From: tomarseneault on 28 Apr 2010 21:30

I have a 3640 router on a Comcast cable line. It is a /30 network (DHCP), so I have one external address. I currently have it set up with PAT so that internal hosts can get out, but I want to be able to ssh in. This means I need to use the same IP for both ingress and egress, but all the examples I've been able to find use a larger subnet and only use some addresses as ingress which are different than the egress address. How do I share one address to do both duties? It was easy with my Netgear but it crapped out. (I don't have access to my router from here so I'll have to post the config later.)

From: bod43 on 28 Apr 2010 21:57
On 29 Apr, 02:30, tomarseneault <tomarsenea...(a)yahoo.com> wrote:
> I have a 3640 Router on a comcast cable line. It is a /30 network
> (dhcp) so I have one external address. I currently have it setup with
> PAT so that internal hosts can get out but I want to be able to ssh
> in. This means I need to use the same IP for both ingress and egress
> but all the examples I've been able to find use a larger subnet and
> only use some address as ingress which are different than the egress
> address. How do I share one address to do both duties? It was easy
> with my netgear but it crapped out. (I don't have access to my router
> from here so I'll have to post the config later)

Please *everybody*, I beg you, sign the libel reform petition as detailed in the signature. This is a critical freedom of speech issue and we need your help.

Back to Cisco:)

Here is an example config.

    ip nat inside source static udp 10.88.3.130 64328 interface Dialer0 64328
    ip nat inside source static tcp 10.88.3.130 64328 interface Dialer0 64328
    ip nat inside source route-map RM.nat interface Dialer0 overload

    route-map RM.nat permit 10
     match ip address ACL.nat

    ip access-list extended ACL.nat
     permit ip 10.88.3.0 0.0.0.255 any

You do not need the more complex route-map config on the PAT (overload section). Any valid config there will be OK.

Operationally it appears that packets are checked firstly against the static NATs and then if there is no match the dynamic NAT is checked.

This config combines two static NATs to specific tcp/udp ports and overload (PAT) outbound.

--
Please sign the libel reform petition - no matter where you are in the world. Get others to sign too. Help to change these oppressive laws.

http://www.libelreform.org/sign
http://www.senseaboutscience.org.uk/index.php/site/about/476
http://www.libelreform.org/news/449-libel-reform-campaign-welcomes-jack-straws-commitment-to-libel
http://www.libelreform.org/who-is-silenced
http://www.libelreform.org/our-report/key-findings-of-report

If your writing can be read in England or Wales you can be sued here. If you get sued, *you* have to defend yourself. You are assumed to be defamatory unless you can prove otherwise. Legal costs can be £Ms.

Of course if you are in New York state you are explicitly protected by the "The Libel Terrorism Protection Act". Some other US states have similar protection.
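
The pattern from the reply above, adapted to the original question (SSH in on a single DHCP-assigned address that also does PAT outbound), as an added example that is not part of either post. The interface names, the inside gateway address 10.88.3.1, the ACL name ACL.pat and the external port 2222 are assumptions; 10.88.3.130 and the 10.88.3.0/24 inside network are reused from the reply's sample config.

```cisco
! Added example. Assumed names: FastEthernet0/0 = outside (cable modem),
! FastEthernet0/1 = inside LAN, ACL.pat, external port 2222.
interface FastEthernet0/0
 description Outside - cable modem, single DHCP-assigned address
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.88.3.1 255.255.255.0
 ip nat inside
!
! Inside sources that may be translated on the way out.
ip access-list standard ACL.pat
 permit 10.88.3.0 0.0.0.255
!
! Egress: every inside host shares the outside interface address (PAT).
ip nat inside source list ACL.pat interface FastEthernet0/0 overload
!
! Ingress: TCP 2222 on that same outside address is forwarded to SSH
! (TCP 22) on one inside host. Referencing the interface instead of a
! literal address keeps the entry valid when the DHCP lease changes.
ip nat inside source static tcp 10.88.3.130 22 interface FastEthernet0/0 2222
```

`show ip nat translations` lists the static entry alongside the dynamic PAT entries. The forwarded port is reachable from any source address, so only the one port that is needed should be mapped, and the SSH server behind it should be hardened accordingly.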