Chapter 5. SSL VPNs on Cisco ASA

SSL VPN Design Considerations

Before you implement SSL VPN services on a Cisco ASA, analyze your current environment and determine which features and modes are useful for your deployment. Some of the SSL VPN design considerations are as follows:

  • User connectivity: Before designing and implementing the SSL VPN solution for your corporate network, you need to determine whether your users connect to your corporate network from public shared computers, such as workstations made available to guests in a hotel or computers in an Internet kiosk. In this case, using an SSL VPN is the preferred solution to access the protected resources.

  • ASA feature set: A Cisco security appliance can run various features such as IPsec VPN tunnels, routing engines, firewalls, and data inspection engines. Enabling the SSL VPN feature adds further load if the appliance is already running a number of these features, so check CPU, memory, and buffer utilization before enabling an SSL VPN.

  • Infrastructure planning: Because SSL VPN provides network access to remote users, you have to consider the placement of the VPN termination devices. Before implementing the SSL VPN feature, ask the following questions:

    - Should it be placed behind a firewall? If so, what ports should be opened?

    - Should the decrypted traffic be passed through another set of firewalls? If so, what ports should be allowed?

    - Do the inside routers redistribute the pool of IP addresses for SSL VPN clients in a routing protocol so that other routers recognize the subnet?

  • Implementation scope: Network security administrators need to determine the size of the SSL VPN deployment, especially the number of concurrent users that will connect to gain network access. If one Cisco ASA is not enough to support the required number of users, the use of ASA clustering or load balancing must be considered to accommodate all the potential remote users.
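Two of the infrastructure-planning questions above (which ports the outside firewall must open, and whether the SSL VPN client pool is actually reachable from the inside routing domain) can be checked against planning data before anything is configured. The following script is an added example and is not code from the book or from Cisco; the address pool, the advertised prefixes, and the firewall rule list are constructed, and it assumes the SSL VPN listens on TCP 443 (the HTTPS default) with UDP 443 needed in addition when the client uses DTLS.

```python
"""Planning checks for an SSL VPN pool and the firewall in front of the ASA.

Added example, not from the book. All inputs below are constructed.
"""
import ipaddress

# Constructed planning inputs: the address pool the ASA hands to SSL VPN
# clients, the prefixes the inside routers currently advertise, and a
# simplified model of the outside firewall's rules toward the ASA.
VPN_POOL = "10.200.0.0/22"
ADVERTISED_ROUTES = ["10.0.0.0/16", "10.200.0.0/24"]  # only part of the pool is announced
FIREWALL_RULES = [
    ("tcp", 443, "permit"),   # (protocol, destination port, action)
    ("udp", 443, "deny"),
]
# Assumption: the SSL VPN listens on TCP 443 (the HTTPS default); if the client
# also negotiates DTLS, UDP 443 must be open as well.
REQUIRED_PORTS = [("tcp", 443), ("udp", 443)]


def unrouted_pool_space(pool, routes):
    """Return the parts of the VPN pool that no advertised route covers.

    Two CIDR blocks either nest or do not overlap, so each advertised route
    either swallows a piece of the pool, punches a hole in it, or is ignored.
    Any prefix returned here is one the inside routers will not know how to
    reach, which is the symptom the "redistribute the pool" question is about.
    """
    uncovered = [ipaddress.ip_network(pool)]
    for route in map(ipaddress.ip_network, routes):
        remaining = []
        for piece in uncovered:
            if route.supernet_of(piece):        # route covers this piece entirely
                continue
            if piece.supernet_of(route):        # route lies inside the piece: cut it out
                remaining.extend(piece.address_exclude(route))
            else:                                # disjoint: piece stays uncovered
                remaining.append(piece)
        uncovered = remaining
    return [str(n) for n in sorted(uncovered)]


def missing_firewall_openings(rules, required):
    """Return the (protocol, port) pairs that no permit rule allows."""
    permitted = {(proto, port) for proto, port, action in rules if action == "permit"}
    return [need for need in required if need not in permitted]


def design_report(pool=VPN_POOL, routes=ADVERTISED_ROUTES,
                  rules=FIREWALL_RULES, required=REQUIRED_PORTS):
    """Combine both checks into the answers a designer wants before deployment."""
    return {
        "unrouted_pool_space": unrouted_pool_space(pool, routes),
        "missing_firewall_openings": missing_firewall_openings(rules, required),
    }


if __name__ == "__main__":
    for key, value in design_report().items():
        print(f"{key}: {value or 'none'}")
```

With the constructed inputs the report shows that 10.200.1.0/24 and 10.200.2.0/23 are handed to clients but never advertised inside, and that UDP 443 is blocked, so a DTLS-capable client would fall back to TLS over TCP. Replace the constants with your own pool, route table export, and firewall policy to run the same checks for a real design.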
