Solved

I'm not having success getting port forwarding to work so I can send print jobs to an HP printer.

Posted on 2007-11-20
Last Modified: 2010-04-21
I have a site-to-site VPN set up between my campus and the remote site. At the remote site is a printer that I need to give access to a 3rd party. I have one public address and am using NAT for the private address. My problem is that I have been unsuccessful in getting PAT to work. Any suggestions?
hostname BozTechCtr
domain-name default.domain.invalid
enable password BDbyj0/T51wCEzFP encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 69.xxx.xxx.26 255.255.255.192 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.xxx.xxx.15 255.255.255.0 
!
interface Ethernet2
 nameif dmz
 security-level 15
 ip address 207.xxx.xxx.25 255.255.255.248 
!
passwd kB0J6MuzN9KaYswD encrypted
boot system flash:/pix722.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit tcp host 69.xxx.xxx.26 eq 9100 host 192.xxx.xxx.100 eq 9100 
access-list outside_access_in_1 extended permit tcp any eq 9100 host 69.xxx.xxx.26 eq 9100 
access-list outside_access_in_1 extended permit icmp any any 
access-list outside_access_in_1 extended permit icmp host 207.xxx.xxx.254 any 
access-list outside_access_in_1 extended permit tcp any eq 9100 any eq 9100 
access-list outside_access_in_1 extended permit ip any host 69.145.83.26 
access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 host 207.xxx.xxx.10 
access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 host 207.xxx.xxx.10 
access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 
access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 
access-list dmz_access_in extended permit ip host 207.196.151.254 any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 207.xxx.xxx.0 255.255.255.0 outside
icmp permit 207.xxx.xxx.0 255.255.255.0 outside
icmp permit 207.xxx.xxx.0 255.255.255.0 outside
icmp permit any outside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list outside_20_cryptomap
nat (inside) 1 192.xxx.xxx.0 255.255.255.0
static (inside,outside) tcp 69.xxx.xxx.26 9100 192.xxx.xxx.100 9100 netmask 255.255.255.255 
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.1 1
route outside 207.xxx.xxx.0 255.255.255.0 207.xxx.xxx.10 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username wmcgee password gihAktvoYWwdnvcm encrypted privilege 15
http server enable
http 207.xxx.xxx.0 255.255.255.0 outside
http 192.xxx.xxx.0 255.255.255.0 inside
http 207.xxx.xxx.70 255.255.255.255 outside
http 207.xxx.xxx.26 255.255.255.255 dmz
http 192.xxx.xxx.0 255.255.255.0 inside
http 207.xxx.xxx.0 255.255.255.0 outside
http 207.xxx.xxx.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 207.xxx.xxx.10 
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 207.xxx.xxx.10 type ipsec-l2l
tunnel-group 207.xxx.xxx.10 ipsec-attributes
 pre-shared-key *
telnet 207.xxx.xxx.70 255.255.255.255 outside
telnet 207.xxx.xxx.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet 207.xxx.xxx.26 255.255.255.255 dmz
telnet timeout 15
ssh 207.xxx.xxx.0 255.255.255.0 outside
ssh timeout 5
console timeout 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:f68db8dba128529e6e63b7e3d2bd355d
: end

Question by:dmbonilla4
4 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 20322021
I'm guessing you are printing on TCP port 9100 and you have been trying to get it to work, hence the

access-list inside_access_in extended permit tcp host 69.xxx.xxx.26 eq 9100 host 192.xxx.xxx.100 eq 9100
access-list outside_access_in_1 extended permit tcp any eq 9100 host 69.xxx.xxx.26 eq 9100
static (inside,outside) tcp 69.xxx.xxx.26 9100 192.xxx.xxx.100 9100 netmask 255.255.255.255


correct?

if so get rid of those

conf t
no access-list inside_access_in extended permit tcp host 69.xxx.xxx.26 eq 9100 host 192.xxx.xxx.100 eq 9100
no access-list outside_access_in_1 extended permit tcp any eq 9100 host 69.xxx.xxx.26 eq 9100
no static (inside,outside) tcp 69.xxx.xxx.26 9100 192.xxx.xxx.100 9100 netmask 255.255.255.255

now do the following

name 192.xxx.xxx.100 Printer
access-list inbound permit tcp host 69.xxx.xxx.26 interface outside eq 3389
static (inside,outside) tcp interface 3389 Printer 3389 dns netmask 255.255.255.255 0 0
clear xlate
write mem

now try
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 125 total points
ID: 20322029
aaah typo that will teach me to copy and paste!

name 192.xxx.xxx.100 Printer
access-list inbound permit tcp host 69.xxx.xxx.26 interface outside eq 9100
static (inside,outside) tcp interface 9100 Printer 9100 dns netmask 255.255.255.255 0 0
clear xlate
write mem

sorry I'm an arse! :)
0
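
A coarse offline check for the rules discussed in this thread, added here as an illustration and not code from any poster: for each `static` TCP port forward it reports which rule of the ACL actually bound by `access-group` admits the port, and lists ACLs that no `access-group` applies. The function names and SAMPLE (lines taken from the posted config and the accepted answer, in the post's redacted address form) are this example's own; address matching and deny ordering are ignored.

```python
import re

# Constructed sample: lines from the posted config and accepted answer (redacted as posted).
SAMPLE = """\
access-list outside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any eq 9100 any eq 9100
access-list outside_access_in_1 extended permit ip any host 69.xxx.xxx.26
access-list inbound permit tcp host 69.xxx.xxx.26 interface outside eq 9100
static (inside,outside) tcp interface 9100 Printer 9100 dns netmask 255.255.255.255 0 0
access-group outside_access_in_1 in interface outside
"""

def _endpoint(tok, i):
    """Consume one address spec plus optional 'eq <port>'; return (port, next_i)."""
    i += 1 if tok[i] == "any" else 2          # any | host A | interface IF | A MASK
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i

def parse_rule(text):
    """'permit tcp any eq 9100 any eq 9100' -> (action, proto, sport, dport)."""
    tok = text.split()
    sport, i = _endpoint(tok, 2)              # source comes first, then destination
    dport, _ = _endpoint(tok, i)
    return tok[0], tok[1], sport, dport

def audit(config):
    """Coarse check (assumption: addresses and deny ordering are not evaluated)."""
    acls, bound, forwards = {}, {}, []
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) (?:extended )?((?:permit|deny) .+)", line):
            acls.setdefault(m[1], []).append(m[2].strip())
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m[2]] = m[1]
        elif m := re.match(r"static \(\S+?,(\S+?)\) tcp \S+ (\d+) ", line):
            forwards.append((m[1], m[2]))     # (mapped interface, mapped port)
    report = {"unbound": sorted(set(acls) - set(bound.values())), "forwards": []}
    for iface, port in forwards:
        admits = []
        for text in acls.get(bound.get(iface), []):
            action, proto, sport, dport = parse_rule(text)
            # A source-port match excludes clients connecting from ephemeral ports.
            ok = action == "permit" and proto in ("ip", "tcp") and sport is None
            if ok and dport in (None, port):
                admits.append((text, "exact" if proto == "tcp" and dport else "broad"))
        report["forwards"].append((iface, port, bound.get(iface), admits))
    return report
```

Calling `audit(SAMPLE)` shows that a rule written `any eq 9100 any eq 9100` also requires source port 9100, and that in these lines `inbound` and `outside_access_in` are not applied to any interface.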
 

Author Closing Comment

by:dmbonilla4
ID: 31410174
Working now!   Thanks!!!
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 20333535
ThanQ
0
