Is this correct? "For outside to inside flows, CBAC, ZBF operate after NAT; therefore in ZBF, the class maps should map the inside addresses."
E.g., an inside 10.1.1.100 TACACS server is statically NAT'ed on the outside to 4.8.24.100. Outside to Inside zone should match on the inside local address. (Vol 2 Lab 13)

ip access-list ext TACACS-Server
 !-- Use pre-NAT, i.e. inside local address
 !-- ZBF operates after NAT undoes the translation
 !-- Right?
 permit tcp any host 10.1.1.100 eq tacacs
 !---
 !--- WRONG: permit tcp any host 4.8.24.100 eq tacacs
class-map type inspect cm.TACACS
 match access-group name TACACS-Server
policy-map type inspect outside->inside
 !--- allow inbound connections to TACACS+
 class type inspect cm.TACACS
  inspect

Richard
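The configuration from the post placed in a complete zone-pair, with the commands that show which address the firewall actually classified on. This is an added example, not part of the original post or the lab workbook; the interface names, the zone-pair name zp.out-in and the explicit class-default drop are assumptions, and it assumes the order of operations the post describes (NAT un-translation before ZBF classification).

```cisco
! Added example. Interface and zone-pair names are assumptions.
! Static NAT from the post: inside local 10.1.1.100 <-> inside global 4.8.24.100
ip nat inside source static 10.1.1.100 4.8.24.100
!
zone security inside
zone security outside
!
interface GigabitEthernet0/0
 description inside segment (assumed interface)
 ip nat inside
 zone-member security inside
!
interface GigabitEthernet0/1
 description outside segment (assumed interface)
 ip nat outside
 zone-member security outside
!
! ACL written against the inside local address, as in the post
ip access-list extended TACACS-Server
 permit tcp any host 10.1.1.100 eq tacacs
!
class-map type inspect match-all cm.TACACS
 match access-group name TACACS-Server
!
policy-map type inspect outside->inside
 class type inspect cm.TACACS
  inspect
 ! Everything else from outside is dropped and logged
 class class-default
  drop log
!
zone-pair security zp.out-in source outside destination inside
 service-policy type inspect outside->inside
!
! Verification, from exec mode, after an outside client opens TCP/49
! to 4.8.24.100:
!   show ip nat translations
!   show policy-map type inspect zone-pair zp.out-in sessions
! The NAT table shows the 4.8.24.100 <-> 10.1.1.100 mapping; the session
! entry under class cm.TACACS shows the destination address the firewall
! matched. No session plus drop log messages from class-default means
! the ACL was written against the wrong address.
```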
