• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1195
  • Last Modified:

ASA Config - Access Printer from DMZ to Inside Interface

Here is my current config.

Inside Interface: 192.168.0.0/24
Wireless Interface (DMZ): 192.168.2.0/24
Printer IP: 192.168.0.20/24

How can I print to a printer from the Wireless (DMZ) to the Inside interface?


hostname test-fw
domain-name abc.com
enable password cmxu3gie7plFdPq/ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif Wireless
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd cmxu3gie7plFdPq/ encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name abc.com

same-security-traffic permit intra-interface

access-list Internet extended permit icmp any any
access-list Internet extended permit icmp any any echo-reply
access-list Internet extended permit icmp any any unreachable
access-list Internet extended permit icmp any any time-exceeded

access-list Wireless extended permit icmp any any
access-list Wireless extended permit icmp any any echo-reply
access-list Wireless extended permit icmp any any unreachable
access-list Wireless extended permit icmp any any time-exceeded
***access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any


asdm image disk0:/asdm-611.bin
no asdm history enable

global (outside) 1 interface
global (Wireless) 1 192.168.2.190-192.168.2.199 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless) 1 0.0.0.0 0.0.0.0

***static (inside,wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group Internet in interface outside
access-group Wireless in interface DMZ

crypto isakmp nat-traversal  30

http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80

telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 wireless
telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0


dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside

dhcpd address 192.168.2.100-192.168.2.200 Wireless
dhcpd dns 4.2.2.1 4.2.2.2 interface Wireless
dhcpd enable Wireless

0
Aeroquinn
Asked:
Aeroquinn
  • 4
  • 4
1 Solution
 
MikeKaneCommented:
access-list nonat extended permit ip 192.168.0.24 255.255.255.255 192.168.0.24 255.255.255.255

global (inside) 0 access-list nonat

access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0


This will create a nonat from the printer to the DMZ.   Apply the nonat.  Then adds an ACL item to allow any wireless lan device to connect to the printer (all open).
0
 
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
I doubt that that will work. The above configuration will NAT all traffic FROM the 192.168.0.24-address destined TO the same addess, and that doesnt make sense.

Instead do this:
static (inside,dmz) 192.168.0.24 192.168.0.25 255.255.255.0
and of course
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Best regards
Kvistofta
0
 
AeroquinnAuthor Commented:
What is 192.168.0.25? I understand 0.24 is the printer IP. I thought passing from the DMZ to the Inside, the same address is used?
0
Rewarding opportunities for women in IT

Across the nation, technology jobs are vacant because there aren’t enough qualified professionals to fill them. With a degree from WGU, you can get the credentials it takes to become an in-demand IT professional. Plus, WGU’s IT programs include industry certifications.

 
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
Sorry, typo from me. It should be

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0

/Kvistofta



0
 
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
...so what I am saying is that the accepted  answer is wrong because it bases its policy NAT upon an access-list that states traffic with the same ip address in both source and destination field, and that traffic could never exist.

If nat0 should be used, the access-list must be modified. Or use my static-command instead.

/Kvistofta
0
 
AeroquinnAuthor Commented:
So, this is all I need to add?

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Do I need to use this statement as well:

access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any

Thanks. I will make sure you receive credit.

0
 
AeroquinnAuthor Commented:
How do I give you credit
0
 
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
I think you have to ask an EE administrator or moderator. I dunno.

/Kvistofta
0
 
AeroquinnAuthor Commented:
Resolved
0

Featured Post

Exciting career futures for women in IT

Education has the power to transform lives and open the door to new career opportunities. By earning an IT degree from WGU, you can become a highly skilled IT professional. Get the credentials and certifications you need to become a leader in this rewarding field.  

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now