02-16-2014 10:34 AM - edited 03-11-2019 08:46 PM
Hi everyone,
I am accessing my corp network via Citrix client.
Here are logs from internet ASA when I use Citrix
TCP outside 70.75..x.x:52705 Internal 10.31.35.10:443, idle 0:00:00, bytes 3614224, flags UIOB
This tells us that connection is coming from outside interface of ASA and going to Internal IP 10.31.35.10.
Where 70.75 is MY PC IP.
Here is Natting on ASA
nat (Internal) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
This NAT tells us that if source is any and coming from Internal then translate it to the Public IP of outside interface, which will be PAT, right?
Here is static nat config for Citrix
static (Internal,outside) 210.x.x.x 10.31.35.10 netmask 255.255.255.255
where 10.31.35.10 is internal IP of Citrix server and 210.x.x.x is global IP.
Need to understand: when I open the URL with global IP, which is 210.x.x.x, it comes to the ASA and first hits the outside interface, then it hits the static NAT rule, which says if destination is 210.x.x then translate this into internal IP of server, which is 10.31.35.10.
Regards
Mahesh
02-16-2014 02:29 PM
Mahesh
The nat/global statements translate all source IPs to the outside interface IP address when going from inside to outside. In terms of your Citrix access this rule does not do anything because you have a static NAT statement which takes precedence.
The static NAT statement does exactly what you say.
So your PC src IP is never translated because coming in from the internet it is the source IP and you do not have a rule to translate those, and going back to your PC it is the destination IP and again you do not have a rule to translate that.
Note when I say you don't have rules I mean from what you have posted, as there may well be other rules on the firewall.
Jon
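Added example, not part of the thread and not Cisco code: a small Python model of the two rule sets quoted above, showing which one applies to each direction of the Citrix flow and that the static entry is matched before the nat/global PAT. The addresses 203.0.113.10, 203.0.113.1, 198.51.100.7 and 10.31.35.99 are constructed stand-ins for values the thread elides or does not give.

```python
"""Toy model of the pre-8.3 ASA NAT rules quoted in this thread."""
import ipaddress

# Constructed stand-ins for addresses the thread elides or omits.
GLOBAL_IP = "203.0.113.10"     # stands in for 210.x.x.x
OUTSIDE_IF_IP = "203.0.113.1"  # outside interface address (assumed)
PC_IP = "198.51.100.7"         # stands in for the poster's PC
OTHER_HOST = "10.31.35.99"     # hypothetical second internal host

# static (Internal,outside) <global> 10.31.35.10 netmask 255.255.255.255
STATICS = [{"real_if": "Internal", "mapped_if": "outside",
            "mapped": GLOBAL_IP, "real": "10.31.35.10"}]
# nat (Internal) 1 0.0.0.0 0.0.0.0  +  global (outside) 1 interface
DYNAMIC = {"real_if": "Internal", "mapped_if": "outside",
           "match": ipaddress.ip_network("0.0.0.0/0"),
           "pat_ip": OUTSIDE_IF_IP}


def translate(in_if, out_if, src, dst):
    """Return (src, dst, rule) as the packet leaves the firewall."""
    # Inbound: a static entry un-translates the destination (mapped -> real).
    for s in STATICS:
        if in_if == s["mapped_if"] and dst == s["mapped"]:
            return src, s["real"], "static (destination untranslated)"
    # Outbound: static is checked before dynamic nat/global, so it wins.
    for s in STATICS:
        if (in_if == s["real_if"] and out_if == s["mapped_if"]
                and src == s["real"]):
            return s["mapped"], dst, "static (source translated)"
    if (in_if == DYNAMIC["real_if"] and out_if == DYNAMIC["mapped_if"]
            and ipaddress.ip_address(src) in DYNAMIC["match"]):
        return DYNAMIC["pat_ip"], dst, "nat/global PAT"
    return src, dst, "no translation"


def demo():
    """Run the Citrix flow in both directions plus one ordinary host."""
    return {
        "pc_to_citrix": translate("outside", "Internal", PC_IP, GLOBAL_IP),
        "citrix_reply": translate("Internal", "outside", "10.31.35.10", PC_IP),
        "other_host_out": translate("Internal", "outside", OTHER_HOST, PC_IP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In both directions of the Citrix flow the PC address passes through unchanged; only the server side is rewritten, and only the hypothetical second host falls through to the PAT rule.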
02-16-2014 03:45 PM
Thanks Jon for replying to my question.
Regards
Mahesh