dwielgosz asked:

How do I configure a PIX to allow a webserver, in a DMZ, to print to a LAN printer

I have a webserver with an inside and an outside IP that I would like to print from, without actually attaching a printer to it. Our PIX 501 is configured to allow connections to the webserver on only ports 80 and 443. How exactly do I go about this?
nodisco:

Can you explain how this is set up? A 501 only has an inside and outside interface - so there is no hardware DMZ to use. And if the webserver has an inside address - where is the printer located - is it also on the inside network?

dwielgosz (asker):

Through access rules, I guess, on the PIX. Everything is connected to our switch and the router directs traffic through from the outside. Yes, the printer is attached to my workstation, which is physically next to the webserver and on the internal LAN.
You will have to excuse me but I'm confused.

You have a webserver on the inside but it has an outside IP - is this a second network card or a translated IP address through the PIX?
If the webserver is on the internal LAN and so is the printer - you can set up a local LAN printer - but I'm guessing you want more than that -

do you want to be able to print from outside via the website to your local printer?

Please draw up a quick diagram showing how devices are connected and exactly what you want this to do and it will be simpler to fix

cheers
The webserver has one active NIC which is NAT'd through the PIX. It can be accessed from our LAN using the address that is in our subnet. It can also be accessed from the Internet through a public IP. As far as I know, the only ports that are open on the webserver are ports 80 and 443 in order to allow access to our website. I have a web analysis application running on the webserver, and even though I can connect to that app through HTTP, I may want to log onto it locally, in which case I would like to be able to print reports to a printer that is on our inside LAN. There may be some other instances where I may want to print from the webserver, when I am on it locally, as well. I have tried installing a network printer from the webserver and for whatever reason, I would guess because all of the ports are closed except for 80 & 443, I cannot even browse the internal network. So, do I need to open port 9100 to allow this? If that's the case then how do I configure the PIX to allow this? I hope that clarifies things.
If you are on the internal network and you are logged on to the webserver by its internal IP address, the PIX plays absolutely no part in what is happening with printing. As you are able to connect to the webserver and the printer is connected to you, then the webserver's inability to print is something on the webserver - check if you can ping it or not. The PIX allowing certain ports access from outside is doing exactly that and nothing more - if you access the webserver from inside, the PIX is not involved at all and therefore is not blocking you from connecting to printers.

I think we are on the same wavelength now but please advise if I am misconstruing your intention

hth
I am able to ping the webserver from my workstation (on which the printer is attached). I understand your logic that if I can ping the webserver from my WS and the printer is attached to my WS, then the webserver should be able to print to my WS. However, when the techie configured things for us he said that he was setting it up so that the webserver could not be attacked through the rear door, i.e. our LAN. So isn't it possible that all internal traffic to that IP (the webserver) is routed through that PIX? And only on ports 80 and 443. The firewall on the webserver is not on because he said it would be unnecessarily redundant because traffic is only allowed on ports 80 and 443.
<<So isn't it possible that all internal traffic to that IP (the webserver) is routed through that PIX>>

No - simply because a PIX cannot route. Traffic cannot go out a PIX interface that it originated from - it just does not work that way. For example -

Internet > PIX > Internal network

If your webserver and your PC are on the internal network, and you try and access the webserver by its public IP - you cannot. Because the traffic goes to the PIX, the PIX sends it out to the internet looking for DNS resolution - but the traffic is not able to come back in as it originated from the inside.

If you are on the inside of this network and so is the webserver - you can forget that the PIX even exists. All the PIX is doing regarding ports 80 and 443 is allowing external outside traffic through to the webserver. As you are on the same network, the webserver never needs to go to the gateway (PIX) at all as it can see the printer on its local network. If your local tech has somehow secured the webserver so that it's disallowed to access some internal resources - then you will need to get it sorted with the tech, but the PIX is not your problem here.

If you wish - draw up a quick diagram of how everything is connected in case there is something small we are overlooking - but it certainly isn't your firewall.

hope this helps

This is the response that I got from the technician that set up the webservers for us regarding the production webserver access from our LAN:

It's not technically in a DMZ, which would give the server a direct outside IP address not an internal one, but I'm sure that the tech who set it up blocked most access to the webserver from inside your network for security reasons. Having any access to your internal network does give hackers potential access to you if the webserver were to ever get cracked. If you really need to do any printing from the webserver, either move a local printer to it temporarily or get a cheap printer to keep there permanently.

Does that shed any light on the setup?
<<It's not technically in a DMZ, which would give the server a direct outside IP address not an internal one, but I'm sure that the tech who set it up blocked most access to the webserver from inside your network for security reasons. Having any access to your internal network does give hackers potential access to you if the webserver were to ever get cracked. If you really need to do any printing from the webserver, either move a local printer to it temporarily or get a cheap printer to keep there permanently.>>

OK - a PIX 501 does not have a DMZ interface. And having it in a DMZ would NOT give the server a direct outside IP address - it would give it a DMZ IP address that you could translate out to an outside one.
I understand your frustration with this, but if you post your PIX config (minus your public IPs and any passwords) with a quick diagram of how this is all connected - I can give you a breakdown of how this will or won't work.

hth
ok, I'll try

We have the following setup:

Serial T1 Line

Cisco 1760 Router (strictly doing Routing)

PIX 501

The above three items are connected in series (ONE INTO ANOTHER)

At this point the PIX and everything else (Hubs and Servers) on our LAN are plugged into our switch

Below is the PIX config (and below that is the router configuration; the router has two "outside" IPs: 1 in and 1 out):

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
hostname pix501
domain-name home.ourdomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_acl permit icmp any any
access-list outside_acl permit tcp any host XX.XXX.XX.164 eq www
access-list outside_acl permit tcp any host XX.XXX.XX.164 eq https
access-list outside_acl permit tcp 64.73.49.0 255.255.255.128 host XX.XXX.XX.162 eq smtp
access-list outside_acl permit tcp 64.73.152.0 255.255.255.128 host XX.XXX.XX.162 eq smtp
access-list outside_acl permit tcp any host XX.XXX.XX.162 eq www
access-list outside_acl permit ip any host XX.XXX.XX.166
access-list outside_acl permit udp any host XX.XXX.XX.161 eq isakmp
access-list outside_acl permit esp any host XX.XXX.XX.161
access-list outside_acl deny ip any any
access-list no_nat permit ip 192.168.168.0 255.255.255.0 192.168.150.0 255.255.255.0
pager lines 24
logging on
logging trap informational
logging host inside 192.168.168.1
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside XX.XXX.XX.161 255.255.255.248
ip address inside 192.168.168.150 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote_users 192.168.150.1-192.168.150.5 mask 255.255.255.0
pdm location 192.168.150.0 255.255.255.0 inside
pdm location 192.168.168.1 255.255.255.255 inside
pdm location 192.168.168.140 255.255.255.255 inside
pdm location 192.168.168.225 255.255.255.255 inside
pdm location 64.XX.XX.220 255.255.255.255 outside
pdm location 64.XX.XX.0 255.255.255.128 outside
pdm location 64.XX.XXX.0 255.255.255.128 outside
pdm location 192.168.150.0 255.255.255.0 outside
pdm location 192.168.168.0 255.255.255.0 outside
pdm location 70.92.72.0 255.255.255.0 outside
pdm location 192.168.168.240 255.255.255.255 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
static (inside,outside) XX.XXX.XX.164 192.168.168.225 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XX.162 192.168.168.1 netmask 255.255.255.255 0 0
static (inside,outside) XX.XXX.XX.166 192.168.168.140 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 63.246.64.163 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MCVPNGroup address-pool remote_users
vpngroup MCVPNGroup dns-server 192.168.168.1
vpngroup MCVPNGroup wins-server 192.168.168.1
vpngroup MCVPNGroup default-domain home.OURDOMAIN.com
vpngroup MCVPNGroup idle-time 1800
vpngroup MCVPNGroup password XXXXXXX
vpngroup address-pool idle-time 1800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 64.XX.XX.220 255.255.255.255 outside
ssh 70.XX.XX.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
username administrator password XXXXXXXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:XXXXXxxxxxxxxxXXXXXXX
: end
[OK]



Router Configuration:


Building configuration...

Current configuration : 1724 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco1700
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-6a.bin
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 XXXXXXXXXXXXXXXXX
!
username XXXXXXXXXX privilege 15 password XXXXXXXXXXXXXXXXXXXXXX
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip domain name home.OUR DOMAIN.com
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0/0
 description LAN interface connected to pix 501 interface ethernet0
 ip address XX.XXX.XX.163 255.255.255.248
 no ip redirects
 no ip proxy-arp
 speed auto
 full-duplex
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.32 point-to-point
 description T1 connection to internet service provider
 ip address XX.XXX.XX.141 255.255.255.252
 no ip redirects
 no ip proxy-arp
 frame-relay interface-dlci 32 IETF  
!
ip classless
ip route 0.0.0.0 0.0.0.0 63.246.64.142
ip http server
ip http secure-server
!
!
!
banner login ^CUnauthorized access to this equipment is prohibited!
^C
!
line con 0
 password XXXXXXXXXXXXXXXXXX
line aux 0
 password XXXXXXXXXXXXXXXXXXXX
line vty 0 4
 privilege level 15
 password XXXXXXXXXXXXXXXXX
 transport input telnet
line vty 5 15
 privilege level 15
 password XXXXXXXXXXXXXXXXXXXX
 transport input telnet
!
!
end

SOLUTION by IPKON_Networks
This solution is only available to members.
Barny and dwielgosz

This is what I have been saying. The webserver is on the same 192.168.168.0 network as your local PC and print server. If the webserver tries to access a 192.168.168.x machine, it is in its local subnet so never needs to go to its default gateway (the PIX). The problem here seems to be more of a misunderstanding than anything else - as the PIX is NOT blocking you from printing. The tech who is telling you that it is protected from the internal network - can you ask him what is protecting it? And if he believes it is the PIX - ask him what he thinks is protecting it on the PIX?
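The point made in this post and in the earlier "Internet > PIX > Internal network" explanation can be checked mechanically against the posted config. The following is an added example, not code from the thread or from Cisco: a small Python model of the PIX 6.3 config above that classifies a flow as local (never reaching the PIX), hairpinned (inside host using the public address, which the PIX will not turn around), outbound, or inbound through outside_acl. The public addresses are redacted on the page as XX.XXX.XX.x, so the 203.0.113.x and 198.51.100.7 documentation addresses are assumed stand-ins, and the parser handles only the address and port forms that appear in the posted config.

```python
"""Added example (not code from the thread): model the posted PIX 6.3 config and
answer "does this packet ever reach the PIX, and if so does it get through?".
The public addresses are redacted on the page; 203.0.113.0/29 (PIX outside
subnet) and 198.51.100.7 (an Internet client) are assumed stand-ins.
"""
import ipaddress

# Constructed excerpt of the posted config, limited to the webserver lines
# (inside 192.168.168.225, static to .164, only www/https permitted inbound).
PIX_CONFIG = """
ip address outside 203.0.113.161 255.255.255.248
ip address inside 192.168.168.150 255.255.255.0
access-list outside_acl permit icmp any any
access-list outside_acl permit tcp any host 203.0.113.164 eq www
access-list outside_acl permit tcp any host 203.0.113.164 eq https
access-list outside_acl deny ip any any
global (outside) 1 interface
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.164 192.168.168.225 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
"""

NAMED_PORTS = {"www": 80, "https": 443, "smtp": 25}


def parse_pix(text):
    """Pull interface subnets, static NATs and outside_acl entries out of the config."""
    ifaces, statics, acl = {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "static":
            statics[t[2]] = t[3]      # global (outside) address -> inside address
        elif t[:2] == ["access-list", "outside_acl"]:
            acl.append(t[2:])         # e.g. ['permit','tcp','any','host',X,'eq','www']
    return ifaces, statics, acl


def _addr_matcher(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        h = ipaddress.ip_address(tokens[1])
        return (lambda ip: ip == h), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")
    return (lambda ip: ip in net), tokens[2:]


def acl_allows(acl, proto, src, dst, dport=None):
    """First-match evaluation of outside_acl; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        action, eproto, rest = entry[0], entry[1], entry[2:]
        if eproto not in ("ip", proto):
            continue
        src_ok, rest = _addr_matcher(rest)
        dst_ok, rest = _addr_matcher(rest)
        port_ok = True
        if rest[:1] == ["eq"]:
            port_ok = dport == (NAMED_PORTS.get(rest[1]) or int(rest[1]))
        if src_ok(src) and dst_ok(dst) and port_ok:
            return action == "permit"
    return False


def path(cfg, src, dst, proto="tcp", dport=None):
    """Classify a flow the way the thread describes the PIX 501 behaving."""
    ifaces, statics, acl = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inside = ifaces["inside"].network
    if s in inside and d in inside:
        # Same subnet: webserver and printer PC talk directly across the switch.
        return "local: same subnet, the PIX never sees this traffic"
    if s in inside:
        if str(d) in statics:
            # Inside host using the public address: the PIX will not send the
            # reply back out the interface the request arrived on.
            return "dropped: inside host hairpinning to a static global address"
        return "outbound: PAT'd to the outside interface address"
    local = statics.get(str(d))
    if local is None:
        return "dropped: no static translation for that outside address"
    if acl_allows(acl, proto, src, dst, dport):
        return f"inbound: permitted by outside_acl, translated to {local}"
    return "dropped: denied by outside_acl"


CFG = parse_pix(PIX_CONFIG)

if __name__ == "__main__":
    for args in [("192.168.168.225", "192.168.168.10", "tcp", 9100),
                 ("198.51.100.7", "203.0.113.164", "tcp", 443),
                 ("198.51.100.7", "203.0.113.164", "tcp", 9100),
                 ("192.168.168.10", "203.0.113.164", "tcp", 80)]:
        print(args, "->", path(CFG, *args))
```

The first case is the asker's printing scenario (webserver to printer PC on port 9100): both addresses fall inside 192.168.168.0/24, so the function never consults the ACL, which is exactly why opening port 9100 on the PIX would change nothing.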

To answer Barny's questions:

"the Webserver is on the same subnet as your PC's"- - - - YES
"Have you shared your printer on the PC?"- - - - YES, it is
"then go onto the webserver and try and access it via your PC's IP address and share name"- - - - I have tried both and, in fact, cannot see anything else on the network

This may be part of the problem:
I was looking at the "Network Connections" in the Control Panel and saw that the webserver PC has two physical NICs that are "teamed" and that the resulting network connection's properties are the following:

The IP address, as stated, is set to an internal IP address and the Default Gateway is set to the PIX IP. HOWEVER, the preferred DNS server IPs are both set to our ISPs, EXTERNAL DNS servers. Will this not cause the webserver to be "looking" outward and therefore not be able to "see" the internal network?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
How do I go about that? Do I just create a text file like this:

webserver  192.168.168.225


and name it "LMHosts.txt"
and then put it where?
On the webserver, go to c:\windows\system32\drivers\etc and open the lmhosts.sam file.
Put in the IP address as follows:

[machine name]       [ip address]

e.g.

192.168.10.1            internalpc

Save the file as "lmhosts" - note no .sam extension

you should then be able to ping the ip address of internalpc by typing
ping internalpc
from the webserver

hth
Not wanting to offend anyone, but I need to say that experts need to be very specific with instructions to those of us that don't eat, sleep and (you know what) network stuff day in and day out. For instance, your instructions above I'm sure are extremely simple to you, but I'm thinking that I need to create a file that looks like this (and I'm sure it'd be wrong):

[machine name]      [ip address]-----(Do I include this part)

e.g.----(Do I include this)

192.168.168.225    PE2850WEB----(Are the name and IP intentionally transposed?)

This can't be correct, or is it?
Apologies - we don't know your skillset so sometimes assume more than we should.
First of all - you need to be able to contact the pc (with the printer) by the webserver.
From the webserver, make sure you can ping the internal pc ok.
If for example the internal pc is called mypc, and the ip address of it is 192.168.168.10 then create an lmhosts file on the webserver.
The file should have the following in it :

192.168.168.10            mypc

Save the file as lmhosts (note no filename extension) and see if you can now ping mypc from the webserver :
e.g.  ping mypc

It should reply with the ip address (192.168.168.10 - this is just a sample address)
You should now be able to connect to the printer

hth
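To take the guesswork out of the two LMHOSTS descriptions above (the lmhosts.sam edit and the mypc example), here is an added example, not code from the thread or from Microsoft: a Python script that renders an LMHOSTS file in the order Windows expects (IP address first, then the NetBIOS name) and validates a candidate file, flagging the transposed-fields mistake the asker was worried about. The file location c:\windows\system32\drivers\etc\lmhosts (no extension) is taken from the thread; the name mypc and the address 192.168.168.10 are nodisco's sample values, and the asker's draft text is constructed.

```python
"""Added example (not code from the thread): build and sanity-check an LMHOSTS
file for the webserver so it can resolve the printer PC by name.  The file
location (c:\\windows\\system32\\drivers\\etc\\lmhosts, no extension) comes from
the thread; the host name and 192.168.168.10 are the thread's sample values.
"""
import ipaddress

NETBIOS_MAX = 15   # NetBIOS computer names are at most 15 characters


def validate_lmhosts(text):
    """Parse LMHOSTS text. Returns ({NAME: ip}, [error strings])."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (this also drops #PRE)
        if not line:
            continue                           # lmhosts.sam is almost entirely comments
        tokens = line.split()
        if len(tokens) != 2:
            errors.append(f"line {lineno}: expected exactly '<ip address> <name>'")
            continue
        first, second = tokens
        try:
            ip = ipaddress.ip_address(first)
        except ValueError:
            # The mistake the thread worried about: name and address transposed.
            try:
                ipaddress.ip_address(second)
                errors.append(f"line {lineno}: the IP address must come first, "
                              f"i.e. '{second}\t{first}'")
            except ValueError:
                errors.append(f"line {lineno}: '{first}' is not an IP address")
            continue
        if len(second) > NETBIOS_MAX:
            errors.append(f"line {lineno}: name '{second}' exceeds {NETBIOS_MAX} characters")
            continue
        entries[second.upper()] = str(ip)      # NetBIOS names are case-insensitive
    return entries, errors


def render_lmhosts(hosts):
    """Produce file text in the order Windows expects: IP, whitespace, name."""
    lines = ["# LMHOSTS for the webserver (constructed example)"]
    for name, ip in hosts.items():
        ipaddress.ip_address(ip)                # raise early on a typo in the address
        if len(name) > NETBIOS_MAX:
            raise ValueError(f"{name!r} is not a valid NetBIOS name")
        lines.append(f"{ip:<18}{name.upper()}")
    return "\n".join(lines) + "\n"


# Constructed: the asker's draft (template text kept in, fields transposed) and
# the layout nodisco suggested (IP first, then the printer PC's name).
ASKER_DRAFT = "[machine name]      [ip address]\nmypc    192.168.168.10\n"
GOOD_FILE = render_lmhosts({"mypc": "192.168.168.10"})

if __name__ == "__main__":
    print(GOOD_FILE)
    for err in validate_lmhosts(ASKER_DRAFT)[1]:
        print(err)
    print("save the text above as c:\\windows\\system32\\drivers\\etc\\lmhosts (no extension)")
```

Running it prints the two-line file to save on the webserver and lists why each line of the draft would be rejected; after saving, ping mypc from the webserver as nodisco describes to confirm the name resolves.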
OK, I did not do a LMHosts file because I did not understand the above directions.

What I do have to report though is that, on a whim, I went back into the Add Printer Wizard and I chose the "add network printer" path and it found my PC immediately and my shared printer. I installed it, printed a test page and for whatever reason, it now works. I cannot explain what happened, although I must stress my absolute certainty that I was unable to do the same thing yesterday following the same process as today. So apparently the problem is solved and I do want to thank everyone for trying to help.
Glad you are working - but to re-emphasise, the problem was not to do with your PIX. Just an FYI for the future.
I think I believe you. :=)
OH! What about the points for the question? Any suggestions would be welcome.
Points really are up to you - have a look at the help section on answering/grading if you're unsure

https://www.experts-exchange.com/help.jsp#hi73

If you do choose to have the question closed without accepting answers, pls don't request a deletion as there is plenty of worthwhile information in the thread for the database.

cheers
nodisco gets an "A" for effort and perseverance and IPKON Networks gets 25 points for trying to be of assistance. Thanks folks!
thank you