CarTer
Posted October 2, 2008

Good evening.

Please help me set up a Cisco 7200 to collect incoming and outgoing traffic on an interface, preferably with ip flow ingress and ip flow egress. Clients reach the Internet through VPN + NAT.

Here is the router config:

vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface GigabitEthernet0/1
 ip address 84.53.173.90 255.255.255.248
 ip access-group anti-spoofing in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/2
 ip address 10.115.200.229 255.255.255.0
 ip access-group base-firewall in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
 duplex half
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/2
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/2.1
 description Radius
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group base-firewall in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
 no snmp trap link-status
 no cdp enable
!
interface GigabitEthernet0/2.2
 description pptp server
 encapsulation dot1Q 3
 ip address 192.168.1.1 255.255.255.0
 ip access-group base-firewall in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
 no snmp trap link-status
 pppoe enable group global
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/2.2
 ip access-group base-firewall in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
 ip route-cache policy
 ip route-cache flow
 autodetect encapsulation ppp
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
ip classless
ip route 0.0.0.0 0.0.0.0 84.53.203.217
no ip http server
no ip http secure-server
!
ip flow-export source GigabitEthernet0/2.1
ip flow-export version 5
ip flow-export destination 192.168.2.2 9996
!
ip nat inside source list NAT_LAN_Staff interface GigabitEthernet0/1 overload
!
ip access-list extended NAT_LAN_Staff
 permit ip 10.115.200.0 0.0.0.255 any
 permit ip 10.200.0.0 0.0.255.255 any
 deny ip any any
ip access-list extended anti-spoofing
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 7.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip host 172.18.20.39 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny udp any any eq 445
 deny udp any any eq 4444
 deny tcp any any eq 135
 deny tcp any any eq 445
 deny tcp any any eq 4444
 deny tcp any any eq 139
 deny udp any any eq 135
 deny udp any any eq netbios-ss
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 permit ip any any
ip access-list extended base-firewall
 deny udp any any eq 445
 deny udp any any eq 4444
 deny tcp any any eq 135
 deny tcp any any eq 445
 deny tcp any any eq 4444
 deny tcp any any eq 139
 deny udp any any eq 135
 deny udp any any eq netbios-ss
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 permit ip any any
!
ip radius source-interface GigabitEthernet0/2.1
logging alarm informational
access-list 99 permit 10.115.200.0 0.0.0.255
access-list 99 deny any
access-list 2020 permit icmp any any echo-reply
no cdp run
!
radius-server configure-nas
radius-server host 192.168.2.2 auth-port 1813 acct-port 1813
radius-server timeout 30
radius-server key 7 15000A080D3F38

Thanks in advance.
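An added example, not part of the original post: a small NetFlow v5 parser for what the config above exports to 192.168.2.2 port 9996, run over a constructed datagram, so the collector side can confirm that every flow is counted as ingress on its input ifIndex and egress on its output ifIndex. The ifIndex numbers (7 for the Virtual-Template side, 2 for GigabitEthernet0/1) and the flow addresses in the sample are assumptions for illustration.

```python
import socket
import struct
from collections import defaultdict

HEADER_FMT = "!HHIIIIBBH"                  # NetFlow v5 header, 24 bytes
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"    # NetFlow v5 flow record, 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)

def parse_v5(datagram: bytes):
    """Parse one v5 export datagram into (header dict, list of record dicts)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, seq,
     _etype, _eid, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: fewer records than the header claims")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    # low 14 bits of the sampling field hold the interval; top 2 bits the mode
    return {"seq": seq, "count": count, "sampling": sampling & 0x3FFF}, records

def bytes_per_interface(records):
    """Sum bytes per ifIndex: ingress on the input interface, egress on the output."""
    totals = defaultdict(lambda: {"ingress": 0, "egress": 0})
    for r in records:
        totals[r["in_if"]]["ingress"] += r["bytes"]
        totals[r["out_if"]]["egress"] += r["bytes"]
    return dict(totals)

def build_record(src, dst, in_if, out_if, pkts, octets, sport, dport, proto):
    """Build one constructed v5 record (test data, not captured traffic)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", in_if, out_if, pkts, octets, 0, 0,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 0, 0)

# Constructed sample: a PPTP client (ifIndex 7 assumed) talking through Gi0/1 (ifIndex 2 assumed)
SAMPLE = (struct.pack(HEADER_FMT, 5, 2, 1000, 1222900000, 0, 10, 0, 0, 0)
          + build_record("10.200.1.5", "84.53.173.90", 7, 2, 10, 1500, 51000, 80, 6)
          + build_record("84.53.173.90", "10.200.1.5", 2, 7, 8, 6400, 80, 51000, 6))
```

Feed real datagrams received on UDP 9996 into parse_v5 to check the per-interface split matches what the router's ingress and egress counters show.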