> ЗЫ: Ну и как правильно заметили, лучше не изобретать велосипед. Суете линк
> с провайдером в вилан, и приземляете в нем хосты с реальным
> IP наравне с роутером.

Уважаемые гуру! Я переделал всю конфигу исходя из ваших советов, но протестировал пока только в виртуальной среде - работает, все кого надо - видят, кого не надо - не видят.

Подскажите корректная ли эта конфига?

сети в влане 110 и 111 разделил RACL, обе сетки натятся на 2 разных IP
третий белый  ip - уходит на устройство прямо из коммутатора через Ethernet1/0.

Роутер:
interface Ethernet0/0                                                                                                          
ip address хх.хх.хх.122 255.255.255.0                                                                                        
ip access-group FIREWALL in                                                                                                  
ip nat outside                                                                                                                
ip inspect FW out                                                                                                            
ip virtual-reassembly in                                                                                                      
!                                                                                                                              
interface Ethernet0/1                                                                                                          
no ip address
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/1.110 (внутренняя сеть)
encapsulation dot1Q 110
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/1.111 (DMZ)
encapsulation dot1Q 111
ip address 192.168.10.1 255.255.255.0
ip access-group DMZ_in in
ip access-group DMZ_out out
ip nat inside
ip virtual-reassembly in
!

ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool POOL_dmz хх.хх.хх.124 хх.хх.хх.124  netmask 255.255.255.0
ip nat inside source list NAT interface Ethernet0/0 overload
ip nat inside source list NAT_dmz pool POOL_dmz overload
ip route 0.0.0.0 0.0.0.0 хх.хх.хх.121
!

ip access-list extended DMZ_in
evaluate inav_lan
deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip any any
ip access-list extended DMZ_out
permit tcp 192.168.0.0 0.0.0.255 any reflect inav_lan timeout 300
permit icmp 192.168.0.0 0.0.0.255 any reflect inav_lan timeout 300

ip access-list extended FIREWALL
permit ip any any
ip access-list extended NAT
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT_dmz
permit ip 192.168.10.0 0.0.0.255 any
!
!
!

Конфига коммутатора:

interface Ethernet0/0
switchport access vlan 100
duplex auto
!
interface Ethernet0/1
switchport access vlan 100
duplex auto
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 110,111
switchport mode trunk
duplex auto
!
interface Ethernet0/3
switchport access vlan 110
duplex auto
!
interface Ethernet1/0
switchport access vlan 100
duplex auto
!
interface Ethernet1/1
switchport access vlan 111
duplex auto
!
interface Ethernet1/2
switchport access vlan 110
duplex auto
!