515 Views, 0 Helpful, 5 Replies

ip nat with acl question

pamirian76
Level 1

So I have my router that's connected to the outside world (internet), and it's also connected to my company.

I want to create a NAT rule that basically says: when I go to my company, don't NAT, but when I go on the internet, NAT.

Now I do this with this statement:

ip nat inside source list 110 interface FastEthernet4 overload

access-list 110 deny  ip 10.181.20.80 0.0.0.7 10.0.0.0 0.255.255.255

access-list 110 permit ip 10.181.20.80 0.0.0.7 any

I want to do the same thing, but this time with this rule:

ip nat inside source static tcp 10.181.20.84 22 interface FastEthernet4 2222

This rule doesn't work from the company to my router, but it works from the internet to my router...

I just can't find the way to change this IP NAT rule and use my same 110 ACL.

Basically, with this last rule, when I try to connect to my router from the company, it tries to NAT it back to the IP of the router interface... It should not NAT when I come from the company, but it should NAT when I connect from the outside internet.

Ideas? Thanks.
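
To make the difference between the two rules concrete, here is a small Python model (added here; it is neither Cisco code nor anything posted in the thread) of how an inside-source overload rule gated by an access list and an unconditional static port forward decide on a packet leaving the inside interface. The config text is the thread's own lines; 203.0.113.1 (the FastEthernet4 address), 10.5.5.5 (a work host over the VPN) and 198.51.100.7 (an internet client) are constructed values.

```python
"""Model of inside-source NAT decisions for the rules in this thread.
Constructed example: wildcard-mask ACL evaluation plus a static port
translation that carries no access list. Not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Config lines quoted from the thread; the static rule is the one that misbehaves.
CONFIG = """
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 10.181.20.84 22 interface FastEthernet4 2222
access-list 110 deny  ip 10.181.20.80 0.0.0.7 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.181.20.80 0.0.0.7 any
"""
OUTSIDE_IP = "203.0.113.1"  # constructed: the address on FastEthernet4


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    dst_port: Optional[int]


@dataclass(frozen=True)
class StaticPortNat:
    proto: str
    inside_ip: str
    inside_port: int
    outside_port: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _target(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tok[i]; return (base, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_config(text: str):
    """Return (access lists keyed by number, static port-NAT rules) from IOS-style lines."""
    acls: Dict[int, List[Ace]] = {}
    statics: List[StaticPortNat] = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            src, src_wc, i = _target(tok, 4)
            dst, dst_wc, i = _target(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.setdefault(int(tok[1]), []).append(Ace(tok[2], tok[3], src, src_wc, dst, dst_wc, port))
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            # ip nat inside source static <proto> <inside ip> <inside port> interface <if> <outside port>
            statics.append(StaticPortNat(tok[5], tok[6], int(tok[7]), int(tok[10])))
    return acls, statics


def _addr_match(addr: int, base: int, wildcard: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    return (addr & ~wildcard) == (base & ~wildcard)


def acl_permits(aces: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; the list ends in an implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not _addr_match(_ip(pkt.src), ace.src, ace.src_wc):
            continue
        if not _addr_match(_ip(pkt.dst), ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dport:
            continue
        return ace.action == "permit"
    return False


def translate_inside_to_outside(pkt: Packet, acls, statics, dynamic_list: int = 110):
    """Return (new source ip, new source port, reason) for a packet going inside -> outside.
    Static entries are consulted first and carry no access list, so the 10/8 deny in
    ACL 110 never exempts the Linux box's SSH replies from translation."""
    for s in statics:
        if (pkt.proto, pkt.src, pkt.sport) == (s.proto, s.inside_ip, s.inside_port):
            return OUTSIDE_IP, s.outside_port, "static"
    if acl_permits(acls.get(dynamic_list, []), pkt):
        return OUTSIDE_IP, pkt.sport, "overload"  # real PAT may choose another port
    return pkt.src, pkt.sport, "no-nat"


def classify_thread_flows():
    """Run the four flows discussed in the thread through the model."""
    acls, statics = parse_config(CONFIG)
    flows = {
        # SSH reply from the Linux box to a work host over the VPN: rewritten anyway (the complaint)
        "ssh-reply-to-vpn": Packet("tcp", "10.181.20.84", 22, "10.5.5.5", 51000),
        # SSH reply to an internet client: rewritten, which is what the port forward is for
        "ssh-reply-to-internet": Packet("tcp", "10.181.20.84", 22, "198.51.100.7", 51000),
        # ordinary inside host going to the office: ACL 110 denies, so no NAT
        "web-to-vpn": Packet("tcp", "10.181.20.81", 40000, "10.5.5.5", 443),
        # same host going to the internet: ACL 110 permits, so overload NAT
        "web-to-internet": Packet("tcp", "10.181.20.81", 40000, "198.51.100.7", 443),
    }
    return {name: translate_inside_to_outside(p, acls, statics) for name, p in flows.items()}
```

Running `classify_thread_flows()` shows the asymmetry the question describes: the overload rule leaves office-bound traffic alone because ACL 110 denies it, while the static port forward rewrites the Linux box's port-22 replies to the router address and port 2222 no matter where they are headed, which is why the session from the office side never completes.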

5 Replies

John Blakley
VIP Alumni

You wouldn't be able to SSH into port 2222 from the inside because the service is actually listening on port 22. From the inside, you'd need to SSH to port 22, and from the outside SSH to 2222. NAT doesn't occur until you cross from the inside NATed interface to the outside NATed interface, so in general you shouldn't need a "deny" NAT rule unless you're using this over a VPN.

HTH, John *** Please rate all useful posts ***

I am using it over a VPN.

So from outside on the internet I hit my router on 2222, and this takes me to my Linux box on port 22. It's NATed and all works well.

Now from the company/site-to-site VPN I try to SSH to port 22 directly on the Linux box and it doesn't work, and I'm 99.9% sure it's because of that NAT in my first email... I need to somehow change this so it NATs to the internet but does not NAT to the site-to-site VPN tunnel.

Okay,

Are you trying to SSH from the other side of the VPN? For example:

you ---> router <-----> vpn <-----> router (nat) ----> device running ssh?

HTH, John *** Please rate all useful posts ***

From work to my home router to my Linux box, it doesn't work.

From the internet to my router to my Linux box, it works.

This is the NAT statement that takes me to the Linux box:

ip nat inside source static tcp 10.181.20.84 22 interface FastEthernet4 2222

This NAT is on my 881 router in my house.

This says that anything hitting the outside interface on port 2222 will take me to my Linux machine behind the router on port 22.

The problem is that when I come from the work network, which is on 10.0.0.0/8, it doesn't work. There is a site-to-site VPN between the office and my house.

So all I need to know is if there is a way to do that NAT statement in a way that I can say NAT only to the internet but not to the office, just like this one:

ip nat inside source list 110 interface FastEthernet4 overload

access-list 110 deny  ip 10.181.20.80 0.0.0.7 10.0.0.0 0.255.255.255

access-list 110 permit ip 10.181.20.80 0.0.0.7 any

This works perfectly, but not my other NAT statement.

I labbed this up and I see what you're seeing. The problem is that the SSH session on port 22 is allowed over the tunnel, but when debugging NAT, the router is redirecting all traffic to port 2222. I was able to get around this with the following:

ip nat pool SSH 10.181.20.84 10.181.20.84 prefix 24 type rotary

ip nat inside destination list 105 pool SSH

access-list 105 permit tcp any any eq 22

Give this a shot and let me know...

HTH, John *** Please rate all useful posts ***