3941 Views, 0 Helpful, 24 Replies

Cisco 877 NAT, what am I missing?

1StopBloke
Level 1

Hello,

I'm trying to configure a simple static NAT rule for a webserver on my 877 router but it's not working and I'm not sure why.

I have a nat overload rule based on a route-map for internet access that works fine, so the internet (at least outbound) appears to work.

The router can also ping/telnet to the port on the webserver that I need, so the path is in place.

Essentially the nat rules are:

ip nat inside source static tcp 172.31.33.3 80 dialer0 80

ip nat inside source static tcp 172.31.33.3 443 dialer0 443

I have also tried using the actual external Ip address in place of 'dialer0' but to no avail.

I can see the actual NAT translations appear in 'show ip nat translations'.

The default gateway for 172.31.33.3 is actually the router, 172.31.33.2, so it's only 1 hop. I have an allow any rule on the dialer interface at the moment for testing, there is no ACL on the vlan interface (with ip 172.31.33.2).

Is there something I am missing? How best to debug this? Are there NAT debug commands (I couldn't see any)?

24 Replies

cadet alain
VIP Alumni

Hi,

You should do this:

ip nat inside source static tcp 172.31.33.3 80 dialer0 80

ip nat inside source static tcp 172.31.33.3 443 dialer0 443

Concerning the debug: debug ip nat

Regards.

Alain

Don't forget to rate helpful posts.

My apologies, that's actually a typo as I re-wrote the command rather than copying them.

I've updated the original post. I'll investigate the nat debugging and post some results.

Well, upon using the debug command it seemed the NAT rule is working; it's just not communicating properly with its intended destination.

I tested out connecting up a device onto the router with a subnet/vlan unique to that device and the nat rule worked fine to that, I could access it externally.

So now I'm left with working out why it's not connecting. The 172.31.33.3 address is routed to a different router first. I can access both the other router and the destination IP/ports from the NATing router. My only ACL on the NATing router that is in place currently is a permit ip any any rule on the external interface and a NAT overload route-map group for internet access.

Could it be ACLs on the original router? (There are a few on there: NAT overload rules and outbound/inbound restrictions on the dialer interface. I'm moving it over to the new router.) Do I need to add an ACL somewhere, something like a 'permit tcp any host 172.31.33.3 80', on the old router?

How do I best debug this?

Thank you.

Do the other routers involved in this have a route to your subnet?

Eugen

Yeah, I can ping from the webserver to both routers, and other subnets on both routers. I also tried setting up a NAT rule to another subnet on the 2nd router but the same thing happened (and there is proper connectivity there).

It's something to do with NATing to that other router it seems. Any debugging tips?

If I understand correctly, your set up is like this:

WebServer(your local LAN) -->router-->router-->router-->PC(destination LAN). Is this assumption correct?

Not quite, it's like this (where the dot is the interface it comes in/goes out on and the @ is the nat rule):

WebServer-->Subint.Router.Subint-->VlanIP.Router@.ADSL(Static IP)--->Internet--->RemoteClient

So it should go, for example:

Client types in http://1.2.3.4

1.2.3.4-->External ADSL Interface (Rtr1)-->NAT 172.31.33.3--->Route to 172.31.14.1 (int on Rtr2)--->Route to 172.31.33.1 (subint on Rtr2)--->Send to webserver

You have only 2 routers between server and Internet, is that correct?

I assume that all subnets have /24 mask, is that correct?

Your server has an ip in 172.31.33.0 subnet with default gateway of 172.31.33.1, is that correct?

Yes, all subnets are /24.

And yes, that's the IP and gateway setup I'm using.

2 Routers total

Does this look like your set up?

Almost, the 172.31.33.3 address isn't actually on the interface on the ADSL router; that's the webserver IP address (instead of 172.31.33.10). I may have misled you above as I stated that it NATs to that in the diagram, but I meant more that's where the NAT rule is. The inside interface of the ADSL router is 172.31.14.248 (the vlan 1 IP address), which is how it talks to the 2nd router.

So in that diagram if you replace 172.31.33.3 with 172.31.14.248 and replace 172.31.33.10 with 172.31.33.3 then that's the setup, with the NAT rule on the ADSL router.

I am able to NAT across an intermediary router right?

Ok.

Try this on ADSL

ip route 0.0.0.0 0.0.0.0 dialer0 (or outside int)

ip route 172.31.33.0 255.255.255.0 172.31.14.1

ip nat source static 172.31.33.3 x.x.x.x (public ip on outside int)

On LAN router

ip route 0.0.0.0 0.0.0.0 172.31.14.248

Yes the outside interface is the dialer interface and the inside interfaces are the VLANs on the router

eugen barticel wrote:

Ok.

Try this on ADSL

ip route 0.0.0.0 0.0.0.0 dialer0 (or outside int)

ip route 172.31.33.0 255.255.255.0 172.31.14.1

ip nat source static 172.31.33.3 x.x.x.x (public ip on outside int)

On LAN router

ip route 0.0.0.0 0.0.0.0 172.31.14.248

Ah, I see what you did there...

Yes this actually makes it work, once I add the default route on the other router (everything else was always in place). It would seem the packets are not going in the same path as they are going out.

However, the whole reason we got this new router is so that we could set the default route on the other router to be our production ASA (this 2nd router is a redundancy link and will be used for VPN), so this doesn't suit my needs.

However as we now know the problem how can I get around it?

Could I, for example, change the NAT rule to be something like 172.31.34.3, make a subinterface on the 2nd router with that IP, mark it as 'ip nat outside', then NAT from 172.31.34.3 to 172.31.33.3 on the 2nd router? So you basically nat to hop to the first router, then nat to hop to the webserver. Is my logic off here?

Which router are you going to use for VPN? ADSL or LAN?

If you don't want a default route on LAN router you can create a more specific static route

ip route 172.31.33.3 255.255.255.255 172.31.14.248 and then use acl to permit or block other ip addresses
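The two posts above pin the problem on the return path: the static NAT on the ADSL router only works when the LAN router sends the webserver's replies back through 172.31.14.248 rather than out the production ASA. The following simulation is an added illustration written for this page, not configuration or code from the thread or from Cisco. It models both routers' static routes as the thread states them, does IOS-style longest-prefix-match lookups, and traces the inbound and return paths for the two LAN-router default routes discussed. The node names (adsl, lan, asa), the remote client 198.51.100.9 and the treatment of the ASA as an opaque exit are assumptions made for the model; 1.2.3.4 is the placeholder public IP the OP used.

```python
"""Added example (not from the thread): why a static NAT on the ADSL router
needs the LAN router's return path to come back through it."""
import ipaddress
from typing import Dict, List, Tuple

# A route is (prefix, next_hop). next_hop is another router node, "connected"
# (deliver on a local interface) or "internet" (leave via the outside interface).
Route = Tuple[str, str]
Topology = Dict[str, List[Route]]

SERVER = "172.31.33.3"       # webserver, from the thread
PUBLIC_IP = "1.2.3.4"        # placeholder public IP used in the thread
CLIENT = "198.51.100.9"      # constructed remote client (TEST-NET-2 range)


def adsl_table() -> List[Route]:
    """ADSL/NAT router: default out dialer0, 172.31.33.0/24 via the LAN router."""
    return [("0.0.0.0/0", "internet"),
            ("172.31.14.0/24", "connected"),
            ("172.31.33.0/24", "lan")]


def lan_table(default_next_hop: str) -> List[Route]:
    """LAN router: both /24s connected; the default route is the variable."""
    return [("0.0.0.0/0", default_next_hop),
            ("172.31.14.0/24", "connected"),
            ("172.31.33.0/24", "connected")]


def lookup(table: List[Route], dst: str) -> str:
    """Destination-based longest-prefix match, as IOS selects among static routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def forward(topo: Topology, node: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `node` until the packet is delivered locally or
    leaves the modelled routers (internet, asa). Stops on a hop limit."""
    path = [node]
    while node in topo and len(path) < max_hops:
        next_hop = lookup(topo[node], dst)
        if next_hop == "connected":
            path.append("delivered")
            return path
        path.append(next_hop)
        node = next_hop
    return path


def simulate(lan_default_next_hop: str) -> dict:
    """Trace one HTTP request and its reply through the two routers."""
    topo: Topology = {"adsl": adsl_table(), "lan": lan_table(lan_default_next_hop)}

    # Inbound: client -> 1.2.3.4 arrives on dialer0; the static NAT rewrites the
    # destination to the server, then the ADSL router routes the translated packet.
    inbound = forward(topo, "adsl", SERVER)

    # Return: server -> client, first hop is the server's gateway (LAN router).
    # The translation is only undone if the reply passes through the NAT router.
    reply = forward(topo, "lan", CLIENT)
    reversed_on_adsl = "adsl" in reply

    return {
        "inbound": inbound,
        "return": reply,
        "translation_reversed": reversed_on_adsl,
        # If the reply bypasses the ADSL router, the client never sees 1.2.3.4 as
        # the source (the ASA may rewrite it, but not to the ADSL address), so the
        # TCP handshake never completes.
        "src_seen_by_client": PUBLIC_IP if reversed_on_adsl else SERVER,
    }


if __name__ == "__main__":
    for default in ("asa", "adsl"):
        print(f"LAN default via {default}: {simulate(default)}")
```

Because the lookup is purely destination-based, the LAN router's choice of exit for the reply is driven by where packets destined to the Internet client are routed, so anything that is meant to keep the NAT symmetric on that router has to steer the server's outbound traffic, not traffic addressed to the server.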
