topic ASA Help With NAT for Printer in Network Security

ASA Help With NAT for Printer

rschember1 — Fri, 18 Oct 2024 17:32:24 GMT

I have a Guest network for internet access for guests and an Inside network. I would like the Guest network to be able to access a printer on the Inside network.

I have the following configuration:

object-group network Guest_Network_Printers
network-object host 10.10.50.55

object network Guest_Network_DHCP_Pool
range 10.20.30.101 10.20.30.254

access-list ACL_Guest extended permit ip object Guest_Network_DHCP_Pool object-group Guest_Network_Printers
access-list ACL_Guest extended deny ip any 10.10.50.0 255.255.255.0
access-list ACL_Guest extended permit ip any any

access-group ACL_Guest in interface Guest

This works fine. I'm able to ping 10.10.50.55 from the 10.20.30.101-254 range while keeping all other 10.10.50.0 devices restricted.

Now what I would like to do is set up a NAT from 10.20.30.55 to 10.10.50.55 so that this "fake" 10.20.30.55 IP can be used for printing from the Guest network. This will allow Windows to automatically detect the printer -- it currently does not detect it because it's not on the same subnet. I can add it manually, but that's not ideal.

How do I set up this translation?

Re: [Delete please]

Flavio Miranda — Fri, 18 Oct 2024 17:21:51 GMT

@rschember1

Static NAT.

Cisco ASA Static NAT Configuration (networklessons.com)

Re: [Delete please]

Aref Alsouqi — Fri, 18 Oct 2024 17:23:10 GMT

object-group network Guest_Network_Printers
network-object host 10.10.50.55
nat (inside,Guest) static 10.20.30.55

This should work. Alternatively you can add a manual static NAT similar to this:

object-group network Guest_Network_Printers_NAT
network-object host 10.20.30.55

nat (inside,Guest) source static Guest_Network_Printers Guest_Network_Printers_NAT destination static Guest_Network_DHCP_Pool Guest_Network_DHCP_Pool

I would also recommend denying the whole RFC1918 range for the guest network if possible rather than just the defined internal network 10.10.50.0/24.

Re: [Delete please]

rschember1 — Fri, 18 Oct 2024 18:53:37 GMT

@Aref Alsouqi - This worked perfectly, thank you!

I did have to create a network object for the NAT - I couldn't do it directly in the object group. And thank you for the tip on the RFC1918 range. This is the final working configuration:

object network obj-10.10.50.55-GuestNAT
host 10.10.50.55

object network obj-10.10.50.55-GuestNAT
nat (inside,Guest) static 10.20.30.55

object-group network Guest_Network_Printers
network-object object obj-10.10.50.55-GuestNAT

object network Guest_Network_DHCP_Pool
range 10.20.30.101 10.20.30.254

access-list ACL_Guest extended permit ip object Guest_Network_DHCP_Pool object-group Guest_Network_Printers
access-list ACL_Guest extended deny ip any 10.0.0.0 255.0.0.0
access-list ACL_Guest extended deny ip any 172.16.0.0 255.240.0.0
access-list ACL_Guest extended deny ip any 192.168.0.0 255.255.0.0
access-list ACL_Guest extended permit ip any any

access-group ACL_Guest in interface Guest

Re: [Delete please]

Aref Alsouqi — Fri, 18 Oct 2024 21:08:53 GMT

You are very welcome, and you’re right, I should’ve paid more attention when I copied/pasted the config snippet as the NAT statement goes under the network object not the object group as you figured out. Sorry about that.