SSL VPN and Port Forwarding

May 4th, 2010

Could someone explain SSL VPN and Port Forwarding to me?

I have a recently installed ASA 5520 that replaced our old PIX 515. We have a contractor who accesses some devices on our network, and they previously used traditional IPsec VPN (we also had a VPN 3000 Concentrator) to access them.

I've set them up with a login for SSL VPN with links to the devices they need to access; however, the application they access (with IE) does not load properly, a problem the contractor says is due to ports 1911 and 3011 being blocked. In the limited reading I've been able to do, I understand that unlike IPsec VPN, SSL VPN only allows certain ports through. Do I need to configure port forwarding for these two ports to allow access to this application, and if so, what do I need for the "local port" and "remote port"?

Thanks,

Rob

Overall Rating: 5 (1 rating)
Paul Carco Tue, 05/04/2010 - 11:58

Since you were allowing the contractor to use the IPsec client, can you allow them to use AnyConnect? That will most likely solve your issue quickly.

Is the problem application truly a web-based application that doesn't involve using a client/server type app on the end user's PC? If you want to stay in a clientless-only scenario and there is an app on the client, you should look at SmartTunnels before you go down the road of using Port Forwarding.

Regards,

Paul

rcoote5902_2 Tue, 05/04/2010 - 12:06

I could do that, but I'd rather limit them to the web portal that SSL offers. It keeps them where they need to be.

Paul Carco Tue, 05/04/2010 - 12:20

Understood, we will do the same if possible when we migrate contractors from IPsec to SSL.

Here is a link on SmartTunnel: https://supportforums.cisco.com/docs/DOC-6172

Haven't really spent too much time with Port Forwarding, but here is some info directly from Cisco. HTH.

"Why Port Forwarding?

Port forwarding is the legacy technology for supporting TCP-based applications over a clientless SSL VPN connection. You may choose to use port forwarding because you have built earlier configurations that support this technology.

Please consider the following alternatives to port forwarding:

Smart tunnel access offers the following advantages to users:

  • Smart tunnel offers better performance than plug-ins.
  • Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user connection of the local application to the local port.
  • Unlike port forwarding, smart tunnel does not require users to have administrator privileges.

Unlike port forwarding and smart tunnel access, a plug-in does not require the client application to be installed on the remote computer.

When configuring port forwarding on the security appliance, you specify the port the application uses. When configuring smart tunnel access, you specify the name of the executable file or its path."

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1291474
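As an added example (configuration written for this page, not taken from the thread or from the Cisco text quoted above), here is what the legacy port-forwarding option looks like in ASA CLI for the two ports the contractor named. In a port-forward entry the local port is the loopback port that the port-forwarding Java applet opens on the user's PC, and the remote port is the port on the internal server that the ASA connects to; the applet also rewrites the user's hosts file so the server name resolves to 127.0.0.1, which is why it needs administrator rights and why the server should be given by DNS name rather than IP address. The hostname, list name and group-policy name are placeholders.

```cisco
! Added example configuration for this page (not from the thread).
! hvac.example.local, HVAC_PORTS and CONTRACTOR_GP are placeholders.
!
! Each entry is:
!   port-forward <list> <local_port> <remote_server> <remote_port> <description>
! local_port  = port the port-forwarding Java applet listens on at 127.0.0.1
!               on the user's PC
! remote_port = port on the internal server the ASA connects to on the
!               user's behalf
! The applet maps <remote_server> to 127.0.0.1 in the user's hosts file, so
! an applet that connects to hvac.example.local:1911 lands on the local
! port. Keeping local_port equal to remote_port means the application does
! not have to be re-pointed at a different port.
webvpn
 port-forward HVAC_PORTS 1911 hvac.example.local 1911 HVAC application port 1911
 port-forward HVAC_PORTS 3011 hvac.example.local 3011 HVAC application port 3011
!
! Attach the list to the contractor's group policy. auto-start launches
! the applet as soon as the user logs in to the clientless portal.
group-policy CONTRACTOR_GP attributes
 webvpn
  port-forward enable HVAC_PORTS
  port-forward auto-start HVAC_PORTS
```

Two practical checks before relying on this: the user must be able to run the Java applet with local administrator rights (the hosts-file edit fails otherwise), and the application must address the server by the name used in the port-forward entry, not by IP address. If either is not true, this is the point at which smart tunnel, as Paul's reply and the Cisco text suggest, is the better fit.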

Jay Young (Cisco Employee) Wed, 05/05/2010 - 15:32

Just like with the IPsec client, the AnyConnect client will provide full IP access to your network. This will highly likely solve any application issue. If you are concerned about your vendors reaching other resources within your network, you may want to consider using a vpn-filter. It is basically an access list to filter all traffic that comes across the VPN tunnel. This way you can limit your vendors to only access specific services.
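As an added example (configuration written for this page, not taken from the thread), here is the vpn-filter approach Jay describes in ASA CLI for this case: the contractor gets AnyConnect, but the group policy's filter only permits the HVAC host on the two ports plus HTTP for the page itself. The host address, pool, and all names are placeholders. The caveat that most often trips people up is direction: vpn-filter ACEs are written with the internal resource as the source and the VPN client pool as the destination, so the service port sits on the source side; confirm this against the vpn-filter section of the configuration guide for your release.

```cisco
! Added example configuration for this page (not from the thread).
! 10.10.20.50 (HVAC host), 10.10.99.0/24 (AnyConnect pool) and all
! names are placeholders.
!
! Direction caveat: in a vpn-filter ACE the internal resource is the
! SOURCE and the VPN client (pool) is the DESTINATION, so the service port
! goes on the source side. The ASA tracks TCP state, so the contractor's
! connection to 10.10.20.50:1911 and the replies both pass.
access-list VENDOR_HVAC_FILTER extended permit tcp host 10.10.20.50 eq 1911 10.10.99.0 255.255.255.0
access-list VENDOR_HVAC_FILTER extended permit tcp host 10.10.20.50 eq 3011 10.10.99.0 255.255.255.0
access-list VENDOR_HVAC_FILTER extended permit tcp host 10.10.20.50 eq 80 10.10.99.0 255.255.255.0
! Explicit final deny with logging so blocked attempts show up in syslog;
! the implicit deny at the end of the ACL would drop them silently.
access-list VENDOR_HVAC_FILTER extended deny ip any any log
!
! Dedicated pool so the filter's destination side is a predictable range.
ip local pool VENDOR_POOL 10.10.99.10-10.10.99.20 mask 255.255.255.0
!
! Group policy for the vendor: AnyConnect only (the 8.x keyword is "svc"),
! with the filter applied to every tunnel that lands in this policy.
group-policy VENDOR_HVAC_GP internal
group-policy VENDOR_HVAC_GP attributes
 vpn-tunnel-protocol svc
 vpn-filter value VENDOR_HVAC_FILTER
!
! Separate tunnel group so the vendor cannot log in to the staff profile.
tunnel-group VENDOR_HVAC type remote-access
tunnel-group VENDOR_HVAC general-attributes
 address-pool VENDOR_POOL
 default-group-policy VENDOR_HVAC_GP
```

Once the contractor connects, `show vpn-sessiondb svc` lists the session with the filter in effect, and `show access-list VENDOR_HVAC_FILTER` shows per-ACE hit counts, which is the quickest way to see whether the application really only needs 1911 and 3011 or is reaching for something else that the final deny is logging.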

rcoote5902_2 Thu, 05/06/2010 - 10:08

I'd like to keep things as simple as possible for these folks; they aren't that savvy. If I can present them with the clientless SSL login and a portal page with just the links to what they need to access, that is exactly what I need.

I really just need to find a way to make this web application work properly, and I assume it's these ports that are the problem.

Jay Young (Cisco Employee) Thu, 05/06/2010 - 10:50

rcoote5902,


I would say then that using a bookmark with smart tunneling enabled will be your best bet. If it still fails at that point, then you probably have something like a Java app embedded within the page. You'll then need to smart tunnel certain applications in addition (like java.exe and javaws.exe).

rcoote5902_2 Thu, 05/06/2010 - 11:08

You might be onto something there; while it is only a web page they access, it does use Java, and I believe that is the part that is failing.

Paul Carco Thu, 05/06/2010 - 11:00

I am currently running an SSL pilot and working through some of the same issues you seem to have. And as I said, the users that get AnyConnect are just fine, but I do have some "web applications" that are troublesome on the clientless portal. I will most likely end up with some APCF files to help the rewriting issues. If the application is written sloppily, there is only so much the ASA's rewriter can do.

If you don't have HttpWatch, look into it, as it's very helpful in analyzing the web applications.

Is there a process (.exe) that has to be run on the user's machine to access this application?

What is the error when they try to use the application?

rcoote5902_2 Thu, 05/06/2010 - 11:33

Part of the page loads (the top menu bar) and then the content fails with a 'red x' and null message.  There is a details button that provides the following:


java.net.ConnectException: Connection refused: connect
   at java.net.PlainSocketImpl.socketConnect(Native Method)
   at java.net.PlainSocketImpl.doConnect(Unknown Source)
   at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
   at java.net.PlainSocketImpl.connect(Unknown Source)
   at java.net.SocksSocketImpl.connect(Unknown Source)
   at java.net.Socket.connect(Unknown Source)
   at sun.net.NetworkClient.doConnect(Unknown Source)
   at sun.net.www.http.HttpClient.openServer(Unknown Source)
   at sun.net.www.http.HttpClient.openServer(Unknown Source)
   at sun.net.www.http.HttpClient.<init>(Unknown Source)
   at sun.net.www.http.HttpClient.New(Unknown Source)
   at sun.net.www.http.HttpClient.New(Unknown Source)
   at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
   at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
   at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
   at java.net.URL.openStream(Unknown Source)
   at com.tridium.workbench.shell.BNiagaraWbApplet.logon(BNiagaraWbApplet.java)
   at com.tridium.workbench.shell.BNiagaraWbApplet.appletStart(BNiagaraWbApplet.java)

City of Kalamazoo Thu, 09/23/2010 - 13:21

@rcoote5902 - Did you ever get this to work? I believe I'm going down the EXACT same path as you. Would these Java-based web applications happen to be related to a Niagara HVAC system by chance?


I'm to the point of entering in the Smart Tunneling information, but I haven't found a clear description of what needs to be entered in the "Application ID" portion...and obviously what .exe to list.  So far I've listed java.exe, javaw.exe, jp2launcher.exe, javaws.exe and iexplore.exe.


Let me know how you got around this....thanks.

rcoote5902_2 Thu, 09/23/2010 - 16:05

Sadly, no, I never did get this to work. I ended up giving the vendor access using AnyConnect. It is HVAC software, but I'm not entirely sure what brand; it is definitely Java-based, though. If you get it to work, I'd love to know how.

City of Kalamazoo Fri, 09/24/2010 - 05:46

Well, I'm still trying to get it to work. I've found that if your ASA is running 8.04 or older, Smart Tunneling won't work if your application is using Java and your client is using Java 6 Update 10 or newer. It also looks like Windows wants the exact path to the Java file being used, which is impossible since different versions of Java install to slightly different paths. I think I could get this to work on my test box, but our HVAC users could have one of a zillion different install paths for Java on the PCs they use off site, depending on which version they have installed. Ugh.


Did you happen to try to get this with Port Forwarding?

rcoote5902_2 Fri, 09/24/2010 - 07:02

Checked this morning - the application is Johnson Controls Facility Browser HVAC system, also java based.  I did try the port forwarding however I was unable to find any information on exactly which applications needed to be forwarded.  I tried the same as you java.exe, etc. but was unable to get it working.

Jay Young (Cisco Employee) Fri, 09/24/2010 - 10:15

I would try running the HVAC program, then open up Task Manager and confirm what processes are actually being run. Many times these Java programs are kicked off by java.exe but are actually some other process.
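As an added example (configuration written for this page, not taken from the thread), here is the smart tunnel list that the last several posts converge on, in ASA CLI: the processes City of Kalamazoo listed for a Java applet launched from Internet Explorer, attached to the contractor's group policy so it starts with the clientless session. The list and group-policy names are placeholders. The "Application ID" that ASDM asks for is the middle token of each `smart-tunnel list` line, an arbitrary unique label; the last token is the process name, and the CLI accepts a bare executable name as well as a full path. Which of these processes actually opens the sockets is exactly what Jay's Task Manager check shows while the HVAC page is loading: a listed process that never runs is harmless, while an unlisted process that does run makes its connection directly from the contractor's PC, which is the failure mode in this thread.

```cisco
! Added example configuration for this page (not from the thread).
! HVAC_JAVA and CONTRACTOR_GP are placeholders.
!
! Each entry is:
!   smart-tunnel list <list> <application_id> <process_name> [hash]
! application_id = arbitrary unique label ("Application ID" in ASDM)
! process_name   = executable to hook; a bare filename is accepted, which
!                  sidesteps the per-version Java install paths discussed
!                  above (a full path is also accepted if you want to pin one)
! hash           = optional SHA-1 of the binary; pins one exact build, so
!                  leave it off for a vendor whose Java version you don't
!                  control
webvpn
 smart-tunnel list HVAC_JAVA ie iexplore.exe
 smart-tunnel list HVAC_JAVA java java.exe
 smart-tunnel list HVAC_JAVA javaw javaw.exe
 smart-tunnel list HVAC_JAVA javaws javaws.exe
 smart-tunnel list HVAC_JAVA jp2launcher jp2launcher.exe
!
! Attach the list to the contractor's group policy. auto-start brings the
! smart tunnel up as soon as the user logs in to the clientless portal, so
! the bookmark can be opened without a separate "Application Access" step.
group-policy CONTRACTOR_GP attributes
 webvpn
  smart-tunnel enable HVAC_JAVA
  smart-tunnel auto-start HVAC_JAVA
```

Keep the list to the processes Task Manager actually shows for this application; every executable you add is another process whose TCP connections are carried into the network, which is the same exposure a vpn-filter is used to contain on the AnyConnect side.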
