Access citrix server through 827

Unanswered Question
Oct 10th, 2007
Hi,

Can anybody advise me how to allow outside requests to my internal Citrix web interface through an 827 router? All other traffic from outside should be blocked too.

Also, how do I allow only a single computer to access the Internet from my given LAN?

Following is the full configuration. I am a novice in Cisco, so please bear with me. I would appreciate it if you could point out any errors in the configs.


Thanks


______________________________________



Current configuration : 1755 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MYROUTER
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Ethernet0
 ip address 192.168.100.27 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl firmware secondary
!
interface ATM0.2 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxx
 ppp pap sent-username xxxxx password 0 xxxx
 ppp ipcp dns request
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
!
voice-port 1
!
voice-port 2
!
voice-port 3
!
voice-port 4
!
!
line con 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 login
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

MYROUTER#

spremkumar Wed, 10/10/2007 - 04:18

Hi


If you want your remote users to access your Citrix server, which is kept inside your local LAN, then you need to do a proper one-to-one static mapping (NAT) with the public IP address which can be accessed from the outside world.

If you wish, you can have a port-based mapping (NAT) which can be accessed by the remote users.

ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25

Here the inside host 192.x.x.x has been NATted with 171.x.x.x, so your remote users will be accessing the 171.x.x.x IP in order to access the internal server.

But I am not seeing any static IP being used in your config to achieve this.

For allowing a single PC alone to access the Internet, I would suggest modifying the access-list to permit the IP of the PC which is required to access the Internet.

Regards


basheerpt Wed, 10/10/2007 - 04:36

Thanks a lot.


Yes, I am not using a static IP for Internet this time. So, is it correct to use it like the following?


ip nat inside source static tcp 192.168.10.1 25 dialer1 25


Besides this, I found in a forum that it should be used in the dialer as follows:

ip access-group xxx in

If you don't mind, please help me to write the exact configuration.


Best regards

spremkumar Wed, 10/10/2007 - 05:02

Hi Basheer


Though I haven't ever tried experimenting with the interface followed by the port number, I don't think that will work or even allow the command to be keyed in.

Also, the one I posted is just a sample dealing with an SMTP connection; Citrix ICA normally uses 1494.

So you need to open both UDP/TCP ports 1494 accordingly.

You can block the access either way: by configuring only the IP address which is attached to the NAT overload statement, you will be able to access the Internet only with that IP.



ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.100.x

where 192.168.100.x is the IP from which you want to have Internet access

Regards


basheerpt Wed, 10/10/2007 - 06:17

Thanks again.

I did try as follows but it didn't open my internal web server page. Here is the config I changed:


ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.8 8081 interface Dialer1 80
ip nat inside source static tcp 192.168.100.8 443 interface Dialer1 443
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
access-list 1 permit 192.168.100.8
access-list 1 permit 192.168.100.128


------------------------------------

Is the configuration correct? When I enter my external IP in the browser, I don't get redirected to the internal web server's page; instead I get "page cannot be displayed".


Thanks for any help
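
The pieces discussed in this thread (static port mapping on the dynamic Dialer1 address, an inbound filter on the dialer, and NAT overload limited to one PC) put together as an added example; it is not a configuration posted by any participant. Assumptions: the Citrix server is 192.168.100.8 and the one permitted PC is 192.168.100.128 (both taken from the last post), ACL number 101 is an arbitrary choice, and only TCP 443 and TCP 1494 are published.

```cisco
! Added example, not from the thread.
! Assumed: server 192.168.100.8, permitted PC 192.168.100.128, ACL 101.
!
! Publish the Citrix server on whatever address Dialer1 negotiates
ip nat inside source static tcp 192.168.100.8 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.8 1494 interface Dialer1 1494
!
! Outbound Internet (NAT overload) for one PC only
no access-list 1
access-list 1 permit 192.168.100.128
ip nat inside source list 1 interface Dialer1 overload
!
! Inbound filter on the outside interface. It is checked before NAT,
! so the destination is the public address (dynamic here, hence "any").
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1494
! Replies to TCP sessions opened from the inside PC
access-list 101 permit tcp any any established
! DNS replies (stateless match on source port 53)
access-list 101 permit udp any eq domain any
! Path MTU discovery matters on the 1492-byte PPPoE link
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any echo-reply
! Everything else from outside is dropped and logged
access-list 101 deny ip any any log
!
interface Dialer1
 ip access-group 101 in
```

Because ACL 101 ends in a deny, the router's own HTTP server and vty lines, both open in the posted configuration, also stop being reachable from the Internet side. `show access-lists 101` prints per-entry match counts, which shows whether inbound connections are reaching the permit lines.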
