
Enabling PCoIP outbound traffic through an ASA 5520 8.4(4)1

Hello all,

We've got a project that requires a few thin clients to connect to a remote PCoIP server.

Looking at the documentation, the only port required to be open through firewalls is TCP/UDP 4172; however, we've seen (by taking interface captures) that it somehow also uses ESP (IP protocol 50).

We've got a static NAT translation translating those thin clients to a public IP address. We've created ACLs to allow inbound (shouldn't be necessary, as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP, and I cannot make it work.

I've also enabled IPSec pass-through inspection, to no avail.

Does anybody know how we should configure our ASA to enable this kind of traffic?

Thanks in advance.

Best regards,

Igor

4 REPLIES

Any ideas?

Am I going about enabling that traffic through our ASA the correct way?

Best regards,

Igor

No one has an idea of what I should do to configure it?

Am I doing it correctly?


Hi,

Sadly, I have no experience with PCoIP. A quick look around online lists multiple ports for it but does not mention anything about ESP.

If you have gone as far as capturing traffic on the local network to define which traffic to allow, then I am not sure what more can be done in this situation.

I personally usually start troubleshooting by simply looking at the logs of the ASA while attempting the connections, to see if anything gets blocked or if some TCP connections are timing out or being reset right away. And, as you have done, if the logs don't tell me anything, I resort to a capture on the ASA directly and try to confirm what is being sent between the endpoints and whether the remote end is responding at all.

Is there any chance that the remote end is blocking something?

- Jouni


Hello Igor,

Is the View server on the outside interface of the ASA?

If this is the case, as long as you are permitting outbound traffic and you have performed the required NAT, you should be good.

What ports must be open:

TCP 4172

UDP 4172

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
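
The approach discussed in this thread (static NAT plus outbound TCP/UDP 4172, then logs and captures on the ASA), sketched as ASA 8.4 CLI. This is an added example, not configuration posted by anyone in the thread; the object, ACL and capture names and all addresses (10.0.0.10 for a thin client, 203.0.113.10 for its public address, 198.51.100.20 for the remote PCoIP server) are constructed placeholders.

```cisco
! --- Configuration mode ---
! Static NAT for one thin client (8.3+ object NAT syntax).
object network PCOIP-CLIENT
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! Outbound PCoIP, scoped to the one remote server. Add these lines to the ACL
! already applied inbound on the inside interface (INSIDE-IN is a placeholder).
! On 8.3 and later the ACL matches the real (pre-NAT) client address.
! Replies to these flows are permitted statefully; no outside ACL entry is needed.
access-list INSIDE-IN extended permit tcp host 10.0.0.10 host 198.51.100.20 eq 4172
access-list INSIDE-IN extended permit udp host 10.0.0.10 host 198.51.100.20 eq 4172
!
! --- Privileged EXEC mode ---
! Simulate the flow and see which phase (ACL, NAT, ...) allows or drops it.
packet-tracer input inside tcp 10.0.0.10 50001 198.51.100.20 4172 detailed
packet-tracer input inside udp 10.0.0.10 50002 198.51.100.20 4172 detailed
!
! Capture all IP between the two hosts on both interfaces, so traffic other
! than port 4172 (for example IP protocol 50) shows up as well.
! The outside capture matches the translated address.
capture CAP-IN interface inside match ip host 10.0.0.10 host 198.51.100.20
capture CAP-OUT interface outside match ip host 203.0.113.10 host 198.51.100.20
! Packets dropped by the ASA itself, with the drop reason.
capture ASP-DROP type asp-drop all
!
! Reproduce the connection attempt from the thin client, then inspect.
show capture CAP-IN
show capture CAP-OUT
show capture ASP-DROP | include 10.0.0.10
show logging | include 10.0.0.10
!
! Remove the captures when finished.
no capture CAP-IN
no capture CAP-OUT
no capture ASP-DROP
```

If CAP-OUT shows translated packets leaving toward the server and nothing coming back, the ASA is passing the traffic and the remaining suspect is the path or the filtering at the remote end.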