Dynamic and static NAT

I have a 3640 Router on a comcast cable line. It is a /30 network (dhcp) so I have one external address. I currently have it setup with PAT so that internal hosts can get out but I want to be able to ssh in. This means I need to use the same IP for both ingress and egress but all the examples I've been able to find use a larger subnet and only use some address as ingress which are different than the egress address. How do I share one address to do both duties? It was easy with my netgear but it crapped out. (I don't have access to my router from here so I'll have to post the config later)

Reply to
Loading thread data ...

Please *everybody*, I beg you, sign the libel reform petition as detailed in the signature. This is a critical freedom of speach issue and we need your help.

Back to Cisco:)

Here is an example config.

ip nat inside source static udp 64328 interface Dialer0 64328 ip nat inside source static tcp 64328 interface Dialer0 64328 ip nat inside source route-map RM.nat interface Dialer0 overload

route-map RM.nat permit 10 match ip address ACL.nat

ip access-list extended ACL.nat permit ip any

You do not need the more complex route-map config on the PAT (overload section). Any valid config there will be OK. Operationally it appears that packets are checked firstly against the static NATs and then if there is no match the dynamic nat is checked.

This config combines two static NATs to specific tcp/udp ports and overload (PAT) outbound.

-- Please sign the libel reform petition - no matter where you are in the world. Get others to sign too. Help to change these oppressive laws.

formatting link
formatting link
If your writing can be read in England or Wales you can be sued here. If you get sued, *you* have to defend yourself. You are assumed to be defamatory unless you can prove otherwise. Legal costs can be =A3Ms. Of course if you are in New York state you are explicitly protected by the "The Libel Terrorism Protection Act". Some other US states have similar protection.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.