Solved

ASA Config - Access Printer from DMZ to Inside Interface

Posted on 2011-03-02
Last Modified: 2012-05-11
Here is my current config.

Inside Interface: 192.168.0.0/24
Wireless Interface (DMZ): 192.168.2.0/24
Printer IP: 192.168.0.20/24

How can I print to a printer from the Wireless (DMZ) to the Inside interface?


hostname test-fw
domain-name abc.com
enable password cmxu3gie7plFdPq/ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif Wireless
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd cmxu3gie7plFdPq/ encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name abc.com

same-security-traffic permit intra-interface

access-list Internet extended permit icmp any any
access-list Internet extended permit icmp any any echo-reply
access-list Internet extended permit icmp any any unreachable
access-list Internet extended permit icmp any any time-exceeded

access-list Wireless extended permit icmp any any
access-list Wireless extended permit icmp any any echo-reply
access-list Wireless extended permit icmp any any unreachable
access-list Wireless extended permit icmp any any time-exceeded
***access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any


asdm image disk0:/asdm-611.bin
no asdm history enable

global (outside) 1 interface
global (Wireless) 1 192.168.2.190-192.168.2.199 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless) 1 0.0.0.0 0.0.0.0

***static (inside,wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group Internet in interface outside
access-group Wireless in interface Wireless

crypto isakmp nat-traversal  30

http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80

telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 wireless
telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0


dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside

dhcpd address 192.168.2.100-192.168.2.200 Wireless
dhcpd dns 4.2.2.1 4.2.2.2 interface Wireless
dhcpd enable Wireless

Question by: Aeroquinn
10 Comments
 
LVL 33

Expert Comment

by: MikeKane
ID: 35018192
access-list nonat extended permit ip 192.168.0.24 255.255.255.255 192.168.0.24 255.255.255.255

nat (inside) 0 access-list nonat

access-list Wireless extended permit ip any host 192.168.0.24


This will create a nonat from the printer to the DMZ. Apply the nonat. Then add an ACL entry to allow any wireless LAN device to connect to the printer (all open).
 
LVL 17

Expert Comment

by: Kvistofta
ID: 35018402
I doubt that that will work. The above configuration will NAT all traffic FROM the 192.168.0.24 address destined TO the same address, and that doesn't make sense.

Instead do this:
static (inside,dmz) 192.168.0.24 192.168.0.25 255.255.255.0
and of course
access-list Wireless extended permit ip any host 192.168.0.24

Best regards
Kvistofta
 

Author Comment

by: Aeroquinn
ID: 35018507
What is 192.168.0.25? I understand 0.24 is the printer IP. I thought passing from the DMZ to the Inside, the same address is used?
 
LVL 17

Expert Comment

by: Kvistofta
ID: 35018566
Sorry, typo from me. It should be

static (inside,Wireless) 192.168.0.24 192.168.0.24 netmask 255.255.255.255

/Kvistofta



 
LVL 17

Accepted Solution

by: Kvistofta (earned 500 total points)
ID: 35018588
...so what I am saying is that the accepted answer is wrong because it bases its policy NAT upon an access-list that states traffic with the same IP address in both source and destination field, and that traffic could never exist.

If nat0 should be used, the access-list must be modified. Or use my static-command instead.

/Kvistofta
 

Author Comment

by: Aeroquinn
ID: 35018660
So, this is all I need to add?

static (inside,Wireless) 192.168.0.24 192.168.0.24 netmask 255.255.255.255
access-list Wireless extended permit ip any host 192.168.0.24

Do I need to use this statement as well:

access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any

Thanks. I will make sure you receive credit.

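The accepted approach (an identity static between inside and the wireless interface, plus an inbound ACL on that interface) written out against the interface names and addresses from the question, as an added example rather than the experts' own commands. It uses the printer address 192.168.0.20 from the question, an assumed ACL name Wireless-in, pre-8.3 NAT syntax (the config boots asa722/asa803 images), and narrows the printer permit to the common print ports (TCP 9100, 515, 631) instead of `permit ip`.

```cisco
! Added example, not from the thread.
! 1. Identity NAT for the printer between inside and Wireless: mapped = real, so the
!    printer keeps 192.168.0.20 when reached from the wireless subnet. A host mask
!    is used instead of the whole-subnet static (inside,wireless) 192.168.0.0 in the post.
static (inside,Wireless) 192.168.0.20 192.168.0.20 netmask 255.255.255.255
!
! 2. Inbound ACL for Wireless (security-level 50 -> inside 100 needs an explicit permit).
!    Entries match top-down, so the narrow printer permits and the deny toward the inside
!    subnet must come before the broad permit for Internet-bound traffic. A new ACL name
!    (Wireless-in, assumed) is used because appending to the posted ACL "Wireless" would
!    place these lines after its existing "permit ip 192.168.2.0 ... any".
access-list Wireless-in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.20 eq 9100
access-list Wireless-in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.20 eq 515
access-list Wireless-in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.20 eq 631
! ICMP return traffic carried over from the posted ACL
access-list Wireless-in extended permit icmp any any echo-reply
access-list Wireless-in extended permit icmp any any unreachable
access-list Wireless-in extended permit icmp any any time-exceeded
! Everything else from wireless toward the inside subnet is dropped; Internet is allowed
access-list Wireless-in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Wireless-in extended permit ip 192.168.2.0 255.255.255.0 any
!
! 3. Bind by nameif. The posted "access-group Wireless in interface DMZ" cannot apply
!    because no interface carries nameif DMZ; VLAN 12 is named Wireless.
access-group Wireless-in in interface Wireless
!
! 4. Verify the translation and the ACL hit counts before testing from a wireless client
show xlate | include 192.168.0.20
show access-list Wireless-in
```

Two unrelated items in the posted config are worth attention while making this change: the Wireless DHCP scope 192.168.2.100-192.168.2.200 overlaps the PAT pool `global (Wireless) 1 192.168.2.190-192.168.2.199`, so a wireless client can be leased an address the firewall also uses for translation, and `ssh 0.0.0.0 0.0.0.0 outside` permits SSH to the firewall from any Internet address.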
 

Author Comment

by: Aeroquinn
ID: 35023299
How do I give you credit?
 
LVL 17

Expert Comment

by: Kvistofta
ID: 35026121
I think you have to ask an EE administrator or moderator. I dunno.

/Kvistofta
 

Author Comment

by: Aeroquinn
ID: 35217700
Resolved
