Citrix ICA client uses TCP 1494 to communicate with the Metaframe server, but when I allow 1494 inbound on dialer1 via the access list I cannot connect. There is no IP inspection. I know that the Metaframe server responds on 1494 but then assigns a high-range IP for continued transmissions. Any idea? Probably a simple one to fix for you guys.
In most PIX scenarios, the inside interface and network use private addressing, while the outside interface and network use public addressing. Therefore, a static mapping must be created to establish the relationship between the outside and inside addresses. Moreover, an Access Control List (ACL) must define the traffic that is permitted through the PIX.
Citrix Metaframe (ICA client or Web interface) uses ports 1494 (TCP) and 1604 (User Datagram Protocol [UDP]) to communicate. Therefore, these ports must be explicitly permitted on the PIX.
Consider the example of a device on the inside interface of the PIX with an IP address of 10.1.1.10, which is mapped to an external (global) IP address of 184.108.40.206. In this case, traffic destined for 220.127.116.11 arrives at the PIX, is translated to 10.1.1.10, and is passed to the inside interface.
Based on these factors, the configuration necessary for this scenario is:
! --- The static mapping between 18.104.22.168 (outside address) and 10.1.1.10 (inside address).
access-list 101 permit tcp any host 22.214.171.124 eq 1494
! --- Permits TCP traffic to 126.96.36.199, port 1494.
access-list 101 permit udp any host 188.8.131.52 eq 1604
! --- Permits UDP traffic to 184.108.40.206, port 1604.
access-group 101 in interface outside
! --- Apply ACL 101 to the outside interface.
Note: Depending on the number of clients and sessions, try to decrease or increase the range of TCP ports that must be opened. For example, if the number of Citrix clients is large, open TCP port 1494 and also open TCP ports 1023 and above (a maximum of 65535), depending on the number of such clients.
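An added example, not part of the original answer or of the vendor documentation it quotes: a Python check over PIX-style static, access-list and access-group lines that reports ACL entries whose destination has no static translation, port ranges wider than a threshold, and ACLs that are never applied to an interface. The sample configuration is constructed with documentation addresses (192.0.2.0/24); the function name audit and the max_range threshold are assumptions of this example.

```python
import re

# Constructed sample: PIX-style lines using documentation addresses
# (192.0.2.0/24), not the addresses that appear in the post.
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list 101 permit tcp any host 192.0.2.10 eq 1494
access-list 101 permit udp any host 192.0.2.11 eq 1604
access-list 101 permit tcp any host 192.0.2.10 range 1023 65535
access-group 101 in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any host (\S+) "
    r"(?:eq (\d+)|range (\d+) (\d+))$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config, max_range=1000):
    """Return findings for a static/ACL configuration (hypothetical helper)."""
    statics, acls, bound = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)      # global address -> local address
        elif m := ACL_RE.match(line):
            acl, proto, host, eq, lo, hi = m.groups()
            lo, hi = (int(eq), int(eq)) if eq else (int(lo), int(hi))
            acls.append((acl, proto, host, lo, hi))
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))                 # ACL is applied to an interface
    findings = []
    for acl, proto, host, lo, hi in acls:
        if host not in statics:                   # permit with nothing to translate to
            findings.append(f"no-static: {proto} {host}:{lo} has no static translation")
        if hi - lo + 1 > max_range:               # broad inbound exposure
            findings.append(f"wide-range: {proto} {host} ports {lo}-{hi}")
        if acl not in bound:                      # ACL defined but never enforced
            findings.append(f"unbound: access-list {acl} is not applied to an interface")
    return findings
```

Lines the patterns do not recognise, such as "!" comment lines, are skipped rather than reported.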