Brochure

Cisco IPsec and SSL VPN Solutions Portfolio

© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Integrated Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, Cisco 7200 Series and 7301 Routers, Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.

VPNs allow organizations to securely connect remote offices and remote users using cost-effective, third-party Internet access rather than expensive dedicated WAN links or long-distance remote dial links. Using high-bandwidth Internet connectivity—such as DSL, Ethernet, and cable—and securing it with encrypted VPN tunnels enables organizations to reduce WAN bandwidth costs while increasing connectivity speeds.

VPNs provide high levels of security through encryption and authentication technologies that protect data from unauthorized access. VPNs provide more flexibility and scalability than Frame Relay, leased lines, or dialup remote-access connections by enabling the quick addition of new sites or users through the easy-to-provision Internet infrastructure within ISPs. As a result, organizations can dramatically increase the reach of their networks without significantly expanding their infrastructures.

There are two types of encrypted VPNs: site-to-site and remote-access. Site-to-site VPNs are an alternative to Frame Relay or leased-line WANs, which allow businesses to extend network resources to branch offices, home offices, and business partner sites. All traffic between sites is encrypted using IP Security (IPsec). Routing, quality of service (QoS), and other network features help ensure the reliability and quality of VPN traffic. Site-to-site VPNs are also used to increase the security of other WAN technologies such as Multiprotocol Label Switching (MPLS) and Frame Relay, which separate customer traffic but do not encrypt it, by adding data encryption and authentication.

Remote-access VPNs are a flexible and cost-effective alternative to private dialup solutions; in fact, VPNs have become the primary solution for remote-access connectivity. Remote-access VPNs extend almost any data, voice, or video application to remote working locations, helping to create a user experience that emulates working in the main office location. All traffic between the user desktop and the office site is encrypted. Remote-access VPNs may be deployed using Secure Sockets Layer (SSL) VPN, IPsec, or both, depending on deployment requirements.

Cisco VPN Solutions

The extensive portfolio of Cisco VPN solutions includes Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Integrated Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, Cisco 7200 Series and 7301 Routers, Cisco Catalyst 6500 Series Switches, and Cisco 7600 Series Routers. These solutions include mission-specific feature sets based on IPsec and SSL VPN technologies to provide the most suitable technologies for diverse network environments and requirements.

Site-to-Site VPN

Cisco's site-to-site VPN solutions integrate advanced network intelligence and routing to deliver reliable transport for complex mission-critical traffic, such as voice and client-server applications, without compromising communications quality. Site-to-site VPN technologies such as Dynamic Multipoint VPN (DMVPN), Easy VPN, Routed Generic Routing Encapsulation (GRE), and tunnel-less Group Encrypted Transport VPN (GET VPN) deliver customized solutions for network designs ranging from traditional hub-and-spoke to networks with "any-to-any" intersite connectivity. These technologies also help streamline provisioning and minimize ongoing operational tasks. Integrated network features such as routing, QoS, and multicast support deliver any traffic type—including latency-sensitive voice/video and terminal services—while preserving transport reliability and quality over the Internet-based VPN.

Remote-Access VPNs

Remote-access VPNs extend almost any data, voice, or video application available in the office to remote working locations, helping to create a user experience that emulates working in the main office location. There are two primary methods for deploying remote-access VPNs: IPsec and SSL. Each method has its advantages based on the access requirements of your users and your organization's IT processes. Many remote-access VPN solutions offer either IPsec or SSL, but Cisco solutions integrate both technologies on a single platform with unified management. Having both IPsec and SSL technologies enables customization of remote-access VPN deployments without any additional hardware or management complexity.

SSL VPNs

SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled location using a standard Web browser and its native SSL encryption. They do not require any special-purpose client software to be preinstalled on the system. Thus, SSL VPNs are capable of "anywhere" connectivity from company-managed desktops and non-company-managed desktops, such as employee-owned PCs, contractor or business partner desktops, and Internet kiosks. Because such endpoints are outside the organization's control, access from them should be limited to the resources those users actually need and combined with the VPN endpoint security checks described later in this document.
All software required for application access across the SSL VPN connection is dynamically downloaded on an as-needed basis, thereby minimizing desktop software maintenance.

SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications—such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers—can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized.

Full network access enables access to virtually any application, server, or resource available on the network. Access is delivered through a lightweight VPN client that is dynamically downloaded to the user desktop (through a browser) upon connection to the SSL VPN gateway. This VPN client, because it is dynamically downloaded and updated without any manual software distribution or interaction from the end user, requires little or no desktop support by IT staff, thereby minimizing deployment and operations costs. Like clientless access, full network access offers fully customized access control based on the access privileges of the end user. Full network access is a natural choice for employees who need remote access to the same applications and network resources they use when in the office or for any client-server application that cannot be delivered across a Web-based clientless connection.
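The split between clientless access for contractors and full network access for employees described above, expressed as an ASA group-policy configuration. This is an added example, not configuration taken from the brochure; it assumes Cisco ASA 8.0-era syntax (the SSL VPN client is configured with the svc keyword), and the policy and tunnel-group names, address ranges, intranet URL and client image file name are placeholders.

```cisco
! Added example (ASA 8.0-era syntax). Names, addresses, URL and image file are placeholders.
!
! Contractors on unmanaged desktops: clientless access only, restricted by a webtype ACL
! to the intranet portal. Anything not permitted here is denied by the implicit deny.
access-list CONTRACTOR-WEB webtype permit url https://intranet.example.com/*
!
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol webvpn
 webvpn
  filter value CONTRACTOR-WEB
!
! Employees on company-managed desktops: full network access through the dynamically
! downloaded SSL VPN client (svc) or the preinstalled IPsec client, with split tunneling
! limited to the internal address space.
ip local pool EMPLOYEE-POOL 10.20.0.10-10.20.0.250 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy EMPLOYEES internal
group-policy EMPLOYEES attributes
 vpn-tunnel-protocol IPSec svc webvpn
 address-pools value EMPLOYEE-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 webvpn
  svc required
!
! One tunnel group per community; users pick the group from the login page alias.
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 default-group-policy CONTRACTORS
tunnel-group CONTRACTORS webvpn-attributes
 group-alias contractors enable
!
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 address-pool EMPLOYEE-POOL
 default-group-policy EMPLOYEES
tunnel-group EMPLOYEES webvpn-attributes
 group-alias employees enable
!
! Enable SSL VPN on the outside interface and publish the client package for download.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
```

The point of the two policies is least privilege: the contractor policy never hands out an inside address, so a compromised kiosk can reach only what the webtype ACL lists, while the employee policy requires the client and tunnels only internal prefixes. Verify with show vpn-sessiondb webvpn and show vpn-sessiondb svc after a test login to each group.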
IPsec VPNs

IPsec-based VPNs are the deployment-proven remote-access technology used by most organizations today. Connections are established using VPN client software preinstalled on the user desktop, making it primarily useful on company-managed desktops. The client software can also be extensively modified through its APIs for use in special applications such as unattended kiosks and to provide integration with other desktop applications.

Working Together

SSL VPNs and IPsec VPNs are complementary technologies that can be deployed together to better address the unique access requirements of diverse user communities. Both offer access to virtually any network application or resource. SSL VPNs offer additional features such as easy connectivity from desktops outside your company's management, little or no desktop software maintenance, and user-customized Web portals upon login.

Cisco offers remote-access VPN solutions on the Cisco ASA 5500 Series VPN Edition, Cisco Integrated Services Routers, and Cisco ASR 1000 Series Aggregation Services Routers. Features include Web-based clientless access and full network access without preinstalled desktop VPN software, a threat-protected VPN to guard against malware and hackers, and single-device solutions for both SSL- and IPsec-based VPNs. In addition, the innovative Cisco Easy VPN and Cisco VPN Client auto-update capabilities found in Cisco remote-access VPN solutions deliver a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. With a foundation of dynamic policy distribution and effortless provisioning, Cisco Easy VPN and Cisco VPN Client auto-update features make it easy to maintain the remote-device and VPN client configurations typically required by IPsec remote-access VPN solutions.

Table 1 shows Cisco products and feature benefits for site-to-site and remote-access VPNs.

Table 1. Cisco Product Matrix and Feature Benefits for Site-to-Site and Remote-Access VPN

Product | Site-to-Site VPN | IPsec Remote-Access VPN | SSL Remote-Access VPN
Cisco Routers or Cisco Catalyst Switches | Most feature-rich | Yes | Yes (routers only)
Cisco ASR 1000 Series Routers | Most feature-rich | Yes | No
Cisco ASA 5500 Series Appliances | Yes | Most feature-rich | Most feature-rich

Cisco ASA 5500 Series Adaptive Security Appliances

Cisco ASA 5500 Series all-in-one adaptive security appliances deliver enterprise-class security and VPN capabilities to small and medium-sized businesses and large enterprise networks in a modular, purpose-built appliance (Figure 1). The Cisco ASA 5500 Series incorporates a wide range of integrated security services, including firewall, intrusion prevention system (IPS), and Anti-X services, with SSL and IPsec VPN services in an easy-to-deploy, high-performance solution. By integrating VPN and security services, the Cisco ASA 5500 Series protects the VPN deployment from becoming a conduit for network attacks such as worms, viruses, malware, or hacking. Detailed application and access control policy is applied to VPN traffic, so that legitimate users have access only to the services and resources their policy permits.
The Cisco ASA 5500 Series is Cisco's most feature-rich solution for SSL and IPsec-based remote access, and it also supports robust site-to-site connectivity. The series provides higher scalability and greater throughput capabilities than the widely deployed Cisco VPN 3000 Series Concentrators and can integrate easily into any Cisco VPN 3000 Series load-balancing cluster.

Figure 1. The Cisco ASA 5500 Series Portfolio

Table 2 summarizes the VPN performance of each Cisco ASA 5500 Series model.

Table 2. Cisco ASA 5500 Series Appliance VPN Performance

Model | SSL/IPsec Scalability | Maximum VPN Throughput
Cisco ASA 5505 | 25 simultaneous VPN connections | 100 Mbps
Cisco ASA 5510 | 250 simultaneous VPN connections | 170 Mbps
Cisco ASA 5520 | 750 simultaneous VPN connections | 225 Mbps
Cisco ASA 5540 | 2500/5000 simultaneous VPN connections | 325 Mbps
Cisco ASA 5550 | 5000 simultaneous VPN connections | 425 Mbps
Cisco ASA 5580-20 and 5580-40 | 10,000 simultaneous VPN connections | 1 Gbps

Remote-access and site-to-site IPsec VPN services are included as a base feature of all Cisco ASA 5500 Series models. SSL VPN features are available on the Cisco ASA 5500 Series VPN Edition or as a licensed feature set that can be added to any Cisco ASA 5500 Series model. Please see the product data sheet for more details.

The Cisco ASA 5500 Series offers flexible technologies that deliver tailored solutions to suit connectivity requirements. It provides employees with company-managed desktops robust, customizable remote access through an IPsec VPN. For endpoints that are not company managed, such as extranets, Internet kiosks, or employee-owned desktops, the Cisco ASA 5500 Series delivers SSL-based remote-access VPN services. Organizations can take advantage of Cisco's remote-access expertise to deploy a single integrated platform with broad support for all networked applications.

Benefits of the Cisco ASA 5500 Series include:

• Flexible platform: Providing both IPsec and SSL VPN on a single platform eliminates the inefficiency and added cost of deploying separate platforms.
• Superior clientless network access: Clientless SSL VPN-based remote access does not require desktop client software. Superior content rewriting capabilities help ensure reliable rendering of complex applications or Web pages with Java, JavaScript, and ActiveX content.
• Advanced client-based full network access: Customizable connectivity is provided through the dynamically downloaded Cisco SSL VPN Client or the Cisco IPsec VPN Client. For IPsec deployments, Cisco Easy VPN dynamically pushes the latest VPN security policies to remote VPN devices and clients, providing flexibility, scalability, and ease of use.
• Resilient clustering: Remote-access deployments can scale cost-effectively by evenly distributing VPN sessions across all Cisco ASA 5500 Series and Cisco VPN 3000 Series devices without user intervention or external load-balancing equipment. This highly resilient capability eliminates any single point of failure and helps to protect network investments.
• Threat-protected VPN: VPNs are a primary source of entry for malware, such as worms, viruses, spyware, keyloggers, Trojan horses, and rootkits, into organizations' networks. The Cisco ASA 5500 Series' deep intrusion prevention, antivirus, application-aware firewall, and VPN endpoint security capabilities help ensure that VPN connections do not become a conduit for security threats.

Cisco ASA 5500 Series Adaptive Security Appliances are managed through the integrated Web-based Cisco Adaptive Security Device Manager (ASDM). Cisco ASDM manages all security and VPN functions of the appliances.

Cisco Routers and Cisco Catalyst Switches

Cisco Integrated Services Routers, Cisco Aggregation Services Routers, and Cisco Catalyst switches (Figure 2) use Cisco IOS Software to easily deploy and scale site-to-site VPNs of any topology, from hub-and-spoke to the more complex fully meshed VPNs. In addition, the Cisco IOS Advanced Security feature set combines a rich VPN feature set with advanced firewall, intrusion prevention, and extensive Cisco IOS Software capabilities, including QoS, multiprotocol, multicast, and advanced routing support. Cisco Integrated Services Routers and Cisco Catalyst 6500 Series Switches are suitable for deploying VPNs and security on networks of all sizes, integrating all services in a single device, and featuring a wide selection of WAN and LAN interfaces.

Cisco IPsec VPN technology has earned industry evaluations and certifications such as Common Criteria Evaluation Assurance Level (EAL) 4 and FIPS 140-1 Level 2.

Figure 2. Cisco IOS VPN Security Portfolio and Suggested Applications
These devices incorporate many advanced VPN features:

• IPsec and SSL VPN services integration enables routers to provide both remote-access and site-to-site services from a single device.
• Dynamic Multipoint VPN (DMVPN) enables autoprovisioning of site-to-site IPsec VPNs. DMVPN eases provisioning by having remote sites register their current addresses with the hub through Next Hop Resolution Protocol (NHRP) and exchange routes over standard routing protocols, then automatically establishing an on-demand IPsec VPN tunnel between remote sites for a multipoint meshed design.
• Group Encrypted Transport VPN (GET VPN) is a new category of VPN that eliminates the need for traditional VPN tunnels. GET VPN delivers highly scalable and manageable intersite any-to-any VPN connectivity without the complexity typically encountered with meshed network designs. GET VPN supplements DMVPN by enabling high-scale, always-on, any-to-any site connectivity that is critical for maintaining the transmission quality of latency-sensitive traffic such as voice, video, and terminal services.
• Voice and Video Enabled VPN (V3PN) integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video.
• IPsec stateful failover provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, options such as Dead Peer Detection (DPD), Hot Standby Router Protocol (HSRP), Reverse Route Injection (RRI), and Stateful Switchover (SSO) help ensure uptime of mission-critical applications.
• IPsec and MPLS integration enables service providers to map IPsec sessions directly into an MPLS VPN or to use GET VPN to accomplish this without traditional tunnels. This solution can be deployed on colocated edge routers that are connected to a Cisco IOS Software-based MPLS provider-edge network, which can include Cisco 7200, 7500, 10000, or 12000 Series Routers or Cisco 7301 Routers. This approach enables service providers to securely extend VPN service beyond the MPLS network by using the public IP infrastructure to connect enterprise customers' remote offices, telecommuters, and mobile users to the corporate network. Cisco further extends the MPLS solution with support for multiple Virtual Route Forwarding (VRF) instances in a single router, enabling customer-edge routers to maintain separate VRF tables to extend an MPLS VPN beyond the provider-edge router node to a branch office.
• VPN hardware modules for Cisco routers provide up to 10 times the performance of software-only encryption by offloading encryption processing from the router CPU.
• Integrated security features such as firewall and IPS help ensure that VPNs do not become a conduit for hackers and malware.

Cisco offers VPN security router bundles on most router platforms. (A comprehensive list of router security bundles can be found at the router security bundles link under Additional Product and Ordering Information.) All bundles include the selected router platform, a Cisco VPN hardware card and additional memory where required, and the Cisco IOS Software to run IPsec Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES) encryption and Cisco IOS Firewall with IPS. Of the two ciphers, AES is the stronger and should be preferred for new deployments. Options can be added to each bundle as needed to add capabilities.
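The IPsec failover bullet above, as an added example (not configuration from the brochure) of the stateless variant on Cisco IOS: two headend routers share an HSRP virtual address that the remote site peers with, the crypto map is bound to the HSRP group, DPD lets the remote side notice a dead headend, and RRI injects a route to the remote network only while the tunnel is up so the IGP follows the active router. Addresses, interface names, the HSRP group name and the pre-shared key are placeholders; only the primary router is shown, and the standby differs only in its own address and a lower priority.

```cisco
! Added example: primary headend of an HSRP pair. Addresses, names and key are placeholders.
! The standby router carries the same configuration with ip address 198.51.100.3 on
! GigabitEthernet0/0 and standby 1 priority 100.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key SITE-PSK-CHANGE-ME address 203.0.113.50
! Dead Peer Detection in both directions: without it a remote site keeps sending into
! a dead SA until the lifetime expires after a headend failure.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha-hmac
!
ip access-list extended BRANCH-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.50.0.0 0.0.255.255
!
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 203.0.113.50
 set transform-set S2S-TS
 match address BRANCH-TRAFFIC
 ! Reverse Route Injection: a static route to 10.50.0.0/16 exists only while the SA is
 ! active, so the redistribution below advertises it from whichever headend holds the tunnel.
 reverse-route
!
interface GigabitEthernet0/0
 description Internet-facing, shared with the standby headend
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! Fail over if the inside interface goes down, not only on loss of the outside link
 standby 1 track GigabitEthernet0/1 20
 ! Bind the crypto map to the HSRP group: ISAKMP and IPsec use the virtual address as
 ! their local endpoint, so the remote peer configuration never changes on failover.
 crypto map S2S-MAP redundancy VPN-HA
!
interface GigabitEthernet0/1
 description Inside
 ip address 10.1.0.2 255.255.255.0
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 redistribute static subnets
```

This is the stateless form: after an HSRP switchover the remote site's DPD declares the old peer dead and re-negotiates with the same virtual address, so there is an outage of roughly the DPD interval plus IKE negotiation. The stateful option the bullet mentions (SSO) adds the stateful keyword to the crypto map redundancy command together with inter-device redundancy configuration between the two routers, so existing SAs survive the switchover. Check with show standby brief, show crypto isakmp sa and show ip route static (the RRI route should appear only while the tunnel is up).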
Cisco also offers four IPsec VPN bundles based on Cisco Catalyst 6500 Series Switches. The bundles include the Cisco IPsec VPN Shared Port Adapter (SPA) and provide flexibility and integration for data centers, enterprise headends, and distribution points. Integrating the SPA with the switch creates a flexible, high-performance, 2.5-Gbps VPN solution in campus and WAN edge deployment scenarios while providing additional flexibility, redundancy, and the addition of high-density I/O or other service options. The open slots in the switches can accommodate other advanced security services modules, such as the Cisco Catalyst 6500 Series Firewall Services Module (FWSM), the Cisco Catalyst 6500 Series Intrusion Detection System Module (IDSM-2), and the Cisco Catalyst 6500 Series Network Analysis Module (NAM-1 and NAM-2). This modular approach allows organizations to take full advantage of their installed switching and routing infrastructure at a relatively low cost.

Cisco ASR 1000 Series: A Powerful New Paradigm for the WAN Edge

The new Cisco ASR 1000 Series Aggregation Services Router uses the onboard Cisco Embedded Services Processor (ESP) to deliver scalable, integrated, and secure connectivity. The routers deliver multigigabit IPsec VPN aggregation services concurrent with high-speed WAN, Internet edge routing, QoS, and multicast. The Cisco Embedded Services Processor uses the Cisco QuantumFlow Processor—the industry's first massively parallel processor hardware and software architecture—as a key subsystem to control packet flow and assure high performance, scalability, service quality, and security.

Positioned between the Cisco 7200 Series and the Cisco 7600 and Catalyst 6500 Series, Cisco ASR 1000 Series routers make a compelling case for integrating headend IPsec VPN termination into enterprise WANs and Internet edge routers. They deliver unparalleled WAN availability in a carrier-class design with very efficient power consumption.

• All Cisco ASR 1000 Series Aggregation Services Routers ship with high-speed encryption acceleration chips (which include software developed by Cavium Networks) onboard, in the Embedded Services Processor. No additional or external crypto engine modules are required.
• The Cisco Embedded Services Processor-20G scales to 7.0 Gbps of IPsec encryption throughput, supporting up to 10,000 IPsec tunnels.
• The balance of total system bandwidth (5, 10, or 20 Gbps, depending on the Embedded Services Processor) is available to route clear-text traffic through the network at high speeds.
• Cisco ASR 1000 Series routers provide superior multicast and encryption processing with advanced packet scheduling and distribution mechanisms between the encryption and forwarding engines.
• Pre- and post-encryption QoS, scalable to support thousands of spokes, is available and embedded within the Cisco ASR 1000 Series Embedded Services Processor.

Cisco IPsec VPN solutions are supported on all Cisco Aggregation Services Routers with the Cisco IOS XE ASR 1000 Series RP1 Advanced IP Services and Advanced Enterprise Services software options.

For more information on Cisco ASR 1000 Series solutions, see the Cisco ASR 1000 Series link under Additional Product and Ordering Information. Table 3 summarizes the VPN performance of different Cisco router platforms.
Table 3. VPN Performance of Cisco Routers and Switches

Cisco VPN Security Solution | Tunnels | 3DES Throughput | AES Throughput
Cisco 850 Series Integrated Services Router | 5 | 8 Mbps | 8 Mbps
Cisco 870 Series Integrated Services Router | 10 | 30 Mbps | 30 Mbps
Cisco 1800 Series Integrated Services Router (Fixed Configuration) | 50 | 40 Mbps | 40 Mbps
Cisco 1841 Integrated Services Router with onboard VPN | 100 | 45 Mbps | 45 Mbps
Cisco 1841 Integrated Services Router with AIM-VPN/SSL-1 | 800 | 95 Mbps | 95 Mbps
Cisco 2801 Integrated Services Router with onboard VPN | 150 | 50 Mbps | 50 Mbps
Cisco 2801 Integrated Services Router with AIM-VPN/SSL-2 | 1500 | 160 Mbps | 160 Mbps
Cisco 2811 Integrated Services Router with onboard VPN | 200 | 55 Mbps | 55 Mbps
Cisco 2811 Integrated Services Router with AIM-VPN/SSL-2 | 1500 | 130 Mbps | 130 Mbps
Cisco 2821 Integrated Services Router with onboard VPN | 250 | 56 Mbps | 56 Mbps
Cisco 2821 Integrated Services Router with AIM-VPN/SSL-2 | 1500 | 140 Mbps | 140 Mbps
Cisco 2851 Integrated Services Router with onboard VPN | 300 | 66 Mbps | 66 Mbps
Cisco 2851 Integrated Services Router with AIM-VPN/SSL-2 | 1500 | 160 Mbps | 160 Mbps
Cisco 3825 Integrated Services Router with onboard VPN | 500 | 170 Mbps | 170 Mbps
Cisco 3825 Integrated Services Router with AIM-VPN/SSL-3 | 2000 | 185 Mbps | 185 Mbps
Cisco 3845 Integrated Services Router with onboard VPN | 700 | 180 Mbps | 180 Mbps
Cisco 3845 Integrated Services Router with AIM-VPN/SSL-3 | 2500 | 210 Mbps | 210 Mbps
Cisco 7301 Router with SA-VAM2 | 5000 | 280 Mbps | 280 Mbps
Cisco 7200VXR Series Router and NPE-G1 with a single SA-VAM2 | 5000 | 280 Mbps | 280 Mbps
Cisco 7200VXR Series Router and NPE-G2 with a single SA-VAM2 | 5000 | 280 Mbps | 280 Mbps
Cisco 7200VXR Series Router and NPE-G2 with a single VSA | 5000 | 950 Mbps | 950 Mbps
Cisco ASR 1000 Series Aggregation Services Routers with Embedded Services Processor-5G | 5,000 | 1.8 Gbps | 1.8 Gbps
Cisco ASR 1000 Series Aggregation Services Routers with Embedded Services Processor-10G | 10,000 | 4.0 Gbps | 4.0 Gbps
Cisco ASR 1000 Series Aggregation Services Routers with Embedded Services Processor-20G | 10,000 | 7.0 Gbps | 7.0 Gbps
Cisco Catalyst 6500 Series/Cisco 7600 Series VPN Bundle (includes one or more IPsec VPN SPAs) | 16,000 | 2.5–25 Gbps* | 2.5–25 Gbps*
Cisco Catalyst 6500 Series VPN Services Port Adapter Bundle (includes one or more IPsec VSPAs) | 16,000 | 8–80 Gbps* | 8–80 Gbps*

* Up to 10 VPN SPAs / VSPAs can be installed in a single chassis, providing increased VPN bandwidth.

Cisco IOS Software-based VPN security routers and Cisco Catalyst switches can be managed using a convenient command-line interface (CLI) through a variety of methods, including Telnet, Secure Shell (SSH) Protocol Version 2.0, or out-of-band through a console port. Because Telnet carries credentials and configuration in cleartext, SSH Version 2 or the console port should be used for managing VPN devices. Alternatively, Cisco IOS Software-based routers can be configured and monitored using Cisco Router and Security Device Manager (SDM), an intuitive and secure Web-based tool embedded within Cisco IOS Software-based access routers. Cisco SDM simplifies device and security configuration by offering wizards to help users quickly and easily deploy, configure, and monitor VPNs without extensive knowledge of the Cisco IOS CLI. Cisco IOS Software-based routers can also be configured and monitored using tools available from Cisco technology partners.

Cisco Security Management Solutions
In addition to the device managers embedded in Cisco VPN security solutions, Cisco provides standalone security management applications for those who need to manage a wider range of devices.

Cisco Security Manager, an integral part of the Cisco Self-Defending Network, combines Web-based tools for configuring, monitoring, and troubleshooting VPNs, firewalls, and network- and host-based intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). Cisco Security Manager delivers VPN configuration management, firewall management, surveillance, device inventory, and software version management features from a single console.

Complementing Cisco Security Manager is the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS). Cisco Security MARS is a family of high-performance, scalable threat mitigation appliances that fortify deployed network devices and security countermeasures by combining network intelligence, event correlation, and mitigation capability. Cisco Security MARS can readily identify, manage, and eliminate network attacks and maintain regulatory compliance.

Additional Product and Ordering Information

For more information, please visit the following links.

• Cisco router security bundles:
• Cisco ASR 1000 Series Aggregation Services Routers:
• Cisco ASA 5500 Series VPN /prod brochure0900aecd80402e39.html
• Cisco Catalyst 6500 Series and Cisco 7600 Series IPsec Shared Port /index.html
• Cisco SSL VPN:
• Cisco IPsec VPN:
• Cisco Router and Security Device Manager:
• Cisco Adaptive Security Device Manager for the Cisco ASA 5500 index.html
• Cisco Security Manager: tml
• Cisco Security MARS: tml
• Cisco Ordering Page:

Printed in USA    C78-364489-04 09/08