An SSL VPN provides three modes of remote access on Cisco IOS routers: clientless, thin client, and full client. ASA devices have two modes: clientless (which covers both clientless access and thin-client port forwarding) and the AnyConnect client (which replaces full tunnel mode).
Clientless access requires no specialized VPN software or applet on the user desktop. All VPN traffic is transmitted and delivered through a standard web browser.
Thin client mode, sometimes called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In this mode, the remote user downloads a Java applet by clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the client machine for the services configured on the SSL VPN gateway.
Full client mode enables complete access to the corporate network over an SSL VPN tunnel, which is used to move data at the Network (IP) Layer.
Establishing an SSL session involves five steps:
Step 1. The user makes an outbound connection to TCP port 443.
Step 2. The router responds with a digital certificate, which contains a public key that is digitally signed by a trusted certificate authority (CA).
Step 3. The user’s computer generates a shared secret key that both parties use.
Step 4. The shared secret is encrypted with the public key of the router and transmitted to the router. The router decrypts it easily using its private key. Now both participants in the session know the shared secret key.
Step 5. The key is used to encrypt the SSL session.
SSL utilizes encryption algorithms with key lengths from 40 to 256 bits.
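The five steps above, modelled as an added Python example (not Cisco code and not a real TLS implementation): textbook RSA key transport with a constructed toy key pair standing in for the router's certificate key, and a SHA-256 keystream standing in for the session cipher. Current TLS (1.3) no longer transports the secret this way; it agrees the key with ephemeral Diffie-Hellman, so this mirrors the description on the page rather than a modern cipher suite.

```python
import hashlib
import secrets

# Step 2: the router's certificate carries an RSA public key (N, E); the matching
# private exponent D never leaves the router. Constructed toy key: P and Q are the
# Mersenne primes 2^31-1 and 2^61-1, far too small for real use (real keys are
# 2048 bits or more), chosen only so the arithmetic stays visible.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ROUTER_PUBLIC_KEY = (N, E)
ROUTER_PRIVATE_KEY = (N, D)


def rsa_encrypt(m, pub):
    """Textbook RSA: anyone holding the certificate's public key can encrypt."""
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    """Only the holder of the private key can recover the wrapped secret."""
    n, d = priv
    return pow(c, d, n)


def stream_crypt(key, data):
    """Step 5 stand-in: XOR with a SHA-256 counter keystream. Symmetric, so the
    same call encrypts and decrypts. Illustrative only, not a real cipher suite."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def ssl_session(client_message):
    """Walk steps 3 to 5 for one client message and report what each side holds.
    Step 1 (TCP/443 connect) and the certificate transfer of step 2 are not modelled."""
    # Step 3: the client generates the shared secret (63 random bits, non-zero, < N).
    shared_secret = secrets.randbits(63) + 1
    # Step 4: wrap it with the router's public key; the router unwraps it with D.
    wrapped = rsa_encrypt(shared_secret, ROUTER_PUBLIC_KEY)
    router_secret = rsa_decrypt(wrapped, ROUTER_PRIVATE_KEY)
    # Step 5: both sides derive the same symmetric session key from the secret.
    client_key = hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()
    router_key = hashlib.sha256(router_secret.to_bytes(8, "big")).digest()
    ciphertext = stream_crypt(client_key, client_message)
    return {
        "client_secret": shared_secret,
        "router_secret": router_secret,
        "ciphertext": ciphertext,
        "decrypted_at_router": stream_crypt(router_key, ciphertext),
    }
```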
The Cisco Easy VPN solution offers flexibility, scalability, and ease of use for site-to-site and remote-access VPNs. It consists of three components:
Cisco Easy VPN Server – A Cisco IOS router or Cisco ASA Firewall acting as the VPN head-end device in site-to-site or remote-access VPNs.
Cisco Easy VPN Remote – A Cisco IOS router or Cisco ASA Firewall acting as a remote VPN client.
Cisco VPN Client – An application supported on a PC used to access a Cisco VPN server.
The reverse route injection (RRI) process is initiated. RRI ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client.