Memo
08-30-2006, 01:46 PM
So, I'm highly unknowledgeable with Cisco configs but managed to get this router set up as is. As you can see, I have SSH port forwarded to a specific machine:
ip nat inside source static udp 172.30.6.21 22 66.194.86.2 22 extendable
However, due to a recent hacker, I want to only allow specific outside IPs to SSH to that server. How would I go about doing this? If you could be as specific as possible, that'd be AWESOME.
My config, let me know if I should delete something to the public :).
--------
Current configuration : 2037 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AUSRTR1
!
boot-start-marker
boot-end-marker
!
enable secret 5 :):):)
enable password 7 :):)
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ip domain lookup
ip name-server 168.215.165.186
ip name-server 216.136.33.82
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 172.30.6.3 255.255.255.0
ip nat inside
speed 100
full-duplex
!
interface Serial0/0
description INTERNET_T1_FROM_TW CID:15/HCGS/006350/TWCS
ip address 66.194.86.2 255.255.255.252
ip nat outside
encapsulation ppp
!
interface Serial0/1
description T1_TO_HOUSTON CID:101L/T1ZF/AUSWTXDNN00/HSTZTXVON01
ip address 192.168.1.1 255.255.255.252
encapsulation ppp
!
ip nat pool overload 66.194.86.2 66.194.86.2 netmask 255.255.255.252
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static udp 172.30.6.121 3389 66.194.86.2 3389 extendable
ip nat inside source static tcp 172.30.6.121 3389 66.194.86.2 3389 extendable
ip nat inside source static tcp 172.30.6.105 5905 66.194.86.2 5905 extendable
ip nat inside source static tcp 172.30.6.87 5955 66.194.86.2 5955 extendable
ip nat inside source static udp 172.30.6.87 5955 66.194.86.2 5955 extendable
ip nat inside source static tcp 172.30.6.21 22 66.194.86.2 22 extendable
ip nat inside source static udp 172.30.6.21 22 66.194.86.2 22 extendable
ip nat inside source static udp 172.30.6.65 5855 66.194.86.2 5855 extendable
ip nat inside source static tcp 172.30.6.65 5855 66.194.86.2 5855 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 66.194.86.1
ip route 172.30.1.0 255.255.255.0 192.168.1.2
ip route 172.30.2.0 255.255.255.0 192.168.1.2
no ip http server
!
access-list 1 permit 172.30.6.0 0.0.0.255
access-list 1 permit 172.30.7.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
password 7 :):)
login
!
!
!
end
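One way to do what the post asks, written as an added example that is not the poster's configuration: an extended ACL applied inbound on the Internet-facing Serial0/0 that allows TCP/22 to the public address only from named outside hosts and drops (and logs) every other SSH attempt. The ACL name OUTSIDE-IN and the two trusted addresses 203.0.113.10 and 203.0.113.20 are placeholders (RFC 5737 documentation range) standing in for the real allowed sources. The other permits reproduce the static forwards already in the config so they keep working; the public address, ports and inside networks are taken from the posted config.

```cisco
! Added example, not from the original post. Inbound ACLs on the outside
! interface are evaluated BEFORE NAT, so match the public address
! 66.194.86.2, not the inside host 172.30.6.21.
ip access-list extended OUTSIDE-IN
 remark --- SSH to the forwarded server: trusted outside hosts only ---
 permit tcp host 203.0.113.10 host 66.194.86.2 eq 22
 permit tcp host 203.0.113.20 host 66.194.86.2 eq 22
 deny   tcp any host 66.194.86.2 eq 22 log
 remark --- existing static forwards that stay reachable from the Internet ---
 permit tcp any host 66.194.86.2 eq 3389
 permit udp any host 66.194.86.2 eq 3389
 permit tcp any host 66.194.86.2 eq 5905
 permit tcp any host 66.194.86.2 eq 5955
 permit udp any host 66.194.86.2 eq 5955
 permit tcp any host 66.194.86.2 eq 5855
 permit udp any host 66.194.86.2 eq 5855
 remark --- return traffic for sessions started from inside (NAT overload) ---
 permit tcp any host 66.194.86.2 established
 permit udp any eq 53 host 66.194.86.2
 permit icmp any host 66.194.86.2 echo-reply
 permit icmp any host 66.194.86.2 unreachable
 permit icmp any host 66.194.86.2 time-exceeded
 deny   ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
!
! Same idea for the router's own management lines: only the inside
! networks from access-list 1 may open a VTY session.
access-list 10 permit 172.30.6.0 0.0.0.255
access-list 10 permit 172.30.7.0 0.0.0.255
line vty 0 4
 access-class 10 in
```

Two notes on the design. First, SSH runs over TCP only, so the `udp 22` static mapping in the config does nothing useful and can be dropped (`no ip nat inside source static udp 172.30.6.21 22 66.194.86.2 22 extendable`); every forward left in place is a service exposed to the whole Internet unless the ACL narrows it. Second, the `established` and UDP/53 lines are a coarse way to let replies back in for outbound connections; on an IOS image with the firewall feature set, stateful inspection (`ip inspect`) on the outside interface is the cleaner replacement. Check hits with `show access-list OUTSIDE-IN` and watch the log for the denied SSH entries, which is also how you see whether the earlier intruder keeps trying.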