Cisco Support Community

New Member

NAT inside outside problem with Citrix SG environment

Please help, I'm trying this couple of days with no success.

With a Cisco 1811 router, I would like to test a Citrix environment with Secure Gateway in the DMZ zone and XenApp servers in the secure network. We have a single public IP address. I had to forward port 443 (https) from public to DMZ, and need to forward ports 1494 and 80 from DMZ to the secure network.

The problem is with the latter port forwarding (DMZ -> secure).

Fe0  is ip nat outside

DMZ is ip nat inside

and forwarding port 443 works great.

But I don't know how to forward further from inside (DMZ) to outside (secure).

Here is stripped config. I am using ZFW, but I didn't show that for readability.

interface FastEthernet0
 description ISP
 ip address 89.x.x.254
 ip nat outside
interface FastEthernet1
 description SECURE_NET
 ip address
 ip nat outside
interface FastEthernet2
 switchport access vlan 21
interface FastEthernet3
 switchport access vlan 22
interface FastEthernet4
 switchport access vlan 23
interface Vlan1
 no ip address
interface Vlan21
 ip address
 ip nat inside
interface Vlan22
 ip address
 ip nat inside
interface Vlan23
 description DMZ
 ip address
 ip nat inside
ip route 89.x.x.253
! full access vlan21 to internet
ip nat inside source list 21 interface FastEthernet0 overload
! port forwarding ftp port to publish ftp server (vlan22) on internet
ip nat inside source static tcp 21 interface FastEthernet0 21
! port forwarding https (443) to Citrix Secure Gateway in DMZ zone (vlan23)
ip nat inside source static tcp 443 interface FastEthernet0 443
access-list 11 permit
access-list 13 permit

This portion works OK.

Now I am trying to check ICA port 1494 on a server on the secure net.

If I use:

ip nat inside source list 13 interface FastEthernet1 overload

and check with:

telnet 1494 from Secure Gateway server in Vlan23 (DMZ)

telnet works, so I can see the "ICAICAICA..." response from the ICA heartbeat.

But this is not "real" port forwarding, is it? In this case I actually have the whole network available directly, which was not the intention.

If I try to use "real" port forwarding:

ip nat outside source static

I can ping from the Secure Gateway server in the DMZ, but when I try to

telnet 1494 there is no response. Yes, I put altaddr to on the XenApp (PS) server (

Is it OK to NAT outside in this case? The problem is that VLAN23 (DMZ) already has nat inside, due to the port forwarding from the public net (F0). If I put the secure network (Fe1) as ip nat inside as well, probably no translation will happen.

I am really confused.

Cisco Employee

Re: NAT inside outside problem with Citrix SG environment

So what are you trying to achieve here?

Why can't you simply route traffic between your DMZ and SECURE_NET and use ACLs or firewall features (if present) to allow or deny traffic?
