29-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Understanding Remote Access VPNs
Note: SSL VPN is supported on ASA 5500 devices running software version 8.0 and later in single-context,
routed mode (it is not available in multiple-context or transparent mode); on Cisco 870, 880, 890, 1800,
2800, 3700, 3800, 7200, and 7301 Series routers running software version 12.4(6)T and later; and on Cisco
1900, 2900, and 3900 Series routers running software version 15.0(1)M and later. For the 880 Series
routers, the minimum software version is 12.4(15)XZ, which Security Manager maps to 12.4(20)T.
On IOS devices, remote access is provided through an SSL-enabled VPN gateway (the IOS WebVPN
feature). Using an SSL-enabled Web browser, the remote user connects to the SSL VPN gateway. After the
gateway authenticates the user, an SSL VPN session is established and the user can reach the internal
corporate network. A portal page lists the resources the user is permitted to access through the SSL VPN.
On ASA devices, remote users establish a secure, remote access VPN tunnel to the security appliance
using the Web browser. The SSL protocol provides the secure connection between remote users and
specific, supported internal resources that you configure at a central site. The security appliance
recognizes connections that need to be proxied, and the HTTP server interacts with the authentication
subsystem to authenticate users.
User authentication can use usernames and passwords, certificates, or both (the client certificate is
validated first, then the user is prompted for credentials).
Note: Network administrators grant access to SSL VPN resources on a group basis, not per individual
user.
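The two gateway models and the authentication choices described above, shown as an added CLI example. This is not configuration from this guide (which manages these settings through the Security Manager GUI) and not Cisco's sample; every name, address, the CORP-TP trustpoint, the CORP-RADIUS server and the local user are placeholders assumed for illustration. The IOS half is a clientless WebVPN gateway with local username/password authentication; the ASA half requires a client certificate and AAA credentials ("both"), with access granted through a group policy rather than per user.

```cisco
! --- IOS router, 12.4(6)T or later: SSL VPN gateway plus a WebVPN context ---
! Constructed example. CORP-TP is an assumed existing trustpoint holding the
! gateway certificate; 203.0.113.1 is a documentation address.
aaa new-model
aaa authentication login SSLVPN-AUTH local
username alice secret ChangeMe-Placeholder
!
webvpn gateway CORP-GW
 ip address 203.0.113.1 port 443
 http-redirect port 80
 ssl trustpoint CORP-TP
 inservice
!
webvpn context CORP-CTX
 gateway CORP-GW
 aaa authentication list SSLVPN-AUTH
 ! Portal resources are attached to a policy group, not to a user
 url-list "INTRANET"
   heading "Corporate resources"
   url-text "Wiki" url-value "https://wiki.example.com"
 policy group CORP-USERS
   url-list "INTRANET"
 default-group-policy CORP-USERS
 inservice
!
! --- ASA 5500, 8.0 or later, single context, routed mode ---
! Constructed example. CORP-RADIUS and 192.0.2.10 are assumed placeholders.
aaa-server CORP-RADIUS protocol radius
aaa-server CORP-RADIUS (inside) host 192.0.2.10
 key RadiusKey-Placeholder
!
webvpn
 enable outside
 tunnel-group-list enable
!
group-policy CORP-USERS internal
group-policy CORP-USERS attributes
 vpn-tunnel-protocol webvpn
!
tunnel-group CORP-SSL type remote-access
tunnel-group CORP-SSL general-attributes
 authentication-server-group CORP-RADIUS
 default-group-policy CORP-USERS
tunnel-group CORP-SSL webvpn-attributes
 ! "aaa certificate": validate the client certificate, then prompt for AAA credentials
 authentication aaa certificate
 group-alias corp enable
```

On the ASA, replacing `authentication aaa certificate` with `authentication aaa` or `authentication certificate` selects the single-factor variants named in the text; whichever is chosen, users land in CORP-USERS and inherit its resource list, which is what the group-basis note above means in practice.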
This section contains the following topics:
Remote Access SSL VPN Example, page 29-3
SSL VPN Access Modes, page 29-4
Understanding and Managing SSL VPN Support Files, page 29-5
Prerequisites for Configuring SSL VPNs, page 29-7
SSL VPN Limitations, page 29-7
Remote Access SSL VPN Example
The following illustration shows how a mobile worker can access protected resources from the main
office and branch offices. Site-to-site IPsec connectivity between the main and remote sites is unaltered.
The mobile worker needs only Internet access and supported software (Web browser and operating
system) to securely access the corporate network.