Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT inside outside problem with Citrix SG environment

Please help, I'm trying this couple of days with no success.

With Cisco 1811 router, and would like to test Citrix environment with Secure gateway in DMZ zone, and with XenApp servers in secure network. We have single public IP address. I had to forward port 443(https) from public to DMZ, and need to forward ports 1494 and 80 from DMZ to secure network.

Problem is with latest port forwarding (DMZ->secure)

Fe0  is ip nat outside

DMZ is ip nat inside

and forwarding port 443 works great.

But I don't know how to forward further from inside (DMZ) to outside (secure).

Here is stripped config. I am using ZFW, but I didn't show that for readability.

interface FastEthernet0
description ISP
ip address 89.x.x.254 255.255.255.252
ip nat ouside
!
interface FastEthernet1
description SECURE_NET
ip address 10.146.1.5 255.255.255.0
ip nat outside
!
interface FastEthernet2
switchport access vlan 21
!
interface FastEthernet3
switchport access vlan 22
!
interface FastEthernet4
switchport access vlan 23
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan21
description FULL_INTERNET_ACCESS
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan22
description PUBLIC_SERVICES
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface Vlan23
description DMZ
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
!
ip route 0.0.0.0 0.0.0.0 89.x.x.253
!
!
! full access vlan21 to internet
ip nat inside source list 21 interface FastEthernet0 overload
!
! port forwarding ftp port to publish ftp server (vlan22) on internet
ip nat inside source static tcp 192.168.2.101 21 interface FastEthernet0 21
!
! port forwarding https (443) to Citrix Secure Gateway in DMZ zone (vlan23)
ip nat inside source static tcp 192.168.3.10 443 interface FastEthernet0 443
!
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 13 permit 192.168.3.10

This portion work OK.

Now I am trying to check ICA port 1494 on server 10.146.1.20 on secure net

If I use:

ip nat inside source list 13 interface FastEthernet1 overload

and check with:

telnet 10.146.1.20 1494 from Secure Gateway server 192.168.3.10 in Vlan23 (DMZ)

telnet works, so I can see "ICAICAICA..." response from ICA heartbeat.

But this is not "real" port forwarding, isn't it ? In this case I actually have whole 10.146.1.0/24 network available directly, which was not intention.

If I try to use "real" port forwarding:

ip nat outside source static 10.146.1.20 192.168.3.20

I can ping 192.168.3.20 from Secure Gateway server in DMZ, but when try to

telnet 192.168.3.20 1494 there is no response. Yes, I put altaddr to 192.168.3.20 on XenApp(PS) server (10.146.1.20)

Is it OK to nat outside in this case ? Problem is that VLAN23 (DMZ) already has nat inside, due to port forwarding from public net (F0). If I put secure network (Fe1) as ip nat inside as well, probably no translation will happen.

I am really confused.

1 REPLY
Cisco Employee

Re: NAT inside outside problem with Citrix SG environment

So what are you trying to achieve here?

Why can't you simply route traffic between your DMZ and SECURE_NET and use ACLs or firewall features (if present) to allow or deny traffic?

684
Views
0
Helpful
1
Replies
CreatePlease login to create content