Thanks to everyone who participated and shared the link in some way. Contest #1 is now closed and here is the solution:
- Wrong destination address in the ACL. Irrespective of the traffic flow, when using ACLs to configure policies for ZBF, you must always match the real, untranslated (inside local, outside global) addresses.
- The ‘IN_TO_OUT_CMAP’ should be “match-any” instead of “match-all”.
- The ‘IN_TO_OUT_PMAP’ policy-map should have the “inspect” action for the ‘IN_TO_OUT_CMAP’ class and “drop” for the ‘class-default’ class.
- Wrong NAT domains specified on the interfaces. Fa0/0 should have “ip nat inside” and Fa0/1 should have “ip nat outside” configured.
- The NAT rules themselves are syntactically correct, but they are for NVI-based NAT (ip nat enable) rather than traditional NAT (ip nat inside/outside). Because NVI-based NAT may not work when ZBF is configured (depending on the IOS version), you should stick with traditional NAT. In that case, the NAT rules should be:
ip nat inside source static 192.168.12.2 192.168.13.2
ip nat outside source static 192.168.13.3 192.168.12.3 add-route
The “add-route” option is one of the most important things here because of the NAT order of operation. When traffic flows from the inside to the outside, routing takes place before NAT. Therefore, if the router doesn’t know how to reach the outside local address (192.168.12.3), the routing lookup fails before NAT ever gets a chance to translate it. You can refer to this INE article for more information.
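To show how the fixes above fit together, here is one assembled ZBF plus traditional NAT configuration. This is an added example, not the contest’s posted solution file. Everything the post does not state is assumed: the zone names INSIDE and OUTSIDE, the ACL name IN_TO_OUT_ACL, the router’s interface addresses 192.168.12.1/24 and 192.168.13.1/24, and the use of a single ACL match in the class-map (the contest’s class-map presumably had several match lines, which is where match-any versus match-all actually makes a difference).

```cisco
! Added example (not the contest solution file). Assumed names: zones INSIDE/OUTSIDE,
! ACL IN_TO_OUT_ACL, router addresses 192.168.12.1/24 (Fa0/0) and 192.168.13.1/24 (Fa0/1).
!
! 1. The ACL matches the real, untranslated addresses:
!    inside local source (192.168.12.2) to outside global destination (192.168.13.3).
ip access-list extended IN_TO_OUT_ACL
 permit ip host 192.168.12.2 host 192.168.13.3
!
! 2. match-any: a packet is classified when it satisfies any match line.
!    With match-all and several mutually exclusive match lines nothing would ever match.
class-map type inspect match-any IN_TO_OUT_CMAP
 match access-group name IN_TO_OUT_ACL
!
! 3. inspect the interesting traffic; drop everything else.
!    "log" on the drop is optional but makes unexpected drops visible when troubleshooting.
policy-map type inspect IN_TO_OUT_PMAP
 class type inspect IN_TO_OUT_CMAP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN_TO_OUT_PMAP
!
! 4. Traditional NAT domains (ip nat inside/outside), not NVI (ip nat enable).
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface FastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
!
! 5. Static NAT. add-route installs a host route for the outside local address
!    192.168.12.3 so the routing lookup that happens before NAT (inside to outside)
!    can forward the packet instead of dropping it as unreachable.
ip nat inside source static 192.168.12.2 192.168.13.2
ip nat outside source static 192.168.13.3 192.168.12.3 add-route
```

After applying this, “show ip nat translations” should list both static entries, “show ip route” should show the host route that add-route installed for 192.168.12.3, and “show policy-map type inspect zone-pair IN_TO_OUT” should show sessions being created under IN_TO_OUT_CMAP once the inside host starts a connection; traffic that only ever hits class-default indicates the ACL is matching the wrong (translated) addresses.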
Points like the last one are exactly why it may be necessary to lab the scenarios presented in these contests. GNS3 is a good way to go. You can download the working configuration for this contest here: Contest #1 solution.
There were no winners in this contest, but two people – Mr Sturvs and Olu – were close. In good faith, we will share the airtime between them.