I want to set up our Cisco 2611 router with Network Address Translation (NAT) and ACLs that block all traffic in and out of our Windows 2000 Server Terminal Services machine with Citrix MetaFrame 1.8. What should I do?

Numerous articles list the ports ICA needs to communicate with a Citrix server, so I'll just quickly summarize them. A Citrix session communicates from the client to the server through TCP port 1494, and the server responds to the client on any TCP port higher than 1023. The Citrix master browser uses UDP port 1604, unless you use the XML service. (For more information about ports, go to the Citrix Web site.)

The Cisco router can use NAT to share one or more external IP addresses among many internal (private) addresses. Before outside users can reach your server, you need to map the server's private address to a static external address.

Let's start with NAT. The first step is to mark the router's outside and inside interfaces: enter Enable mode, then Configure Terminal mode, and set the proper interfaces to outside and inside, as shown in the example below:

    Password:
    Route1>en
    Password:
    Route1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Route1(config)#int ser 0/0.100
    Route1(config-subif)#ip nat outside
    Route1(config-subif)#exit
    Route1(config)#int eth 0/0
    Route1(config-if)#ip nat inside

Next, set up a NAT static route for connecting to the Citrix servers:

ip nat inside source static 192.168.1.2 163.131.8.18

This command creates a one-to-one translation between the inside IP address and the outside IP address, which exposes the entire machine to the world. That exposure calls for a very strict ACL, as shown in the example below. Note the direction of each list: ACL 102 is applied inbound on the serial interface and is evaluated before NAT, so it matches packets arriving from the Internet with the public address 163.131.8.18 as their destination; ACL 103 is applied outbound and is evaluated after NAT, so it sees the server's replies with the public address as their source.

    ! Define the access lists first, then attach them to the outside interface
    Password:
    Route1>en
    Password:
    Route1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Route1(config)#access-list 102 remark INBOUND only for Metaframe Hosts
    Route1(config)#access-list 102 permit tcp any host 163.131.8.18 eq 1494
    Route1(config)#access-list 102 permit udp any host 163.131.8.18 eq 1604
    Route1(config)#access-list 102 deny ip any any
    Route1(config)#access-list 103 remark OUTBOUND only for Metaframe hosts
    Route1(config)#access-list 103 permit udp host 163.131.8.18 eq 1604 any
    Route1(config)#access-list 103 permit tcp host 163.131.8.18 any gt 1023
    Route1(config)#access-list 103 permit udp host 163.131.8.18 any gt 1023
    Route1(config)#access-list 103 deny ip any any
    Route1(config)#int ser 0/0.100
    Route1(config-subif)#ip access-group 102 in
    Route1(config-subif)#ip access-group 103 out
    Route1(config-subif)#exit
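To check what the inbound list actually lets through before you commit it to the router, here is a small evaluator for the extended-ACL lines in this answer. It is an added example, not part of the original answer or of Cisco's tooling; the ACL text is copied from the answer, and the test packets (source 198.51.100.7 and the ports) are constructed.

```python
# Added example: a minimal evaluator for the extended ACL lines shown in this answer.
# ACL text below is copied from the answer; the packets tested against it are constructed.
ACL_102 = """
access-list 102 remark INBOUND only for Metaframe Hosts
access-list 102 permit tcp any host 163.131.8.18 eq 1494
access-list 102 permit udp any host 163.131.8.18 eq 1604
access-list 102 deny ip any any
"""

def _addr(tokens):
    """Consume 'any' or 'host X', then an optional eq/gt/lt port match."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError(f"unsupported address spec: {tokens[0]}")
    port = None
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        port, tokens = (tokens[0], int(tokens[1])), tokens[2:]
    return addr, port, tokens

def parse_acl(text):
    """Return rules as (action, proto, src, sport, dst, dport); remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, sport, rest = _addr(t[4:])
        dst, dport, _ = _addr(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def _port_ok(spec, port):
    if spec is None:
        return True  # no port qualifier: any port matches
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins; IOS denies anything no rule matched."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and rsrc in (None, src) and rdst in (None, dst)
                and _port_ok(rsport, sport) and _port_ok(rdport, dport)):
            return action
    return "deny"
```

Running `evaluate(parse_acl(ACL_102), "tcp", "198.51.100.7", 40000, "163.131.8.18", 3389)` returns `deny`, so an RDP attempt at the Terminal Services host is dropped, while the same call with destination port 1494 returns `permit`.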

Next, ensure that the Citrix server knows it is reachable at a different external address. You can accomplish this by setting the alternate address from a command prompt on the server:

Altaddr /SET 163.131.8.18

Then, in your ICA client or ICA file, select the option to use the alternate address.

I hope this helps. Good luck!