I'm trying to configure a simple static NAT rule for a webserver on my 877 router but it's not working and I'm not sure why.
I have a nat overload rule based on a route-map for internet access that works fine, so the internet (at least outbound) appears to work.
The router can also ping/telnet to the port on the webserver that I need, so the path is in place.
Essentially the nat rules are:
ip nat inside source static tcp 172.31.33.3 80 dialer0 80
ip nat inside source static tcp 172.31.33.3 443 dialer0 443
I have also tried using the actual external Ip address in place of 'dialer0' but to no avail.
I can see the actual nat translations appear in 'show ipnat translations.'
The default gateway for 172.31.33.3 is actually the router, 172.31.33.2, so it's only 1 hop. I have an allow any rule on the dialer interface at the moment for testing, there is no ACL on the vlan interface (with ip 172.31.33.2).
Is there something I am missing? How best to debug this, are there NAT debug command (I couldn't see any).
The VPN will go on the ADSL router (the one with the NAT rule).
We do want a default route on the LAN router, but we want it to be to our production ASA (which has our links to other sites and our main internet feed). That's why I was saying you have a NAT rule on a dummy IP on the LAN router, so that you can follow the same path out as it comes in (is that possible).
Can you please explain how that route would work (you put it on the LAN router I assume?) Wouldn't that just cause a routing problem as it would send packets destined to for 172.31.33.3 to the wrong router?
Sorry I'm not exactly sure what you mean. Are you saying set the default route of the LAN router to be to the ASA, and then put a route in the ASA like this:
172.31.33.3 255.255.255.255 172.31.14.248.
So this would mean the full path would be:
Client-->Internet-->ADSL Router-->Lan Router-->Web Server-->Lan Router-->ASA-->Lan Router-->ADSL Router-->Internet-->Client
Or do you mean something completely different?
There are 2 options you can go from client to server
1. client -->internet-->adsl-->lan-->webserver -this is like my topology
2. client -->internet-->adsl-->asa-->lan-->webserver -if you need to use the ASA and is between lan and adsl you need to configure it accordingly.
Hmmm. I can see how they are both done, but I was hoping more along the lines of having the default route for the LAN be to the ASA, but traffic coming in via the ADSL natting to the webserver then going back out via the ADSL and not going to the ASA.
Would my double NAT idea work do you think?
Only for server access you can use
client -->internet -->adsl -->lan -->webserver
for all other traffic
clients -->internet -->adsl -->asa -->lan --pc
I'm not entirely sure what you mean by that...
Just to clarify I don't want the traffic coming in the ADSL to go to the ASA, I just want the default route to that.
Traffic going to the webserver from the ADSL I want to path out the way it came in.
Thats what I meant. Your traffic for default route goes to ASA, and all traffic coming to webserver goes directly to it without asa.
on LAN router you will have
ip route 0.0.0.0 0.0.0.0 ASA ip
ip route 22.214.171.124 255.255.255.0 ADSL ip
on ADSL you will have
you have acl to permit traffic for webserver going out the interface connected to LAN router.
and other acl to direct all other traffic to ASA.
I added the route on the lan router as follows:
ip route 172.31.33.3 255.255.255.255
But it had no effect. The 172.31.33.3/24 subnet is locally connected to the LAN router so wouldn't that take precedence?
Besides, correct me if I'm wrong, but the problem is outbound, I think it reaches the webserver fine but then when the packet goes back out it goes back out the wrong way. As such I need to change the outbound destination packet.
Can I write an outside NAT rule somehow to modify the source IP on the inbound packet to be the outside local address (ie the ADSL IP) rather than the outside global address? Then a simple route of