Re: ASA "Hairpin" issue

From: Mark Cairns <m.a.cairns_at_gmail.com>
Date: Mon, 28 Feb 2011 20:12:33 -0500

There are always multiple ways of getting to the same goal.

The most common way of doing this (that I have seen) is through DNS
modification. I assume guests are using a DNS entry to resolve the Citrix
farm as 1.1.1.2.

If you are pointing the guests to a public DNS server outside the ASA, you
can modify the response and they can connect directly to the 10.10.32.25
address, never touching the outside interface.

In that case, you would allow the guest source IP to have TCP 443 access to
10.10.32.25 on your router. Do a NAT 0 on the 10.10.10.254 source when going
to 10.10.32.25.

Check this link and consider adding the DNS keyword to your static
statement. This is a suggestion, and I don't know your DNS topology to state
if it will impact anything else. If your DNS is set up this way, any query
for your Citrix farm would be returned to an inside host as the private IP.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042753

Just another option to consider.

Mark
#17755, Security
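The `dns` keyword Mark refers to makes the ASA's DNS inspection rewrite the A record in a reply when the answer matches the global address of a `static` translation, so an inside host resolving the farm name gets 10.10.32.25 instead of 1.1.1.2 and connects directly rather than hairpinning on the outside interface. The script below is an added illustration of that rewrite, not Cisco's code or anything from the original thread: it parses a constructed DNS reply in wire format, walks the resource records (including compression pointers), and swaps the RDATA of any A record whose address is in a static NAT table. The hostname `citrix.example.com` and the transaction ID are constructed; only the 1.1.1.2 / 10.10.32.25 pair comes from the thread.

```python
import socket
import struct

# Constructed static NAT table (public/outside address -> private/inside address),
# mirroring the mapping discussed in the thread: 1.1.1.2 -> 10.10.32.25.
STATIC_NAT = {"1.1.1.2": "10.10.32.25"}


def build_response(qname, rdata_ip, txid=0x1234):
    """Build a minimal DNS reply with one A record. Constructed test input, not a capture."""
    # Flags 0x8180: QR=1 (response), RD and RA set; 1 question, 1 answer, 0 authority, 0 additional.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Answer: compression pointer to the question name (offset 12), type A, class IN, TTL 300, 4-byte RDATA.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(rdata_ip)
    return header + question + answer


def _skip_name(pkt, off):
    """Return the offset just past a DNS name, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer: two bytes, and it terminates the name
            return off + 2
        off += 1 + length


def _records(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record in a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt):
    """Return the IPv4 addresses carried in the message's A records."""
    return [socket.inet_ntoa(pkt[o:o + 4])
            for o, t, c, l in _records(pkt) if t == 1 and c == 1 and l == 4]


def doctor_response(pkt, nat_table):
    """Rewrite A-record answers whose address is a translated public IP to the inside address.

    Returns (rewritten_packet, [(public_ip, private_ip), ...]). Queries pass through untouched,
    and the packet length never changes because only the 4-byte RDATA is replaced.
    """
    flags = struct.unpack("!H", pkt[2:4])[0]
    if not flags & 0x8000:                       # QR bit clear: a query, nothing to rewrite
        return pkt, []
    out = bytearray(pkt)
    changes = []
    for off, rtype, rclass, rdlen in _records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public_ip = socket.inet_ntoa(pkt[off:off + 4])
            private_ip = nat_table.get(public_ip)
            if private_ip:
                out[off:off + 4] = socket.inet_aton(private_ip)
                changes.append((public_ip, private_ip))
    return bytes(out), changes


if __name__ == "__main__":
    reply = build_response("citrix.example.com", "1.1.1.2")   # constructed hostname
    fixed, changes = doctor_response(reply, STATIC_NAT)
    print("before:", a_records(reply), "after:", a_records(fixed), "changes:", changes)
```

On the ASA itself the equivalent is the translation from the linked guide, `static (inside,outside) 1.1.1.2 10.10.32.25 netmask 255.255.255.255 dns`, with `inspect dns` active in the service policy so the firewall actually sees and edits the reply; the rewrite only applies to replies that traverse the ASA, which is why it helps when the guests use an outside DNS server and does nothing when they resolve against an inside server.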

Blogs and organic groups at http://www.ccie.net
Received on Mon Feb 28 2011 - 20:12:33 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART