And what is wrong with these lines? What should the first part be? I followed the Cisco manual (the FWSM Configuration section, static NAT); the example there gives a static command and defines an ACL.
Here is the full configuration of this FWSM context:
FWSM Version 3.2(2) <context>
!
firewall transparent
hostname *****
domain-name net.***.***.ru
enable password ********* encrypted
names
!
interface Vlan2
nameif inside
bridge-group 1
security-level 100
!
interface Vlan5
nameif outside
bridge-group 1
security-level 0
!
interface BVI1
ip address 192.168.3.218 255.255.255.252
!
passwd ********** encrypted
object-group network localnets
network-object 10.0.0.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 127.0.0.0 255.0.0.0
network-object host 93.187.152.62
object-group network denyserv
network-object host 194.***.***.198
network-object host 194.***.***.33
network-object host 194.***.***.50
network-object host 194.***.***.60
network-object host 194.***.***.209
network-object host 194.***.***.234
network-object host 194.***.***.241
object-group network webservers
network-object 194.***.***.32 255.255.255.240
network-object 194.***.***.208 255.255.255.240
access-list INCOMING extended deny udp any any eq 1434 log errors
access-list INCOMING extended deny ip object-group localnets any log disable
access-list INCOMING extended deny ip any object-group localnets log disable
access-list INCOMING extended deny ip object-group denyserv any log errors
access-list INCOMING extended deny ip any object-group denyserv log errors
access-list INCOMING extended permit tcp any host 194.xxx.xxx.244 eq www
access-list INCOMING extended permit icmp any host 194.xxx.xxx.244
access-list INCOMING extended deny ip any any log errors
access-list OUTCOMING extended deny udp any any eq 1434 log errors
access-list OUTCOMING extended permit ip host 192.168.32.20 any
access-list OUTCOMING extended permit ip host 192.168.111.66 any
access-list OUTCOMING extended deny ip object-group localnets any log disable
access-list OUTCOMING extended deny ip any object-group localnets log disable
access-list OUTCOMING extended deny ip any any log errors
pager lines 24
logging enable
logging trap errors
logging asdm errors
logging facility 16
logging host inside 194.***.***.16
mtu inside 1500
mtu outside 1500
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
static (inside,outside) 194.yyy.yyy.243 192.168.111.66 netmask 255.255.255.255
static (inside,outside) 194.xxx.xxx.244 192.168.32.20 netmask 255.255.255.255
access-group OUTCOMING in interface inside
access-group INCOMING in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.3.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 194.***.***.240 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 194.***.***.0 255.255.255.192 inside
ssh 194.***.***.240 255.255.255.240 inside
ssh timeout 30
ssh version 2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 768
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
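The post asks what is wrong with the static and ACL lines. As an added example (not the poster's configuration or any Cisco tool), here is a small Python check that parses the object-groups, the ordered ACLs and the static statements from a constructed excerpt modelled on the post and reports, for each static, which action the INCOMING ACL takes on the global address and which the OUTCOMING ACL takes on the local host. Placeholder 203.0.113.x addresses stand in for the masked ones, and only addresses are matched, not protocol or ports (assumptions).

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the post's FWSM context; the masked public addresses are replaced with 203.0.113.x placeholders (assumption).
CONFIG = """\
object-group network localnets
 network-object 192.168.0.0 255.255.0.0
access-list INCOMING extended deny ip any object-group localnets log disable
access-list INCOMING extended permit tcp any host 203.0.113.244 eq www
access-list INCOMING extended deny ip any any log errors
access-list OUTCOMING extended permit ip host 192.168.32.20 any
access-list OUTCOMING extended deny ip object-group localnets any log disable
access-list OUTCOMING extended deny ip any any log errors
static (inside,outside) 203.0.113.243 192.168.111.66 netmask 255.255.255.255
static (inside,outside) 203.0.113.244 192.168.32.20 netmask 255.255.255.255
"""

def spec(t, i, groups):
    """Decode one address specifier starting at token i -> (list of networks, index of next token)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1] + "/32")], i + 2
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    return [ipaddress.ip_network(t[i] + "/" + t[i + 1])], i + 2   # "address netmask" form

def parse(text):
    """Return object-groups, ordered ACLs {name: [(action, src, dst), ...]} and (global, local) statics."""
    groups, acls, statics, group = {}, defaultdict(list), [], None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "object-group":
            group = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            group.extend(spec(t, 1, groups)[0])
        elif t[0] == "access-list":      # tokens: name extended action proto SRC DST [ports/log ...]
            src, i = spec(t, 5, groups)
            acls[t[1]].append((t[3], src, spec(t, i, groups)[0]))   # order preserved: first match wins
        elif t[0] == "static":
            statics.append((t[2], t[3]))   # (global address, local address)
    return groups, acls, statics

def first_match(acl, addr, field):   # field 1 = source, 2 = destination; the first covering ACE decides
    a = ipaddress.ip_address(addr)
    return next((ace[0] for ace in acl if any(a in n for n in ace[field])), None)

def check_statics(text=CONFIG):
    """Per static: (INCOMING verdict for its global address, OUTCOMING verdict for its local host)."""
    _, acls, statics = parse(text)
    return {g: (first_match(acls["INCOMING"], g, 2), first_match(acls["OUTCOMING"], loc, 1)) for g, loc in statics}
```

Run against the excerpt, it shows that 203.0.113.244 is permitted in both directions while 203.0.113.243 falls through to the final deny in both ACLs, which is the first-match ordering check worth making before looking at the NAT itself.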