- Configuring a second internal interface, ВОЛКА, 12:00, 21-Mar-03 (1)
- Configuring a second internal interface, SergVB, 12:51, 21-Mar-03 (2)
>show the config...

Original configuration with a single Ethernet:

...
version 12.1
...
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
ip inspect name Serial_0_0 tcp
ip inspect name Serial_0_0 udp
ip inspect name Serial_0_0 smtp
ip inspect name Serial_0_0 http
ip inspect name Async_65 tcp
ip inspect name Async_65 udp
ip inspect name Async_65 cuseeme
ip inspect name Async_65 ftp
ip inspect name Async_65 h323
ip inspect name Async_65 rcmd
ip inspect name Async_65 realaudio
ip inspect name Async_65 smtp
ip inspect name Async_65 streamworks
ip inspect name Async_65 vdolive
ip inspect name Async_65 sqlnet
ip inspect name Async_65 tftp
...
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 10.2.10.1 255.255.0.0
 ip access-group 100 in
 ip accounting output-packets
 ip nat inside
 ip inspect Ethernet_0_0 in
 ip route-cache flow
 half-duplex
 no cdp enable
!
interface Serial0/0
 description connected to Internet
 bandwidth 128
 ip address xxx.xxx.xxx.138 255.255.255.252
 ip access-group 101 in
 ip accounting output-packets
 ip nat outside
 ip inspect Serial_0_0 in
 ip audit IDS in
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
!
interface Ethernet0/1
 no ip address
 ip nat inside
 shutdown
 half-duplex
 no cdp enable
!
interface Async65
 description connected to Dial-inPCs(modem)
 ip unnumbered Ethernet0/0
 ip access-group 103 in
 ip accounting output-packets
 ip nat inside
 ip inspect Async_65 in
 ip audit IDS in
 encapsulation ppp
 ip route-cache flow
 ip tcp header-compression
 no ip mroute-cache
 async mode interactive
 peer default ip address 10.2.11.4
 no cdp enable
 ppp authentication chap
!
router ospf 10
 log-adjacency-changes
 network 10.2.0.0 0.0.255.255 area 0
!
ip nat pool cisco-natpool-1 xxx.xxx.xxx.233 xxx.xxx.xxx.238 netmask 255.255.255.248
ip nat inside source list 1 pool cisco-natpool-1 overload
ip nat inside source static 10.2.11.203 xxx.xxx.xxx.235
ip nat inside source static 10.2.11.100 xxx.xxx.xxx.234
ip nat inside source static tcp 10.2.10.8 xxx.xxx.xxx.238
ip nat inside source static 10.2.10.110 xxx.xxx.xxx.237
ip nat inside source static 10.2.11.204 xxx.xxx.xxx.236
!
ip flow-export source Ethernet0/0
ip flow-export version 5
ip flow-export destination 10.2.11.100 3012
!
...
access-list 1 permit 10.2.11.1
access-list 1 permit 10.2.11.4
access-list 1 permit 10.2.10.8
access-list 1 permit 10.2.10.13
access-list 1 permit 10.2.11.102
access-list 1 permit 10.2.11.101
access-list 1 permit 10.2.10.185
access-list 100 permit tcp any any established
access-list 100 deny udp any any range netbios-ns netbios-ss
access-list 100 deny tcp any any range 137 139
access-list 100 deny tcp any any eq gopher
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host xxx.xxx.xxx.234 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.238 eq www
access-list 101 permit icmp any host xxx.xxx.xxx.138
access-list 101 permit tcp xxx.xxx.xxx.192 0.0.0.63 host xxx.xxx.xxx.235 eq 1352 log
access-list 101 permit icmp any host xxx.xxx.xxx.234
access-list 101 permit icmp any host xxx.xxx.xxx.236
access-list 103 permit tcp any any established
access-list 103 permit tcp any host 10.2.11.100 eq pop3
access-list 103 permit tcp any host 10.2.11.100 eq smtp
access-list 103 permit tcp any host 10.2.11.100 eq www
access-list 103 permit udp any host 10.2.11.100 eq domain
...