ASA - SSL VPN Thin Client - part 1


Before you start this tutorial, make sure your SSL VPN is operational. If it is not, please check my tutorial for SSL VPN Clientless, which covers the configuration needed to enable SSL VPN.

Thin Client, often called "Port Forwarding", is a solution that extends the functionality of the Clientless VPN. You still do not need any special software such as a VPN client, but it gives you some extra features.

Port Forwarding uses Java, so Java must be installed on the end-user station.




Go to the Port Forwarding menu.


Click "Add"


List name cannot contain "spaces".

Click "Add" and configure port forwarding.


Forward telnet to core switch

To connect to the core switch via telnet (on port 23), you actually connect to port 5000 on the local PC, and your connection is then forwarded to the core switch.


 Telnet redirection

 Forward ssh to firewall


 SSH port forwarding


Click "OK" to close the forwarding list.

Apply changes (see CLI view below).




Go to the group policy (the one we created in the SSL VPN Clientless tutorial).



Click "Edit" and go to Portal - Port Forwarding List, untick "Inherit" and choose our port forwarding list (see picture below).



When you tick "Auto Applet Download", the "Port forwarding application" will start automatically after you log in to the SSL VPN.

It works well in IE browsers, but for the rest I recommend not enabling it.

Click "OK" and apply the configuration.



Log in to the SSL VPN and click "Application Access"


 Click "Start Applications" to run port forwarding.


Now telnet to port 5000 on the local PC to connect to the core switch.

telnet 5000


 Working, excellent!


The application also shows that traffic has been sent to and from the core switch.

Be careful: telnet traffic is only secured as far as the ASA. From the ASA to the switch, traffic is sent via the normal, unencrypted telnet protocol.
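
The caveat above can be checked against the configuration itself. The following is an added example, not part of the original tutorial: it parses `port-forward` entries from an ASA configuration and flags those whose remote port is a cleartext protocol. The list name, group-policy name, addresses and the SSH local port in the sample are constructed placeholders, and the script assumes the configuration may show well-known ports by name.

```python
import re

# Constructed sample in ASA CLI form; list name, policy name, addresses and
# the SSH local port are placeholders, not values from the tutorial.
SAMPLE_CONFIG = """\
webvpn
 port-forward thin_client 5000 192.0.2.10 telnet Telnet to core switch
 port-forward thin_client 5001 192.0.2.1 ssh SSH to firewall
group-policy SSLVPN_POLICY attributes
 webvpn
  port-forward enable thin_client
"""

# Remote ports that stay unencrypted between the ASA and the server.
# Keyed by number and by name (assumption: ports may be shown by name).
CLEARTEXT = {"21": "ftp", "23": "telnet", "80": "http", "110": "pop3",
             "143": "imap", "ftp": "ftp", "telnet": "telnet", "www": "http",
             "http": "http", "pop3": "pop3", "imap4": "imap"}

# port-forward <list> <local_port> <remote_server> <remote_port> [description]
ENTRY = re.compile(r"^\s*port-forward\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def audit_port_forward(config_text):
    """Return one dict per forwarding entry; 'cleartext' is None unless the
    remote port is a known cleartext protocol."""
    findings = []
    for line in config_text.splitlines():
        m = ENTRY.match(line)
        if not m:  # also skips "port-forward enable <list>" in the group policy
            continue
        name, local, server, remote, desc = m.groups()
        findings.append({"list": name, "local_port": int(local),
                         "server": server, "remote_port": remote,
                         "description": (desc or "").strip(),
                         "cleartext": CLEARTEXT.get(remote.lower())})
    return findings


def cleartext_entries(config_text):
    """Entries whose ASA-to-server leg uses a cleartext protocol."""
    return [f for f in audit_port_forward(config_text) if f["cleartext"]]


if __name__ == "__main__":
    for f in cleartext_entries(SAMPLE_CONFIG):
        print(f"{f['list']}: local port {f['local_port']} -> {f['server']} "
              f"({f['cleartext']}) is unencrypted past the ASA")
```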


dzbanek 2013-03-29
