Shawn,
The log is not detailed. telnet should be:

    permit tcp host 10.7.8.8 eq 23 host 7.56.0.6 gt 1024

But your ACL for the route-map should be:

    permit ip host 10.7.8.8 host 7.56.0.6

Your NAT:

    ip nat inside source static tcp 10.7.8.8 23 7.56.0.1 23 route-map ACL reversible

Typically, unless you are trying to do policy NAT for overloading an address for several ports, which I don't see below, you would just do all IP and use an interface ACL to filter the traffic.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Mesiatowsky
Sent: Monday, May 18, 2009 3:22 PM
To: 'OSL Security'
Subject: [OSL | CCIE_Security] lab 7.2 and policy nat

I was playing around with policy NAT. I tried several variations to really understand policy NAT. I was having trouble setting up a static NAT with a route-map checking outside-to-inside traffic using the reversible keyword. It seems that if you do not use the reversible keyword, all out->in traffic is allowed and is not checked against the route-map. If you use the reversible keyword, then the route-map is checked. However, for out->in traffic, it seems that when the route-map is checked, it only checks the IP protocol, and not the actual port number. I tried all variations of using port numbers, but none worked.

In the ACL for the route-map, I also put in a "permit tcp any any log" at the end, and when an inbound telnet session was created I saw the following in the log:

    May 18 14:27:28.857: %SEC-6-IPACCESSLOGP: list r8anyacl permitted tcp 10.7.8.8(0) -> 7.56.0.6(0), 1 packet

As you can see, no port numbers are seen, only the IP protocol number (in this case tcp). So the only way I can get an inbound TCP session from R6 to R8 on port 23, outside->inside, is by allowing all TCP traffic:

    ip access-list extended r8testacl
     permit tcp host 10.7.8.8 host 7.56.0.6
    route-map r8test
     match ip address r8testacl
    ip nat inside source static 10.7.8.8 7.56.0.1 route-map r8test reversible

Am I missing anything here, or do inbound static NATs via route-maps not include port numbers and only include protocol numbers?

Thanks
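The configuration below is an added example, not posted by either participant in the thread. It puts together the approach Tyson describes: the route-map ACL matches the host pair on IP only (since the reversed out->in check carries no port numbers, as Shawn's log shows), and the telnet restriction moves to an ACL on the outside interface. Addresses (10.7.8.8 inside local, 7.56.0.1 inside global, 7.56.0.6 outside host) come from the thread; the interface names and the ACL/route-map names are assumed.

```cisco
! Added example (not from the thread). Addresses are the thread's;
! interface names, ACL names and route-map names are assumed.
!
! Route-map ACL: match the whole host pair, no ports. An "eq 23" here
! would never match on the reversed out->in check, which logs ports as (0).
ip access-list extended R8-NAT-ACL
 permit ip host 10.7.8.8 host 7.56.0.6
!
route-map R8-NAT permit 10
 match ip address R8-NAT-ACL
!
! Static translation: inside local 10.7.8.8 <-> inside global 7.56.0.1.
! "reversible" makes outside->inside traffic consult the route-map as well.
ip nat inside source static 10.7.8.8 7.56.0.1 route-map R8-NAT reversible
!
! Port filtering on the outside interface. An inbound ACL is evaluated
! before the outside->inside translation, so the destination to match
! is the inside global address 7.56.0.1, not 10.7.8.8.
ip access-list extended OUTSIDE-IN
 permit tcp host 7.56.0.6 host 7.56.0.1 eq telnet
 deny   ip any any log
!
interface GigabitEthernet0/0
 description outside (assumed interface name)
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description inside (assumed interface name)
 ip nat inside
```

Two points to keep in mind when adapting it: OUTSIDE-IN only permits the single telnet flow from the thread, so any other traffic arriving on the outside interface (including return traffic for sessions the inside hosts open) needs its own entries; and the trailing "deny ip any any log" gives a visible record of what the interface ACL is dropping, which is the place to look when a translation appears to work but a session still does not come up.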
