Исходное сообщение
"NAT, DNS & ROUTE-MAP"
Отправлено zeda, 03-Мрт-08 17:25 
Помогите, пожалуйста!
Итак есть три WAN:
XXX.XXX.44.16/29 - org1
YYY.YYY.164.168/29 - org2
ZZZ.ZZZ.91.16/29 - org3
И три LAN
192.168.70.0/24 - org1
192.168.60.0/24 - org2
192.168.50.0/24 - org3

Задача:
маршрутизировать весь трафик org2 - в YYY.YYY.164.169, org3 - ZZZ.ZZZ.91.17,
а всё остальное в XXX.XXX.44.17

Вот конфиг:
! --- Platform and global services ---------------------------------------
! NOTE(review): IOS 12.4 has been out of support for years; nothing in this
! file compensates for unpatched platform bugs. Plan the image upgrade first.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
! Timestamps carry no "msec localtime" — correlating syslog with the NetFlow
! and RADIUS accounting streams configured further down is coarser than it
! needs to be.
service timestamps debug datetime
service timestamps log datetime
! Type-7 "encryption" is reversible; it only hides secrets from shoulder
! surfing. This config file (and the RADIUS key below) must be handled as a
! secret in its own right.
service password-encryption
service sequence-numbers
!
hostname gate
!
boot-start-marker
boot-end-marker
!
! Three failed logins in a row trigger a 15-second quiet period and a log
! entry; minimum password length is enforced at configuration time only.
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
! Salted MD5 (type 5) — the strongest enable hash this release offers, so the
! passphrase length is what provides the margin against offline cracking.
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
! Management logins (console/vty/HTTP) are authenticated against the local
! user database only; RADIUS is consulted for PPP (PPTP) users. The
! "username" entries themselves are not part of this excerpt.
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization exec default local
aaa authorization network default local group radius
! Accounting for EXEC and PPP sessions goes to RADIUS; delay-start waits for
! the peer address so the PPP start record carries it.
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
resource policy
!
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
! Source-routed packets are dropped — they would otherwise let an outside
! host dictate the path through the inside/outside NAT boundary.
no ip source-route
ip tcp synwait-time 10
!
ip cef
no ip dhcp use vrf connected
!
ip flow-cache timeout active 1
no ip bootp server
! Domain name is required for the SSH host key; the resolver lives in the
! org3 VLAN.
ip domain name XXX.ru
ip name-server 192.168.50.3
! NOTE(review): no "ip ssh version 2" is visible, so the server may still
! negotiate SSHv1 (default 1.99). Add it — 12.4 supports it — and confirm the
! RSA key pair exists ("show ip ssh") before the vty lines are made SSH-only.
ip ssh time-out 60
ip ssh authentication-retries 2
! IPS notification is configured but no IPS rule is attached to any
! interface below, so this is inert.
no ip ips deny-action ips-interface
ip ips notify SDEE
virtual-profile virtual-template 1
! PPTP dial-in is enabled (see vpdn-group 1 / Virtual-Template1 for the
! security caveats on PPTP itself).
vpdn enable
vpdn authen-before-forward
vpdn ip udp ignore checksum
!
vpdn-template  
!
vpdn-group 1
! Default PPTP VPDN group: accepts PPTP tunnels (TCP/1723 control channel,
! GRE data) on any router address and spawns a Virtual-Template1 session.
! The control channel is unauthenticated until PPP runs inside it; the
! *_ext_in ACLs admit 1723 and GRE from any source.
'  accept-dialin
'  protocol pptp
'  virtual-template 1
!
interface Loopback4418
! Public org1 address: borrowed by the org1 uplink (ip unnumbered) and used
! as the overload address for the org1, 192.168.0.0/24 and VPN-pool NAT.
' ip address XXX.XXX.44.18 255.255.255.255
!
interface Loopback9118
! Public org3 address: borrowed by the org3 uplink and used as the org3 NAT
! overload address.
' ip address ZZZ.ZZZ.91.18 255.255.255.255
!
interface Loopback164170
! Public org2 address: borrowed by the org2 uplink and used as the org2 NAT
! overload address.
' ip address YYY.YYY.164.170 255.255.255.255
!
interface FastEthernet0/0
! 802.1Q trunk carrying all org LAN and uplink VLANs; no address of its own.
' no ip address
' no ip redirects
' no ip unreachables
' no ip proxy-arp
! Fast/CEF-switched policy routing for the route-maps on the subinterfaces.
' ip route-cache policy
' ip route-cache flow
' duplex auto
' speed auto
' no mop enabled
!
interface FastEthernet0/0.50
! org3 LAN (192.168.50.0/24). Inbound ACL is a per-host whitelist; PBR steers
! this VLAN's Internet-bound traffic to the org3 uplink.
' encapsulation dot1Q 50
' ip address 192.168.50.1 255.255.255.0
' ip access-group org3_int_in in
' ip access-group org3_int_out out
' no ip redirects
' no ip unreachables
' no ip proxy-arp
' ip nat inside
! Fragments are reassembled before ACL/NAT see them, which also defeats
! overlapping-fragment evasion.
' ip virtual-reassembly
' ip policy route-map org3_map
' no snmp trap link-status
' no cdp enable
!
interface FastEthernet0/0.51
! org3 uplink (ZZZ.ZZZ.91.16/29), addressed through Loopback9118.
' encapsulation dot1Q 51
' ip unnumbered Loopback9118
' ip access-group org3_ext_in in
' ip access-group org3_ext_out out
! NOTE(review): classic NAT ("ip nat outside") and NVI NAT ("ip nat enable")
! are both set on this interface. Cisco does not support mixing the two on
! one interface, and every translation rule in this config is of the classic
! "ip nat inside source" form, so "ip nat enable" should be removed here and
! on the other uplinks / Virtual-Template1.
' ip nat outside
' ip nat enable
' ip virtual-reassembly
' no snmp trap link-status
' no cdp enable
!
interface FastEthernet0/0.60
! org2 LAN (192.168.60.0/24). Same layout as VLAN 50: host whitelist in,
! mirror ACL out, PBR to the org2 uplink.
' encapsulation dot1Q 60
' ip address 192.168.60.1 255.255.255.0
' ip access-group org2_int_in in
' ip access-group org2_int_out out
' no ip redirects
' no ip unreachables
' no ip proxy-arp
' ip nat inside
' ip virtual-reassembly
' ip policy route-map org2_map
' no snmp trap link-status
' no cdp enable
!
interface FastEthernet0/0.61
! org2 uplink (YYY.YYY.164.168/29), addressed through Loopback164170.
' encapsulation dot1Q 61
' ip unnumbered Loopback164170
' ip access-group org2_ext_in in
' ip access-group org2_ext_out out
! NOTE(review): "ip nat enable" (NVI) mixed with classic "ip nat outside" —
! unsupported combination; the translation rules are all classic, so drop
! "ip nat enable".
' ip nat outside
' ip nat enable
' ip virtual-reassembly
' no snmp trap link-status
' no cdp enable
!
interface FastEthernet0/0.70
! org1 LAN (192.168.70.0/24). No route-map here: org1 traffic follows the
! default route, which already points at the org1 ISP.
' encapsulation dot1Q 70
' ip address 192.168.70.1 255.255.255.0
' ip access-group org1_int_in in
' ip access-group org1_int_out out
' no ip redirects
' no ip unreachables
' no ip proxy-arp
' ip nat inside
' ip virtual-reassembly
' no snmp trap link-status
' no cdp enable
!
interface FastEthernet0/0.71
! org1 uplink (XXX.XXX.44.16/29) and the default-route exit for everything
! not policy-routed (org1 LAN, 192.168.0.0/24, PPTP clients).
' encapsulation dot1Q 71
' ip unnumbered Loopback4418
' ip access-group org1_ext_in in
' ip access-group org1_ext_out out
! NOTE(review): "ip nat enable" (NVI) mixed with classic "ip nat outside" —
! unsupported combination; the translation rules are all classic, so drop
! "ip nat enable".
' ip nat outside
' ip nat enable
' ip virtual-reassembly
' no snmp trap link-status
' no cdp enable
!
interface FastEthernet0/0.150
! Shared 192.168.0.0/24 segment — the hosts every org ACL whitelists
! (.254, .250, .17) live here. NOTE(review): no access-group is applied,
! although access-lists 107/108 below look like the in/out pair written for
! it. Traffic from this VLAN, and from PPTP clients (Virtual-Template1 is
! unnumbered to it), is currently unfiltered; the org VLANs are protected
! only by their own *_int_out ACLs.
' encapsulation dot1Q 150
' ip address 192.168.0.1 255.255.255.0
' no ip redirects
' no ip unreachables
' no ip proxy-arp
' ip nat inside
' ip virtual-reassembly
' no snmp trap link-status
' no cdp enable
!
interface FastEthernet0/1
! Separate LAN (192.168.100.0/24). ACL 101 lets the whole /24 reach the
! router itself, and only 192.168.100.0/29 reach the shared hosts
! (.0.254/.0.250) and the upper half of the VPN pool; 102 mirrors it.
! Neither "ip nat inside" nor "outside" — this segment is never translated.
' description $ETH-LAN$
' ip address 192.168.100.254 255.255.255.0
' ip access-group 101 in
' ip access-group 102 out
' no ip redirects
' no ip unreachables
' no ip proxy-arp
' ip virtual-reassembly
' ip route-cache policy
' ip route-cache flow
' duplex auto
' speed auto
' no mop enabled
!
interface Virtual-Template1
! Per-session template for PPTP dial-in (vpdn-group 1). Clients get an
! address from pool vpnnet and sit logically on the 192.168.0.0/24 segment,
! with no ACL of their own; what they may reach inside the org VLANs is
! decided solely by the *_int_out ACLs.
' ip unnumbered FastEthernet0/0.150
' ip nat inside
! NOTE(review): "ip nat enable" (NVI) mixed with classic "ip nat inside" —
! unsupported combination; drop "ip nat enable".
' ip nat enable
' ip virtual-reassembly
' peer default ip address pool vpnnet
! No LCP keepalives: a dead client's session lingers (and its pool address
! stays allocated) until PPTP itself notices.
' no keepalive
! NOTE(review): MPPE keys are derived from the MS-CHAP exchange, and both
! MS-CHAPv1 and MS-CHAPv2 are broken (v2 reduces to a single DES key
! search), so a passive observer of a PPTP session can recover the user's
! password hash and the session keys. Dropping "ms-chap" (v1) is the
! minimum; the real fix is replacing PPTP with IPsec or L2TP/IPsec.
' ppp encrypt mppe auto required
' ppp authentication ms-chap ms-chap-v2
!
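! Address pool handed to PPTP clients (Virtual-Template1).
ip local pool vpnnet 192.168.200.1 192.168.200.250
ip classless
! Default route via the org1 ISP; org2/org3 Internet traffic is diverted
! from it by the route-maps further down. The /32s for the ISP gateways
! point at the unnumbered uplink subinterfaces (the gateway is on-link and
! ARP resolves it there). The /32s for the public-addressed servers
! (.21/.22, .173/.174) point at the LAN VLANs, so those hosts are reached
! without NAT — they presumably carry their own on-link route back to the
! router's private VLAN address, since proxy-arp is off (not shown here).
ip route 0.0.0.0 0.0.0.0 XXX.XXX.44.17
ip route ZZZ.ZZZ.91.17 255.255.255.255 FastEthernet0/0.51
ip route ZZZ.ZZZ.91.21 255.255.255.255 FastEthernet0/0.50
ip route ZZZ.ZZZ.91.22 255.255.255.255 FastEthernet0/0.50
ip route YYY.YYY.164.169 255.255.255.255 FastEthernet0/0.61
ip route YYY.YYY.164.173 255.255.255.255 FastEthernet0/0.60
ip route YYY.YYY.164.174 255.255.255.255 FastEthernet0/0.60
ip route XXX.XXX.44.17 255.255.255.255 FastEthernet0/0.71
ip route XXX.XXX.44.21 255.255.255.255 FastEthernet0/0.70
ip route XXX.XXX.44.22 255.255.255.255 FastEthernet0/0.70
!
! NetFlow v5 to the collector in the org3 VLAN (cleartext, internal only).
ip flow-export source FastEthernet0/0.50
ip flow-export version 5
ip flow-export destination 192.168.50.2 9996
!
! Web management over HTTPS only. The plain HTTP listener was enabled next
! to the secure one; with "ip http authentication local" it carried the
! local username/password in the clear on every request from any LAN or
! VPN host that can reach a router address. NOTE(review): the HTTPS
! listener still has no "ip http access-class"; ACL 90 below (three
! management hosts) looks like the intended list — apply it once confirmed.
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
! Overload (PAT) NAT, one public /32 per org, chosen by source list rather
! than by egress interface. 192.168.0.0/24 and the VPN pool share org1's
! address. The lists exclude 192.168.0.0/16 destinations (org*_nat) or the
! 192.168.100.0/24 LAN (103) so inter-VLAN and VPN traffic is not translated.
ip nat inside source list 103 interface Loopback4418 overload
ip nat inside source list org2_nat interface Loopback164170 overload
ip nat inside source list org1_nat interface Loopback4418 overload
ip nat inside source list org3_nat interface Loopback9118 overload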
!
ip access-list extended org2_ext_in
! Inbound from the org2 ISP. Evaluated before NAT, so destinations are the
! public addresses: .170 = router/NAT address, .173/.174 = servers inside
! the org2 VLAN.
! Anti-spoofing on source. NOTE(review): the org2 prefix itself
! (YYY.YYY.164.168/29), 0.0.0.0/8, 169.254.0.0/16 and 224.0.0.0/4 are not
! rejected as sources.
' deny   ip 10.0.0.0 0.255.255.255 any
' deny   ip 172.16.0.0 0.15.255.255 any
' deny   ip 192.168.0.0 0.0.255.255 any
' deny   ip 127.0.0.0 0.255.255.255 any
! "established" is stateless: any TCP segment with ACK or RST set is admitted
! to any address (ACK scans, forged resets), relying on NAT and the int_out
! ACL to discard it. CBAC ("ip inspect") would give real session state.
' permit tcp any any established
! NOTE(review): SSH from the whole Internet to every address behind this
! uplink, including the router itself — brute-force exposure. Restrict the
! source, or at least the destination, to what actually needs it.
' permit tcp any any eq 22
' permit udp any host YYY.YYY.164.174 eq domain
' permit tcp any host YYY.YYY.164.174 eq domain
' permit tcp any host YYY.YYY.164.174 eq www
' permit tcp any host YYY.YYY.164.174 eq smtp
' permit tcp any host YYY.YYY.164.173 eq www
' permit tcp any host YYY.YYY.164.174 eq ftp
! Presumably the passive-FTP data range of the .174 FTP server — confirm.
' permit tcp any host YYY.YYY.164.174 range 55000 56000
! Admits DNS replies to the NATed resolvers (UDP has no "established"), but
! it also lets any packet with source port 53 reach any UDP port on any
! address — a classic source-port ACL bypass. Narrow the destination to the
! NAT address / resolver hosts, or move to "ip inspect".
' permit udp any eq domain any
! NTP replies from one upstream server (the matching "ntp server" line is
! not in this excerpt).
' permit udp host 62.117.76.142 eq ntp any
! All ICMP types and codes; echo-reply / unreachable / time-exceeded (plus
! echo if inbound ping is wanted) would suffice.
' permit icmp any any
! PPTP control channel to the router and GRE for the tunnels; GRE is
! unrestricted in both source and destination.
' permit tcp any host YYY.YYY.164.170 eq 1723
' permit gre any any
' deny   ip any any
ip access-list extended org2_ext_out
! Egress anti-spoofing: only the org2 /29 (i.e. post-NAT sources and the
! public-addressed servers) may leave this uplink.
' permit ip YYY.YYY.164.168 0.0.0.7 any
' deny   ip any any
ip access-list extended org2_int_in
! From the org2 VLAN. Hosts .2/.3 and the two public-addressed servers are
! unrestricted; every other host may reach only the shared servers on
! 192.168.0.0/24 (.17 from the upper half of the VLAN only) plus the pinned
! external services listed for .251/.252 and .244-.247. Everything else,
! including the router's own VLAN address, is dropped.
' permit ip host 192.168.60.2 any
' permit ip host 192.168.60.3 any
' permit ip host YYY.YYY.164.173 any
' permit ip host YYY.YYY.164.174 any
' permit ip 192.168.60.128 0.0.0.127 host 192.168.0.17
' permit ip any host 192.168.0.254
' permit ip any host 192.168.0.250
' permit tcp host 192.168.60.252 host 195.151.133.15 eq 1700
' permit tcp host 192.168.60.251 host 195.151.133.15 eq 1700
' permit tcp host 192.168.60.251 host 194.84.125.84 eq smtp
' permit tcp host 192.168.60.251 host 194.84.125.84 eq pop3
' permit tcp host 192.168.60.251 host 212.176.15.13 eq 4430
! NOTE(review): telnet, POP3 and SMTP to external hosts carry credentials in
! the clear across the ISP; check whether TLS variants are offered.
' permit tcp host 192.168.60.251 host 62.118.250.55 eq telnet
' permit tcp host 192.168.60.251 host 195.161.113.201 eq telnet
' permit tcp host 192.168.60.251 host 195.161.42.227 eq telnet
' permit tcp host 192.168.60.251 host 195.161.113.201 eq pop3
' permit tcp host 192.168.60.251 host 195.161.42.227 eq pop3
' permit tcp host 192.168.60.251 host 195.161.113.201 eq smtp
' permit tcp host 192.168.60.251 host 195.161.42.227 eq smtp
' permit tcp host 192.168.60.251 host 216.93.175.242 eq 443
' permit tcp host 192.168.60.251 host 195.161.113.228 eq pop3
' permit tcp host 192.168.60.251 host 195.161.113.228 eq smtp
' permit tcp 192.168.60.244 0.0.0.3 host 194.67.23.102 eq pop3
' permit tcp 192.168.60.244 0.0.0.3 host 194.67.23.111 eq smtp
' deny   ip any any
ip access-list extended org2_int_out
! Mirror of org2_int_in for traffic entering the org2 VLAN. It is stateless:
! replies are admitted by address and port only, so anything that can forge
! a source port (e.g. 1700, 25, 110) from the listed external hosts reaches
! .251/.252 directly. The unrestricted hosts (.2/.3, .173/.174) are
! reachable from anywhere, including the Internet subject to org2_ext_in.
' permit ip any host 192.168.60.2
' permit ip any host 192.168.60.3
' permit ip any host YYY.YYY.164.173
' permit ip any host YYY.YYY.164.174
' permit ip host 192.168.0.17 192.168.60.128 0.0.0.127
' permit ip host 192.168.0.254 any
' permit ip host 192.168.0.250 any
' permit tcp host 195.151.133.15 eq 1700 host 192.168.60.252
' permit tcp host 195.151.133.15 eq 1700 host 192.168.60.251
' permit tcp host 194.84.125.84 eq smtp host 192.168.60.251
' permit tcp host 194.84.125.84 eq pop3 host 192.168.60.251
' permit tcp host 212.176.15.13 eq 4430 host 192.168.60.251
' permit tcp host 62.118.250.55 eq telnet host 192.168.60.251
' permit tcp host 195.161.113.201 eq telnet host 192.168.60.251
' permit tcp host 195.161.42.227 eq telnet host 192.168.60.251
' permit tcp host 195.161.113.201 eq pop3 host 192.168.60.251
' permit tcp host 195.161.42.227 eq pop3 host 192.168.60.251
' permit tcp host 195.161.113.201 eq smtp host 192.168.60.251
' permit tcp host 195.161.42.227 eq smtp host 192.168.60.251
' permit tcp host 216.93.175.242 eq 443 host 192.168.60.251
' permit tcp host 195.161.113.228 eq pop3 host 192.168.60.251
' permit tcp host 195.161.113.228 eq smtp host 192.168.60.251
' permit tcp host 194.67.23.102 eq pop3 192.168.60.244 0.0.0.3
' permit tcp host 194.67.23.111 eq smtp 192.168.60.244 0.0.0.3
' deny   ip any any
ip access-list extended org2_nat
! NAT selector for Loopback164170: only the org2 VLAN is translated, and
! never towards 192.168.0.0/16 (other VLANs, shared segment, VPN clients).
' deny   ip any 192.168.0.0 0.0.255.255
' permit ip 192.168.60.0 0.0.0.255 any
' deny   ip any any
ip access-list extended org1_ext_in
! Inbound from the org1 ISP — also the return path for everything that
! leaves via the default route (192.168.0.0/24 and PPTP clients NAT to .18).
! Source anti-spoofing; NOTE(review): the org1 prefix itself, 0.0.0.0/8,
! 169.254.0.0/16 and 224.0.0.0/4 are not rejected as sources.
' deny   ip 10.0.0.0 0.255.255.255 any
' deny   ip 172.16.0.0 0.15.255.255 any
' deny   ip 192.168.0.0 0.0.255.255 any
' deny   ip 127.0.0.0 0.255.255.255 any
! Stateless "established" (ACK/RST set) to any address — see org2_ext_in.
' permit tcp any any established
! NOTE(review): SSH from the whole Internet to every address, including the
! router (.18) — restrict.
' permit tcp any any eq 22
' permit udp any host XXX.XXX.44.21 eq domain
' permit tcp any host XXX.XXX.44.21 eq domain
' permit tcp any host XXX.XXX.44.21 eq www
' permit tcp any host XXX.XXX.44.21 eq smtp
' permit tcp any host XXX.XXX.44.21 eq ftp
! Presumably the passive-FTP data range of the .21 FTP server — confirm.
' permit tcp any host XXX.XXX.44.21 range 55000 56000
! Source-port-53 bypass: any UDP port on any address is reachable from a
! source port of 53. Narrow the destination or use "ip inspect".
' permit udp any eq domain any
' permit udp host 62.117.76.142 eq ntp any
' permit tcp any host XXX.XXX.44.22 eq www
! All ICMP — restrict to the reply/error types that are actually needed.
' permit icmp any any
! PPTP control channel to the router and unrestricted GRE.
' permit tcp any host XXX.XXX.44.18 eq 1723
' permit gre any any
! Unnamed service on .21; document what listens there.
' permit tcp any host XXX.XXX.44.21 eq 18878
' deny   ip any any
ip access-list extended org1_ext_out
! Egress anti-spoofing for the org1 uplink: the org1 /29 as source ...
' permit ip XXX.XXX.44.16 0.0.0.7 any
! NOTE(review): ... but these four rules accept ANY source, so they punch
! holes in the anti-spoof filter: a packet that the NAT lists leave
! untranslated (e.g. a VPN client or 192.168.0.0/24 host addressing a
! 192.168.x.x network that has no route and therefore falls to the default
! route) leaves the ISP link with a private source if it is UDP/53, TCP
! from port 53 or TCP to port 2000. Give them the /29 as source, or drop
! them if the first rule already covers the intended traffic (it does for
! anything NATed).
' permit udp any eq domain any
' permit udp any any eq domain
' permit tcp any eq domain any
' permit tcp any any eq 2000
' deny   ip any any
ip access-list extended org1_int_in
! From the org1 VLAN: hosts .2/.3 and the public-addressed .21/.22 are
! unrestricted; all other hosts may reach only the shared servers on
! 192.168.0.0/24 (.17 from the upper half of the VLAN only). Nothing else —
! not even the router's own VLAN address — is reachable from them.
' permit ip host 192.168.70.2 any
' permit ip host 192.168.70.3 any
' permit ip host XXX.XXX.44.21 any
' permit ip host XXX.XXX.44.22 any
' permit ip 192.168.70.128 0.0.0.127 host 192.168.0.17
' permit ip any host 192.168.0.254
' permit ip any host 192.168.0.250
' deny   ip any any
ip access-list extended org1_int_out
! Mirror of org1_int_in for traffic entering the org1 VLAN. Stateless:
! .2/.3/.21/.22 are reachable from any source (from the Internet subject to
! org1_ext_in), and the shared hosts .0.254/.0.250 may reach every org1 host.
' permit ip any host 192.168.70.2
' permit ip any host 192.168.70.3
' permit ip any host XXX.XXX.44.21
' permit ip any host XXX.XXX.44.22
' permit ip host 192.168.0.17 192.168.70.128 0.0.0.127
' permit ip host 192.168.0.254 any
' permit ip host 192.168.0.250 any
' deny   ip any any
ip access-list extended org1_nat
! NAT selector for Loopback4418 (org1 VLAN only; 192.168.0.0/24 and the VPN
! pool use access-list 103 for the same address). Never translates towards
! 192.168.0.0/16.
' deny   ip any 192.168.0.0 0.0.255.255
' permit ip 192.168.70.0 0.0.0.255 any
' deny   ip any any
ip access-list extended map_right
! Match list shared by org2_map and org3_map (PBR on the org2/org3 VLANs).
! A "permit" here means "policy-route to the org's ISP gateway"; a "deny"
! means "leave it to the normal routing table".
! Traffic addressed to any of the three ISP gateways is policy-routed too
! (the set next-hop happens to be the right one for the org's own gateway;
! for the other two gateways it is reached via the org's ISP, which is at
! worst a detour).
' permit ip any host ZZZ.ZZZ.91.17
' permit ip any host XXX.XXX.44.17
' permit ip any host YYY.YYY.164.169
! Own public /29s (router addresses, public servers in the VLANs) and all
! RFC1918 192.168/16 destinations stay on the routing table — these must
! not be pushed out to an ISP.
' deny   ip any ZZZ.ZZZ.91.16 0.0.0.7
' deny   ip any XXX.XXX.44.16 0.0.0.7
' deny   ip any YYY.YYY.164.168 0.0.0.7
' deny   ip any 192.168.0.0 0.0.255.255
! Everything else (the Internet) is policy-routed.
' permit ip any any
ip access-list extended org3_ext_in
! Inbound from the org3 ISP; destinations are public (.18 = router/NAT,
! .21/.22 = servers inside the org3 VLAN).
! Source anti-spoofing; NOTE(review): the org3 prefix itself, 0.0.0.0/8,
! 169.254.0.0/16 and 224.0.0.0/4 are not rejected as sources.
' deny   ip 10.0.0.0 0.255.255.255 any
' deny   ip 172.16.0.0 0.15.255.255 any
' deny   ip 192.168.0.0 0.0.255.255 any
' deny   ip 127.0.0.0 0.255.255.255 any
! Stateless "established" (ACK/RST set) to any address — see org2_ext_in.
' permit tcp any any established
! NOTE(review): SSH and an unnamed TCP/2005 service open from the whole
! Internet to every address behind this uplink, the router included.
! Pin both to the hosts that serve them.
' permit tcp any any eq 22
' permit tcp any any eq 2005
' permit udp any host ZZZ.ZZZ.91.22 eq domain
' permit tcp any host ZZZ.ZZZ.91.22 eq domain
' permit tcp any host ZZZ.ZZZ.91.22 eq www
' permit tcp any host ZZZ.ZZZ.91.21 eq www
' permit tcp any host ZZZ.ZZZ.91.22 eq smtp
' permit tcp any host ZZZ.ZZZ.91.22 eq ftp
! Presumably the passive-FTP data range of the .22 FTP server — confirm.
' permit tcp any host ZZZ.ZZZ.91.22 range 55000 56000
! NOTE(review): MySQL on .22 exposed to any Internet source; MySQL auth is
! not designed for hostile networks — restrict to the peer(s) that need it
! or tunnel it.
' permit tcp any host ZZZ.ZZZ.91.22 eq 3306
! Source-port-53 bypass to any UDP port on any address — narrow the
! destination or use "ip inspect".
' permit udp any eq domain any
' permit udp host 62.117.76.142 eq ntp any
! All ICMP — restrict to the reply/error types that are actually needed.
' permit icmp any any
! PPTP control channel to the router and unrestricted GRE.
' permit tcp any host ZZZ.ZZZ.91.18 eq 1723
' permit gre any any
' deny   ip any any
ip access-list extended org3_ext_out
! Egress anti-spoofing: only the org3 /29 may leave this uplink.
' permit ip ZZZ.ZZZ.91.16 0.0.0.7 any
' deny   ip any any
ip access-list extended org3_int_in
! From the org3 VLAN (which also hosts the resolver, RADIUS server and
! NetFlow collector at .50.2/.50.3). Hosts .2/.3/.11, the public-addressed
! .21/.22 and — see the last permit — .250 are unrestricted; other hosts
! get the shared 192.168.0.0/24 servers plus the pinned flows below.
' permit ip host 192.168.50.2 any
' permit ip host 192.168.50.3 any
' permit ip host 192.168.50.11 any
' permit ip host ZZZ.ZZZ.91.21 any
' permit ip host ZZZ.ZZZ.91.22 any
' permit ip 192.168.50.128 0.0.0.127 host 192.168.0.17
' permit ip any host 192.168.0.254
' permit ip any host 192.168.0.250
! Every org3 host may open MySQL to one external server (cleartext unless
! the server enforces TLS).
' permit tcp any host 85.114.128.159 eq 3306
! NOTE(review): telnet/POP3/SMTP to external hosts — credentials in the
! clear; check for TLS variants.
' permit tcp host 192.168.50.253 host 62.118.250.55 eq telnet
' permit tcp host 192.168.50.253 host 195.151.133.15 eq 1700
' permit tcp host 192.168.50.253 host 212.176.15.13 eq 4430
! NOTE(review): 192.168.200.130 is an address from the dynamic PPTP pool.
! This only makes sense if that address is pinned to one specific VPN user
! (e.g. RADIUS Framed-IP-Address or a per-user static — not shown here);
! otherwise whichever dial-in user draws .130 inherits full reach into org3.
' permit ip any host 192.168.200.130
' permit tcp host 192.168.50.253 host 213.33.231.202 eq 443
' permit tcp host 192.168.50.253 host 62.118.250.55 eq pop3
' permit tcp host 192.168.50.253 host 62.118.250.55 eq smtp
' permit tcp host 192.168.50.253 host 195.161.113.201 eq smtp
' permit tcp host 192.168.50.253 host 195.161.113.201 eq pop3
' permit tcp host 192.168.50.253 host 195.161.113.201 eq telnet
! The ten port-specific rules for .250 below are shadowed by the
! "permit ip host 192.168.50.250 any" that follows them — .250 is in fact
! unrestricted. Keep one or the other, not both, so the ACL says what it
! does.
' permit tcp host 192.168.50.250 any eq 2020
' permit tcp host 192.168.50.250 any eq 2000
' permit tcp host 192.168.50.250 any eq 2022
' permit tcp host 192.168.50.250 any eq 1001
' permit tcp host 192.168.50.250 any eq 1002
' permit tcp host 192.168.50.250 any eq 1004
' permit tcp host 192.168.50.250 any eq 1003
' permit tcp host 192.168.50.250 any eq 1005
' permit tcp host 192.168.50.250 any eq 1006
' permit tcp host 192.168.50.250 any eq 1007
' permit ip host 192.168.50.250 any
' deny   ip any any
ip access-list extended org3_int_out
! Mirror of org3_int_in for traffic entering the org3 VLAN. Stateless, so
! the unrestricted hosts (.2/.3/.11/.21/.22 and, via the catch-all near the
! end, .250) are reachable from any source, including the Internet subject
! to org3_ext_in, and the shared hosts and VPN address .130 may reach every
! org3 host.
' permit ip any host 192.168.50.2
' permit ip any host 192.168.50.3
' permit ip any host 192.168.50.11
' permit ip any host ZZZ.ZZZ.91.21
' permit ip any host ZZZ.ZZZ.91.22
' permit ip host 192.168.0.17 192.168.50.128 0.0.0.127
' permit ip host 192.168.0.254 any
' permit ip host 192.168.0.250 any
' permit tcp host 85.114.128.159 eq 3306 any
' permit tcp host 62.118.250.55 eq telnet host 192.168.50.253
' permit tcp host 195.151.133.15 eq 1700 host 192.168.50.253
' permit tcp host 212.176.15.13 eq 4430 host 192.168.50.253
! Same caveat as in org3_int_in: .130 must be pinned to one VPN user.
' permit ip host 192.168.200.130 any
' permit tcp host 213.33.231.202 eq 443 host 192.168.50.253
' permit tcp host 62.118.250.55 eq pop3 host 192.168.50.253
' permit tcp host 62.118.250.55 eq smtp host 192.168.50.253
' permit tcp host 195.161.113.201 eq smtp host 192.168.50.253
' permit tcp host 195.161.113.201 eq pop3 host 192.168.50.253
' permit tcp host 195.161.113.201 eq telnet host 192.168.50.253
! Shadowed by "permit ip any host 192.168.50.250" below — .250 is open to
! everything; keep one form or the other.
' permit tcp any eq 2020 host 192.168.50.250
' permit tcp any eq 2000 host 192.168.50.250
' permit tcp any eq 2022 host 192.168.50.250
' permit tcp any eq 1001 host 192.168.50.250
' permit tcp any eq 1002 host 192.168.50.250
' permit tcp any eq 1004 host 192.168.50.250
' permit tcp any eq 1003 host 192.168.50.250
' permit tcp any eq 1005 host 192.168.50.250
' permit tcp any eq 1006 host 192.168.50.250
' permit tcp any eq 1007 host 192.168.50.250
' permit ip any host 192.168.50.250
' deny   ip any any
ip access-list extended org3_nat
! NAT selector for Loopback9118: org3 VLAN only, never towards
! 192.168.0.0/16.
' deny   ip any 192.168.0.0 0.0.255.255
' permit ip 192.168.50.0 0.0.0.255 any
' deny   ip any any
!
! RADIUS requests are sourced from the org3 VLAN address (the server is at
! 192.168.50.2, same VLAN).
ip radius source-interface FastEthernet0/0.50
! NOTE(review): trap level is set, but no "logging host" is visible in this
! excerpt — if there is none, nothing leaves the 51200-byte buffer and the
! audit trail dies with the next reload.
logging trap debugging
! Standard ACL 90: three management hosts (VPN address .130, .0.2, .0.254).
! NOTE(review): it is not referenced anywhere in this config; it looks like
! the intended "access-class 90 in" for the vty lines / "ip http
! access-class 90".
access-list 90 permit 192.168.200.130
access-list 90 permit 192.168.0.2
access-list 90 permit 192.168.0.254
access-list 90 deny   any
! 101/102: in/out filters for FastEthernet0/1 (192.168.100.0/24). The whole
! /24 may talk to the router; only 192.168.100.0/29 reaches the shared hosts
! and the upper half of the VPN pool.
access-list 101 permit ip 192.168.100.0 0.0.0.255 host 192.168.100.254
access-list 101 permit ip 192.168.100.0 0.0.0.7 host 192.168.0.254
access-list 101 permit ip 192.168.100.0 0.0.0.7 host 192.168.0.250
access-list 101 permit ip 192.168.100.0 0.0.0.7 192.168.200.128 0.0.0.127
access-list 101 deny   ip any any
access-list 102 permit ip host 192.168.100.254 192.168.100.0 0.0.0.255
access-list 102 permit ip host 192.168.0.254 192.168.100.0 0.0.0.7
access-list 102 permit ip host 192.168.0.250 192.168.100.0 0.0.0.7
access-list 102 permit ip 192.168.200.128 0.0.0.127 192.168.100.0 0.0.0.7
access-list 102 deny   ip any any
! 103: NAT selector (Loopback4418) for the shared segment and the PPTP
! pool; traffic towards the 192.168.100.0/24 LAN is left untranslated.
access-list 103 deny   ip 192.168.200.128 0.0.0.127 192.168.100.0 0.0.0.255
access-list 103 deny   ip host 192.168.0.254 192.168.100.0 0.0.0.255
access-list 103 deny   ip host 192.168.0.250 192.168.100.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 deny   ip any any
! 106/107/108 are not applied anywhere in this config. 107/108 have the
! shape of an in/out pair for FastEthernet0/0.150 (shared segment + VPN
! clients), which currently has no access-group at all.
access-list 106 permit ip any 192.168.0.0 0.0.255.255
access-list 107 permit ip host 192.168.0.9 any
access-list 107 permit ip host 192.168.0.17 192.168.0.0 0.0.255.255
access-list 107 permit ip host 192.168.0.254 any
access-list 107 permit ip host 192.168.0.250 any
access-list 107 permit ip any host 192.168.200.130
access-list 107 deny   ip any any
access-list 108 permit ip any host 192.168.0.9
access-list 108 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.17
access-list 108 permit ip any host 192.168.0.254
access-list 108 permit ip any host 192.168.0.250
access-list 108 permit ip host 192.168.200.130 any
access-list 108 deny   ip any any
! CDP off globally (and per subinterface above) — no topology leakage to
! the ISPs.
no cdp run
!
route-map org3_map permit 10
! PBR for the org3 VLAN: Internet-bound packets (map_right) are handed to
! the org3 ISP gateway; non-matching packets (own prefixes, 192.168/16)
! fall through to the routing table.
! NOTE(review): no "verify-availability" — the gateway's /32 route points
! at a subinterface of a physical port that stays up, so if the org3
! uplink is down beyond the first hop these packets are blackholed instead
! of falling back to the default route. "set ip next-hop verify-availability
! ZZZ.ZZZ.91.17 10 track <n>" with an IP SLA probe fixes that.
match ip address map_right
set ip next-hop ZZZ.ZZZ.91.17
!
route-map org2_map permit 10
! PBR for the org2 VLAN: same structure as org3_map, next hop is the org2
! ISP gateway. Same caveat: without "verify-availability" + tracking, an
! upstream failure blackholes org2 instead of failing over to the default.
match ip address map_right
set ip next-hop YYY.YYY.164.169
!
!
!
! RADIUS for PPP authentication/authorization/accounting. The shared secret
! is stored type-7 (reversible). RADIUS itself only MD5-obfuscates password
! attributes and the MPPE key attributes with this secret, so the secret's
! strength and the integrity of the org3 VLAN path to .50.2 are what protect
! the VPN credentials and session keys.
radius-server host 192.168.50.2 auth-port 1812 acct-port 1813
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
! Empty control-plane section: no CoPP service-policy protects the CPU from
! the "any any eq 22" / ICMP / GRE traffic the *_ext_in ACLs admit.
control-plane
!
! Pre-login banner (no system information disclosed — good).
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
! Console login uses the AAA default (local users). Only outbound telnet is
! allowed from the session. No exec-timeout is set, so the 10-minute default
! applies.
transport output telnet
line aux 0
! NOTE(review): the AUX port keeps an EXEC. If no modem is attached,
! "no exec" and "transport input none" remove it.
transport output telnet
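line vty 0 4
! Every authenticated user lands directly in privileged EXEC (level 15),
! bypassing the enable secret. With "aaa authorization exec default local"
! a per-user privilege on the username entry (not in this excerpt) may
! override it — verify which one actually applies.
privilege level 15
! SSH only. Telnet was also accepted, carrying the local login credentials
! in the clear to any LAN/VPN host that can reach a router address. Port 22
! is additionally open from the Internet to the router through the
! "permit tcp any any eq 22" rules in the *_ext_in ACLs. Check "show ip ssh"
! reports SSH enabled before applying, and prefer "ip ssh version 2".
! NOTE(review): no access-class is applied; ACL 90 (three management hosts)
! looks like the intended "access-class 90 in" — apply it once confirmed,
! otherwise every host that can reach the router may attempt logins.
transport input ssh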
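line vty 5 15
! Same policy as vty 0-4: direct privileged EXEC, SSH only (telnet removed —
! cleartext credentials), no access-class yet (ACL 90 is the candidate).
privilege level 15
transport input ssh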
!
! Guarantees 1000 µs of process time per 20000 µs of interrupt-level packet
! switching, so a packet flood cannot starve the control plane completely.
scheduler allocate 20000 1000
!
end

 
