05-14-2003 09:57 AM - edited 03-09-2019 03:17 AM
People:
Let's see if somebody has the solution for this...
I have a PIX 515 and I am trying to get a Citrix MetaFrame XPs server to work behind the firewall. I only use HTTP and HTTPS as the connection ports, and the server is located on the DMZ.
Right now, whenever a client tries to connect, MF tries to open the static IP associated with that server, and it does not work. So I tried adding an alias (dmz) command to override that, but to no avail. I can see that the application still tries to open the external IP X.X.X.41. I tried accessing the HTTP server on the MF server from another machine in the DMZ, and I can access the server using the FQDN but not the external IP address X.X.X.41. My conclusion is that the alias command is not what I need. I need a command in the Cisco router that tells the router that whenever a request for X.X.X.41 is coming from the DMZ it should be redirected back to the MF server 192.168.2.15. Anybody know how to do this?
This is the list of the relevant commands:
----------------------------------------------------------
access-list 100 permit tcp any host X.X.X.41 eq www
access-list 100 permit tcp any host X.X.X.41 eq 443
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
global (outside) 1 X.X.X.45-X.X.X.61 netmask 255.255.255.224
global (outside) 1 X.X.X.62 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
alias (inside) X.X.X.41 192.168.2.15 255.255.255.255
alias (dmz) 192.168.2.15 X.X.X.41 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) X.X.X.41 192.168.2.15 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 101 in interface dmz
---------------------------------------------------
Thanks a lot!!
Luis.
05-14-2003 07:36 PM
The alias command is not what you need; the "static" command you already have is mapping connections from x.x.x.41 to 192.168.2.15 on the DMZ.
The trouble you're seeing is how MetaFrame works: when a client connects, the server sends back a .ica file which contains the IP address for the client to connect to. This IP address is the IP address of the server, which in your case is 192.168.2.15. There's no way the PIX can change the IP address in this file, and the client will try to connect to that address.
Do a search on Google for "nat citrix metaframe" and there are a few links with explanations of this. Searching Citrix's web site I came across this, which should fix you up also (http://support.citrix.com/forums/thread.jspa?forumID=1&threadID=31413&messageID=71365#71365). It looks like you need to run the "altaddr" command on your server; then it'll advertise the global address to the clients to connect to.
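A quick way to confirm the diagnosis above, as an added example that is not part of the original thread: parse the .ica launch file a client receives and flag any address that is private and therefore unreachable from outside the PIX. The sample file, its section and key names (the usual ICA INI layout) and the function names are assumptions; the address is the DMZ one from the thread.

```python
import configparser
import ipaddress

# Constructed sample of a launch file as handed to a client. Section and key
# names follow the usual ICA INI layout (assumption, not taken from the thread).
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Desktop=

[Desktop]
Address=192.168.2.15:1494
TransportDriver=TCP/IP
"""


def ica_addresses(text):
    """Return {application section: host} for every Address= key found."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    found = {}
    for section in cp.sections():
        if cp.has_option(section, "Address"):
            value = cp.get(section, "Address").strip()
            found[section] = value.partition(":")[0]  # drop optional :port
    return found


def unreachable_from_outside(text):
    """List (application, host) pairs that advertise a private IP address."""
    flagged = []
    for app, host in ica_addresses(text).items():
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname/FQDN: DNS decides where the client goes
        if ip.is_private:
            flagged.append((app, host))
    return flagged


if __name__ == "__main__":
    for app, host in unreachable_from_outside(SAMPLE_ICA):
        print(f"{app}: advertises {host}, which external clients cannot reach")
```

If the file still lists the private address after the server-side change, external clients are still being handed the internal address.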
05-15-2003 08:39 AM
Thanks, I found the same too... but the altaddr command is not enough; you also need to run a port/IP translation utility included with MF. That solved the problem.
Thanks a lot for your help!
Luis