Routing/Firewall Issue

Medium Priority
459 Views
Last Modified: 2013-11-16
We work with a partner who recently changed the way we access information.  Previously we used Citrix web interface to access their server farm.  We now use the local Citrix client; they also changed an IP address.  This is NOT a Citrix issue, I have verified that every way from Sunday; it's a firewall issue.  

We have an internal router, a PIX and then an external router.  From the external router I am able to telnet to the IP address over 1494 and it works.  If I try from behind the firewall it doesn't.  

I thought outbound connections don't have any restrictions from a PIX unless implicitly put there?  I don't have any specific rule for PORT 80 or 443 traffic.  It seems that the problem would be when the traffic is trying to come back in.

Any ideas?

Top Expert 2004

Commented:
The PIX is a stateful firewall.  If an outbound connection goes through, it gets entered into a state table.  Then, when the reply comes back, the firewall checks the state table, sees the entry, and lets the reply back through.

Best security practice is NOT to allow everything out.  Best practice is to deny everything unless explicitly allowed - cuts down on the spread of virus infections, zombie attacks, etc.  Plus good for letting you know when you're infected.

Author

Commented:
Thanks for that, but to the point of my question, what do you think could be causing it not to work?
A simple way to find out if it is the firewall *ALONE* that is causing the problem would be to let your inbound access-list allow all connections to that public IP which you use to connect to Citrix Server and see if it works.

Cheers,
Rajesh


Author

Commented:
To test rsivanandan, I set up access-list outside_in permit tcp any any

There was no change.  I still could not telnet.  Did I do the access-list wrong, or is there another problem?
I set up access-list outside_in permit ip any any

Change it to the above and apply it on the outside. If it still doesn't work, can you paste the config of the firewall ?

Cheers,
Rajesh

Author

Commented:
Do you mean to apply it with this?

access-group outside_in in interface outside
YES.

Cheers,
Rajesh

Author

Commented:
It did not work, which leads me to believe it's not a firewall issue, but I am not sure what else it could be.

Which portions of the config do you want to see?
Everything, sanitized (just remove the passwords/usernames and last 3 octets of your public IP).

Cheers,
Rajesh

Author

Commented:
Here is the main portion. I took out all the VPN stuff to make it smaller; I also didn't include the typical top junk.

access-list 100 permit ip 10.0.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list 100 permit ip 10.0.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.36.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.46.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.37.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 192.168.38.0 255.255.255.0
access-list outside_in permit tcp any host 64.x.x.x eq https
access-list outside_in permit tcp any host 64.x.x.x eq www
access-list outside_in permit tcp any host 64.x.x.x eq smtp
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any any
access-list 110 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 110 permit ip host 10.0.1.18 host 216.x.x.x
access-list 180 permit ip 10.0.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 190 permit ip 10.0.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 200 permit ip 10.0.1.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 160 permit ip 10.0.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 170 permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 220 permit ip 10.0.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 240 permit ip 10.0.1.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list 250 permit ip 10.0.1.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list 260 permit ip 10.0.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 230 permit ip 10.0.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 270 permit ip 10.0.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 280 permit ip 10.0.1.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list 290 permit ip 10.0.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 300 permit ip 10.0.1.0 255.255.255.0 192.168.36.0 255.255.255.0
access-list 295 permit ip 10.0.1.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list 195 permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 310 permit ip 10.0.1.0 255.255.255.0 192.168.46.0 255.255.255.0
access-list 320 permit ip 10.0.1.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 330 permit ip 10.0.1.0 255.255.255.0 192.168.37.0 255.255.255.0
access-list 340 permit ip 10.0.1.0 255.255.255.0 192.168.38.0 255.255.255.0
pager lines 24
logging timestamp
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.x 255.255.255.224
ip address inside 172.16.32.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SYNSACpool 172.16.1.1-172.16.1.25
pdm location 10.0.1.0 255.255.255.0 inside
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
static (inside,outside) tcp 64.x.x.x www 10.0.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.x.x https 10.0.1.3 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.x.x.x 1
route inside 10.0.1.0 255.255.255.0 172.16.32.254 1
route outside 10.0.2.0 255.255.255.0 64.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 10.0.1.15
no snmp-server location
no snmp-server contact
snmp-server community syncon
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
This does look to me like a firewall issue. It has something to do with their setup on the other side. Confirm with them about the settings (it might be overlooked for a different port as well, who knows)...

Cheers,
Rajesh

Author

Commented:
All of their outside people can connect.  I also just hooked up a PC on the outside of our firewall and was able to connect.  What would I have them look for?
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:
What is the IP address of the local host that you are trying to telnet from?
10.0.1.x or 172.16.32.x ?

Author

Commented:
10.0.1.x
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
The reason I asked that is because the inside of this pix is 172.16.32.x but only 10.0.1.x has a nat rule.
As long as the client is 10.0.1.x I can't see anything in the config that you've posted that would be preventing it from working.
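To make the NAT-coverage point above concrete, here is an added Python check (written for this edit, not code from the thread): it parses the nat, global and nat-0 access-list lines of the posted PIX 6.x config and reports whether a given inside source, talking to a given destination, matches any translation rule. The destination 203.0.113.10 is a constructed stand-in for the partner's public IP.

```python
import ipaddress

# Constructed excerpt of the PIX 6.x config posted in this thread (only the
# lines that decide outbound translation; public IPs were masked by the author).
PIX_CONFIG = """\
access-list 100 permit ip 10.0.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 10.0.2.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
"""

def net(addr, mask):
    # PIX writes dotted netmasks; ipaddress accepts "addr/mask" in that form.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect nat-0 exemption ACLs as (src, dst) pairs, nat rules and global pools."""
    acls, nat_rules, pools = {}, [], {}
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["access-list"] and f[2:4] == ["permit", "ip"]:
            acls.setdefault(f[1], []).append((net(f[4], f[5]), net(f[6], f[7])))
        elif f[:1] == ["nat"]:
            nat_id = int(f[2])
            match = f[4] if f[3] == "access-list" else net(f[3], f[4])
            nat_rules.append((nat_id, match))
        elif f[:1] == ["global"]:
            pools[int(f[2])] = f[3]
    return acls, nat_rules, pools

def translation_for(config, src_ip, dst_ip):
    """Describe how the PIX translates src_ip -> dst_ip outbound, or None if no
    rule matches. nat 0 (identity NAT) is evaluated first, as the PIX does."""
    acls, nat_rules, pools = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, match in sorted(nat_rules, key=lambda r: r[0]):
        if isinstance(match, str):  # nat 0 access-list: source AND destination must match
            if any(src in s and dst in d for s, d in acls.get(match, [])):
                return "nat 0: identity, no translation"
        elif src in match:
            return f"nat {nat_id} -> global {pools.get(nat_id, '<no global pool>')}"
    return None

if __name__ == "__main__":
    # A 10.0.1.x client is PATed to the outside interface; a 172.16.32.x host has no rule at all.
    for client in ("10.0.1.18", "172.16.32.10"):
        print(client, "->", translation_for(PIX_CONFIG, client, "203.0.113.10"))
```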

Author

Commented:
Me either, that's the kicker.

There is nothing on the 172. network except the inside of this firewall a router and another firewall.  We have traffic split up for internet and a few other things.  The default route on the router is to send all traffic to 172.16.32.253.  Specific traffic goes out to a PIX 515.  I have put a specific route to send traffic to the specific network out our other PIX just for giggles, with the same result.

Very strange
Correct me if I'm wrong, but generally a 10.0.1.x network address indicates that the computer is auto-assigning its IP address, which could very well point to connectivity issues within your network between those computers and your DHCP server.

Author

Commented:
Thanks nikpelgar, but we are not having any issues there; it's much more advanced than that.
Just thought to bring that up.  I've always learned to start with the simple things first... Unfortunately this is beyond my ability so I cannot help you any with this problem.
Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
Is 172.16.32.254 the interface on the internal router?

Can you access other services outside your external router from the 10.0.1.x client?

Author

Commented:
Oh yeah, all of them.  Everything is working fine; we have no issues other than the fact that we can no longer connect to this partner because they changed the way we connect from a web connection to a straight client connection.  I would think that it is something on the partner end except that they are not having connectivity problems from any of their locations.  I tested from home and I can get to their connection, and I just moved a PC outside of our firewall and it connected.  So it appears to be some sort of routing/firewall issue on this end.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Nikpegler -
169.254.0.0 is the range for APIPA addressing. This is what an XP/2000 PC will default to if no DHCP server is reachable.
10.0.0.0 is very much normal and within RFC 1918 guidelines for private IP addressing, with or without DHCP servers.

snowsurfer -
If you have a spare public IP, try assigning a static 1-1 NAT to your 10.0.1.x client and see if that makes a difference.

Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
Can you install a sniffer on the client machine? Like Ethereal or Packetyzer?
It will help you identify the issue.

Author

Commented:
I have Ethereal on one of our network machines; I have recently installed it and not played with it.  How would it help?
Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
If you run it on the client machine that you're trying to connect from and start a capture session to the remote server, it will start capturing the network traffic. Let it run for a minute or so while you're trying to connect.
Stop the capture.

Go to Edit > Find Packet > Find by String > host of remote server

You should now see the TCP conversation.

You can also in the filter window put:
(ip.addr eq remoteserverip and ip.addr eq clientip)

or
ip.dst == remoteserverip

Now you can right-click > Follow TCP Stream
It will map out the TCP Flow

Please post those results

Author

Commented:
Okay, I am heading out for the night, I'll post in the AM.

Author

Commented:
All the stream says is

sftc

I don't know what that means.

Author

Commented:
The only thing that I can think of is that the packet is being altered and when it is sent back the PIX is dropping it.  They have a SonicWALL on the other end.  In troubleshooting I moved a client to the 172 network to eliminate a routing problem.  The same issue exists.  I am in the process of hooking up a new PIX with the most basic config possible and connecting it to a testing T1 we have to try again; then I am going to use a cheapie Linksys router/VPN device to see the results. I am expecting that it will work with Linksys and not the PIX.

instillmotion, do you think I could use Ethereal to capture the packets from outside of the firewall to see it working and then analyze the packet to see if it's being altered in some way?

Author

Commented:
OK, I was wrong, the PIX with the very basic config worked.  So now I am going to compare the configs to see why it is happening; I am leaning towards a NAT issue now.
Network Security Engineer
CERTIFIED EXPERT
Commented:
Hey snowsurfer. If you have available public IPs on the IP block for that PIX, try this. Create a static to the client machine.

static (inside, outside) publicip 10.0.1.x netmask 255.255.255.255 0 0
clear xlate local 10.0.1.x

(where 10.0.1.x is the ip of the client)

Try it now
Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
Yes, putting the sniffer on the outside of the PIX could very well be more helpful if the packet is being dropped there. You will need a hub (not a switch) between the outside interface and the external router.

Author

Commented:
Just so I double check.  Won't clear xlate drop all connections we currently have?  I need to know if I need to do this after hours.
Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
No, if you do clear xlate local 10.0.1.x, where 10.0.1.x is the address of the specific client, it will only clear the translation for that IP.

clear xlate local 10.0.1.x

Author

Commented:
I didn't have any extra IP addresses, so I used our testing line and rebuilt our exact setup in the lab and started removing things one at a time until I was able to connect.

isakmp enable outside is what did it.  Obviously in our lab we don't need any crypto map and isakmp statements because we don't have a VPN.  

As soon as I take that off I can get to the connection.  If I put that back on, then no dice.  Why would the isakmp statement be affecting port 1494 traffic?

Author

Commented:
I put the isakmp statement back in and it still works. I cleared xlate and rebooted the PIX and it still works.

Now I am really confused.
I believe there is some problem (bug) with transient state with crypto map and isakmp statements with PIX. If you browse this site, you can see numerous examples of the same.

Cheers,
Rajesh

Author

Commented:
That's good to know, that makes sense.  I just took the isakmp enable from our production PIX and cleared all the isakmp SAs.  I was able to connect.  I put it back and the VPNs started coming back up.  It was still working.

Then poof, for no reason, I can't connect anymore.

You wouldn't happen to know if the newest version of the PIX software fixes it, do you?
What version are you running now? The latest and stable one is 6.3(5). But I've seen people with that version have this problem as well though.

Cheers,
Rajesh

Author

Commented:
6.3(4); it doesn't seem like it will fix the problem.
But if possible I'll go there.

Cheers,
Rajesh

Author

Commented:
Thanks everyone for the help.  Points have been spread out.  I am going to attack this a different way altogether.

Thanks again