I'm having a problem setting up RADIUS with Citrix Access Gateway.
I had it all set up and working fine when I had the Citrix Access Gateway (CAG) on our main LAN, but I want to move it into the DMZ.
I have set up a Vyatta firewall in between the RADIUS server and the Gateway. The firewall is set up to only allow HTTP, HTTPS, and RADIUS traffic through (1812 and 1813). The firewall also provides all the NAT'ing I need, i.e. I have set up CAG to point at the IP of the firewall with the port, and the firewall then forwards this traffic on to the RADIUS server, masking the IP address as the IP of the firewall. The firewall should then forward any traffic it receives coming from inside to the CAG.
The problem seems to be with the traffic going back to the CAG. If I run Wireshark I can see the RADIUS request reaching the server, but then the RADIUS server seems to send an ICMP request back to the firewall which fails and says the port is not open:
23 3.145816 11.1.1.1 11.1.1.2 RADIUS 104 Access-Request(1) (id=0, l=62)
24 3.145883 11.1.1.2 11.1.1.1 ICMP 132 Destination unreachable (Port unreachable)
The traffic going back into the firewall is not filtered at all and it should be passing the data straight to the CAG.
Vyatta NAT config:
service {
    nat {
        rule 10 {
            destination {
                address 11.1.1.1
            }
            inbound-interface eth1
            inside-address {
                address 192.168.60.2
            }
            type destination
        }
        rule 20 {
            destination {
                address 192.168.60.1
                port 1812
            }
            inbound-interface eth0
            inside-address {
                address 11.1.1.2
            }
            protocol udp
            type destination
        }
        rule 21 {
            destination {
                address 192.168.60.1
                port 1813
            }
            inbound-interface eth0
            inside-address {
                address 11.1.1.2
            }
            protocol udp
            type destination
        }
        rule 30 {
            outbound-interface eth1
            outside-address {
                address 11.1.1.1
            }
            source {
                address 192.168.60.2
            }
            type source
        }
    }
}
Any ideas why this is failing?
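The capture excerpt in the question shows the pattern to look for when a NAT'd RADIUS path is broken: the server answers an Access-Request with an ICMP "Port unreachable" instead of an Access-Accept or Access-Reject, which means the datagram arrived at the server on a UDP port nothing is listening on. The following script is an added troubleshooting helper, not part of the original post or of Vyatta or Citrix: it parses one-frame-per-line Wireshark summary output (the format quoted above) and reports every RADIUS request whose first reply from the peer was an ICMP port-unreachable. The frames it uses are constructed sample data modelled on the question's two lines, with a healthy exchange and an unrelated frame added so the pairing logic is exercised.

```python
"""Pair RADIUS Access-Requests with ICMP 'Port unreachable' replies in a
Wireshark summary.  Added example, not from the original post."""
import re
from dataclasses import dataclass

# Constructed sample capture in the same summary format as the question.
SAMPLE_SUMMARY = """\
23 3.145816 11.1.1.1 11.1.1.2 RADIUS 104 Access-Request(1) (id=0, l=62)
24 3.145883 11.1.1.2 11.1.1.1 ICMP 132 Destination unreachable (Port unreachable)
25 3.200000 11.1.1.1 11.1.1.2 RADIUS 104 Access-Request(1) (id=1, l=62)
26 3.200500 11.1.1.2 11.1.1.1 RADIUS 62 Access-Accept(2) (id=1, l=20)
27 3.300000 11.1.1.1 11.1.1.2 DNS 70 Standard query 0x1234 A example.invalid
"""

# frame-number, time, source, destination, protocol, length, free-text info
FRAME_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)


@dataclass
class Frame:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    info: str


def parse_summary(text):
    """Turn Wireshark/tshark summary lines into Frame objects; skip junk lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(Frame(int(m["no"]), float(m["time"]), m["src"],
                                m["dst"], m["proto"], m["info"]))
    return frames


def find_unreachable_radius(frames, window=1.0):
    """Return (request_no, reply_no) pairs where the first reply the server sent
    back to a RADIUS Access-Request, within `window` seconds, was an ICMP
    'Port unreachable'.  A RADIUS reply ends the search for that request,
    so served requests are not reported."""
    failures = []
    for req in frames:
        if req.proto != "RADIUS" or "Access-Request" not in req.info:
            continue
        for rep in frames:
            # only later frames flowing back from the server to the client
            if rep.no <= req.no or rep.time - req.time > window:
                continue
            if rep.src != req.dst or rep.dst != req.src:
                continue
            if rep.proto == "ICMP" and "Port unreachable" in rep.info:
                failures.append((req.no, rep.no))
                break
            if rep.proto == "RADIUS":
                break  # genuine RADIUS answer: this request was served
    return failures


if __name__ == "__main__":
    frames = parse_summary(SAMPLE_SUMMARY)
    for req_no, rep_no in find_unreachable_radius(frames):
        print(f"frame {req_no}: RADIUS request answered by ICMP port-unreachable "
              f"in frame {rep_no}; check the NAT rule's translated port and that "
              f"the RADIUS daemon is bound on the destination host")
```

Run on a real capture by piping `tshark -r file.pcap` output (or the copied Wireshark summary pane) into `parse_summary`. A hit does not say which side is wrong, only that the request reached a host and port where nothing answers, which narrows the fault to the port translation on the firewall or the listener configuration on the RADIUS server.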
OK, I solved it.
I changed the Vyatta config to include an inside port number for the RADIUS ports so it knows where it is coming from, and it is forwarding the data to the right place!