10-10-2007 12:11 AM - edited 03-03-2019 07:06 PM
Hi,
Can anybody advise me how to allow outside requests to my internal Citrix Web Interface through an 827 router? All other traffic from outside should be blocked too.
Also, how do I allow only a single computer on my LAN to access the internet?
The following is the full configuration. I am a novice with Cisco, so please bear with me; I would appreciate it if you pointed out any errors in the config.
Thanks
______________________________________
Current configuration : 1755 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MYROUTER
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.100.27 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
dsl firmware secondary
!
interface ATM0.2 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxx
ppp pap sent-username xxxxx password 0 xxxx
ppp ipcp dns request
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
!
voice-port 1
!
voice-port 2
!
voice-port 3
!
voice-port 4
!
!
line con 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end
MYROUTER#
10-10-2007 04:18 AM
Hi
If you want your remote users to access your Citrix server, which is kept inside your local LAN, then you need to do a proper one-to-one static mapping (NAT) with a public IP address that can be accessed from the outside world.
If you wish, you can have a port-based mapping (NAT) which can be accessed by the remote users.
ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25
Here the inside host 192.x.x.x has been NATted to 171.x.x.x, so your remote users will access the 171.x.x.x IP in order to reach the internal server.
But I am not seeing any static IP being used in your config to achieve this.
To allow a single PC alone to access the internet, I would suggest modifying the access list to permit the IP of the PC that is required to access the internet.
regds
10-10-2007 04:36 AM
Thanks a lot.
Yes, I am not using a static IP for the internet this time. So, is it correct to use the following?
ip nat inside source static tcp 192.168.10.1 25 dialer1 25
Besides this, I found in a forum that the dialer should use the following:
ip access-group xxx in
If you don't mind, please help me write the exact configuration.
Best regards
10-10-2007 05:02 AM
Hi Basheer
Though I haven't ever tried experimenting with the interface followed by the port number, I don't think that will work or even allow the command to be keyed in.
Also, the one I posted is just a sample dealing with an SMTP connection; Citrix ICA normally uses 1494.
So you need to open both UDP/TCP ports 1494 accordingly.
You can block the access either way: by configuring only the IP address which is attached to the NAT overload statement, you will be able to access the internet only with that IP.
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.100.x
where 192.168.100.x is the IP from which you want to have internet access.
regds
10-10-2007 06:17 AM
Thanks again.
I did try the following, but it didn't open my internal web server page. Here is the config I changed:
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.8 8081 interface Dialer1 80
ip nat inside source static tcp 192.168.100.8 443 interface Dialer1 443
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
access-list 1 permit 192.168.100.8
access-list 1 permit 192.168.100.128
------------------------------------
Is the configuration correct? When I enter my external IP in the browser, I don't get redirected to the internal web server's page; instead I get "page cannot be displayed".
Thanks for any help
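The pieces discussed in this thread, put together as an added example that is not part of any poster's reply: the port forwards bound to Dialer1, a NAT overload list limited to the permitted hosts, and an inbound ACL applied with ip access-group on Dialer1. The ACL name OUTSIDE-IN is an assumption; the addresses and ports are the ones from the last post.

```cisco
! Added example, not from the thread. OUTSIDE-IN is an assumed ACL name.
!
! Outbound NAT: only hosts matched by access-list 1 are translated,
! so only they can reach the internet.
no access-list 1
access-list 1 permit 192.168.100.8
access-list 1 permit 192.168.100.128
ip nat inside source list 1 interface Dialer1 overload
!
! Inbound port forwards. The outside address is negotiated over PPP,
! so the mapping is bound to the interface instead of a fixed IP.
ip nat inside source static tcp 192.168.100.8 8081 interface Dialer1 80
ip nat inside source static tcp 192.168.100.8 443 interface Dialer1 443
!
! Inbound filter. An input ACL is checked before NAT translates the
! destination, so it matches the public ports (80/443), not 8081.
ip access-list extended OUTSIDE-IN
 remark published web ports
 permit tcp any any eq 80
 permit tcp any any eq 443
 remark return traffic for sessions started from the inside (stateless)
 permit tcp any any established
 permit udp any eq domain any
 remark keep path-MTU discovery working across the 1492-byte PPPoE link
 permit icmp any any packet-too-big
 remark everything else, including the router's own vty lines, is dropped
 deny ip any any log
!
interface Dialer1
 ip access-group OUTSIDE-IN in
```

The `established` and `udp eq domain` entries are a stateless approximation of return-traffic handling: they match on TCP flags and source port only, so they are looser than a stateful inspection rule would be.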