Allow printing from LAN-based network printers to specific computers in DMZ

After having my previous question answered successfully:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27484317.html

I now need to allow the computers in the DMZ to print to IP printers that are on the regular network.  One of them is a Canon (192.168.128.59) and the other is an HP (192.168.128.111).  Looking at the print drivers, they are using RAW / 9100.

So far I have tried creating static ROUTEs for both printer IPs...same as was done in the initial setup in the question above.  I have also added an ASA dmz rule to allow port 9100.

What else am I missing?

Thank you!
lor1974 Asked:

Robert Sutton Jr, Senior Network Manager, Commented:
Can any of the computers in question view/discover these networked printers on the LAN? Can you post a sanitized copy of your running config?
0
lor1974 (Author) Commented:
The current setup consists of:

DMZ computer I am testing on = 192.168.100.50

The computer has the following ROUTE command for communication with a server on the network

ROUTE -p ADD 192.168.128.10 MASK 255.255.255.255 192.168.100.1
(DMZ gateway (ISA) = 192.168.100.1)

I added the same ROUTE commands for the IP addresses of the printers (59, 111)

I have the following for the ASA:

access-list dmz_inside extended permit tcp host 192.168.100.50 any eq 9100

I also have an access rule in ISA to allow all traffic between all the required systems.
0
Robert Sutton Jr, Senior Network Manager, Commented:
And you have the following command entered (I'm assuming)?
access-group DMZ_inside in interface DMZ
0
lor1974 (Author) Commented:
Yes.

It is only a question of what is needed to get the printing to work...the setup is fine otherwise.

Thanks!
0
lor1974 (Author) Commented:
I got it working by adding a static (inside,dmz) command for each printer IP and a permit ip any host rule for the printer addresses.

My concern now is that the permit ip rule is a security hole.
0

Robert Sutton Jr, Senior Network Manager, Commented:
How so? They are coming in from your trusted network (Inside).
0
lor1974 (Author) Commented:
Just a general concern that I inadvertently open a security hole since this is not my area of expertise.

Thanks
0
lor1974 (Author) Commented:
I got it working by using advice that I found in other threads.
0
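
The concern raised in the thread about the `permit ip any host` rule can be checked mechanically. The following is an added example, not part of the original thread: a Python check over ASA `access-list` lines that flags permit rules broader than one DMZ host reaching one printer on TCP 9100. The `audit` function, the sample ACL text and the rendering of the asker's `permit ip any host` rule are assumptions constructed for illustration, and only a subset of ASA ACL syntax is parsed.

```python
import re

# Constructed sample. Line 1 is the rule quoted in the thread; line 2 is an
# assumed rendering of the "permit ip any host" rule the asker describes;
# lines 3-4 are a narrower alternative limited to RAW printing.
SAMPLE_ACL = """\
access-list dmz_inside extended permit tcp host 192.168.100.50 any eq 9100
access-list dmz_inside extended permit ip any host 192.168.128.59
access-list dmz_inside extended permit tcp host 192.168.100.50 host 192.168.128.59 eq 9100
access-list dmz_inside extended permit tcp host 192.168.100.50 host 192.168.128.111 eq 9100
"""

PRINTERS = {"192.168.128.59", "192.168.128.111"}  # printer addresses from the question
RAW_PORT = "9100"                                 # RAW printing port from the question

# Subset of the extended ACL grammar: "any", "host A.B.C.D" or "A.B.C.D MASK",
# with an optional destination "eq PORT". Other forms are not matched.
ADDR = r"(any|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
RULE = re.compile(
    rf"^access-list (\S+) extended permit (\S+) {ADDR} {ADDR}(?: eq (\S+))?$"
)

def audit(acl_text, printers=PRINTERS, port=RAW_PORT):
    """Return [(line_no, [reasons])] for permit rules broader than host -> printer:port."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m:
            continue  # deny rules, remarks and unsupported syntax are skipped
        _, proto, src, dst, dport = m.groups()
        reasons = []
        if proto == "ip":
            reasons.append("protocol 'ip' allows every protocol and port")
        elif proto != "tcp" or dport != port:
            reasons.append(f"not limited to tcp/{port}")
        if not src.startswith("host "):
            reasons.append("source is not a single DMZ host")
        if not (dst.startswith("host ") and dst.split()[1] in printers):
            reasons.append("destination is not limited to a printer address")
        if reasons:
            findings.append((n, reasons))
    return findings

if __name__ == "__main__":
    for line_no, reasons in audit(SAMPLE_ACL):
        print(f"line {line_no}: " + "; ".join(reasons))
```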