Home > Articles > Cisco

  • Print
  • + Share This
From the author of Port Forwarding

Port Forwarding

A familiar concept to many network engineers is port forwarding; for this feature, the ASA is configured to forward traffic through the ASA to an internal application. The port forwarding feature in this context is limited in a number of ways, the most obvious includes its support for only TCP static port applications.

What this means is that if the application uses any form of dynamic port assignment, the port forwarding feature will not work for that specific application; this includes a lack of support for FTP.

Like many of the individual features available for the Clientless SSL VPN, the configuration is not complex and is shown in Table 5.

1

Enter WebVPN service configuration mode.

asa(config)#webvpn

2

Configure a port-forwarding entry to a (newly created with this command) application list.

Notes:

The list-name is then used to assign a specific application list (of port-forward entries) to a group or user.

The local-port is a port that is open on the local machine (the client) and is accessed via the loopback address (127.0.0.1).

The remote-server can be a DNS entry (if configured) or an IP address.

asa(config-webvpn)#port-forward list-name local-port remote-server remote-port

3

Enter Username Attributes configuration mode.

asa(config)#username username attributes

4

Enter webvpn sub-configuration mode.

asa(config-username)#webvpn

5

Assign an existing port-forwarding list to the user.

asa(config-username-webvpn)#port-forward {auto-start | enable} list-name


OR


3

Enter Group Policy Attributes configuration mode.

asa(config)#group-policy group-name attributes

4

Enter webvpn sub-configuration mode.

asa(config-username)#webvpn

5

Assign an existing port-forwarding list to the user.

asa(config-username-webvpn)#port-forward {auto-start | enable} list-name

There are two different main ways that the port-forwarding feature can be enabled. The first simply enables the option to have a port-forwarded.

For this option, the enable keyword is used; when users want the port to be forwarded, they enable it within the WebVPN homepage. The other option will automatically enable port forwarding when the user logs in to the WebVPN homepage. For this option, the auto-start keyword is used.

Summary

There are certainly a number of different situations in which the use of a Clientless VPN option would be preferable to a network engineer/architect. The Clientless SSL VPN feature available on the ASA certainly enables a number of different options that can be configured to the specific environment.

The topics that were discussed in this article just touch the surface of the number of options that are available with this feature and give a little bit of an introduction as to the complexity (or lack thereof, depending on the situation) of the configuration of this feature.

This article enables you to get an idea of what is possible with this feature. If it looks as if it may work for your specific environment, take a closer look at the available documentation on the Cisco website.

  • + Share This
  • 🔖 Save To Your Account