
Cisco 877 NAT, what am I missing?


I'm trying to configure a simple static NAT rule for a webserver on my 877 router but it's not working and I'm not sure why.

I have a nat overload rule based on a route-map for internet access that works fine, so the internet (at least outbound) appears to work.

The router can also ping/telnet to the port on the webserver that I need, so the path is in place.

Essentially the nat rules are:

ip nat inside source static tcp 80 dialer0 80

ip nat inside source static tcp 443 dialer0 443

I have also tried using the actual external IP address in place of 'dialer0' but to no avail.

I can see the actual nat translations appear in 'show ip nat translations'.

The default gateway for is actually the router,, so it's only 1 hop. I have an allow any rule on the dialer interface at the moment for testing, there is no ACL on the vlan interface (with ip

Is there something I am missing? How best to debug this, are there NAT debug commands (I couldn't see any)?


The VPN will go on the ADSL router (the one with the NAT rule).

We do want a default route on the LAN router, but we want it to be to our production ASA (which has our links to other sites and our main internet feed). That's why I was saying you have a NAT rule on a dummy IP on the LAN router, so that you can follow the same path out as it comes in (is that possible).

Can you please explain how that route would work (you put it on the LAN router I assume?) Wouldn't that just cause a routing problem as it would send packets destined to for to the wrong router?

Yes for both static and default routes on LAN change to match the ip of ASA and then ASA will forward it.

Sorry I'm not exactly sure what you mean. Are you saying set the default route of the LAN router to be to the ASA, and then put a route in the ASA like this:

So this would mean the full path would be:

Client-->Internet-->ADSL Router-->Lan Router-->Web Server-->Lan Router-->ASA-->Lan Router-->ADSL Router-->Internet-->Client

Or do you mean something completely different?

There are 2 options you can go from client to server

1. client -->internet-->adsl-->lan-->webserver  -this is like my topology

2. client -->internet-->adsl-->asa-->lan-->webserver  -if you need to use the ASA and is between lan and adsl you need to configure it accordingly.

Hmmm. I can see how they are both done, but I was hoping more along the lines of having the default route for the LAN be to the ASA, but traffic coming in via the ADSL natting to the webserver then going back out via the ADSL and not going to the ASA.

Would my double NAT idea work do you think?

Only for server access you can use

client -->internet -->adsl -->lan -->webserver

for all other traffic

clients -->internet -->adsl -->asa -->lan -->pc

I'm not entirely sure what you mean by that...

Just to clarify I don't want the traffic coming in the ADSL to go to the ASA, I just want the default route to that.

Traffic going to the webserver from the ADSL I want to path out the way it came in.

That's what I meant. Your traffic for default route goes to ASA, and all traffic coming to webserver goes directly to it without ASA.

on LAN router you will have

ip route ASA ip

ip route ADSL ip

on ADSL you will have

you have acl to permit traffic for webserver going out the interface connected to LAN router.

and other acl to direct all other traffic to ASA.

I added the route on the lan router as follows:

ip route

But it had no effect. The subnet is locally connected to the LAN router so wouldn't that take precedence?

Besides, correct me if I'm wrong, but the problem is outbound, I think it reaches the webserver fine but then when the packet goes back out it goes back out the wrong way. As such I need to change the outbound destination packet.

Can I write an outside NAT rule somehow to modify the source IP on the inbound packet to be the outside local address (ie the ADSL IP) rather than the outside global address? Then a simple route of would fix that.


This might be a stupid question but you have 'ip nat inside' and 'ip nat outside' on your interface, right?
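
For reference on the interface roles asked about in the last reply and the NAT debug commands asked about in the original question, here is an added example that is not part of the thread: the two static port forwards with both NAT roles set. The addresses are constructed, and Vlan1 is an assumed name for the LAN-facing interface.

```ios
! Constructed addresses: 192.0.2.10 stands in for the web server,
! 192.0.2.1 for the router's LAN address. Vlan1 is an assumed name.
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ! LAN side: traffic from the web server enters NAT here
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ! ADSL side: translated traffic leaves and arrives here
 ip nat outside
!
! Static port forwards bound to whatever address Dialer0 currently holds
ip nat inside source static tcp 192.0.2.10 80 interface Dialer0 80
ip nat inside source static tcp 192.0.2.10 443 interface Dialer0 443
!
! Checks, run from privileged exec mode rather than config mode:
!   show ip nat translations   - static entries plus live sessions
!   show ip nat statistics     - which interfaces are inside/outside, hit counts
!   debug ip nat detailed      - per-packet translation messages
!   undebug all                - stop the debug output when finished
```

With `debug ip nat detailed` running during a test connection, the output shows whether the server's replies pass back through this router to be translated or leave by another path.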