11-02-2010 08:44 AM - edited 03-11-2019 12:03 PM
How can I set up my ASA 5510 to allow my users to be able to get to gotomeeting.com?
11-02-2010 09:23 AM
Hi,
If the ASA allows internet access, all websites are allowed.
If you're talking about using the MPF feature on the ASA to allow access to gotomeeting.com, you can use a regular expression to match that string and permit the traffic.
Or do you have a CSC module that it's filtering HTTP?
Please explain what you want to do.
Federico.
11-02-2010 09:41 AM
We are having problems connecting to gotomeeting.com.
It is allowed in the Astaro web filter but I think the Firewall is blocking it.
Can you tell me how to configure the firewall to allow gotomeeting to work.
Here is the write-up from Citrix.
I think I would like to allow outbound through port 8200.
1. Citrix Online products are configured to work outbound through ports 8200, or 80 or 443. In a restricted environment port 8200 can be set up for outbound connections. Our products do not listen for, nor do they require, any inbound connections. Connections outbound via port 8200 are optimal, although connections through ports 80 and 443 can also be used.

2. If your firewall includes a content or application data scanning filter, this may cause blocking or latency, which would be indicated in the log files for the filter. To address this problem, verify the below IP ranges will not be scanned or filtered by content or application data scanning filters by specifying exception IP ranges that will not be filtered.

3. If your security policy requires you to specify explicit IP ranges, then configure your firewall to limit port 8200 or 80 or 443 destination IP addresses to only the Citrix Online ranges listed below.

Important Note: Steps 2 and 3 are discouraged unless absolutely necessary because such IP ranges need to be periodically audited and modified, creating additional maintenance to your network. These changes are rare, but they may be necessary to continue to provide the maximum performance for the Citrix Online family of applications. Maintenance and failover events may cause you to connect to servers within any of the ranges.
Citrix Online Server / Datacenter IP Addresses for Use in Firewall Configurations
(Citrix Online assigned range by block*, given as equivalent specifications in 3 common formats)

Block     Numeric IP Address Range           Netmask Notation                 CIDR Notation
Block 1   216.115.208.0 - 216.115.223.255    216.115.208.0 255.255.240.0      216.115.208.0/20
Block 2   216.219.112.0 - 216.219.127.255    216.219.112.0 255.255.240.0      216.219.112.0/20
Block 3   66.151.158.0 - 66.151.158.255      66.151.158.0 255.255.255.0       66.151.158.0/24
Block 4   66.151.150.160 - 66.151.150.191    66.151.150.160 255.255.255.224   66.151.150.160/27
Block 5   66.151.115.128 - 66.151.115.191    66.151.115.128 255.255.255.192   66.151.115.128/26
Block 6   64.74.80.0 - 64.74.80.255          64.74.80.0 255.255.255.0         64.74.80.0/24
Block 7   202.173.24.0 - 202.173.31.255      202.173.24.0 255.255.248.0       202.173.24.0/21
Block 8   67.217.64.0 - 67.217.95.255        67.217.64.0 255.255.224.0        67.217.64.0/19
Block 9   78.108.112.0 - 78.108.127.255      78.108.112.0 255.255.240.0       78.108.112.0/20
Block 10  68.64.0.0 - 68.64.31.255           68.64.0.0 255.255.224.0          68.64.0.0/19
Block 11  206.183.100.0 - 206.183.103.255    206.183.100.0 255.255.252.0      206.183.100.0/22
11-02-2010 09:45 AM
You will need to check the configuration of the ASA to check if it's blocking the traffic then.
What you can check is the following:
ACL applied to the inside interface should be allowing this traffic.
If you're filtering HTTP also check that.
If you need assistance to check the configuration, you can post the 'sh run' here and just remove the sensitive part of the configuration.
Federico.
11-02-2010 11:11 AM
11-02-2010 01:54 PM
There's inspection for HTTP, but I think the problem might be with the ACL applied to the inside interface (acl_in).
You can do the following test just to confirm the above:
Pick an internal host, e.g. 10.1.1.1.
Add a rule to permit that host to access any traffic on the internet:
access-list acl_in line 1 permit ip host 10.1.1.1 any
Then, try accessing gotomeeting.com from that host and see if it works. If it works, it's because there's something on that ACL blocking the traffic, and we can check it out to determine why.
Federico.
11-03-2010 11:26 AM
I added the following
access-list acl_in extended permit ip host "users ip address" any
Now it is working. This solution will not work because he takes his laptop out to other branches and will not always get the same IP address.
I need to create an ACL that will allow everyone to get out to gotomeeting.com.
11-03-2010 11:32 AM
Now we know that it's just a matter of permitting the traffic in the ACL.
If you include a permit ip statement it works, so one solution could be the following:
Instead of:
access-list acl_in extended permit ip host "users ip address" any
Use:
access-list acl_in extended permit ip LOCAL_NETWORK any
The above will allow any IP in the LOCAL_NETWORK to get out.
Now, if you want to restrict the traffic instead of opening the entire IP stack, you should enable logs for the Citrix transactions and check which ports are being used so that you open only those.
Federico.
11-03-2010 11:57 AM
Okay, I believe we are almost there!
Can you show me the configuration to allow traffic on port 8200?
11-03-2010 12:00 PM
access-list NAME permit tcp LOCAL_LAN any eq 8200
If 8200 runs on top of UDP, just change tcp to udp.
Federico.
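The following is an added example, not code from the thread, from Cisco or from Citrix. It takes the eleven Citrix blocks quoted above, checks that each row's three notations (address range, netmask, CIDR) really describe the same network before anything is typed into the firewall, and emits the ASA object-group and access-list lines that implement Federico's last answer either as Citrix step 1 (port 8200 to anywhere) or as Citrix step 3 (8200, 80 and 443 limited to the published blocks). The inside network 10.1.0.0 255.255.0.0, the ACL name acl_in and the interface name inside are assumptions; substitute your own.

```python
import ipaddress

# Citrix Online ranges exactly as quoted in the thread:
# (block number, first address, last address, netmask, CIDR).
CITRIX_BLOCKS = [
    (1,  "216.115.208.0",  "216.115.223.255", "255.255.240.0",   "216.115.208.0/20"),
    (2,  "216.219.112.0",  "216.219.127.255", "255.255.240.0",   "216.219.112.0/20"),
    (3,  "66.151.158.0",   "66.151.158.255",  "255.255.255.0",   "66.151.158.0/24"),
    (4,  "66.151.150.160", "66.151.150.191",  "255.255.255.224", "66.151.150.160/27"),
    (5,  "66.151.115.128", "66.151.115.191",  "255.255.255.192", "66.151.115.128/26"),
    (6,  "64.74.80.0",     "64.74.80.255",    "255.255.255.0",   "64.74.80.0/24"),
    (7,  "202.173.24.0",   "202.173.31.255",  "255.255.248.0",   "202.173.24.0/21"),
    (8,  "67.217.64.0",    "67.217.95.255",   "255.255.224.0",   "67.217.64.0/19"),
    (9,  "78.108.112.0",   "78.108.127.255",  "255.255.240.0",   "78.108.112.0/20"),
    (10, "68.64.0.0",      "68.64.31.255",    "255.255.224.0",   "68.64.0.0/19"),
    (11, "206.183.100.0",  "206.183.103.255", "255.255.252.0",   "206.183.100.0/22"),
]

# Ports from the Citrix write-up: 8200 preferred, 80 and 443 as fallbacks.
CITRIX_TCP_PORTS = (8200, 80, 443)


def check_block(first, last, netmask, cidr):
    """True if the range, netmask and CIDR forms of one row describe the same network."""
    net = ipaddress.ip_network(cidr, strict=True)  # raises ValueError if host bits are set
    return (net.network_address == ipaddress.ip_address(first)
            and net.broadcast_address == ipaddress.ip_address(last)
            and str(net.netmask) == netmask)


def inconsistent_blocks(blocks):
    """Block numbers whose three notations disagree; an empty list means the table is consistent."""
    return [n for n, *row in blocks if not check_block(*row)]


def is_citrix_address(ip, blocks):
    """True if ip falls inside one of the published blocks (handy when reading ASA ACL logs)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for *_, cidr in blocks)


def asa_config(blocks, inside_net="10.1.0.0", inside_mask="255.255.0.0",
               acl="acl_in", iface="inside", restrict_to_citrix=True):
    """ASA configuration lines permitting GoToMeeting outbound from the inside network.

    restrict_to_citrix=True implements Citrix step 3 (destinations limited to the
    published blocks); False implements step 1 only (port 8200 to anywhere).
    The network, ACL and interface names are assumed values, not from the thread.
    """
    lines = []
    if restrict_to_citrix:
        lines.append("object-group network CITRIX_ONLINE")
        for _n, first, _last, mask, _cidr in blocks:
            lines.append(f" network-object {first} {mask}")
        lines.append("object-group service CITRIX_PORTS tcp")
        for port in CITRIX_TCP_PORTS:
            lines.append(f" port-object eq {port}")
        dst = "object-group CITRIX_ONLINE"
        lines.append(f"access-list {acl} extended permit tcp {inside_net} {inside_mask} "
                     f"{dst} object-group CITRIX_PORTS")
        # Federico's note: if 8200 turns out to run over UDP, permit that too.
        lines.append(f"access-list {acl} extended permit udp {inside_net} {inside_mask} "
                     f"{dst} eq 8200")
    else:
        lines.append(f"access-list {acl} extended permit tcp {inside_net} {inside_mask} any eq 8200")
        lines.append(f"access-list {acl} extended permit udp {inside_net} {inside_mask} any eq 8200")
    lines.append(f"access-group {acl} in interface {iface}")
    return "\n".join(lines)


if __name__ == "__main__":
    bad = inconsistent_blocks(CITRIX_BLOCKS)
    if bad:
        raise SystemExit(f"table rows disagree for blocks: {bad}")
    print(asa_config(CITRIX_BLOCKS))
```

Two caveats when pasting the output into the ASA: new access-list entries are appended to the end of an existing ACL, so if acl_in already ends with an explicit deny, add them with a `line N` argument ahead of it, the way Federico's `line 1` test did; and the consistency check only proves the 2010 table agrees with itself, not that the ranges are still current, which is exactly why Citrix's note discourages steps 2 and 3 unless your policy requires them.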