I am concerned that the outside_access_in ACL permits any to either address. I would personally normally permit the services specifically and deny anything else. Would the NAT statements prevent any unwanted traffic? Or would such an open ACL on the outside int still leave us vulnerable?
Also, I cannot see the alias command present, which I used when configuring a Citrix gateway on a 515e into a DMZ. Is that only required when using a DMZ?
The Access Control Entries will allow all traffic, but since there are only translations for specific ports, the traffic not defined by an xlate entry will get dropped on an xlate lookup. Really the best thing is to be specific with your ACEs. Can be helpful with ACL counters, rule-specific logging, etc.
The alias command does DNAT and DNS doctoring. Neither is required for Citrix. You may have had to use it for a specific reason, but there usually is a way around having to use it.
As Joe has said, the NAT translations will only allow through those specific ports, so no, there is not a greater security risk, but I agree wholeheartedly with Joe in that you really should do this with ACLs and not translations. Simply because the NAT translations are a more indirect way of controlling access than using ACLs applied to the interface, and it would be easier in my opinion to make a config error.
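The advice in the replies above (specific ACEs instead of a broad permit that relies on the translations) can be checked mechanically. The following is an added example, not part of the original thread: it derives per-service ACEs from the static port translations and ends with a logged deny. The configuration text is constructed, uses documentation addresses, and assumes the pre-8.3 PIX/ASA `static` syntax.

```python
import re

# Constructed sample config (pre-8.3 PIX/ASA syntax, documentation addresses).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit ip any host 203.0.113.10
access-list outside_access_in extended permit ip any host 203.0.113.11
static (inside,outside) tcp 203.0.113.10 443 192.168.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 smtp 192.168.1.11 smtp netmask 255.255.255.255
"""

# static (real_if,outside) proto mapped_ip mapped_port real_ip real_port ...
STATIC_RE = re.compile(r"^static \(\S+,outside\) (tcp|udp) (\S+) (\S+) \S+ \S+")
# An ACE that permits every IP protocol from anywhere to one mapped host.
BROAD_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip any host (\S+)\s*$")


def published_services(config):
    """Return {mapped_ip: [(proto, port), ...]} taken from static PAT lines."""
    services = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, ip, port = m.groups()
            services.setdefault(ip, []).append((proto, port))
    return services


def tighten(config):
    """Replace each broad ACE with one ACE per published service.

    A broad ACE whose host has no static translation yields nothing,
    and every affected ACL ends with an explicit, logged deny.
    """
    services = published_services(config)
    out, acls = [], []
    for line in config.splitlines():
        m = BROAD_RE.match(line.strip())
        if not m:
            continue
        acl, ip = m.groups()
        if acl not in acls:
            acls.append(acl)
        for proto, port in services.get(ip, []):
            out.append(f"access-list {acl} extended permit {proto} any host {ip} eq {port}")
    out.extend(f"access-list {acl} extended deny ip any any log" for acl in acls)
    return out


if __name__ == "__main__":
    print("\n".join(tighten(SAMPLE_CONFIG)))
```

With the ACEs written this way, a later change to a translation no longer silently widens what the outside interface accepts, and the per-rule hit counts and the logged deny show what is actually arriving.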