02-22-2005 05:51 PM - edited 03-02-2019 09:49 PM
Hello to all,
Just wanted to see if somebody out there with a keener eye than mine (ok, smarter too ;-) could look at this config and let me know whether the NAT statements look ok or not?
We are having trouble RDP'ing into a remote office that has just added a Symantec firewall (prior to the firewall we had no problems connecting), and we can still RDP in anywhere else. BUT, here is the output from the Symantec firewall that makes us think maybe it is our Cisco config?
Symantec LOG: Feb 22, 2005 09:10:06.031 AM CST eswfirewall.yyy.net pingd 2009 503 ALERT Reverse address does not match, so denied, Count=1, Source IP=xxx.136.124.162, Destination Name=xxx.250.135.1, Destination IP=0.0.0.0
We have had problems with our ISP and think that it may be them, but we know what their answer will be (not our fault, etc.), so please advise if you see anything that looks off; if it looks good, that will help us in building a case to look elsewhere. Thanks.
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname
!
no logging buffered
no logging console
enable secret xxxx
!
memory-size iomem 25
ip subnet-zero
no ip source-route
no ip finger
ip domain-name
!
!
!
interface Serial0
 description T1 to ISP
 ip address xxx.136.124.162 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 keepalive 5
 no fair-queue
 no cdp enable
!
interface FastEthernet0
 description LAN
 ip address xxx.250.135.1 255.255.255.240 secondary
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 no cdp enable
!
ip nat inside source list 101 interface Serial0 overload
ip nat inside source static tcp 192.168.100.2 110 xxx.250.135.1 110 extendable
ip nat inside source static tcp 192.168.100.2 80 xxx.250.135.1 80 extendable
ip nat inside source static tcp 192.168.100.2 25 xxx.250.135.1 25 extendable
ip nat inside source static tcp 192.168.100.2 21 xxx.250.135.1 21 extendable
ip nat inside source static tcp 192.168.100.2 20 xxx.250.135.1 20 extendable
ip nat inside source static tcp 192.168.100.2 4125 xxx.250.135.1 4125 extendable
ip nat inside source static tcp 192.168.100.2 443 xxx.250.135.1 443 extendable
ip nat inside source static tcp 192.168.100.2 3389 xxx.250.135.1 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.136.124.161
no ip http server
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
!
line con 0
 password xxxx
 login
 transport input none
line aux 0
line vty 0 4
 password xxxx
 login
!
end
02-22-2005 07:07 PM
Looking at the Symantec firewall log, it is possible that the firewall is trying to perform a reverse DNS lookup on the source IP address. Maybe disabling DNS reverse lookup or setting up a host/arpa on the firewall will fix the problem:
162.124.136.xxx.IN-ADDR.ARPA. yyy.zzz.com.
yyy.zzz.com xxx.136.124.162
Regards
Mustafa
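As an added example (not from this thread or from either vendor), here is the check the firewall's "reverse address does not match" alert amounts to, forward-confirmed reverse DNS (IP -> PTR name -> A record must contain the IP), run against constructed sample records, plus the local host-entry workaround described in the reply. The addresses (203.0.113.x) and names (example.net) are placeholders standing in for the redacted xxx.136.124.162 and yyy.zzz.com, and the lookups are injected so it runs offline against the sample data instead of a real resolver.

```python
import ipaddress
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample records (placeholders, not the thread's real addresses).
# 203.0.113.162 plays the role of the router's Serial0 (NAT outside) address.
SAMPLE_PTR: Dict[str, str] = {
    "162.113.0.203.in-addr.arpa.": "gw.example.net.",    # forward record agrees
    "163.113.0.203.in-addr.arpa.": "mail.example.net.",  # forward record disagrees
}                                                        # .164 has no PTR at all
SAMPLE_A: Dict[str, Set[str]] = {
    "gw.example.net.": {"203.0.113.162"},
    "mail.example.net.": {"203.0.113.10"},
}

def sample_addr(name: str) -> Set[str]:
    """A-record lookup over the constructed sample zone."""
    return SAMPLE_A.get(name, set())

def reverse_name(ip: str) -> str:
    """Query name for the PTR record of an IPv4/IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def fcrdns_check(ip: str, ptr_lookup: Callable[[str], Optional[str]],
                 addr_lookup: Callable[[str], Set[str]]) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS. A failure here is a DNS consistency
    problem at the source address, not a NAT problem on the router."""
    qname = reverse_name(ip)
    name = ptr_lookup(qname)
    if name is None:
        return False, f"no PTR record for {ip} ({qname})"
    addrs = addr_lookup(name)
    if ip in addrs:
        return True, f"{ip} -> {name} -> {ip}"
    return False, f"{name} resolves to {sorted(addrs) or 'nothing'}, not {ip}"

def with_local_hosts(hosts: Dict[str, str], ptr_lookup, addr_lookup):
    """Consult a local name/address table (the 'host entry on the firewall'
    workaround) before falling back to the real lookups."""
    def ptr(qname: str) -> Optional[str]:
        for name, ip in hosts.items():
            if reverse_name(ip) == qname:
                return name
        return ptr_lookup(qname)
    def addr(name: str) -> Set[str]:
        return {hosts[name]} if name in hosts else addr_lookup(name)
    return ptr, addr

if __name__ == "__main__":
    for ip in ("203.0.113.162", "203.0.113.163", "203.0.113.164"):
        print(ip, fcrdns_check(ip, SAMPLE_PTR.get, sample_addr))
    ptr, addr = with_local_hosts({"fw.example.net.": "203.0.113.163"},
                                 SAMPLE_PTR.get, sample_addr)
    print("with host entry:", fcrdns_check("203.0.113.163", ptr, addr))
```

Only the .162 address passes as-is; .163 fails because its PTR name points elsewhere, and .164 fails for lack of any PTR, until a local host entry supplies a consistent pair.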
02-23-2005 06:00 PM
Thank you, Mustafa. We are trying to get the folks that manage the firewall to just allow our IP in, and that should solve the problem, but we are getting pushback from them on that... so I wanted to make sure that the config on our router was good, specifically the NAT statements we had, so that I can tell them that it's not our config but something else, and that the easiest way to resolve this is to allow us to come in by permitting our IP through the firewall. So thank you for your follow-up.
Steve