NATting on ASA with Citrix connection.

Hi everyone,

I am accessing my corp network via Citrix client.

Here are the logs from the internet ASA when I use Citrix:

TCP outside 70.75..x.x:52705 Internal 10.31.35.10:443, idle 0:00:00, bytes 3614224, flags UIOB

This tells us that the connection is coming from the outside interface of the ASA and going to Internal IP 10.31.35.10,

where 70.75 is my PC IP.

Here is the NATting on the ASA:

nat (Internal) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

This NAT tells us that if the source is any and coming from Internal, then translate it to the public IP of the outside interface, which will be PAT, right?

Here is the static NAT config for Citrix:

static (Internal,outside) 210.x.x.x  10.31.35.10 netmask 255.255.255.255

where 10.31.35.10 is the internal IP of the Citrix server and 210.x.x.x is the global IP.

Need to understand: when I open the URL with the global IP, which is 210.x.x.x, it comes to the ASA and first hits the outside interface, then it hits the static NAT rule, which says if the destination is 210.x.x then translate this into the internal IP of the server, which is 10.31.35.10.

Regards

Mahesh

Accepted Solutions
Re: NATting on ASA with Citrix connection.

Mahesh

The nat/global statements translate all source IPs to the outside interface IP address when going from inside to outside. In terms of your Citrix access this rule does not do anything because you have a static NAT statement which takes precedence.

The static NAT statement does exactly what you say.

So your PC src IP is never translated, because coming in from the internet it is the source IP and you do not have a rule to translate those, and going back to your PC it is the destination IP and again you do not have a rule to translate that.

Note when I say you don't have rules I mean from what you have posted, as there may well be other rules on the firewall.

Jon
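
The translation decisions described in this answer, as an added example that is not part of the original thread and is not Cisco code: a simplified Python model of how the three posted statements apply to the Citrix flow, its reply, and an ordinary inside host. It ignores ports, ACLs and connection state; the public addresses and the 10.31.35.20 host are constructed stand-ins because the thread elides or does not give them.

```python
# Simplified model of NAT selection for the statements posted in this thread.
# Constructed stand-ins (the thread elides or omits the real values):
GLOBAL_IP = "203.0.113.10"    # stands in for 210.x.x.x
OUTSIDE_IF_IP = "192.0.2.1"   # outside interface address, not given in the thread
PC_IP = "198.51.100.7"        # stands in for the 70.75.x.x client
CITRIX_IP = "10.31.35.10"     # real address from the static statement

# static (Internal,outside) <global> <real>: one-to-one, works in both directions
STATICS = {CITRIX_IP: GLOBAL_IP}


def translate(in_if, src, dst):
    """Return (src, dst, rule) as the packet looks after leaving the firewall."""
    if in_if == "outside":
        # Inbound: only the destination is compared with the static's global
        # address. None of the posted statements rewrites an outside source.
        for real, mapped in STATICS.items():
            if dst == mapped:
                return src, real, "static (un-NAT destination)"
        return src, dst, "no translation"
    if in_if == "Internal":
        # Outbound: a matching static takes precedence over nat/global.
        if src in STATICS:
            return STATICS[src], dst, "static (NAT source)"
        # nat (Internal) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface
        return OUTSIDE_IF_IP, dst, "dynamic PAT to interface"
    raise ValueError(f"unknown interface {in_if!r}")


def demo():
    """Client to server, the server's reply, and another inside host."""
    return [
        translate("outside", PC_IP, GLOBAL_IP),
        translate("Internal", CITRIX_IP, PC_IP),
        translate("Internal", "10.31.35.20", PC_IP),  # hypothetical inside host
    ]


if __name__ == "__main__":
    for src, dst, rule in demo():
        print(f"{src:>15} -> {dst:<15} {rule}")
```
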

NATting on ASA with Citrix connection.

Thanks Jon for replying to my question.

Regards

Mahesh
