尊重原创,转发请声名
inside OPCSERVER 一台
outside OPCCLIENT 一台
route模式 配置没成功,放弃,采用透明模式
!----进入全局配置--
configure terminal
!--删除原来的配置信息--
clear configure all
!--ASA名称--时区--
hostname ciscoasa
clock timezone CST 8
!--查看当前防火墙工作模式
show firewall
!--配置ASA为透明模式
firewall transparent
!--将G1/1和G1/2加入到bridge group 1
interface gigabitEthernet 1/1
nameif outside
security-level 0
bridge-group 1
no shutdown
interface gigabitEthernet 1/2
nameif inside
security-level 100
bridge-group 1
no shutdown
!--为bridge group分配一个IP地址,仅用在管理流量,此处BVI,类似与交换机的SVI接口
interface BVI 1
ip address 172.19.38.2 255.255.255.0
!--启用http server--启用后可以使用asdm从内网PC配置ASA--
http server enable
http 172.19.38.3 255.255.255.255 inside
!--在inside和outside接口绑定允许放行的IP和MAC对应关系,并开启ARP Inspection功能
arp inside 172.19.38.3 D094.6665.031A
arp outside 172.19.38.13 000C.291F.A157
!--丢弃ARP不完全不匹配的项--(启用了就通讯不成功了,不知道arp规则那里不对)
!--arp-inspection inside enable no-flood
!--arp-inspection outside enable no-flood
!--禁用MAC学习[禁用后,不在识别添加到内网中的新机器,配合前面的arp绑定,可以杜绝未绑定的PC访问OPCSERVER]
mac-learn inside disable
mac-learn outside disable
!--创建配置Network Objects/Groups--
object network opcserver
host 172.19.38.3
object network opcclient
host 172.19.38.13
!--创建配置Service Objects--
object service tcp135
service tcp destination eq 135
object service tcp20501
service tcp destination range 20501 20601
!--创建配置Service Groups--
object-group service opc_ports
service-object object tcp135
service-object object tcp20501
!--配置访问控制列表--
access-list outside_int extended permit object-group opc_ports object opcclient object opcserver
access-list inside_access_in extended permit ip object opcserver object opcclient
access-list inside_access_in extended deny ip any any
!--将访问控制列表应用到对应端口
access-group outside_int in interface outside
access-group inside_access_in in interface inside
!--将运行参数保存为启动参数--
write memory
exit