Core issue
It is sometimes necessary to permit Citrix Metaframe access through a PIX Firewall, so that remote connections can be established. By default, such connections are denied, so the PIX must be configured to allow Citrix traffic from the outside interface to the inside interface.
Resolution
In most PIX scenarios, the inside interface and network use private addressing, while the outside interface and network use public addressing. Therefore, a static mapping must be created to establish the relationship between the outside and inside addresses. Moreover, an Access Control List (ACL) must define the traffic that is permitted through the PIX.
Citrix Metaframe (ICA client or Web interface) uses ports 1494 (TCP) and 1604 (User Datagram Protocol [UDP]) to communicate. Therefore, these ports must be explicitly permitted on the PIX.
Consider the example of a device on the inside interface of the PIX with an IP address of 10.1.1.10, which is mapped to an external (global) IP address of 2.2.2.1. In this case, traffic destined for 2.2.2.1 arrives at the PIX, is translated to 10.1.1.10, and is passed to the inside interface.
Based on these factors, the configuration necessary for this scenario is:
static (inside,outside) 2.2.2.1 10.1.1.10 netmask 255.255.255.255
! --- The static mapping between 2.2.2.1 (outside address) and 10.1.1.10 (inside address).
access-list 101 permit tcp any host 2.2.2.1 eq 1494
! --- Permits TCP traffic to 2.2.2.1, port 1494.
access-list 101 permit udp any host 2.2.2.1 eq 1604
! --- Permits UDP traffic to 2.2.2.1, port 1604.
access-group 101 in interface outside
! --- Apply ACL 101 to the outside interface.
Note: Depending on the number of clients and sessions, the range of TCP ports that is opened may need to be narrowed or widened. For example, if the number of Citrix clients is large, open TCP port 1494 and also TCP ports 1023 and above (up to a maximum of 65535), according to the number of such clients.
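The following is an added example, not part of the Cisco tech note and not PIX code: a small Python model of how the PIX evaluates the static mapping and ACL 101 above against a flow arriving on the outside interface, and a counter that quantifies what the Note's wider port range exposes. The parser accepts only the subset of syntax used on this page (a host static with a 255.255.255.255 netmask, `permit tcp|udp any host X eq N` or `range A B`, and an inbound access-group); the function names and the constructed config string are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed input: the four configuration lines from the tech note, without the comments.
PIX_CONFIG = """\
static (inside,outside) 2.2.2.1 10.1.1.10 netmask 255.255.255.255
access-list 101 permit tcp any host 2.2.2.1 eq 1494
access-list 101 permit udp any host 2.2.2.1 eq 1604
access-group 101 in interface outside
"""

# Only the syntax shapes that appear on the page are recognised (assumption of this example).
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) (?:eq (\d+)|range (\d+) (\d+))$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


@dataclass(frozen=True)
class Ace:
    proto: str   # "tcp" or "udp"
    dst: str     # global (outside) host address the entry applies to
    lo: int      # first permitted destination port
    hi: int      # last permitted destination port (equals lo for "eq")


@dataclass
class PixConfig:
    statics: dict   # global address -> inside address
    acls: dict      # ACL name -> list of Ace, in configured order
    groups: dict    # interface name -> ACL applied inbound on that interface


def parse_pix(text: str) -> PixConfig:
    """Parse the page's subset of PIX syntax; any other line raises ValueError."""
    cfg = PixConfig({}, {}, {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank line or "! ---" comment
            continue
        if m := STATIC_RE.match(line):
            cfg.statics[m.group(3)] = m.group(4)
        elif m := ACE_RE.match(line):
            name, proto, dst, eq, lo, hi = m.groups()
            ports = (int(eq), int(eq)) if eq else (int(lo), int(hi))
            cfg.acls.setdefault(name, []).append(Ace(proto, dst, *ports))
        elif m := GROUP_RE.match(line):
            cfg.groups[m.group(2)] = m.group(1)
        else:
            raise ValueError(f"unsupported line: {line}")
    return cfg


def inbound_target(cfg: PixConfig, proto: str, dst_ip: str, dst_port: int,
                   interface: str = "outside"):
    """Return the inside address a flow arriving on `interface` is delivered to,
    or None when the PIX drops it: no inbound ACL on the interface, no matching
    permit entry (every ACL ends in an implicit deny), or no static for the
    global address."""
    acl = cfg.acls.get(cfg.groups.get(interface), [])
    for ace in acl:
        if ace.proto == proto and ace.dst == dst_ip and ace.lo <= dst_port <= ace.hi:
            return cfg.statics.get(dst_ip)
    return None


def exposed_ports(cfg: PixConfig, proto: str, dst_ip: str, interface: str = "outside") -> int:
    """Count the distinct destination ports of `proto` that the inbound ACL
    permits towards `dst_ip`; useful for reviewing how wide a range really is."""
    acl = cfg.acls.get(cfg.groups.get(interface), [])
    ports = set()
    for ace in acl:
        if ace.proto == proto and ace.dst == dst_ip:
            ports.update(range(ace.lo, ace.hi + 1))
    return len(ports)


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    print(inbound_target(cfg, "tcp", "2.2.2.1", 1494))   # 10.1.1.10
    print(inbound_target(cfg, "udp", "2.2.2.1", 1604))   # 10.1.1.10
    print(inbound_target(cfg, "tcp", "2.2.2.1", 3389))   # None (implicit deny)
    print(exposed_ports(cfg, "tcp", "2.2.2.1"))          # 1
    # The Note's widened variant for many clients: 1023 and above, up to 65535.
    wide = parse_pix(PIX_CONFIG + "access-list 101 permit tcp any host 2.2.2.1 range 1023 65535\n")
    print(exposed_ports(wide, "tcp", "2.2.2.1"))         # 64513
```

The last two calls make the trade-off in the Note concrete: the baseline ACL exposes exactly one TCP port on 2.2.2.1, while a `range 1023 65535` entry exposes 64513, so any listener on the inside host in that range becomes reachable from the outside and the range should be sized to the actual client count and reviewed when it changes.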