just for testing can you remove the acl and rotary and test connection
if that works apply back the rotary and test via port 3001. - telnet/ssh xxxx 3001
We had this exact issue & it was NAT. NAT was working, maybe a little too well.
We had a 'permit ip any any' for our NAT outbound overload - this was the issue. We had to explicitly permit the inside networks in the NAT access-list & then have a 'deny ip any any' at the bottom. After we did this, we were able to SSH to the WAN interface (the 'ip nat outside' configured interface). Note that we tried to exclude the incoming IP etc. from NAT but that did not work. This was our working config in the end (make sure you apply security policy to your router for security reasons):
ip access-list extended ACL-NAT remark DO NOT ADD "log" TO ANY ACE IN THIS ACL, IT WILL CAUSE NAT FAILURE permit ip host lo.lo.lo.lo any <<< Loopback interface permit ip 10.1.1.0 0.0.0.255 any <<< LAN Data subnet permit ip a.a.a.a m.m.m.m any <<< Other subnet that needs internet deny ip any any <<< explicit DENY anything else ip nat inside source list ACL-NAT interface Dialer1 overload