So as I've been chronicling over on @frednecksec, I've been pleasantly surprised with the new ASA5505 I got for my classroom network. Although I'm looking forward to replacing iptables, the main reason for the purchase was the WebVPN, in particular the ability to do port forwarding. Yes, this is just like SSH local port forwarding.
Here is a config snippet for ASA 7.2(4) that gets port forwarding working.
Actually, if you stop here you would be able to do URL redirection and get to web servers behind the ASA, although this doesn't show up anymore now that port forwarding is set up.
port-forward SSH 2223 192.168.55.100 ssh
group-policy first internal
group-policy first attributes
 functions port-forward auto-download
 port-forward value SSH
Some gotchas here. "port-forward" and "auto-download" have to be on the same line together. It wasn't immediately obvious to me that I had to do the "port-forward value" line. My general approach for Cisco CLI work is to just brute force it to find the minimal config. But this was the key thing I ran across. Without this line, the session won't show up in the UI (see above), although the applet will download.
The steps below are pretty straightforward once you have the group-policy created (above):
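A quick way to check a saved config for the gotchas above, and to list which inside hosts and ports each group-policy exposes through the WebVPN applet. This is an added example, not part of the original post or a Cisco tool; the audit function, its messages and the assumption that a later "functions" line replaces an earlier one are mine, and the sample config is constructed from the snippet on this page.

```python
# Added example: lint an ASA WebVPN config for the port-forward gotchas.
# SAMPLE_CONFIG is constructed from the snippet on this page.
SAMPLE_CONFIG = """\
port-forward SSH 2223 192.168.55.100 ssh
group-policy first internal
group-policy first attributes
 functions port-forward auto-download
 port-forward value SSH
"""

def audit(config):
    """Return (exposed, problems) for the port-forward setup in config."""
    lists, policies, current = {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "group-policy" and len(tok) >= 3:
            policies.setdefault(tok[1], {"functions": set(), "value": None})
            current = tok[1] if tok[2] == "attributes" else None
        elif tok[0] in ("username", "tunnel-group"):
            current = None  # left the group-policy block
        elif tok[0] == "functions" and current:
            # Assumption: a later functions line replaces the earlier one,
            # which is why both keywords must share a single line.
            policies[current]["functions"] = set(tok[1:])
        elif tok[:2] == ["port-forward", "value"] and len(tok) == 3:
            if current:
                policies[current]["value"] = tok[2]
        elif tok[0] == "port-forward" and len(tok) >= 5:
            # port-forward <list> <local port> <inside host> <remote port>
            lists.setdefault(tok[1], []).append(tuple(tok[2:5]))
    exposed, problems = [], []
    for name, pol in policies.items():
        funcs, value = pol["functions"], pol["value"]
        if "auto-download" in funcs and "port-forward" not in funcs:
            problems.append(f"{name}: auto-download without port-forward on the functions line")
        if "port-forward" in funcs and value is None:
            problems.append(f"{name}: no 'port-forward value' line, session will not be listed")
        elif value is not None and value not in lists:
            problems.append(f"{name}: port-forward list {value!r} is not defined")
        for entry in lists.get(value, []):
            exposed.append((name, *entry))
    return exposed, problems

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG)[0]:
        print("policy %s: local %s -> %s:%s" % row)
```

The exposed list doubles as an inventory of inside services reachable over the WebVPN, which is worth reviewing whenever a port-forward list changes.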
username vpnuser password ... encrypted
username vpnuser attributes
tunnel-group test type webvpn
tunnel-group test general-attributes
This works on Ubuntu 8.10 (Java 6) with Firefox 3.x, OS X 10.4 with Safari 3, and Windows XP SP3 with both Firefox 3.x and IE (who knows what versions).