topic Sorry but I'm a bit out of my in Network Security

Accessing NetScaler through ASA5505 issue

NICK SYMIAKAKIS — Tue, 12 Mar 2019 06:16:37 GMT

Hi All, I am hoping someone can help me with this issue.

I have a Citrix NetScaler server on my network that I am trying to access via a public address on the outside of my Cisco ASA5505.

The ASA has two Public Addresses, the first is used for a couple VPN tunnels, which work fine. the second is going to be dedicated tot he Netscaler.

ASA5505 - IOS version 9.0 (1)

Public address: Y.Y.Y.142

NetScaler Server: X.X.X.6

This is what I have programmed in the ASA:

object service https
service tcp source eq https destination eq https
object network NetScaler_External
host Y.Y.Y.142
description Netscaler External IP
object network NetScaler_Internal
host X.X.X.6
description Netscaler Inside Address

access-list outside_access_in remark Netscaler
access-list outside_access_in extended permit object https any object NetScaler_Internal

object network obj_any
nat (inside,outside) dynamic interface
object network NetScaler_Internal
nat (inside,outside) static NetScaler_External service tcp https https
access-group outside_access_in in interface outside

I am not sure what I am missing, but when I try to connect to the NetScaler from the outside, the log shows the connection attempt, then gives me a 30sec. disconnect because of missing SYN.

Any help would greatly be appreciated. I am stuck!

Make sure the Netscaler NAT

Marvin Rhoads — Thu, 16 Jul 2015 15:01:54 GMT

Make sure the Netscaler NAT entry is above the general purpose entry. First match "wins" and if the general rule is being hit, you will not get the desired results.

You can move the rules up or down in ASDM or, if you are using the cli, specify their order to make them be examined in the right sequence.

When viewed in ASDM, the NAT

NICK SYMIAKAKIS — Thu, 16 Jul 2015 15:16:05 GMT

When viewed in ASDM, the NAT statement is above the Any Any rule.

See attached pic.

Hmm, ok that looks good.

Marvin Rhoads — Thu, 16 Jul 2015 15:19:28 GMT

Hmm, ok that looks good.

Can you try packet-tracer from the cli:

packet-tracer input outside tcp 8.8.8.8 1025 <netscaler External IP> 443

Here is the result:NOBLE-5505

NICK SYMIAKAKIS — Thu, 16 Jul 2015 15:24:32 GMT

Here is the result:

NOBLE-5505# packet-tracer input outside tcp 8.8.8.8 1025 207.78.1.142 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NetScaler_Internal
nat (inside,outside) static NetScaler_External service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate Y.Y.Y.142/443 to X.X.X.6/443

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I am not sure what configuration rule it is talking about.

I didn't read your access

Marvin Rhoads — Thu, 16 Jul 2015 15:36:56 GMT

I didn't read your access-list closely enough. You have:

access-list outside_access_in extended permit object https any object NetScaler_Internal

Try instead:

access-list outside_access_in extended permit tcp any4 object NetScaler_Internal eq https

Marvin, that change

NICK SYMIAKAKIS — Thu, 16 Jul 2015 15:48:14 GMT

Marvin, that change definitely got the packet tracer to complete with Allows all the way down.

But when I try to connect through the public IP, I am still getting the 0 SYN Timeout.

OK, can you verify the

Marvin Rhoads — Thu, 16 Jul 2015 15:52:48 GMT

OK, can you verify the Netscaler is receiving the 3-way handshake (i.e. the initial SYN packet)?

You can use the nstrace utility (filtering on the originator from which the communications is failing to narrow things down) to perform a packet capture on the Netscaler.

Also check the Netscaler default route points to your ASA inside interface so that when it does receive the SYN, it knows where to sent the SYN ACK.

Marvin, first let me thank

NICK SYMIAKAKIS — Thu, 16 Jul 2015 20:21:19 GMT

Marvin, first let me thank you for your help so far.

OK, so I tried to run the nstrace on command line, and it is saying "command not found"

do I have to run it from a specific folder?

forgive me, I am not very good with Linux OS.

I did verify the Routes are correct, and I can ping the firewall's inside address.

I am very familiar with Wireshark, but never used nstrace.

Nick,nstrace on a Netscaler

Marvin Rhoads — Fri, 17 Jul 2015 02:32:58 GMT

Nick,

nstrace on a Netscaler needs to be run from the FreeBSD OS shell, not the Netscaler command prompt. Type "shell" from the latter and see the syntax details here.

It's also available from the GUI. Instructions.

It will result in a capture file that you can open in Wireshark.

