
ip pool - routing


piddon

Question

Hi,

I have seen this question come up a few times and tried to follow what people like Carl Stalhood have recommended, but I'm still not getting anywhere.

I have a VPN group that gets an intranet IP of 172.16.200.0/24.

When connected, any device in that group can ping each other. The device can ping the SNIP.

However, it cannot get out to our servers.

I have set up a route for 172.16.200.0/24 to go out to our firewall.

Our firewall team can see traffic being attempted to things like Exchange servers, but the connections are torn down.

They can also see traffic going to and from the NetScaler.

If I turn off the intranet IP, I can connect to internal resources.

I'm guessing I'm missing something simple. Any help would be appreciated.

Many thanks,

Paul

1 answer to this question


The IPs you hand out in an intranet IP/IP pool configuration must be a valid range of routable IP addresses on your internal network, and they must not conflict or overlap with DHCP or other IPs (meaning no one else can be using the IPs allocated from the pool).

So, if you are handing out 172.16.200.0/24 addresses, this must be routable from your ADC backend to the networks you are trying to reach via the firewall and what the routers recognize.

Without IP pools, the gateway/VPN connections use the SNIP to reach the majority of backend destinations. So if the SNIP is working but the IP pool addresses are not:

1) Is the IP pool bound properly and the session policy properly configured to hand out IP pool addresses?

2) If you had a server with the IP allocated, could it talk via the firewall to internal resources? If not, what firewall rules (update the firewall) or routes would be needed (this is what your gateway needs to know), and are your routers recognizing this source subnet for routing purposes to reach internal network destinations (do your routers need an update too)?

3) Do you have any ACLs on the ADC or firewall that are blocking or preventing this range of IPs?
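The overlap and return-route checks from the answer above can be run offline against an exported route table. This is an added example, not part of the original thread or Citrix code; the SNIP address, DHCP scopes and route entries are constructed, and it assumes replies to pool addresses should be routed back to the ADC's SNIP.

```python
import ipaddress

# Values below are constructed for illustration, except the pool from the question.
POOL = "172.16.200.0/24"            # intranet IP pool from the question
SNIP = "10.0.10.5"                  # hypothetical ADC SNIP
DHCP_SCOPES = ["10.0.30.0/24", "172.16.200.128/25"]   # hypothetical scopes
ROUTES_BEFORE = [("0.0.0.0/0", "10.0.0.1"), ("172.16.0.0/16", "10.0.20.1")]
ROUTES_AFTER = ROUTES_BEFORE + [("172.16.200.0/24", SNIP)]


def overlapping_ranges(pool, reserved):
    """Return the reserved ranges (DHCP scopes, static blocks) that overlap the pool."""
    net = ipaddress.ip_network(pool)
    return [r for r in reserved if net.overlaps(ipaddress.ip_network(r))]


def return_path_gaps(routes, pool, snip):
    """List reasons why replies to pool addresses would not reach the SNIP.

    routes is a (prefix, next_hop) table exported from an internal router or firewall.
    """
    net = ipaddress.ip_network(pool)
    table = [(ipaddress.ip_network(p), gw) for p, gw in routes]
    problems = []
    # Longest-prefix match: the most specific route containing the whole pool wins.
    covering = [(n, gw) for n, gw in table if net.subnet_of(n)]
    if not covering:
        problems.append(f"no route covers {net}")
    else:
        best, gw = max(covering, key=lambda r: r[0].prefixlen)
        if gw != snip:
            problems.append(f"{net} follows {best} via {gw}, not the SNIP {snip}")
    # A more specific route inside the pool would pull part of it elsewhere.
    for n, gw in table:
        if n != net and n.subnet_of(net) and gw != snip:
            problems.append(f"{n} inside the pool goes via {gw}")
    return problems


if __name__ == "__main__":
    print("overlaps:", overlapping_ranges(POOL, DHCP_SCOPES))
    print("before:", return_path_gaps(ROUTES_BEFORE, POOL, SNIP))
    print("after:", return_path_gaps(ROUTES_AFTER, POOL, SNIP))
```

A non-empty result from `return_path_gaps` matches the symptom in the question: requests reach the servers, but replies to 172.16.200.x follow a different route and the firewall tears the connection down.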
