Configuring Port Forwarding

Some end users will require access to applications beyond e-mail and file access. In a
traditional IPsec VPN this is straightforward, because the end user is connected directly to the
enterprise network through the VPN. With a WebVPN service the end user has no direct
connection to the network, so all application traffic must be redirected through the WebVPN
HTTPS service. This is done through port forwarding using a Java applet. A security
administrator enables port forwarding in two steps:
Step 1 Create port forwarding application maps.
Step 2 Assign a port forwarding application list to a user or group policy.
Step 1: Create Port Forwarding Application Maps
You must create a port forwarding application map for each application the ASA 55x0 will
need to port forward. The ASA 55x0 uses this mapping information to modify the hosts file on
the end user's PC. An application entry uses a hostname or IP address as the unique
identifier for port forwarding. This identifier must remain constant; otherwise the end user
will have to change how the application is accessed each time the WebVPN service is used.
Using hostnames is recommended, because it streamlines access to the application for the
end user.
For the WebVPN service, a hostname can be configured together with the IP address of the
server the application resides on and the port number on the end user's computer that is
used to reach the application. This gives the end user a simpler way to access the
application. For example, if the end user needs to telnet to server 10.2.2.12 port 2222, which
Example 13-12 Assigning a URL List
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# webvpn
tgasa(config-group-webvpn)# url-list value URLS
tgasa(config-group-webvpn)# exit
NOTE The Java applet used for modifying the hosts file is sometimes seen as a malicious
attack by antivirus and antispyware applications. Disabling checking of the hosts file might
be necessary.
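The two steps above, carried through for the telnet case the text mentions (server 10.2.2.12, reached through local port 2222), as an added configuration example that is not from the book. It follows the ASA 7.x WebVPN port-forward syntax as I know it; the list name PORTFWD, the description text and the reuse of group policy REMOTE1 are assumptions, so verify the exact keywords against the command reference for your release.

```cisco
! Step 1: create the port forwarding application map.
! One port-forward line per application, under webvpn configuration mode:
!   port-forward <list-name> <local-port> <remote-server> <remote-port> [description]
! The local port (2222) is what the applet binds on the user's PC; the remote port (23)
! is the real telnet service on 10.2.2.12 behind the ASA.
tgasa(config)# webvpn
tgasa(config-webvpn)# port-forward PORTFWD 2222 10.2.2.12 23 Telnet-to-10.2.2.12
tgasa(config-webvpn)# exit

! Step 2: assign the application list to the group policy that the remote users inherit.
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# webvpn
tgasa(config-group-webvpn)# port-forward value PORTFWD
! Enabling the applet for the policy is release-dependent: 8.x uses "port-forward enable",
! some 7.x releases use "functions port-forward" instead (assumption: check your release).
tgasa(config-group-webvpn)# port-forward enable
tgasa(config-group-webvpn)# exit

! Check that the list and the policy assignment are in the running configuration.
tgasa# show running-config webvpn
tgasa# show running-config group-policy REMOTE1
```

Keep the application list limited to the servers and ports the policy's users actually need; every entry becomes a local listener on the user's PC for the duration of the session.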