Cisco 3000 Concentrator and VPN client question

We are planning on deploying a Cisco 3005 VPN concentrator on our network for remote access VPN.

a. I was planning on using the Cisco VPN client but have been asked why we shouldn't use the built-in Windows client. Should we use the built-in VPN clients on XP/2000 workstations (PPTP/L2TP) or the Cisco VPN client? What would be the advantages (if any) to using either (MS or Cisco) client?

b. Should the concentrator be deployed behind the (NATed) router or in parallel?


a. There are many, many advantages of the Cisco client over the Microsoft client. YOU control the client 100% from the concentrator, your users control their Microsoft client.
You decide if you want to allow split tunneling
You decide if you want to enforce client firewall rules (Cisco client has built in firewall)
You decide if your client can access their local lan while connected to the VPN tunnel
You decide what level encryption to use - DES, 3DES, AES, all of which are much more secure than PPTP
You have the option to use SSL clientless VPN - for those cases where a user only has access to a hotel lobby kiosk, or maybe an internet cafe, but needs access to data on the corp network.

b. My personal preference is behind a NAT firewall, but in a DMZ with a 1-to-1 public IP address. This protects the public IP of the 3005, taking advantage of any IDS capabilities of the firewall.

   Internet ---> router---->Firewall---->Inside LAN
                                        3005 ----->Inside LAN

That only works if there is another router inside the LAN. If there is no router inside the LAN, then because of potential routing issues using a different IP subnet for VPN clients, this is preferred:
      Internet ---> router-switch-->Firewall---->Inside LAN
                                          |            |
                                          |            |DMZ
                                        3005 ----->

If you use a true parallel placement, you may have routing issues from inside LAN to VPN client IP subnet, same as in my first example.

     Internet ---> router-switch-->Firewall---->Inside LAN
                                        3005 -------------->Inside LAN
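The routing issue described in the answer above (inside hosts default to the firewall, so replies to a VPN client pool on a different subnet follow the default route unless something on the inside knows where that pool lives) can be shown with a small longest-prefix-match simulation. This is an added illustration, not code from the original thread or from Cisco; the device names, the 192.168.1.0/24 inside LAN, the 192.168.50.0/24 client pool and the 192.168.50.10 client address are all constructed for the example.

```python
import ipaddress

# Constructed example addressing (hypothetical; not from the original thread).
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")   # hosts behind the firewall
VPN_POOL = ipaddress.ip_network("192.168.50.0/24")    # pool handed to VPN clients
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
VPN_CLIENT = "192.168.50.10"                          # one connected remote user


def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop) entries.
    next_hop is the name of the next device, 'direct' for an attached subnet,
    or 'internet' for the firewall's outside default route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(start, dst, tables, max_hops=6):
    """Follow next hops from device `start` until the packet is delivered,
    dropped, or pushed out the default route towards the Internet."""
    path = [start]
    device = start
    for _ in range(max_hops):
        nh = lookup(tables[device], dst)
        if nh is None:
            path.append("dropped")
            return path
        if nh == "direct":
            path.append("delivered")
            return path
        if nh == "internet":
            path.append("internet")
            return path
        path.append(nh)
        device = nh
    path.append("loop")
    return path


def build_tables(firewall_knows_pool, hosts_know_pool=False):
    """Inside hosts always default to the firewall. The concentrator (vpn3005)
    owns the VPN pool on its private side. Whether the firewall (or an inside
    router standing in for it) or the hosts carry a route for that pool is the
    design decision the thread is discussing."""
    host = [(INSIDE_LAN, "direct"), (DEFAULT, "firewall")]
    firewall = [(INSIDE_LAN, "direct"), (DEFAULT, "internet")]
    vpn3005 = [(INSIDE_LAN, "direct"), (VPN_POOL, "direct")]
    if firewall_knows_pool:
        firewall.append((VPN_POOL, "vpn3005"))   # static route towards the 3005's private interface
    if hosts_know_pool:
        host.append((VPN_POOL, "vpn3005"))       # per-host static route (rarely practical)
    return {"host": host, "firewall": firewall, "vpn3005": vpn3005}


def reply_path(firewall_knows_pool, hosts_know_pool=False):
    """Path taken by an inside host's reply to the VPN client."""
    return trace("host", VPN_CLIENT, build_tables(firewall_knows_pool, hosts_know_pool))


if __name__ == "__main__":
    print("no inside route for pool:", reply_path(False))
    print("firewall routes pool:    ", reply_path(True))
    print("hosts route pool:        ", reply_path(False, True))
```

With no inside route the reply leaves by the firewall's default route and never reaches the concentrator, which is the asymmetric-routing failure the answer warns about; adding the pool route on the firewall or inside router (or, less practically, on every host) sends it back through the 3005. The simulation only models forwarding decisions; a real firewall may additionally drop the packet as unexpected or send an ICMP redirect, which only makes the symptom harder to diagnose.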

netman70Author Commented:
"You decide what level encryption to use - DES, 3DES, AES, all of which are much more secure than PPTP"

What encryption does L2TP over IPSEC provide? Does it provide for DES or 3DES?

Microsoft PPTP does not use DES at all; it uses RC4 (MPPE).
Here's a definitive study that shows the inherent weaknesses of PPTP.


netman70Author Commented:
I was talking about the built-in L2TP/IPSec VPN client in Windows XP.
In that case, then yes, it can use either DES or 3DES, both of which have been replaced by AES, but Microsoft is way behind the power curve on supporting the latest standards, even after a couple of years.
All other comments are still valid regarding the Cisco VPN client vs Microsoft IPSEC policies (they have their place, but not as a VPN client). Here's a link that shows how to setup IPSEC between a Microsoft client and a Cisco device (Server is used in the example, but it can be an XP client as well).

The VPN client was designed ground up to be the ultimate client connecting to the VPN3000 series VPN end points. The two products, designed to work together, can produce a much more secure client/server combo than anything Microsoft can do alone. Yes, the concentrator is versatile enough to support most any standards based client, but when you have such a powerful duo, why not take full advantage of it?
netman70Author Commented:

Do I then take it that the L2TP/IPSec client in XP will support DES or 3DES but WILL NOT support AES? Also, with a Cisco VPN client and a 3000 concentrator I can enable AES? (more secure?)
Yes to both questions.
Correct - Microsoft client WILL NOT support AES
Yes - Cisco VPN client with the Cisco VPN concentrator both can take advantage of AES. AES is both much more secure and less processor intensive making it more efficient than 3DES.
netman70Author Commented:
Thanks a bunch...