• Status: Solved

ASA Config - Access Printer from DMZ to Inside Interface

Here is my current config.

Inside Interface: 192.168.0.0/24
Wireless Interface (DMZ): 192.168.2.0/24
Printer IP: 192.168.0.20/24

How can I print to a printer from the Wireless (DMZ) to the Inside interface?


hostname test-fw
domain-name abc.com
enable password cmxu3gie7plFdPq/ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif Wireless
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd cmxu3gie7plFdPq/ encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name abc.com

same-security-traffic permit intra-interface

access-list Internet extended permit icmp any any
access-list Internet extended permit icmp any any echo-reply
access-list Internet extended permit icmp any any unreachable
access-list Internet extended permit icmp any any time-exceeded

access-list Wireless extended permit icmp any any
access-list Wireless extended permit icmp any any echo-reply
access-list Wireless extended permit icmp any any unreachable
access-list Wireless extended permit icmp any any time-exceeded
***access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any


asdm image disk0:/asdm-611.bin
no asdm history enable

global (outside) 1 interface
global (Wireless) 1 192.168.2.190-192.168.2.199 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless) 1 0.0.0.0 0.0.0.0

***static (inside,wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group Internet in interface outside
access-group Wireless in interface DMZ

crypto isakmp nat-traversal  30

http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80

telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 wireless
telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0


dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside

dhcpd address 192.168.2.100-192.168.2.200 Wireless
dhcpd dns 4.2.2.1 4.2.2.2 interface Wireless
dhcpd enable Wireless

0
Asked by Aeroquinn
1 Solution
 
MikeKane Commented:
access-list nonat extended permit ip 192.168.0.24 255.255.255.255 192.168.0.24 255.255.255.255

global (inside) 0 access-list nonat

access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0


This will create a nonat from the printer to the DMZ. Apply the nonat. Then add an ACL item to allow any wireless LAN device to connect to the printer (all open).
0
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
I doubt that that will work. The above configuration will NAT all traffic FROM the 192.168.0.24 address destined TO the same address, and that doesn't make sense.

Instead do this:
static (inside,dmz) 192.168.0.24 192.168.0.25 255.255.255.0
and of course
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Best regards
Kvistofta
0
 
Aeroquinn (Author) Commented:
What is 192.168.0.25? I understand 0.24 is the printer IP. I thought passing from the DMZ to the Inside, the same address is used?
0

 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
Sorry, typo from me. It should be

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0

/Kvistofta



0
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
...so what I am saying is that the accepted answer is wrong because it bases its policy NAT upon an access-list that states traffic with the same IP address in both source and destination field, and that traffic could never exist.

If nat0 should be used, the access-list must be modified. Or use my static-command instead.

/Kvistofta
0
 
Aeroquinn (Author) Commented:
So, this is all I need to add?

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Do I need to use this statement as well:

access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any

Thanks. I will make sure you receive credit.

0
 
Aeroquinn (Author) Commented:
How do I give you credit?
0
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
I think you have to ask an EE administrator or moderator. I dunno.

/Kvistofta
0
 
Aeroquinn (Author) Commented:
Resolved
0
Question has a verified solution.
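
Added example, not part of the thread or any participant's post: the identity static for the printer with a port-scoped ACL, shown next to a broad "all open" rule of the kind the replies propose. It assumes the printer address given in the question (192.168.0.20; the replies use 192.168.0.24), the interface name Wireless from the posted config, the pre-8.3 static/ACL syntax that config uses, printing over TCP 9100 (raw) and TCP 515 (LPD), and a hypothetical ACL name Wireless_in.

```cisco
! Constructed example. Substitute the real printer address and printing ports.

! Identity static: the inside printer is reachable from Wireless under its
! real address. Host entry, so the mask is 255.255.255.255.
static (inside,Wireless) 192.168.0.20 192.168.0.20 netmask 255.255.255.255

! Broad form (left commented out): every protocol and port, from any source,
! to the printer.
! access-list Wireless_in extended permit ip any host 192.168.0.20

! Scoped form: only the Wireless subnet, only the printing ports.
access-list Wireless_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.20 eq 9100
access-list Wireless_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.20 eq 515

! ACLs are first-match. Deny the rest of the inside subnet before the general
! permit, otherwise "permit ip 192.168.2.0 255.255.255.0 any" also opens every
! inside host that has a static toward Wireless.
access-list Wireless_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Wireless_in extended permit ip 192.168.2.0 255.255.255.0 any

! Bind the ACL to the interface by its nameif (Wireless in the posted config).
! A new ACL name is used so these entries are not appended below the existing
! permit lines of the ACL named Wireless.
access-group Wireless_in in interface Wireless

! Verification from exec mode. 192.168.2.50 is a constructed client address.
! Expected: first trace allowed, second trace dropped by the deny entry.
packet-tracer input Wireless tcp 192.168.2.50 1025 192.168.0.20 9100
packet-tracer input Wireless tcp 192.168.2.50 1025 192.168.0.20 23
show access-list Wireless_in
```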
