ASA 5510 configuration for gotomeeting.com

pingram (Level 1)

How can I set up my ASA 5510 to allow my users to be able to get to gotomeeting.com?

9 Replies

Hi,

If the ASA allows Internet access, all websites are allowed.

If you're talking about using the MPF feature on the ASA to allow access to gotomeeting.com you can use a regular expression to match that string and permit the traffic.

Or do you have a CSC module that is filtering HTTP?

Please explain what you want to do.

Federico.

We are having problems connecting to gotomeeting.com.

It is allowed in the Astaro web filter but I think the Firewall is blocking it.

Can you tell me how to configure the firewall to allow gotomeeting to work.

Here is the write up from Citrix.

I think I would like to allow outbound through port 8200.

1. Citrix Online products are configured to work outbound through ports 8200, or 80 or 443. In a restricted environment port 8200 can be set up for outbound connections. Our products do not listen for, nor do they require, any inbound connections. Connections outbound via port 8200 are optimal, although connections through ports 80 and 443 can also be used.

2. If your firewall includes a content or application data scanning filter, this may cause blocking or latency, which would be indicated in the log files for the filter. To address this problem, verify the below IP ranges will not be scanned or filtered by content or application data scanning filters by specifying exception IP ranges that will not be filtered.

3. If your security policy requires you to specify explicit IP ranges, then configure your firewall to limit port 8200 or 80 or 443 destination IP addresses to only the Citrix Online ranges listed below.

Important Note: Steps 2 and 3 are discouraged unless absolutely necessary because such IP ranges need to be periodically audited and modified, creating additional maintenance to your network. These changes are rare, but they may be necessary to continue to provide the maximum performance for the Citrix Online family of applications. Maintenance and failover events may cause you to connect to servers within any of the ranges.

Citrix Online Server / Datacenter IP Addresses for Use in Firewall Configurations
(equivalent specifications in three common formats)

Citrix Online assigned range by block*   Numeric IP address range           Netmask notation                 CIDR notation
Block 1                                  216.115.208.0 - 216.115.223.255    216.115.208.0 255.255.240.0      216.115.208.0/20
Block 2                                  216.219.112.0 - 216.219.127.255    216.219.112.0 255.255.240.0      216.219.112.0/20
Block 3                                  66.151.158.0 - 66.151.158.255      66.151.158.0 255.255.255.0       66.151.158.0/24
Block 4                                  66.151.150.160 - 66.151.150.191    66.151.150.160 255.255.255.224   66.151.150.160/27
Block 5                                  66.151.115.128 - 66.151.115.191    66.151.115.128 255.255.255.192   66.151.115.128/26
Block 6                                  64.74.80.0 - 64.74.80.255          64.74.80.0 255.255.255.0         64.74.80.0/24
Block 7                                  202.173.24.0 - 202.173.31.255      202.173.24.0 255.255.248.0       202.173.24.0/21
Block 8                                  67.217.64.0 - 67.217.95.255        67.217.64.0 255.255.224.0        67.217.64.0/19
Block 9                                  78.108.112.0 - 78.108.127.255      78.108.112.0 255.255.240.0       78.108.112.0/20
Block 10                                 68.64.0.0 - 68.64.31.255           68.64.0.0 255.255.224.0          68.64.0.0/19
Block 11                                 206.183.100.0 - 206.183.103.255    206.183.100.0 255.255.252.0      206.183.100.0/22

You will need to check the configuration of the ASA to see if it's blocking the traffic, then.

What you can check is the following:

ACL applied to the inside interface should be allowing this traffic.

If you're filtering HTTP also check that.

If you need assistance to check the configuration, you can post the 'sh run' here and just remove the sensitive part of the configuration.

Federico.

Here is the config without the critical information.

There's inspection for HTTP but I think the problem might be with the ACL applied to the inside interface (acl_in).

You can do the following test just to confirm the above:

Pick an internal host, e.g. 10.1.1.1

Add a rule to permit that host to access any traffic on the internet:

access-list acl_in line 1 extended permit ip host 10.1.1.1 any

Then, try accessing gotomeeting.com from that host and see if it works. If it works, it is because there's something on that ACL blocking the traffic, and we can check it out to determine why.

Federico.

I added the following

access-list acl_in extended permit ip host "users ip address" any

Now it is working. This solution will not work because he takes his laptop out to other branches and will not always get the same IP address.

I need to create an ACL that will allow everyone to get out to gotomeeting.com.

Now we know that it's just a matter of permitting the traffic in the ACL.

If you include a permit ip statement it works, so one solution could be the following:

Instead of:

access-list acl_in extended permit ip host "users ip address" any

Use:

access-list acl_in extended permit ip LOCAL_NETWORK LOCAL_MASK any

The above will allow any IP in the LOCAL_NETWORK (given as network address plus netmask) to get out.

Now, if you want to restrict the traffic instead of opening the entire IP stack, you should enable logs for the Citrix transactions and check which ports are being used so that you open only those.

Federico.

Okay, I believe we are almost there!

Can you show me the configuration to allow traffic on port 8200?

access-list acl_in extended permit tcp LOCAL_LAN LOCAL_MASK any eq 8200

If 8200 runs on top of UDP, just change tcp to udp.

Federico.
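The thread ends with a bare `permit tcp ... any eq 8200`, while the Citrix write-up quoted earlier (step 3 and the address table) shows how to go tighter when policy demands it: restrict the destination to the published Citrix Online blocks and the ports to 8200, 80 and 443. The script below is an added example, not code from the thread or from Cisco/Citrix. It takes the eleven blocks exactly as quoted, checks that each block's numeric range, netmask notation and CIDR notation really describe the same prefix (a typo in any of the three would silently widen or break the ACL), and then emits the ASA object-group and access-list lines. The LAN prefix 10.1.1.0/24, the ACL name acl_in, and the object-group names CITRIX_ONLINE and CITRIX_TCP are assumptions; the thread only shows a host 10.1.1.1 and the ACL name acl_in.

```python
"""Least-privilege outbound ACL for Citrix Online / GoToMeeting on a Cisco ASA.

Added example, not code from the thread.  Checks the Citrix address blocks as
quoted in the post for internal consistency, then emits ASA CLI lines that
permit only TCP 8200, 80 and 443 from the local LAN to those blocks.
The LAN prefix, ACL name and object-group names are assumptions.
"""
import ipaddress

# Constructed from the table quoted in the thread:
# (first address, last address, network, netmask, CIDR)
CITRIX_BLOCKS = [
    ("216.115.208.0", "216.115.223.255", "216.115.208.0", "255.255.240.0", "216.115.208.0/20"),
    ("216.219.112.0", "216.219.127.255", "216.219.112.0", "255.255.240.0", "216.219.112.0/20"),
    ("66.151.158.0", "66.151.158.255", "66.151.158.0", "255.255.255.0", "66.151.158.0/24"),
    ("66.151.150.160", "66.151.150.191", "66.151.150.160", "255.255.255.224", "66.151.150.160/27"),
    ("66.151.115.128", "66.151.115.191", "66.151.115.128", "255.255.255.192", "66.151.115.128/26"),
    ("64.74.80.0", "64.74.80.255", "64.74.80.0", "255.255.255.0", "64.74.80.0/24"),
    ("202.173.24.0", "202.173.31.255", "202.173.24.0", "255.255.248.0", "202.173.24.0/21"),
    ("67.217.64.0", "67.217.95.255", "67.217.64.0", "255.255.224.0", "67.217.64.0/19"),
    ("78.108.112.0", "78.108.127.255", "78.108.112.0", "255.255.240.0", "78.108.112.0/20"),
    ("68.64.0.0", "68.64.31.255", "68.64.0.0", "255.255.224.0", "68.64.0.0/19"),
    ("206.183.100.0", "206.183.103.255", "206.183.100.0", "255.255.252.0", "206.183.100.0/22"),
]

# Outbound ports named in the Citrix write-up quoted in the thread.
CITRIX_PORTS = (8200, 80, 443)


def check_block(first, last, net, mask, cidr):
    """True if the range, netmask and CIDR spellings all describe one prefix.

    A typo in any of the three (e.g. a last address that spills past the
    prefix, or a CIDR with host bits set) yields False rather than a wider ACE.
    """
    try:
        by_cidr = ipaddress.IPv4Network(cidr)            # strict: rejects host bits set
        by_mask = ipaddress.IPv4Network(f"{net}/{mask}")  # accepts dotted netmask
    except ValueError:
        return False
    return (by_cidr == by_mask
            and by_cidr.network_address == ipaddress.IPv4Address(first)
            and by_cidr.broadcast_address == ipaddress.IPv4Address(last))


def consistent_blocks(blocks=CITRIX_BLOCKS):
    """CIDR strings of every block whose three notations agree."""
    return [b[4] for b in blocks if check_block(*b)]


def asa_config(lan_cidr, acl_name="acl_in", line=None,
               blocks=CITRIX_BLOCKS, ports=CITRIX_PORTS):
    """Return ASA CLI lines restricting LAN -> Citrix to the listed TCP ports.

    `line` optionally positions the ACE (e.g. line=1) so it lands before the
    deny in acl_name that was blocking the traffic; ASA ACLs are first-match,
    so an ACE appended after a broad deny never fires.  Refuses to emit
    anything if a block definition is internally inconsistent.
    """
    bad = [b[4] for b in blocks if not check_block(*b)]
    if bad:
        raise ValueError(f"inconsistent block definitions, refusing to emit: {bad}")
    lan = ipaddress.IPv4Network(lan_cidr)
    out = ["object-group network CITRIX_ONLINE"]
    for b in blocks:
        n = ipaddress.IPv4Network(b[4])
        out.append(f" network-object {n.network_address} {n.netmask}")
    out.append("object-group service CITRIX_TCP tcp")
    out.extend(f" port-object eq {p}" for p in ports)
    position = f" line {line}" if line is not None else ""
    out.append(f"access-list {acl_name}{position} extended permit tcp "
               f"{lan.network_address} {lan.netmask} "
               f"object-group CITRIX_ONLINE object-group CITRIX_TCP")
    return out


if __name__ == "__main__":
    # 10.1.1.0/24 is an assumed LAN; the thread only shows the host 10.1.1.1.
    print("\n".join(asa_config("10.1.1.0/24", line=1)))
```

Running it prints one network object-group with the eleven blocks, one TCP service object-group with 8200, 80 and 443, and a single ACE for acl_in placed at line 1 so it is evaluated before whatever deny was blocking the traffic in the thread. The Citrix note about periodic audits applies here too: when Citrix publishes new ranges, update CITRIX_BLOCKS and regenerate rather than hand-editing the object-group, and the consistency check catches a mistyped range before it reaches the firewall.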
