PrepAway - Latest Free Exam Questions & Answers

Which four types of VPN are supported using Cisco ISRs and Cisco ASA appliances?

Which four types of VPN are supported using Cisco ISRs and Cisco ASA appliances? (Choose four.)


A. SSL clientless remote-access VPNs
B. SSL full-tunnel client remote-access VPNs
C. SSL site-to-site VPNs
D. IPsec site-to-site VPNs
E. IPsec client remote-access VPNs
F. IPsec clientless remote-access VPNs

Explanation:
https://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ravpnbas.pdf
SSL VPN Access Modes
SSL VPN provides three modes of remote access on IOS routers: Clientless, Thin Client and Full
Client. On ASA devices, there are two modes: Clientless (which includes Clientless and Thin Client
port forwarding) and AnyConnect Client (a full client).
Clientless Access Mode
In Clientless mode, the remote user accesses the internal or corporate network using a Web browser
on the client machine. No applet downloading is required. Clientless mode is useful for accessing
most content that you would expect in a Web browser, such as Internet access, databases, and
online tools that employ a Web interface. It supports Web browsing (using HTTP and HTTPS), file
sharing using Common Internet File System (CIFS), and Outlook Web Access (OWA) email. For
Clientless mode to work successfully, the remote user’s PC must be running Windows 2000,
Windows XP, or Linux operating systems. Browser-based SSL VPN users
connecting from Windows operating systems can browse shared file systems and perform the
following operations: view folders, view folder and file properties, create, move, copy, copy from the
local host to the remote host, copy from the remote host to the local host, and delete. Internet
Explorer indicates when a Web folder is accessible. Accessing this folder launches another window,
providing a view of the shared folder, on which users can perform web folder functions, assuming
the properties of the folders and documents permit them.
Thin Client Access Mode
Thin Client mode, also called TCP port forwarding, assumes that the client application uses TCP to
connect to a well-known server and port. In this mode, the remote user downloads a Java applet by
clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the client
machine for the services configured on the SSL VPN gateway. The Java applet starts a new SSL
connection for every client connection. The Java applet initiates an HTTP request from the remote
user client to the SSL VPN gateway. The name and port number of the internal email server are
included in the HTTP request. The SSL VPN gateway creates a TCP connection to that internal email
server and port. Thin Client mode extends the capability of the cryptographic
functions of the Web browser to enable remote access to TCP-based applications such as Post Office
Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol
(IMAP), Telnet, and Secure Shell (SSH).
Note
The TCP port-forwarding proxy works only with Sun’s Java Runtime Environment (JRE) version 1.4 or
later. A Java applet is loaded through the browser that verifies the JRE version. The Java applet
refuses to run if a compatible JRE version is not detected. When using Thin Client mode, you should
be aware of the following:
• The remote user must allow the Java applet to download and install.
• For TCP port-forwarding applications to work seamlessly, administrative privileges must be enabled
for remote users.
• You cannot use Thin Client mode for applications such as FTP, where the ports are negotiated
dynamically. That is, you can use TCP port forwarding only with static ports.
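The static-port restriction in the note above, shown as an added example that is not part of the Cisco guide or of this page: a forwarding list can publish the FTP control port, but the data port the server announces in its PASV or EPSV reply is chosen per session and is never in that list. The addresses, ports, sample replies and function names are constructed for illustration.

```python
import re

# Constructed static port-forward list (hypothetical addresses):
# local loopback port -> (internal server IP, fixed TCP port).
FORWARDS = {
    10110: ("10.1.1.20", 110),  # POP3
    10025: ("10.1.1.20", 25),   # SMTP
    10022: ("10.1.1.30", 22),   # SSH
    10021: ("10.1.1.40", 21),   # FTP control channel only
}

PASV = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV = re.compile(r"^229 [^(]*\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, control_host):
    """Return the (host, port) an FTP server asks the client to open, or None."""
    m = PASV.match(reply)
    if m:
        n = [int(g) for g in m.groups()]
        if max(n) > 255:
            return None  # malformed 227 reply
        # Port is sent as two bytes: high * 256 + low.
        return ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    m = EPSV.match(reply)
    if m and 0 < int(m.group(1)) < 65536:
        return control_host, int(m.group(1))  # EPSV reuses the control host
    return None


def unreachable_data_channels(local_port, replies, forwards=FORWARDS):
    """List data endpoints negotiated on a forwarded control channel
    that no static forward entry covers."""
    control_host, _ = forwards[local_port]
    published = set(forwards.values())
    missing = []
    for reply in replies:
        ep = data_endpoint(reply, control_host)
        if ep and ep not in published:
            missing.append(ep)
    return missing


# Constructed server replies seen on the forwarded FTP control connection.
SAMPLE_REPLIES = [
    "220 FTP server ready",
    "230 Login successful",
    "227 Entering Passive Mode (10,1,1,40,195,80)",
    "229 Entering Extended Passive Mode (|||50211|)",
]
```

Protocols such as POP3, SMTP and SSH never produce such replies, so every connection they make stays on the single port the forwarding list already names.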
Full Tunnel Client Access Mode
Full Tunnel Client mode enables access to the corporate network completely over an SSL VPN tunnel,
which is used to move data at the network (IP) layer. This mode supports most IP-based applications,
such as Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet. Being part of the SSL
VPN is completely transparent to the applications run on the client. A Java applet is downloaded to
handle the tunneling between the client host and the SSL VPN gateway. The user can use any
application as if the client host was in the internal network.
The tunnel connection is determined by the group policy configuration. The SSL VPN client (SVC) or
AnyConnect client is downloaded and installed to the remote client, and the tunnel connection is
established when the remote user logs in to the SSL VPN gateway. By default, the client software is
removed from the remote client after the connection is closed, but you can keep it installed, if
required.
https://learningnetwork.cisco.com/servlet/JiveServlet/downloadBody/12870-102-1-48375/Cisco%20VPN%20(5).pdf
LAN-to-LAN IPsec Implementations
LAN-to-LAN IPsec is a term often used to describe an IPsec tunnel created between two LANs. These
are also called site-to-site IPsec VPNs. LAN-to-LAN VPNs are created when two private networks are
merged across a public network such that the users on either of these networks can access
resources on the other network as if they were on their own private network.
Remote-Access Client IPsec Implementations
Remote-access client IPsec VPNs are created when a remote user connects to an IPsec router or
access server using an IPsec client installed on the remote user’s machine. Generally, these
remote-access machines connect to the public network or the Internet using dialup or some other similar
means of connectivity. As soon as basic connectivity to the Internet is established, the IPsec client
can set up an encrypted tunnel across the public network or the Internet to an IPsec termination
device located at the edge of the private network to which the client wants to connect and be a part
of. These IPsec termination devices are also known as IPsec remote-access concentrators.

