Dedicated remote access VPN concentrator recommendations?

I have been looking for a concentrator for remote access (not site-to-site) for our users. We currently are using a 5508 that is getting long in the tooth and expensive to purchase support on. We want something simple that will allow users to remote into the network when they are off campus. Ease of use for our users is the priority, and the ability for them to access the network via iPhone/iPad is essential. Does anyone have any recommendations for what they are using? I would reach out to a vendor, but I want to be vendor-agnostic and just get the best solution available.

Any help is greatly appreciated.

Do you mean an ASA 5508? If so, I guess you do not need a huge number of concurrent remote VPNs, right? Do you need IPsec or SSL remote VPN?

The major firewall vendors all provide decent VPN features; some ask for an extra license, but some just give it to you for free…

Plus, if remote VPN from iOS devices is a requirement, I guess you would be stuck with the IPsec remote VPN… So it really depends on your preference… PAN, Fortinet, Juniper, Cisco, SonicWALL, pfSense and others.

Well, I work for an MSSP/reseller. Of all our products I like the Pulse Secure Access from Pulse Secure the most. Rock-solid product.

Honestly, Cisco AnyConnect is a very good remote access product. Support on a 5508 isn’t going to be any more expensive than any other remote access solution.

Other options are Palo Alto GlobalProtect and Pulse (formerly Juniper).

Frankly, none of the three is head and shoulders above the other two. If you already have one, there is little reason to switch.

Hi,

You could have a look at https://pritunl.com/
It's a nice out-of-the-box OpenVPN-based solution.
They have a client for iOS and Android, although I think the config sync feature is currently only available in the Windows/Linux/OS X version.

We use a Linux VM on our corporate ESX cluster to run OpenVPN that integrates with AD, and a YubiKey token for 2FA.

Viscosity on the Windows laptops works pretty well. No problems as of yet, 3 years in.

We are replacing our old Cisco ASAs with … new Cisco ASAs. There just wasn’t a product out there that covered as many platforms & devices and met our needs as well as they did.

Apple iOS devices include a built-in IPSec client that’s compatible with the old Cisco IPSec client feature in the ASA and it works very well. Also, the IPSec client support is included with the ASA, but AnyConnect support is a licensed feature (you get two clients for free). If your user base is just iOS, then I’d use the built-in client with your existing ASA 5508. It’s easy to configure with the ASDM Wizard and it’ll probably “just work”. However, the actual IPSec client software is end-of-support by Cisco, so if you have PC users that need a VPN solution the only option from Cisco is AnyConnect. I’ve heard of lots of folks using the free “Shrew Soft” IPSec client so you could try that, but there’d be no support.

With an old ASA, you’re screwed with the old IKEv1 Cisco-style remote access VPN. It works all right, but don’t be so sure newer devices will support it. We’ve had issues with Win10 (old VPN client compatibility) and Android devices, but iOS generally works.
AnyConnect/SSL will cost you additional licenses (and not that little).

TBH, if you don’t really care about super-duper security, then by a country mile the easiest to set up and use, and works on every imaginable platform, is Meraki. It’s L2TP, so it has its own quirks (like Windows not liking it when both sides are behind NAT, unless static 1:1 NAT). So it’s preferred to have a VPN box with a direct public IP.

But it’s just downright unfair how easy it is to set up. You’ll have to be an MS admin (or have one) to set up auth against AD with the ASA (with its CN=sxx;;OU=asdas;; crap forest-tree stuff that has to be precise to a character), but for Meraki it’s like kindergarten stuff. Just works.

You have RADIUS tied to a user database (AD, LDAP, whatever)? Literally just fill in 3 blanks: server IP, port and secret.

You want to auth against AD directly? Well, it’s now 4 blanks!

Even a local user (against the Meraki cloud) is bonkers easy. It even autogenerates passwords and sends e-mails for you so your user can verify themselves.

Many manufacturers will say “you can configure your remote access in minutes”, but in the actual world only Meraki can actually back this claim (hell, you can do it in seconds actually, it’s that easy).
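As an added illustration of the ASA-side AD setup the post above is comparing against (this is a constructed example, not configuration from anyone in this thread): an ASA LDAP authentication server definition, with LDAPS enabled and a read-only service account for the bind. The hostname, DNs, tunnel-group name and password are placeholders.

```text
! Constructed example, not from this thread. ldap.example.com, the DNs and
! the tunnel-group name are placeholders; use a least-privilege bind account.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host ldap.example.com
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn OU=Users,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
!
tunnel-group RemoteAccess general-attributes
 authentication-server-group AD-LDAP
```

The base DN and login DN are comma-separated RFC 4514 distinguished names, and a single mistyped component makes the bind or the user search fail silently from the user's point of view, which is what "precise to a character" refers to.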

The 5508 is really there because it was our old firewall and it was also doing VPN. We only have a max of about 10 concurrent sessions. Nothing crazy. We kept it around to JUST do VPN when we bought a Juniper SRX3600. The SRX is a branch device and therefore has no VPN option. Juniper was my first choice, but they sold off their concentrators to Pulse (which u/KodamaBE recommended below). Is it true that I have to go with IPsec for iOS devices? I was not aware of that.

Thanks for the reply! Pulse handles iOS? What kind of client would a Windows machine use to access via the Pulse?

Thanks for the reply!

As far as I know, Apple has tight restrictions on vendor-implemented SSL remote VPNs. So IPsec remote VPN will be your best/safest bet…

I personally have never worked on a dedicated concentrator before, and I do not believe I need to, actually… You could potentially (for example) get a FortiGate 50E bare-minimum box to support 250 IPsec remote VPN users for about $600. You also have the potential to fully utilize it as a UTM in the future if needed.

Pulse has a client for most OSes including iOS, OS X, & Windows.

Edit: I would highly recommend the Pulse platform. I’ve used it on and off for many years. At heart I am a Check Point and F5 guy, who both have pretty good SSL VPN offerings (Mobile Access Blade for Check Point and APM for F5), and most of the time I would recommend using a Pulse appliance.

As /u/Djinjja-Ninja says, it supports almost every platform. For iOS and Android there are apps. On iOS/Android the app makes a VPN profile for the user, which makes central management easier. The clients for Pulse Secure and the SRX are the same: Junos Pulse => Pulse Secure. However, the “server” side configuration is totally different. Much more granular on the Pulse Secure. I also agree with /u/m1xed0s that a dedicated VPN appliance is not so common anymore. Most companies just opt for an (SSL) VPN license on their gateway firewall.

I’ve never had an issue with AnyConnect SSL on Apple. You just need a valid, third-party-trusted certificate.

I completely agree and would jump all over it if the SRX wasn’t considered “branch” and therefore missing any VPN solution. The lower end SRXs can do it, not the 3600.