Вот конфиг, немного поправил заводской под свои нужды:
object-group service ssh
port-range 22
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service ntp
port-range 123
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default info
username admin
password encrypted XXXXXXXX
exit
boot host auto-config
vlan 2
exit
domain lookup enable
domain name-server 77.88.8.8
domain name-server 8.8.8.8
security zone trusted
exit
security zone untrusted
exit
bridge 1
vlan 1
security-zone trusted
ip address 192.168.1.6/19
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip firewall disable
ip address 176.XXX.XXX.182/22
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface gigabitethernet 1/0/5
mode switchport
exit
interface gigabitethernet 1/0/6
mode switchport
exit
interface gigabitethernet 1/0/7
mode switchport
exit
interface gigabitethernet 1/0/8
mode switchport
exit
interface gigabitethernet 1/0/9
mode switchport
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port ssh
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port ntp
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_client
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool lan-pool
network 192.168.1.0/24
address-range 192.168.1.2-192.168.1.254
default-router 192.168.1.6
dns-server 77.88.8.8,8.8.8.8
exit
ip route 0.0.0.0/0 176.XXX.XXX.181
ip ssh server
ntp enable
ntp broadcast-client enable
pbx
ruleset from_ssw
rule 1
description "Incoming call from trunk"
pattern '_${ST_PREFIX}XXXX,1,Dial(SIP/${EXTEN:4})'
enable
exit
exit
ruleset main_rule
rule 1
description "Local call"
pattern '_00[1-5],1,Dial(SIP/${EXTEN},,t)'
enable
exit
rule 2
description "Outgoing call to fxo"
pattern '_9XXX,1,Dial(SIP/004/004${EXTEN:1})'
enable
exit
rule 3
description "CGPN Modification"
pattern '_56XXX,1,Set(CALLERID(num)=${ST_PREFIX}${CALLERID(num)})'
enable
exit
rule 4
description "Outgoing call to trunk"
pattern '_56XXX,n,Dial(SIP/trunk_SSW/${EXTEN})'
enable
exit
rule 5
description "Call on IVR"
pattern '0000,1,Goto(menu,s,1)'
enable
exit
exit
profile fxs_ports
client friend
codec allow g711a
codec allow g711u
nat comedia
qualify 10000
ruleset main_rule
exit
profile trunk_SSW
type external
client friend
codec allow g711a
codec allow g711u
security level invite-port
nat comedia
qualify 10000
host-address 192.168.1.2
ruleset from_ssw
exit
profile fxo_ports
client friend
codec allow g711a
codec allow g711u
security level invite-port
nat comedia
qualify 10000
ruleset main_rule
exit
profile sip_phones
client friend
codec allow g711a
codec allow g711u
codec allow g722
codec allow g726
nat comedia
qualify 10000
ruleset main_rule
exit
register-server SSW
ip address 192.168.1.2
ip port 5060
profile trunk_SSW
username ssw
exit
user 001
profile fxs_ports
exit
user 002
profile fxs_ports
exit
user 003
profile fxs_ports
exit
user 004
profile fxo_ports
exit
user 005
profile sip_phones
exit
enable
exit
Подскажите, что нужно поправить, чтобы у клиентов был выход в интернет, если у них статические адреса, а в качестве адреса DNS-сервера прописан адрес роутера (192.168.1.6)?