Citrix Traffic failing through PIX-Netscreen VPN

Unanswered Question
Jun 27th, 2007

Hi,

I finally got the vpn working between a PIX and Netscreen. Client can hit the Citrix web server on port 80 on the remote side just fine. Can ping the web server, too.

However, when I actually try to launch the citrix.ica.asp file via a web browser, I get an error message that the remote citrix server is not responding. However when we test it from another remote site through a vpn tunnel, it works just fine.

I've applied sysopt permit ipsec.

When I clear the counters (clear ipsec sa counters) and run traffic through the tunnel, I don't see any errors on sh ipsec sa for that peer.

Any other hints?

Thanks,

Jeff

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jcw009 Thu, 06/28/2007 - 10:04

Follow up: I was able to resolve the issue by adding a permit ip host w.x.y.z host a.b.c.d to the acl applied to the dmz interface.

However, I thought that since I had applied the sysopt permit ipsec, that i wouldn't have to change any acl, anywhere??? =/

Any thoughts?

-Jeff

Here's the current dmz acl:

PIX# sh ru | g dmzholes

access-list dmzholes permit ip host A.B.C.50 host M.N.O.36

access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq www

access-list dmzholes permit udp A.B.C.0 255.255.255.0 any eq domain

access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq domain

access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq 123

access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq ftp

access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq ssh

access-list dmzholes permit tcp A.B.C.0 255.255.255.0 any eq https

access-list dmzholes permit tcp any host W.X.Y.11 eq smtp

access-list dmzholes permit ip host A.B.C.5 host W.X.Y.49

access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.11 eq 7205

access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.7 eq https

access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.7 eq citrix-ica

access-list dmzholes permit ip host A.B.C.5 host W.X.Y.50

access-list dmzholes permit ip host A.B.C.10 host W.X.Y.50

access-list dmzholes permit ip host A.B.C.5 host W.X.Y.10

access-list dmzholes permit tcp host A.B.C.5 host W.X.Y.7 eq 3389

access-list dmzholes permit icmp any any echo

access-list dmzholes permit icmp any any echo-reply

access-list dmzholes permit icmp any any source-quench

access-list dmzholes permit icmp any any unreachable

access-list dmzholes permit icmp any any time-exceeded

access-list dmzholes permit tcp any host W.X.Y.11 eq pop3

access-group dmzholes in interface dmz

acomiskey Thu, 06/28/2007 - 10:19

If the traffic were originating from the dmz and the acl is applied into dmz interface, which it appears to be, then yes this traffic will need to be allowed.

Sysopt conn permit ipsec will allow ipsec encapsulated packets to bypass interface acls, but the traffic from a dmz host into the dmz interface is not yet part of the tunnel. Make sense?

jcw009 Thu, 06/28/2007 - 10:28

Nope.

Why have I not had to do that on any of the other vpns I've set up? Were they all on the inside interface which allowed everything out by default?

acomiskey Thu, 06/28/2007 - 10:32

"Were they all on the inside interface which allowed everything out by default?"

-They were your vpn's..I can't answer that :)

jcw009 Thu, 06/28/2007 - 10:37

Yeah, they've all been on the inside interface.

Does that explain why I haven't had to change ACL's though? That either the inside interface didn't have an ACL applied, or that since it was going from the inside (sec lvl: 100) to a vpn, it didn't worry about the ACL.

acomiskey Thu, 06/28/2007 - 10:39

Most likely it is because you did not have an acl applied into the inside interface. Therefore any traffic initiated from the inside would obviously be allowed over the tunnel.

jcw009 Thu, 06/28/2007 - 10:45

So I can expect that if I implement aggressive egress filtering at a site that's using a site-site vpn, then I may "break" the vpn until I modify the egress ACL?

acomiskey Thu, 06/28/2007 - 10:57

Yes, if you create an ingress acl on an interface, except for the interface where the vpn is terminating, you will have to allow the traffic as you did above.

note: I assume by egress, you mean out of the remote network, not out of an inteface.

jcw009 Thu, 06/28/2007 - 12:16

correct assumption re egress

Just for clarification, "except for the interface where the vpn is terminating" means (in most if not all cases) the outside interface, as that is where all of my crypto maps get applied as well as my isakmp statements.

Is there a case where it wouldn't be applied to the outside interface?

acomiskey Thu, 06/28/2007 - 12:20

You could apply it to another interface, but I just thought it was important to add that as adding an acl into the outside interface would not do anything as sysopt conn permit ipsec will allow that traffic. So I just wanted to be as particular as possible that's all.

Actions

This Discussion