
NATting on ASA with Citrix connection.

mahesh18
Level 6

Hi everyone,

I am accessing my corp network via the Citrix client.

Here are the logs from the internet ASA when I use Citrix:

TCP outside 70.75..x.x:52705 Internal 10.31.35.10:443, idle 0:00:00, bytes 3614224, flags UIOB

This tells us that connection is coming from outside interface of ASA and going to Internal IP 10.31.35.10.

Where 70.75 is my PC IP.

Here is the NATting on the ASA:

nat (Internal) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

This NAT tells us that if the source is any and coming from Internal, then translate it to the public IP of the outside interface, which will be PAT, right?

Here is the static NAT config for Citrix:

static (Internal,outside) 210.x.x.x  10.31.35.10 netmask 255.255.255.255

where 10.31.35.10 is the internal IP of the Citrix server and 210.x.x.x is the global IP.

I need to understand: when I open the URL with the global IP, which is 210.x.x.x, it comes to the ASA and first hits the outside interface, then it hits the static NAT rule, which says if the destination is 210.x.x then translate this into the internal IP of the server, which is 10.31.35.10.

Regards

Mahesh

Accepted Solutions

Jon Marshall
Hall of Fame

Mahesh

The nat/global statements translate all source IPs to the outside interface IP address when going from inside to outside. In terms of your Citrix access this rule does not do anything because you have a static NAT statement which takes precedence.

The static NAT statement does exactly what you say.

So your PC src IP is never translated because coming in from the internet it is the source IP and you do not have a rule to translate those, and going back to your PC it is the destination IP and again you do not have a rule to translate that.

Note when I say you don't have rules I mean from what you have posted, as there may well be other rules on the firewall.

Jon
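
The translation behaviour described in the answer above, as an added example that is not part of the original posts and is not ASA code: a small Python model of the posted `static` and `nat`/`global` statements showing which address changes in each direction. The client, global and interface addresses are constructed documentation-range stand-ins for the redacted ones, and `OUTSIDE_IF_IP` and `pat_port` are assumptions.

```python
# Added illustration (not ASA code): a minimal model of the legacy (pre-8.3)
# nat/global/static behaviour discussed in this thread.
from dataclasses import dataclass, replace

# Constructed documentation-range addresses; the thread redacts the real ones.
CLIENT_PC = "198.51.100.25"      # stands in for 70.75.x.x
CITRIX_GLOBAL = "203.0.113.10"   # stands in for 210.x.x.x
OUTSIDE_IF_IP = "203.0.113.1"    # assumed outside interface address
CITRIX_REAL = "10.31.35.10"      # from the posted static statement

# static (Internal,outside) <global> <real> netmask 255.255.255.255
STATIC = {CITRIX_REAL: CITRIX_GLOBAL}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def outside_to_internal(pkt: Packet) -> Packet:
    """Inbound: only the destination is looked up against static globals."""
    for real, mapped in STATIC.items():
        if pkt.dst == mapped:
            return replace(pkt, dst=real)   # un-translate the destination
    return pkt  # no rule in the posted config touches the source address


def internal_to_outside(pkt: Packet, pat_port: int = 1024) -> Packet:
    """Outbound: static NAT is matched before nat 1 / global 1 (PAT)."""
    if pkt.src in STATIC:
        return replace(pkt, src=STATIC[pkt.src])   # one-to-one, port kept
    # nat (Internal) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface
    return replace(pkt, src=OUTSIDE_IF_IP, sport=pat_port)


def demo():
    syn = Packet(CLIENT_PC, 52705, CITRIX_GLOBAL, 443)
    inbound = outside_to_internal(syn)
    reply = internal_to_outside(Packet(CITRIX_REAL, 443, CLIENT_PC, 52705))
    other = internal_to_outside(Packet("10.31.35.77", 40000, "192.0.2.80", 80))
    return inbound, reply, other


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The client address is identical before and after the firewall in both directions, which is why the connection table entry in the question shows the PC's own IP against 10.31.35.10:443.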


Thanks Jon for replying to my question.

Regards

Mahesh
