Solved

Cisco ASA 5510 configuration for host inside private network

Posted on 2011-04-20
2,049 Views
Last Modified: 2012-05-11
We have a Citrix host behind a new 5510 that needs to be accessed by the public. I have tried to follow the examples on cisco.com but still continue to get errors. I KNOW I am missing something simple. I have taken out all my 'tries' and have basic config below with errors.

 

I am new to PIX/ASA and would love some suggestions on the proper Access Group and corresponding ACL to get the 192.168.71.100/72.54.197.26 Citrix server to accept SSL from outside.


ASA Version 7.0(8)
!
interface Ethernet0/0
description Outside interface to Cbeyond
nameif OUTSIDE
security-level 0
ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
description Inside interface to internal network
nameif INSIDE
security-level 100
ip address 192.168.72.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.71.2 255.255.255.0
management-only
!
object-group service Citrix1494 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
port-object range 445 447

 

nat-control

 

global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100

 

http server enable
http 192.168.71.0 255.255.255.0 management

 

class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

 

Error Log:
3|Apr 15 2011 21:06:07|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:06:01|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:05:58|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
5|Apr 15 2011 21:05:42|111008: User 'root' executed the 'no access-list OUTSIDE_access_in extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
4|Apr 15 2011 21:05:20|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:05:17|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:04:37|106023: Deny tcp src OUTSIDE:221.1.220.185/12200 dst INSIDE:72.54.197.26/1080 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:50|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:44|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:41|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:23|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:17|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:14|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
5|Apr 15 2011 21:01:56|111008: User 'root' executed the 'access-list OUTSIDE_access_in line 1 extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
6|Apr 15 2011 21:00:13|302013: Built outbound TCP connection 7173 for OUTSIDE:150.70.85.65/443 (150.70.85.65/443) to INSIDE:192.168.72.100/2959 (72.54.197.26/2959)
6|Apr 15 2011 20:56:57|302016: Teardown UDP connection 7082 for OUTSIDE:72.54.197.26/137 to INSIDE:192.168.72.17/137 duration 0:02:01 bytes 62
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7088 for OUTSIDE:184.85.253.178/80 (184.85.253.178/80) to INSIDE:192.168.72.100/2879 (72.54.197.26/2879)
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7086 for OUTSIDE:74.125.159.147/80 (74.125.159.147/80) to INSIDE:192.168.72.100/2878 (72.54.197.26/2878)
6|Apr 15 2011 20:54:55|302015: Built outbound UDP connection 7082 for OUTSIDE:72.54.197.26/137 (192.168.72.100/137) to INSIDE:192.168.72.17/137 (72.54.197.28/24)
6|Apr 15 2011 20:54:17|302021: Teardown ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:15|302020: Built outbound ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:13|302021: Teardown ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7074 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2815 (72.54.197.26/2815)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7073 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2813 (72.54.197.26/2813)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7072 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2812 (72.54.197.26/2812)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7071 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2811 (72.54.197.26/2811)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7070 for OUTSIDE:184.85.253.19/80 (184.85.253.19/80) to INSIDE:192.168.72.100/2810 (72.54.197.26/2810)
3|Apr 15 2011 20:54:12|106014: Deny inbound icmp src OUTSIDE:172.28.16.2 dst INSIDE:72.54.197.26 (type 0, code 0)
6|Apr 15 2011 20:54:11|302020: Built outbound ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:10|302013: Built outbound TCP connection 7063 for OUTSIDE:64.4.18.90/80 (64.4.18.90/80) to INSIDE:192.168.72.100/2809 (72.54.197.26/2809)
3|Apr 15 2011 20:52:17|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:11|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:08|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
2|Apr 15 2011 20:50:02|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:59|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60784 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60783 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60781 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60782 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60779 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60785 flags RST  on interface OUTSIDE
2|Apr 15 2011 20:49:35|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:32|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
3|Apr 15 2011 20:48:17|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:11|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:08|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443

 

THANKS!!
Question by:charlietaylor
31 Comments
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35436022
ok do this:

no static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
clear xlate

access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix1494

access-group Outside-ACL in interface OUTSIDE

That should do it for you..
 

Author Comment

by:charlietaylor
ID: 35436079
Let me try it!

THANKS!
 

Author Comment

by:charlietaylor
ID: 35442785
No, still does not work. Added lines to cli and here is error I get

Here are errors in log

6|Apr 21 2011 12:45:57|302014: Teardown TCP connection 11445 for OUTSIDE:74.125.159.104/80 to INSIDE:192.168.72.100/57178 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:45:44|302014: Teardown TCP connection 11208 for OUTSIDE:74.125.159.104/80 to INSIDE:192.168.72.100/57176 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:45:39|302014: Teardown TCP connection 11144 for OUTSIDE:216.52.233.147/443 to INSIDE:192.168.72.100/57173 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:45:27|302013: Built outbound TCP connection 11445 for OUTSIDE:74.125.159.104/80 (74.125.159.104/80) to INSIDE:192.168.72.100/57178 (72.54.197.26/57178)
6|Apr 21 2011 12:45:14|302013: Built outbound TCP connection 11208 for OUTSIDE:74.125.159.104/80 (74.125.159.104/80) to INSIDE:192.168.72.100/57176 (72.54.197.26/57176)
6|Apr 21 2011 12:45:09|302013: Built outbound TCP connection 11144 for OUTSIDE:216.52.233.147/443 (216.52.233.147/443) to INSIDE:192.168.72.100/57173 (72.54.197.26/57173)
5|Apr 21 2011 12:44:41|111008: User 'enable_15' executed the 'static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255' command.
6|Apr 21 2011 12:44:41|305009: Built static translation from OUTSIDE:72.54.197.26 to INSIDE:192.168.72.100
6|Apr 21 2011 12:41:34|302014: Teardown TCP connection 9117 for OUTSIDE:216.52.233.131/80 to INSIDE:192.168.72.100/57146 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:41:13|302014: Teardown TCP connection 9079 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57142 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:41:04|302013: Built outbound TCP connection 9117 for OUTSIDE:216.52.233.131/80 (216.52.233.131/80) to INSIDE:192.168.72.100/57146 (72.54.197.26/57146)
6|Apr 21 2011 12:40:44|302014: Teardown TCP connection 8954 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57140 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:40:43|302013: Built outbound TCP connection 9079 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57142 (72.54.197.26/57142)
6|Apr 21 2011 12:40:14|302013: Built outbound TCP connection 8954 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57140 (72.54.197.26/57140)
6|Apr 21 2011 12:40:13|302014: Teardown TCP connection 8618 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57134 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:39:43|302013: Built outbound TCP connection 8618 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57134 (72.54.197.26/57134)
6|Apr 21 2011 12:39:35|302014: Teardown TCP connection 8369 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57129 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:39:05|302013: Built outbound TCP connection 8369 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57129 (72.54.197.26/57129)
6|Apr 21 2011 12:38:55|302014: Teardown TCP connection 8227 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57121 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:38:25|302013: Built outbound TCP connection 8227 for OUTSIDE:74.125.159.99/80 (74.125.159.99/80) to INSIDE:192.168.72.100/57121 (72.54.197.26/57121)
6|Apr 21 2011 12:37:36|302014: Teardown TCP connection 7667 for OUTSIDE:216.52.233.134/443 to INSIDE:192.168.72.100/57108 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:37:32|302014: Teardown TCP connection 7568 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57107 duration 0:00:30 bytes 0 SYN Timeout


you can see where I put the reverse static back in because the citrix server can NOT get to internet, like before I put your acg/l in.

Any suggestions?
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35443040
Your reverse static needs to be taken out. then you need to do a "clear xlate" command.  do that and post your config again and let me see it.  I'll be standing by.
 

Author Comment

by:charlietaylor
ID: 35443158
ASA Version 7.0(8)
!
hostname 5510
domain-name xxxxx
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 description Outside interface to Cbeyond
 nameif OUTSIDE
 security-level 0
 ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
 description Inside interface to internal network
 nameif INSIDE
 security-level 100
 ip address 192.168.72.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.71.2 255.255.255.0
 management-only
!
banner exec xxxxx
banner login VPN firewall/router
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INSIDE
dns name-server 66.180.96.12
dns name-server 64.180.96.12
object-group service Citrix1494 tcp
 port-object eq citrix-ica
 port-object eq www
 port-object eq https
 port-object range 445 447
access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix1494
pager lines 24
logging enable
logging asdm informational
logging mail critical
logging from-address xxxxx
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
access-group Outside-ACL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password xxxxxx encrypted privilege 15
http server enable
http 192.168.71.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.72.0 255.255.255.0 management
telnet 192.168.73.0 255.255.255.0 management
telnet 192.168.71.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.71.3-192.168.71.254 management
dhcpd dns 66.180.96.12 64.180.96.12
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 66.180.96.57
Cryptochecksum:472013675a200d36e6155c03238fa05c
: end
[OK]
5510#
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35443336
Ok so at this point if you issue a clear xlate command that would have flushed the translation table and citrix should be able to get out with the current configuration.  If it can't post the logs for it..  This is the right config for what you want to do.
 

Author Comment

by:charlietaylor
ID: 35443411
Did that, no connections. Here is what the log says with the config above right after I cle xlate and try to connect from outside.....

6|Apr 21 2011 12:40:44|302014: Teardown TCP connection 8954 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57140 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:40:43|302013: Built outbound TCP connection 9079 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57142 (72.54.197.26/57142)
6|Apr 21 2011 12:40:14|302013: Built outbound TCP connection 8954 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57140 (72.54.197.26/57140)
6|Apr 21 2011 12:40:13|302014: Teardown TCP connection 8618 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57134 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:39:43|302013: Built outbound TCP connection 8618 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57134 (72.54.197.26/57134)
6|Apr 21 2011 12:39:35|302014: Teardown TCP connection 8369 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57129 duration 0:00:30 bytes 0 SYN Timeout

AND....


Citrix server can not even get out to internet, here is the logs say when you try to open a browser.....

6|Apr 21 2011 12:39:05|302013: Built outbound TCP connection 8369 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57129 (72.54.197.26/57129)
6|Apr 21 2011 12:38:55|302014: Teardown TCP connection 8227 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57121 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:38:25|302013: Built outbound TCP connection 8227 for OUTSIDE:74.125.159.99/80 (74.125.159.99/80) to INSIDE:192.168.72.100/57121 (72.54.197.26/57121)
6|Apr 21 2011 12:37:36|302014: Teardown TCP connection 7667 for OUTSIDE:216.52.233.134/443 to INSIDE:192.168.72.100/57108 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:37:32|302014: Teardown TCP connection 7568 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57107 duration 0:00:30 bytes 0 SYN Timeout

 
LVL 25

Expert Comment

by:Ken Boone
ID: 35443575
ok so firewall is showing the rules for the inbound stuff working, but the citrix server is not responding, that is why you are getting a SYN timeout.

Does your citrix box have multiple IP addresses or multiple NICs?

What is the default gateway on the citrix box.

I can guarantee you that the config is good.

The logs show sessions getting created - not blocked so its not the firewall causing the problem.  Something else is not quite right.
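As an added example (not part of the thread, and not Cisco code): a small Python triage script that reads ASA 7.x syslog lines in the format pasted above and separates the three symptoms the thread walks through. 305005 means no translation existed for that flow (NAT is missing in that direction); 106023 and 106001 mean the packet was dropped on the way in by the interface ACL or by the implicit deny; and a 302013 "Built" followed by a 302014 "Teardown" with "bytes 0 SYN Timeout" means NAT and the ACL both passed the packet and the host behind the firewall never answered, which is the reading Ken gives in the comment above. The sample lines are constructed after the thread's log pastes: the server keeps the thread's 192.168.72.100 / 72.54.197.26 pair, remote addresses are replaced with RFC 5737 documentation ranges, and the function and field names are this example's own.

```python
"""Triage ASA 7.x syslog lines for the symptoms discussed in this thread.

Added example. SAMPLE_LOG is constructed after the thread's pastes; remote
addresses use RFC 5737 documentation ranges, the server keeps the thread's
192.168.72.100 / 72.54.197.26 pair. Order is newest first, like the ASA buffer.
"""
import re
from collections import Counter

SAMPLE_LOG = """
3|Apr 15 2011 21:06:07|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
4|Apr 15 2011 21:05:20|106023: Deny tcp src OUTSIDE:203.0.113.8/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:50|106023: Deny tcp src OUTSIDE:198.51.100.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
2|Apr 15 2011 20:50:02|106001: Inbound TCP connection denied from 203.0.113.35/1973 to 72.54.197.26/445 flags SYN  on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 198.51.100.83/443 to 72.54.197.26/60784 flags RST  on interface OUTSIDE
3|Apr 15 2011 20:48:08|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
6|Apr 21 2011 12:45:57|302014: Teardown TCP connection 11445 for OUTSIDE:198.51.100.104/80 to INSIDE:192.168.72.100/57178 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:45:27|302013: Built outbound TCP connection 11445 for OUTSIDE:198.51.100.104/80 (198.51.100.104/80) to INSIDE:192.168.72.100/57178 (72.54.197.26/57178)
6|Apr 21 2011 12:44:41|305009: Built static translation from OUTSIDE:72.54.197.26 to INSIDE:192.168.72.100
""".strip().splitlines()

# "severity|timestamp|msgid: text" as the ASA logs it (ASDM/buffer format in the thread).
HEADER_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<msg>.*)$")
NOXLATE_RE = re.compile(r"src (?P<sif>\w+):(?P<sip>[\d.]+)/\d+ dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
ACL_DENY_RE = re.compile(r"Deny \w+ src \w+:[\d.]+/\d+ dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group")
INBOUND_DENY_RE = re.compile(r"denied from [\d.]+/\d+ to (?P<dip>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface")
CONN_RE = re.compile(r"TCP connection (?P<conn>\d+) for")
TEARDOWN_RE = re.compile(r"duration [\d:]+ bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")
STATIC_RE = re.compile(r"from \w+:(?P<gip>[\d.]+) to \w+:(?P<lip>[\d.]+)")


def parse_line(line):
    """Split one syslog line into sev/ts/msgid/msg; None for anything else."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Bucket the lines into the three symptoms; returns plain counters and lists."""
    report = {
        "missing_xlate": Counter(),  # (src_if, src_ip, dst_if, dst_ip, dport) -> hits
        "acl_denied": Counter(),     # (dst_ip, dport) -> SYNs dropped on the way in
        "syn_timeout_conns": [],     # conn ids the ASA built that died with 0 bytes
        "static_xlates": [],         # (global_ip, local_ip) seen in 305009
    }
    built, timed_out = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mid, msg = rec["msgid"], rec["msg"]
        if mid == "305005":
            m = NOXLATE_RE.search(msg)
            if m:
                report["missing_xlate"][(m["sif"], m["sip"], m["dif"], m["dip"], int(m["dport"]))] += 1
        elif mid == "106023":
            m = ACL_DENY_RE.search(msg)
            if m:
                report["acl_denied"][(m["dip"], int(m["dport"]))] += 1
        elif mid == "106001":
            # Nothing in any ACL matched. Count SYNs only: RSTs to high ports are
            # stragglers from sessions the previous NAT device owned, not probes.
            m = INBOUND_DENY_RE.search(msg)
            if m and m["flags"].strip() == "SYN":
                report["acl_denied"][(m["dip"], int(m["dport"]))] += 1
        elif mid == "302013":
            m = CONN_RE.search(msg)
            if m:
                built.add(m["conn"])
        elif mid == "302014":
            c, t = CONN_RE.search(msg), TEARDOWN_RE.search(msg)
            if c and t and t["bytes"] == "0" and (t["reason"] or "") == "SYN Timeout":
                timed_out.add(c["conn"])
        elif mid == "305009":
            m = STATIC_RE.search(msg)
            if m:
                report["static_xlates"].append((m["gip"], m["lip"]))
    # Pair Built/Teardown by connection id, not by order: the buffer runs newest first.
    report["syn_timeout_conns"] = sorted(built & timed_out)
    return report


def diagnose(report):
    """Turn the counters into the conclusions the thread reached, one per line."""
    published = {g for g, _ in report["static_xlates"]}
    out = []
    for (sif, sip, dif, dip, dport), n in sorted(report["missing_xlate"].items()):
        hint = ""
        if dip in published:
            hint = " (a published address: an inside host hitting the public IP is a hairpin, which a plain static does not cover)"
        out.append(f"305005 x{n}: no NAT rule for {sif}:{sip} -> {dif}:{dip}/{dport}{hint}")
    for (dip, dport), n in sorted(report["acl_denied"].items()):
        out.append(f"inbound deny x{n}: SYN to {dip}/{dport} dropped on OUTSIDE; fine unless that port is meant to be published")
    if report["syn_timeout_conns"]:
        out.append(f"SYN Timeout on {len(report['syn_timeout_conns'])} connection(s) the ASA built: NAT and ACL passed "
                   "the packet and the host never answered, so check that host's gateway and ARP cache, not the firewall")
    return out


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print(finding)
```

Feed it the output of `show logging` saved to a file; because the buffer (and the thread's pastes) list newest first, Built and Teardown are matched by connection id rather than by position.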
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35443578
From the ASA can you ping the real ip address of the citix server?
 

Author Comment

by:charlietaylor
ID: 35443777
This network is in production. Currently have a cheesy Linksys router (the only thing it does is NAT for Citrix) and a "Transition" throwdown firewall with two simple rules that allow all and allow outside to Citrix.

The Citrix has one NIC with default gateway same as all other devices on network (72.2) and goes out just fine until I cut over to 5510. Then it can not get out. (and yes, all other equipment is turned off and the switches are power cycled after I power up 5510 to make sure I am not having switch ARP issues)

The Citrix is in use 24/7 by remote users so I can't switch back and forth. (especially during day when everybody goes out to Inet via this unit or the cheesy gear I am replacing)

I see the connections too but it connects for half a second and sends 0 bytes..... hmmmm

 
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35443857
you are having arp issues with the citrix box i would think.

so once you cutover to the ASA .. can you ping the citrix box from the ASA?

The citrix arp table still shows the mac address of the linksys 72.2 interface is my guess and you would need to flush the arp table on the citrix server.

Also, how does the internet connect.  Is it straight to the linksys router?  Is this cable, DSL or T1 to a provider router or what.  There is a router on the outside of the ASA of some sort.  It could be that that device still has the public side MAC address of the citrix box in its ARP table.  Most likely that needs a reboot as well to flush its ARP table.  I would bet on it.

I have been working on Cisco firewall since before Cisco bought the PIX.  I can assure the config is good without that reverse static.
 

Author Comment

by:charlietaylor
ID: 35443888
OK... but if it is an ARP issue would the 5510 still get the info that it is in the logs?

I mean, if packets were headed to another port why am I seeing SRC/DST info in the logs?
 

Author Comment

by:charlietaylor
ID: 35443911
AND... I REALLY appreciate all your help!
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35443976
you got a point there.  Here is what I know.  When you try to access it from the outside... the citrix doesn't respond.  So could it be at that point the citrix box has the old arp entry for the linksys? so the packets aren't getting back.

So if you cut over. start everything fresh.  turn off linksys.  reboot ISP router/device.  flush arp table on citrix.  Then ping the citrix box from the ASA.  If that works then try the connection from the outside.  How are you connecting to the outside?  Are you at a different location or are you on a mobile broadband card or what?
 

Author Comment

by:charlietaylor
ID: 35444162
I am physically sitting on the network. I am trying access from outside on my broadband card that is known to connect.

Their office is closed tomorrow and I am getting access to come in and powercycle every single device. I will then first try to ping Citrix from ASA and move downstream like you suggest.

Thanks again, I really do hope it is an ARP issue in a device I did not reload. (the ACTELIS ISP box and actual Citrix server)

I will let you know.
 

Author Comment

by:charlietaylor
ID: 35448533
reboot of every device in the network did not change anything
 

Author Comment

by:charlietaylor
ID: 35448640
the ASA can ping the citrix server
 
LVL 1

Expert Comment

by:slamjam2000
ID: 35448844
From your config, I don't see a route to the inside...  

The only route on the ASA is to the outside:

route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
 

Author Comment

by:charlietaylor
ID: 35448864
so what are you suggesting?
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35449005
Route not needed to the inside to reach the device in question.

Ok so now you have this setup:

citrix server -- ASA - ISP Router

Is that correct? Are there any other boxes in the middle here?

And once you rebooted everything the citrix server still could not get out to the internet?  And you still have issues with stuff coming in from the outside?  

When you cut to the ASA is the linksys box turned off and completely out of the picture?  I am assuming that you are using the same IP addressing scheme on the ASA that you were using on the linksys.  Is that correct?
 

Author Comment

by:charlietaylor
ID: 35449046
The Citrix server can now browse the internet. (after reboot)

I am using the same IP address as the old Linksys that is now turned off and unplugged from network.

The only device between the ASA and Citrix is a dumb switch that had been reset

 

Author Comment

by:charlietaylor
ID: 35449079
when I IP source it (ipchicken.com) the citrix server comes back as 72.54.197.26 where as every other device in network comes back as PAT address of 72.54.197.28

thought I'd mention it since I took out the reverse static, thought it would PAT it....
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35449186

No because the static (inside,outside) command works in both directions when it is applied to a host like your citrix server.

ok so now the citrix can get out.  What about access from the outside to the citrix server.  Where does that stand now?
 
LVL 25

Expert Comment

by:Ken Boone
ID: 35449200
When I open up a browser to that public ip of your citrix I am getting a login prompt.  Is it still going through the ASA?  If so its working.
 

Author Comment

by:charlietaylor
ID: 35449203
No outside access, same as before

 
LVL 25

Expert Comment

by:Ken Boone
ID: 35449214
I'm hitting the citrix xen login page?
 

Author Comment

by:charlietaylor
ID: 35449264
I just checked it from outside too, it is now working. I was trying it from internal (that worked with Linksys) so I was assuming it was not.

hmmm, wonder why it does not work from inside?
 

Author Comment

by:charlietaylor
ID: 35449273
probably was working upon reboot, did not check from external box since then.
 
LVL 25

Accepted Solution

by:Ken Boone (earned 2000 total points)
ID: 35449295
Yea you have to come from external.   The ASA security rules enforce that.
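The working configuration assembled from the thread, as an added example written by this editor rather than a config the poster or Ken posted. It keeps what the thread established for ASA 7.0(8): one static (INSIDE,OUTSIDE) for the published host, no "reverse" static in the (OUTSIDE,INSIDE) direction, and the inbound ACL bound to OUTSIDE. Two items are this editor's additions and are marked as such in the comments: the trailing `dns` keyword on the static, which is an alternative to the internal DNS entry the poster created so that inside clients can reach the server by its public name, and a narrower service group. The group name Citrix-Published is assumed; the thread's own group also opened 445-447, and the poster's first log paste shows Internet hosts probing 72.54.197.26/445 (SMB), so those ports are left out here unless the server genuinely has to publish them.

```cisco
! Added example, not the configuration as posted in the thread.
! Assumes ASA 7.0(8) with OUTSIDE (security-level 0) and INSIDE (100) as above,
! Citrix server 192.168.72.100 published as 72.54.197.26, and inspect dns
! enabled in global_policy (it is, in the posted config).

! 1. Services exposed to the Internet. Only what the question asked for (ICA,
!    HTTP, HTTPS); 445-447 from the original group are deliberately omitted.
object-group service Citrix-Published tcp
 port-object eq citrix-ica
 port-object eq www
 port-object eq https

! 2. Outbound PAT for everyone, and ONE static for the published host.
!    static (INSIDE,OUTSIDE) is bidirectional: it maps inbound 72.54.197.26 to
!    192.168.72.100 and also makes the server egress as 72.54.197.26, which is
!    what the poster saw on ipchicken. Do not add a second static in the
!    (OUTSIDE,INSIDE) direction; that was the "reverse static" that broke things.
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255 dns
! The trailing "dns" keyword (editor's addition) rewrites A-record answers that
! pass through the ASA, so an inside client resolving the public name via the
! external DNS servers gets 192.168.72.100 back instead of trying to hairpin to
! the public address. Split DNS, as the poster did, is the other way to do it.

! 3. Inbound ACL: only the published ports, only to the published address.
access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix-Published
access-group Outside-ACL in interface OUTSIDE

! 4. Apply and verify from exec mode (comments, not config lines):
! clear xlate                           flush stale translations after changing statics
! show xlate | include 192.168.72.100   expect one entry pairing Global 72.54.197.26 with Local 192.168.72.100
! show access-list Outside-ACL          hitcnt on the permit line rises when an outside client connects
```

One further caveat from the posted config rather than from this example: it permits telnet to the management interface from three inside subnets; telnet is cleartext, and the same `ssh` statements with a generated RSA key give the same reach without exposing the enable password on the wire.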
 

Author Comment

by:charlietaylor
ID: 35449330
I just made an internal DNS entry and got it working....

So, bottom line is you were right. There was some issue with ARP. I was testing internal as I was powercycling all devices so I can not say for sure whether it was the ISP boxes or server.

Thanks!!!
 

Author Closing Comment

by:charlietaylor
ID: 35449351
Ken Boone Jr is excellent technical help! He was very informative and insightful.
