I have a question around PIX 501 (6.3) configuration which I was hoping someone can shed some light on. I am trying to allow traffic from a single Citrix CAG across a variety of ports (80,443,9001-9005,27000,7279,1494,2598) from the external (DMZ) interface through to multiple addresses (on the same ports) on the internal (secure) network and don't know how to best approach it or if it's possible. The only way I have found to allow traffic through is via static NAT entries, which I can't see will work for this requirement as we need some ports to be allowed into multiple addresses.
I am happy to provide a config, though to be honest it can be assumed to be blank as the environment is being replaced, so I am happy to rebuild to best practice.
Any help would be appreciated as PIX are really not my thing, and let me know if you need more information.
The environment is (Internet)External Pix(DMZ)----------------Citrix Gateway-----------------(DMZ)Internal Pix(LAN)-----------LAN.
A 4500 switch is used to link the different VLANs that make up the DMZ and LAN.
The problem we have is the Citrix Gateway will receive requests from the internet through the External Pix and then forward requests to the outside interface of the Internal Pix, destined for a Citrix farm on the LAN. These requests will be over various ports and to one of a number of internal IP addresses (say 10.0.1.120/28), so for example port 80 traffic may need to go to any one of these hosts.
By default the PIX is configured with dynamic NAT to allow all access from the LAN to the DMZ, but I am unsure how to allow access from the DMZ to the LAN to multiple hosts on the same port. My understanding is that static NAT will only allow one port per host per interface, but I could well be wrong?
Apologies if this is not clear, so feel free to query anything.
I guess you would be doing the NAT on the external PIX, so the packets that are forwarded to the internal PIX would have the destination as their private IPs only; for that, on the internal PIX you can either do a NAT exempt on them for the entire LAN or policy NAT for it. On the external PIX you would definitely need static NATs, so that users from the outside are able to hit your servers on the internal LAN. My suggestion is: restrict the traffic (ports and IPs) on the external PIX, and then just pass the traffic through the internal PIX, but it all depends on your requirement.
Packets are restricted on the external PIX and are translated to the address of the Citrix CAG. Once the CAG receives the request it then processes it and will send various requests to one or more Citrix servers on the LAN. For example, assuming the DMZ has an address range of 10.13.7.0/27 and the LAN has 10.0.0.0/16:
My understanding is that the CAG in this configuration sends requests to the internal farm from 10.13.7.5 using 10.13.7.11 as the default gateway (OSPF on the PIX to allow routing to the 10.0.0.0/16 network). I could add static entries, but that breaks down because some ports (e.g. particularly 80 and 443) may need to go to more than one internal host, so I can't create a static NAT for a single internal host (or at least I don't think I can).
Apologies if it seems like an odd configuration, but it's one I have inherited and I'm pretty much stuck with it until I can redesign in a few months.
Thanks for your help with this. Creating the nat exemption and a specific outside_in access list resolved the issue. It took longer than expected to test this sufficiently so sorry for the delay in responding.
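For readers arriving at this thread later, the following is an added worked example of the approach the replies settle on (NAT exemption plus an explicit outside-in access list on the internal PIX). It is not the poster's configuration or Cisco documentation. The interface addresses, the CAG address 10.13.7.5, the DMZ range 10.13.7.0/27 and the LAN 10.0.0.0/16 are taken from the thread; the farm subnet is assumed here to be 10.0.1.112/28 (the /28 that contains the 10.0.1.120 address mentioned above), and the ACL name `outside_in` follows the name used in the final post. The syntax is PIX 6.3 (subnet masks, not wildcard masks, in access lists).

```text
! Internal PIX 501, PIX OS 6.3. Constructed example, not the poster's config.
! outside = DMZ-facing interface (CAG side), inside = LAN.
ip address outside 10.13.7.11 255.255.255.224
ip address inside 10.0.0.1 255.255.0.0

! Existing LAN -> DMZ dynamic NAT (the "default" the poster describes).
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.0.0

! NAT exemption: the farm keeps its real 10.0.1.x addresses when talking to
! the CAG, so one translation covers every host and every port. Without a
! static or a nat 0 entry the PIX has no xlate for DMZ -> LAN packets and
! silently drops them, which is the "static NAT only" dead end above.
access-list NONAT permit ip 10.0.1.112 255.255.255.240 host 10.13.7.5
nat (inside) 0 access-list NONAT

! Outside-in ACL: only the CAG, only the Citrix ports, only the farm subnet.
! Everything else from the DMZ is dropped by the implicit deny.
access-list outside_in permit tcp host 10.13.7.5 10.0.1.112 255.255.255.240 eq www
access-list outside_in permit tcp host 10.13.7.5 10.0.1.112 255.255.255.240 eq https
access-list outside_in permit tcp host 10.13.7.5 10.0.1.112 255.255.255.240 range 9001 9005
access-list outside_in permit tcp host 10.13.7.5 10.0.1.112 255.255.255.240 eq 27000
access-list outside_in permit tcp host 10.13.7.5 10.0.1.112 255.255.255.240 eq 7279
access-list outside_in permit tcp host 10.13.7.5 10.0.1.112 255.255.255.240 eq 1494
access-list outside_in permit tcp host 10.13.7.5 10.0.1.112 255.255.255.240 eq 2598
access-group outside_in in interface outside
```

Two things worth checking after applying this: `show access-list outside_in` should show hit counts climbing only on the lines you expect when the CAG is exercised, and `show xlate` should show no translations for the farm hosts (identity traffic under `nat 0` does not create a dynamic xlate the way the `nat 1` pool does). Keeping the source restricted to the single CAG host and the destination to the farm subnet, rather than permitting the whole DMZ or the whole LAN, is what makes the exemption safe: the exemption removes the address translation, and the access list alone decides what is allowed in.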