Needing to send print jobs to internal LAN from DMZ

I have done this before, but I cannot find my mistake in the configuration.

I am trying to have a printer on the Internal LAN of our network setup so that those workstations on a DMZ LAN can print to it.  That is all I want them to have access to.

I tried the configuration below, but it is not working.  What am I not seeing or missing?

Thank you in advance.
Jeff



interface GigabitEthernet0/1.10
 description Workforce Development Training Rooms
 vlan 10
 nameif GK-WFD
 security-level 50
 ip address 10.0.21.10 255.255.255.0
!
interface GigabitEthernet0/1.21
 description VLAN subinterface for RO Office
 vlan 21
 nameif GK-Systems
 security-level 100
 ip address 172.21.1.10 255.255.0.0



object network GK-CPY-RO-2
 host 172.21.21.6
 description This is the Ricoh Copier on the 3rd floor of the Regional Office
object network GK-CPY-RO-2-DMZ
 host 10.0.21.33
 description This is the DMZ PAT IP address for the Training room to print to Ricoh on 3rd Floor


access-list GKY-WFD-PRINTING extended permit ip object GKY-CPY-LOURO-2 object GKY-CPY-LOURO-2-DMZ

object network GKY-CPY-RO-2
 nat (GK-Systems,GK-WFD) static GKY-CPY-RO-2-DMZ
Asked by jgrammer42
Pete Long (Technical Consultant) Commented:
GKY-CPY-LOURO-2: You have not told us what this is. I assume it's the host(s) that want to print?

Your ACL allows access to -> GKY-CPY-LOURO-2-DMZ

Two problems. ONE: this is not the NAT object you created; that's GK-CPY-RO-2-DMZ?

TWO: You allow traffic to the translated IP anyway, your ACL should look like:

!
access-list GKY-WFD-PRINTING extended permit ip object GKY-CPY-LOURO-2 object GK-CPY-RO-2
!
access-group GKY-WFD-PRINTING in interface GK-WFD
!

WARNING: before executing the access-group command, read my warning here.
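
As an added example (not part of the answer above or of the original thread), a small Python check for the problems it names: ACL or NAT references to objects that were never defined with a host, an ACL whose destination is the NAT-mapped object instead of the real one, and an ACL that is never bound with access-group. The finding codes and the minimal parser are assumptions for illustration, and it only understands the line shapes that appear in this thread.

```python
import re

# Constructed sample: object, ACL and NAT lines from the question as first posted.
SAMPLE = """\
object network GK-CPY-RO-2
 host 172.21.21.6
object network GK-CPY-RO-2-DMZ
 host 10.0.21.33
access-list GKY-WFD-PRINTING extended permit ip object GKY-CPY-LOURO-2 object GKY-CPY-LOURO-2-DMZ
object network GKY-CPY-RO-2
 nat (GK-Systems,GK-WFD) static GKY-CPY-RO-2-DMZ
"""

def lint_asa(config):
    """Return (code, name) findings for an object/ACL/NAT snippet (hypothetical codes)."""
    hosts, nats, acls, applied = {}, [], [], set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"host (\S+)", line)) and current:
            hosts[current] = m.group(1)          # object has an address, so it is defined
        elif (m := re.match(r"nat \(\S+\) static (\S+)", line)) and current:
            nats.append((current, m.group(1)))   # (real object, mapped object)
        elif m := re.match(r"access-list (\S+) extended permit", line):
            acls.append((m.group(1), re.findall(r"\bobject (\S+)", line)))
        elif m := re.match(r"access-group (\S+) in interface", line):
            applied.add(m.group(1))
    mapped = {mapped_obj for _, mapped_obj in nats}
    findings = []
    referenced = [o for _, objs in acls for o in objs] + [o for pair in nats for o in pair]
    for name in dict.fromkeys(referenced):       # de-duplicate, keep first-seen order
        if name not in hosts:
            findings.append(("undefined-object", name))
    for acl, objs in acls:
        if objs and objs[-1] in mapped:          # destination is the translated address
            findings.append(("acl-dst-is-mapped", acl))
        if acl not in applied:
            findings.append(("acl-not-applied", acl))
    return findings

if __name__ == "__main__":
    for code, name in lint_asa(SAMPLE):
        print(f"{code}: {name}")
```
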
Member_8093523 Commented:
Hi,
For security reasons I would not give the DMZ access to the LAN, even for only print jobs.
Why not connect your printer to the DMZ and give your LAN access to the printer? This is only an outgoing connection.
With a bit of development know-how you could also leave your printer in the LAN and let your workstations in the DMZ print to file.
A job executed from the LAN checks for print files and sends these files to the printer for real printing.
BR,
Andre
jgrammer42 (Author) Commented:
Pete Long,
Please forgive me. I had meant to edit that config snippet before posting, because I had done a cut & paste and had accidentally done a search and replace for security reasons, and it replaced an invalid entry.

Here is the REAL config snippet.

interface GigabitEthernet0/1.10
 description Workforce Development Training Rooms
 vlan 10
 nameif GK-WFD
 security-level 50
 ip address 10.0.21.10 255.255.255.0
!
interface GigabitEthernet0/1.21
 description VLAN subinterface for RO Office
 vlan 21
 nameif GK-Systems
 security-level 100
 ip address 172.21.1.10 255.255.0.0



object network GK-CPY-RO-2
 host 172.21.21.6
 description This is the Ricoh Copier on the 3rd floor of the Regional Office
object network GK-CPY-RO-2-DMZ
 host 10.0.21.33
 description This is the DMZ PAT IP address for the Training room to print to Ricoh on 3rd Floor


access-list GK-WFD-PRINTING extended permit ip object GK-CPY-LOURO-2 object GK-CPY-LOURO-2-DMZ

object network GK-CPY-RO-2
 nat (GK-Systems,GK-WFD) static GK-CPY-RO-2-DMZ
jgrammer42 (Author) Commented:
I was able to get this up and running. Thank you.
Question has a verified solution.
