Needing to send print jobs to internal LAN from DMZ

I have done this before, but I cannot find my mistake in the configuration.

I am trying to have a printer on the Internal LAN of our network setup so that those workstations on a DMZ LAN can print to it.  That is all I want them to have access to.

I tried the configuration below, but it is not working.  What am I not seeing or missing?

Thank you in advance.
Jeff



interface GigabitEthernet0/1.10
 description Workforce Development Training Rooms
 vlan 10
 nameif GK-WFD
 security-level 50
 ip address 10.0.21.10 255.255.255.0
!
interface GigabitEthernet0/1.21
 description VLAN subinterface for RO Office
 vlan 21
 nameif GK-Systems
 security-level 100
 ip address 172.21.1.10 255.255.0.0



object network GK-CPY-RO-2
 host 172.21.21.6
 description This is the Ricoh Copier on the 3rd floor of the Regional Office
object network GK-CPY-RO-2-DMZ
 host 10.0.21.33
 description This is the DMZ PAT IP address for the Training room to print to Ricoh on 3rd Floor


access-list GKY-WFD-PRINTING extended permit ip object GKY-CPY-LOURO-2 object GKY-CPY-LOURO-2-DMZ

object network GKY-CPY-RO-2
 nat (GK-Systems,GK-WFD) static GKY-CPY-RO-2-DMZ
jgrammer42 Asked:

Member_8093523 Commented:
Hi,
For security reasons I would not give the DMZ access to the LAN, even for only print jobs.
Why not connect your printer to the DMZ and give your LAN access to the printer? This is only an outgoing connection.
With a bit of development know-how you could also leave your printer in the LAN and let your workstations in the DMZ print to file.
A job executed from the LAN checks for print files and sends these files to the printer for real printing.
br
Andre
Pete Long, Technical Consultant, Commented:
GKY-CPY-LOURO-2: you have not told us what this is; I assume it's the host(s) that want to print?

Your ACL allows access to -> GKY-CPY-LOURO-2-DMZ

Two problems. ONE, this is not the NAT object you created; that's GK-CPY-RO-2-DMZ?

TWO, you allow traffic to the translated IP anyway; your ACL should look like:

!
access-list GKY-WFD-PRINTING extended permit ip object GKY-CPY-LOURO-2 object GK-CPY-RO-2
!
access-group GKY-WFD-PRINTING in interface GK-WFD
!

WARNING: before executing the access-group command, read my warning here.
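As an added example (not from the question or from the answers), a small Python linter that catches both problems the answer above points out: object names referenced by the ACL or NAT lines that no `object network` defines, and an ACL that permits traffic to the translated object rather than the real one. The two sample configs are constructed from the snippet in the question; `GK-WFD-CLIENTS` is an assumed name for the training-room hosts.

```python
import re
# Constructed sample (the question's snippet): the ACL and NAT use "GKY-"/"LOURO" names no object defines.
BROKEN = """\
object network GK-CPY-RO-2
 host 172.21.21.6
object network GK-CPY-RO-2-DMZ
 host 10.0.21.33
access-list GKY-WFD-PRINTING extended permit ip object GKY-CPY-LOURO-2 object GKY-CPY-LOURO-2-DMZ
object network GKY-CPY-RO-2
 nat (GK-Systems,GK-WFD) static GKY-CPY-RO-2-DMZ
"""
# Constructed fix per the answer: ACL to the REAL copier object; GK-WFD-CLIENTS is an assumed source object.
FIXED = """\
object network GK-CPY-RO-2
 host 172.21.21.6
object network GK-CPY-RO-2-DMZ
 host 10.0.21.33
object network GK-WFD-CLIENTS
 subnet 10.0.21.0 255.255.255.0
access-list GK-WFD-PRINTING extended permit ip object GK-WFD-CLIENTS object GK-CPY-RO-2
object network GK-CPY-RO-2
 nat (GK-Systems,GK-WFD) static GK-CPY-RO-2-DMZ
"""

def parse(config):
    # Returns (objects: name -> address or None, object names used in ACLs, [(real, mapped)] static NATs)
    objects, acl_refs, nats, current = {}, [], [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:  # indented line: attribute of the current object
            if m := re.match(r"\s+(?:host|subnet|range) (.+)", raw):
                objects[current] = m.group(1).strip()
            elif m := re.match(r"\s+nat \(\S+,\S+\) static (\S+)", raw):
                nats.append((current, m.group(1)))
        elif m := re.match(r"object network (\S+)$", raw):
            current = m.group(1)
            objects.setdefault(current, None)  # re-entering an object keeps its address
        else:
            current = None
            if raw.startswith("access-list "):
                acl_refs.extend(re.findall(r"\bobject (\S+)", raw))
    return objects, acl_refs, nats

def lint(config):
    """Findings as strings; an empty list means every reference resolves as intended."""
    objects, acl_refs, nats = parse(config)
    translated = {mapped for _, mapped in nats}
    refs = [("ACL", n) for n in acl_refs]
    refs += [(k, n) for real, mapped in nats for k, n in (("NAT real", real), ("NAT mapped", mapped))]
    findings = [f"{k} object {n!r} has no address defined" for k, n in refs if objects.get(n) is None]
    findings += [f"ACL references translated object {n!r}; use the real object" for n in acl_refs if n in translated]
    return findings
```

Running `lint(BROKEN)` reports the two undefined ACL objects plus the NAT applied to an object with no address and mapped to an undefined one, while `lint(FIXED)` returns nothing.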
jgrammer42 (Author) Commented:
Pete Long,
Please forgive me, I had meant to edit that config snippet before posting; I had done a cut & paste and accidentally done a search and replace for security reasons, and it replaced an invalid entry.

Here is the REAL config snippet.

interface GigabitEthernet0/1.10
 description Workforce Development Training Rooms
 vlan 10
 nameif GK-WFD
 security-level 50
 ip address 10.0.21.10 255.255.255.0
!
interface GigabitEthernet0/1.21
 description VLAN subinterface for RO Office
 vlan 21
 nameif GK-Systems
 security-level 100
 ip address 172.21.1.10 255.255.0.0



object network GK-CPY-RO-2
 host 172.21.21.6
 description This is the Ricoh Copier on the 3rd floor of the Regional Office
object network GK-CPY-RO-2-DMZ
 host 10.0.21.33
 description This is the DMZ PAT IP address for the Training room to print to Ricoh on 3rd Floor


access-list GK-WFD-PRINTING extended permit ip object GK-CPY-LOURO-2 object GK-CPY-LOURO-2-DMZ

object network GK-CPY-RO-2
 nat (GK-Systems,GK-WFD) static GK-CPY-RO-2-DMZ
jgrammer42 (Author) Commented:
I was able to get this up and running. Thank you.