Cisco ASA 5505 Configuration Manual page 1488

Configuring Port Forwarding
Configuring DNS for Port Forwarding
Port Forwarding forwards the domain name of the remote server or its IP address to the ASA for
resolution and connection. In other words, the port forwarding applet accepts a request from the
application and forwards it to the ASA. The ASA makes the appropriate DNS queries and establishes
the connection on behalf of the port forwarding applet. The port forwarding applet only makes DNS
queries to the ASA. It updates the hosts file so that when a port forwarding application attempts a DNS
query, the query redirects to a loopback address.
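The hosts-file redirection described above can be checked on an endpoint by listing every non-local name that resolves to a loopback address such as 127.0.0.2 or 127.0.0.3. The following is an added example, not code from the Cisco guide; the function name, the list of benign names, and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress

# Names that normally map to loopback and are not redirections (assumed list).
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file; names and addresses are illustrative only.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.2   mail.example.com          # constructed entry
127.0.0.3   telnet.example.com tn     # constructed entry with an alias
10.1.1.5    fileserver.example.com
not-an-ip   broken.example.com
"""

def loopback_redirects(hosts_text):
    """Return [(line_no, address, [names])] for non-local names mapped to loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr_text, *names = line.split()
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            continue                             # skip malformed lines
        if not addr.is_loopback:                 # 127.0.0.0/8 or ::1 only
            continue
        redirected = [n for n in names if n.lower() not in BENIGN]
        if redirected:
            findings.append((line_no, str(addr), redirected))
    return findings

if __name__ == "__main__":
    for line_no, addr, names in loopback_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {', '.join(names)} -> {addr}")
```

Pass the function the contents of the endpoint's hosts file to see which local address each forwarded host name uses, or to spot redirect entries left behind after a session has ended.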
Configure the adaptive security appliance to accept the DNS requests from the port forwarding applet as
follows:
Step 1  Click Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
        The DefaultWEBVPNGroup entry is the default connection profile used for clientless connections.
Step 2  Highlight the DefaultWEBVPNGroup entry, then click Edit if your configuration uses it for clientless
        connections. Otherwise, highlight a connection profile used in your configuration for clientless
        connections, then click Edit.
        The Basic window opens.
Step 3  Scan to the DNS area and select the DNS server from the drop-down list. Note the domain name,
        disregard the remaining steps, and go to the next section if ASDM displays the DNS server you want to
        use. You need to enter the same domain name when you specify the remote server while configuring an
        entry in the port forwarding list. Continue with the remaining steps if the DNS server is not present in
        the configuration.
Step 4  Click Manage in the DNS area.
        The Configure DNS Server Groups window opens.
Step 5  Click Configure Multiple DNS Server Groups.
        A window displays a table of DNS server entries.
Step 6  Click Add.
        The Add DNS Server Group window opens.
Step 7  Enter a new server group name in the Name field, and enter the IP address and domain name (see
        Figure 67-3).

The Java applet displays in its own window on the end user HTML interface. It shows the contents
of the list of forwarded ports available to the user, as well as which ports are active, and the amount of
traffic in bytes sent and received.

Neither port forwarding nor the ASDM Java applet works with user authentication using digital
certificates. Java does not have the ability to access the web browser keystore. Therefore Java cannot
use certificates that the browser uses to authenticate users, and the application cannot start.

The port forwarding applet displays the local port and the remote port as the same when the local IP
address 127.0.0.1 is being used and cannot be updated by the clientless SSL VPN connection from
the ASA. As a result, the ASA creates new IP addresses 127.0.0.2, 127.0.0.3, and so on for local
proxy IDs. Because you can modify the hosts file and use different loopbacks, the remote port is
used as the local port in the applet. To connect, you can use Telnet with the host name, without
specifying the port. The correct local IP addresses are available in the local hosts file.

Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 67, Clientless SSL VPN, page 67-24, OL-20339-01

This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
