I believe everyone who answered was correct with regards to the NAT behaviour. With a single outside address being the entire global outside ( NAT with overload, essentially ) or even with a single static NAT to the web server, any IP with a destination of the public address would immediately go through the NAT process and be directed to the web server.

With NAT turned off, and policy routing enabled, the situation is a little bit different. remember that policy routing takes a packet received on the configured interface, and operates on it prior to that packet entering the regular routing process. call it a "pre-routing process" if you will, or routing process sub 0, as opposed to the regular routing process sub 1.

I.e., with policy routing enabled, if an inbound packet is destined for someplace other than the interface on which it is received, it will first go through the route map, and if there is no match, it will fall into the regular routing process.

but what if the destination address of that packet is the interface itself? ah! no routing because the packet has reached its destination. the router hands that packet to the appropriate process ( in this case telnet ) and responds accordingly.

hope you all enjoyed the puzzle.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chuck Larrieu
Sent: Sunday, August 12, 2001 9:06 PM
To: [EMAIL PROTECTED]
Subject: Friday Follies - IP NAT behaviour [7:15822]

so I'm late. so sue me ;->

last Friday while I was in the office I got to chatting with one of the other SE's. He had a problem with his home setup and wanted some help. It was an interesting enough problem that I thought some of you CCNA's, some of you CCNP candidates, might enjoy taking a crack at it.

this person has a DSL connection to the internet. He has a single assigned IP address. He is using a Cisco router as his firewall, in this fashion:

    internet---DSL_router--Cisco_router--web_server
                           E0        E1

life is good.

then he starts to fool around with NAT. He puts a private IP on his web server, and he runs NAT on the Cisco router. Again, life is good. folks can reach his web server from the net.

but now he wants to telnet from the net ( i.e. from work ) into the Cisco router. He cannot do so. instead he hits his web server, where telnet is not running as a service.

so he disables NAT. he configures policy routing, and places the policy statement on the correct interface. tries to telnet into the Cisco router. He can do so. however, now he cannot reach the web server from the net. if he enables the http server on the Cisco router, he gets the Cisco router login screen from his browser.

now the question is, why? that is, what is the reason that the two situations occur? with NAT enabled, he cannot telnet to the router. with NAT disabled, he cannot browse the web server, even with policy routing in place.

you may assume that all configurations are correct, both for NAT and for policy routing. At least that's what the two CCIE's who joined the discussion told us ;->

answers late Monday.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15973&t=15822
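
The NAT half of the puzzle, as an added configuration example that is not part of the original messages: a whole-address static translation (commented out) next to a port-specific one that forwards only TCP/80 and leaves every other port on the public address to the router itself. All addresses are constructed documentation values, E0 is assumed to be the outside interface and E1 the inside one, and the VTY access list is an added assumption about where "work" connects from.

```cisco
! Constructed addresses (documentation ranges, not from the thread):
!   203.0.113.10   the single public address, on Ethernet0
!   192.168.1.10   the web server's private address, behind Ethernet1
!   198.51.100.0/24  the network the owner telnets in from
interface Ethernet0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Whole-address static NAT, the case the thread describes: every packet
! addressed to the public IP, on any port, is translated and forwarded to
! the web server, so telnet to the public IP never reaches the router.
! It also exposes every listening port on the web server to the internet.
! ip nat inside source static 192.168.1.10 203.0.113.10
!
! Port-specific static NAT: only TCP/80 arriving on Ethernet0 is translated
! to the web server. Anything else addressed to the interface has no
! translation entry, is treated as traffic for the router itself, and is
! handed to the local process (telnet on the VTY lines).
ip nat inside source static tcp 192.168.1.10 80 interface Ethernet0 80
!
! With the router's own telnet service reachable from outside again,
! limit who may open a VTY session.
access-list 10 permit 198.51.100.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
```

On the router, `show ip nat translations` lists the single TCP/80 entry, which confirms that no other port on the public address is being forwarded.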