Cisco ASA Series Cli Configuration Manual page 1873

Software version 9.0 for the services module

Chapter 1
Configuring Clientless SSL VPN
Configuring Port Forwarding

Restrictions
- Port forwarding supports only TCP applications that use static TCP ports. Applications that use dynamic ports or multiple TCP ports are not supported. For example, SecureFTP, which uses port 22, works over clientless SSL VPN port forwarding, but standard FTP, which uses ports 20 and 21, does not.
- Port forwarding does not support Microsoft Outlook Exchange (MAPI) proxy. However, you can configure smart tunnel support for Microsoft Office Outlook in conjunction with Microsoft Outlook Exchange Server.
- A stateful failover does not retain sessions established using Application Access (either port forwarding or smart tunnel access). Users must reconnect following a failover.
- The Java applet displays in its own window on the end user HTML interface. It shows the contents of the list of forwarded ports available to the user, as well as which ports are active, and the amount of traffic in bytes sent and received.
- The port forwarding applet displays the local port and the remote port as the same when the local IP address 127.0.0.1 is being used and cannot be updated by the clientless SSL VPN connection from the ASA. As a result, the ASA creates new IP addresses 127.0.0.2, 127.0.0.3, and so on for local proxy IDs. Because you can modify the hosts file and use different loopbacks, the remote port is used as the local port in the applet. To connect, you can use Telnet with the host name, without specifying the port. The correct local IP addresses are available in the local hosts file.

Configuring DNS for Port Forwarding
Port forwarding forwards the domain name of the remote server or its IP address to the ASA for resolution and connection. In other words, the port forwarding applet accepts a request from the application and forwards it to the ASA. The ASA makes the appropriate DNS queries and establishes the connection on behalf of the port forwarding applet. The port forwarding applet only makes DNS queries to the ASA. It updates the hosts file so that when a port forwarding application attempts a DNS query, the query redirects to a loopback address. Configure the ASA to accept the DNS requests from the port forwarding applet as follows:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | dns server-group | Enters the dns server-group mode. |
| Step 2 | domain-name | Specifies the domain name. The default setting of domain-name is DefaultDNS. |
| Step 3 | name-server | Resolves the domain name to an IP address. |
| Step 4 | webvpn | Switches to webvpn configuration mode. |

Example:
hostname(config)# dns server-group example.com
hostname(config-dns-server-group)# domain-name example.com
hostname(config-dns-server-group)# name-server 192.168.10.10

Configures a DNS server group named example.com.
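
The hosts-file redirection described above can be inspected on the client. The following Python sketch is an added example, not part of the Cisco guide; it assumes standard hosts-file syntax, and the function name, the baseline name set and the sample file content are constructed for illustration.

```python
import ipaddress

# Names that normally map to loopback on a clean system (assumed baseline).
BASELINE = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample: two names redirected to the 127.0.0.2, 127.0.0.3, ...
# addresses that the guide says are used for local proxy IDs.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# entries below are constructed for this example
127.0.0.2   mail.example.com   # forwarded application
127.0.0.3   telnet.example.com
192.168.10.10 dns.example.com
"""


def loopback_redirects(hosts_text, baseline=BASELINE):
    """Return (line_no, ip, hostname) for every non-baseline name that the
    hosts file maps to a loopback address (127.0.0.0/8 or ::1)."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid IP address
        if not addr.is_loopback:
            continue
        for name in fields[1:]:  # a line may carry several aliases
            if name.lower() not in baseline:
                findings.append((line_no, str(addr), name.lower()))
    return findings


if __name__ == "__main__":
    for line_no, ip, name in loopback_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

To audit a real client, pass the text of its hosts file (for example /etc/hosts, or the hosts file under the Windows drivers\etc directory) instead of SAMPLE_HOSTS.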
Cisco ASA Series CLI Configuration Guide
1-65