Which four types of VPN are supported using Cisco ISRs and Cisco ASA appliances? (Choose four.)
A. SSL clientless remote-access VPNs
B. SSL full-tunnel client remote-access VPNs
C. SSL site-to-site VPNs
D. IPsec site-to-site VPNs
E. IPsec client remote-access VPNs
F. IPsec clientless remote-access VPNs
Explanation:
https://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ravpnbas.pdf
SSL VPN Access Modes
SSL VPN provides three modes of remote access on IOS routers: Clientless, Thin Client and Full
Client. On ASA devices, there are two modes: Clientless (which includes Clientless and Thin
Client port forwarding) and AnyConnect Client (a full client).
Clientless Access Mode
In Clientless mode, the remote user accesses the internal or corporate network using a Web
browser on the client machine. No applet downloading is required. Clientless mode is useful for
accessing most content that you would expect in a Web browser, such as Internet access,
databases, and online tools that employ a Web interface. It supports Web browsing (using HTTP
and HTTPS), file sharing using Common Internet File System (CIFS), and Outlook Web Access
(OWA) email. For Clientless mode to work successfully, the remote user’s PC must be running
Windows 2000, Windows XP, or Linux operating systems. Browser-based SSL VPN users
connecting from Windows operating systems can browse shared file systems and perform the
following operations: view folders, view folder and file properties, create, move, copy, copy from
the local host to the remote host, copy from the remote host to the local host, and delete. Internet
Explorer indicates when a Web folder is accessible. Accessing this folder launches another
window, providing a view of the shared folder, on which users can perform web folder functions,
assuming the properties of the folders and documents permit them.
Thin Client Access Mode
Thin Client mode, also called TCP port forwarding, assumes that the client application uses TCP
to connect to a well-known server and port. In this mode, the remote user downloads a Java
applet by clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the
client machine for the services configured on the SSL VPN gateway. The Java applet starts a new
SSL connection for every client connection. The Java applet initiates an HTTP request from the
remote user client to the SSL VPN gateway. The name and port number of the internal email
server are included in the HTTP request. The SSL VPN gateway creates a TCP connection to that
internal email server and port. Thin Client mode extends the capability of the cryptographic
functions of the Web browser to enable remote access to TCP-based applications such as Post
Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message
Access protocol (IMAP), Telnet, and Secure Shell (SSH).
Note
The TCP port-forwarding proxy works only with Sun’s Java Runtime Environment (JRE) version
1.4 or later. A Java applet is loaded through the browser that verifies the JRE version. The Java
applet refuses to run if a compatible JRE version is not detected. When using Thin Client mode,
you should be aware of the following:
• The remote user must allow the Java applet to download and install.
• For TCP port-forwarding applications to work seamlessly, administrative privileges must be
enabled for remote users.
• You cannot use Thin Client mode for applications such as FTP, where the ports are negotiated
dynamically. That is, you can use TCP port forwarding only with static ports.
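The static-port restriction in the last bullet, shown as an added example (not taken from the Cisco documentation): an FTP server announces its data port inside the control channel, so a fixed forwarding table cannot contain it in advance. The forwarding table, host names and FTP replies below are constructed for illustration.

```python
import re

# Hypothetical static forwarding table of the kind Thin Client mode relies on:
# local listener port -> (internal host, fixed remote port). Constructed values.
PORT_FORWARDS = {
    3021: ("ftp.corp.example", 21),
    3110: ("mail.corp.example", 110),
}

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def negotiated_data_endpoint(reply, control_host):
    """Return (host, port) announced in an FTP 227/229 reply, else None."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)  # RFC 959 port encoding
    m = EPSV_RE.match(reply)
    if m:
        return (control_host, int(m.group(1)))  # RFC 2428: same host, new port
    return None


def is_forwarded(host, port, forwards=PORT_FORWARDS):
    """True only if a static entry maps to exactly this host and port."""
    return (host, port) in forwards.values()


def unreachable_data_channels(control_replies, control_host):
    """List negotiated data endpoints that no static forward covers."""
    missing = []
    for line in control_replies:
        endpoint = negotiated_data_endpoint(line, control_host)
        if endpoint and not is_forwarded(*endpoint):
            missing.append(endpoint)
    return missing


# Constructed FTP control-channel replies, as seen through the forwarded port 21.
SAMPLE_REPLIES = [
    "220 FTP server ready",
    "230 Login successful",
    "227 Entering Passive Mode (10,1,20,5,195,149)",
    "229 Entering Extended Passive Mode (|||50211|)",
]

if __name__ == "__main__":
    for host, port in unreachable_data_channels(SAMPLE_REPLIES, "ftp.corp.example"):
        print(f"data channel {host}:{port} has no static forward")
```

The control connection on port 21 is covered by the table, but both data endpoints are chosen per session by the server, which is why the transfer fails in this mode.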
Full Tunnel Client Access Mode
Full Tunnel Client mode enables access to the corporate network completely over an SSL VPN
tunnel, which is used to move data at the network (IP) layer. This mode supports most IP-based
applications, such as Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet.
Being part of the SSL VPN is completely transparent to the applications run on the client. A Java
applet is downloaded to handle the tunneling between the client host and the SSL VPN gateway.
The user can use any application as if the client host was in the internal network.
The tunnel connection is determined by the group policy configuration. The SSL VPN client (SVC)
or AnyConnect client is downloaded and installed to the remote client, and the tunnel connection is
established when the remote user logs in to the SSL VPN gateway. By default, the client software
is removed from the remote client after the connection is closed, but you can keep it installed, if
required.
https://learningnetwork.cisco.com/servlet/JiveServlet/downloadBody/12870-102-1-48375/Cisco%20VPN%20(5).pdf
LAN-to-LAN IPsec Implementations
LAN-to-LAN IPsec is a term often used to describe an IPsec tunnel created between two LANs.
These are also called site-to-site IPsec VPNs. LAN-to-LAN VPNs are created when two private
networks are merged across a public network such that the users on either of these networks can
access resources on the other network as if they were on their own private network.
Remote-Access Client IPsec Implementations
Remote-access client IPsec VPNs are created when a remote user connects to an IPsec router or
access server using an IPsec client installed on the remote user’s machine. Generally, these
remote-access machines connect to the public network or the Internet using dialup or some other
similar means of connectivity. As soon as basic connectivity to the Internet is established, the
IPsec client can set up an encrypted tunnel across the public network or the Internet to an IPsec
termination device located at the edge of the private network to which the client wants to connect
and be a part of. These IPsec termination devices are also known as IPsec remote-access
concentrators.