Port forwarding for clientless SSL VPN access

calebjpatrin
Level 1

Hello,

I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.

However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.

But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.

Why? It's not trying to access the same TCP port on a server when it's already in use. Is there any way I can get around this?

If this doesn't make sense, please let me know and I'll do my best to explain it better.

6 Replies

calebjpatrin
Level 1

Here is some more information:

Any ideas?

malshbou
Level 1

Hi Caleb,

If you mean clientless WebVPN port-forwarding lists, then you should be able to meet your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.

CLI:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23

Then you apply the port-forwarder list under a group-policy.

Hope this helps

Mashal Alshboul

Hello Mashal,

Thank you for your response. The remote TCP port is not the one giving me an issue. Instead, it's the local TCP port.

For instance:

As you can see in this picture, the remote servers are different, but the local TCP port is the same. The ASDM will accept these lists but will not allow simultaneous connections from both of the remote servers. Is there a way around this?

The local-to-remote socket bindings should be unique at the client, and having the same local port pointing to different remote ports doesn't make sense.

Why don't you use different local ports?

Mashal Alshboul

So would the user telnet to 127.0.0.1:1111?  That didn’t work when I tested it.  Do I use whatever port number I want when creating the forwarding rules?  On my old hardware I was able to specify different loopback addresses for each forwarding rule, so that’s part of what’s confusing with this configuration.

Does that make sense?
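Mashal's suggestion written out as a complete configuration, as an added example that is not from the thread or from Cisco: the colliding version the thread describes comes first, then the version with one unique local port per remote socket, followed by the group-policy that activates the list. The list name PF, the group-policy name REMOTE-SITES, the 192.168.1.x server addresses and the local ports are assumed, and the group-policy syntax is assumed from the ASA 8.x CLI.

```cisco
! --- Problem configuration (what the thread describes):
! --- both entries claim local port 1111, so only one of them can
! --- listen on 127.0.0.1:1111 at a time; ASDM accepts both entries,
! --- but the two forwarders cannot be used simultaneously.
webvpn
 port-forward PF 1111 192.168.1.100 23 "Server A telnet"
 port-forward PF 1111 192.168.1.200 23 "Server B telnet"
!
! --- Corrected configuration: each remote socket gets its own local port.
! --- The forwarder binds only to the loopback address, so the user
! --- reaches Server A at 127.0.0.1:2323 and Server B at 127.0.0.1:2300;
! --- the remote port (23) may be the same on both servers.
webvpn
 port-forward PF 2323 192.168.1.100 23 "Server A telnet"
 port-forward PF 2300 192.168.1.200 23 "Server B telnet"
!
! --- Activate the list for the remote sites' group policy (name assumed).
! --- Users in this group policy see both forwarders in the portal.
group-policy REMOTE-SITES attributes
 webvpn
  port-forward enable PF
!
! --- Verify the resulting list from enable mode:
! show running-config webvpn
```

With this in place a remote user starts the port-forwarding applet from the portal and telnets to 127.0.0.1:2323 or 127.0.0.1:2300 rather than to a shared local port.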