Solution to Contest #1 – Cisco IOS ZBF and NAT. Winners announced

Posted: July 1, 2015 in contest solutions
Tags: , , , , , , , ,

Thanks to everyone that participated and shared the link in some way. Contest #1 is now closed and here is the solution:

  1. Wrong destination in the ACL. Irrespective of the traffic flow, when using ACLs to configure policies for ZBF, you must always match the real untranslated (inside local, outside global) addresses.
  2. The ‘IN_TO_OUT_CMAP’ should be “match-any” instead of “match-all”.
  3. The ‘IN_TO_OUT_PMAP’ policy-map should have the “inspect” action for the ‘IN_TO_OUT_CMAP’ class and “drop” for the ‘class-default’ class.
  4. Wrong NAT domains specified on the interfaces. Fa0/0 should have “ip nat inside” and Fa0/1 should have “ip nat outside” configured.
  5. Even though these NAT rules are correct, they are for NVI-based NAT (ip nat enable) and not traditional NAT (ip nat inside/outside). Because NVI-based NAT may not work when ZBF is configured (depending on the IOS version), then you should stick with traditional NAT. In that case, the NAT rules should be:
    ip nat inside source static
    ip nat outside source static add-route

    The “add-route” option is one of the most important things here because of the NAT order of operation. When traffic is flowing from the inside to the outside, routing takes place before NAT. Therefore if the router doesn’t know how to reach the outside local address (, routing will fail. You can refer to this INE article for more information.

Especially because of something like the last point, it may be necessary to lab the scenarios presented in these contests. GNS3 is a good way to go. You can download the working configuration for this contest here: Contest #1 solution.

There were no winners in this contest, but two people – Mr Sturvs and Olu – were close. Out of good faith, we will share the airtime between them.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s