


Помогите с конфигом роутера Cisco. 

Добрый день.
Есть Cisco 2911. Привожу рабочий конфиг.


! Global settings of the IOS 15.1 image on the 2911: timestamps, hostname, boot image and the login-hardening knobs.
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type 7 "encryption" only obfuscates plain passwords in the config; it is reversible and is not a hash.
service password-encryption
service sequence-numbers
!
hostname CISCO_2911
!
boot-start-marker
boot system flash0 c2900-universalk9-mz.SPA.151-4.M.bin
boot-end-marker
!
!
! After 3 failed login attempts a syslog message is generated; a 6-character minimum is short for an edge device.
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
! Type 5 = salted MD5 hash. NOTE(review): this hash was posted publicly together with the config -- rotate the enable secret.
enable secret 5 $1$QL59$6f1Nz/phOVZRORnWASgdq1
!
! AAA: every login and exec authorization is resolved against the local user database (no external RADIUS/TACACS+ server in this listing).
aaa new-model
!
!
aaa authentication login default local
! Named lists referenced by the line stanzas; they are identical to the default lists.
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
clock timezone Moscow 4 0
!
no ipv6 cef
! Packets carrying an IP source-route option are dropped; CEF switching is enabled for IPv4 only.
no ip source-route
ip cef
!
!
!
! DHCP: one pool per VLAN. Each pool hands out the SVI address as gateway, DNS and netbios-name-server,
! so clients resolve names through the router (see `ip dns server`). Leases are 0 days 12 hours.
no ip dhcp use vrf connected
! The SVI addresses are excluded so they are never leased to a client.
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.168.1
!
ip dhcp pool $Vlan1$
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
netbios-name-server 192.168.0.1
netbios-node-type h-node
lease 0 12
!
ip dhcp pool $Vlan2$
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
netbios-name-server 192.168.1.1
netbios-node-type h-node
lease 0 12
!
ip dhcp pool $Vlan3$
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.1
netbios-name-server 192.168.2.1
netbios-node-type h-node
lease 0 12
!
ip dhcp pool $Vlan4$
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.3.1
netbios-name-server 192.168.3.1
netbios-node-type h-node
lease 0 12
!
ip dhcp pool $Vlan169$
network 192.168.168.0 255.255.255.0
default-router 192.168.168.1
dns-server 192.168.168.1
netbios-name-server 192.168.168.1
netbios-node-type h-node
lease 0 12
!
!
no ip bootp server
ip domain name local
! Upstream resolvers for the router's own DNS service; ACL 105 also has static permits for replies from these two hosts.
ip name-server 212.188.4.10
ip name-server 195.34.32.116
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
! CBAC stateful inspection set generated by CCP. It is applied outbound on Dialer0, so return traffic of
! these protocols (plus generic tcp/udp) is admitted through the inbound ACL 105 by inspection state.
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
! Generic tcp/udp inspection already covers most of the named protocols above; the named entries add application-layer handling.
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW http
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
! `tti` and the `test_trustpoint_config_created_for_sdm` entries are SDM/CCP artifacts with no enrollment configured.
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
! Self-signed certificate; presumably what `ip http secure-server` presents -- browsers will warn unless the cert is trusted explicitly.
crypto pki trustpoint TP-self-signed-714539355
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-714539355
revocation-check none
rsakeypair TP-self-signed-714539355
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
! Certificate bodies were omitted from the paste.
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-714539355
crypto pki certificate chain test_trustpoint_config_created_for_sdm
voice-card 0
!
!
!
!
!
!
!
! NOTE(review): the license PID reads CISCO2901/K9 while the hostname and the post say 2911 -- confirm with `show version`.
license udi pid CISCO2901/K9 sn FCZ1540902Z
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
! Config-change logging with passwords masked in the change log.
archive
log config
hidekeys
! Single privilege-15 local administrator (type 5 hash). NOTE(review): hash posted publicly -- rotate the password.
username Admin privilege 15 secret 5 $1$E0eZ$9DX.uIy90aDCQXkfk.0iz0
!
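redundancy
!
!
!
!
! ADSL2+ line on the VDSL controller; the PPPoE session rides the ATM PVC defined under ATM0/3/0.1.
controller VDSL 0/3/0
operating mode adsl2+ annex A
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
! SSH protocol 1 has known protocol-level weaknesses; only version 2 is accepted.
! SSHv2 on IOS requires an RSA key of at least 768 bits -- verify with `show ip ssh` after applying,
! and regenerate the key if the existing one is shorter.
ip ssh version 2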
!
!
!
!
!
!
!
! Null0 with unreachables off: traffic routed to it is silently discarded instead of generating ICMP.
interface Null0
no ip unreachables
!
! Internal interface toward the Embedded Service Engine; not addressed in this config.
! The ICMP redirect/unreachable/proxy-arp knobs below repeat on every interface -- the CCP hardening template.
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
! The two on-board routed Gigabit ports are unused (no address, not shut down).
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
! ADSL transport: the physical ATM interface carries no IP; the PPPoE client lives on the point-to-point subinterface.
interface ATM0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/3/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
! PVC 1/50; the PPPoE client is bound to dialer pool 1, i.e. to Dialer0.
pvc 1/50
pppoe-client dial-pool-number 1
!
!
! Ethernet port of the DSL card, administratively down.
interface Ethernet0/3/0
no ip address
shutdown
no fair-queue
!
! EHWIC switchports. Access ports carry VLAN 2 or VLAN 169 (NAS/Mac); ports with no `switchport access vlan`
! presumably sit in the default VLAN 1. Gi0/1/3 is the trunk toward the access point.
interface GigabitEthernet0/0/0
description $FOR NAS ONLY$
switchport access vlan 169
no ip address
!
interface GigabitEthernet0/0/1
description $FOR MAC ONLY$
switchport access vlan 169
no ip address
!
interface GigabitEthernet0/0/2
switchport access vlan 2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface GigabitEthernet0/1/0
description $FOR NAS ONLY$
switchport access vlan 169
no ip address
power inline never
!
interface GigabitEthernet0/1/1
switchport access vlan 2
no ip address
speed 100
!
interface GigabitEthernet0/1/2
no ip address
!
! Trunk to the AP: VLANs 1-4 plus the default 1002-1005 legacy VLANs; VLAN 169 is deliberately not carried.
interface GigabitEthernet0/1/3
description $FOR AIR-AP ONLY$
switchport trunk allowed vlan 1-4,1002-1005
switchport mode trunk
no ip address
!
! SVIs, one per LAN VLAN. Each is NAT-inside and carries an inbound ACL (100-104) that only rejects packets
! whose source address belongs to another VLAN, broadcast or loopback -- i.e. anti-spoofing. Traffic between
! the VLANs (including the NAS/Mac VLAN 169) is otherwise routed freely.
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
! NetFlow accounting is switched on, but no exporter appears in this listing.
ip flow ingress
ip nat inside
ip virtual-reassembly in
! MSS clamped to fit the 1492-byte PPPoE MTU on Dialer0.
ip tcp adjust-mss 1448
!
interface Vlan2
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1448
!
interface Vlan3
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1448
!
interface Vlan4
description $FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1448
!
! VLAN 169 holds the NAS and the Mac (see the switchport descriptions) and is not carried on the AP trunk.
interface Vlan169
description $FW_INSIDE$$ES_LAN$
ip address 192.168.168.1 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1448
!
! WAN side: PPPoE over the ATM PVC (dialer pool 1), address negotiated from the ISP,
! NAT outside, CBAC inspection outbound and ACL 105 inbound.
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
! ACL 105: static permits for the configured DNS/NTP servers, anti-spoof and bogon denies, then deny-all with logging.
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
! 1492 leaves room for the PPPoE overhead inside a 1500-byte Ethernet frame.
ip mtu 1492
ip flow ingress
ip nat outside
! Sessions inspected here get their return traffic admitted past ACL 105 by CBAC state.
ip inspect CCP_LOW out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1448
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
! Type 7 strings are reversible obfuscation, so these PPP credentials are effectively in clear text.
! NOTE(review): they were posted publicly with this config -- have the ISP rotate them.
ppp chap hostname xxxxxxxx
ppp chap password 7 121423471F3D07501E
ppp pap sent-username xxxxxxx password 7 10432F490821195F38
no cdp enable
!
!
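ip forward-protocol nd
!
! Web management (CCP): plain HTTP is disabled so the local-AAA credentials only travel over TLS;
! point CCP at https://. access-class 1 restricts the web UI to the inside subnets listed in access-list 1.
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
! The router answers DNS for the LAN and forwards to the `ip name-server` entries.
ip dns server
! PAT of every inside subnet (access-list 1) onto the negotiated Dialer0 address.
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0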
!
logging esm config
! Trap level for syslog hosts; no `logging host` appears in this listing, so only the 51200-byte buffer receives logs.
logging trap debugging
! access-list 1 is remarked as the HTTP access-class list, but in this listing it is only referenced by
! `ip nat inside source list 1` and `dialer-list 1`; no `ip http access-class 1` is configured.
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=19
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.168.0 0.0.0.255
access-list 1 deny any
! ACLs 100-104 are applied inbound on Vlan1/2/3/4/169 respectively. Each one denies packets whose source
! address is one of the *other* VLAN subnets, the limited broadcast or loopback, then permits everything.
! This is anti-spoofing only; it does not restrict which VLANs may talk to each other.
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip 192.168.168.0 0.0.0.255 any
access-list 100 deny ip 192.168.3.0 0.0.0.255 any
access-list 100 deny ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 deny ip 192.168.168.0 0.0.0.255 any
access-list 101 deny ip 192.168.3.0 0.0.0.255 any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 deny ip 192.168.168.0 0.0.0.255 any
access-list 102 deny ip 192.168.3.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 deny ip 192.168.168.0 0.0.0.255 any
access-list 103 deny ip 192.168.2.0 0.0.0.255 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 deny ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 deny ip 192.168.3.0 0.0.0.255 any
access-list 104 deny ip 192.168.2.0 0.0.0.255 any
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
! ACL 105 is applied inbound on Dialer0 (the WAN). CBAC opens holes for inspected sessions; the lines below are the static policy.
access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
! Static DNS permits: any UDP from these two hosts with source port 53, to any inside address and port.
! Since CCP_LOW already inspects dns, these bypass the stateful check -- worth tightening to `eq domain` on the destination or removing.
access-list 105 permit udp host 195.34.32.116 eq domain any
access-list 105 permit udp host 212.188.4.10 eq domain any
! NTP replies from the three configured servers, port 123 to port 123.
access-list 105 remark Auto generated by CCP for NTP (123) 62.149.0.30
access-list 105 permit udp host 62.149.0.30 eq ntp any eq ntp
access-list 105 remark Auto generated by CCP for NTP (123) 62.119.40.98
access-list 105 permit udp host 62.119.40.98 eq ntp any eq ntp
access-list 105 remark Auto generated by CCP for NTP (123) 192.36.143.150
access-list 105 permit udp host 192.36.143.150 eq ntp any eq ntp
! Anti-spoofing: inside subnets must never arrive from the WAN.
access-list 105 deny ip 192.168.168.0 0.0.0.255 any
access-list 105 deny ip 192.168.3.0 0.0.0.255 any
access-list 105 deny ip 192.168.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
! ICMP needed for ping replies, traceroute and path-MTU discovery.
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
! Bogon/private sources, then deny-all. The final `log` only reaches the local buffer unless a syslog host is configured.
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
! Interesting traffic for the dialer: anything matching access-list 1 (the inside subnets).
dialer-list 1 protocol ip list 1
!
! CDP disabled globally.
no cdp run
!
!
!
!
! Only ifindex persistence is set; no SNMP community or user is configured in this listing.
snmp-server ifindex persist
!
!
!
! No control-plane policing policy is attached here.
control-plane
!
!
!
!
! Voice leftovers: MGCP profile and an H.323 gatekeeper that is switched on.
! NOTE(review): if the gatekeeper is not used, `shutdown` it -- it is one less listening service on the WAN address.
mgcp profile default
!
!
!
!
!
gatekeeper
no shutdown
!
!
! Login banner; the delimiter character appears to have been lost when the config was pasted.
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!

!
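! Terminal lines. All of them authenticate through the local AAA lists and time out after 30 idle minutes.
line con 0
exec-timeout 30 0
login authentication local_authen
transport output telnet
! NOTE(review): if nothing is attached to AUX, `no exec` and `transport input none` would close it; left as-is since its use is unknown.
line aux 0
exec-timeout 30 0
login authentication local_authen
transport output telnet
! Console line of the Embedded Service Engine; no exec, so nothing can log in through it.
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
! Remote management is SSH only (telnet would carry the local-AAA credentials in clear text)
! and is accepted only from the inside subnets listed in access-list 1.
line vty 0 4
access-class 1 in
exec-timeout 30 0
authorization exec local_author
login authentication local_authen
transport input ssh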
!
scheduler allocate 20000 1000
! NTP sourced from the WAN address; the three servers match the NTP permits in access-list 105.
! `prefer` on all three servers gives none of them precedence. No NTP authentication is configured, so
! log timestamps depend on unauthenticated time -- acceptable for a home/SOHO edge, worth knowing for forensics.
ntp source Dialer0
ntp update-calendar
ntp server 192.36.143.150 prefer
ntp server 62.149.0.30 prefer
ntp server 62.119.40.98 prefer
end


Все работает. Но недавно в роутер поставил серверный модуль UCS-E140, и возникло желание завернуть трафик на этот модуль: там открыть NAT, DNS server и TMG. Вопрос: как перенаправить входной и выходной трафик на этот модуль?

Думаю, это надо делать с Dialer0, поскольку на нём висит авторизация у прова.
! Dialer0 is the PPPoE/WAN side: NAT outside, CBAC inspection outbound, ACL 105 inbound, ISP credentials via CHAP/PAP.
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1448
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
! NOTE(review): type 7 credentials are reversible and this post is public -- rotate them with the ISP.
ppp chap hostname xxxxxxxx
ppp chap password 7 121423471F3D07501E
ppp pap sent-username xxxxxxx password 7 10432F490821195F38
no cdp enable

и направить на один из свободных портов
! Candidate EHWIC switchports. Gi0/0/3 and Gi0/1/2 carry no access VLAN (presumably default VLAN 1) and no description,
! so they look free; the VLAN 2 / VLAN 169 ports are in use.
interface GigabitEthernet0/0/0
description $FOR NAS ONLY$
switchport access vlan 169
no ip address
!
interface GigabitEthernet0/0/1
description $FOR MAC ONLY$
switchport access vlan 169
no ip address
!
interface GigabitEthernet0/0/2
switchport access vlan 2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface GigabitEthernet0/1/0
description $FOR NAS ONLY$
switchport access vlan 169
no ip address
power inline never
!
interface GigabitEthernet0/1/1
switchport access vlan 2
no ip address
speed 100
!
interface GigabitEthernet0/1/2
no ip address

С перенаправленного порта патч-кордом соединяю с внешней сетевой картой модуля UCS, то есть физика понятна, но как и что в роутере прописать? У UCS есть ещё внешний порт, смотрящий сразу в роутер, — ucses 1/1. Можно, наверное, и на него, но не все команды видят порт ucses, хотя по сути это свитч-порт.


С уважением.

P.S. Понимаю, что конфиг придётся вычистить в пунктах NAT, FIREWALL и INSPECT.


18 авг 2014, 10:24
