How do I fix just one host becoming unreachable on a Cisco 2951 when a certain computer appears on the network?

Good day.

There is a network. A 2951 faces the outside. One employee has a computer (a laptop), and when it appears on the network, the server mail0.*.ru becomes unreachable from all computers on the network: pings and tracert do not reach the destination. At the same time, the server pings fine from the 2951 itself.

With all that, from the Cisco itself:
Translating "mail0.*.ru"...domain server (8.8.8.8) [OK]

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 194.***.***.43, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms


After a reload the problem goes away... for half an hour.
There are no blocking ACLs, and clear ip nat trans * does not help. If the employee's laptop is not on the network, there is no problem reaching the server (this is the part I don't understand at all).

sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(1)T, RELEASE SOFTWARE (fc1) 
Technical Support: http://www.cisco.com/techsupport 
Copyright (c) 1986-2011 by Cisco Systems, Inc. 
Compiled Thu 21-Jul-11 18:24 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

NH_2951RO uptime is 36 minutes 
System returned to ROM by reload at 09:31:04 MSK Wed Dec 18 2013 
System restarted at 09:32:20 MSK Wed Dec 18 2013 
System image file is "flash:c2900-universalk9-mz.SPA.152-1.T.bin" 
Last reload type: Normal Reload 
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United 
States and local country laws governing import, export, transfer and 
use. Delivery of Cisco cryptographic products does not imply 
third-party authority to import, export, distribute or use encryption. 
Importers, exporters, distributors and users are responsible for 
compliance with U.S. and local country laws. By using this product you 
agree to comply with applicable laws and regulations. If you are unable 
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to 
export@cisco.com.

Cisco CISCO2921/K9 (revision 1.0) with 483328K/40960K bytes of memory. 
Processor board ID FCZ1533707Z 
4 Gigabit Ethernet interfaces 
1 terminal line 
1 Virtual Private Network (VPN) Module 
DRAM configuration is 64 bits wide with parity enabled. 
255K bytes of non-volatile configuration memory. 
255744K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

------------------------------------------------- 
Device#   PID                   SN 
------------------------------------------------- 
*0        CISCO2921/K9          

Technology Package License Information for Module:'c2900'

----------------------------------------------------------------- 
Technology    Technology-package           Technology-package 
              Current       Type           Next reboot 
------------------------------------------------------------------ 
ipbase        ipbasek9      Permanent      ipbasek9 
security      securityk9    RightToUse     securityk9 
uc            uck9          RightToUse     uck9 
data          datak9        Permanent      datak9

Configuration register is 0x2102


sh ip route
sh ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP 
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 
       E1 - OSPF external type 1, E2 - OSPF external type 2 
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 
       ia - IS-IS inter area, * - candidate default, U - per-user static route 
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP 
       + - replicated route, % - next hop override

Gateway of last resort is 94.140.2**.73 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 94.140.2**.73 
      94.0.0.0/8 is variably subnetted, 4 subnets, 2 masks 
C        94.140.2**.72/29 is directly connected, GigabitEthernet0/0 
L        94.140.2**.75/32 is directly connected, GigabitEthernet0/0 
L        94.140.2**.76/32 is directly connected, GigabitEthernet0/0 
L        94.140.2**.77/32 is directly connected, GigabitEthernet0/0 
      172.1.0.0/16 is variably subnetted, 2 subnets, 2 masks 
C        172.1.0.0/19 is directly connected, GigabitEthernet0/0/0.17 
L        172.1.0.1/32 is directly connected, GigabitEthernet0/0/0.17 
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks 
C        172.16.0.0/24 is directly connected, Loopback0 
L        172.16.0.1/32 is directly connected, Loopback0 
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0/0.1 
L        192.168.1.1/32 is directly connected, GigabitEthernet0/0/0.1 
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0/0.10 
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0/0.10 
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0/0.11 
L        192.168.11.1/32 is directly connected, GigabitEthernet0/0/0.11 
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.12.0/24 is directly connected, GigabitEthernet0/0/0.12 
L        192.168.12.1/32 is directly connected, GigabitEthernet0/0/0.12 
      192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.13.0/24 is directly connected, GigabitEthernet0/0/0.13 
L        192.168.13.1/32 is directly connected, GigabitEthernet0/0/0.13 
      192.168.14.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.14.0/24 is directly connected, GigabitEthernet0/0/0.14 
L        192.168.14.1/32 is directly connected, GigabitEthernet0/0/0.14 
      192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.15.0/24 is directly connected, GigabitEthernet0/0/0.15 
L        192.168.15.1/32 is directly connected, GigabitEthernet0/0/0.15 
      192.168.16.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.16.0/24 is directly connected, GigabitEthernet0/0/0.16 
L        192.168.16.1/32 is directly connected, GigabitEthernet0/0/0.16 
      192.168.18.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.18.0/24 is directly connected, GigabitEthernet0/0/0.18 
L        192.168.18.1/32 is directly connected, GigabitEthernet0/0/0.18 
      192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks 
C        192.168.19.0/24 is directly connected, GigabitEthernet0/0/0.19 
L        192.168.19.1/32 is directly connected, GigabitEthernet0/0/0.19


At the moment the connection hangs
sh int g0/0
GigabitEthernet0/0 is up, line protocol is up 
  Hardware is CN Gigabit Ethernet, address is 7081.052a.e6a0 (bia 7081.052a.e6a0) 
  Description: WAN_to_U 
  Internet address is 94.140.2**.75/29 
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, 
     reliability 255/255, txload 25/255, rxload 22/255 
  Encapsulation ARPA, loopback not set 
  Keepalive set (10 sec) 
  Full Duplex, 100Mbps, media type is RJ45 
  output flow-control is unsupported, input flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00 
  Last input 00:00:00, output 00:00:00, output hang never 
  Last clearing of "show interface" counters never 
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0 
  Queueing strategy: fifo 
  Output queue: 0/40 (size/max) 
  5 minute input rate 8962000 bits/sec, 1326 packets/sec 
  5 minute output rate 10134000 bits/sec, 1404 packets/sec 
     7736888 packets input, 2152780043 bytes, 0 no buffer 
     Received 252 broadcasts (0 IP multicasts) 
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 
     0 watchdog, 92 multicast, 0 pause input 
     8197678 packets output, 3062471341 bytes, 0 underruns 
     0 output errors, 0 collisions, 0 interface resets 
     92 unknown protocol drops 
     0 babbles, 0 late collision, 0 deferred 
     0 lost carrier, 0 no carrier, 0 pause output 
     0 output buffer failures, 0 output buffers swapped out


sh ip nat stat
Total active translations: 5514 (14 static, 5500 dynamic; 5513 extended) 
Peak translations: 7610, occurred 01:20:06 ago 
Outside interfaces: 
  GigabitEthernet0/0 
Inside interfaces: 
  GigabitEthernet0/0/0.1, GigabitEthernet0/0/0.10, GigabitEthernet0/0/0.11 
  GigabitEthernet0/0/0.12, GigabitEthernet0/0/0.13, GigabitEthernet0/0/0.14 
  GigabitEthernet0/0/0.15, GigabitEthernet0/0/0.16, GigabitEthernet0/0/0.17 
  GigabitEthernet0/0/0.18, GigabitEthernet0/0/0.19 
Hits: 15571759  Misses: 0 
CEF Translated packets: 15520279, CEF Punted packets: 51364 
Expired translations: 157820 
Dynamic mappings: 
-- Inside Source 
[Id: 1] access-list 150 pool NGD_NAT_POOL refcount 5497 
pool NGD_NAT_POOL: netmask 255.255.255.248 
        start 94.140.2**.75 end 94.140.2**.75 
        type generic, total addresses 1, allocated 1 (100%), misses 0

Total doors: 0 
Appl doors: 0 
Normal doors: 0 
Queued Packets: 0


Please help me figure out what the problem is and how to solve it.
Answers to the question: 5
@Konditer (question author)
sh run

Current configuration : 15203 bytes 
! 
! No configuration change since last restart 
version 15.2 
no service pad 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname NH_2951RO 
! 
boot-start-marker 
boot system flash:c2900-universalk9-mz.SPA.152-1.T.bin 
boot-end-marker 
! 
! 
security authentication failure rate 5 log 
logging buffered 51200 warnings 
enable secret 5 * 
! 
aaa new-model 
! 
! 
aaa authentication login default local 
aaa authentication login ciscocp_vpn_xauth_ml_1 local 
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
! 
! 
! 
! 
! 
aaa session-id common 
! 
clock timezone MSK 4 0 
! 
no ipv6 cef 
no ip source-route 
! 
! 
! 
ip dhcp binding cleanup interval 600 
ip dhcp excluded-address 192.168.11.1 192.168.11.50 
ip dhcp excluded-address 192.168.12.1 192.168.12.50 
ip dhcp excluded-address 192.168.13.1 192.168.13.50 
ip dhcp excluded-address 192.168.14.1 192.168.14.50 
ip dhcp excluded-address 192.168.15.1 192.168.15.50 
ip dhcp excluded-address 192.168.16.1 192.168.16.50 
ip dhcp excluded-address 192.168.10.1 192.168.10.50 
ip dhcp excluded-address 192.168.9.1 192.168.9.10 
ip dhcp excluded-address 172.1.0.1 172.1.0.100 
! 
ip dhcp pool NGD 
network 192.168.11.0 255.255.255.0 
default-router 192.168.11.1 
dns-server 192.168.11.3 192.168.11.1 8.8.8.8 
lease 7 
! 
ip dhcp pool Ai 
network 192.168.12.0 255.255.255.0 
dns-server 192.168.12.3 192.168.12.1 8.8.8.8 
default-router 192.168.12.1 
lease 7 
! 
ip dhcp pool Saw 
network 192.168.13.0 255.255.255.0 
default-router 192.168.13.1 
dns-server 8.8.8.8 8.8.4.4 
lease 7 
! 
ip dhcp pool Partners 
network 192.168.14.0 255.255.255.0 
dns-server 8.8.8.8 8.8.4.4 
default-router 192.168.14.1 
lease 7 
! 
ip dhcp pool Guest 
network 192.168.15.0 255.255.255.0 
default-router 192.168.15.1 
dns-server 8.8.8.8 8.8.4.4 
lease 7 
! 
ip dhcp pool Voip 
network 192.168.16.0 255.255.255.0 
dns-server 8.8.8.8 8.8.4.4 
default-router 192.168.16.1 
lease 30 
! 
ip dhcp pool DMZ 
network 192.168.10.0 255.255.255.0 
dns-server 192.168.12.3 192.168.12.1 8.8.8.8 
default-router 192.168.12.1 
lease 7 
! 
ip dhcp pool LETO 
network 172.1.0.0 255.255.224.0 
dns-server 8.8.8.8 8.8.4.4 
default-router 172.1.0.1 
lease 0 3 
! 
ip dhcp pool Slo 
network 192.168.18.0 255.255.255.0 
default-router 192.168.18.1 
dns-server 8.8.8.8 8.8.4.4 
lease 30 
! 
ip dhcp pool Co-W 
network 192.168.19.0 255.255.255.0 
dns-server 8.8.8.8 8.8.4.4 
default-router 192.168.19.1 
lease 7 
! 
! 
no ip bootp server 
ip domain name new*.com 
ip name-server 8.8.8.8 
ip name-server 8.8.4.4 
ip cef 
! 
multilink bundle-name authenticated 
! 
! 
! 
! 
! 
crypto pki token default removal timeout 0 
! 
crypto pki trustpoint TP-self-signed-3286905914 
enrollment selfsigned 
subject-name cn=IOS-Self-Signed-Certificate-3286905914 
revocation-check none 
rsakeypair TP-self-signed-3286905914 
! 
! 
crypto pki certificate chain TP-self-signed-3286905914 
certificate self-signed 01 
        quit 
voice-card 0 
! 
! 
! 
! 
! 
! 
! 
! 
license udi pid CISCO2921/K9 sn FCZ1***
license boot module c2900 technology-package securityk9 
license boot module c2900 technology-package uck9 
! 
! 
! 
redundancy 
! 
! 
! 
! 
! 
ip ssh time-out 60 
ip ssh authentication-retries 2 
ip ssh version 2 
! 
! 
crypto isakmp policy 1 
encr 3des 
authentication pre-share 
group 2 
! 
crypto isakmp client configuration group Main_VPN_Group 
key *** 
dns 192.168.11.3 192.168.11.1 
domain nd.local 
pool SDM_POOL_1 
acl 101 
crypto isakmp profile ciscocp-ike-profile-1 
   match identity group Main_VPN_Group 
   client authentication list ciscocp_vpn_xauth_ml_1 
   isakmp authorization list ciscocp_vpn_group_ml_1 
   client configuration address respond 
   virtual-template 1 
! 
! 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
! 
crypto ipsec profile CiscoCP_Profile1 
set transform-set ESP-3DES-SHA 
set isakmp-profile ciscocp-ike-profile-1 
! 
! 
! 
! 
! 
! 
! 
interface Loopback0 
ip address 172.16.0.1 255.255.255.0 
! 
interface Embedded-Service-Engine0/0 
no ip address 
shutdown 
! 
interface GigabitEthernet0/0 
description WAN_to_U 
ip address 94.140.2**.75 255.255.255.248 
ip nat outside 
ip virtual-reassembly in 
duplex auto 
speed auto 
no cdp enable 
! 
interface GigabitEthernet0/1 
no ip address 
shutdown 
duplex auto 
speed auto 
! 
interface GigabitEthernet0/2 
no ip address 
shutdown 
duplex auto 
speed auto 
! 
interface GigabitEthernet0/0/0 
description to_2960S 
no ip address 
negotiation auto 
! 
interface GigabitEthernet0/0/0.1 
description MGT 
encapsulation dot1Q 1 native 
ip address 192.168.1.1 255.255.255.0 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.10 
description DMZ 
encapsulation dot1Q 10 
ip address 192.168.10.1 255.255.255.0 
ip access-group DMZ_LAN in 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.11 
description ND 
encapsulation dot1Q 11 
ip address 192.168.11.1 255.255.255.0 
ip access-group NGD_LAN in 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.12 
description Ai 
encapsulation dot1Q 12 
ip address 192.168.12.1 255.255.255.0 
ip access-group AIRIS_LAN in 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.13 
description Saw 
encapsulation dot1Q 13 
ip address 192.168.13.1 255.255.255.0 
ip access-group SAWATZKY_LAN in 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.14 
description Partners 
encapsulation dot1Q 14 
ip address 192.168.14.1 255.255.255.0 
ip access-group PARTNERS_LAN in 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.15 
description Guest 
encapsulation dot1Q 15 
ip address 192.168.15.1 255.255.255.0 
ip access-group GUEST_LAN in 
ip nat inside 
ip virtual-reassembly in 
rate-limit output 4096000 32000 32000 conform-action continue exceed-action drop 
! 
interface GigabitEthernet0/0/0.16 
description VoIP 
encapsulation dot1Q 16 
ip address 192.168.16.1 255.255.255.0 
ip nbar protocol-discovery 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.17 
description LETO 
encapsulation dot1Q 17 
ip address 172.1.0.1 255.255.224.0 
ip access-group LETO_FREE_WIFI in 
ip nat inside 
ip virtual-reassembly in 
! 
interface GigabitEthernet0/0/0.18 
description Slo 
encapsulation dot1Q 18 
ip address 192.168.18.1 255.255.255.0 
ip access-group Slow_Kitchen in 
ip nat inside 
ip virtual-reassembly in 
rate-limit output 4096000 32000 32000 conform-action continue exceed-action drop 
! 
interface GigabitEthernet0/0/0.19 
description Co-W 
encapsulation dot1Q 19 
ip address 192.168.19.1 255.255.255.0 
ip access-group Co-Working in 
ip nat inside 
ip virtual-reassembly in 
! 
interface Virtual-Template1 type tunnel 
ip unnumbered Loopback0 
tunnel mode ipsec ipv4 
tunnel protection ipsec profile CiscoCP_Profile1 
! 
! 
ip local pool SDM_POOL_1 192.168.11.150 192.168.11.200 
ip forward-protocol nd 
! 
ip http server 
ip http authentication local 
ip http secure-server 
ip http timeout-policy idle 60 life 86400 requests 10000 
! 
ip dns server 
ip nat pool NGD_NAT_POOL 94.140.2**.75 94.140.2**.75 netmask 255.255.255.248 
ip nat inside source list 150 pool NGD_NAT_POOL overload 
ip nat inside source static tcp 192.168.12.3 20 94.140.2**.75 20 extendable 
ip nat inside source static tcp 192.168.12.3 21 94.140.2**.75 21 extendable 
ip nat inside source static tcp 192.168.1.6 22 94.140.2**.75 22 extendable 
ip nat inside source static tcp 172.1.1.14 47 94.140.2**.75 47 extendable 
ip nat inside source static tcp 192.168.1.6 80 94.140.2**.75 80 extendable 
ip nat inside source static tcp 172.1.1.14 1723 94.140.2**.75 1723 extendable 
ip nat inside source static tcp 192.168.18.150 47 94.140.2**.76 47 extendable 
ip nat inside source static tcp 192.168.10.3 80 94.140.2**.76 80 extendable 
ip nat inside source static tcp 192.168.18.150 1723 94.140.2**.76 1723 extendable 
ip nat inside source static tcp 192.168.18.150 3389 94.140.2**.76 3389 extendable 
ip nat inside source static tcp 192.168.18.150 4899 94.140.2**.76 4899 extendable 
ip nat inside source static tcp 192.168.18.150 4999 94.140.2**.76 4999 extendable 
ip nat inside source static tcp 192.168.18.150 5555 94.140.2**.76 5555 extendable 
ip nat inside source static 192.168.10.2 94.140.2**.77 extendable 
ip route 0.0.0.0 0.0.0.0 94.140.2**.73 
! 
ip access-list extended AI_LAN 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
permit ip any any 
ip access-list extended Co-W 
deny   ip any 172.0.0.0 0.0.0.255 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
deny   ip any 192.168.17.0 0.0.0.255 
deny   ip any 192.168.18.0 0.0.0.255 
permit ip any any 
ip access-list extended DMZ_LAN 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
permit ip any any 
ip access-list extended GUEST_LAN 
permit udp any any eq bootpc 
permit udp any any eq bootps 
permit tcp 192.168.15.0 0.0.0.255 eq 443 192.168.11.0 0.0.0.255 
permit icmp 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255 echo 
permit icmp 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255 echo-reply 
permit icmp 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255 echo 
permit icmp 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply 
permit tcp 192.168.15.0 0.0.0.255 eq 443 192.168.1.0 0.0.0.255 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
permit tcp 192.168.15.0 0.0.0.255 any eq www 
permit tcp 192.168.15.0 0.0.0.255 any eq 443 
permit tcp 192.168.15.0 0.0.0.255 any eq pop3 
permit tcp 192.168.15.0 0.0.0.255 any eq 143 
permit tcp 192.168.15.0 0.0.0.255 any eq 993 
permit tcp 192.168.15.0 0.0.0.255 any eq 995 
permit tcp 192.168.15.0 0.0.0.255 any eq 587 
permit tcp 192.168.15.0 0.0.0.255 any eq smtp 
permit tcp 192.168.15.0 0.0.0.255 any eq ftp 
permit tcp 192.168.15.0 0.0.0.255 any eq ftp-data 
permit tcp 192.168.15.0 0.0.0.255 any eq 37 
permit tcp 192.168.15.0 0.0.0.255 any eq daytime 
permit udp 192.168.15.0 0.0.0.255 any eq time 
permit udp 192.168.15.0 0.0.0.255 any eq domain 
permit udp 192.168.15.0 0.0.0.255 any eq ntp 
deny   ip any any 
ip access-list extended LETO 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
permit ip any any 
ip access-list extended ND_LAN 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
permit ip any any 
ip access-list extended PARTNERS_LAN 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   tcp host 192.168.14.68 any eq www 
permit ip any any 
ip access-list extended SAW_LAN 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
permit ip any any 
ip access-list extended Slo 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
deny   ip any 192.168.16.0 0.0.0.255 
deny   ip any 192.168.17.0 0.0.0.255 
permit ip any any 
ip access-list extended VOIP_LAN 
deny   ip any 192.168.10.0 0.0.0.255 
deny   ip any 192.168.11.0 0.0.0.255 
deny   ip any 192.168.12.0 0.0.0.255 
deny   ip any 192.168.13.0 0.0.0.255 
deny   ip any 192.168.14.0 0.0.0.255 
deny   ip any 192.168.15.0 0.0.0.255 
permit ip any any 
! 
access-list 100 permit ip any any 
access-list 101 remark CCP_ACL Category=4 
access-list 101 permit ip 192.168.0.0 0.0.255.255 any 
access-list 123 permit tcp 192.168.1.0 0.0.0.255 any eq 22 
access-list 123 permit tcp 192.168.11.0 0.0.0.255 any eq 22 
access-list 123 deny   ip any any 
access-list 150 permit ip 172.1.0.0 0.0.3.255 any 
access-list 150 permit ip 192.168.0.0 0.0.255.255 any 
access-list 150 permit ip 172.1.0.0 0.0.31.255 any 
! 
! 
! 
! 
! 
snmp-server community nhcomm RO 
snmp-server enable traps entity-sensor threshold 
! 
! 
control-plane host 
! 
! 
control-plane 
! 
! 
! 
! 
mgcp profile default 
! 
! 
! 
! 
! 
gatekeeper 
shutdown 
! 
! 
! 
line con 0 
line aux 0 
line 2 
no activation-character 
no exec 
transport preferred none 
transport input all 
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh 
stopbits 1 
line vty 0 4 
access-class 123 in 
transport input telnet ssh 
line vty 5 15 
access-class 123 in 
transport input telnet ssh 
! 
scheduler allocate 20000 1000 
ntp source GigabitEthernet0/0/0.1 
ntp master 
ntp update-calendar 
ntp server 46.165.196.144 
ntp server 129.70.132.35 
ntp server 85.214.230.247 
time-range WIFI 
periodic daily 1:00 to 8:00 
! 
end
Answer posted
@Ars1s
What does nslookup -type=a mail0.*.ru say from other clients while the employee's problem laptop is switched on? Does DNS by any chance point to the problem laptop's IP?)
Answer posted
You may have an "ICMP redirects" situation: this, for example, allows any local station to claim that it "knows a shorter path" to any IP that it includes in an ICMP type=5 packet.

Try the command "no ip redirects" on the Cisco on the FastEthernet interface; in your case, with a single external uplink, it will do no harm.

And if examining the routing tables on the hosts shows that they are being changed as well, then www.windowsreference.com/security/disable-icmp-red...
Answer posted
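To check whether ICMP type 5 messages like the ones this answer describes are actually arriving at a client, captured packets can be triaged as below. This is an added example, not part of the original thread: the function name, the trusted-gateway set and the sample packet (hosts 192.168.11.57 and 192.168.11.88, destination 203.0.113.43) are constructed assumptions.

```python
import ipaddress

SCOPE = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def inspect_redirect(packet, trusted_gateways, local_net):
    """Describe an ICMP type 5 message in a raw IPv4 packet; None for anything else.

    Checksums are not verified: the goal is triage of captured traffic.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                                   # not ICMP, or truncated
    if packet[ihl] != 5:
        return None                                   # ICMP, but not a redirect
    sender = ipaddress.ip_address(bytes(packet[12:16]))
    new_gw = ipaddress.ip_address(bytes(packet[ihl + 4:ihl + 8]))
    # A redirect embeds the header of the datagram that triggered it;
    # its destination field is the address whose route is being rewritten.
    inner = packet[ihl + 8:]
    dest = str(ipaddress.ip_address(bytes(inner[16:20]))) if len(inner) >= 20 else None
    reasons = []
    # Acceptance rules from RFC 1122: the sender must be the current first-hop
    # gateway, and the advertised gateway must be on the connected subnet.
    if sender not in trusted_gateways:
        reasons.append("sender is not a configured first-hop gateway")
    if new_gw not in local_net:
        reasons.append("advertised gateway is not on the local subnet")
    return {
        "sender": str(sender),
        "new_gateway": str(new_gw),
        "destination": dest,
        "scope": SCOPE.get(packet[ihl + 1], "unknown"),
        "suspicious": reasons,
    }

# Assumed environment: VLAN 11 from the posted config, gateway 192.168.11.1.
TRUSTED = {ipaddress.ip_address("192.168.11.1")}
LOCAL_NET = ipaddress.ip_network("192.168.11.0/24")

# Constructed capture: 192.168.11.88 tells 192.168.11.57 to reach 203.0.113.43 via .88.
ROGUE = bytes.fromhex(
    "45000038 00000000 40010000 c0a80b58 c0a80b39"   # outer IPv4 header, protocol 1
    "05010000 c0a80b58"                               # ICMP type 5, code 1, gateway
    "4500003c 00000000 80010000 c0a80b39 cb00712b"   # embedded original IPv4 header
    "08000000 00010001"                               # first 8 bytes of original datagram
)

if __name__ == "__main__":
    print(inspect_redirect(ROGUE, TRUSTED, LOCAL_NET))
```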
@rdntw
Maybe there are viruses on the computer? Possibly ARP spoofing.
Compare the server's MACs before and after the "problem" computer is switched on. Check the MACs on the gateway and on the users' machines.
Answer posted
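The before/after MAC comparison suggested in this answer can be scripted over saved ARP tables from the gateway (`show ip arp`) and from user machines (Windows `arp -a`). This is an added example, not part of the original thread; the function names and all sample tables and MAC addresses are constructed.

```python
import ipaddress
import re

# MAC notations: Cisco IOS (aabb.ccdd.eeff), Windows (aa-bb-..), Unix (aa:bb:..)
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b",
    re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_arp(text):
    """Return {ip: normalized_mac} from `show ip arp` or `arp -a` output."""
    table = {}
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        ip = IP_RE.search(line[:mac.start()]) if mac else None
        if not ip:
            continue  # headers, "Incomplete" entries, interface banner lines
        digits = re.sub(r"[^0-9a-f]", "", mac.group().lower())
        if int(digits[:2], 16) & 1:
            continue  # group bit set: broadcast/multicast, never a single host
        table[ip.group()] = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return table

def compare(reference, observed):
    """Flag IPs whose MAC differs between two views, and MACs answering for several IPs.

    Works for before/after snapshots of one machine and for gateway-vs-client views.
    A shared MAC can be legitimate (one host with several addresses): treat it as a lead.
    """
    findings = []
    for ip in sorted(set(reference) & set(observed), key=ipaddress.ip_address):
        if reference[ip] != observed[ip]:
            findings.append(("mac-changed", ip, f"{reference[ip]} -> {observed[ip]}"))
    owners = {}
    for ip, mac in observed.items():
        owners.setdefault(mac, []).append(ip)
    for mac in sorted(owners):
        if len(owners[mac]) > 1:
            ips = sorted(owners[mac], key=ipaddress.ip_address)
            findings.append(("mac-shared", mac, ", ".join(ips)))
    return findings

# Constructed sample data (not from the thread). Age "-" marks the router's own address.
ROUTER_VIEW = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.11.1            -   0200.5e00.0001  ARPA   GigabitEthernet0/0/0.11
Internet  192.168.11.88           2   0200.5e00.0099  ARPA   GigabitEthernet0/0/0.11
Internet  192.168.11.9            0   Incomplete      ARPA
"""
CLIENT_BEFORE = """\
Interface: 192.168.11.57 --- 0xb
  Internet Address      Physical Address      Type
  192.168.11.1          02-00-5e-00-00-01     dynamic
  192.168.11.3          02-00-5e-00-00-03     dynamic
  192.168.11.255        ff-ff-ff-ff-ff-ff     static
"""
CLIENT_AFTER = """\
Interface: 192.168.11.57 --- 0xb
  Internet Address      Physical Address      Type
  192.168.11.1          02-00-5e-00-00-99     dynamic
  192.168.11.3          02-00-5e-00-00-03     dynamic
  192.168.11.88         02-00-5e-00-00-99     dynamic
  192.168.11.255        ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for finding in compare(parse_arp(CLIENT_BEFORE), parse_arp(CLIENT_AFTER)):
        print("before/after on client:", finding)
    for finding in compare(parse_arp(ROUTER_VIEW), parse_arp(CLIENT_AFTER)):
        print("gateway vs client:", finding)
```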
@Konditer (question author)
So, an update!
It was found by experiment that when the connection drops on all computers, it is enough to unplug and replug the incoming cable from the provider. So, possibly, this breaks the session with the mail server on the problem computer, which the other side had previously been blocking by time and/or other parameters. Well, it seems the problem has been localized... Does anyone have any thoughts on this?)
P.S. By the way, could the provider be to blame for this kind of behavior?
Answer posted