuration Guide – Secure Connectivity – Release 15.1