3 Replies Latest reply on Feb 20, 2013 1:53 PM by noor

    4430, NAT dropping packets when internal server sending ack back to source

    woohong New Member

      Hello, I am having an issue with an Adtran 4430. We have a Windows 2008 R2 server; I have created NAT for RDP, HTTPS, SSL and such. But when I try to connect to it externally the packets get dropped. I have tested the server internally and it works fine. Wireshark shows traffic is coming through the NAT and going to the server and the server sending it back, but it looks like the router drops the packet. I have two internet connections: inbound traffic is coming in from XO, all internet traffic outbound going out of a Comcast connection. I only seem to have issues with the Windows 2008 servers. I have other servers on the network (Server 2003) that work fine. Currently I have SBS 2003 running and it works fine, and I am trying to replace that with a 2008 server. Firewall is disabled on the local 2008 server and I don't have a sniffer to figure out where the packets are going. But logically it seems the Adtran is dropping the packet. Any help would be greatly appreciated.



        • Re: 4430, NAT dropping packets when internal server sending ack back to source

          woohong - Based on the description of your setup, I believe the issue is that the port forward is coming in through the XO connection correctly, but the response is being sent back out the Comcast connection. The RPF check on the firewall is more than likely dropping the return traffic. There are a couple of steps you can take to resolve this issue:


          1. If you would prefer that your port forwarding return traffic use the XO connection instead of the Comcast connection, you will need to configure a route-map on the LAN interface matching the return traffic and specifying the XO connection as the next-hop. The document below explains how to set up a route-map:


          Configuring Policy Based Routing in AOS


          2. You will also need to disable RPF check on the access-policies/security zones that are assigned to your WAN interfaces. This can only be done in the CLI. The command syntax is as follows:


          router(config)# no ip policy-class <Policy-class NAME> rpf-check


          If the above suggestions do not work, please reply to this post with your configuration. Please remember to edit any information that may be sensitive to your network. I will be more than happy to take a look at the configuration.


          Please do not hesitate to let us know if you have any questions.




          1 of 1 people found this helpful
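The asymmetric return path the reply describes, as an added example that is not part of this thread or of ADTRAN's code: a small Python model of a dual-WAN NAT router with a port forward, a policy route on the LAN interface and a reverse-path check. Interface names, addresses (RFC 5737 ranges), the port forward and the reverse-path rule (a NATed session's reply must leave on the WAN interface the session arrived on) are all constructed for the illustration and simplify what AOS actually does. The three runs correspond to the poster's setup, the route-map fix from step 1, and rpf-check disabled as in step 2.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface names and addresses are constructed for this example (RFC 5737 ranges).
LAN, XO, COMCAST = "eth 0/0", "eth 0/1", "eth 0/2"
PUBLIC_IP = {XO: "203.0.113.10", COMCAST: "198.51.100.10"}
SERVER = "192.168.1.10"          # internal Windows server
CLIENT = "192.0.2.50"            # external RDP client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str


class DualWanRouter:
    """Minimal stateful NAT router: longest-prefix routing, an optional
    policy route on the LAN interface, and a reverse-path check that
    requires a NATed session's reply to leave on the WAN it arrived on."""

    def __init__(self, rpf_check=True, pin_return_to_xo=False):
        self.rpf_check = rpf_check
        self.routes = [(ip_network("0.0.0.0/0"), COMCAST),      # default route via Comcast
                       (ip_network("192.168.1.0/24"), LAN)]
        # Policy route (hypothetical): the server's replies from TCP/3389 leave via XO.
        self.policy_routes = ([(lambda p: p.src == SERVER and p.sport == 3389, XO)]
                              if pin_return_to_xo else [])
        self.port_forwards = {(PUBLIC_IP[XO], 3389): (SERVER, 3389)}
        self.sessions = {}   # (client, sport, server, dport) -> WAN interface of ingress

    def lookup_route(self, dst):
        addr = ip_address(dst)
        candidates = [(n, e) for n, e in self.routes if addr in n]
        return max(candidates, key=lambda c: c[0].prefixlen)[1]

    def egress_for(self, pkt):
        # Policy routes are consulted before the routing table, LAN ingress only.
        if pkt.ingress == LAN:
            for match, egress in self.policy_routes:
                if match(pkt):
                    return egress
        return self.lookup_route(pkt.dst)

    def forward(self, pkt):
        # Inbound on a WAN interface: apply the port forward and record the session.
        if pkt.ingress in PUBLIC_IP:
            target = self.port_forwards.get((pkt.dst, pkt.dport))
            if target is None:
                return "dropped: no port forward"
            self.sessions[(pkt.src, pkt.sport, *target)] = pkt.ingress
            return f"forwarded to {target[0]}:{target[1]} via {LAN}"
        # Outbound from the LAN: match the reply to its session, then route it.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        wan_in = self.sessions.get(key)
        if wan_in is None:
            return "dropped: no matching session"
        egress = self.egress_for(pkt)
        if self.rpf_check and egress != wan_in:
            return f"dropped: rpf-check ({egress} != {wan_in})"
        return f"forwarded as {PUBLIC_IP[wan_in]}:{pkt.sport} via {egress}"


def simulate_rdp(rpf_check=True, pin_return_to_xo=False):
    """Send a client SYN in through XO and the server's SYN/ACK back out;
    return the router's verdict on the reply."""
    router = DualWanRouter(rpf_check, pin_return_to_xo)
    syn = Packet(CLIENT, PUBLIC_IP[XO], 51000, 3389, XO)
    assert router.forward(syn).startswith("forwarded")
    synack = Packet(SERVER, CLIENT, 3389, 51000, LAN)
    return router.forward(synack)


if __name__ == "__main__":
    print("default routing, rpf-check on :", simulate_rdp())
    print("policy route to XO, rpf on    :", simulate_rdp(pin_return_to_xo=True))
    print("no policy route, rpf-check off:", simulate_rdp(rpf_check=False))
```

The first run reproduces the poster's symptom: the SYN is forwarded to the server, but its SYN/ACK follows the default route out Comcast, fails the reverse-path check and never reaches the client, which is exactly what a capture on the LAN side would show. The third run shows why the reply pairs the two steps: with the check disabled but no policy route, the reply leaves Comcast carrying XO's public address as its source, and an upstream that performs source-address filtering may still discard it.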