Hi Marvin, sorry, I am new to

NICK SYMIAKAKIS — Fri, 17 Jul 2015 13:17:44 GMT

Hi Marvin, sorry, I am new to NetScaler, I actually had a consultant install it, and I am just starting to learn it.

So I ran a trace, and what I am seeing in Wireshark, is the Syn coming from outside to Netscaler, then a Syn/Ack going to Outside, then a RST/ACK coming from Outside.

When comparing to a good connection from my workstation inside the network to the Netscaler, the three way completes in the inside, with the final ACK.

I compared the data between the good handshake, and the failed one, and I cannot see why the ASA is resetting the connection. And the odd part, is the ASA log is saying it is not receiving back the SYN from the Netscaler, when the wireshark is showing that the Netscaler sent it.

I am attaching the Wireshark segment.

That's odd, maybe I don't see

Marvin Rhoads — Fri, 17 Jul 2015 22:50:51 GMT

That's odd, maybe I don't see the big picture completely enough.

Is the https address you are trying to access the Netscaler itself (i.e an NSIP or Netscaler IP) or a loadbalance VIP for a server farm?

Is the source IP in the failed handshake that you posted the jpeg of (74.92.61.169) your PC testing from a public IP?

Can you try packet-tracer n the ASA from the inside out using that address pair and post the results? i.e.:

packet-tracer input inside tcp 172.16.3.6 443 74.92.61.169 60535 detail

Hi Marvin, the IP is the

NICK SYMIAKAKIS — Tue, 21 Jul 2015 12:42:30 GMT

Hi Marvin, the IP is the Netscaler itself, and I can access it from the inside network.

The 74 address is the public address my PC is using, I have also tried it from two different locations.

Here is the output of Packet Tracer:

NOBLE-5505# packet-tracer input inside tcp 172.16.3.6 443 74.92.61.169 60535 d$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network NetScaler_Internal
nat (inside,outside) static NetScaler_External service tcp https https
Additional Information:
Static translate 172.16.3.6/443 to 207.78.1.142/443
Forward Flow based lookup yields rule:
in id=0xc88cb928, priority=6, domain=nat, deny=false
        hits=3, user_data=0xcca22340, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=172.16.3.6, mask=255.255.255.255, port=443, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8668990, priority=1, domain=nat-per-session, deny=true
        hits=3334378, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc12d630, priority=0, domain=inspect-ip-options, deny=true
        hits=3147035, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc8668990, priority=1, domain=nat-per-session, deny=true
        hits=3334380, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc0d8320, priority=0, domain=inspect-ip-options, deny=true
        hits=3170385, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3380626, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Everything looks good from

Marvin Rhoads — Tue, 21 Jul 2015 12:59:00 GMT

Everything looks good from the perspective of the ASA.

What exactly are you trying to access on the Netscaler? I haven't checked on the latest versions, but the version 10 boxes I've worked with most required not only tcp/443 for administrative access but also tcp/3008 and/or tcp/3010 for the Java bits of the GUI (encrypted and non-encrypted). You also could add tcp/22 and see if that works for ssh access. Reference.

Primarily I am trying to

NICK SYMIAKAKIS — Tue, 21 Jul 2015 14:40:46 GMT

Primarily I am trying to access the gateway (Citrix Reciever) so I can get to my published applications and desktops.

On my old Citrix platform they referred to it as "Secure Gateway".

As I said, NetScaler is new to me, but the login looks similar.

The consultant that installed it called the virtual server: Netscaler-VPX if that helps.

Sorry but I'm a bit out of my

Marvin Rhoads — Tue, 21 Jul 2015 15:40:37 GMT

Sorry but I'm a bit out of my depth when we get into the Secure Gateway flavor of the Netscaler.

The ASA appears fine for https but there may be some fine point about what the Netscaler Secure Gateway requires that I'm not aware of. Can you confirm there's no proxy server setup in your environment that might be blocking or interfering with the https communications?

You might try the community over at Citrix. I've has good results with them in the past.

http://discussions.citrix.com/forum/5-secure-gateway/

Thank you for all of your

NICK SYMIAKAKIS — Tue, 21 Jul 2015 15:42:46 GMT

Thank you for all of your help in confirming the ASA is setup correctly.

Much Appreciated.

Did you ever find your

jessieherrera — Wed, 27 Apr 2016 15:30:05 GMT

Did you ever find your problem? We are having a weird issue similar to yours with a missing ack from the netscaler server.

We see syn,syn ack, then fin,ack.

We are having an missing ack.