All,
I need some help troubleshooting a connectivity issue. Everything works fine except for this one device.
1) If I see a NAT entry for a specific IP address (192.168.1.17) when I run "sh ip nat translations", does that mean the fw allowed it and it went to the destination? i.e. passed through the firewall
sh ip nat translations | inc 192.168.1.17
udp 96.229.67.41:3060 192.168.1.17:3060 66.222.222.222:3011 66.222.222.222:3011
2) How can I log drops ONLY for a specific ip address (192.168.1.17)?
The application needs to speak outbound only on port 3011 and I believe my outbound config allows everything.
class-map type inspect match-any IN-TO-OUT-ALLOW-ALL-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-ALLOW-ALL-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
interface GigabitEthernet0/0
 description INSIDE_LAN_192_168-1_0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description OUTSIDE_INTERNET
 bandwidth 51200
 ip address x.x.x.x 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 crypto map vpnmap