I want to set up our Cisco 2611 router with Network Address Translation (NAT) and ACLs that block all traffic in and out of our Windows 2000 Server Terminal Services machine with Citrix MetaFrame 1.8. What should I do?

Numerous articles list the ports ICA needs to reach a Citrix server, so I'll just quickly summarize them for you. An ICA session runs from the client to the server on TCP port 1494; the server replies from port 1494 back to the client's source port, which is an ephemeral TCP port above 1023. The Citrix master browser uses UDP port 1604, unless you use the XML service. (For more information about ports, go to the Citrix Web site.)

The Cisco router can use NAT to share one or more public IP addresses among many internal (private) addresses. Before outside users can reach your server, you need to map the server's private address to a static public address.

Let's start by taking a look at NAT. The first step is to mark the router's outside and inside interfaces: enter privileged EXEC (enable) mode, then global configuration mode (configure terminal), and tag the proper interfaces as NAT outside and NAT inside, as shown in the example below:

Password:
Route1>en
Password:
Route1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Route1(config)#int ser 0/0.100
Route1(config-subif)#ip nat outside
Route1(config-subif)#exit
Route1(config)#int eth 0/0
Route1(config-if)#ip nat inside
Route1(config-if)#end

Next, create a static NAT translation so that outside clients can reach the Citrix server:

ip nat inside source static 192.168.1.2 163.131.8.18

This command gives the inside address a one-to-one translation to the outside address, which exposes every port on the machine to the world, not just the ICA ports. That exposure calls for a very strict ACL, as shown in the example below. Keep the NAT order of operations in mind when you write it: an inbound ACL on the outside interface is checked before translation, so it must reference the public address as the destination, and an outbound ACL on that interface is checked after translation, so the server's replies appear with the public address as their source.

! Define the access lists, then attach them to the outside interface
Password:
Route1>en
Password:
Route1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Route1(config)#access-list 102 remark INBOUND only ICA to the MetaFrame host
Route1(config)#access-list 102 permit tcp any host 163.131.8.18 eq 1494
Route1(config)#access-list 102 permit udp any host 163.131.8.18 eq 1604
Route1(config)#access-list 102 deny ip any any
Route1(config)#access-list 103 remark OUTBOUND only ICA replies from the MetaFrame host
Route1(config)#access-list 103 permit tcp host 163.131.8.18 eq 1494 any gt 1023
Route1(config)#access-list 103 permit udp host 163.131.8.18 eq 1604 any gt 1023
Route1(config)#access-list 103 deny ip any any
Route1(config)#int ser 0/0.100
Route1(config-subif)#ip access-group 102 in
Route1(config-subif)#ip access-group 103 out
Route1(config-subif)#end

Note that the outbound list permits traffic whose source is the translated server address and whose source port is the ICA or browser service port; the server's replies never have 163.131.8.18 as their destination, so an outbound rule written that way would drop them. Because both lists end with deny ip any any, they drop every other packet crossing that interface, including return traffic for any other inside hosts that share the router's link and anything the Citrix server itself initiates (DNS, domain logons, Windows Update). If other hosts use this link, add permits for their traffic (for example, with the established keyword or a reflexive ACL) before the final deny. After you attach the lists, show access-lists displays per-line hit counts, and show ip nat translations confirms that the static mapping is active.
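To see what the two access lists actually do to traffic, here is a small evaluator for Cisco-style extended ACL lines, run over constructed sample packets. This is an added example, not code from the original column or from Cisco; it understands only the any/host address forms and the eq/gt/lt port operators used above (no wildcard masks, established, or named ACLs), and the client addresses 203.0.113.5 and 198.51.100.9 are made-up documentation addresses. It contrasts an outbound list written with the MetaFrame host as the destination, which never matches the server's replies, against one written with the host as the source.

```python
"""Evaluate Cisco-style extended ACL lines against sample packets (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume an address spec ('any' or 'host A.B.C.D'); return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = tokens[1]
        return (lambda ip: ip == want), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def _parse_port(tokens):
    """Consume an optional port operator (eq/gt/lt N); return (matcher, remaining tokens)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, n = tokens[0], int(tokens[1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[op], tokens[2:]
    return (lambda p: True), tokens


def parse_acl(text):
    """Turn 'access-list N permit|deny proto src [op port] dst [op port]' lines into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue  # skip remarks and anything that is not an access-list statement
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src_match, rest = _parse_addr(rest)
        sport_match, rest = _parse_port(rest)
        dst_match, rest = _parse_addr(rest)
        dport_match, rest = _parse_port(rest)
        rules.append((action, proto, src_match, sport_match, dst_match, dport_match))
    return rules


def evaluate(rules, pkt):
    """Return the action of the first matching rule, or 'deny' (the implicit deny at the end)."""
    for action, proto, src_match, sport_match, dst_match, dport_match in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src_match(pkt.src) and sport_match(pkt.sport) and dst_match(pkt.dst) and dport_match(pkt.dport):
            return action
    return "deny"


# Inbound list on the outside interface: only ICA and the ICA browser to the NAT address.
INBOUND_102 = """
access-list 102 permit tcp any host 163.131.8.18 eq 1494
access-list 102 permit udp any host 163.131.8.18 eq 1604
access-list 102 deny ip any any
"""

# Outbound list with the MetaFrame host as the *destination*: replies leaving the
# router have the host as their source, so nothing here ever matches them.
OUTBOUND_WRONG_DIRECTION = """
access-list 103 permit tcp any host 163.131.8.18 gt 1023
access-list 103 permit udp any host 163.131.8.18 gt 1023
access-list 103 deny ip any any
"""

# Outbound list with the host as the *source*, replying from its service ports
# to the client's ephemeral port; the server may not initiate anything else.
OUTBOUND_103 = """
access-list 103 permit tcp host 163.131.8.18 eq 1494 any gt 1023
access-list 103 permit udp host 163.131.8.18 eq 1604 any gt 1023
access-list 103 deny ip any any
"""

# Constructed sample packets; 203.0.113.5 and 198.51.100.9 are documentation addresses.
ICA_CONNECT = Packet("tcp", "203.0.113.5", 3456, "163.131.8.18", 1494)
ICA_REPLY = Packet("tcp", "163.131.8.18", 1494, "203.0.113.5", 3456)
BROWSER_REPLY = Packet("udp", "163.131.8.18", 1604, "203.0.113.5", 1025)
RDP_PROBE = Packet("tcp", "198.51.100.9", 40000, "163.131.8.18", 3389)
SERVER_TO_WEB = Packet("tcp", "163.131.8.18", 1050, "198.51.100.9", 80)


def check_all():
    """Evaluate each sample packet against the list that would see it; returns {name: action}."""
    return {
        "inbound ICA connect": evaluate(parse_acl(INBOUND_102), ICA_CONNECT),
        "inbound RDP probe": evaluate(parse_acl(INBOUND_102), RDP_PROBE),
        "ICA reply, wrong-direction list": evaluate(parse_acl(OUTBOUND_WRONG_DIRECTION), ICA_REPLY),
        "ICA reply, corrected list": evaluate(parse_acl(OUTBOUND_103), ICA_REPLY),
        "browser reply, corrected list": evaluate(parse_acl(OUTBOUND_103), BROWSER_REPLY),
        "server-initiated HTTP, corrected list": evaluate(parse_acl(OUTBOUND_103), SERVER_TO_WEB),
    }


if __name__ == "__main__":
    for name, action in check_all().items():
        print(f"{action:6s} {name}")
```

Running it shows the ICA reply denied by the destination-based outbound list and permitted by the source-based one, while the inbound list still drops a probe to TCP 3389 and the outbound list drops anything the server tries to open on its own.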

Next, tell the Citrix server about its external address so that it hands the public address, rather than its private 192.168.1.2, to clients that connect through the NAT. You can accomplish this by setting the alternate address from a command prompt on the server:

Altaddr /SET 163.131.8.18

Then, in the ICA client's firewall settings (or with UseAlternateAddress=1 in the ICA file), choose to use the alternate address so that the client connects to 163.131.8.18 instead of the private address.

I hope this helps. Good luck!