inside OPCSERVER 一台 outside OPCCLIENT 一台
route模式 配置没成功,放弃,采用透明模式
!----进入全局配置-- configure terminal !--删除原来的配置信息-- clear configure all !--ASA名称--时区-- hostname ciscoasa clock timezone CST 8 !--查看当前防火墙工作模式 show firewall !--配置ASA为透明模式 firewall transparent !--将G1/1和G1/2加入到bridge group 1 interface gigabitEthernet 1/1 nameif outside security-level 0 bridge-group 1 no shutdown interface gigabitEthernet 1/2 nameif inside security-level 100 bridge-group 1 no shutdown !--为bridge group分配一个IP地址,仅用在管理流量,此处BVI,类似与交换机的SVI接口 interface BVI 1 ip address 172.19.38.2 255.255.255.0 !--启用http server--启用后可以使用asdm从内网PC配置ASA-- http server enable http 172.19.38.3 255.255.255.255 inside !--在inside和outside接口绑定允许放行的IP和MAC对应关系,并开启ARP Inspection功能 arp inside 172.19.38.3 D094.6665.031A arp outside 172.19.38.13 000C.291F.A157 !--丢弃ARP不完全不匹配的项--(启用了就通讯不成功了,不知道arp规则那里不对) !--arp-inspection inside enable no-flood !--arp-inspection outside enable no-flood !--禁用MAC学习[禁用后,不在识别添加到内网中的新机器,配合前面的arp绑定,可以杜绝未绑定的PC访问OPCSERVER] mac-learn inside disable mac-learn outside disable !--创建配置Network Objects/Groups-- object network opcserver host 172.19.38.3 object network opcclient host 172.19.38.13 !--创建配置Service Objects-- object service tcp135 service tcp destination eq 135 object service tcp20501 service tcp destination range 20501 20601 !--创建配置Service Groups-- object-group service opc_ports service-object object tcp135 service-object object tcp20501 !--配置访问控制列表-- access-list outside_int extended permit object-group opc_ports object opcclient object opcserver access-list inside_access_in extended permit ip object opcserver object opcclient access-list inside_access_in extended deny ip any any !--将访问控制列表应用到对应端口 access-group outside_int in interface outside access-group inside_access_in in interface inside !--将运行参数保存为启动参数-- write memory exit转载于:https://www.cnblogs.com/guyk/p/11537917.html
