Here is the network topology:
| 192.168.1.0 Subnet
[Branch office Router] 192.168.1.1 Interface
| Default route of branch office router points to T1 Int. on T3 main router
T1 (partitioned T3) to Main Office 192.168.2.X Subnet
| 192.168.2.X Interface
[Concentrated T3 Router] Default route on 7204 points to DMZ1 interface on PIX
| 192.168.3.1 Interface
| DMZ 1
| 192.168.3.2 Interface
[PIX Firewall 525]
| 192.168.4.1 Interface
| DMZ 2 Server Farm resides in this DMZ along with ISA
| 192.168.4.2 Interface (inside on the ISA Server)
| 192.168.5.1 Interface (outside interface on ISA Server)
| 192.168.5.2 (inside interface of 501)
[PIX Firewall 501] Using PAT to give out addresses
| XXX.XXX.XXX.XXX real outside address (outside interface of 501)
The questions start here. At the branch office, we have a client PC that needs to launch a Citrix client from an internet website. We have been told that Citrix requires a SecureNAT connection through the ISA server in order to work. We cannot launch the Citrix client at this branch office. I have tried to troubleshoot this problem to the best of my abilities and I believe I have it narrowed down to the PIX 525. Here are the reasons why:
1. We were able to successfully launch the Citrix client from DMZ 2, by running it from a server on that subnet. We had (as SecureNAT dictates) to change the default gateway on that server to the inside interface of the ISA server, but it worked perfectly.
2. According to this article: http://www.isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Network.html
a. SecureNAT needs the client's default gateway set to the first router in the series (check)
b. ALL of the consecutive routers in the shortest path to the ISA server need to be default gateways of each other (check)
Please note that the branch office default route points to the 7204 and the 7204 points to the PIX 525 interface.
c. The article never mentioned a PIX being stuck in between.
The PIX has a CONNECT (directly connected network?) route to the subnet of DMZ 2, but not one DIRECTLY pointing to the inside interface of the ISA server. The PIX also has a static route that points back to the branch router's network, and that route points to the DMZ 1 interface of the 7204.
I want to say the PIX is the problem, because wouldn't the PIX need to DIRECTLY point to the inside address of the ISA server? The directly connected interface (route) just tells all traffic to go out the locally connected interface... not to a specific hop.
I don't think the problem lies in the 7204 or previous routers because they are default routes of each other.
Unless the traffic is going out fine and being stopped somewhere on the way back. I am not positive how the client was showing up in the ISA server (proxy, firewall, or securenat).
If anyone can shed some light on this... please let me know.
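The post reasons hop by hop about where a branch-office packet goes on the way to the ISA server and how the reply gets back. The following is an added example (not the poster's configuration or any device's real output) that models the posted topology as per-device route tables and resolves a packet hop by hop with longest-prefix matching, so the forward path to the ISA inside interface and the return path to the branch client can each be checked. Addresses the post does not give (the branch PC, the two T1-side addresses, the ISA return route, the PIX 525 default route, the PIX 501 ISP gateway) are assumptions and marked as such in the comments; the PIX 525 default route is deliberately left out of the base model and added in a second scenario to show the difference between a connected route, which only delivers to a host on that segment, and a route with an explicit next hop.

```python
"""Hop-by-hop route resolution over a constructed model of the posted topology."""
import copy
import ipaddress

# Constructed route tables. Addresses marked "assumed" are not given in the post.
# A next hop of None means "directly connected": the device hands the packet to
# whichever host on that segment owns the destination, not to a fixed next hop.
HOPS = {
    "client": {"addresses": ["192.168.1.50"],                      # assumed branch PC
               "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
    "branch-router": {"addresses": ["192.168.1.1", "192.168.2.2"],  # 192.168.2.2 assumed (T1 side)
               "routes": [("192.168.1.0/24", None), ("192.168.2.0/24", None),
                          ("0.0.0.0/0", "192.168.2.1")]},          # default toward the 7204 (post)
    "7204": {"addresses": ["192.168.2.1", "192.168.3.1"],          # 192.168.2.1 assumed
               "routes": [("192.168.2.0/24", None), ("192.168.3.0/24", None),
                          ("192.168.1.0/24", "192.168.2.2"),        # assumed return route to branch
                          ("0.0.0.0/0", "192.168.3.2")]},          # default to PIX DMZ1 (post)
    "pix525": {"addresses": ["192.168.3.2", "192.168.4.1"],
               "routes": [("192.168.3.0/24", None), ("192.168.4.0/24", None),   # connected (post)
                          ("192.168.1.0/24", "192.168.3.1")]},      # static back to branch (post)
    "isa": {"addresses": ["192.168.4.2", "192.168.5.1"],
               "routes": [("192.168.4.0/24", None), ("192.168.5.0/24", None),
                          ("192.168.1.0/24", "192.168.4.1"),        # assumed return route via PIX 525
                          ("0.0.0.0/0", "192.168.5.2")]},          # default to PIX 501 inside
    "pix501": {"addresses": ["192.168.5.2"],
               "routes": [("192.168.5.0/24", None), ("0.0.0.0/0", "198.51.100.1")]},  # placeholder ISP gw
}

INTERNET_HOST = "203.0.113.10"   # constructed destination (documentation range)


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; returns (network, next_hop) or None."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def owner_of(addr, hops):
    """Name of the modelled device that owns `addr`, or None if it lies outside the model."""
    for name, hop in hops.items():
        if str(addr) in hop["addresses"]:
            return name
    return None


def trace(start, dst, hops=HOPS, stop_at=None, max_hops=12):
    """Follow a packet from device `start` toward `dst`; returns (path, status)."""
    d = ipaddress.ip_address(dst)
    path = [start]
    while len(path) <= max_hops:
        here = path[-1]
        if here == stop_at:
            return path, "reached " + stop_at
        if str(d) in hops[here]["addresses"]:
            return path, "delivered"
        match = lookup(hops[here]["routes"], d)
        if match is None:
            return path, "no route"            # nothing covers dst: the device drops it
        net, nh = match
        # Connected route: works only if a host on that segment owns dst.
        # Explicit next hop: the packet goes to that device regardless of dst.
        nxt = owner_of(d if nh is None else nh, hops)
        if nxt is None:
            return path, "left model via " + str(net)
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
    return path, "too many hops"


def with_pix_default(hops, next_hop):
    """Copy of the model with an assumed default route added on the PIX 525."""
    h = copy.deepcopy(hops)
    h["pix525"]["routes"].append(("0.0.0.0/0", next_hop))
    return h


def without_route(hops, device, prefix):
    """Copy of the model with one route removed, to test a missing return route."""
    h = copy.deepcopy(hops)
    h[device]["routes"] = [r for r in h[device]["routes"] if r[0] != prefix]
    return h


def forward_path(hops=HOPS):
    """Branch client toward an internet host; success means the packet reaches the ISA."""
    return trace("client", INTERNET_HOST, hops, stop_at="isa")


def return_path(hops=HOPS):
    """ISA back to the branch client (the SecureNAT reply direction)."""
    return trace("isa", "192.168.1.50", hops)


if __name__ == "__main__":
    print("forward, PIX 525 connected routes only:", forward_path())
    print("forward, PIX 525 default -> 192.168.4.2:", forward_path(with_pix_default(HOPS, "192.168.4.2")))
    print("return, ISA has route to branch:", return_path())
    print("return, ISA lacks route to branch:", return_path(without_route(HOPS, "isa", "192.168.1.0/24")))
```

Running it prints the four traces: with only connected routes the forward trace stops at the PIX 525 with "no route", with an assumed default route to 192.168.4.2 it reaches the ISA, the reply gets back to the client only while every device on the way has a route for 192.168.1.0/24, and without the ISA's return route the reply follows the ISA default toward the PIX 501 and leaves the modelled network. Swapping in the real `show route` output from each device for the constructed tables turns this into a check of both directions at once.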