Port forwarding was the first method of application access that Cisco deployed for SSL VPN, way back in the 7.x releases. The ASA admin must first create a port forwarding list consisting of a name, the local forwarded port on the client machine, the remote/application server name, the application server's port, and a description. The port forwarding list is then made available through a Java applet that opens automatically when the user logs in to the SSL VPN portal, or when the user clicks the Application Access pane within the portal and chooses Start Application Access.
Upon starting application access, a Java applet is downloaded to the client, and an entry is created in the local hosts file of the user's PC that maps the application server's name to the local machine's loopback address. The application in use must be configured to send its traffic to the local port configured in the port forwarding entry on the ASA. With the Java applet open, all traffic that the application (Telnet in this example) sends to that local port travels over the SSL tunnel to the ASA. The ASA then establishes a TCP session with the destination server and relays the application data between client and server.
The drawbacks of this solution are that the client application must be installed locally on the user's machine and that it requires administrative access (the applet edits the hosts file). It also works only with simple applications that run on static TCP ports.
MY-ASA-FW(config)# webvpn
MY-ASA-FW(config-webvpn)# ?
WebVPN commands:
anyconnect AnyConnect configuration parameters
anyconnect-essentials Enable/Disable AnyConnect Essentials
apcf Load Aplication Profile Customization Framework
(APCF) profile
auto-signon Configure auto-sign to allow login to certain
applications using the WebVPN session credentials
cache Configure WebVPN cache
certificate-group-map Associate a tunnel-group with a certificate map rule
character-encoding Configures the character encoding for WebVPN portal
pages
csd This specifies whether Cisco Secure Desktop is
enabled and the package file name to be used.
default-idle-timeout This is the default idle timeout in seconds
default-language Default language to use
dtls Configure DTLS for WebVPN
enable Enable WebVPN on the specified interface
error-recovery Contact TAC before using this command
exit Exit from WebVPN configuration mode
file-encoding Configures the file encoding for a file sharing
server
help Help for WebVPN commands
http-proxy This is the proxy server to use for HTTP requests
https-proxy This is the proxy server to use for HTTPS requests
internal-password Adds an option to input a different password for
accessing internal servers
java-trustpoint Configure WebVPN java trustpoint
kcd-server Configure an KCD-Server
keepout Shows Web page when the login is disabled
memory-size Configure WebVPN memory size. CHECK MEMORY USAGE
BEFORE APPLYING THIS COMMAND. USE ONLY IF ADVISED BY
CISCO
mobile-device Configure access from mobile devices
mus Configure Mobile User Security
no Remove a WebVPN command or set to its default
onscreen-keyboard Adds WebVPN onscreen keyboard for typing password on
the WebVPN logon page and internal pages requiring
authentication
port WebVPN should listen for connections on the
specified port
port-forward Configure the port-forward list for WebVPN
portal-access-rule Configuration related to portal access rules
proxy-bypass Configure proxy bypass
rewrite Configure content rewriting rule
smart-tunnel Configure a list of programs to use smart tunnel
sso-server Configure an SSO Server
tunnel-group-list Configure WebVPN group list dropdown in login page
tunnel-group-preference Enable/Disable Tunnel Group Preference
MY-ASA-FW(config-webvpn)# port-forward ?
webvpn mode commands/options:
WORD < 65 char A name by which to identify the list of ports to be forwarded
via WebVPN
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET ?
webvpn mode commands/options:
<1-65535> This is the port that the WebVPN user connects to on their local
workstation. Enter a port number (1-65535) or port name. Use a
port number greater than 1024 to avoid conflicts with existing
services.
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 ?
webvpn mode commands/options:
A.B.C.D Enter an IP address for the Remote Server
WORD < 256 char Enter a DNS name for the Remote Server
X:X:X:X::X Enter an IPv6 address for the Remote Server
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 192.168.1.254 ?
webvpn mode commands/options:
<1-65535> This is the port on the remote server that connections to
the local port will be forwarded to. Enter a port number
(1-65535) or port name.
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nfs
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 192.168.1.254 23 ?
webvpn mode commands/options:
LINE < 65 char A description of this port forward entry
<cr>
MY-ASA-FW(config-webvpn)# port-forward PF-TELNET 2300 192.168.1.254 23 Telnet to R1
MY-ASA-FW(config-webvpn)# group-policy Engineering attributes
MY-ASA-FW(config-group-policy)# w?
group-policy mode commands/options:
webvpn wins-server
configure mode commands/options:
wccp webvpn
exec mode commands/options:
webvpn-cache who write
MY-ASA-FW(config-group-policy)# webvpn ?
group-policy mode commands/options:
<cr>
configure mode commands/options:
<cr>
exec mode commands/options:
remove Remove cached object identified by URL
MY-ASA-FW(config-group-policy)# webvpn
MY-ASA-FW(config-group-webvpn)# ?
Group-policy WebVPN commands:
activex-relay Enable or disable activex relay
always-on-vpn Configure the always-on-vpn setting for AnyConnect
anyconnect AnyConnect Parameters configuration
auto-signon Configure auto-sign to allow login to certain
applications using the WebVPN session credentials
customization Configure a customization object
deny-message Configure the Deny message
download-max-size Set maximum object size to download
exit Exit from user or group policy webvpn configuration mode
file-browsing Allow browsing for file servers and shares
file-entry Allow user entry of file server names to access
filter Configure the name of the webtype access-list
help Help for group policy webvpn commands
hidden-shares CIFS hidden shares
homepage Configure URL of web page to be displayed upon login
html-content-filter Configures the content/objects to be filtered from the
HTML for this policy
http-comp HTTP Compression
http-proxy Controls HTTP Proxy port forwarding
keep-alive-ignore Maximum object size to ignore for updating the session
timer
no Remove a command or set to its default
port-forward Configure the name of the Port Forwarding applet and
auto-download options
post-max-size Set maximum object size to post
smart-tunnel Configure smart tunnel
sso-server Configure SSO server name
storage-key Configure storage key for the data stored between
sessions.
storage-objects Configure storage objects for the data stored between
sessions.
unix-auth-gid Set the Unix group ID
unix-auth-uid Set the Unix user ID
upload-max-size Set maximum object size to upload
url-entry Control the ability of the user to enter any HTTP/HTTPS
URL
url-list Configure a list of WebVPN servers/URLs
user-storage Configure location for storing user data between
sessions.
MY-ASA-FW(config-group-webvpn)# port-forward ?
config-group-webvpn mode commands/options:
auto-start Enable and Auto Start port-forward
disable Disable port-forward
enable Enable port-forward
name port-forward-name
none (DEPRECATED) Disable port-forward
value (DEPRECATED) Specify a list of WebVPN forwarded ports
MY-ASA-FW(config-group-webvpn)# port-forward enable ?
config-group-webvpn mode commands/options:
WORD < 100 char A valid port forward list
MY-ASA-FW(config-group-webvpn)# port-forward enable PF-TELNET
Notice that Application Access now appears on the left navigation pane. Click the Start Application Access button and a pop-up window appears that runs the Java applet. Open a command prompt and Telnet to the PC's loopback address 127.0.0.1 on the local port number defined on the ASA (2300 in this example).
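As an added example (not from the original post and not Cisco code), the following Python script audits the port-forward configuration built above: it parses the port-forward entries and the group-policy enable lines from a running-config fragment, resolves the port keywords that the CLI help lists, and flags local ports at or below 1024 (the conflict the CLI help warns about), duplicate local ports within one list, and lists that no group-policy enables. The keyword-to-port mapping and the sample config fragment are my own assumptions, constructed for the example.

```python
import re
from collections import namedtuple

# ASA port keywords (subset of the CLI help list above) mapped to port numbers; assumed mapping.
PORT_NAMES = {"telnet": 23, "ssh": 22, "ftp": 21, "smtp": 25, "http": 80, "www": 80,
              "pop3": 110, "imap4": 143, "ldap": 389, "https": 443, "ldaps": 636}

# entry: port-forward <list> <local-port> <server> <remote-port> [description]; enable: port-forward enable|auto-start <list>
PF_ENTRY = re.compile(r"^\s*port-forward\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
PF_ENABLE = re.compile(r"^\s*port-forward\s+(?:enable|auto-start)\s+(\S+)\s*$")
Forward = namedtuple("Forward", "list_name local_port remote remote_port description")

def to_port(token):
    """Resolve a numeric port or an ASA port keyword such as 'telnet'."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]

def parse_forwards(config_text):
    """Return (entries, set of list names that some group-policy enables)."""
    entries, enabled = [], set()
    for line in config_text.splitlines():
        if m := PF_ENABLE.match(line):
            enabled.add(m.group(1))
        elif m := PF_ENTRY.match(line):
            entries.append(Forward(m.group(1), to_port(m.group(2)), m.group(3),
                                   to_port(m.group(4)), m.group(5).strip()))
    return entries, enabled

def audit_forwards(config_text):
    """Flag local ports <= 1024, duplicate local ports, and lists no group-policy enables."""
    entries, enabled = parse_forwards(config_text)
    findings, seen = [], set()
    for e in entries:
        if e.local_port <= 1024:
            findings.append(f"{e.list_name}: local port {e.local_port} <= 1024 may clash with a local service")
        if (e.list_name, e.local_port) in seen:
            findings.append(f"{e.list_name}: local port {e.local_port} defined twice")
        seen.add((e.list_name, e.local_port))
    for name in sorted({e.list_name for e in entries} - enabled):
        findings.append(f"{name}: list defined but not enabled in any group-policy")
    return findings

# Constructed sample running-config fragment, not the page's lab config.
SAMPLE_CONFIG = """\
webvpn
 port-forward PF-TELNET 2300 192.168.1.254 23 Telnet to R1
 port-forward PF-TELNET 2300 192.168.1.253 telnet Telnet to R2
 port-forward PF-MAIL 110 mail.example.local pop3 POP3 to mail server
group-policy Engineering attributes
  port-forward enable PF-TELNET
"""
```

Run `audit_forwards(SAMPLE_CONFIG)` against a `show running-config` capture to review every port-forward list before enabling it in a group-policy.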
Saturday, April 19, 2014
Saturday, April 5, 2014
HTTP or HTTPS Bookmarks
HTTP or HTTPS bookmarks are generally used to grant access to an intranet portal (for example, SharePoint or web mail). These bookmarks are entered in the same format as a URL typed directly into your browser; the ASA rewrites or manages the individual bookmarks and sends them to the client browser. As a result of the rewrite, any request for the bookmark travels to the ASA.
Whenever a user clicks an HTTPS bookmark, the ASA establishes a direct SSL session between itself and the web or mail server being accessed, and it performs the process of certificate validation on behalf of the client. The client never directly receives a copy of the server's certificate, and therefore the client cannot carry out its own verification/authentication of the server.
This is where ASDM comes in handy when importing the URL list.