Cisco Support Community

New Member

Citrix - NAT and alias command problem


Let's see if somebody has the solution for this...

I have a PIX 515 and I am trying to get a Citrix metaframe XPs server to work behind the firewall. I only use HTTP and HTTPS as the connection ports, and the server is located on the DMZ.

Right now, whenever a client tries to connect, MF tries to open the static IP associated with that server, and it does not work. So I tried adding an alias (dmz) command to override that, but to no avail: I can see that the application still tries to open the external IP X.X.X.41. I tried accessing the HTTP server on the MF server from another machine in the DMZ, and I can access the server using the FQDN but not the external IP address X.X.X.41. My conclusion is that the alias command is not what I need. I need a command in the Cisco router that tells the router that whenever a request for X.X.X.41 comes from the DMZ it should be redirected back to the MF server. Does anybody know how to do this?

This is the list of the relevant commands:


access-list 100 permit tcp any host X.X.X.41 eq www

access-list 100 permit tcp any host X.X.X.41 eq 443

access-list 101 permit tcp any any

access-list 101 permit udp any any

access-list 101 permit ip any any

global (outside) 1 X.X.X.45-X.X.X.61 netmask

global (outside) 1 X.X.X.62 netmask

nat (inside) 1 0 0

alias (inside) X.X.X.41

alias (dmz) X.X.X.41

static (inside,dmz) netmask 0 0

static (dmz,outside) X.X.X.41 netmask 0 0

access-group 100 in interface outside

access-group 101 in interface dmz


Thanks a lot!!


Cisco Employee

Re: Citrix - NAT and alias command problem

The alias command is not what you need; the "static" command you already have is mapping connections from x.x.x.41 to on the DMZ.

The trouble you're seeing is how metaframe works: when a client connects, the server sends back a .ica file which contains the IP address for the client to connect to. This IP address is the IP address of the server, which in your case is There's no way the PIX can change the IP address in this file, and the client will try and connect to that address.

Do a search on Google for "nat citrix metaframe" and there are a few links with explanations on this. Searching Citrix's web site I came across this which should fix you up also (, looks like you need to run the "altaddr" command on your server, then it'll advertise the global address to the clients to connect to.
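
A quick way to confirm the behaviour described in the reply above is to inspect the .ica file the server hands out and see which address it advertises. The script below is an added example, not part of the original thread or any Citrix tool: the sample file content, application name and addresses are constructed, and the function names are hypothetical. It flags entries that advertise an RFC 1918 address, which a client outside the firewall cannot reach.

```python
import configparser
import ipaddress

# Constructed sample .ica content; the application name and addresses are made up.
SAMPLE_ICA = """\
[ApplicationServers]
Desktop=

[Desktop]
Address=192.168.10.5:1494
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def advertised_addresses(ica_text):
    """Map each application in [ApplicationServers] to its (host, port)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str              # application names double as section names
    cp.read_string(ica_text)
    found = {}
    if not cp.has_section("ApplicationServers"):
        return found
    for app in cp.options("ApplicationServers"):
        if not cp.has_section(app):
            continue
        addr = next((v for k, v in cp.items(app) if k.lower() == "address"), None)
        if addr:
            host, _, port = addr.strip().partition(":")
            # 1494 is the standard ICA port, used when none is given
            found[app] = (host, int(port) if port.isdigit() else 1494)
    return found

def behind_nat(ica_text):
    """Return entries advertising a private IP that outside clients cannot reach."""
    flagged = []
    for app, (host, port) in advertised_addresses(ica_text).items():
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                  # hostname: depends on what the client resolves
        if any(ip in net for net in RFC1918):
            flagged.append((app, host, port))
    return flagged

if __name__ == "__main__":
    for app, host, port in behind_nat(SAMPLE_ICA):
        print(f"{app}: advertises private address {host}:{port}")
```
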

New Member

Re: Citrix - NAT and alias command problem

Thanks, I found the same too... but the altaddr command is not enough; you also need to run a port/IP translation utility included with MF... that solved the problem.

Thanks a lot for your help!