topic Can you post sanitized config in Network Security

Cisco ASA and Citrix Netscaler

beesley — Tue, 12 Mar 2019 08:08:39 GMT

Hello!

I am currently attempting to setup a Citrix Netscaler in our environment. I have encountered a roadblock though. We currently have 1 DMZ where the Netscaler is sitting. When attempting to setup LDAP authentication to our domain controller on our Inside network, it fails to detect the server. I opened a thread on Citrix's forums and have made some progress but still haven't resolved the issue.

First off our network details.

Netscaler SNIP - 172.16.1.46

DC - 192.168.1.43

The information I acquired from Citrix was to run nstcpdump.sh host 192.168.1.43 on the console. At first it revealed an R flag when the Netscaler SNIP attempted to communicate to our DC. I added an access rule in our ASA to allow TCP/LDAP from 172.16.1.46 -> 192.168.1.43. Now when performing the nstcpdump.sh command, I receive the R flag but this time from 192.168.1.43 [port 389] -> 172.16.1.46 [any port]. I am having troubles how to achieve a solution. I figure it is an access rule that needs to be set up but what I've tried so far is not fairing well. Any ideas? I really appreciate any feedback!

Thanks,

Kalab

Hi Kalab,

mvsheik123 — Wed, 17 Aug 2016 23:31:07 GMT

Hi Kalab,

What is the ASA version? Assuming you have required routing in place...

1.Inside to DMZ communication allowed?

2. Access list applied and no deny statements above the permit rule?

Try packet tracer from ASA...

packet-tracer input DMZ tcp 172.16.1.46 54444 192.168.1.43 389

It will give display what casing the issue. Post the output.

hth

ASA version is 9.1.7 (ASA

beesley — Thu, 18 Aug 2016 13:47:25 GMT

ASA version is 9.1.7 (ASA 5510)

In our NAT rules, I have a rule that allows Inside to DMZ1 communication (Server on inside network to Netscaler SNIP on DMZ1)

I only have one deny rule and that is the Global which is an implicit rule (Source Any, Dest Any, Service IP, Action Deny)

Here is the output from the packet tracer.

NALL-ASA# packet-tracer input DMZ1 tcp 172.16.1.46 54444 192.168.1.43 389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ1,Inside) source static Netscaler-SNIP Netscaler-SNIP destination static Inside-Networks Inside-Networks
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.1.43/389 to 192.168.1.43/389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ1_access_in in interface DMZ1
access-list DMZ1_access_in extended permit tcp object Netscaler-SNIP object EYENET09 eq ldap
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ1,Inside) source static Netscaler-SNIP Netscaler-SNIP destination static Inside-Networks Inside-Networks
Additional Information:
Static translate 172.16.1.46/54444 to 172.16.1.46/54444

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: DMZ1
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Remove the nat statement and

mvsheik123 — Thu, 18 Aug 2016 23:13:17 GMT

Remove the nat statement and try...

no nat (DMZ1,Inside) source static Netscaler-SNIP Netscaler-SNIP destination static Inside-Networks Inside-Networks

Thx

I removed the previous NAT

beesley — Tue, 23 Aug 2016 18:11:00 GMT

I removed the NAT statement and attempted the command through the CLI in the ASDM and received this message:

ERROR: NAT configuration not found

Thanks,

Kalab

Can you post sanitized config

mvsheik123 — Sat, 27 Aug 2016 02:46:05 GMT

Can you post sanitized config of your ASA ?

Thx