Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5510 configuration for

How can I setup my asa 5510 to allow my users to be able to

get to


Re: ASA 5510 configuration for


If the ASA allows internet all websites are allowed.

If you're talking about using the MPF feature on the ASA to allow access to you can use a regular expression to match that string and permit the traffic.

Or do you have a CSC module that it's filtering HTTP?

Please explain what you want to do.


New Member

Re: ASA 5510 configuration for

We are having problems connecting to

It is allowed in the Astaro web filter but I think the Firewall is blocking it.

Can you tell me how to configure the firewall to allow gotomeeting to work.

Here is the write up from Citrix.

I think I would like to allow outbound through port 8200.

1. Citrix Online products are configured to work outbound through ports 8200, or 80 or 443. In a restricted environment port 8200 can be set

up for outbound connections. Our products do not listen for, nor do they require, any inbound connections. Connections outbound via

port 8200 are optimal, although connections through ports 80 and 443 can also be used.

2. If your firewall includes a content or application data scanning filter, this may cause blocking or latency, which would be indicated in the log

files for the filter. To address this problem, verify the below IP ranges will not be scanned or filtered by content or application data scanning

filters by specifying exception IP ranges that will not be filtered.

3. If your security policy requires you to specify explicit IP ranges, then configure your firewall to limit port 8200 or 80 or 443 destination IP

addresses to only the Citrix Online ranges listed below.

Important Note: Steps 2 and 3 are discouraged unless absolutely necessary because such IP ranges need to be periodically audited

and modified, creating additional maintenance to your network. These changes are rare, but they may be necessary to continue to provide

the maximum performance for the Citrix Online family of applications. Maintenance and failover events may cause you to connect to servers

within any of the ranges.

Citrix Online Server / Datacenter IP Addresses for Use in Firewall Configurations

Equivalent Specifications in 3 Common Formats

Citrix Online

Assigned Range

by Block*

Numeric IP Address Range Netmask Notation CIDR Notation

Block 1 - / 20

Block 2 - / 20

Block 3 - / 24

Block 4 - / 27

Block 5 - / 26

Block 6 - / 24

Block 7 - / 21

Block 8 - / 19

Block 9 - / 20

Block 10 - / 19

Block 11 - / 22

Re: ASA 5510 configuration for

You will need to check the configuration of the ASA to check if it's blocking the traffic then.

What you can check is the following:

ACL applied to the inside interface should be allowing this traffic.

If you're filtering HTTP also check that.

If you need assistance to check the configuration, you can post the ''sh run'' here and just remove the sensitive part of the configuration.


New Member

Re: ASA 5510 configuration for

Here is the config without the critical information.

Re: ASA 5510 configuration for

There's inspection for HTTP but I think the problem might be with the ACL applied to the inside interface (acl_in).

You can do the following test just to confirm the above:

Pick up an internal host i.e.

Add a rule to permit that host to access any traffic on the internet:

access-list acl_in line 1 permit ip host any

Then, try accesing from that host and see if it works. If it works is because there's something on that ACL blocking the traffic and we can check it out to determine why.


New Member

Re: ASA 5510 configuration for

I added the following

access-list acl_in extended permit ip host "users ip address" any

Now it is working.  This solution will not work because he takes his laptop out to other branches and will not always get the same IP address.

I need to create an ACL that will allow everyone to get out to

Re: ASA 5510 configuration for

Now we know that it's just a matter of permitting the traffic in the ACL.

If you include a permit ip statement it works, so one solution could be the following:

Instead of:

access-list acl_in extended permit ip host "users ip address" any


access-list acl_in extended permit ip LOCAL_NETWORK any

The above will allow any IP in the LOCAL_NETWORK to get out.

Now, if you want to restrict the traffic instead of opening the entire IP stack, you should enable logs for the Citrix transactions and check which ports are being used so that you open only those.


New Member

Re: ASA 5510 configuration for

Okay I believe we are almost there!.

Can you show me the configuration to allow traffice on port 8200.

Re: ASA 5510 configuration for

access-list NAME permit tcp LOCAL_LAN any eq 8200

If 8200 runs on top of UDP, just change TCP for UDP.


CreatePlease login to create content