?
Solved

ASA Config - Access Printer from DMZ to Inside Interface

Posted on 2011-03-02
10
Medium Priority
?
1,184 Views
Last Modified: 2012-05-11
Here is my current config.

Inside Interface: 192.168.0.0/24
Wireless Interface (DMZ): 192.168.2.0/24
Printer IP: 192.168.0.20/24

How can I print to a printer from the Wireless (DMZ) to the Inside interface?


hostname test-fw
domain-name abc.com
enable password cmxu3gie7plFdPq/ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif Wireless
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd cmxu3gie7plFdPq/ encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name abc.com

same-security-traffic permit intra-interface

access-list Internet extended permit icmp any any
access-list Internet extended permit icmp any any echo-reply
access-list Internet extended permit icmp any any unreachable
access-list Internet extended permit icmp any any time-exceeded

access-list Wireless extended permit icmp any any
access-list Wireless extended permit icmp any any echo-reply
access-list Wireless extended permit icmp any any unreachable
access-list Wireless extended permit icmp any any time-exceeded
***access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any


asdm image disk0:/asdm-611.bin
no asdm history enable

global (outside) 1 interface
global (Wireless) 1 192.168.2.190-192.168.2.199 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless) 1 0.0.0.0 0.0.0.0

***static (inside,wireless) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

access-group Internet in interface outside
access-group Wireless in interface DMZ

crypto isakmp nat-traversal  30

http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80

telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 wireless
telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0


dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside

dhcpd address 192.168.2.100-192.168.2.200 Wireless
dhcpd dns 4.2.2.1 4.2.2.2 interface Wireless
dhcpd enable Wireless

0
Comment
Question by:Aeroquinn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
10 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 35018192
access-list nonat extended permit ip 192.168.0.24 255.255.255.255 192.168.0.24 255.255.255.255

global (inside) 0 access-list nonat

access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0


This will create a nonat from the printer to the DMZ.   Apply the nonat.  Then adds an ACL item to allow any wireless lan device to connect to the printer (all open).
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35018402
I doubt that that will work. The above configuration will NAT all traffic FROM the 192.168.0.24-address destined TO the same addess, and that doesnt make sense.

Instead do this:
static (inside,dmz) 192.168.0.24 192.168.0.25 255.255.255.0
and of course
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Best regards
Kvistofta
0
 

Author Comment

by:Aeroquinn
ID: 35018507
What is 192.168.0.25? I understand 0.24 is the printer IP. I thought passing from the DMZ to the Inside, the same address is used?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 17

Expert Comment

by:Kvistofta
ID: 35018566
Sorry, typo from me. It should be

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0

/Kvistofta



0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 2000 total points
ID: 35018588
...so what I am saying is that the accepted  answer is wrong because it bases its policy NAT upon an access-list that states traffic with the same ip address in both source and destination field, and that traffic could never exist.

If nat0 should be used, the access-list must be modified. Or use my static-command instead.

/Kvistofta
0
 

Author Comment

by:Aeroquinn
ID: 35018660
So, this is all I need to add?

static (inside,dmz) 192.168.0.24 192.168.0.24 255.255.255.0
access-list Wireless extended permit ip any 192.168.0.24 255.255.255.0

Do I need to use this statement as well:

access-list Wireless extended permit ip 192.168.2.0 255.255.255.0 any

Thanks. I will make sure you receive credit.

0
 

Author Comment

by:Aeroquinn
ID: 35023299
How do I give you credit
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35026121
I think you have to ask an EE administrator or moderator. I dunno.

/Kvistofta
0
 

Author Comment

by:Aeroquinn
ID: 35217700
Resolved
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question