ASA 5505 NAT traffic coming in from the VPN from one LAN ip to another

We have an ASA 5505.  We have a server at a remote site printing to a printer on the LAN across the VPN.  It is printing fine however due to limitations in the software I need 2 different printer IP addresses on the LAN in order to print all document types.  Rather than have 2 printers I would like to use the ASA5505 to NAT a 2nd IP address over to the same printer thereby making the server on the remote LAN believe there are 2 printers at different IP addresses however in actuality there is just the one printer.

On the asa I created a static NAT rule on the inside interface and entered the ip addresses however there appears to be an exemption for the VPN traffic so the NAT is not being applied.

Does anyone know if what I ask is possible and how to go about Natting the incoming VPN traffic?  I was using ASDM to configure the rule.
LVL 2
YMartinAsked:
Who is Participating?
 
kevinhsiehCommented:
Okay, that sucks. The idea is to make one physical print device look like more than one printer to your software, correct?  The only way to do that is if the network on the interface on the print device can support some sort of multiple personalities be either listening on multiple ports, use multiple IP addresses, or use multiple queue names. The ASA can't make a single IP address/port look like two IP address/port pairs. It just can't, not connecting to the same device on the other side of that NAT.
0
 
kevinhsiehCommented:
The printer would need to be able to listen on a second IP address and or port. I doubt that it can. However, with Windows you can setup multiple printers that go to the same physical print device. You create a new printer/print queue, tell it to go to the same printer port, and change the print settings as needed for the other types of documents. We do this all the time with color copiers where we have one shared printer that is color, another that is black and white, and they go to the same device.
0
 
ffleismaSenior Network EngineerCommented:
Are you using ASA on both sites? And which of ASA are you running (older than 8.3/8.3 and above)?

be glad to show you how the NATing over the VPN will be done via ASDM once I get a picture of which device you are using (for remote site and local site) and which software version, since NATing on the ASA will be different for pre 8.3 and 8.3 above.
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

 
YMartinAuthor Commented:
I only have direct access to the ASA at the site with the printer which is running ASDM 5.2.

On windows server I would be limited to the number of NICs on the server.  While I may be able to set this up using windows as a proxy the ASA would be more ideal.

The ASA should upon receiving a packet off the VPN destined for .50 change the destination to .51.  If the reply packets going back out the VPN from the printer should also come from .50 not .51

I could SSH onto the ASA if needed however I usually work with ASDM for NAT/ACL

Remember there will be legitimate traffic going to .51 as well which should not be affected by the NAT.
nat.png
asdm.png
0
 
kevinhsiehCommented:
I still believe that the ASA is the wrong place to try to do this. If the server and physical print device were on the same LAN how would we do this? I say the answer is multiple logical printers using the same port, unless I am totally misunderstanding the goal.

See https://social.technet.microsoft.com/forums/windowsserver/en-US/c7e10a19-288c-4a53-9e01-6d7a4274f1ce/multiple-ports-for-same-ip-address-print-device
0
 
YMartinAuthor Commented:
Thanks for the help so far.

The printers are printed to based on IP address not printer share name.  I am not saying that it would not work however there are quite a few other factors which come into play using Windows Server which is why I was leaning towards the ASA solution.  

The software (out of my control) is printing to the IP directly.  Using Windows server I believe I would need to either ensure that the print server role is answering correctly on the IP of one of the server nics and I would be limited to the NICs on the server.  If the software printed to shared printers on the server there would be no issue however we are told IP address is the only option so my options are to provide them 2 ip addresses and manage NAT on my end or get 2 printers.  They must have 2 ip addresses for the 2 types of documents they are printing.  

They are loading the printer driver into their system and printing directly to the printer.
0
 
YMartinAuthor Commented:
Could the ASA listen for inbound traffic to 192.168.1.50 off the VPN and translate all packets over to 192.168.1.51 and possibly change the source IP to something else and then a 2nd rule to listen for packets sent to the altered source IP (ASA IP?) and NAT it back to the original sender and change the source IP back to 192.168.1.50?

That is kind of what I was thinking.  Based on my understanding of NAT this should be possible.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.