All,

I need some help troubleshooting a connectivity issue. Everything works fine except for this one device.

1) If I see a NAT entry for a specific ip address (1921.68.1.17) when I run "sh ip nat translations", does that mean the fw allowed it and it went to the destination? ie:  passed through the firewall

sh ip nat translations inc 192.168.1.17
udp 96.229.67.41:3060  192.168.1.17:3060 66.222.222.222:3011 66.222.222.222:3011

2) How can I log drops ONLY for a specific ip address  (192.168.1.17)?

The application needs to speak outbound only on port 3011 and I believe my outbound config allows everything.

class-map type inspect match-any IN-TO-OUT-ALLOW-ALL-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
 

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-ALLOW-ALL-CLASS
  inspect
 class class-default
  drop log
 

zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
 

interface GigabitEthernet0/0
 description INSIDE_LAN_192_168-1_0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
 

interface GigabitEthernet0/1
 description OUTSIDE_INTERNET
 bandwidth 51200
 ip address x.x.x.x 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 crypto map vpnmap