Nat Question

stevem
Level 1

Hello to all,

Just wanted to see if somebody out there with a keener eye than mine (ok, smarter too ;-) could look at this config and let me know whether the NAT statements look ok or not?

We are having trouble RDP'ing into a remote office that has just added a Symantec Firewall (prior to the firewall we had no problems connecting), and we can still RDP in anywhere else. BUT, here is the output from the Symantec Firewall that makes us think maybe it is our Cisco config?

Symantec LOG: Feb 22, 2005 09:10:06.031 AM CST eswfirewall.yyy.net pingd 2009 503 ALERT Reverse address does not match, so denied, Count=1, Source IP=xxx.136.124.162, Destination Name=xxx.250.135.1, Destination IP=0.0.0.0

We have had problems with our ISP and think that it may be them, but we know what their answer will be (not our fault, etc.), so please advise if you see anything that looks off, or if it looks good, as that will help us in building a case to look elsewhere. Thanks.

Current configuration:

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname
!
no logging buffered
no logging console
enable secret xxxx
!
memory-size iomem 25
ip subnet-zero
no ip source-route
no ip finger
ip domain-name
!
!
!
interface Serial0
 description T1 to ISP
 ip address xxx.136.124.162 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 keepalive 5
 no fair-queue
 no cdp enable
!
interface FastEthernet0
 description LAN
 ip address xxx.250.135.1 255.255.255.240 secondary
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 no cdp enable
!
ip nat inside source list 101 interface Serial0 overload
ip nat inside source static tcp 192.168.100.2 110 xxx.250.135.1 110 extendable
ip nat inside source static tcp 192.168.100.2 80 xxx.250.135.1 80 extendable
ip nat inside source static tcp 192.168.100.2 25 xxx.250.135.1 25 extendable
ip nat inside source static tcp 192.168.100.2 21 xxx.250.135.1 21 extendable
ip nat inside source static tcp 192.168.100.2 20 xxx.250.135.1 20 extendable
ip nat inside source static tcp 192.168.100.2 4125 xxx.250.135.1 4125 extendable
ip nat inside source static tcp 192.168.100.2 443 xxx.250.135.1 443 extendable
ip nat inside source static tcp 192.168.100.2 3389 xxx.250.135.1 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.136.124.161
no ip http server
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
!
line con 0
 password xxxx
 login
 transport input none
line aux 0
line vty 0 4
 password xxxx
 login
!
end

2 Replies

mhussein
Level 4

Looking at the Symantec firewall log, it is possible that the firewall is trying to perform a reverse DNS lookup on the source IP address. Maybe disabling DNS reverse lookup or setting up a host/arpa on the firewall will fix the problem:

162.124.136.xxx.IN-ADDR.ARPA. yyy.zzz.com.

yyy.zzz.com xxx.136.124.162

Regards

Mustafa
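As an added illustration (not code from this thread or from either vendor), here is the forward-confirmed reverse DNS check that a "Reverse address does not match" denial implies: a PTR lookup of the source address followed by an A lookup of the returned name, which must contain the source address. It assumes the firewall applies exactly that two-step check; the zone data is constructed, and the masked "xxx" octet is kept as in the post, so the in-addr.arpa name is built by string reversal rather than with the ipaddress module.

```python
# Constructed zone data standing in for the answers the firewall would receive.
PTR_RECORDS = {
    # Mustafa's proposed PTR: 162.124.136.xxx.IN-ADDR.ARPA. -> yyy.zzz.com.
    "162.124.136.xxx.in-addr.arpa.": "yyy.zzz.com.",
    # Constructed host whose PTR exists but whose A record points elsewhere.
    "7.113.0.203.in-addr.arpa.": "stale.example.net.",
}
A_RECORDS = {
    # Mustafa's proposed forward record: yyy.zzz.com -> xxx.136.124.162
    "yyy.zzz.com.": ["xxx.136.124.162"],
    "stale.example.net.": ["203.0.113.9"],
}


def reverse_name(ip):
    """Owner name the firewall would query for a source address (in-addr.arpa)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fcrdns_check(ip, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Return (allowed, reason) for a forward-confirmed reverse DNS check.

    Step 1: PTR lookup of the source address (assumed firewall behaviour).
    Step 2: A lookup of the returned name; it must include the source address.
    Either step failing is what a 'reverse address does not match' denial reflects.
    """
    ptr_owner = reverse_name(ip)
    name = ptr_records.get(ptr_owner.lower())
    if name is None:
        return False, "no PTR record at %s" % ptr_owner
    forward = a_records.get(name.lower(), [])
    if ip not in forward:
        return False, "%s resolves to %s, not %s" % (name, forward, ip)
    return True, "%s -> %s -> %s" % (ip, name, ip)


if __name__ == "__main__":
    # Before the fix: the router's Serial0 address has no PTR at all, so denied.
    print(fcrdns_check("xxx.136.124.162", ptr_records={}, a_records={}))
    # With Mustafa's PTR and A records in place the two lookups agree.
    print(fcrdns_check("xxx.136.124.162"))
    # PTR present but the forward record disagrees: still denied.
    print(fcrdns_check("203.0.113.7"))
```

The first case is the one in the thread: the overload NAT address on Serial0 is the source of every outbound connection, so a missing or inconsistent PTR for that one address blocks the whole office until the records are added or the check is relaxed.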

Thank you Mustafa, we are trying to get the folks that manage the firewall to just allow our IP in and that should solve the problem but we are getting push back from them on that...so I wanted to make sure that the config on our router was good specifically the NAT statements we had so that I can tell them that it's not our config but something else and that the easiest way to resolve this is to allow us to come in by permitting our IP through the firewall. So thank you for your follow up.

Steve