Send FTP traffic to one interface and rest to another interface

cbalmer
Level 1

I would like to send FTP traffic over our T1 line and all other traffic over a DSL connection. Our DSL connection is on F0/1 and our T1 is on Vlan1. NAT shows that FTP traffic is translated to the IP on Vlan1, but from there it appears that it doesn't go out, as FTP does not work. Web browsing works over F0/1. My config is attached.

show ip nat trans:

tcp x.x.x.70:49513 192.168.1.128:49513 x.x.x.6:80 x.x.x.6:80

tcp x.x.x.34:49752 192.168.1.128:49752 x.x.x.197:21 x.x.x.197:21

udp x.x.x.70:57767 192.168.1.128:57767 x.x.x.122:3544 x.x.x.122:3544

So it is translating, but it stops there. Is there something I need to change with routing?

17 Replies

devang_etcom
Level 7

I think your issue can be solved with the help of route maps, or, as you might say, policy-based routing:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

rate this post if it helps

regards

Devang

Edison Ortiz
Hall of Fame

You need to configure PBR, routing won't do it alone.

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data

route-map ftptraffic permit 10
 match ip address 101
 set ip next-hop [next hop T1 IP]

interface fa0/0
 ip policy ftptraffic

Please rate helpful posts.

Thanks

I tried that and it still does not work. Is the static route (ip route 0.0.0.0 0.0.0.0 FastEthernet0/1) overriding this?

Can you post the new router config?

Can you also turn on a debug against ACL 101 and see if the traffic is matching the route-map?

#debug ip packet 101 detail

In addition, change your NAT routine to a standard NAT and let the PBR I posted do its job. You are performing 2 PBRs.

I attached the new config and the debug information.

Based on the debug and config, this should work. My only suggestion is removing

set interface Vlan1

from the route-map command.

Post Edit:

I'm thinking the NAT is taking place before the PBR, let's do the following

access-list 103 permit tcp any any eq ftp

access-list 103 permit tcp any any eq ftp-data

I tried that and still a no go. Any other ideas?

Sorry to ask the obvious question, but is the T1 actually working? If you remove the PBR and change the default route to VLAN 1, can you connect to anything?

I found some discrepancies in the debug output:

1)

IP: s=x.x.x.70 (FastEthernet0/0)

Isn't .70 sourcing from F0/1?

2)

d=x.x.x.197 (FastEthernet0/1)

Isn't that VLAN 1?

.70 is the IP on F0/1

.197 is the IP of the ftp site being accessed.

The T1 does work if I remove all PBR and have just one NAT statement to the T1 along with changing the static route (0.0.0.0 0.0.0.0) to the T1.

The debug you posted is not showing this correctly. It's showing .70 is sourcing from Fa0/0 and .197 corresponding to Fa0/1

000127: *Aug 19 16:44:14.487 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB

000128: *Aug 19 16:44:14.491 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward

000129: *Aug 19 16:44:14.491 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN

000130: *Aug 19 16:44:17.399 UTC: IP: tableid=0, s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), routed via FIB

000131: *Aug 19 16:44:17.399 UTC: IP: s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), len 40, sending

000132: *Aug 19 16:44:17.399 UTC: TCP src=50177, dst=21, seq=582833431, ack=0, win=0 RST

000133: *Aug 19 16:44:17.483 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB

000134: *Aug 19 16:44:17.483 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward

000135: *Aug 19 16:44:17.483 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN

000136: *Aug 19 16:44:23.483 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB

000137: *Aug 19 16:44:23.483 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward

000138: *Aug 19 16:44:23.483 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN

000139: *Aug 19 16:44:44.487 UTC: IP: tableid=0, s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), routed via FIB

000140: *Aug 19 16:44:44.487 UTC: IP: s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), len 40, sending

000141: *Aug 19 16:44:44.487 UTC: TCP src=50179, dst=21, seq=209448448, ack=0, win=0 RST

As you can see, once you try to use port 21, it gets forwarded by the PBR, the rest gets routed via FIB.

The packet is leaving the interface, now the question is the return packet.

Ah!

What about that ip access-group 151?

I don't see you allowing any FTP traffic back in:

access-list 151 remark Inbound F0/1

access-list 151 remark SDM_ACL Category=17

access-list 151 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 151 permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 151 permit udp any host x.x.x.70 eq non500-isakmp

access-list 151 permit udp any host x.x.x.70 eq isakmp

access-list 151 permit esp any host x.x.x.70

access-list 151 permit ahp any host x.x.x.70

access-list 151 deny ip 192.168.1.0 0.0.0.255 any

access-list 151 permit udp any eq domain host 66.93.3.70

access-list 151 permit icmp any host x.x.x.70 echo-reply

access-list 151 permit icmp any host x.x.x.70 time-exceeded

access-list 151 deny ip 10.0.0.0 0.255.255.255 any

access-list 151 deny ip 172.16.0.0 0.15.255.255 any

access-list 151 deny ip 192.168.0.0 0.0.255.255 any

access-list 151 deny ip 127.0.0.0 0.255.255.255 any

access-list 151 deny ip host 255.255.255.255 any

access-list 151 deny ip host 0.0.0.0 any

access-list 151 permit icmp any host x.x.x.70 unreachable

access-list 151 deny ip any any log

It isn't showing up in the log as being stopped by ACL 151.

If you email me, I can just send you my exact config (minus passwords) with the debug information so you can see everything without me editing all the IPs and pieces of the config. My email is listed in the posting header.

Before going into the email exchange, please remove the ip access-group 151, for troubleshooting purposes and reinstate the PBR I posted.

Let me know if it works. If it does, I can look over the ACL better.

You only have a log on the last deny. I believe it's denying the packet before hitting the last entry. Remember, ACLs are read sequentially and yours have denies in the middle. Not an easy flow, there.
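Two points in the replies above are easy to check mechanically: the route-map's match list decides which flows get `set ip next-hop` and which are routed via FIB, and an inbound ACL is read top to bottom with the first matching entry winning, so a `log` keyword on the last entry says nothing about packets dropped by an earlier deny. The following Python is an added example written for this thread; it is not code from the posts or from Cisco. It parses the two ACLs exactly as posted, with the masked `x.x.x.*` addresses replaced by the constructed stand-in `203.0.113.*` (RFC 5737 documentation space), and walks them for constructed packets modelled on the `show ip nat trans` and debug lines in the thread. It assumes no stateful inspection or `established` entries on F0/1 (none appear on the page), handles only the `eq` port operator, and treats the route-map as the plain `permit 10 / match ip address 101` shown in the first reply.

```python
"""Cisco-style extended ACL evaluation: top to bottom, first match wins,
implicit deny (never logged) after the last entry.  Added example for this
thread; x.x.x.* from the posts is replaced by the stand-in 203.0.113.*."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}

# proto: "ip", "tcp", "udp", "icmp", "esp" or "ahp"; icmp_type e.g. "echo-reply"
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type",
                    defaults=(0, 0, ""))
Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type log text")

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(tok[i + 1]))           # IOS wildcard mask
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wild))    # -> ordinary netmask
    return ipaddress.ip_network((tok[i], mask), strict=False), i + 2

def _port(tok, i):
    """Only 'eq' is handled (range/gt/lt do not occur in the thread)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """access-list N {permit|deny} PROTO SRC [eq P] DST [eq P] [icmp-type] [log]"""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":                              # remarks are not entries
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = tok[i:]                                      # [icmp-type] [log]
        aces.append(Ace(tok[2], tok[3], src, sport, dst, dport,
                        next((r for r in rest if r != "log"), None),
                        "log" in rest, line))
    return aces

def _matches(a, p):
    return ((a.proto == "ip" or a.proto == p.proto)
            and ipaddress.ip_address(p.src) in a.src
            and ipaddress.ip_address(p.dst) in a.dst
            and (a.sport is None or a.sport == p.sport)
            and (a.dport is None or a.dport == p.dport)
            and (a.icmp_type is None or a.icmp_type == p.icmp_type))

def evaluate(aces, p):
    """(entry number, action, logged) of the first match; implicit deny is never logged."""
    for n, a in enumerate(aces, 1):
        if _matches(a, p):
            return n, a.action, a.log
    return None, "deny", False

# Match list of the route-map from Edison Ortiz's first reply.
ACL_101 = parse_acl("""
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data""")

# Inbound ACL on F0/1 as posted (x.x.x.70 -> 203.0.113.70; 66.93.3.70 kept as posted).
ACL_151 = parse_acl("""
access-list 151 remark Inbound F0/1
access-list 151 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit udp any host 203.0.113.70 eq non500-isakmp
access-list 151 permit udp any host 203.0.113.70 eq isakmp
access-list 151 permit esp any host 203.0.113.70
access-list 151 permit ahp any host 203.0.113.70
access-list 151 deny ip 192.168.1.0 0.0.0.255 any
access-list 151 permit udp any eq domain host 66.93.3.70
access-list 151 permit icmp any host 203.0.113.70 echo-reply
access-list 151 permit icmp any host 203.0.113.70 time-exceeded
access-list 151 deny ip 10.0.0.0 0.255.255.255 any
access-list 151 deny ip 172.16.0.0 0.15.255.255 any
access-list 151 deny ip 192.168.0.0 0.0.255.255 any
access-list 151 deny ip 127.0.0.0 0.255.255.255 any
access-list 151 deny ip host 255.255.255.255 any
access-list 151 deny ip host 0.0.0.0 any
access-list 151 permit icmp any host 203.0.113.70 unreachable
access-list 151 deny ip any any log""")

def pbr_decision(flow):
    # route-map ftptraffic permit 10 / match ip address 101: permit -> next-hop, else FIB
    return "set ip next-hop (T1)" if evaluate(ACL_101, flow)[1] == "permit" else "routed via FIB"

if __name__ == "__main__":   # constructed flows mirroring the 'show ip nat trans' output
    for f in (Packet("tcp", "192.168.1.128", "203.0.113.6", 49513, 80),
              Packet("tcp", "192.168.1.128", "203.0.113.197", 49752, 21)):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto}: {pbr_decision(f)}")
    print(evaluate(ACL_151, Packet("tcp", "203.0.113.197", "203.0.113.70", 21, 50179)))
```

Running it reproduces the classification in the debug: the port 21 flow is the only one the route-map picks up, port 80 and the UDP flow fall through to the FIB. For the return leg, the debug shows the FTP SYN leaving via Vlan1 but with source x.x.x.70, the F0/1 address, so the server's reply arrives on F0/1 and is evaluated against ACL 151. A reply from a public server address matches none of the permits and lands on the final `deny ip any any log`, so it would show up in the log; a reply whose source falls in one of the RFC 1918 or bogon ranges is stopped by entries 11 to 16, none of which carry `log`, which is the silent-drop case the previous post warns about. The evaluator is generic, so any other packet can be checked the same way before the ACL is reapplied.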
