Solved

I'm not having success getting port forwarding to work so I can send print jobs to an HP printer.

Posted on 2007-11-20
Last Modified: 2010-04-21
I have a site-to-site VPN set up between my campus and the remote site. At the remote site is a printer that I need to give access to a 3rd party. I have one public address and am using NAT for the private address. My problem is that I have been unsuccessful in getting PAT to work. Any suggestions?
hostname BozTechCtr

domain-name default.domain.invalid

enable password BDbyj0/T51wCEzFP encrypted

names

dns-guard

!

interface Ethernet0

 nameif outside

 security-level 0

 ip address 69.xxx.xxx.26 255.255.255.192 

!

interface Ethernet1

 nameif inside

 security-level 100

 ip address 192.xxx.xxx.15 255.255.255.0 

!

interface Ethernet2

 nameif dmz

 security-level 15

 ip address 207.xxx.xxx.25 255.255.255.248 

!

passwd kB0J6MuzN9KaYswD encrypted

boot system flash:/pix722.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

same-security-traffic permit inter-interface

access-list outside_access_in extended permit ip any any 

access-list outside_access_in extended permit tcp any any 

access-list inside_access_in extended permit ip any any 

access-list inside_access_in extended permit icmp any any 

access-list inside_access_in extended permit tcp host 69.xxx.xxx.26 eq 9100 host 192.xxx.xxx.100 eq 9100 

access-list outside_access_in_1 extended permit tcp any eq 9100 host 69.xxx.xxx.26 eq 9100 

access-list outside_access_in_1 extended permit icmp any any 

access-list outside_access_in_1 extended permit icmp host 207.xxx.xxx.254 any 

access-list outside_access_in_1 extended permit tcp any eq 9100 any eq 9100 

access-list outside_access_in_1 extended permit ip any host 69.145.83.26 

access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 host 207.xxx.xxx.10 

access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 host 207.xxx.xxx.10 

access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip 192.xxx.xxx.0 255.255.255.0 207.xxx.xxx.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip host 69.xxx.xxx.26 207.xxx.xxx.0 255.255.255.0 

access-list dmz_access_in extended permit ip host 207.196.151.254 any 

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 207.xxx.xxx.0 255.255.255.0 outside

icmp permit 207.xxx.xxx.0 255.255.255.0 outside

icmp permit 207.xxx.xxx.0 255.255.255.0 outside

icmp permit any outside

icmp permit any echo-reply inside

icmp permit any echo inside

asdm image flash:/asdm-522.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list outside_20_cryptomap

nat (inside) 1 192.xxx.xxx.0 255.255.255.0

static (inside,outside) tcp 69.xxx.xxx.26 9100 192.xxx.xxx.100 9100 netmask 255.255.255.255 

access-group outside_access_in_1 in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.1 1

route outside 207.xxx.xxx.0 255.255.255.0 207.xxx.xxx.10 255

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username wmcgee password gihAktvoYWwdnvcm encrypted privilege 15

http server enable

http 207.xxx.xxx.0 255.255.255.0 outside

http 192.xxx.xxx.0 255.255.255.0 inside

http 207.xxx.xxx.70 255.255.255.255 outside

http 207.xxx.xxx.26 255.255.255.255 dmz

http 192.xxx.xxx.0 255.255.255.0 inside

http 207.xxx.xxx.0 255.255.255.0 outside

http 207.xxx.xxx.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs 

crypto map outside_map 20 set peer 207.xxx.xxx.10 

crypto map outside_map 20 set transform-set ESP-DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

tunnel-group 207.xxx.xxx.10 type ipsec-l2l

tunnel-group 207.xxx.xxx.10 ipsec-attributes

 pre-shared-key *

telnet 207.xxx.xxx.70 255.255.255.255 outside

telnet 207.xxx.xxx.0 255.255.255.0 outside

telnet 0.0.0.0 0.0.0.0 outside

telnet 192.xxx.xxx.0 255.255.255.0 inside

telnet 207.xxx.xxx.26 255.255.255.255 dmz

telnet timeout 15

ssh 207.xxx.xxx.0 255.255.255.0 outside

ssh timeout 5

console timeout 15

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

prompt hostname context 

Cryptochecksum:f68db8dba128529e6e63b7e3d2bd355d

: end

Question by:dmbonilla4
  • 3
4 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 20322021
I'm guessing you are printing on TCP port 9100 and you have been trying to get it to work, hence the

access-list inside_access_in extended permit tcp host 69.xxx.xxx.26 eq 9100 host 192.xxx.xxx.100 eq 9100
access-list outside_access_in_1 extended permit tcp any eq 9100 host 69.xxx.xxx.26 eq 9100
static (inside,outside) tcp 69.xxx.xxx.26 9100 192.xxx.xxx.100 9100 netmask 255.255.255.255


correct?

if so get rid of those

conf t
no access-list inside_access_in extended permit tcp host 69.xxx.xxx.26 eq 9100 host 192.xxx.xxx.100 eq 9100
no access-list outside_access_in_1 extended permit tcp any eq 9100 host 69.xxx.xxx.26 eq 9100
no static (inside,outside) tcp 69.xxx.xxx.26 9100 192.xxx.xxx.100 9100 netmask 255.255.255.255

now do the following

name 192.xxx.xxx.100 Printer
access-list inbound permit tcp host 69.xxx.xxx.26 interface outside eq 3389
static (inside,outside) tcp interface 3389 Printer 3389 dns netmask 255.255.255.255 0 0
clear xlate
write mem

now try
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 125 total points
ID: 20322029
Aaah, typo, that will teach me to copy and paste!

name 192.xxx.xxx.100 Printer
access-list inbound permit tcp host 69.xxx.xxx.26 interface outside eq 9100
static (inside,outside) tcp interface 9100 Printer 9100 dns netmask 255.255.255.255 0 0
clear xlate
write mem

Sorry, I'm an arse! :)
0
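An added example, not part of the original thread or any poster's own code: a short Python audit run over a constructed excerpt of the configuration posted in the question with the accepted answer's lines merged in. It reports permit entries applied to the outside interface that accept any source, ACLs that are defined but never applied with access-group, and Telnet opened to any address on outside; the `audit` function and the finding names are hypothetical.

```python
# Constructed sample: lines taken from the configuration posted in the question,
# with the ACL and static from the accepted answer merged in.
CONFIG = """\
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any eq 9100 any eq 9100
access-list outside_access_in_1 extended permit ip any host 69.145.83.26
access-list inbound permit tcp host 69.xxx.xxx.26 interface outside eq 9100
static (inside,outside) tcp interface 9100 Printer 9100 dns netmask 255.255.255.255 0 0
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.xxx.xxx.0 255.255.255.0 inside
"""


def audit(config, untrusted="outside"):
    """Return (finding, line) pairs; finding names are hypothetical labels."""
    bound = {}     # ACL name -> interface it is applied to inbound
    entries = []   # (ACL name, tokens after the protocol, original line)
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-group" and len(tok) == 5 and tok[2] == "in":
            bound[tok[1]] = tok[4]
        elif tok[0] == "access-list":
            rest = [t for t in tok[2:] if t != "extended"]
            if len(rest) >= 3 and rest[0] == "permit":
                entries.append((tok[1], rest[2:], line))
        elif tok[:3] == ["telnet", "0.0.0.0", "0.0.0.0"] and tok[-1] == untrusted:
            findings.append(("telnet-from-any", line))
    for name, after_proto, line in entries:
        if name not in bound:
            # Defined, but no access-group attaches it to an interface.
            findings.append(("acl-not-applied", line))
        elif bound[name] == untrusted and after_proto[0] == "any":
            # Source field is "any" on the untrusted interface.
            findings.append(("any-source-on-" + untrusted, line))
    return findings


if __name__ == "__main__":
    for finding, line in audit(CONFIG):
        print(f"{finding:24} {line}")
```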
 

Author Closing Comment

by:dmbonilla4
ID: 31410174
Working now!   Thanks!!!
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 20333535
ThanQ
0


Question has a verified solution.
