I will PAYPAL 100 bucks to the person who can help me with 5510 issue

Charlie Taylor
Level 4

Below is an ongoing chat I am having with a PIX expert... Can anyone see where the problem is when you read the messages below?

Cisco ASA 5510 configuration for host inside private network

Question: We have a Citrix host behind a new 5510 that needs to be accessed by the public. I have tried to follow the examples on cisco.com but still continue to get errors. I KNOW I am missing something simple. I have taken out all my 'tries' and have the basic config below, with errors.
I am new to PIX/ASA and would love some suggestions on the proper access-group and corresponding ACL to get the 192.168.71.100/72.54.197.26 Citrix server to accept SSL from outside.
ASA Version 7.0(8)
!
interface Ethernet0/0
description Outside interface to Cbeyond
nameif OUTSIDE
security-level 0
ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
description Inside interface to internal network
nameif INSIDE
security-level 100
ip address 192.168.72.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.71.2 255.255.255.0
management-only
!
object-group service Citrix1494 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
port-object range 445 447
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
http server enable
http 192.168.71.0 255.255.255.0 management
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
Error Log:
3|Apr 15 2011 21:06:07|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:06:01|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:05:58|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
5|Apr 15 2011 21:05:42|111008: User 'root' executed the 'no access-list OUTSIDE_access_in extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
4|Apr 15 2011 21:05:20|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:05:17|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:04:37|106023: Deny tcp src OUTSIDE:221.1.220.185/12200 dst INSIDE:72.54.197.26/1080 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:50|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:44|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:41|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:23|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:17|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:14|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
5|Apr 15 2011 21:01:56|111008: User 'root' executed the 'access-list OUTSIDE_access_in line 1 extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
6|Apr 15 2011 21:00:13|302013: Built outbound TCP connection 7173 for OUTSIDE:150.70.85.65/443 (150.70.85.65/443) to INSIDE:192.168.72.100/2959 (72.54.197.26/2959)
6|Apr 15 2011 20:56:57|302016: Teardown UDP connection 7082 for OUTSIDE:72.54.197.26/137 to INSIDE:192.168.72.17/137 duration 0:02:01 bytes 62
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7088 for OUTSIDE:184.85.253.178/80 (184.85.253.178/80) to INSIDE:192.168.72.100/2879 (72.54.197.26/2879)
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7086 for OUTSIDE:74.125.159.147/80 (74.125.159.147/80) to INSIDE:192.168.72.100/2878 (72.54.197.26/2878)
6|Apr 15 2011 20:54:55|302015: Built outbound UDP connection 7082 for OUTSIDE:72.54.197.26/137 (192.168.72.100/137) to INSIDE:192.168.72.17/137 (72.54.197.28/24)
6|Apr 15 2011 20:54:17|302021: Teardown ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:15|302020: Built outbound ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:13|302021: Teardown ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7074 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2815 (72.54.197.26/2815)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7073 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2813 (72.54.197.26/2813)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7072 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2812 (72.54.197.26/2812)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7071 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2811 (72.54.197.26/2811)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7070 for OUTSIDE:184.85.253.19/80 (184.85.253.19/80) to INSIDE:192.168.72.100/2810 (72.54.197.26/2810)
3|Apr 15 2011 20:54:12|106014: Deny inbound icmp src OUTSIDE:172.28.16.2 dst INSIDE:72.54.197.26 (type 0, code 0)
6|Apr 15 2011 20:54:11|302020: Built outbound ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:10|302013: Built outbound TCP connection 7063 for OUTSIDE:64.4.18.90/80 (64.4.18.90/80) to INSIDE:192.168.72.100/2809 (72.54.197.26/2809)
3|Apr 15 2011 20:52:17|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:11|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:08|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
2|Apr 15 2011 20:50:02|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:59|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60784 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60783 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60781 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60782 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60779 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60785 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:35|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:32|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
3|Apr 15 2011 20:48:17|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:11|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:08|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
THANKS!!
Reply.................................
ok do this:

no static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
clear xlate

access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix1494

access-group Outside-ACL in interface OUTSIDE

That should do it for you..
Reply........................
Your reverse static needs to be taken out. then you need to do a "clear xlate" command.  do that and post your config again and let me see it.  I'll be standing by.
ASA Version 7.0(8)
!
hostname 5510
domain-name xxxxx
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
description Outside interface to Cbeyond
nameif OUTSIDE
security-level 0
ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
description Inside interface to internal network
nameif INSIDE
security-level 100
ip address 192.168.72.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.71.2 255.255.255.0
management-only
!
banner exec xxxxx
banner login VPN firewall/router
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INSIDE
dns name-server 66.180.96.12
dns name-server 64.180.96.12
object-group service Citrix1494 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
port-object range 445 447
access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix1494
pager lines 24
logging enable
logging asdm informational
logging mail critical
logging from-address xxxxx
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
access-group Outside-ACL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password xxxxxx encrypted privilege 15
http server enable
http 192.168.71.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.72.0 255.255.255.0 management
telnet 192.168.73.0 255.255.255.0 management
telnet 192.168.71.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.71.3-192.168.71.254 management
dhcpd dns 66.180.96.12 64.180.96.12
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 66.180.96.57
Cryptochecksum:472013675a200d36e6155c03238fa05c
: end
[OK]
5510#
Ok, so at this point, if you issued a clear xlate command that would have flushed the translation table, and Citrix should be able to get out with the current configuration. If it can't, post the logs for it. This is the right config for what you want to do.
Did that, no connections. Here is what the log says with the config above, right after I clear xlate and try to connect from outside.....

6|Apr 21 2011 12:40:44|302014: Teardown TCP connection 8954 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57140 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:40:43|302013: Built outbound TCP connection 9079 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57142 (72.54.197.26/57142)
6|Apr 21 2011 12:40:14|302013: Built outbound TCP connection 8954 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57140 (72.54.197.26/57140)
6|Apr 21 2011 12:40:13|302014: Teardown TCP connection 8618 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57134 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:39:43|302013: Built outbound TCP connection 8618 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57134 (72.54.197.26/57134)
6|Apr 21 2011 12:39:35|302014: Teardown TCP connection 8369 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57129 duration 0:00:30 bytes 0 SYN Timeout

AND....

The Citrix server cannot even get out to the internet; here is what the logs say when you try to open a browser.....

6|Apr 21 2011 12:39:05|302013: Built outbound TCP connection 8369 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57129 (72.54.197.26/57129)
6|Apr 21 2011 12:38:55|302014: Teardown TCP connection 8227 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57121 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:38:25|302013: Built outbound TCP connection 8227 for OUTSIDE:74.125.159.99/80 (74.125.159.99/80) to INSIDE:192.168.72.100/57121 (72.54.197.26/57121)
6|Apr 21 2011 12:37:36|302014: Teardown TCP connection 7667 for OUTSIDE:216.52.233.134/443 to INSIDE:192.168.72.100/57108 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:37:32|302014: Teardown TCP connection 7568 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57107 duration 0:00:30 bytes 0 SYN Timeout

OK, so the firewall is showing the rules for the inbound stuff working, but the Citrix server is not responding; that is why you are getting a SYN timeout.

Does your Citrix box have multiple IP addresses or multiple NICs?

What is the default gateway on the Citrix box?

I can guarantee you that the config is good.

The logs show sessions getting created, not blocked, so it's not the firewall causing the problem. Something else is not quite right.

From the ASA, can you ping the real IP address of the Citrix server?
This network is in production. Currently I have a cheesy Linksys router (the only thing it does is NAT for Citrix) and a "Transition" throwdown firewall with two simple rules that allow all and allow outside to Citrix.

The Citrix has one NIC with the default gateway the same as all other devices on the network (72.2) and goes out just fine until I cut over to the 5510. Then it cannot get out. (And yes, all other equipment is turned off and the switches are power cycled after I power up the 5510, to make sure I am not having switch ARP issues.)

The Citrix is in use 24/7 by remote users, so I can't switch back and forth (especially during the day, when everybody goes out to the Inet via this unit or the cheesy gear I am replacing).

I see the connections too but it connects for half a second and sends 0 bytes..... hmmmm

You are having ARP issues with the Citrix box, I would think.

So once you cut over to the ASA... can you ping the Citrix box from the ASA?

The Citrix ARP table still shows the MAC address of the Linksys 72.2 interface is my guess, and you would need to flush the ARP table on the Citrix server.

Also, how does the internet connect? Is it straight to the Linksys router? Is this cable, DSL or T1 to a provider router, or what? There is a router on the outside of the ASA of some sort. It could be that that device still has the public-side MAC address of the Citrix box in its ARP table. Most likely that needs a reboot as well to flush its ARP table. I would bet on it.

I have been working on Cisco firewalls since before Cisco bought the PIX. I can assure you the config is good without that reverse static.
OK... but if it is an ARP issue, would the 5510 still get the info that is in the logs?

I mean, if packets were headed to another port, why am I seeing SRC/DST info in the logs?
You've got a point there. Here is what I know. When you try to access it from the outside... the Citrix doesn't respond. So could it be that at that point the Citrix box has the old ARP entry for the Linksys, so the packets aren't getting back?

So if you cut over, start everything fresh: turn off the Linksys, reboot the ISP router/device, flush the ARP table on Citrix. Then ping the Citrix box from the ASA. If that works, then try the connection from the outside. How are you connecting to the outside? Are you at a different location, or are you on a mobile broadband card, or what?
I am physically sitting on the network. I am trying to access it from outside on my broadband card, which is known to connect.

Their office is closed tomorrow and I am getting access to come in and power cycle every single device. I will then first try to ping Citrix from the ASA and move downstream like you suggest.

Thanks again, I really do hope it is an ARP issue in a device I did not reload (the ACTELIS ISP box and the actual Citrix server).

I will let you know.
A reboot of every device in the network did not change anything.
From your config, I don't see a route to the inside... 

The only route on the ASA is to the outside:

route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
So what are you suggesting?
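Added example (not from the thread, and not Cisco's tooling): a small Python triage script for the ASA 7.x syslog format pasted above. It separates the three symptoms the chat argues about: 305005 "No translation group found" (a NAT gap), 106023 denies by an access-group (an ACL gap), and 302014 teardowns with "bytes 0 SYN Timeout" (the ASA permitted and built the session, so whatever is failing is beyond its rule set, such as ARP, routing or the host itself). The sample lines are constructed from the thread's own log entries.

```python
import re
from collections import Counter

# Constructed sample in the ASA 7.x "severity|timestamp|msgid: text" format,
# modelled on the lines pasted in the thread (same addresses and message ids).
SAMPLE_LOG = """\
3|Apr 15 2011 21:06:07|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
4|Apr 15 2011 21:05:20|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
6|Apr 21 2011 12:40:14|302013: Built outbound TCP connection 8954 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57140 (72.54.197.26/57140)
6|Apr 21 2011 12:40:44|302014: Teardown TCP connection 8954 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57140 duration 0:00:30 bytes 0 SYN Timeout
"""

LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")

def parse_line(line):
    """Split one ASA log line into severity, timestamp, message id and text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"sev": int(m["sev"]), "ts": m["ts"], "msgid": m["msgid"], "text": m["text"]}

def triage(log_text):
    """Bucket the lines into the three symptoms the thread argues about."""
    out = {"no_xlate": [], "acl_deny": Counter(), "syn_timeout": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        text = rec["text"]
        if rec["msgid"] == "305005":  # NAT: no translation exists for this flow
            m = re.search(r"src (\S+) dst (\S+)", text)
            out["no_xlate"].append((m[1], m[2]))
        elif rec["msgid"] == "106023":  # ACL: explicit deny by the access-group
            m = re.search(r'dst \S+?/(\d+) by access-group "([^"]+)"', text)
            out["acl_deny"][(m[2], m[1])] += 1
        elif rec["msgid"] == "302014" and text.endswith("SYN Timeout"):
            # Neither NAT nor ACL: session built, handshake never completed, 0 bytes
            m = re.search(r"to (\S+) duration \S+ bytes (\d+)", text)
            if m and m[2] == "0":
                out["syn_timeout"].append(m[1])
    return out

def verdict(findings):
    """Which layer to look at first, in the order a firewall admin checks them."""
    if findings["no_xlate"]:
        return "fix NAT: flows with no translation group"
    if findings["acl_deny"]:
        return "fix ACL: traffic denied by access-group"
    if findings["syn_timeout"]:
        return "not the ASA: sessions built but handshake never completed"
    return "no symptoms found"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

Fed the second batch of logs from the thread (only 302013/302014 lines), the verdict is the one the expert gives: the ASA is building the sessions, so the remaining fault is not in its NAT or ACL configuration.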

Charlie Taylor
Level 4

solved