ASA 5506 How use an printer from an different VLAN

Robbert Tol
Level 1

Hello,

I'm stuck and don't know where to start.

I have a Cisco ASA5506X with 4 VLANs with different security levels.

VLAN 10  192.168.230.x/24  security level 100
VLAN 2   192.168.2.x/24    security level 70
VLAN 3   192.168.3.x/24    security level 50

In VLAN 10 I have a printer (192.168.230.10).

What I want is that the users/hosts who are in VLAN 2 and 3 can also print to this printer.

The ASA5506X is running v9.8.

The switch I'm using is a 2960 Layer 2. The printer is connected to an access port and the ASA to a trunk.

I don't know how to accomplish this. Please advise.


Seb Rupik
VIP Alumni

Hi there,

Since VLANs 2 and 3 are at a lower security level you need to explicitly permit traffic from those subnets to the printer.

Without having sight of your full config I have made some assumptions in the following config, but it should be easy to follow and re-edit to suit your existing setup:

!
int vlan2
  nameif VLAN2
!
int vlan3
  nameif VLAN3
!
access-list VLAN2_IN extended permit 192.168.2.0 255.255.255.0 host 192.168.230.10
!
!
access-list VLAN3_IN extended permit 192.168.3.0 255.255.255.0 host 192.168.230.10
!
access-group VLAN2_IN in interface VLAN2
access-group VLAN3_IN in interface VLAN3
!

Please share the full ASA config if you are not sure.

cheers,

Seb.

interface GigabitEthernet1/1
 description WAN Interface
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 description LAN Interface
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.1
 vlan 10
 nameif vlan10
 security-level 100
 ip address 192.168.230.254 255.255.255.0
!
interface GigabitEthernet1/2.2
 vlan 2
 nameif VLAN2
 security-level 75
 ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet1/2.3
 vlan 3
 nameif VLAN3
 security-level 50
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Mailserver
 host 192.168.230.2
 description Exchange Server VLAN1 Interface
object service HTTPS
 service tcp source eq https
object service SMTP
 service tcp source eq smtp
object network Printer_Boven
 host 192.168.230.10
 description Samsung Color Printer
object network VLAN10_Subnet
 subnet 192.168.230.0 255.255.255.0
object network VLAN2_Subnet
 subnet 192.168.3.0 255.255.255.0
object network VLAN3_Subnet
 subnet 192.168.2.0 255.255.255.0
object-group service Mailserver_Services
 service-object tcp destination eq smtp
 service-object tcp destination eq https
access-list outside_inside extended permit icmp any any echo
access-list outside_inside extended permit udp any any range 33434 33523
access-list outside_inside extended permit icmp any any time-exceeded
access-list outside_inside extended permit icmp any any source-quench
access-list outside_inside extended permit icmp any any echo-reply
access-list outside_inside extended permit icmp any any unreachable
access-list outside_in extended permit tcp any object Mailserver_LAN eq smtp
access-list outside_in extended permit tcp any object Mailserver_LAN eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu vlan10 1500
mtu VLAN2 1500
mtu VLAN3 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (vlan10,outside) source static Mailserver_LAN interface service SMTP SMTP
nat (vlan10,outside) source static Mailserver_LAN interface service HTTPS HTTPS
!
nat (vlan10,outside) after-auto source dynamic any interface
nat (VLAN2,outside) after-auto source dynamic any interface
nat (VLAN3,outside) after-auto source dynamic any interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable 8443
http 192.168.230.0 255.255.255.0 vlan10
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 enable outside client-services port 444
telnet timeout 5
no ssh stricthostkeycheck
ssh 83.98.239.41 255.255.255.255 outside
ssh 192.168.230.0 255.255.255.0 vlan10
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.3.1-192.168.3.250 VLAN2
dhcpd dns 8.8.8.8 8.8.4.4 interface VLAN2
dhcpd domain fpfinance.local interface VLAN2
dhcpd option 3 ip 192.168.3.254 interface VLAN2
dhcpd enable VLAN2
!
dhcpd address 192.168.2.1-192.168.2.250 VLAN3
dhcpd dns 8.8.8.8 8.8.4.4 interface VLAN3
dhcpd domain events2move.local interface VLAN3
dhcpd option 3 ip 192.168.2.254 interface VLAN3
dhcpd enable VLAN3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 444
 enable outside
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username admin password ******************************** privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Make sure the switch port going to the firewall is a trunk.
!
SW
!
interface gigx/x
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
!
----------------------------------

ASA
!
interface gig1/1
 no shut
!
interface gig1/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.230.x 255.255.255.0
!
interface gig1/1.2
 vlan 2
 nameif dmz1
 security-level 50
 ip address 192.168.2.x 255.255.255.0
!
interface gig1/1.3
 vlan 3
 nameif dmz2
 security-level 50
 ip address 192.168.3.x 255.255.255.0
!
same-security-traffic permit inter-interface
!
access-list DMZ1_IN extended permit ip 192.168.2.0 255.255.255.0 host 192.168.230.X
!
access-list DMZ2_IN extended permit ip 192.168.3.0 255.255.255.0 host 192.168.230.X
!
access-group DMZ1_IN in interface dmz1
access-group DMZ2_IN in interface dmz2

Please do not forget to rate.

When I try to add the access-list commands, it seems that they are not complete?

Access-list VLAN2_IN extended permit 192.168.3.0 255.255.255.0 host 192.168.230.10
                                     ^
ERROR: % Invalid input detected at '^' marker.

Typo! :) add 'ip':

access-list VLAN2_IN extended permit ip 192.168.3.0 255.255.255.0 host 192.168.230.10
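
As an added example, not from the thread or from Cisco, here is a small Python model of the decision the ASA makes in this thread, so the fix can be checked before it is typed in: it parses extended ACEs (rejecting a line without the protocol keyword, as the ASA did above), applies the default higher-to-lower security-level rule when no ACL is bound, and lets a bound ACL decide, implicit deny included. Interface names, security levels, subnets and the printer address follow the question and the posted config (VLAN2 carries 192.168.3.0/24); the host addresses and the 198.51.100.7 Internet destination are constructed.

```python
import ipaddress
import re
# Security levels as the question states them; "outside" (0) comes from the posted config.
INTERFACES = {"outside": 0, "vlan10": 100, "VLAN2": 70, "VLAN3": 50}
_ADDR = r"(?:any|host \S+|\S+ \S+)"
_ACE = re.compile(rf"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) "
                  rf"(?P<proto>ip|tcp|udp|icmp) (?P<src>{_ADDR}) (?P<dst>{_ADDR})$", re.I)

def _to_net(spec):
    """ASA address spec (any | host A | NET MASK) -> ip_network."""
    if spec.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.lower().startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    net, mask = spec.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

def parse_ace(line):
    """Parse one extended ACE; a line without the protocol keyword (the typo
    in the thread) is rejected the way the ASA CLI rejects it."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError("ERROR: % Invalid input detected at '^' marker: " + line)
    return {"acl": m["acl"], "action": m["action"].lower(),
            "src": _to_net(m["src"]), "dst": _to_net(m["dst"])}

def flow_allowed(interfaces, acls, src_if, dst_if, src_ip, dst_ip):
    """acls: interface -> ACEs bound inbound with access-group. A bound ACL
    replaces the security-level rule and ends in an implicit deny; with no
    ACL, only higher-to-lower security traffic passes by default."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src_if in acls:
        for ace in acls[src_if]:
            if src in ace["src"] and dst in ace["dst"]:
                return ace["action"] == "permit"
        return False
    return interfaces[src_if] > interfaces[dst_if]

def printer_check(acl_lines, bindings):
    """Bind parsed ACEs per access-group (bindings: ACL name -> interface) and
    test the thread's flows; host addresses are constructed, the rest is the config's."""
    acls = {}
    for line in acl_lines:
        ace = parse_ace(line)
        acls.setdefault(bindings[ace["acl"]], []).append(ace)
    flows = {"vlan2_to_printer": ("VLAN2", "vlan10", "192.168.3.20", "192.168.230.10"),
             "vlan3_to_printer": ("VLAN3", "vlan10", "192.168.2.20", "192.168.230.10"),
             "vlan2_to_mailserver": ("VLAN2", "vlan10", "192.168.3.20", "192.168.230.2"),
             "vlan2_to_internet": ("VLAN2", "outside", "192.168.3.20", "198.51.100.7")}
    return {name: flow_allowed(INTERFACES, acls, *args) for name, args in flows.items()}
```

Note the last result from printer_check: once VLAN2_IN is bound with access-group, VLAN2's other traffic (Internet included) hits the implicit deny unless the ACL also permits it, so a broader permit is needed to keep the existing access.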

 

Seb,

Thank you so much!!! You saved my day :-)
