Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Citrix ICA through ASA 5510

Hello all,

I am new to Cisco ASA (coming from Watchguard Firebox 1000) and need some help allowing Citrix ICA traffic through our ASA 5510. I am not using secure gateway. I just want to allow a direct connect from the internet to my Citrix server. I have set up a static NAT for the Citrix server and setup a security rule on the outside interface to allow Citrix ICA from any to the NAT IP. When I try to connect to the Citrix server, the packet is denied by rule "access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica". This is how I had it set up with our Watchguard. Here is a copy of the config.

Thanks for your help.

ASA Version 7.2(4)18 
!
hostname Paetec
domain-name Paetec.thelandlcompany.com
enable password nRkrK2UDMhbxbMqH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.9.142.210 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.11.0.242 255.255.0.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-18-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name Paetec.thelandlcompany.com
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0 
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.60.0.0 255.255.0.0 
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.70.0.0 255.255.0.0 
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0 
access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.5.0.0 255.255.0.0 
access-list Outside_1_cryptomap remark VPN Glenburnie MD
access-list Outside_1_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0 
access-list Outside_2_cryptomap remark VPN Frederick MD
access-list Outside_2_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.60.0.0 255.255.0.0 
access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ica 
access-list Outside_3_cryptomap remark VPN Seaford DE
access-list Outside_3_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.70.0.0 255.255.0.0 
access-list Outside_4_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0 
access-list Outside_5_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.5.0.0 255.255.0.0 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-52450.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) 74.9.142.216 10.11.0.159 netmask 255.255.255.255 
no threat-detection statistics tcp-intercept
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 74.9.142.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 151.196.59.245 
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set pfs group1
crypto map Outside_map 2 set peer 70.16.191.240 
crypto map Outside_map 2 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs group1
crypto map Outside_map 3 set peer 68.162.89.12 
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set pfs group1
crypto map Outside_map 4 set peer 173.73.112.98 
crypto map Outside_map 4 set transform-set ESP-3DES-SHA
crypto map Outside_map 5 match address Outside_5_cryptomap
crypto map Outside_map 5 set pfs group1
crypto map Outside_map 5 set peer 216.156.195.162 
crypto map Outside_map 5 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.11.0.0 255.255.0.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group 162.83.93.74 type ipsec-l2l
tunnel-group 162.83.93.74 ipsec-attributes
 pre-shared-key *
tunnel-group 70.16.191.240 type ipsec-l2l
tunnel-group 70.16.191.240 ipsec-attributes
 pre-shared-key *
tunnel-group 70.155.139.130 type ipsec-l2l
tunnel-group 70.155.139.130 ipsec-attributes
 pre-shared-key *
tunnel-group 151.196.59.245 type ipsec-l2l
tunnel-group 151.196.59.245 ipsec-attributes
 pre-shared-key *
tunnel-group 68.162.89.12 type ipsec-l2l
tunnel-group 68.162.89.12 ipsec-attributes
 pre-shared-key *
tunnel-group 173.73.112.98 type ipsec-l2l
tunnel-group 173.73.112.98 ipsec-attributes
 pre-shared-key *
tunnel-group 216.156.195.162 type ipsec-l2l
tunnel-group 216.156.195.162 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:c1d61a48af401ee31cafa12c30d42de0
: end
asdm image disk0:/asdm-52450.bin
no asdm history enable


					
				
			
			
				
			
			
				
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Citrix ICA through ASA 5510

From the syslog, it uses port 2598, pls add the following ACL:

access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq 2598
6 REPLIES
Cisco Employee

Re: Citrix ICA through ASA 5510

Please change the following access-list:

FROM:

access-list Outside_access_in extended permit tcp any eq citrix-ica host 74.9.142.216 eq citrix-ic

TO:
access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq citrix-ica

Please kindly make sure that you add the new line first before removing the existing line of access-list
as I see that you only have 1 line of "Outside_access_in" ACL.

Hope that helps.
New Member

Re: Citrix ICA through ASA 5510

I made the change but still get denied. Here is the log entry.

4Sep 21 201004:35:3710602372.61.13.8374.9.142.216Deny tcp src Outside:72.61.13.83/49244 dst Inside:74.9.142.216/2598 by access-group "Outside_access_in" [0x0, 0x0]

Cisco Employee

Re: Citrix ICA through ASA 5510

From the syslog, it uses port 2598, pls add the following ACL:

access-list Outside_access_in extended permit tcp any host 74.9.142.216 eq 2598
New Member

Re: Citrix ICA through ASA 5510

That did it. Citrix ICA uses 1494. port 2598 is for session reliability which is turned on by default on the new Citrix client. I can either turn off session reliability or open port 2598, both work.

Thanks for your help.

New Member

Citrix ICA through ASA 5510

Hi,

what acces-list should be configure to allow citrix traffic...

i have apply following acl but citrix dosent work...

permit tcp xx.xx.xx.0 0.0.3.255 host 192.168.1.174 eq 2598

plz help

re

suhas

Cisco Employee

Citrix ICA through ASA 5510

I believe it uses both port 1494 and 2598, so please also add 1494 into the ACL.

6764
Views
5
Helpful
6
Replies