Citrix - NAT and alias command problem

lheredia
Level 1

People:

let's see if somebody has the solution for this....

I have a PIX 515 and I am trying to get a Citrix metaframe XPs server to work behind the firewall.. I only use HTTP and HTTPS as the connection ports... and the server is located on the DMZ

right now whenever a client tries to connect, MF tries to open the static IP associated to that server.... and it does not work... so I tried adding an alias (dmz) command to override that... but to no avail.. I can see that the application still tries to open the external IP X.X.X.41. I tried accessing the HTTP server in the MF server from another machine in the DMZ.. and I can access the server using the FQDN but not the external IP address X.X.X.41, my conclusion is that the alias command is not what I need.... I need a command in the cisco router that tells the router that whenever a request for X.X.X.41 is coming from the DMZ it should be redirected back to the MF server 192.168.2.15.... anybody know how to do this?

this is the list of the relevant commands

----------------------------------------------------------

access-list 100 permit tcp any host X.X.X.41 eq www

access-list 100 permit tcp any host X.X.X.41 eq 443

access-list 101 permit tcp any any

access-list 101 permit udp any any

access-list 101 permit ip any any

global (outside) 1 X.X.X.45-X.X.X.61 netmask 255.255.255.224

global (outside) 1 X.X.X.62 netmask 255.255.255.224

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

alias (inside) X.X.X.41 192.168.2.15 255.255.255.255

alias (dmz) 192.168.2.15 X.X.X.41 255.255.255.255

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

static (dmz,outside) X.X.X.41 192.168.2.15 netmask 255.255.255.255 0 0

access-group 100 in interface outside

access-group 101 in interface dmz

---------------------------------------------------

thanks a lot!!

Luis.

2 Replies

gfullage
Cisco Employee

The alias command is not what you need, the "static" command you already have is mapping connections from x.x.x.41 to 192.168.2.15 on the DMZ.

The trouble you're seeing is how metaframe works, when a client connects, the server sends back a .ica file which contains the IP address for the client to connect to. This IP address is the IP address of the server, which in your case is 192.168.2.15. There's no way the PIX can change the IP address in this file, and the client will try and connect to that address.

Do a search on Google for "nat citrix metaframe" and there are a few links with explanations on this. Searching Citrix's web site I came across this which should fix you up also (http://support.citrix.com/forums/thread.jspa?forumID=1&threadID=31413&messageID=71365#71365), looks like you need to run the "altaddr" command on your server, then it'll advertise the global address to the clients to connect to.

Thanks, I found the same too... but the altaddr command is not enough, you also need to run a port/IP translation utility included with MF... that solved the problem....

Thanks a lot for your help!.

Luis
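The first reply explains that the address inside the .ica file, not the PIX translation, decides where the client connects. The following is an added example, not code from the thread or from Citrix: a small Python check that reads a launch file and reports any application still advertising an RFC 1918 address, alongside the global address the `static (dmz,outside)` line maps it to. The INI layout (`[ApplicationServers]`, per-application `Address=`) is assumed, the sample file is constructed, and 203.0.113.41 is a placeholder for the masked X.X.X.41.

```python
import configparser
import ipaddress

# Constructed sample .ica launch file (not from the thread). 192.168.2.15 is the
# DMZ address in the post; 203.0.113.41 is a placeholder for the masked X.X.X.41.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=192.168.2.15
InitialProgram=#Notepad
TransportDriver=TCP/IP
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def advertised_addresses(ica_text):
    """Return {application: (host, port)} for each published Address= entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names case-sensitive, as written
    cp.read_string(ica_text)
    apps = cp.options("ApplicationServers") if cp.has_section("ApplicationServers") else []
    found = {}
    for app in apps:
        if cp.has_option(app, "Address"):
            host, _, port = cp.get(app, "Address").partition(":")
            found[app] = (host.strip(), int(port) if port else None)
    return found

def unreachable_from_outside(ica_text, static_map):
    """List (app, advertised_ip, expected_global) for private addresses.

    static_map mirrors 'static (dmz,outside) <global> <local>' as {local: global}.
    """
    problems = []
    for app, (host, _port) in advertised_addresses(ica_text).items():
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name; what it resolves to decides reachability
        if any(ip in net for net in RFC1918):
            problems.append((app, host, static_map.get(host)))
    return problems
```

An empty result for a launch file fetched from outside the firewall indicates the server is advertising the translated address.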