
Enabling PCoIP outbound traffic through an ASA 5520 8.4(4)1

Igor Rodriguez
Level 1

Hello all,

We've got a project that requires a few thin clients to connect to a remote PCoIP server.

Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).

We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.

I've also enabled IPSec pass-through Inspection to no avail.

Does anybody know how we should configure our ASA to enable this kind of traffic?

Thanks in advance.

Best regards,

Igor

4 Replies

Igor Rodriguez
Level 1

Any ideas?

Am I on the correct way to enable that traffic through our ASA?

Best regards,

Igor

No one has an idea of what should I do to configure it?

Am I doing it correctly?

Hi,

Sadly I have no experience with PCoIP. A quick look around online lists multiple ports for it but does not mention anything about ESP.

If you have gone as far as capture traffic on the local network to define which traffic to allow then I am not sure what more can be done in this situation.

I personally usually start troubleshooting by simply looking at the logs of the ASA while attempting the connections. See if anything gets blocked or if some TCP connections are timing out or reset right away. And as you have done, if the logs don't tell anything I resort to capture on the ASA directly and try to confirm what is being sent between the endpoints and if indeed the remote end is responding at all.

Is there any chance that the remote end is blocking something?

- Jouni

Julio Carvajal
VIP Alumni

Hello Igor,

Is the view server on the outside interface of the ASA?

If this is the case, as long as you are permitting outbound traffic and you have performed the required NAT you should be good.

What ports must be open:

TCP 4172

UDP 4172

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
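
The setup and checks discussed in this thread, written out as an added example for ASA 8.4 syntax (not configuration posted by any participant). All addresses are constructed documentation-range values and the object, ACL and capture names are hypothetical.

```cisco
! Constructed values: 10.0.0.10 = thin client (real address),
! 203.0.113.10 = its public address, 198.51.100.20 = remote PCoIP server.

! Static NAT for the thin client (object NAT, 8.3+ syntax)
object network THIN-CLIENT-1
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10

object network PCOIP-SERVER
 host 198.51.100.20

! Outbound policy: only the documented PCoIP port, only to the one server.
! If an ACL is already applied inbound on "inside", add these two lines to
! that ACL instead; binding a new ACL replaces it and implicitly denies the rest.
access-list INSIDE-IN extended permit tcp object THIN-CLIENT-1 object PCOIP-SERVER eq 4172
access-list INSIDE-IN extended permit udp object THIN-CLIENT-1 object PCOIP-SERVER eq 4172
access-group INSIDE-IN in interface inside

! --- Verification (exec mode) ---

! Walk a simulated packet through the NAT and ACL phases
packet-tracer input inside udp 10.0.0.10 50000 198.51.100.20 4172 detailed

! Capture the flow on both interfaces. The outside capture matches the
! translated address, so it confirms NAT and shows whether the server replies.
capture CAP-IN interface inside match udp host 10.0.0.10 host 198.51.100.20 eq 4172
capture CAP-OUT interface outside match udp host 203.0.113.10 host 198.51.100.20 eq 4172

! Packets the ASA itself dropped because of an ACL
capture CAP-DROP type asp-drop acl-drop

show capture CAP-IN
show capture CAP-OUT
show capture CAP-DROP

! Hit counters show whether the permit lines are being matched
show access-list INSIDE-IN

! Remove the captures when finished
no capture CAP-IN
no capture CAP-OUT
no capture CAP-DROP
```

Packets present in CAP-IN and CAP-OUT with nothing returning from 198.51.100.20 point at the remote end or the path to it rather than at the ASA; entries in CAP-DROP point at the local policy.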