5510 NAT to WWW server problem

Charlie Taylor
Level 4

Problem:

Outside access to Inside Citrix server.

IP Info:

The ISP gave me x.x.x.16/30, so my IP address on e0/0 is x.x.x.18.

The ISP gave me x.x.x.24/29 as usable IP addresses.

IPs I want to use:

192.168.76.12 = Citrix

x.x.x.29 = NAT to Citrix

At the last site I had a /29, so my config was simple to NAT, but here I 'thought' I could use subinterfaces, and that is not working.

Config:

hostname Dasa
names
name 192.168.74.0 Vallywood description Valleywood D
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address x.x.x.18 255.255.255.252
!
interface Ethernet0/0.2
 vlan 2
 nameif Outside_IPs
 security-level 0
 ip address x.x.x.25 255.255.255.248
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.76.1 255.255.254.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit intra-interface
object network obj-192.168.76.0
 subnet 192.168.76.0 255.255.254.0
object network Vallywood
 subnet 192.168.74.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Citrix
 host 192.168.76.12
 description Citrix Server Inside
object network Citrix_Outside
 host x.x.x.29
 description Citrix Server Outside
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
 service-object icmp echo
 service-object tcp-udp destination eq www
 service-object tcp destination eq 2598
access-list 101 extended permit icmp any any echo-reply inactive
access-list 101 extended permit icmp any any source-quench inactive
access-list 101 extended permit icmp any any unreachable inactive
access-list 101 extended permit icmp any any time-exceeded inactive
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list INSIDE_nat0_outbound extended permit ip 192.168.76.0 255.255.254.0 object Vallywood
access-list OUTSIDE_1_cryptomap extended permit ip object obj-192.168.76.0 object Vallywood
access-list Outside_access_in extended permit tcp any host 50.200.31.29 eq citrix-ica
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host x.x.x.29
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Outside_IPs 1500
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,any) source static obj-192.168.76.0 obj-192.168.76.0 destination static Vallywood Vallywood unidirectional
nat (INSIDE,OUTSIDE) source static obj-192.168.76.0 obj-192.168.76.0 destination static Vallywood Vallywood
nat (INSIDE,OUTSIDE) source static Citrix Citrix destination static Citrix_Outside Citrix_Outside description Citrix NAT
!
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
access-group Outside_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs group1
crypto map OUTSIDE_map 1 set peer 2.2.2.2
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp enable INSIDE
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
username root password IRP4f9U6/uZI6DzC encrypted
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e818005e53e7571abb597401c371c510
: end
[OK]

Anyone have any tips to get this working?
1 Reply

Jennifer Halim
Cisco Employee

Access-list:

"access-list Outside_access_in extended permit tcp any host 50.200.31.29 eq citrix-ica" is incorrect; it should be the private IP, as follows:

access-list Outside_access_in extended permit tcp any host 192.168.76.12 eq citrix-ica
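The point behind the answer is that from ASA 8.3 onward access-lists are evaluated against the real (untranslated) address, so an ACE written against the NAT-mapped public IP never matches and the published service is silently unreachable. The following is an added example, not part of the thread or any Cisco tool: a small linter that reads an ASA config fragment, learns the mapped-to-real pairs from static object NAT, and flags outside ACEs that reference a mapped address. The sample config is constructed: the public IP is a placeholder (203.0.113.29) and the NAT is written as object NAT, which is an assumption rather than the poster's exact lines.

```python
import re

# Constructed ASA 8.3+ fragment modelled on the thread. The public address is a
# placeholder (203.0.113.29) and object NAT is assumed; the first ACE is the
# broken form (mapped IP), the second is the form the answer recommends (real IP).
SAMPLE_CONFIG = """\
object network Citrix
 host 192.168.76.12
 nat (INSIDE,OUTSIDE) static 203.0.113.29
access-list Outside_access_in extended permit tcp any host 203.0.113.29 eq citrix-ica
access-list Outside_access_in extended permit tcp any host 192.168.76.12 eq 2598
access-group Outside_access_in in interface OUTSIDE
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def parse_static_nat(config):
    """Return {mapped_ip: real_ip} from 'object network' blocks that carry a
    'host X' line followed by 'nat (in,out) static Y'."""
    mapping, real = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            real = None                      # new object block resets the host
        elif (m := re.match(r"\s+host " + IPV4, line)):
            real = m.group(1)
        elif real and (m := re.match(r"\s+nat \(\S+\) static " + IPV4, line)):
            mapping[m.group(1)] = real
    return mapping

def find_mapped_ip_aces(config):
    """List (acl_name, ace_text, real_ip) for ACEs whose 'host' is a mapped
    address. Such ACEs never match on ASA 8.3+, where ACLs see real IPs."""
    mapping = parse_static_nat(config)
    findings = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended .*?\bhost " + IPV4, line)
        if m and m.group(2) in mapping:
            findings.append((m.group(1), line.strip(), mapping[m.group(2)]))
    return findings

def suggest_fix(finding):
    """Rewrite the offending ACE with the real address, as the answer recommends."""
    _acl, ace, real_ip = finding
    mapped = re.search(r"\bhost " + IPV4, ace).group(1)
    return ace.replace(f"host {mapped}", f"host {real_ip}")

if __name__ == "__main__":
    for f in find_mapped_ip_aces(SAMPLE_CONFIG):
        print(f"{f[0]}: ACE uses NAT-mapped IP; suggested: {suggest_fix(f)}")
```

Run it against a `show running-config` dump to catch the same mistake before it reaches a production firewall; it only understands the object NAT form shown, so twice-NAT lines need a second parser.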
