YMartin

asked on

ASA 5505 NAT traffic coming in from the VPN from one LAN ip to another

We have an ASA 5505.  We have a server at a remote site printing to a printer on the LAN across the VPN.  It is printing fine; however, due to limitations in the software I need 2 different printer IP addresses on the LAN in order to print all document types.  Rather than have 2 printers I would like to use the ASA 5505 to NAT a 2nd IP address over to the same printer, thereby making the server on the remote LAN believe there are 2 printers at different IP addresses, when in actuality there is just the one printer.

On the ASA I created a static NAT rule on the inside interface and entered the IP addresses; however, there appears to be an exemption for the VPN traffic, so the NAT is not being applied.

Does anyone know if what I ask is possible and how to go about NATing the incoming VPN traffic?  I was using ASDM to configure the rule.
kevinhsieh

The printer would need to be able to listen on a second IP address and/or port. I doubt that it can. However, with Windows you can set up multiple printers that go to the same physical print device. You create a new printer/print queue, tell it to go to the same printer port, and change the print settings as needed for the other types of documents. We do this all the time with color copiers, where we have one shared printer that is color and another that is black and white, and they go to the same device.
Are you using an ASA at both sites? And which version of ASA are you running (older than 8.3, or 8.3 and above)?

I'd be glad to show you how the NATing over the VPN will be done via ASDM once I get a picture of which device you are using (for the remote site and the local site) and which software version, since NATing on the ASA is different for pre-8.3 and 8.3 and above.
YMartin

ASKER

I only have direct access to the ASA at the site with the printer which is running ASDM 5.2.

On Windows Server I would be limited to the number of NICs on the server.  While I may be able to set this up using Windows as a proxy, the ASA would be more ideal.

The ASA should, upon receiving a packet off the VPN destined for .50, change the destination to .51.  The reply packets going back out the VPN from the printer should also come from .50, not .51.

I could SSH onto the ASA if needed; however, I usually work with ASDM for NAT/ACL.

Remember there will be legitimate traffic going to .51 as well which should not be affected by the NAT.
I still believe that the ASA is the wrong place to try to do this. If the server and physical print device were on the same LAN how would we do this? I say the answer is multiple logical printers using the same port, unless I am totally misunderstanding the goal.

See https://social.technet.microsoft.com/forums/windowsserver/en-US/c7e10a19-288c-4a53-9e01-6d7a4274f1ce/multiple-ports-for-same-ip-address-print-device
YMartin

ASKER

Thanks for the help so far.

The printers are printed to based on IP address, not printer share name.  I am not saying that it would not work; however, there are quite a few other factors which come into play using Windows Server, which is why I was leaning towards the ASA solution.

The software (out of my control) is printing to the IP directly.  Using Windows Server, I believe I would need to ensure that the print server role is answering correctly on the IP of one of the server NICs, and I would be limited to the NICs on the server.  If the software printed to shared printers on the server there would be no issue; however, we are told IP address is the only option, so my options are to provide them 2 IP addresses and manage NAT on my end, or get 2 printers.  They must have 2 IP addresses for the 2 types of documents they are printing.

They are loading the printer driver into their system and printing directly to the printer.
ASKER CERTIFIED SOLUTION
kevinhsieh
YMartin

ASKER

Could the ASA listen for inbound traffic to 192.168.1.50 off the VPN and translate all packets over to 192.168.1.51 and possibly change the source IP to something else and then a 2nd rule to listen for packets sent to the altered source IP (ASA IP?) and NAT it back to the original sender and change the source IP back to 192.168.1.50?

That is kind of what I was thinking.  Based on my understanding of NAT this should be possible.