05-06-2012 04:12 PM - last edited on 02-21-2020 11:23 PM by cc_security_adm
Problem:
Outside access to inside Citrix server.
IP Info:
ISP gave me x.x.x.16/30, so my IP address on e0/0 is x.x.x.18.
ISP gave me x.x.x.24/29 as usable IP addresses.
IPs I want to use:
192.168.76.12 = Citrix
x.x.x.29 = NAT to Citrix
On the last site I had a /29, so my config was simple to NAT, but here I 'thought' I could use sub-interfaces, and that is not working.
Config:
hostname Dasa
names
name 192.168.74.0 Vallywood description Valleywood D
!
interface Ethernet0/0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address x.x.x.18 255.255.255.252
!
interface Ethernet0/0.2
vlan 2
nameif Outside_IPs
security-level 0
ip address x.x.x.25 255.255.255.248
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.76.1 255.255.254.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit intra-interface
object network obj-192.168.76.0
subnet 192.168.76.0 255.255.254.0
object network Vallywood
subnet 192.168.74.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Citrix
host 192.168.76.12
description Citrix Server Inside
object network Citrix_Outside
host x.x.x.29
description Citrix Server Outside
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object icmp echo
service-object tcp-udp destination eq www
service-object tcp destination eq 2598
access-list 101 extended permit icmp any any echo-reply inactive
access-list 101 extended permit icmp any any source-quench inactive
access-list 101 extended permit icmp any any unreachable inactive
access-list 101 extended permit icmp any any time-exceeded inactive
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list INSIDE_nat0_outbound extended permit ip 192.168.76.0 255.255.254.0 object Vallywood
access-list OUTSIDE_1_cryptomap extended permit ip object obj-192.168.76.0 object Vallywood
access-list Outside_access_in extended permit tcp any host 50.200.31.29 eq citrix-ica
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host x.x.x.29
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Outside_IPs 1500
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,any) source static obj-192.168.76.0 obj-192.168.76.0 destination static Vallywood Vallywood unidirectional
nat (INSIDE,OUTSIDE) source static obj-192.168.76.0 obj-192.168.76.0 destination static Vallywood Vallywood
nat (INSIDE,OUTSIDE) source static Citrix Citrix destination static Citrix_Outside Citrix_Outside description Citrix NAT
!
object network obj_any
nat (INSIDE,OUTSIDE) dynamic interface
access-group Outside_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
05-17-2012 06:15 AM
Access-list:
"access-list Outside_access_in extended permit tcp any host 50.200.31.29 eq citrix-ica" is incorrect; it should be the private IP as follows:
access-list Outside_access_in extended permit tcp any host 192.168.76.12 eq citrix-ica
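The reply's point, turned into an added configuration check that is not part of the thread: on the 8.3(2) image in this config, the ASA matches access-lists against the real (untranslated) address, so an entry that names the NAT-mapped address never matches. The script parses object, nat and access-list lines and flags such entries; the sample config is constructed, 203.0.113.29 stands in for the thread's x.x.x.29, and the nat line is the assumed real-to-mapped static translation.

```python
import re

# Constructed sample, not the thread's full config: the object and access-list
# lines mirror the thread, 203.0.113.29 stands in for the thread's x.x.x.29,
# and the nat line is the assumed real-to-mapped static translation.
SAMPLE_CONFIG = """\
object network Citrix
 host 192.168.76.12
object network Citrix_Outside
 host 203.0.113.29
nat (INSIDE,OUTSIDE) source static Citrix Citrix_Outside
access-list Outside_access_in extended permit tcp any host 203.0.113.29 eq citrix-ica
access-list Outside_access_in extended permit tcp any host 192.168.76.12 eq citrix-ica
"""


def mapped_to_real(config):
    """Return {mapped_ip: real_ip} for static NAT rules, resolving object names."""
    objects, rules, current = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s*host (\S+)", line):
            objects[current] = m.group(1)
        # twice NAT: "nat (in,out) source static REAL MAPPED"
        elif m := re.match(r"\s*nat \(\S+\) source static (\S+) (\S+)", line):
            rules.append((m.group(1), m.group(2)))
        # object NAT: indented "nat (in,out) static MAPPED" under "object network REAL"
        elif m := re.match(r"\s*nat \(\S+\) static (\S+)", line):
            rules.append((current, m.group(1)))
    mapping = {}
    for real, mapped in rules:
        real_ip, mapped_ip = objects.get(real), objects.get(mapped, mapped)
        if real_ip and real_ip != mapped_ip:  # identity NAT translates nothing
            mapping[mapped_ip] = real_ip
    return mapping


def find_mapped_ip_acls(config):
    """ASA 8.3+ matches ACLs on the real (untranslated) address, so an entry that
    names a mapped address never matches; return (offending, corrected) pairs."""
    mapping = mapped_to_real(config)
    findings = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            for ip in re.findall(r"\bhost (\S+)", line):
                if ip in mapping:
                    fixed = line.replace(f"host {ip}", f"host {mapping[ip]}")
                    findings.append((line, fixed))
    return findings
```

Running find_mapped_ip_acls on a saved "show running-config" flags the x.x.x.29 entry and prints the corrected line with the private address, which is exactly the substitution the reply makes.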