topic ASA 5510 configuration for gotomeeting.com in Network Security

ASA 5510 configuration for gotomeeting.com

pingram — Mon, 11 Mar 2019 19:03:37 GMT

How can I setup my asa 5510 to allow my users to be able to

get to gotomeeting.com

Re: ASA 5510 configuration for gotomeeting.com

Federico Coto Fajardo — Tue, 02 Nov 2010 16:23:18 GMT

Hi,

If the ASA allows internet all websites are allowed.

If you're talking about using the MPF feature on the ASA to allow access to gotomeeting.com you can use a regular expression to match that string and permit the traffic.

Or do you have a CSC module that it's filtering HTTP?

Please explain what you want to do.

Federico.

Re: ASA 5510 configuration for gotomeeting.com

pingram — Tue, 02 Nov 2010 16:41:23 GMT

We are having problems connecting to gotomeeting.com.

It is allowed in the Astaro web filter but I think the Firewall is blocking it.

Can you tell me how to configure the firewall to allow gotomeeting to work.

Here is the write up from Citrix.

I think I would like to allow outbound through port 8200.

1. Citrix Online products are configured to work outbound through ports 8200, or 80 or 443. In a restricted environment port 8200 can be set

up for outbound connections. Our products do not listen for, nor do they require, any inbound connections. Connections outbound via

port 8200 are optimal, although connections through ports 80 and 443 can also be used.

2. If your firewall includes a content or application data scanning filter, this may cause blocking or latency, which would be indicated in the log

files for the filter. To address this problem, verify the below IP ranges will not be scanned or filtered by content or application data scanning

filters by specifying exception IP ranges that will not be filtered.

3. If your security policy requires you to specify explicit IP ranges, then configure your firewall to limit port 8200 or 80 or 443 destination IP

addresses to only the Citrix Online ranges listed below.

Important Note: Steps 2 and 3 are discouraged unless absolutely necessary because such IP ranges need to be periodically audited

and modified, creating additional maintenance to your network. These changes are rare, but they may be necessary to continue to provide

the maximum performance for the Citrix Online family of applications. Maintenance and failover events may cause you to connect to servers

within any of the ranges.

Citrix Online Server / Datacenter IP Addresses for Use in Firewall Configurations

Equivalent Specifications in 3 Common Formats

Citrix Online

Assigned Range

by Block*

Numeric IP Address Range Netmask Notation CIDR Notation

Block 1 216.115.208.0 - 216.115.223.255 216.115.208.0 255.255.240.0 216.115.208.0 / 20

Block 2 216.219.112.0 - 216.219.127.255 216.219.112.0 255.255.240.0 216.219.112.0 / 20

Block 3 66.151.158.0 - 66.151.158.255 66.151.158.0 255.255.255.0 66.151.158.0 / 24

Block 4 66.151.150.160 - 66.151.150.191 66.151.150.160 255.255.255.224 66.151.150.160 / 27

Block 5 66.151.115.128 - 66.151.115.191 66.151.115.128 255.255.255.192 66.151.115.128 / 26

Block 6 64.74.80.0 - 64.74.80.255 64.74.80.0 255.255.255.0 64.74.80.0 / 24

Block 7 202.173.24.0 - 202.173.31.255 202.173.24.0 255.255.248.0 202.173.24.0 / 21

Block 8 67.217.64.0 - 67.217.95.255 67.217.64.0 255.255.224.0 67.217.64.0 / 19

Block 9 78.108.112.0 - 78.108.127.255 78.108.112.0 255.255.240.0 78.108.112.0 / 20

Block 10 68.64.0.0 - 68.64.31.255 68.64.0.0 255.255.224.0 68.64.0.0 / 19

Block 11 206.183.100.0 - 206.183.103.255 206.183.100.0 255.255.252.0 206.183.100.0 / 22

Re: ASA 5510 configuration for gotomeeting.com

Federico Coto Fajardo — Tue, 02 Nov 2010 16:45:37 GMT

You will need to check the configuration of the ASA to check if it's blocking the traffic then.

What you can check is the following:

ACL applied to the inside interface should be allowing this traffic.

If you're filtering HTTP also check that.

If you need assistance to check the configuration, you can post the ''sh run'' here and just remove the sensitive part of the configuration.

Federico.

Re: ASA 5510 configuration for gotomeeting.com

pingram — Tue, 02 Nov 2010 18:11:40 GMT

Here is the config without the critical information.

Re: ASA 5510 configuration for gotomeeting.com

Federico Coto Fajardo — Tue, 02 Nov 2010 20:54:40 GMT

There's inspection for HTTP but I think the problem might be with the ACL applied to the inside interface (acl_in).

You can do the following test just to confirm the above:

Pick up an internal host i.e. 10.1.1.1

Add a rule to permit that host to access any traffic on the internet:

access-list acl_in line 1 permit ip host 10.1.1.1 any

Then, try accesing gotomeeting.com from that host and see if it works. If it works is because there's something on that ACL blocking the traffic and we can check it out to determine why.

Federico.

Re: ASA 5510 configuration for gotomeeting.com

pingram — Wed, 03 Nov 2010 18:26:43 GMT

I added the following

access-list acl_in extended permit ip host "users ip address" any

Now it is working. This solution will not work because he takes his laptop out to other branches and will not always get the same IP address.

I need to create an ACL that will allow everyone to get out to gotomeeting.com.

Re: ASA 5510 configuration for gotomeeting.com

Federico Coto Fajardo — Wed, 03 Nov 2010 18:32:02 GMT

Now we know that it's just a matter of permitting the traffic in the ACL.

If you include a permit ip statement it works, so one solution could be the following:

Instead of:

access-list acl_in extended permit ip host "users ip address" any

Use:

access-list acl_in extended permit ip LOCAL_NETWORK any

The above will allow any IP in the LOCAL_NETWORK to get out.

Now, if you want to restrict the traffic instead of opening the entire IP stack, you should enable logs for the Citrix transactions and check which ports are being used so that you open only those.

Federico.

Re: ASA 5510 configuration for gotomeeting.com

pingram — Wed, 03 Nov 2010 18:57:05 GMT

Okay I believe we are almost there!.

Can you show me the configuration to allow traffice on port 8200.

Re: ASA 5510 configuration for gotomeeting.com

Federico Coto Fajardo — Wed, 03 Nov 2010 19:00:13 GMT

access-list NAME permit tcp LOCAL_LAN any eq 8200

If 8200 runs on top of UDP, just change TCP for UDP.

Federico.