


    CBAC (Cisco IOS Firewall Feature Set) + NAT

!
! CBAC inspection rule set "INET": each line names one protocol whose sessions
! are tracked statefully. The rule set is applied inbound on Vlan2, so it
! follows sessions opened from the LAN side and opens temporary return paths
! through the inbound ACL on FastEthernet0.
! NOTE(review): no generic "udp" inspection is listed, so replies to UDP
! sessions opened from the LAN (e.g. DNS) appear to fall to "deny ip any any"
! in Input-Traf1 - confirm how clients resolve names.
! NOTE(review): "router-traffic" extends inspection to sessions terminating on
! or originating from the router itself; with the rule applied only inbound on
! Vlan2, verify that router-originated sessions leaving FastEthernet0 are
! actually covered.
ip inspect name INET http
ip inspect name INET https
ip inspect name INET ftp
ip inspect name INET icmp router-traffic
ip inspect name INET smtp
ip inspect name INET tcp router-traffic
!
!
! Outside (untrusted) interface: marked "ip nat outside" and filtered inbound
! by the extended ACL Input-Traf1.
! NOTE(review): 10.1.1.1 is an RFC 1918 address, so this is presumably a lab
! value or the router sits behind another upstream device - TODO confirm.
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group Input-Traf1 in
 ip nat outside
!
!
! Inside (LAN) interface: marked "ip nat inside"; the CBAC rule set INET
! inspects traffic entering from the LAN.
! No inbound ACL is applied here, so LAN hosts are not restricted in what they
! may send; only sessions matching an INET protocol get return openings.
! "ip nbar protocol-discovery" only collects per-protocol statistics; it does
! not filter anything.
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip inspect INET in
!
! First line: PAT (overload) - sources matched by access-list 2 are translated
! to the address of FastEthernet0.
! Next two lines: static port forwards that publish TCP 8080 and TCP 3389 on
! the outside address 10.1.1.1.
! NOTE(review): the inside-local address 192.168.10.1 is the router's own Vlan2
! address, not a LAN host. If the intent is to reach an internal server, this
! is likely the wrong target - verify.
! NOTE(review): 3389 (RDP) is published to the outside and Input-Traf1 permits
! it from "any". Restrict the allowed sources in the ACL, or reach it over a
! VPN instead of a public port forward.
ip nat inside source list 2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.10.1 8080 10.1.1.1 8080 extendable no-alias
ip nat inside source static tcp 192.168.10.1 3389 10.1.1.1 3389 extendable no-alias   
!
! Inbound filter for FastEthernet0. Despite the remark text, the entries are
! permits to the router's outside address (TCP 22, 8080, 3389 and ICMP)
! followed by an explicit deny of everything else.
! Return traffic for LAN-initiated sessions is admitted by CBAC's temporary
! openings, not by the static entries in this list.
! NOTE(review): SSH (22), 8080 and RDP (3389) are open from "any" source;
! narrow these to known management or client networks where possible.
! NOTE(review): "permit icmp any host 10.1.1.1" admits every ICMP type;
! consider limiting it to the types actually needed.
! NOTE(review): the final deny has no "log" keyword, so dropped traffic is
! only visible through the entry's match counter.
ip access-list extended Input-Traf1
 remark --------- Deny traf-in ---------
 permit tcp any host 10.1.1.1 eq 22
 permit tcp any host 10.1.1.1 eq 8080
 permit tcp any host 10.1.1.1 eq 3389
 permit icmp any host 10.1.1.1
 deny   ip any any
!
! Standard ACL 2 is the match list referenced by "ip nat inside source list 2":
! sources in 192.168.10.0/24 (wildcard mask 0.0.0.255) are eligible for PAT.
! It is not applied to any interface as a packet filter in this listing.
access-list 2 remark --------- NAT ---------
access-list 2 permit 192.168.10.0 0.0.0.255
!