09-20-2010 07:09 AM
Hello all,
I am new to Cisco ASA (coming from a Watchguard Firebox 1000) and need some help allowing Citrix ICA traffic through our ASA 5510. I am not using Secure Gateway. I just want to allow a direct connection from the internet to my Citrix server. I have set up a static NAT for the Citrix server and set up a security rule on the outside interface to allow Citrix ICA from any to the NAT IP. When I try to connect to the Citrix server, the packet is denied by rule "access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica". This is how I had it set up with our Watchguard. Here is a copy of the config.
Thanks for your help.
ASA Version 7.2(4)18
!
hostname Paetec
domain-name Paetec.thelandlcompany.com
enable password nRkrK2UDMhbxbMqH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 74.9.142.210 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.11.0.242 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-18-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name Paetec.thelandlcompany.com
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.70.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list Outside_1_cryptomap remark VPN Glenburnie MD
access-list Outside_1_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list Outside_2_cryptomap remark VPN Frederick MD
access-list Outside_2_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica
access-list Outside_3_cryptomap remark VPN Seaford DE
access-list Outside_3_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.70.0.0 255.255.0.0
access-list Outside_4_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0
access-list Outside_5_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.5.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-52450.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) 74.9.142.216 10.11.0.159 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 74.9.142.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 151.196.59.245
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set pfs group1
crypto map Outside_map 2 set peer 70.16.191.240
crypto map Outside_map 2 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs group1
crypto map Outside_map 3 set peer 68.162.89.12
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set pfs group1
crypto map Outside_map 4 set peer 173.73.112.98
crypto map Outside_map 4 set transform-set ESP-3DES-SHA
crypto map Outside_map 5 match address Outside_5_cryptomap
crypto map Outside_map 5 set pfs group1
crypto map Outside_map 5 set peer 216.156.195.162
crypto map Outside_map 5 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.11.0.0 255.255.0.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 120
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group 162.83.93.74 type ipsec-l2l
tunnel-group 162.83.93.74 ipsec-attributes
pre-shared-key *
tunnel-group 70.16.191.240 type ipsec-l2l
tunnel-group 70.16.191.240 ipsec-attributes
pre-shared-key *
tunnel-group 70.155.139.130 type ipsec-l2l
tunnel-group 70.155.139.130 ipsec-attributes
pre-shared-key *
tunnel-group 151.196.59.245 type ipsec-l2l
tunnel-group 151.196.59.245 ipsec-attributes
pre-shared-key *
tunnel-group 68.162.89.12 type ipsec-l2l
tunnel-group 68.162.89.12 ipsec-attributes
pre-shared-key *
tunnel-group 173.73.112.98 type ipsec-l2l
tunnel-group 173.73.112.98 ipsec-attributes
pre-shared-key *
tunnel-group 216.156.195.162 type ipsec-l2l
tunnel-group 216.156.195.162 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c1d61a48af401ee31cafa12c30d42de0
: end
09-20-2010 10:19 PM
Please change the following access-list:
FROM:
access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica
TO:
access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq citrix-ica
Please make sure that you add the new line before removing the existing access-list line, as I see that you have only one line in the "Outside_access_in" ACL.
Hope that helps.
09-21-2010 05:14 AM
I made the change but still get denied. Here is the log entry.
4 | Sep 21 2010 | 04:35:37 | 106023 | 72.61.13.83 | 74.9.142.216 | Deny tcp src Outside:72.61.13.83/49244 dst Inside:74.9.142.216/2598 by access-group "Outside_access_in" [0x0, 0x0] |
09-21-2010 05:17 AM
From the syslog, it uses port 2598. Please add the following ACL:
access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq 2598
09-21-2010 06:01 AM
That did it. Citrix ICA uses port 1494; port 2598 is for Session Reliability, which is turned on by default in the new Citrix client. I can either turn off Session Reliability or open port 2598; both work.
Thanks for your help.
06-08-2013 04:11 AM
Hi,
What access-list should be configured to allow Citrix traffic?
I have applied the following ACL, but Citrix doesn't work:
permit tcp xx.xx.xx.0 0.0.3.255 host 192.168.1.174 eq 2598
Please help.
Regards,
Suhas
06-08-2013 05:08 PM
I believe it uses both ports 1494 and 2598, so please also add 1494 to the ACL.
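The two threads above come down to the same two mistakes: a port operator placed after the source (which forces the client's ephemeral source port to equal 1494) and a missing entry for 2598. The following toy ACL evaluator, an added example that is not code from either poster or from Cisco, parses ASA extended ACEs (netmask syntax, "eq"/"range" only) and replays the 106023 deny line from the 2010 thread against the original and the corrected access-list. Port names, the sample flows, and the `ip` protocol wildcard handling are assumptions for the example; the ACE and log texts are the ones quoted in the thread.

```python
"""Toy evaluator for Cisco ASA extended ACLs (example code, not from the thread).
Shows why "any eq citrix-ica host X eq citrix-ica" never matches a real client
and why entries for both 1494 and 2598 are needed with Session Reliability on."""
import ipaddress
import re

# Port names the ASA resolves inside ACLs; assumed subset for this example.
NAMED_PORTS = {"citrix-ica": 1494, "http": 80, "https": 443, "ssh": 22}

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)"
    r"\s+(?P<proto>\S+)\s+(?P<rest>.+)$"
)
# Body of a %ASA-4-106023 message as shown by the ASDM log viewer / syslog.
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src [^:\s]+:(?P<sip>[\d.]+)/(?P<sp>\d+)"
    r" dst [^:\s]+:(?P<dip>[\d.]+)/(?P<dp>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _addr(toks):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D NETMASK (ASA uses netmasks)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def _portspec(toks):
    """Consume an optional port operator; only eq and range are handled here."""
    if toks and toks[0] == "eq":
        return ("eq", _port(toks[1])), toks[2:]
    if toks and toks[0] == "range":
        return ("range", _port(toks[1]), _port(toks[2])), toks[3:]
    return None, toks


def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {line!r}")
    toks = m.group("rest").split()
    src, toks = _addr(toks)
    sport, toks = _portspec(toks)  # a port spec right after the SOURCE constrains the client's port
    dst, toks = _addr(toks)
    dport, toks = _portspec(toks)
    if toks:
        raise ValueError(f"unparsed tokens {toks} in {line!r}")
    return {"name": m["name"], "action": m["action"], "proto": m["proto"],
            "src": src, "sport": sport, "dst": dst, "dport": dport, "text": line.strip()}


def _port_ok(spec, port):
    if spec is None:
        return True
    if spec[0] == "eq":
        return port == spec[1]
    return spec[1] <= port <= spec[2]


def ace_matches(ace, proto, sip, sp, dip, dp):
    return (ace["proto"] in (proto, "ip")
            and ipaddress.ip_address(sip) in ace["src"] and _port_ok(ace["sport"], sp)
            and ipaddress.ip_address(dip) in ace["dst"] and _port_ok(ace["dport"], dp))


def evaluate(acl_lines, flow):
    """First match wins; an applied access-group with no matching ACE denies implicitly."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, *flow):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def flow_from_106023(msg):
    """Extract the 5-tuple from a 106023 deny.  On ASA 7.x/8.2 the inbound ACL is
    checked against the mapped (public) address, which is why the log and the ACL
    both name 74.9.142.216 rather than the real 10.11.0.159."""
    m = DENY_RE.search(msg)
    if not m:
        raise ValueError("not a 106023 message")
    return (m["proto"], m["sip"], int(m["sp"]), m["dip"], int(m["dp"]))


ORIGINAL_ACL = [
    "access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica",
]
FIXED_ACL = [
    "access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq citrix-ica",
    "access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq 2598",
]
# The deny line quoted in the thread, with the ASDM column separators stripped.
DENY_LOG = ('Deny tcp src Outside:72.61.13.83/49244 dst Inside:74.9.142.216/2598 '
            'by access-group "Outside_access_in" [0x0, 0x0]')

if __name__ == "__main__":
    flow = flow_from_106023(DENY_LOG)
    print("flow from log :", flow)
    print("original ACL  :", evaluate(ORIGINAL_ACL, flow))  # ('deny', 'implicit deny')
    print("fixed ACL     :", evaluate(FIXED_ACL, flow))
    # Session Reliability off: the client connects to 1494 from an ephemeral port.
    print("fixed, 1494   :", evaluate(FIXED_ACL, ("tcp", "72.61.13.83", 50001, "74.9.142.216", 1494)))
```

The original ACE only matches when the client happens to pick source port 1494, which a real ICA client never does, so every connection fell through to the implicit deny regardless of whether it targeted 1494 or 2598. The 2013 poster's line is written in IOS wildcard-mask form (`0.0.3.255`); on an ASA it would be expressed with a netmask (`255.255.252.0`), and it still needs a second entry for 1494.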