Aeroquinn
asked on
ASA Config - Access Printer from DMZ to Inside Interface
Here is my current config.
Inside Interface: 192.168.0.0/24
Wireless Interface (DMZ): 192.168.2.0/24
Printer IP: 192.168.0.20/24
How can I print to a printer from the Wireless (DMZ) to the Inside interface?
hostname test-fw
domain-name abc.com
enable password cmxu3gie7plFdPq/ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan12
nameif Wireless
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd cmxu3gie7plFdPq/ encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name abc.com
same-security-traffic permit intra-interface
access-list Internet extended permit icmp any any
access-list Internet extended permit icmp any any echo-reply
access-list Internet extended permit icmp any any unreachable
access-list Internet extended permit icmp any any time-exceeded
access-list Wireless extended permit icmp any any
access-list Wireless extended permit icmp any any echo-reply
access-list Wireless extended permit icmp any any unreachable
access-list Wireless extended permit icmp any any time-exceeded
***access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any
asdm image disk0:/asdm-611.bin
no asdm history enable
global (outside) 1 interface
global (Wireless) 1 192.168.2.190-192.168.2.199 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless) 1 0.0.0.0 0.0.0.0
***static (inside,wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group Internet in interface outside
access-group Wireless in interface DMZ
crypto isakmp nat-traversal 30
http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 wireless
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside
dhcpd address 192.168.2.100-192.168.2.200 Wireless
dhcpd dns 4.2.2.1 4.2.2.2 interface Wireless
dhcpd enable Wireless
I doubt that that will work. The above configuration will NAT all traffic FROM the 192.168.0.24-address destined TO the same address, and that doesn't make sense.
Instead do this:
static (inside,dmz) 192.168.0.24 192.168.0.25 255.255.255.0
and of course
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0
Best regards
Kvistofta
ASKER
What is 192.168.0.25? I understand 0.24 is the printer IP. I thought passing from the DMZ to the Inside, the same address is used?
Sorry, typo from me. It should be
static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0
/Kvistofta
ASKER
So, this is all I need to add?
static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0
Do I need to use this statement as well:
access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any
Thanks. I will make sure you receive credit.
ASKER
How do I give you credit?
I think you have to ask an EE administrator or moderator. I dunno.
/Kvistofta
ASKER
Resolved
global (inside) 0 access-list nonat
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0
This will create a nonat from the printer to the DMZ. Apply the nonat. It then adds an ACL item to allow any wireless LAN device to connect to the printer (all open).
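
Added example (not part of the thread and not Cisco code): a small first-match evaluator for the Wireless ACL lines posted above. It shows that a destination of 192.168.0.24 with mask 255.255.255.0 covers the whole inside /24 rather than one host, and compares that with a constructed, narrower rule set. The printer address 192.168.0.20 (from the question), TCP 9100 for raw printing, the client 192.168.2.50 and all function names are assumptions.

```python
import ipaddress

def _addr(tok):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # strict=False drops host bits: 192.168.0.24 255.255.255.0 is 192.168.0.0/24
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return t[3], t[4], src, dst, port

def decide(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in map(parse, acl):
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# Lines taken from the thread.
AS_POSTED = [
    "access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0",
    "access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any",
]
# Constructed alternative (assumptions: printer 192.168.0.20, raw printing on TCP 9100).
TIGHTENED = [
    "access-list Wireless extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.20 eq 9100",
    "access-list Wireless extended deny ip any 192.168.0.0 255.255.255.0",
    "access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any",
]

if __name__ == "__main__":
    # Constructed flows from a hypothetical wireless client 192.168.2.50.
    flows = [("tcp", "192.168.2.50", "192.168.0.20", 9100),  # print job
             ("tcp", "192.168.2.50", "192.168.0.10", 445),   # other inside host
             ("udp", "192.168.2.50", "4.2.2.1", 53)]         # DNS server from the config
    for f in flows:
        print(f, decide(AS_POSTED, *f), decide(TIGHTENED, *f))
```

The evaluator models only the ACL decision; NAT or NAT exemption between inside and Wireless still has to be in place for the permitted flow to pass.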