Posted on 01/25/2013
I'm planning to switch from port-forwarding to smart tunnel.
From what I hear, smart tunnel is like port-forwarding but uses a browser.
If I use IE browser or Firefox, how do I tunnel through the ASA?
Which supports split-tunneling?
Does someone here know how to use Cisco smart tunnel?
How do I use Cisco smart tunnel with IE and Firefox?
To give you a brief overview, Smart Tunnel allows for relay of random TCP applications over a clientless SSL protected VPN session which the remote users establish.
A small broker applet downloaded from the ASA (read VPN Gateway) listens for preselected applications and routes them across the SSL VPN Gateway connectivity.
Currently though, this works only on the latest Windows and Mac OS X operating systems. There are also different approaches to configuring thick clients (native software) and thin clients (web clients).
For Thick Clients:
1. Start with creating a list of smart tunnels in ASDM (Adaptive Security Device Manager). Go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels
2. This Smart Tunnels list needs to be mapped with group policy or a particular user profile. Under Clientless SSL VPN Access, go to Group Policies > Edit > Portal
And to configure Web Clients:
1. Create a bookmark in the bookmarks list. Go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
2. Now go ahead and enable the bookmarks under the same section.
3. Similar to above, map the bookmark to a group policy or user profile.
Looking at it from the command line perspective, a sample config should look like this (the smart-tunnel commands go under the webvpn submode of the group policy):
smart-tunnel list TEST Microsoft-RDP-Client MSTSC.EXE platform windows
group-policy WORKGROUPPOLICY attributes
 webvpn
  smart-tunnel auto-start TEST
A couple of typical issues you might come across while trying to configure and test are:
1. The broker agent fails to start in the client. To correct this, double-check the auto-start config and the Java/ActiveX settings in IE/Firefox.
2. The application fails to connect. In this scenario, verify that proper access has been provided in Webtype ACL and of course recheck the application name and relative path.
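As an added example, not part of the original answer, here is a small Python audit script for the first troubleshooting case above: it parses a constructed ASA config fragment (the list names, policies and paths are made up) and flags any group policy whose smart-tunnel auto-start or enable line refers to a list that is never defined, which leaves the broker with nothing to start.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ASA running-config fragment; not from a real device.
SAMPLE_CONFIG = """\
smart-tunnel list TEST Microsoft-RDP-Client MSTSC.EXE platform windows
smart-tunnel list TEST Putty putty.exe platform windows
smart-tunnel list MACAPPS Terminal /Applications/Utilities/Terminal.app platform mac
group-policy WORKGROUPPOLICY attributes
 webvpn
  smart-tunnel auto-start TEST
group-policy CONTRACTORS attributes
 webvpn
  smart-tunnel enable OLDLIST
"""

LIST_RE = re.compile(r"^smart-tunnel list (\S+) (\S+) (\S+)(?: platform (\S+))?")
GP_RE = re.compile(r"^group-policy (\S+) attributes")
USE_RE = re.compile(r"^\s*smart-tunnel (auto-start|enable) (\S+)")


def parse_smart_tunnels(config: str) -> Tuple[Dict[str, List[dict]], Dict[str, Tuple[str, str]]]:
    """Return (lists, bindings).
    lists:    list name -> entries of {app, path, platform}
    bindings: group-policy name -> (mode, list name) for auto-start/enable."""
    lists: Dict[str, List[dict]] = {}
    bindings: Dict[str, Tuple[str, str]] = {}
    current_gp: Optional[str] = None
    for line in config.splitlines():
        if m := LIST_RE.match(line):
            name, app, path, platform = m.groups()
            lists.setdefault(name, []).append(
                {"app": app, "path": path, "platform": platform or "windows"})
        elif m := GP_RE.match(line):
            current_gp = m.group(1)          # entering a group-policy block
        elif current_gp and (m := USE_RE.match(line)):
            bindings[current_gp] = (m.group(1), m.group(2))
        elif line and not line[0].isspace():
            current_gp = None                # any other top-level line ends the block
    return lists, bindings


def audit(config: str) -> List[str]:
    """Report group policies that bind a smart-tunnel list that is not defined."""
    lists, bindings = parse_smart_tunnels(config)
    return [f"{gp}: smart-tunnel {mode} references undefined list {lst}"
            for gp, (mode, lst) in bindings.items() if lst not in lists]
```

Running `audit(SAMPLE_CONFIG)` on the constructed fragment reports the CONTRACTORS policy, whose OLDLIST was never created.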