I have a 3640 Router on a Comcast cable line. It is a /30 network (DHCP), so I have one external address. I currently have it set up with PAT so that internal hosts can get out, but I want to be able to SSH in. This means I need to use the same IP for both ingress and egress, but all the examples I've been able to find use a larger subnet and only use some addresses as ingress which are different from the egress address. How do I share one address to do both duties? It was easy with my Netgear but it crapped out. (I don't have access to my router from here, so I'll have to post the config later.)
route-map RM.nat permit 10
 match ip address ACL.nat
!
ip access-list extended ACL.nat
 permit ip 10.88.3.0 0.0.0.255 any
You do not need the more complex route-map config on the PAT (overload) section. Any valid config there will be OK. Operationally it appears that packets are checked first against the static NATs, and then, if there is no match, the dynamic NAT is checked.
This config combines two static NATs to specific TCP/UDP ports and overload (PAT) outbound.
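An added example (not from the original thread) of the combination the reply describes: one DHCP-assigned outside address serving both a static TCP port forward for inbound SSH and the PAT overload for outbound traffic. The interface names, the internal host 10.88.3.10 and the inside address 10.88.3.1 are assumptions; ACL.nat, RM.nat and the 10.88.3.0/24 LAN come from the reply.

```cisco
! Outside interface: the address comes from Comcast via DHCP, so every
! NAT statement references the interface rather than a literal address.
interface FastEthernet0/0
 description Comcast cable (outside) - interface name is an assumption
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 description LAN (inside) - interface name and address are assumptions
 ip address 10.88.3.1 255.255.255.0
 ip nat inside
!
! Traffic eligible for outbound PAT: the LAN only.
ip access-list extended ACL.nat
 permit ip 10.88.3.0 0.0.0.255 any
!
! Static NAT for one port only: inbound TCP/22 arriving on the outside
! address is forwarded to the assumed internal host 10.88.3.10. Static
! entries are matched before the dynamic rule, so inbound SSH does not
! collide with the PAT pool even though both use the same address.
ip nat inside source static tcp 10.88.3.10 22 interface FastEthernet0/0 22
!
! Dynamic PAT: everything else from the LAN shares the same outside address.
ip nat inside source list ACL.nat interface FastEthernet0/0 overload
!
! If the reply's route-map form is preferred, these three lines replace
! the "source list" statement above:
! route-map RM.nat permit 10
!  match ip address ACL.nat
! ip nat inside source route-map RM.nat interface FastEthernet0/0 overload
!
! Verify with "show ip nat translations": the static tcp/22 entry is
! always present, and dynamic entries appear as inside hosts go out.
```

Once applied, TCP/22 on the outside address is reachable from anywhere on the Internet, so the forwarded host's SSH daemon is the exposed service and should be hardened accordingly. If the goal is SSH to the router itself rather than to an inside host, no static entry is needed, because the router already owns the outside address.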