
SSL port forwarding with ASA?

Hello.

I'd need to protect access to a very critical web site on my LAN.

To achieve this I have been thinking of using a Cisco ASA, because Cisco VPN 3000 appliances are out of the market now. But I do not know if I can achieve what I'd wish to do.

I need (upon authentication) that a user connection to port 443 is forwarded to port 443 (or another TCP port) on my internal LAN, where the critical web site is.

So basically I need a feature like the WebVPN functionality of the Cisco VPN 3000 series, where you can log on using the web interface and you are forwarded to a specific TCP port, or you just type the web site where you want to go after authentication. For maximum compatibility (because users can be anywhere in the world and IPSEC or PPTP can be filtered) I'd need to do this with an SSL port forwarding.

Is it possible to do this with the SSL VPN configuration options of the Cisco ASA?

Is it possible then to authorize users using LDAP group matching and authenticate users using Kerberos 5?

Thank you very much

Riccardo

3 Replies

Nicolas Fournier
Cisco Employee

Hi Riccardo,

You can indeed achieve this by configuring port forwarding on your ASA.

The port-forwarding configuration is described under the following link: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/webvpn.html#wp1340080

Once it is configured, you can open a browser and open 127.0.0.1: and you should be able to reach your internal web site.

I would however maybe not recommend this, since port-forwarding is getting phased out in favor of smart-tunnels: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/webvpn.html#wp1218044

In your case, I would set up a bookmark in the portal page and smart-tunnel it as shown in the following picture:

This will automatically tunnel the traffic from your browser towards your internal web site without having to go through the mangling process.

Regards,

Nicolas
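The thread does not answer the second question (Kerberos 5 authentication with LDAP group-based authorization). The following is an added example, not configuration posted by Nicolas or taken from the Cisco guide: an ASA clientless SSL VPN tunnel-group that authenticates against Kerberos, authorizes by AD group via an LDAP attribute map, and fails closed for users outside that group. All host addresses, realm, DNs, and policy names are assumptions.

```cisco
! Added example (not from this thread). Addresses, realm, DNs and names are assumptions.
webvpn
 enable outside

! Kerberos server: used only to verify the user's password
aaa-server KRB5 protocol kerberos
aaa-server KRB5 (inside) host 192.0.2.10
 kerberos-realm EXAMPLE.COM

! LDAP server: used only for authorization (group membership lookup)
aaa-server LDAP-AUTHZ protocol ldap
aaa-server LDAP-AUTHZ (inside) host 192.0.2.11
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Map the AD group DN to a group policy. Users not in the group keep the
! tunnel-group default policy, which allows zero logins (fail closed).
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=CriticalWeb-Users,OU=Groups,DC=example,DC=com" GP-CRITICALWEB

group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Clientless-only policy; the bookmark list (with its smart-tunnel option set
! per bookmark, as in the picture above) is referenced here by name.
group-policy GP-CRITICALWEB internal
group-policy GP-CRITICALWEB attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value CRITICALWEB-BOOKMARKS

tunnel-group CRITICALWEB-SSL type remote-access
tunnel-group CRITICALWEB-SSL general-attributes
 authentication-server-group KRB5
 authorization-server-group LDAP-AUTHZ
 authorization-required
 default-group-policy GP-NOACCESS
tunnel-group CRITICALWEB-SSL webvpn-attributes
 group-alias critical-web enable
```

With this split, a stolen or guessed password alone is not enough: the Kerberos check must pass and the LDAP lookup must return the expected group DN before any portal bookmark is reachable.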

Hi,

thank you for your help.

But I cannot access the interesting link you reported to me about smart tunnels:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/webvpn.html#wp1218044

Forbidden File or Application

I am using my Cisco CCO login credentials, but nevertheless I cannot read it ...

Hi Riccardo,

If you are unable to see this link, it means that your CCO account doesn't have enough privileges to view the document.

I would contact your account team to have it increased as there is personally not much I can do for you on this.

Regards,

Nicolas