Upgrade ASA 5505 ipbase 8.2.1 to 8.2.5 broke my external printer

I have a printer sitting on an outside interface e0/7 that external vendors were able to print to prior to an ISP IP address change and IOS upgrade.

We upgraded our IOS from 8.2.1 to 8.2.5. The printer wasn't changed so the MAC address mapping is still correct on the ISP translation list.

The ISP issues DHCP MAC reservations for static IP address assignment. My printer doesn't seem to be getting the DHCP assignment now.

Here is the before and after config. I'm just wondering, since this worked prior to changing the IP and the IOS changes, if there is another command I need since upgrading from 8.2.1 to 8.2.5. The DHCP IP address is assigned and is working on my e0/0 vlan2 outside interface.

Config that worked prior to the IP and IOS change.


hostname hrh
domain-name hrh.com
enable password
passwd
multicast-routing
names
name 10.200.200.0 TestNet
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.8 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
ospf authentication null
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
ospf network point-to-point non-broadcast
ospf authentication null
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!


boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name lynden.com
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.20.20.20 255.255.255.252
network-object 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 TestNet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any host 192.168.1.1
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 TestNet 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 172.31.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 75.75.75.75
access-list outside_access_in extended permit ip any host 75.75.75.75
access-list inside_access_in extended permit ip any any
access-list printer_access_in extended permit ip any any
access-list printer_access_in extended permit icmp 10.20.20.20 255.255.255.252 192.168.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host inside 10.10.10.242
logging permit-hostdown
mtu inside 1500
mtu outside 1500

ip local pool ACVPN_IPs 192.168.1.248-192.168.1.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router ospf 200
log-adj-changes


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.1.216 poll community ***** version 2c
snmp-server location hrh
snmp-server contact Netcom
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer z.z.z.z
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.10.10 source inside
tftp-server inside 10.10.0.0 c:\
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy testli internal
group-policy testli attributes
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy lilcal internal
group-policy lilcal attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy lilcocal_policy internal
group-policy lilcocal_policy attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
  url-list none
  svc ask enable

vpn-group-policy DfltGrpPolicy
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
pre-shared-key *
tunnel-group ACVPN type remote-access
tunnel-group ACVPN general-attributes
address-pool ACVPN_IPs
dhcp-server 192.168.1.8
tunnel-group ACVPN webvpn-attributes
group-alias ACVPN enable
group-url https://192.168.1.8 enable
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class global-class
  inspect http
class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect http
!
service-policy global_policy global
prompt hostname context

New config where the printer plugged into port e0/7 now doesn't work.

hostname hrh
domain-name hrh.com
enable password
passwd
multicast-routing
names
name 10.200.200.0 TestNet
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.8 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
ospf authentication null
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
ospf network point-to-point non-broadcast
ospf authentication null
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!
!
boot system disk0:/asa825-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name lynden.com
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.20.20.20 255.255.255.252
network-object 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 TestNet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any host 192.168.1.1
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 TestNet 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 172.31.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 85.85.85.85
access-list outside_access_in extended permit ip any host 85.85.85.85
access-list inside_access_in extended permit ip any any
access-list printer_access_in extended permit ip any any
access-list printer_access_in extended permit icmp 10.20.20.20 255.255.255.252 192.168.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host inside 10.10.10.242
logging permit-hostdown
mtu inside 1500
mtu outside 1500

ip local pool ACVPN_IPs 192.168.1.248-192.168.1.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router ospf 200
log-adj-changes


timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00


timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.1.216 poll community ***** version 2c
snmp-server location hrh
snmp-server contact Netcom
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer z.z.z.z
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.10.10 source inside
tftp-server inside 10.10.0.0 c:\
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy testli internal
group-policy testli attributes
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy lilcal internal
group-policy lilcal attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy lilcocal_policy internal
group-policy lilcocal_policy attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
  url-list none
  svc ask enable

vpn-group-policy DfltGrpPolicy
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *****
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
pre-shared-key *****
tunnel-group ACVPN type remote-access
tunnel-group ACVPN general-attributes
address-pool ACVPN_IPs
dhcp-server 192.168.1.8
tunnel-group ACVPN webvpn-attributes
group-alias ACVPN enable
group-url https://192.168.1.8 enable
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class global-class
  inspect http
  inspect icmp
class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect http
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
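The two pasted configs differ only in a handful of lines, and isolating exactly those lines is the first step before changing anything. The following is an added Python example, not from this thread or from Cisco; the two excerpts it embeds are constructed, abbreviated versions of the 8.2.1 and 8.2.5 configs above, and the masked-secret normalisation exists because the two dumps show `*` and `*****` for the same pre-shared keys.

```python
from __future__ import annotations
import difflib
import re

# Constructed, abbreviated excerpts of the 8.2.1 and 8.2.5 configs posted above.
OLD_CFG = """\
boot system disk0:/asa821-k8.bin
pre-shared-key *
policy-map global_policy
class global-class
  inspect http
class inspection_default
  inspect http
service-policy global_policy global
"""
NEW_CFG = """\
boot system disk0:/asa825-k8.bin
boot system disk0:/asa821-k8.bin
timeout floating-conn 0:00:00
pre-shared-key *****
policy-map global_policy
class global-class
  inspect http
  inspect icmp
class inspection_default
  inspect http
  inspect ip-options
service-policy global_policy global
call-home
: end
"""

def normalize(cfg: str) -> list[str]:
    """Drop blanks, ': end' banners, trailing spaces; unify '*' vs '*****' masking."""
    out = []
    for line in (l.rstrip() for l in cfg.splitlines()):
        if line and not line.startswith(":"):
            out.append(re.sub(r"\*+", "<masked>", line))
    return out

def config_delta(old: str, new: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) lines; indentation is kept since it carries structure."""
    a, b = normalize(old), normalize(new)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(b[j1:j2])
    return added, removed

def new_inspections(old: str, new: str) -> list[str]:
    """Just the 'inspect ...' lines the upgrade switched on under the policy-map."""
    return [l.strip() for l in config_delta(old, new)[0] if l.strip().startswith("inspect ")]
```

Running `config_delta` over the full pasted configs shows the same picture as the excerpts: nothing was removed, and the additions are the second `boot system` line, `timeout floating-conn`, `inspect icmp`, `inspect ip-options` and the call-home block.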

Rising star

Upgrade ASA 5505 ipbase 8.2.1 to 8.2.5 broke my external printer

Hello,

In general, you need to reboot (or clear ARP) on the ASA and the upstream router after the IP change. As you already bounced the ASA (during the IOS upgrade), check if it is possible to reboot the ISP router and, if not, clear ARP on it.

Also, if you have a spare IP in the new public IP range, you can assign it to a laptop, connect it directly to the ASA (in the same VLAN as the printer) and test that as well.

Thx

MS

Beginner

Upgrade ASA 5505 ipbase 8.2.1 to 8.2.5 broke my external printer

I tried reloading the ASA but to no avail. The ISP cleared their ARP cache as well. While I had the ISP online, they didn't see the printer's DHCP request.

Of course this is all remote but I can see the interface state change when I have the users turn the printer off then on. When I plug the printer into the local LAN it obtains a local DHCP address and I can access it.

So I'm thinking the printer's DHCP request is being blocked at the ASA, or something else is causing the issue. I am at a loss.

Rising star

Upgrade ASA 5505 ipbase 8.2.1 to 8.2.5 broke my external printer

Have you tried disabling 'inspect ip-options'?

Thx

MS