Solved: Citrix ICA through ASA 5510

ronealjr8904 · ‎09-20-2010

Hello all,

I am new to Cisco ASA (coming from Watchguard Firebox 1000) and need some help allowing Citrix ICA traffic through our ASA 5510. I am not using secure gateway. I just want to allow a direct connect from the internet to my Citrix server. I have set up a static NAT for the Citrix server and setup a security rule on the outside interface to allow Citrix ICA from any to the NAT IP. When I try to connect to the Citrix server, the packet is denied by rule "access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica". This is how I had it set up with our Watchguard. Here is a copy of the config.

Thanks for your help.

ASA Version 7.2(4)18

hostname Paetec

domain-name Paetec.thelandlcompany.com

enable password nRkrK2UDMhbxbMqH encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

interface Ethernet0/0

 nameif Outside

 security-level 0

 ip address 74.9.142.210 255.255.255.240

interface Ethernet0/1

 nameif Inside

 security-level 100

 ip address 10.11.0.242 255.255.0.0

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0

 management-only

boot system disk0:/asa724-18-k8.bin

ftp mode passive

dns server-group DefaultDNS

 domain-name Paetec.thelandlcompany.com

access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0

access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.60.0.0 255.255.0.0

access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.70.0.0 255.255.0.0

access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0

access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.5.0.0 255.255.0.0

access-list Outside_1_cryptomap remark VPN Glenburnie MD

access-list Outside_1_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0

access-list Outside_2_cryptomap remark VPN Frederick MD

access-list Outside_2_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.60.0.0 255.255.0.0

access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica

access-list Outside_3_cryptomap remark VPN Seaford DE

access-list Outside_3_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.70.0.0 255.255.0.0

access-list Outside_4_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0

access-list Outside_5_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.5.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-52450.bin

no asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

static (Inside,Outside) 74.9.142.216 10.11.0.159 netmask 255.255.255.255

no threat-detection statistics tcp-intercept

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 74.9.142.209 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.11.0.0 255.255.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set pfs group1

crypto map Outside_map 1 set peer 151.196.59.245

crypto map Outside_map 1 set transform-set ESP-3DES-SHA

crypto map Outside_map 2 match address Outside_2_cryptomap

crypto map Outside_map 2 set pfs group1

crypto map Outside_map 2 set peer 70.16.191.240

crypto map Outside_map 2 set transform-set ESP-3DES-SHA

crypto map Outside_map 3 match address Outside_3_cryptomap

crypto map Outside_map 3 set pfs group1

crypto map Outside_map 3 set peer 68.162.89.12

crypto map Outside_map 3 set transform-set ESP-3DES-SHA

crypto map Outside_map 4 match address Outside_4_cryptomap

crypto map Outside_map 4 set pfs group1

crypto map Outside_map 4 set peer 173.73.112.98

crypto map Outside_map 4 set transform-set ESP-3DES-SHA

crypto map Outside_map 5 match address Outside_5_cryptomap

crypto map Outside_map 5 set pfs group1

crypto map Outside_map 5 set peer 216.156.195.162

crypto map Outside_map 5 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp enable Inside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

telnet 10.11.0.0 255.255.0.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

group-policy DfltGrpPolicy attributes

 banner none

 wins-server none

 dns-server none

 dhcp-network-scope none

 vpn-access-hours none

 vpn-simultaneous-logins 3

 vpn-idle-timeout 120

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

 password-storage disable

 ip-comp disable

 re-xauth disable

 group-lock none

 pfs disable

 ipsec-udp disable

 ipsec-udp-port 10000

 split-tunnel-policy tunnelall

 split-tunnel-network-list none

 default-domain none

 split-dns none

 intercept-dhcp 255.255.255.255 disable

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout 30

 ip-phone-bypass disable

 leap-bypass disable

 nem disable

 backup-servers keep-client-config

 msie-proxy server none

 msie-proxy method no-modify

 msie-proxy except-list none

 msie-proxy local-bypass disable

 nac disable

 nac-sq-period 300

 nac-reval-period 36000

 nac-default-acl none

 address-pools none

 smartcard-removal-disconnect enable

 client-firewall none

 client-access-rule none

 webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

tunnel-group 162.83.93.74 type ipsec-l2l

tunnel-group 162.83.93.74 ipsec-attributes

 pre-shared-key *

tunnel-group 70.16.191.240 type ipsec-l2l

tunnel-group 70.16.191.240 ipsec-attributes

 pre-shared-key *

tunnel-group 70.155.139.130 type ipsec-l2l

tunnel-group 70.155.139.130 ipsec-attributes

 pre-shared-key *

tunnel-group 151.196.59.245 type ipsec-l2l

tunnel-group 151.196.59.245 ipsec-attributes

 pre-shared-key *

tunnel-group 68.162.89.12 type ipsec-l2l

tunnel-group 68.162.89.12 ipsec-attributes

 pre-shared-key *

tunnel-group 173.73.112.98 type ipsec-l2l

tunnel-group 173.73.112.98 ipsec-attributes

 pre-shared-key *

tunnel-group 216.156.195.162 type ipsec-l2l

tunnel-group 216.156.195.162 ipsec-attributes

 pre-shared-key *

class-map inspection_default

 match default-inspection-traffic

policy-map global_policy

 class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:c1d61a48af401ee31cafa12c30d42de0

: end

asdm image disk0:/asdm-52450.bin

no asdm history enable

Jennifer Halim · ‎09-21-2010

From the syslog, it uses port 2598, pls add the following ACL:

access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq 2598

View solution in original post

Jennifer Halim · ‎09-20-2010

Please change the following access-list:

FROM:

access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ic

TO:
access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq citrix-ica

Please kindly make sure that you add the new line first before removing the existing line of access-list
as I see that you only have 1 line of "Outside_access_in" ACL.

Hope that helps.

ronealjr8904 · ‎09-21-2010

I made the change but still get denied. Here is the log entry.

4

Sep 21 2010

04:35:37

106023

72.61.13.83

74.9.142.216

Deny tcp src Outside:72.61.13.83/49244 dst Inside:74.9.142.216/2598 by access-group "Outside_access_in" [0x0, 0x0]

Jennifer Halim · ‎09-21-2010

From the syslog, it uses port 2598, pls add the following ACL:

access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq 2598

ronealjr8904 · ‎09-21-2010

That did it. Citrix ICA uses 1494. port 2598 is for session reliability which is turned on by default on the new Citrix client. I can either turn off session reliability or open port 2598, both work.

Thanks for your help.

suhas_syndrome · ‎06-08-2013

Hi,

what acces-list should be configure to allow citrix traffic...

i have apply following acl but citrix dosent work...

permit tcp xx.xx.xx.0 0.0.3.255 host 192.168.1.174 eq 2598

plz help

re

suhas

Jennifer Halim · ‎06-08-2013

I believe it uses both port 1494 and 2598, so please also add 1494 into the ACL.