Fwd: OT: ASA port forwarding...

From: Mark Lewis (mark@mjlnet.com)
Date: Thu Jan 12 2006 - 06:57:50 GMT-3


Hi,

Assuming that you have covered the basics like configuring the HTTP server, enabling WebVPN on the outside interface, configuring the WebVPN group policy and attributes, and configuring remote access user authentication, you should be able to configure port forwarding using a config like this:

!
port-forward tcp.apps 1500 10.1.1.1 telnet
!
group-policy webvpn.grp.policy attributes
webvpn
 functions port-forward
 port-forward value tcp.apps
 port-forward-name value Port-Forwarding
!

The port-forward {listname localport remoteserver remoteport description} command is used to configure the TCP applications that remote access users can access.

The parameters used with the port-forward global configuration mode command are as follows:

1. the listname parameter configures a name that identifies a set of TCP applications. In this case, the list of TCP applications is "tcp.apps".

2. the localport parameter is used to specify a TCP port of traffic on a client that is re-directed over SSL to the ASA. In this example, the port-forward command configures TCP traffic on port 1500 to be redirected from remote access clients over SSL to the ASA.

3. the remoteserver parameter specifies the DNS name or IP address of the TCP application server to which the ASA will send TCP traffic forwarded by the remote access clients. In this example, the address of the TCP application server is 10.1.1.1.

4. the remoteport parameter specifies the TCP port of the application on the application server (TCP port 23 [Telnet], in this example).

The port-forward {value listname | none} (under the user group attribute configuration) then references the previously configured port-forward list.

The port-forward-name {value listname | none} command configures the name that identifies TCP port forwarding on the WebVPN home page (the remote access users can click on the name in the home page to launch port forwarding). In this case, the name is configured as "Port-Forwarding".

Finally, the functions port-forward command enables port forwarding on the ASA.

When using DNS names with port forwarding, the hosts file on Windows user workstations is modified during WebVPN access, with the first application used for port forwarding being mapped to IP address 127.0.0.2, the second application being mapped to IP address 127.0.0.3, and so on. A copy of the original hosts file is saved during application access, and restored later.

HTH,

Mark

CCIE#6280 / CCSI#21051 / JNCIS / etc.

Author:

www.ciscopress.com/title/1587051796
www.ciscopress.com/title/1587051044

>From: Carlos G Mendioroz <tron@huapi.ba.ar>
>Reply-To: Carlos G Mendioroz <tron@huapi.ba.ar>
>To: ccielab@groupstudy.com
>Subject: OT: ASA port forwarding...
>Date: Wed, 11 Jan 2006 16:52:21 -0300
>
>Hi there,
>scratching my head against this, anyone already there ? :)
>
>ASA is the new family of security devices from cisco. They run something
>similar to Pix OS v7.0, and can do some neat tricks, like having an IPS
>(i.e. IDS new wave :) inside and terminating WEBVPNs, aka no client VPNs
>where your browser does the client thing.
>
>Now, one feature webvpn has is port-forwarding, which enables non http
>apps to tunnel traffic via your browser, using a Java applet for tunnel
>entry/proxy. And I can't get it to work :(
>It starts, but no app shows in the table that lists what is available
>for you to use.
>
>Furthermore, if you use a domain name (instead of an IP address) in
>defining an application for forwarding, you get "direct connect" to the
>application without having to reconfigure local port in the client app.
>I'm curious about how this works if anyone knows... it has some hosts
>file rewriting magic involved, but I was wondering if it also uses ISC
>for the port mapping.
>
>More than thankful to any light on this :)
>Regards,
>--
>Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
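The following is an added example, not part of either message above and not Cisco's applet code. It models the client-side behaviour Mark describes for DNS-named servers: the port-forward lines are parsed, each DNS-named server is assigned 127.0.0.2, 127.0.0.3, ... in list order, the hosts file is backed up and extended, and the backup is restored afterwards. The config lines, the hosts-file contents and the service-keyword table are constructed for the example; that IP-addressed servers need no hosts entry and stay on 127.0.0.1 without consuming a loopback address, that the applet listens on the assigned loopback address at the configured local port, and the marker comment in the hosts file are assumptions of the model, not documented ASA behaviour.

```python
"""Model of the hosts-file rewriting done on the client by ASA WebVPN
port forwarding (constructed example; not Cisco's applet code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed config lines in the port-forward syntax from the thread.
SAMPLE_CONFIG = """\
port-forward tcp.apps 1500 10.1.1.1 telnet
port-forward tcp.apps 1501 mail.example.com pop3 Mail
port-forward tcp.apps 1502 intranet.example.com 8080 Intranet
"""
# Constructed stand-in for C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n"
# Assumption: the few service keywords this example accepts in place of a port.
SERVICE_NAMES = {"telnet": 23, "ssh": 22, "smtp": 25, "pop3": 110, "imap4": 143}
HOSTS_MARKER = "# webvpn-port-forward"  # assumed marker, not the applet's own

PORT_FORWARD_RE = re.compile(
    r"^\s*port-forward\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?\s*$")


@dataclass(frozen=True)
class PortForward:
    listname: str
    localport: int
    remoteserver: str
    remoteport: int
    description: str = ""


def parse_port(token):
    """Accept a numeric port or one of the service keywords above."""
    if token.isdigit():
        return int(token)
    if token.lower() in SERVICE_NAMES:
        return SERVICE_NAMES[token.lower()]
    raise ValueError(f"unknown port keyword {token!r}")


def parse_config(text):
    """Return PortForward entries in the order they appear in the config."""
    entries = []
    for line in text.splitlines():
        m = PORT_FORWARD_RE.match(line)
        if m:
            listname, lport, server, rport, desc = m.groups()
            entries.append(PortForward(listname, parse_port(lport), server,
                                       parse_port(rport), (desc or "").strip()))
    return entries


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def plan_listeners(entries):
    """Pair each entry with the loopback address the applet listens on.
    DNS-named servers get 127.0.0.2, 127.0.0.3, ... in list order (as the
    message states). Assumption: IP-addressed servers stay on 127.0.0.1 and
    do not consume a loopback address, since they need no hosts entry."""
    plan, next_octet = [], 2
    for e in entries:
        if is_ip(e.remoteserver):
            plan.append((e, "127.0.0.1"))
        else:
            plan.append((e, f"127.0.0.{next_octet}"))
            next_octet += 1
    return plan


def rewrite_hosts(original, plan):
    """Return (rewritten hosts text, backup). The backup is the untouched
    original, which is what gets written back when access ends."""
    lines = original.splitlines()
    for e, addr in plan:
        if not is_ip(e.remoteserver):
            lines.append(f"{addr}\t{e.remoteserver}\t{HOSTS_MARKER} {e.listname}")
    return "\n".join(lines) + "\n", original


def resolve(hosts_text, name):
    """Look a name up the way a hosts-file resolver does: first match wins."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def demo():
    """Run the whole sequence on the constructed inputs; restore is just
    writing the backup back, so the third element equals SAMPLE_HOSTS."""
    plan = plan_listeners(parse_config(SAMPLE_CONFIG))
    rewritten, backup = rewrite_hosts(SAMPLE_HOSTS, plan)
    return plan, rewritten, backup


if __name__ == "__main__":
    for e, addr in demo()[0]:
        print(f"{e.remoteserver}:{e.remoteport} -> listen on {addr}:{e.localport}")
    print(demo()[1])
```

Two things the model makes easy to check that matter in practice: the rewrite needs write access to the hosts file (on Windows that means an administrative user), and if the applet dies before the restore step the 127.0.0.x mappings stay behind and the named servers keep resolving to loopback. Because a hosts-file resolver takes the first matching line, an entry for the same name that already sits earlier in the file would also win over the appended one, which resolve() above demonstrates.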



This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:48 GMT-3