1295 Views, 0 Helpful, 1 Reply

NAT inside outside problem with Citrix SG environment

newbie1111
Level 1

Please help, I've been trying this for a couple of days with no success.

I have a Cisco 1811 router and would like to test a Citrix environment with the Secure Gateway in the DMZ zone and the XenApp servers in the secure network. We have a single public IP address. I had to forward port 443 (https) from public to DMZ, and need to forward ports 1494 and 80 from DMZ to the secure network.

The problem is with the latter port forwarding (DMZ -> secure).

Fe0  is ip nat outside

DMZ is ip nat inside

and forwarding port 443 works great.

But I don't know how to forward further from inside (DMZ) to outside (secure).

Here is the stripped config. I am using ZFW, but I didn't show that for readability.

interface FastEthernet0
description ISP
ip address 89.x.x.254 255.255.255.252
ip nat outside
!
interface FastEthernet1
description SECURE_NET
ip address 10.146.1.5 255.255.255.0
ip nat outside
!
interface FastEthernet2
switchport access vlan 21
!
interface FastEthernet3
switchport access vlan 22
!
interface FastEthernet4
switchport access vlan 23
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan21
description FULL_INTERNET_ACCESS
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan22
description PUBLIC_SERVICES
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface Vlan23
description DMZ
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
!
ip route 0.0.0.0 0.0.0.0 89.x.x.253
!
!
! full access vlan21 to internet
ip nat inside source list 21 interface FastEthernet0 overload
!
! port forwarding ftp port to publish ftp server (vlan22) on internet
ip nat inside source static tcp 192.168.2.101 21 interface FastEthernet0 21
!
! port forwarding https (443) to Citrix Secure Gateway in DMZ zone (vlan23)
ip nat inside source static tcp 192.168.3.10 443 interface FastEthernet0 443
!
! NAT source lists: list 21 is the one referenced by the overload rule above
access-list 21 permit 192.168.1.0 0.0.0.255
access-list 13 permit 192.168.3.10

This portion works OK.

Now I am trying to check ICA port 1494 on server 10.146.1.20 on the secure net.

If I use:

ip nat inside source list 13 interface FastEthernet1 overload

and check with:

telnet 10.146.1.20 1494 from Secure Gateway server 192.168.3.10 in Vlan23 (DMZ)

telnet works, so I can see the "ICAICAICA..." response from the ICA heartbeat.

But this is not "real" port forwarding, is it? In this case I actually have the whole 10.146.1.0/24 network available directly, which was not the intention.

If I try to use "real" port forwarding:

ip nat outside source static 10.146.1.20 192.168.3.20

I can ping 192.168.3.20 from the Secure Gateway server in DMZ, but when I try to

telnet 192.168.3.20 1494 there is no response. Yes, I put altaddr to 192.168.3.20 on the XenApp (PS) server (10.146.1.20).

Is it OK to NAT outside in this case? The problem is that VLAN23 (DMZ) already has nat inside, due to port forwarding from the public net (F0). If I put the secure network (Fe1) as ip nat inside as well, probably no translation will happen.

I am really confused.

1 Reply

margalla
Cisco Employee

So what are you trying to achieve here?

Why can't you simply route traffic between your DMZ and SECURE_NET and use ACLs or firewall features (if present) to allow or deny traffic?
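One way to do what the reply suggests, as an added example that is not part of the thread and not the poster's or replier's configuration: stop translating between DMZ and SECURE_NET, let the router route between the two connected subnets, and use the zone-based firewall the poster already runs to permit only the Secure Gateway host to reach the XenApp server on tcp/1494 and tcp/80. The zone, ACL, class-map and policy-map names are assumptions and should be aligned with the existing ZFW config.

```cisco
! Added example, not from the thread. Zone/ACL/policy names are assumed.
!
! 1. No NAT between DMZ and SECURE_NET: plain routing between the two
!    connected subnets is enough, so drop the outside role on Fe1.
interface FastEthernet1
 description SECURE_NET
 no ip nat outside
!
! 2. Least privilege: only the Secure Gateway (192.168.3.10) may reach the
!    XenApp server (10.146.1.20), and only on ICA (tcp/1494) and tcp/80.
ip access-list extended CSG-TO-XENAPP
 permit tcp host 192.168.3.10 host 10.146.1.20 eq 1494
 permit tcp host 192.168.3.10 host 10.146.1.20 eq 80
!
class-map type inspect match-all CM-CSG-TO-XENAPP
 match access-group name CSG-TO-XENAPP
!
policy-map type inspect PM-DMZ-TO-SECURE
 class type inspect CM-CSG-TO-XENAPP
  inspect
 class class-default
  drop log
!
! 3. Zones and the DMZ -> SECURE zone pair. Vlan23 and Fe1 must be members
!    of these zones; if zones already exist, reuse their names instead.
zone security DMZ
zone security SECURE
interface Vlan23
 zone-member security DMZ
interface FastEthernet1
 zone-member security SECURE
zone-pair security DMZ-TO-SECURE source DMZ destination SECURE
 service-policy type inspect PM-DMZ-TO-SECURE
```

Because there is no SECURE -> DMZ zone pair, sessions initiated from the secure network towards the DMZ are dropped by default, while return traffic for the two inspected flows is allowed statefully; everything else from the DMZ towards the secure net is dropped and logged, which also gives a detection point for anything unexpected coming out of the gateway host.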