Немного о NAT на Cisco ACE...

Долгие пляски с бубном привели примерно к такой конфигурации:

!Logging: level-6 (informational) syslog to the collector over UDP/514, also
!from the standby unit, with timestamps and the context name in every message;
!a level-6 local buffer is kept as well.
logging enable
logging standby
logging timestamp
logging trap 6
logging buffered 6
!syslog facility 19 = local3
logging facility 19
logging device-id context-name
!NOTE(review): plain UDP syslog is neither authenticated nor reliable; keep the
!collector reachable only from the management side. This same host is also
!given a public address by the StaticNAT policy further down.
logging host 192.168.150.220 udp/514
!Suppress the noisy per-flow messages.
!NOTE(review): 302022-302027 are the TCP/UDP connection build/teardown messages
!and 305011/305012 the translation (xlate) build/teardown messages. With PAT
!pools in use, dropping both leaves no record of which inside host used which
!outside address:port at what time, so an abuse report against a pool address
!cannot be attributed to a subscriber. If attribution is required, keep at least
!305011/305012 (or export translations some other way). 106023 is the
!access-group deny message, so drops by the OUTSIDE list go unrecorded too.
!313004 is believed to be an ICMP-denied message -- confirm against the ACE
!system message guide.
no logging message 302022
no logging message 302023
no logging message 302024
no logging message 302025
no logging message 302026
no logging message 302027
no logging message 106023
no logging message 305011
no logging message 305012
no logging message 313004

!Network object group for the monitoring hosts.
!NOTE(review): not referenced by any access-list or class-map in this listing.
!The name coincides with the group/role named on the snmp-server community line
!below, but those are different namespaces -- this object group does not
!restrict SNMP access (that is done by class-map REMOTE_ACCESS).
object-group network Network-Monitor
host 192.168.150.198
host 192.168.150.199

!Access lists. Most of these are classification ACLs referenced from class-maps
!(NAT selection and connection parameters), not filters; only ANY and OUTSIDE
!are bound to an interface with access-group. In a classification ACL a "deny"
!entry means "not in this class" -- it does not drop anything.
!ANY: bound inbound on vlan 13 (inside); every inside host may open sessions.
access-list ANY line 10 extended permit ip any any

!Source ranges per subscriber tier. Only FULL_ACCESS is used in this listing
!(class-map FULL_NAT -> dynamic NAT into pool 1).
!NOTE(review): FINBLOCK_ACCESS and GUEST_ACCESS are not referenced by any
!class-map or access-group here, so whatever restrictions those tiers were meant
!to carry are not enforced by this configuration. The /15 and /12 masks are also
!very wide -- confirm they are intentional.
access-list FINBLOCK_ACCESS line 100 extended permit ip y.y.0.0 255.254.0.0 any

!/15 and /16 source ranges that get full dynamic NAT.
access-list FULL_ACCESS line 110 extended permit ip y.x.0.0 255.254.0.0 any
access-list FULL_ACCESS line 112 extended permit ip x.x.0.0 255.255.0.0 any
access-list FULL_ACCESS line 114 extended permit ip z.x.0.0 255.255.0.0 any

!/12 and /28 guest ranges -- unused in this listing (see note above).
access-list GUEST_ACCESS line 100 extended permit ip z.z.0.0 255.240.0.0 any
access-list GUEST_ACCESS line 110 extended permit ip y.z.2.0 255.255.255.240 any

!ICMP: all ICMP; used by class-map ICMP for both ICMP error inspection and the
!ICMP connection timeout.
access-list ICMP line 10 extended permit icmp any any
!INSIDE: NOTE(review): not referenced anywhere in this listing.
access-list INSIDE line 100 extended permit ip any any
!IP_Time: "IP that is not TCP, UDP or ICMP". The deny lines only exclude those
!protocols from the class; they do not block them.
access-list IP_Time line 7 extended deny tcp any any
access-list IP_Time line 8 extended deny udp any any
access-list IP_Time line 9 extended deny icmp any any
access-list IP_Time line 16 extended permit ip any any

!OUTSIDE: bound inbound on vlan 14 (outside). The ACE is stateful, so replies to
!sessions opened from the inside are matched by connection state; this list
!governs unsolicited inbound traffic. ICMP unreachable/time-exceeded are allowed
!so PMTUD and traceroute keep working.
access-list OUTSIDE line 10 extended permit icmp any any unreachable
access-list OUTSIDE line 20 extended permit icmp any any time-exceeded
!NOTE(review): this permits any protocol and any port from anywhere to the whole
!xx.xx.xx.16/28 block, which (going by the anonymised prefixes) contains the
!static NAT addresses .20, .22 and .27 -- i.e. 192.168.150.220 (the syslog
!collector), 192.168.153.34 and 192.168.153.48 are exposed on every port.
!Narrow this to the specific hosts and ports those services actually need.
access-list OUTSIDE line 30 extended permit ip any xx.xx.xx.16 255.255.255.240
access-list OUTSIDE line 40 extended deny ip any any

!Inside hosts that get a one-to-one static translation (policy-map StaticNAT).
!NOTE(review): 192.168.150.220 is the syslog collector from the logging section;
!a static public address makes it reachable from the outside on whatever the
!OUTSIDE list permits, which (going by the anonymised prefixes) is "ip any" to
!its /28.
access-list StaticNAT-10 line 8 extended permit ip host 192.168.153.48 any
access-list StaticNAT-20 line 8 extended permit ip host 192.168.150.220 any
access-list StaticNAT-30 line 8 extended permit ip host 192.168.153.34 any

!TCP/UDP: classification for the TIMERS policy.
!NOTE(review): the deny entries for 21-23 (FTP/SSH/telnet), 3389 (RDP) and pptp
!do NOT block those ports -- this ACL is only referenced by class-map TCP, so
!"deny" merely keeps that traffic out of the class. Since IP_Time excludes TCP as
!well, such sessions match no TIMERS class and run with the ACE default
!connection parameters. If the intent was to block these services, the deny
!lines belong in an access-group ACL (ANY or OUTSIDE).
access-list TCP line 5 extended deny tcp any any range 21 23
access-list TCP line 6 extended deny tcp any any eq 3389
access-list TCP line 7 extended deny tcp any any eq pptp
access-list TCP line 10 extended permit tcp any any

!UDP: all UDP.
access-list UDP line 10 extended permit udp any any

!Server hosts translated by class SERVER_NAT (policy-map ABON_NAT).
access-list server_NAT line 10 extended permit ip host 192.168.131.138 any
access-list server_NAT line 11 extended permit ip host 192.168.131.152 any
access-list server_NAT line 20 extended permit ip host 192.168.131.202 any

!Connection parameter-maps, attached per class by the TIMERS policy-map.
!Inactivity timeouts are in seconds: ICMP 4, UDP 30, TCP 120, other IP 120.
!These are short; they keep the connection/translation tables small but will
!tear down any TCP session idle for more than two minutes (SSH, DB sessions,
!long polls) -- raise TCP-timeout if that bites.
parameter-map type connection ICMP-timeout
set timeout inactivity 4
parameter-map type connection TCP-timeout
set timeout inactivity 120
!half-closed TCP connections are dropped after 60 s
set tcp timeout half-closed 60
!TCP option handling: window scale factor 4; let SACK, timestamps and window
!scaling pass through; exceed-mss allow forwards segments larger than the
!negotiated MSS instead of dropping them.
set tcp window-scale 4
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
exceed-mss allow
!generic timeout for non-TCP/UDP/ICMP IP traffic (class IP_Time)
parameter-map type connection Timeouts
set timeout inactivity 120
parameter-map type connection UDP-timeout
set timeout inactivity 30

!Class-maps. The layer-3/4 classes key on the ACLs above; match-all/match-any
!make no difference with a single match line.
!NOTE(review): class-map ANY is not referenced by any policy-map in this listing.
class-map match-all ANY
2 match any

!Selectors for the three static NAT rules and for the dynamic NAT classes.
class-map match-any Class-StaticNAT-10
2 match access-list StaticNAT-10
class-map match-any Class-StaticNAT-20
2 match access-list StaticNAT-20
class-map match-any Class-StaticNAT-30
2 match access-list StaticNAT-30
class-map match-any FULL_NAT
2 match access-list FULL_ACCESS
class-map match-all ICMP
2 match access-list ICMP
class-map match-any IP_Time
2 match access-list IP_Time
!Management class (traffic addressed to the ACE itself): ICMP from any source,
!SNMP only from 192.168.150.203. No SSH/telnet/HTTPS is permitted here; if this
!is the only management policy, CLI access to this context presumably comes via
!another context -- not visible in this listing.
class-map type management match-any REMOTE_ACCESS
4 match protocol icmp any
6 match protocol snmp source-address 192.168.150.203 255.255.255.255
class-map match-any SERVER_NAT
2 match access-list server_NAT
class-map match-all TCP
2 match access-list TCP
class-map match-all UDP
2 match access-list UDP

!Management policy (bound on vlan 13 only): permit what REMOTE_ACCESS matches.
!Traffic to the ACE itself that matches no management class is denied by ACE
!default, so ICMP and SNMP-from-.203 are the only services answered on the
!inside.
policy-map type management first-match REMOTE_ACCESS_POLICY
class REMOTE_ACCESS
permit

!ICMP error inspection: rewrite the embedded IP header of ICMP error messages to
!match the translation, so unreachables/time-exceeded (PMTUD, traceroute) reach
!the right inside host. Bound on both interfaces.
policy-map multi-match ICMP
class ICMP
inspect icmp error

!One-to-one static NAT (inside host -> fixed public address on vlan 14).
!NOTE(review): all three public addresses fall inside the xx.xx.xx.16/28 that
!ACL OUTSIDE opens with "permit ip any" (going by the anonymised prefixes), so
!these hosts -- including the syslog collector 192.168.150.220 -- are reachable
!from the outside on every port.
policy-map multi-match StaticNAT
!192.168.153.48
class Class-StaticNAT-10
nat static xx.xx.xx.27 netmask 255.255.255.255 vlan 14
!192.168.150.220 (syslog collector)
class Class-StaticNAT-20
nat static xx.xx.xx.20 netmask 255.255.255.255 vlan 14
!192.168.153.34
class Class-StaticNAT-30
nat static xx.xx.xx.22 netmask 255.255.255.255 vlan 14

!Attach the connection parameter-maps per protocol class. The classes are
!mutually exclusive by protocol; a flow that matches none of them (e.g. TCP on
!the ports ACL TCP denies) keeps the ACE default parameters.
policy-map multi-match TIMERS
class UDP
connection advanced-options UDP-timeout
class ICMP
connection advanced-options ICMP-timeout
class IP_Time
connection advanced-options Timeouts
class TCP
connection advanced-options TCP-timeout

!Dynamic NAT/PAT: subscriber ranges (FULL_ACCESS) into pool 1, servers into a
!separate pool.
!NOTE(review): "nat dynamic 3 vlan 14" references NAT pool 3, but vlan 14 only
!defines pools 1 and 4 in this listing, while pool 4 (single PAT address
!xx.xx.xy.2) is referenced by nothing. Unless pool 3 is configured outside this
!listing, SERVER_NAT traffic has no pool to translate into; pool 4 looks like the
!intended target -- verify on the box.
policy-map multi-match ABON_NAT
class FULL_NAT
nat dynamic 1 vlan 14
class SERVER_NAT
nat dynamic 3 vlan 14
!translation entries for the server class expire after 60 idle seconds
timeout xlate 60

!Inside interface (vlan 13). Active/standby pair: .51 local, .50 peer, .49 the
!shared alias that inside hosts route to.
interface vlan 13
description NAT_in
ip address 192.168.255.51 255.255.255.248
alias 192.168.255.49 255.255.255.248
peer ip address 192.168.255.50 255.255.255.248
mtu 1500
!fragment chain 1: at most one fragment per datagram, i.e. fragmented packets
!are dropped rather than reassembled. This blocks fragment-based evasion but
!also breaks legitimately fragmented traffic (large UDP such as EDNS or IKE) --
!confirm this is acceptable for the subscribers.
fragment chain 1
!anything from the inside may open a session
access-group input ANY
service-policy input ICMP
!management policy (ICMP + SNMP from .203) is bound on the inside only
service-policy input REMOTE_ACCESS_POLICY
service-policy input StaticNAT
service-policy input ABON_NAT
service-policy input TIMERS
no shutdown

!Outside interface (vlan 14). Same active/standby layout as vlan 13.
interface vlan 14
description NAT_out
ip address 192.168.255.59 255.255.255.248
alias 192.168.255.57 255.255.255.248
peer ip address 192.168.255.58 255.255.255.248
mtu 1500
!fragmented packets are dropped here too (see vlan 13)
fragment chain 1
!unsolicited inbound traffic is filtered by ACL OUTSIDE; no management policy is
!bound here, so the ACE answers nothing addressed to itself from the outside
access-group input OUTSIDE
!NAT pools. Pool 1 has two ranges: xx.xx.yy.1-.30 with PAT (port overload) and
!zz.zz.224.0/19 without PAT (a dedicated public address per inside host for the
!life of the translation). Pool 4 is a single PAT address.
!NOTE(review): no policy in this listing references pool 4, and class SERVER_NAT
!references pool 3, which is not defined here -- check which one was meant.
!NOTE(review): with the translation syslog messages (305011/305012) suppressed
!above, PAT sessions from these pools cannot be attributed to an inside host.
nat-pool 1 xx.xx.yy.1 xx.xx.yy.30 netmask 255.255.255.224 pat
nat-pool 1 zz.zz.224.1 zz.zz.255.254 netmask 255.255.224.0
nat-pool 4 xx.xx.xy.2 xx.xx.xy.2 netmask 255.255.255.255 pat
service-policy input ICMP
service-policy input TIMERS
no shutdown

!Routing: default route via the outside gateway 192.168.255.60 (vlan 14 subnet);
!all of 192.168.0.0/16 via 192.168.255.52 (vlan 13 subnet).
!NOTE(review): the FULL_ACCESS subscriber ranges are shown anonymised; if they
!lie outside 192.168.0.0/16, return traffic to them needs routes toward vlan 13
!that are not in this listing -- confirm.
ip route 0.0.0.0 0.0.0.0 192.168.255.60
ip route 192.168.0.0 255.255.0.0 192.168.255.52

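!SNMP: v2c community mapped to the Network-Monitor group (presumably the ACE
!predefined read-only role, not the network object-group of the same name).
!Fixed: the original line had the community string fused with the "group"
!keyword ("...894group Network-Monitor"), which is not valid syntax; the trap
!line below shows the community is "kldjsifu84rjr894".
!NOTE(review): this community string has been published with this post, so
!treat it as compromised and rotate it. SNMPv2c carries it in cleartext;
!polling is only accepted from 192.168.150.203 on vlan 13 (class-map
!REMOTE_ACCESS), which limits but does not remove the exposure.
snmp-server community kldjsifu84rjr894 group Network-Monitor

!Trap destination (the SNMP poller), same community string.
snmp-server host 192.168.150.203 traps version 2c kldjsifu84rjr894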


Пы.Сы.: ACE штука конечно хорошая, но есть две "небольших проблемки": на NAT тянет не более 1.1 Mpps, после чего начинает дропать трафик, и иногда, при пока не выясненных обстоятельствах, дропает трафик для некоторых адресов по якобы неверной контрольной сумме (checksum). Будем надеяться, что вылечат.... Когда-нибудь... Софт был A2(3.0).