I want to set up our Cisco 2611 router with Network Address Translation (NAT) and ACLs that block all traffic in and out of our Windows 2000 Server Terminal Services machine with Citrix MetaFrame 1.8. What should I do?
The ports an ICA session needs are well documented, so here is the short list. The client connects to the server on TCP port 1494; the server's replies go back to whatever ephemeral port (above 1023) the client connected from, so a router ACL without state tracking has to allow that return traffic explicitly. The ICA master browser uses UDP port 1604, unless you use the Citrix XML Service instead. (For more information about ports, go to the Citrix Web site.)
The Cisco router can use NAT to share one or more external IP addresses among many internal (private) addresses. Before outside users can reach your server, you need to map the server's private address to a static public address.
Let's start with NAT. The first step is to mark the outside and inside interfaces on the router: go into Enable mode, then Configure Terminal mode, and set the serial subinterface to outside and the Ethernet interface to inside, as shown below:

Route1>en
Password:
Route1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Route1(config)#int ser 0/0.100
Route1(config-subif)#ip nat outside
Route1(config-subif)#exit
Route1(config)#int eth 0/0
Route1(config-if)#ip nat inside
Route1(config-if)#end
Next, set up a static NAT translation for the Citrix server:
ip nat inside source static 192.168.1.2 163.131.8.18
This command maps the inside address to the outside address one-to-one, so every port on the server becomes reachable from the Internet. That exposure calls for a very strict ACL. Define the lists first, then attach them to the outside interface:

Route1>en
Password:
Route1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Route1(config)#access-list 102 remark INBOUND only for MetaFrame hosts
Route1(config)#access-list 102 permit tcp any host 163.131.8.18 eq 1494
Route1(config)#access-list 102 permit udp any host 163.131.8.18 eq 1604
Route1(config)#access-list 102 deny ip any any
Route1(config)#access-list 103 remark OUTBOUND only for MetaFrame hosts
Route1(config)#access-list 103 permit tcp host 163.131.8.18 eq 1494 any gt 1023
Route1(config)#access-list 103 permit udp host 163.131.8.18 eq 1604 any gt 1023
Route1(config)#access-list 103 deny ip any any
Route1(config)#int ser 0/0.100
Route1(config-subif)#ip access-group 102 in
Route1(config-subif)#ip access-group 103 out
Route1(config-subif)#end

Two points about direction. On the outside interface, IOS evaluates the inbound list before it translates the destination, so list 102 matches the public address 163.131.8.18, not 192.168.1.2. The outbound list is evaluated after the server's private source address has been translated, so the server's replies arrive at list 103 with source 163.131.8.18 and source port 1494 (or 1604), going to the client's ephemeral port above 1023; that is why list 103 matches on the source, not the destination. The final deny in list 103 also stops the server from opening any connection of its own to the Internet, which is what you asked for. Two caveats: these lists filter everything crossing the serial subinterface, so if other inside hosts also reach the Internet through this router, add the permits they need ahead of the final deny; and if your Internet clients connect directly to the server's address rather than browsing for it, you can leave out the UDP 1604 entries.
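To see why the outbound list has to match on the server's translated source address, here is a small simulator of the router's two ACLs and the static NAT mapping. It is an added example, not code from the original article or from Cisco; it models IOS extended-ACL semantics (first match wins, implicit deny at the end) and the order of operations on the outside interface (inbound ACL before outside-to-inside translation, inside-to-outside translation before the outbound ACL). The server and public addresses come from the article; the client address 198.51.100.7, the ephemeral ports, and the target 203.0.113.9 are constructed. It runs an ICA connection, the server's reply, a stray RDP probe, and an outbound HTTP attempt from the server through both an outbound list that matches on destination 163.131.8.18 and one that matches on source 163.131.8.18, and shows that only the source-based list lets the ICA reply out.

```python
"""Simulate the 2611's inbound/outbound ACLs plus the static NAT mapping.

Added example, not from the original article. Simplified model of Cisco IOS
extended-ACL evaluation (first match wins, implicit deny) and of the outside
interface's order of operations: inbound ACL, then outside->inside NAT;
inside->outside NAT, then outbound ACL. Client addresses and ports below
are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. `permit tcp any host X eq 1494`."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: str                          # "any" or a host address
    sport: Optional[Tuple[str, int]]  # None, ("eq", n) or ("gt", n)
    dst: str
    dport: Optional[Tuple[str, int]]


def _match_port(spec, port):
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n


def _match_host(spec, addr):
    return spec == ANY or spec == addr


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (_match_host(ace.src, pkt.src) and _match_port(ace.sport, pkt.sport)
            and _match_host(ace.dst, pkt.dst) and _match_port(ace.dport, pkt.dport))


def acl_permits(acl, pkt):
    """First matching entry decides; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# Static NAT from the article: inside local 192.168.1.2 <-> inside global 163.131.8.18
NAT_LOCAL, NAT_GLOBAL = "192.168.1.2", "163.131.8.18"

# access-list 102, applied "in" on the outside interface
ACL_102 = [
    Ace("permit", "tcp", ANY, None, NAT_GLOBAL, ("eq", 1494)),
    Ace("permit", "udp", ANY, None, NAT_GLOBAL, ("eq", 1604)),
    Ace("deny", "ip", ANY, None, ANY, None),
]

# Outbound list that matches on *destination* 163.131.8.18 (wrong direction)
ACL_103_DST_BASED = [
    Ace("permit", "udp", ANY, None, NAT_GLOBAL, ("eq", 1604)),
    Ace("permit", "tcp", ANY, None, NAT_GLOBAL, ("gt", 1023)),
    Ace("permit", "udp", ANY, None, NAT_GLOBAL, ("gt", 1023)),
    Ace("deny", "ip", ANY, None, ANY, None),
]

# Outbound list that matches on *source* 163.131.8.18 (what the server's replies carry after NAT)
ACL_103_SRC_BASED = [
    Ace("permit", "tcp", NAT_GLOBAL, ("eq", 1494), ANY, ("gt", 1023)),
    Ace("permit", "udp", NAT_GLOBAL, ("eq", 1604), ANY, ("gt", 1023)),
    Ace("deny", "ip", ANY, None, ANY, None),
]


def router_inbound(pkt, acl=ACL_102):
    """Outside->inside: ACL first, then rewrite the global destination to the local one."""
    if not acl_permits(acl, pkt):
        return None
    if pkt.dst == NAT_GLOBAL:
        pkt = Packet(pkt.proto, pkt.src, pkt.sport, NAT_LOCAL, pkt.dport)
    return pkt


def router_outbound(pkt, acl=ACL_103_SRC_BASED):
    """Inside->outside: rewrite the local source to the global one, then ACL."""
    if pkt.src == NAT_LOCAL:
        pkt = Packet(pkt.proto, NAT_GLOBAL, pkt.sport, pkt.dst, pkt.dport)
    return pkt if acl_permits(acl, pkt) else None


# Constructed sample traffic (client address and ephemeral ports are made up)
CLIENT = "198.51.100.7"
ICA_SYN = Packet("tcp", CLIENT, 40001, NAT_GLOBAL, 1494)
ICA_REPLY = Packet("tcp", NAT_LOCAL, 1494, CLIENT, 40001)
RDP_PROBE = Packet("tcp", CLIENT, 40002, NAT_GLOBAL, 3389)
OUTBOUND_HTTP = Packet("tcp", NAT_LOCAL, 1025, "203.0.113.9", 80)

if __name__ == "__main__":
    print("ICA setup in:", router_inbound(ICA_SYN))
    print("ICA reply out, destination-based list:", router_outbound(ICA_REPLY, ACL_103_DST_BASED))
    print("ICA reply out, source-based list:", router_outbound(ICA_REPLY))
    print("RDP probe in:", router_inbound(RDP_PROBE))
    print("Server opening HTTP out:", router_outbound(OUTBOUND_HTTP))
```

Running it shows the ICA setup passing list 102 and reaching 192.168.1.2, the server's reply being dropped by the destination-based list but passed (with source 163.131.8.18) by the source-based one, and both the RDP probe and the server's own outbound HTTP attempt hitting the final deny.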
Next, make sure the Citrix server knows it has a different external address; otherwise the ICA browser hands clients the private address 192.168.1.2, which they cannot reach. Set the alternate address from a command prompt on the server:
Altaddr /SET 163.131.8.18
Then, in the ICA client settings or in the .ica file, select the option to use the alternate address for connections through the firewall.
I hope this helps. Good luck!