Исходное сообщение
"route-map или динамический АСЛ для ната" Отправлено AlexFirst, 02-Ноя-06 18:40
Народ - подскажите - что не так в конфиге? Оно работает... но как-то криво, по-моему (загрузка циски под 80-90%, но трафик прокидывается замечательно) Может чего еще упустил по незнанию.. : no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime localtime service timestamps log datetime localtime no service password-encryption service compress-config no service single-slot-reload-enable .. clock timezone MSK 3 clock summer-time MSD recurring ip subnet-zero no ip bootp server ip cef table consistency-check type lc-detect ip cef table consistency-check type scan-lc ip cef table consistency-check type scan-rp ip cef table consistency-check type scan-rib ip cef distributed ip cef linecard ipc memory 15000 ip audit notify log ip audit po max-events 100 no crypto isakmp enable ! call rsvp-sync interface Tunnel1 bandwidth 1024 ip address 192.168.1.2 255.255.255.252 tunnel source FastEthernet0/0/0 tunnel destination 213.888.888.223 ! interface FastEthernet0/0/0 ip address 213.888.888.111 255.255.255.252 ip access-group 150 in ip nat outside no ip mroute-cache full-duplex no cdp enable ! interface FastEthernet0/1/0 ip address 213.888.888.111 255.255.255.192 secondary ip address 61.888.888.888 255.255.255.192 secondary ip address 10.0.0.1 255.0.0.0 ip access-group 155 in ip nat inside service-policy output Global ip route-cache policy no ip mroute-cache ip policy route-map Global full-duplex no cdp enable ! ip nat translation timeout 3600 ip nat translation tcp-timeout 900 ip nat translation pptp-timeout 1800 ip nat translation udp-timeout 30 ip nat translation dns-timeout 5 ip nat translation icmp-timeout 5 ip nat translation port-timeout tcp 80 15 ip nat translation port-timeout tcp 1600 10 ip nat translation port-timeout tcp 8080 10 ip nat translation port-timeout tcp 110 60 ip nat translation port-timeout tcp 25 60 ip nat translation port-timeout tcp 2041 10 ip nat translation port-timeout tcp 2042 10 ip nat translation port-timeout tcp 4662 5 ip nat pool ComcorNATPool 213.888.888.111 213.888.888.111 netmask 255.255.255.248 ip nat inside source route-map ComcorNAT pool ComcorNATPool overload ip classless ip route 0.0.0.0 0.0.0.0 213.888.888.222 no ip http server ip http authentication local ! logging trap debugging logging facility local0 logging source-interface FastEthernet0/0/0 access-list 100 remark Routing for 10.x access access-list 100 permit tcp host 10.111.111.1 any access-list 100 permit tcp host 10.111.121.3 any access-list 100 permit tcp host 10.111.111.22 any access-list 100 permit tcp host 10.10.11.56 any access-list 100 permit tcp host 10.11.13.34 any ..... дофига записей в этом ACL-100, добавляются-удаляются скриптом для предоставления инета пользователю (через NAT) ..... access-list 101 remark For NAT access-list 101 permit ip 10.0.0.0 0.255.255.255 any access-list 102 remark For drop all packets from routing access-list 102 permit ip any any access-list 105 remark Routing for permanent-host access access-list 105 permit tcp any host 213.180.204.3 eq www access-list 105 permit tcp any host 217.119.29.201 eq 8100 access-list 105 permit tcp any host 82.140.102.72 eq 8100 access-list 105 permit tcp any host 195.239.63.58 eq www access-list 105 permit tcp any host 195.239.63.40 eq www access-list 105 permit tcp any host 195.239.63.40 eq 8128 access-list 105 permit tcp any host 195.239.63.41 eq 8128 access-list 105 permit tcp any host 217.119.29.197 eq 8128 access-list 105 permit tcp any host 213.180.204.20 eq www access-list 105 permit tcp any host 82.140.102.71 eq www access-list 105 permit tcp any host 213.180.204.32 eq www access-list 105 permit tcp any host 213.180.204.23 eq www access-list 105 permit tcp any host 213.180.204.24 eq www access-list 105 permit tcp any 213.180.204.0 0.0.0.63 eq 443 access-list 150 remark Rules for incoming packets to f0 access-list 150 deny   udp any any range 135 netbios-ss access-list 150 deny   tcp any any range 135 139 access-list 150 deny   tcp any any eq 445 access-list 150 deny   tcp any any range 1025 1027 access-list 150 permit ip any any access-list 155 remark Filter of incoming packets to f1 access-list 155 permit ip host 0.0.0.0 host 255.255.255.255 access-list 155 deny   ip any host 255.255.255.255 access-list 155 deny   ip any host 213.888.88.255 access-list 155 deny   ip any host 61.888.888.255 access-list 155 deny   ip any host 10.255.255.255 access-list 155 permit icmp 10.0.0.0 0.255.255.255 any access-list 155 deny   tcp any any range 1025 1027 access-list 155 deny   udp any any range 135 netbios-ss access-list 155 deny   tcp any any range 135 139 access-list 155 deny   tcp any any eq 445 access-list 155 deny   ip any 192.168.0.0 0.0.255.255 access-list 155 permit ip 10.0.0.0 0.255.255.255 any access-list 155 permit ip 61.888.888.192 0.0.0.63 any access-list 155 permit ip 213.888.888.888 0.0.0.63 any access-list 156 remark Routing permit for static IPs access-list 156 permit ip host 61.888.888.111 any access-list 156 permit ip host 61.888.888.222 any ..... некоторое кол-во записей в этом ACL-156, добавляются-удаляются скриптом для предоставления инета пользователю (с прямыми айпишниками) ..... access-list 160 remark For policy-map tunneling access-list 160 permit ip any host 192.888.888.888 access-list 160 permit tcp any host 192.888.888.888 eq 88888 .... no cdp run route-map Global permit 10 match ip address 160 set ip next-hop 192.168.1.1 ! route-map Global permit 20 match ip address 100 set ip next-hop 213.888.888.222 ! route-map Global permit 30 match ip address 156 set ip next-hop 213.888.888.222 ! route-map Global permit 40 match ip address 105 set ip next-hop 213.888.888.222 ! route-map Global permit 50 match ip address 102 set interface Null0 ! route-map ComcorNAT permit 10 match ip address 101 match interface FastEthernet0/0/0 ! -------------------------- Вот можно поправить в этом конфиге, уважаемые гуру?