Sunday, March 01, 2009

ASA5505 SSLVPN Port Forwarding

So, as I've been chronicling over on @frednecksec, I've been pleasantly surprised with the new ASA5505 I got for my classroom network. Although I'm looking forward to replacing iptables, the main reason for the purchase was the WebVPN, in particular the ability to do port forwarding. Yes, this is just like SSH local port forwarding.

Here is a config snippet for ASA 7.2(4) that gets port forwarding working.

Enable WebVPN

webvpn
enable outside


Actually, if you stop here you will already be able to do URL redirection and get to web servers behind the ASA, although that option no longer shows up now that port forwarding is set up.


port-forward SSH 2223 192.168.55.100 ssh

group-policy first internal
group-policy first attributes
vpn-tunnel-protocol webvpn
webvpn
functions port-forward auto-download
port-forward value SSH


Some gotchas here. "port-forward" and "auto-download" have to be on the same line together. It wasn't immediately obvious to me that I had to do the "port-forward value" line. My general approach for Cisco CLI work is to just brute force it to find the minimal config, but this was the key thing I ran across. Unless you have this line, the session won't show up in the UI (see above), although the applet will still download.

The steps below are pretty straightforward once you have the group-policy created (above).


username vpnuser password ... encrypted
username vpnuser attributes
vpn-group-policy first
tunnel-group test type webvpn
tunnel-group test general-attributes
default-group-policy first


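Because both gotchas above are silent on the ASA (the applet still downloads, the config still parses), it is worth checking the running config for them before handing the box to users. The script below is an added example, not part of the original post and not a Cisco tool: it parses only the handful of commands shown in the post, assembled into a constructed "good" config and a constructed "bad" config (the password hash is a placeholder), and flags a group-policy whose `functions` list was split over two lines (the second command replaces the first) or that lacks a `port-forward value` line.

```python
"""Lint an ASA WebVPN port-forward config for the two gotchas from the post.

Added example, not the post's or Cisco's code. Only the commands shown in the
post are modelled; anything else in a real config is ignored.
"""
import re

# Constructed sample: the working config assembled from the post's snippets.
GOOD_CONFIG = """\
webvpn
 enable outside
port-forward SSH 2223 192.168.55.100 ssh
group-policy first internal
group-policy first attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward auto-download
  port-forward value SSH
username vpnuser password PLACEHOLDER encrypted
username vpnuser attributes
 vpn-group-policy first
tunnel-group test type webvpn
tunnel-group test general-attributes
 default-group-policy first
"""

# Constructed sample with both gotchas: 'functions' split over two lines
# (the second replaces the first) and no 'port-forward value' line.
BAD_CONFIG = """\
webvpn
 enable outside
port-forward SSH 2223 192.168.55.100 ssh
group-policy first internal
group-policy first attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward
  functions auto-download
tunnel-group test type webvpn
tunnel-group test general-attributes
 default-group-policy first
"""

TOP_LEVEL = ("group-policy ", "username ", "tunnel-group ", "port-forward ")
PF_LIST_RE = re.compile(r"^port-forward (\S+) (\d+) (\S+) (\S+)$")
REF_RE = re.compile(r"^(?:vpn-group-policy|default-group-policy) (\S+)$")


def parse_asa(config_text):
    """Collect port-forward lists, group-policies and policy references."""
    state = {"webvpn_enabled": False, "lists": {}, "policies": {}, "referenced": set()}
    current = None  # name of the group-policy whose attributes we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = PF_LIST_RE.match(line)
        if m:  # global list entry: name local-port host remote-port
            state["lists"].setdefault(m.group(1), []).append(
                (int(m.group(2)), m.group(3), m.group(4)))
            current = None
            continue
        m = REF_RE.match(line)
        if m:  # username attributes or tunnel-group pointing at a policy
            state["referenced"].add(m.group(1))
            continue
        if current is not None and line.startswith("port-forward value "):
            state["policies"][current]["pf_value"] = line.split()[2]
            continue
        if line.startswith(TOP_LEVEL):
            current = None
            m = re.match(r"group-policy (\S+) (attributes|internal|external)", line)
            if m:
                state["policies"].setdefault(
                    m.group(1), {"functions": set(), "overwritten": False, "pf_value": None})
                if m.group(2) == "attributes":
                    current = m.group(1)
            continue
        if current is None:
            if line.startswith("enable "):  # 'enable <iface>' under global webvpn
                state["webvpn_enabled"] = True
            continue
        if line.startswith("functions "):
            pol = state["policies"][current]
            # Each 'functions' command replaces the whole list, hence the gotcha.
            if pol["functions"]:
                pol["overwritten"] = True
            pol["functions"] = set(line.split()[1:])
    return state


def lint_portforward(config_text):
    """Return findings as strings; an empty list means the setup is coherent."""
    s = parse_asa(config_text)
    findings = []
    if not s["webvpn_enabled"]:
        findings.append("webvpn is not enabled on any interface")
    for name in sorted(s["referenced"] - set(s["policies"])):
        findings.append(f"group-policy {name} is referenced but never defined")
    for name, pol in s["policies"].items():
        if pol["overwritten"]:
            findings.append(f"group-policy {name}: repeated 'functions' lines; only the last one takes effect")
        if "port-forward" not in pol["functions"]:
            findings.append(f"group-policy {name}: port-forward is not in the effective 'functions' list")
        if pol["pf_value"] is None:
            findings.append(f"group-policy {name}: no 'port-forward value' line, so no session will appear in the UI")
        elif pol["pf_value"] not in s["lists"]:
            findings.append(f"group-policy {name}: port-forward list {pol['pf_value']} is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_portforward(cfg) or "OK")
```

Feed it the text of `show running-config` from the box; the indentation the ASA prints is ignored, so a snippet pasted from a blog without it parses the same way.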
This works on Ubuntu 8.10 (Java 6) with Firefox 3.x, OS X 10.4 with Safari 3, and Windows XP SP3 with both Firefox 3.x and IE (who knows what versions).
