This is a quick and easy way to give access to an internal resource from outside using a clientless SSL VPN, with no VPN client installed.
Assuming the basic configuration is already done, the configuration on the ASA looks like the following:
webvpn
 enable OUTSIDE
group-policy WEBVPN internal
group-policy WEBVPN attributes
 banner value "Unauthorized Access Denied"
 vpn-tunnel-protocol ssl-clientless
username cisco password cisco123
username cisco attributes
 vpn-group-policy WEBVPN
OUTSIDE is the name of the G0/0 interface. What I have done here is define the group policy and its attributes, and then specify the group policy under the username attributes.
When the user opens a web browser and browses to the OUTSIDE interface IP, the banner will be displayed after entering the username. In this example the username is cisco and the password is cisco123.
You can see that the following services will be accessible.
If routing is available from the ASA to the server, the user will be able to gain access without the need for any access control entry.
What actually happens at the back end is that the ASA assigns a new IP to the user session. The server will see that IP, not the real user IP.
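The group policy above places no restriction on what a logged-in user can reach through the portal. As an added example (not part of the original post), a web-type ACL applied with filter under the group policy's webvpn mode limits clientless sessions to named URLs, and the local account is limited to remote-access use. The ACL name WEB_ONLY, the web server address 192.168.10.20 and the timeout values are assumptions.

```cisco
! Added example, not from the original post.
! WEB_ONLY and 192.168.10.20 are assumed names/addresses; adjust to your network.
!
! Web-type ACL: permit only the intranet web server over http/https.
! The final deny is written out so that blocked requests are logged.
access-list WEB_ONLY webtype permit url http://192.168.10.20/*
access-list WEB_ONLY webtype permit url https://192.168.10.20/*
access-list WEB_ONLY webtype deny url any log
!
group-policy WEBVPN attributes
 vpn-tunnel-protocol ssl-clientless
 ! One session per account, dropped after 15 idle minutes (assumed values).
 vpn-simultaneous-logins 1
 vpn-idle-timeout 15
 webvpn
  ! Attach the web-type ACL to clientless sessions in this group policy.
  filter value WEB_ONLY
!
! Restrict the local account to VPN logins, with no management access to the ASA.
! Replace the sample password cisco123 before using this outside a lab.
username cisco attributes
 vpn-group-policy WEBVPN
 service-type remote-access
```

After applying it, `show running-config group-policy WEBVPN` should list the filter line under webvpn.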
Port Forwarding with WebVPN
As you can see in the dropdown, only http, https, cifs and ftp are the supported protocols. If you need any other protocol, such as telnet or ssh, you set up a port forward in WebVPN.
webvpn
 port-forward APPS 30001 192.168.10.10 23
group-policy WEBVPN attributes
 webvpn
  port-forward value APPS
Anyone in the WebVPN group will have this access.
Now log off and log in again, and another new icon, "Application Access", will be shown.
If JRE 1.4 is working well on the user's PC, you will get the dialog box to access it. Because of Java issues, it will not be possible to run this on most machines. Even the later versions of JRE would not work.