thetraveler359
asked on
Cisco VPN alternatives
Hi experts,
I found some previous questions that are informative, but want to ask mine individually. I have a small company of about 50 folks, about half of which either work from home or travel a lot. For the home users, I have Cisco boxes setup with always on VPN connections terminating to my ASA5510. For everyone else, they use the Cisco client, or sometimes Anyconnect when Cisco has issues. The bossman has asked that I look into alternatives because he tends to have connectivity issues with his VPN when he travels/works remotely. The only thing that might make sense to me is to go to SSL VPN, but I don't know how to set that up. I have been working on setting up DirectAccess as he was ok with as an option, but I'm having a LOT of difficulty getting that job done. I'm ready to give up on trying to setup DirectAccess and look at other options (NOBODY out there seems to know anything about setting up DirectAccess, so finding assistance there is impossible). So a few questions....
Beyond SSL VPN, what other reasonable easy to setup options are there for VPN connections (I could use my DirectAccess server for other uses if needed) that might be more stable?
And secondly, if it's SSL VPN, anyone know of a good guide for setup?
Would SSL VPN be any more stable? It seems to me that connectivity issues are predominately based on bandwidth and other factors out of my control, but though he understands that, he still wants to see if we can improve it any.
What do big companies use? I've always worked for small shops, so I don't know what the big boys use to securely connect remote employees. Probably something not feasible for me, but curious nonetheless.
THANK YOU!
SOLUTION
Usually the issue is that the local IP and the office LAN IPs are overlapping.
i.e. the person at a conference with Wifi and their IPs are 172.16.16.0/23
while your office LAN is 172.16.17.0/24 or vice versa.
The 172.16.17.0/24 segment will not see traffic going to the remote side since it is seen as local on the local system.
Not sure whether using any VPN will resolve the IP overlap.
I'd start by enabling logging on the individual's system to collect information on their connection when they are having issues.
IP/netmask, etc.
Agreed, if there are IP overlap issues, changing to a different VPN mechanism isn't going to solve that problem.
ASKER
Thanks for the comments all!
jmeggers - I will look into AnyConnect Essentials, thank you. That should work fine as all I need is file/intranet app/email access and we are fine using a client.
InteraX - Agreed, I figure this is mostly on their end, but the main "complainer" is two of the owners, thus time to act! :) Though if IPSec gets throttled in cases, then a move to SSL could help.
arnold - pretty sure we're fine there. VPN is getting 10.0.3.0 and internal is 10.0.1.0 and I think most times, you don't see 10.0. addresses in public locations, or am I thinking about this wrong?
Thanks all!
I'm not sure a move to SSL will help a great deal. I think it's mostly due to certain authorities not liking encrypted traffic that they can't read. Any SSL session that lasts for more than 30 seconds would not be normal for standard web browsing and could be throttled. Basically, it's the encryption they don't like.
I have seen plenty of places where 10.0.x.y are used locally, but this shouldn't affect the VPN client. I have this type of setup in use without a problem. The only issue you may find is that any local IP ranges used on the VPN may not be accessible by host applications whilst the VPN is up.
I am assuming you have split tunnelling setup.
ASKER
Yes, I have split tunneling setup.
Should I be able to run both my current VPN and AnyConnect Essentials at the same time to my ASA5510?
what is the netmask of the VPN IP you are assigning 10.0.3.0 versus the LAN IP range 10.0.1.0?
Some locations use 10. It all depends on the scope of the enterprise.
I.e. many would often mean they use a 10.x.x.x large scope network.
Often the VPN IP should use a segment different from the one used on the LAN.
i.e. if you have 10.0.0.0 one would use an uncommon 192.168. network (not 0,1,2 as those are common in the retail routers)
At this point we are guessing at the cause. Identifying the issue/cause would clear things up and possibly provide a solution.
i.e. using 192.168.151.x for the VPN connection pool might be what could solve this issue. etc.
ASKER
I'm somewhat avoiding the notion that it's an issue with the VPN pool or anything else because most users see very little or no issues with connectivity. Or could the issue still only manifest with the one user (who as mentioned is the CEO, so thus why I'm trying to appease with a new VPN type)?
Netmask is 255.255.255.0
The other users may only use remote access from their residences, where the local LAN IP is in the 192.168.x.0/24 range, while the CEO that travels uses the system where the local LAN IPs overlap with the office IPs.
If enabling logging on the VPN client is not an option, create a batch file that the person can run when they have an issue.
@echo off
rem Append a timestamp so each capture in the log can be matched to a reported issue
echo %date% %time% >> c:\somedirectory\datacollectionfile.txt
rem Record every adapter's IP, subnet mask, gateway and DNS at the time of the problem
ipconfig /all >> c:\somedirectory\datacollectionfile.txt
This may help you narrow down the issue.
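To act on the captures that batch file collects, here is an added example (not from any poster in this thread) that parses ipconfig /all output and flags any local adapter whose subnet overlaps the office LAN or the VPN pool, the overlap condition arnold describes above. It assumes the thread's 10.0.1.0/24 office LAN and 10.0.3.0/24 VPN pool, a constructed sample capture, and that the VPN adapter's name contains "AnyConnect".

```python
import ipaddress
import re

# Constructed sample of one "ipconfig /all" capture from a conference Wi-Fi;
# the Wi-Fi subnet deliberately collides with the office LAN (not real data).
SAMPLE_IPCONFIG = """
Windows IP Configuration

Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 10.0.1.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1

Ethernet adapter Cisco AnyConnect:
   IPv4 Address. . . . . . . . . . . : 10.0.3.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Office LAN and VPN pool as given in the thread (both /24 per the asker).
OFFICE_LAN = ipaddress.ip_network("10.0.1.0/24")
VPN_POOL = ipaddress.ip_network("10.0.3.0/24")


def local_subnets(ipconfig_text):
    """Return {adapter_name: IPv4Network} parsed from ipconfig /all text."""
    subnets, adapter, addr = {}, None, None
    for line in ipconfig_text.splitlines():
        m = re.match(r"^\S.*adapter (.+):\s*$", line)
        if m:                       # new adapter section starts
            adapter, addr = m.group(1), None
            continue
        m = re.search(r"IPv4 Address[ .]*:\s*([\d.]+)", line)
        if m:
            addr = m.group(1)
            continue
        m = re.search(r"Subnet Mask[ .]*:\s*([\d.]+)", line)
        if m and adapter and addr:  # address + mask -> the adapter's subnet
            subnets[adapter] = ipaddress.ip_network(f"{addr}/{m.group(1)}", strict=False)
    return subnets


def overlap_report(ipconfig_text, office=OFFICE_LAN, pool=VPN_POOL):
    """Return [(adapter, subnet, clashes_with)] for non-VPN adapters that overlap."""
    findings = []
    for name, net in local_subnets(ipconfig_text).items():
        if "AnyConnect" in name:    # assumed name of the VPN adapter; skip it
            continue
        for label, target in (("office LAN", office), ("VPN pool", pool)):
            if net.overlaps(target):
                findings.append((name, str(net), label))
    return findings
```

Any finding means traffic for that range stays on the local segment instead of entering the tunnel, which matches the symptom of a single travelling user while home users on 192.168.x.0/24 are unaffected.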
I am sure someone has already said this but I strongly strongly suggest pfsense.
IPSec and SSL VPNs (clientless and AnyConnect client based) can all be set up and used concurrently on the ASA. If you are only looking to use this for a couple of users, the ASA comes with 2 concurrent SSL licenses. If you are running 8.3 in a failover pair, you will get 4 concurrent users as they are cumulative across the failover pair.
ASKER
rbgCODE, I've never heard of it, looks like it's a software based open source firewall you suggest putting on client machines, right? Thanks for the info.
no it is a firewall that you would run on a server that supports vpn but you can use windows built in software for the vpn connections.
ASKER CERTIFIED SOLUTION
ASKER
Interesting. To the main point of why I'm researching, would either of those solutions tend to be more stable?
If the issue is IP overlap or the location where the person is denies/blocks VPN traffic, SSL VPN would often be the only choice since access to the secure web 443 is rarely blocked.
But it would not deal with the IP overlap.
Currently we are using the Cisco VPN Client. The only time we have had problems is due to issues with the local connection or issues on the internet. We have seen some hardware issues cause problems, but usually it is to do with the users connection and available bandwidth. I have seen it where some local connections have IPSec traffic throttled.