https://community.cisco.com/t5/network-security/access-inside-network-printer-from-dmz/m-p/2230156#M349944 <HTML><HEAD></HEAD><BODY><P>I will give it a try and keep you posted of the results.</P><P></P><P>d</P></BODY></HTML> Tue, 14 May 2013 18:32:52 GMT Douglas Sensenig 2013-05-14T18:32:52Z https://community.cisco.com/t5/network-security/access-inside-network-printer-from-dmz/m-p/2230154#M349941 <P>Hi</P><P></P><P>I have been spinning my wheels trying to figure out how to allow users in the DMZ, who have their own Internet connection, to access a printer on the Inside network but nothing else.</P><P></P><P>ASA software 9.1.1</P><P>DMZ: 10.10.10.0/24</P><P>DMZ interface IP: 10.10.10.1</P><P>DMZ security level: 50</P><P>Inside: 192.168.0.0/24</P><P>Inside Interface IP: 192.168.0.1</P><P>Inside Security Level: 100</P><P>Printer: 192.168.0.51/24</P><P></P><P>I created an ACL to allow the 10.10.10.0/24 subnet access to the printer (192.168.0.51). I did not include a port # in the ACL as I was unsure of the port # used by the printer. What other steps do I need to take to resolve this issue? Static NAT, port redirect,etc?</P><P></P><P>Thanks in advance for your time and help.</P><P></P><P>Douglas</P> Tue, 12 Mar 2019 01:43:10 GMT https://community.cisco.com/t5/network-security/access-inside-network-printer-from-dmz/m-p/2230154#M349941 Douglas Sensenig 2019-03-12T01:43:10Z https://community.cisco.com/t5/network-security/access-inside-network-printer-from-dmz/m-p/2230155#M349942 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am not 100% sure on your setup BUT it seems to me that you are implying the the default route for the DMZ hosts points to somewhere else than the ASA DMZ interface IP address?</P><P></P><P>I guess one option would be to NAT the "inside" printer to a "DMZ" network address.</P><P></P><P>This would essentially mean that even though DMZ hosts default gateway might be somewhere else than on the ASA, if they were actually to connect to an IP address on their directly connected network they would simply ARP for the MAC address of that destination IP address and the connection would be forwarded from the connecting host directly to the ASA.</P><P></P><P>So you could consider something like this</P><P></P><P><STRONG>object network PRINTER</STRONG></P><P><STRONG> host 192.168.0.51</STRONG></P><P><STRONG> nat (inside,dmz) static 10.10.10.51</STRONG></P><P></P><P>The NAT IP address used could naturally be something else IF the above IP address is already in use on the DMZ</P><P></P><P>Let me know if this works for you. If there is some problems we can use some commands to test if the rule works correctly or if there is some other problems.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Remember to mark the reply as the correct answer if it answered your question. And/or rate helpfull answers <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Ask more if needed</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 14 May 2013 18:22:18 GMT https://community.cisco.com/t5/network-security/access-inside-network-printer-from-dmz/m-p/2230155#M349942 Jouni Forss 2013-05-14T18:22:18Z https://community.cisco.com/t5/network-security/access-inside-network-printer-from-dmz/m-p/2230156#M349944 <HTML><HEAD></HEAD><BODY><P>I will give it a try and keep you posted of the results.</P><P></P><P>d</P></BODY></HTML> Tue, 14 May 2013 18:32:52 GMT https://community.cisco.com/t5/network-security/access-inside-network-printer-from-dmz/m-p/2230156#M349944 Douglas Sensenig 2013-05-14T18:32:52Z