Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Citrix Access via ASA5505

We have a customer with a Cisco ASA5505 Firewall and they recently gone to a Citrix cloud environment. We are having a problem allowing the Citrix traffic through the ASA. Anyone with any ideas or "steps to take" would be greatly appreciated.

Community Member

Hi,When a user wants to


When a user wants to connect to a Citrix session using Citrix ICA client (citrix receiver) the ICA client uses port number 1494 and port number 2598 for session reliability.
Port number 1494 is default for ICA connection, allotted by IANA to Citrix.

Session reliability contains a secure connection over SSL and it also has the ability to maintain the sessions during fail-over.

So, you need to permit these ports on user ASA to allow Citirx via ASA.
access-list (name) permit tcp any any eq 1494
access-list (name) permit tcp any any eq 2598

Rahul Chhabra
Network Engineer
Spooster IT Services


Hello,  If you access the



If you access the Citrix Cloud Enviroment from the inside hosts to the outside, you will need to permit that communication on the ASA on the Outside Access group, to the server, and Citrix uses specific TCP ports for this.


Either ways I will give you 3 documents that have the Port numbers and another one for how to apply this access group to permit this communication, also remember the access group applied on the inside interface.


Configuring TCP ports for Citrix communication:




Permitting or Deniying Network Access:




If you have any questions let me know,


Please don't forget to rate and to mark as correct the helpful post!


David Castro,




CreatePlease to create content