
CITRIX ICA connection through PIX 501

Status
Not open for further replies.

scrimmy

Technical User
Sep 27, 2001
75
GB
I am having problems connecting to my Citrix ICA servers from remote offices.
Telnet and ping to the servers are OK.
To complicate matters further, I use NAT to mask my server address from the users in the remote offices.

Is there any way I can see if UDP packets are being blocked, or is there something else missing?

192.x.x.x is the remote office LAN
10.y.y.y is the NATed address
172.z.z.z is the Citrix server

Thanks in advance.



Truncated config:

PIX Version 6.3(3)

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list 100 permit icmp any any echo-reply
access-list 100 permit ip 192.x.x.0 255.255.255.0 host 10.y.y.30
global (outside) 1 10.y.y.61
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.y.y.30 172.z.z.116 netmask 255.255.255.255 0 0
access-group 100 in interface outside

 
Try to look at the syslogs to determine if the packets are being denied, but if you can telnet and ping the server then I suspect it is something on the server itself and not in the PIX.
 
Can you make a diagram of the network? Is it a LAN-private WAN-LAN connection or across the internet, VPN etc.?

Also, do you have the altaddr set on the Citrix server?

Depending on the diagram you might want to change the access-lists.
 
By telnet, did you mean you are able to telnet to the Citrix port OK (I think it is 1494)?

telnet <ip address> 1494

You should get a response of ICA.

Steve

 
In order to let your NFuse access to Citrix applications work in a NAT-ed environment, you need to configure the alternate address feature on the Citrix server first. It is done to make the server return you the mapped address, instead of its local one. The steps are as follows:

1) Use the ALTADDR command to set the alternate address on the server. Enter the following command on the Citrix server and RESTART the server afterwards.
e.g. altaddr /set 172.z.z.16 10.y.y.30
You can check it by simply typing altaddr.

2) After the server restarts, go to the NFuse Admin page through the web browser to configure NFuse. The link is as follows:

Once you go in, you can focus on the server-side firewall. Click the link for Server-side Firewall in the pane on the left-hand side. Afterwards, on the right-hand side, choose the Alternate address in the Default address translation settings. Also, you can set your local client IP prefix in order to prevent the use of the alternate address for local users.
 
Zacca is completely right.
As I think the PIX is configured well, but I think you need only to let TCP port 1494 and port 80 pass.

And you should do the rest from the Citrix server itself ...


Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
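The two things the replies above ask the poster to verify are (a) whether the outside access-list actually permits the remote LAN to reach the mapped server address on TCP 1494 (and 80), and (b) whether the ALTADDR mapping on the Citrix server matches the PIX static translation. The script below is an added example, not code from the thread or from Cisco or Citrix: it parses a small PIX-style config fragment, evaluates the access-list the way the PIX does (first match, implicit deny), and cross-checks the `static (inside,outside)` line against the real/mapped pair given to `altaddr`. The addresses are constructed RFC 1918 values standing in for the poster's 192.x / 10.y / 172.z placeholders; `check_ica_path`, `parse_config` and `acl_permits` are names chosen for this example.

```python
import ipaddress

# Constructed sample config modelled on the fragment in the thread.
# The x/y/z placeholders are replaced with made-up RFC 1918 values;
# they are not the poster's addresses.
OPEN_CONFIG = """
access-list 100 permit icmp any any echo-reply
access-list 100 permit ip 192.168.1.0 255.255.255.0 host 10.0.0.30
global (outside) 1 10.0.0.61
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.30 172.16.0.116 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

# The narrower policy suggested in the thread (constructed): only TCP 1494
# (ICA) and TCP 80 from the remote LAN to the mapped server address.
TIGHT_CONFIG = """
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.30 eq 1494
access-list 100 permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.30 eq 80
static (inside,outside) 10.0.0.30 172.16.0.116 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, statics, groups) from the subset of PIX syntax used here."""
    acls = {}     # acl number -> list of (action, proto, src_net, dst_net, dst_port)
    statics = {}  # mapped (outside) address -> real (inside) address
    groups = {}   # interface name -> (acl number, direction)
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            num, action, proto = tokens[1], tokens[2], tokens[3]
            src, i = _parse_addr(tokens, 4)
            dst, i = _parse_addr(tokens, i)
            port = None
            if i + 1 < len(tokens) and tokens[i] == "eq":
                port = int(tokens[i + 1]) if tokens[i + 1].isdigit() else tokens[i + 1]
            acls.setdefault(num, []).append((action, proto, src, dst, port))
        elif tokens[0] == "static":
            statics[tokens[2]] = tokens[3]
        elif tokens[0] == "access-group":
            groups[tokens[4]] = (tokens[1], tokens[2])
    return acls, statics, groups


def acl_permits(entries, proto, src_ip, dst_ip, port=None):
    """First-match evaluation with the PIX implicit deny at the end of the list."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto not in ("ip", proto):
            continue
        if src not in e_src or dst not in e_dst:
            continue
        if e_port is not None and e_port != port:
            continue
        return action == "permit"
    return False


def check_ica_path(config_text, remote_host, altaddr_real, altaddr_mapped):
    """Answer the thread's questions: are 1494/80 allowed in, and does the
    static translation agree with what 'altaddr /set REAL MAPPED' was given?"""
    acls, statics, groups = parse_config(config_text)
    acl_num, _direction = groups["outside"]
    entries = acls[acl_num]
    return {
        "tcp_1494_permitted": acl_permits(entries, "tcp", remote_host, altaddr_mapped, 1494),
        "tcp_80_permitted": acl_permits(entries, "tcp", remote_host, altaddr_mapped, 80),
        "static_matches_altaddr": statics.get(altaddr_mapped) == altaddr_real,
    }


if __name__ == "__main__":
    # A mistyped real address in altaddr (172.16.0.16 vs the static's .116)
    # shows up as static_matches_altaddr == False.
    print(check_ica_path(TIGHT_CONFIG, "192.168.1.10", "172.16.0.16", "10.0.0.30"))
```

Run against the real config, the third check is the one to look at first: if the address handed to `altaddr /set` is not the exact pair the PIX `static` line translates, clients get a server address they cannot reach even though the access-list is wide open.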
 
Many thanks for all the above replies.

I have had to remove the firewall and use access lists and NAT in the router instead. This works fine and when I get time I will look at the problem in a lab.

 