Accessing NetScaler through ASA5505 issue

NICK SYMIAKAKIS
Level 1

Hi All, I am hoping someone can help me with this issue.

I have a Citrix NetScaler server on my network that I am trying to access via a public address on the outside of my Cisco ASA5505.

The ASA has two public addresses. The first is used for a couple of VPN tunnels, which work fine; the second is going to be dedicated to the NetScaler.

ASA5505 - IOS version 9.0 (1)

Public address: Y.Y.Y.142

NetScaler Server: X.X.X.6

 

This is what I have programmed in the ASA:

object service https
 service tcp source eq https destination eq https
object network NetScaler_External
 host Y.Y.Y.142
 description Netscaler External IP
object network NetScaler_Internal
 host X.X.X.6
 description Netscaler Inside Address

 

access-list outside_access_in remark Netscaler
access-list outside_access_in extended permit object https any object NetScaler_Internal

 

object network obj_any
 nat (inside,outside) dynamic interface
object network NetScaler_Internal
 nat (inside,outside) static NetScaler_External service tcp https https
access-group outside_access_in in interface outside

I am not sure what I am missing, but when I try to connect to the NetScaler from the outside, the log shows the connection attempt, then gives me a 30 sec. disconnect because of a missing SYN.

 

Any help would be greatly appreciated. I am stuck!

 

Accepted Solution

Sorry but I'm a bit out of my depth when we get into the Secure Gateway flavor of the Netscaler.

The ASA appears fine for https but there may be some fine point about what the Netscaler Secure Gateway requires that I'm not aware of. Can you confirm there's no proxy server setup in your environment that might be blocking or interfering with the https communications?

You might try the community over at Citrix. I've had good results with them in the past.

http://discussions.citrix.com/forum/5-secure-gateway/ 

 


17 Replies

Marvin Rhoads
Hall of Fame

Make sure the Netscaler NAT entry is above the general purpose entry. First match "wins" and if the general rule is being hit, you will not get the desired results.

You can move the rules up or down in ASDM or, if you are using the CLI, specify their order to make them be examined in the right sequence.

When viewed in ASDM, the NAT statement is above the Any Any rule.

See attached pic.

Hmm, ok that looks good.

Can you try packet-tracer from the cli:

packet-tracer input outside tcp 8.8.8.8 1025 <netscaler External IP> 443

Here is the result:

NOBLE-5505# packet-tracer input outside tcp 8.8.8.8 1025 207.78.1.142 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NetScaler_Internal
 nat (inside,outside) static NetScaler_External service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate Y.Y.Y.142/443 to X.X.X.6/443

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

I am not sure what configuration rule it is talking about.

I didn't read your access-list closely enough. You have:

access-list outside_access_in extended permit object https any object NetScaler_Internal

Try instead:

access-list outside_access_in extended permit tcp any4 object NetScaler_Internal eq https
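Why the first ACE produced the "acl-drop" in the packet-tracer output above: the `object service https` is defined with `source eq https`, so the ACE only matches packets whose *source* port is 443, and a client SYN always carries an ephemeral source port. The following is an added example, not code from the thread or from Cisco; it models only as much ASA ACL and static-NAT behaviour as is needed to reproduce both packet-tracer runs (on 8.3+ the ACL is checked against the real, untranslated address after the UN-NAT phase). The port table and the 8.8.8.8:1025 test packet are constructed to match the thread.

```python
"""Model ASA ACE matching for the two ACLs in the thread (added example)."""
from dataclasses import dataclass

PORT_NAMES = {"https": 443, "http": 80, "ssh": 22}

# Objects exactly as posted (X.X.X.6 / Y.Y.Y.142 are the poster's placeholders).
NETWORK_OBJECTS = {"NetScaler_Internal": "X.X.X.6", "NetScaler_External": "Y.Y.Y.142"}
# object service https: service tcp source eq https destination eq https
SERVICE_OBJECTS = {"https": ("tcp", 443, 443)}
# nat (inside,outside) static NetScaler_External service tcp https https
STATIC_NAT = {("Y.Y.Y.142", 443): ("X.X.X.6", 443)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(toks, i):
    """Parse one address spec starting at toks[i]; return (addr, next index)."""
    if toks[i] in ("any", "any4"):
        return "any", i + 1
    if toks[i] == "object":
        return NETWORK_OBJECTS[toks[i + 1]], i + 2
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError("unsupported address spec: " + toks[i])


def _eq_port(toks, i, default):
    """Consume an optional 'eq <port>' after an address spec."""
    if i < len(toks) and toks[i] == "eq":
        return port(toks[i + 1]), i + 2
    return default, i


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ...' into a rule dict."""
    toks = line.split()
    action, i = toks[3], 4
    if toks[i] == "object":                      # protocol and BOTH ports from a service object
        proto, sport, dport = SERVICE_OBJECTS[toks[i + 1]]
        i += 2
    else:                                        # protocol inline, ports only via 'eq'
        proto, sport, dport = toks[i], None, None
        i += 1
    src, i = _addr(toks, i)
    sport, i = _eq_port(toks, i, sport)
    dst, i = _addr(toks, i)
    dport, i = _eq_port(toks, i, dport)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)


def untranslate(pkt):
    """UN-NAT phase: map the public address/port back to the real inside host."""
    real = STATIC_NAT.get((pkt.dst, pkt.dport))
    return Packet(pkt.proto, pkt.src, pkt.sport, *real) if real else pkt


def matches(rule, pkt):
    return (rule["proto"] == pkt.proto
            and rule["src"] in ("any", pkt.src)
            and rule["sport"] in (None, pkt.sport)      # None = any source port
            and rule["dst"] in ("any", pkt.dst)
            and rule["dport"] in (None, pkt.dport))


def evaluate(acl_lines, pkt):
    """First matching ACE wins; no match hits the implicit deny (acl-drop)."""
    real = untranslate(pkt)
    for line in acl_lines:
        if line.split()[2] != "extended":        # skip 'remark' lines
            continue
        rule = parse_ace(line)
        if matches(rule, real):
            return rule["action"]
    return "deny (implicit rule)"


POSTED_ACL = [
    "access-list outside_access_in remark Netscaler",
    "access-list outside_access_in extended permit object https any object NetScaler_Internal",
]
FIXED_ACL = [
    "access-list outside_access_in extended permit tcp any4 object NetScaler_Internal eq https",
]
# The packet-tracer input from the thread: a client SYN with an ephemeral source port.
CLIENT_SYN = Packet("tcp", "8.8.8.8", 1025, "Y.Y.Y.142", 443)

if __name__ == "__main__":
    print("posted ACL:", evaluate(POSTED_ACL, CLIENT_SYN))   # deny (implicit rule)
    print("fixed ACL: ", evaluate(FIXED_ACL, CLIENT_SYN))    # permit
```

The posted ACE is not merely broken: it permits exactly those clients whose source port happens to be 443, which is why `service tcp source eq ... destination eq ...` objects belong in ACEs only when the protocol really fixes both ports. For a server-side rule, name the protocol inline and constrain only the destination port, as in the corrected line.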

Marvin, that change definitely got the packet tracer to complete with Allows all the way down.

But when I try to connect through the public IP, I am still getting the 0 SYN Timeout.

 

OK, can you verify the Netscaler is receiving the 3-way handshake (i.e. the initial SYN packet)?

You can use the nstrace utility (filtering on the originator from which the communication is failing to narrow things down) to perform a packet capture on the Netscaler.

Also check the Netscaler default route points to your ASA inside interface so that when it does receive the SYN, it knows where to send the SYN ACK.

Marvin, first let me thank you for your help so far.

OK, so I tried to run the nstrace on the command line, and it is saying "command not found".

do I have to run it from a specific folder?

forgive me, I am not very good with Linux OS.

I did verify the Routes are correct, and I can ping the firewall's inside address.

I am very familiar with Wireshark, but never used nstrace.

Nick,

nstrace on a Netscaler needs to be run from the FreeBSD OS shell, not the Netscaler command prompt. Type "shell" from the latter and see the syntax details here

It's also available from the GUI. Instructions.

It will result in a capture file that you can open in Wireshark.

Hi Marvin, sorry, I am new to NetScaler, I actually had a consultant install it, and I am just starting to learn it.

 

So I ran a trace, and what I am seeing in Wireshark is the SYN coming from outside to the NetScaler, then a SYN/ACK going to outside, then a RST/ACK coming from outside.

 

When comparing to a good connection from my workstation inside the network to the Netscaler, the three-way handshake completes on the inside, with the final ACK.

I compared the data between the good handshake and the failed one, and I cannot see why the ASA is resetting the connection. And the odd part is, the ASA log is saying it is not receiving back the SYN from the Netscaler, when Wireshark is showing that the Netscaler sent it.

 

I am attaching the Wireshark segment.
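The comparison described in the post above (a handshake that completes from the inside but is reset from the outside, while the ASA reports a SYN timeout) is easier to make systematically than by eyeballing two Wireshark windows. The following is an added example, not code from the thread or from Citrix or Cisco. It classifies every TCP handshake in a capture and lists the packets one vantage point saw that another did not. The packet records are constructed: the first list mirrors the nstrace observation described above using the 74.92.61.169 / 172.16.3.6 pair from the thread, with 172.16.3.20 standing in for an inside workstation; the second list is a hypothetical capture from the firewall's inside interface, included only to show the comparison, and is not data the thread provides.

```python
"""Classify TCP handshakes in a capture and diff two vantage points (added example)."""
from collections import defaultdict

# Verdicts returned by classify()
COMPLETE = "complete handshake"
CLIENT_RST = "SYN/ACK answered with RST from client"
NO_SYNACK = "SYN seen, no SYN/ACK"
HALF_OPEN = "SYN/ACK sent, final ACK missing"
NO_SYN = "no SYN in capture"

# (time, src, sport, dst, dport, flags): the columns one would export from Wireshark.
# Constructed records, not the poster's trace.
NETSCALER_TRACE = [
    (0.000, "74.92.61.169", 60535, "172.16.3.6", 443, "SYN"),
    (0.001, "172.16.3.6", 443, "74.92.61.169", 60535, "SYN,ACK"),
    (0.040, "74.92.61.169", 60535, "172.16.3.6", 443, "RST,ACK"),
    (5.000, "172.16.3.20", 51000, "172.16.3.6", 443, "SYN"),
    (5.001, "172.16.3.6", 443, "172.16.3.20", 51000, "SYN,ACK"),
    (5.002, "172.16.3.20", 51000, "172.16.3.6", 443, "ACK"),
]
# Hypothetical capture on the firewall's inside interface for the same window
# (not from the thread): the SYN and the client's RST passed, no SYN/ACK was seen.
FIREWALL_INSIDE_TRACE = [
    (0.000, "74.92.61.169", 60535, "172.16.3.6", 443, "SYN"),
    (0.040, "74.92.61.169", 60535, "172.16.3.6", 443, "RST,ACK"),
]


def flow_key(p):
    """Direction-independent key: the two endpoints in sorted order."""
    a, b = (p[1], p[2]), (p[3], p[4])
    return (a, b) if a <= b else (b, a)


def group_flows(packets):
    flows = defaultdict(list)
    for p in sorted(packets):                 # chronological order
        flows[flow_key(p)].append(p)
    return flows


def _client(pkts):
    """The client is whoever sent the bare SYN; None if no SYN is in the flow."""
    return next(((p[1], p[2]) for p in pkts if p[5] == "SYN"), None)


def classify(pkts):
    """Handshake verdict for one flow's packets."""
    client = _client(pkts)
    if client is None:
        return NO_SYN
    from_client = [p for p in pkts if (p[1], p[2]) == client]
    if not any(p[5] == "SYN,ACK" for p in pkts):
        return NO_SYNACK
    if any(p[5].startswith("RST") for p in from_client):
        return CLIENT_RST
    if any(p[5] == "ACK" for p in from_client):
        return COMPLETE
    return HALF_OPEN


def report(packets):
    """Map 'client_ip:port' -> verdict for every flow in a capture."""
    out = {}
    for pkts in group_flows(packets).values():
        client = _client(pkts) or (pkts[0][1], pkts[0][2])
        out["%s:%d" % client] = classify(pkts)
    return out


def _ident(p):
    return p[1:]                              # ignore timestamps when matching packets


def missing_at(seen_here, seen_there):
    """Packets in one capture but absent from another, for flows both captures saw.

    A SYN/ACK listed here left the server but never reached the second vantage
    point; a firewall 'SYN Timeout' teardown means the firewall never saw the
    handshake complete, so this is the packet to look for.
    """
    there = {_ident(p) for p in seen_there}
    there_flows = {flow_key(p) for p in seen_there}
    gaps = defaultdict(list)
    for p in seen_here:
        if flow_key(p) in there_flows and _ident(p) not in there:
            gaps[flow_key(p)].append("%s %s:%d->%s:%d" % (p[5], p[1], p[2], p[3], p[4]))
    return dict(gaps)


if __name__ == "__main__":
    for client, verdict in report(NETSCALER_TRACE).items():
        print(client, "->", verdict)
    for pkts in missing_at(NETSCALER_TRACE, FIREWALL_INSIDE_TRACE).values():
        print("not seen at firewall:", pkts)
```

To obtain the second capture on the ASA itself rather than constructing it, `capture ns interface inside match tcp host X.X.X.6 eq 443 any` followed by `show capture ns` (and `no capture ns` when done) records what the inside interface actually sees for the NetScaler's port 443; feeding both captures to `missing_at` shows at which hop the SYN/ACK stops.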

That's odd, maybe I don't see the big picture completely enough.

Is the https address you are trying to access the Netscaler itself (i.e an NSIP or Netscaler IP) or a loadbalance VIP for a server farm?

Is the source IP in the failed handshake that you posted the jpeg of (74.92.61.169) your PC testing from a public IP?

Can you try packet-tracer on the ASA from the inside out using that address pair and post the results? i.e.:

packet-tracer input inside tcp 172.16.3.6 443 74.92.61.169 60535 detail

Hi Marvin, the IP is the Netscaler itself, and I can access it from the inside network.

The 74 address is the public address my PC is using, I have also tried it from two different locations.

 

Here is the output of Packet Tracer:

NOBLE-5505# packet-tracer input inside tcp 172.16.3.6 443 74.92.61.169 60535 d$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network NetScaler_Internal
 nat (inside,outside) static NetScaler_External service tcp https https
Additional Information:
Static translate 172.16.3.6/443 to 207.78.1.142/443
 Forward Flow based lookup yields rule:
 in  id=0xc88cb928, priority=6, domain=nat, deny=false
        hits=3, user_data=0xcca22340, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=172.16.3.6, mask=255.255.255.255, port=443, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc8668990, priority=1, domain=nat-per-session, deny=true
        hits=3334378, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc12d630, priority=0, domain=inspect-ip-options, deny=true
        hits=3147035, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xc8668990, priority=1, domain=nat-per-session, deny=true
        hits=3334380, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcc0d8320, priority=0, domain=inspect-ip-options, deny=true
        hits=3170385, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3380626, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Everything looks good from the perspective of the ASA.

What exactly are you trying to access on the Netscaler? I haven't checked on the latest versions, but the version 10 boxes I've worked with most required not only tcp/443 for administrative access but also tcp/3008 and/or tcp/3010 for the Java bits of the GUI (encrypted and non-encrypted). You also could add tcp/22 and see if that works for ssh access. Reference.

Primarily I am trying to access the gateway (Citrix Receiver) so I can get to my published applications and desktops.

On my old Citrix platform they referred to it as "Secure Gateway".

As I said, NetScaler is new to me, but the login looks similar.

The consultant that installed it called the virtual server: Netscaler-VPX if that helps.
