Solved

ASA Config - Access Printer from DMZ to Inside Interface

Posted on 2011-03-02
Last Modified: 2012-05-11
Here is my current config.

Inside Interface: 192.168.0.0/24
Wireless Interface (DMZ): 192.168.2.0/24
Printer IP: 192.168.0.20/24

How can I print to a printer from the Wireless (DMZ) to the Inside interface?


hostname test-fw
domain-name abc.com
enable password cmxu3gie7plFdPq/ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif Wireless
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd cmxu3gie7plFdPq/ encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name abc.com

same-security-traffic permit intra-interface

access-list Internet extended permit icmp any any
access-list Internet extended permit icmp any any echo-reply
access-list Internet extended permit icmp any any unreachable
access-list Internet extended permit icmp any any time-exceeded

access-list Wireless extended permit icmp any any
access-list Wireless extended permit icmp any any echo-reply
access-list Wireless extended permit icmp any any unreachable
access-list Wireless extended permit icmp any any time-exceeded
***access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any


asdm image disk0:/asdm-611.bin
no asdm history enable

global (outside) 1 interface
global (Wireless) 1 192.168.2.190-192.168.2.199 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless) 1 0.0.0.0 0.0.0.0

***static (inside,wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group Internet in interface outside
access-group Wireless in interface DMZ

crypto isakmp nat-traversal  30

http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80

telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 wireless
telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0


dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside

dhcpd address 192.168.2.100-192.168.2.200 Wireless
dhcpd dns 4.2.2.1 4.2.2.2 interface Wireless
dhcpd enable Wireless

Question by:Aeroquinn

Expert Comment

by:MikeKane
ID: 35018192
access-list nonat extended permit ip 192.168.0.24 255.255.255.255 192.168.0.24 255.255.255.255

global (inside) 0 access-list nonat

access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0


This will create a nonat from the printer to the DMZ. Apply the nonat. Then it adds an ACL item to allow any wireless LAN device to connect to the printer (all open).

Expert Comment

by:Kvistofta
ID: 35018402
I doubt that that will work. The above configuration will NAT all traffic FROM the 192.168.0.24-address destined TO the same address, and that doesn't make sense.

Instead do this:
static (inside,dmz) 192.168.0.24 192.168.0.25 255.255.255.0
and of course
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Best regards
Kvistofta

Author Comment

by:Aeroquinn
ID: 35018507
What is 192.168.0.25? I understand 0.24 is the printer IP. I thought passing from the DMZ to the Inside, the same address is used?

Expert Comment

by:Kvistofta
ID: 35018566
Sorry, typo from me. It should be

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0

/Kvistofta




Accepted Solution

by:
Kvistofta earned 500 total points
ID: 35018588
...so what I am saying is that the accepted answer is wrong because it bases its policy NAT upon an access-list that states traffic with the same IP address in both source and destination field, and that traffic could never exist.

If nat0 should be used, the access-list must be modified. Or use my static-command instead.

/Kvistofta

Author Comment

by:Aeroquinn
ID: 35018660
So, this is all I need to add?

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Do I need to use this statement as well:

access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any

Thanks. I will make sure you receive credit.
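
An added example (not part of the thread and not Cisco code): a small Python check that reads the two ACL lines quoted above as address plus mask, reports which destination range each one denotes, and tests whether that range includes the printer address 192.168.0.20 given in the question. The function names and the host-only third line are constructed for illustration; how a particular ASA release treats an address/mask pair with host bits set is not modeled here.

```python
import ipaddress

# First two lines are copied from the thread; the last one is constructed.
ACES = [
    "access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0",
    "access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any",
    "access-list Wireless extended permit ip any host 192.168.0.24",  # constructed
]

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'.
    Returns (network, mismatch, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), False, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), False, tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    # mismatch: the written address is not the network address for that mask,
    # so the entry reads like a single host but denotes the whole subnet
    mismatch = str(net.network_address) != tokens[0]
    return net, mismatch, tokens[2:]

def audit(line, target):
    """Describe the destination of one extended ACE relative to a target host."""
    tok = line.split()
    # layout: access-list NAME extended ACTION PROTO SRC... DST...
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    _src, _, rest = take_addr(tok[5:])
    dst, mismatch, _ = take_addr(rest)
    return {
        "action": tok[3],
        "dst": str(dst),
        "dst_addresses": dst.num_addresses,
        "addr_mask_mismatch": mismatch,
        "covers_target": ipaddress.ip_address(target) in dst,
    }

if __name__ == "__main__":
    for ace in ACES:
        print(audit(ace, "192.168.0.20"), "<-", ace)
```

Read this way, the first line denotes all 256 addresses of 192.168.0.0/24 rather than one printer, the second denotes every destination, and the host-only form does not include 192.168.0.20.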


Author Comment

by:Aeroquinn
ID: 35023299
How do I give you credit?

Expert Comment

by:Kvistofta
ID: 35026121
I think you have to ask an EE administrator or moderator. I dunno.

/Kvistofta

Author Comment

by:Aeroquinn
ID: 35217700
Resolved