NAT inside outside problem with Citrix SG environment
Please help, I have been trying this for a couple of days with no success.
I have a Cisco 1811 router and would like to test a Citrix environment with Secure Gateway in the DMZ zone and XenApp servers in the secure network. We have a single public IP address. I had to forward port 443 (https) from public to DMZ, and need to forward ports 1494 and 80 from DMZ to the secure network.
The problem is with the latter port forwarding (DMZ -> secure).
Fe0 is ip nat outside
DMZ is ip nat inside
and forwarding port 443 works great.
But I don't know how to forward further from inside (DMZ) to outside (secure).
Here is the stripped config. I am using ZFW, but I haven't shown it, for readability.
interface FastEthernet0
 description ISP
 ip address 89.x.x.254 255.255.255.252
 ip nat outside
!
interface FastEthernet1
 description SECURE_NET
 ip address 10.146.1.5 255.255.255.0
 ip nat outside
!
interface FastEthernet2
 switchport access vlan 21
!
interface FastEthernet3
 switchport access vlan 22
!
interface FastEthernet4
 switchport access vlan 23
!
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan21
 description FULL_INTERNET_ACCESS
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan22
 description PUBLIC_SERVICES
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Vlan23
 description DMZ
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
!
ip route 0.0.0.0 0.0.0.0 89.x.x.253
!
!
! full access vlan21 to internet
ip nat inside source list 21 interface FastEthernet0 overload
!
! port forwarding ftp port to publish ftp server (vlan22) on internet
ip nat inside source static tcp 192.168.2.101 21 interface FastEthernet0 21
!
! port forwarding https (443) to Citrix Secure Gateway in DMZ zone (vlan23)
ip nat inside source static tcp 192.168.3.10 443 interface FastEthernet0 443
!
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 13 permit 192.168.3.10
This portion works OK.
Now I am trying to check ICA port 1494 on server 10.146.1.20 on the secure net.
If I use:
ip nat inside source list 13 interface FastEthernet1 overload
and check with:
telnet 10.146.1.20 1494 from the Secure Gateway server 192.168.3.10 in Vlan23 (DMZ)
telnet works, so I can see the "ICAICAICA..." response from the ICA heartbeat.
But this is not "real" port forwarding, is it? In this case I actually have the whole 10.146.1.0/24 network available directly, which was not the intention.
If I try to use "real" port forwarding:
ip nat outside source static 10.146.1.20 192.168.3.20
I can ping 192.168.3.20 from the Secure Gateway server in the DMZ, but when I try to telnet 192.168.3.20 1494 there is no response. Yes, I put altaddr to 192.168.3.20 on the XenApp (PS) server (10.146.1.20).
Is it OK to nat outside in this case? The problem is that VLAN23 (DMZ) already has nat inside, due to port forwarding from the public net (F0). If I put the secure network (Fe1) as ip nat inside as well, probably no translation will happen.
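An added example, not part of the original post, showing how the exposure described above (the whole 10.146.1.0/24 reachable from the DMZ once the list-13 overload translation is in place) can be narrowed with the zone-based firewall the post says is already configured. A NAT ACL only decides which packets get translated; it is not access control, so the restriction to host 10.146.1.20 on tcp/1494 and tcp/80 is done in the ZFW zone-pair policy. The zone, class-map, policy-map and ACL names are assumptions of this example; the addresses and interfaces are the ones from the post. It also assumes that the DMZ-to-secure policy sees the pre-NAT DMZ source address (192.168.3.10) and the untranslated secure-net destination, which holds for the overload approach because only the source is translated.

```cisco
! Keep the working translation from the post: DMZ host 192.168.3.10 is
! source-NATed to the FastEthernet1 address when it talks to the secure net.
ip nat inside source list 13 interface FastEthernet1 overload
!
! Extended ACL (assumed name): only the Secure Gateway host may reach the
! XenApp server, and only on the ICA (1494) and HTTP (80) ports.
ip access-list extended ACL-DMZ-TO-XENAPP
 permit tcp host 192.168.3.10 host 10.146.1.20 eq 1494
 permit tcp host 192.168.3.10 host 10.146.1.20 eq www
!
! Class (assumed name): TCP flows that match the ACL above.
class-map type inspect match-all CM-DMZ-TO-XENAPP
 match access-group name ACL-DMZ-TO-XENAPP
 match protocol tcp
!
! Policy (assumed name): statefully inspect the allowed flows, drop and log
! everything else from DMZ towards the secure network.
policy-map type inspect PM-DMZ-TO-SECURE
 class type inspect CM-DMZ-TO-XENAPP
  inspect
 class class-default
  drop log
!
! Zones (assumed names) and the one-directional zone pair. Return traffic for
! inspected sessions is allowed by the stateful inspection; no reverse pair
! is needed for it.
zone security DMZ
zone security SECURE
!
zone-pair security ZP-DMZ-TO-SECURE source DMZ destination SECURE
 service-policy type inspect PM-DMZ-TO-SECURE
!
interface Vlan23
 zone-member security DMZ
!
interface FastEthernet1
 zone-member security SECURE
```

With this in place the telnet test from 192.168.3.10 to 10.146.1.20 on port 1494 still succeeds, while a connection from the same host to any other address in 10.146.1.0/24, or to 10.146.1.20 on any other port, is dropped and logged by the class-default action. If ZFW zones already exist on the router, the interfaces must be members of the zones referenced in the zone pair, since traffic between a zone member and an interface outside any zone is dropped by default.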