I have been spinning my wheels trying to figure out how to allow users in the DMZ, who have their own Internet connection, to access a printer on the Inside network but nothing else.
ASA software 9.1.1
DMZ interface IP: 10.10.10.1
DMZ security level: 50
Inside Interface IP: 192.168.0.1
Inside Security Level: 100
I created an ACL to allow the 10.10.10.0/24 subnet access to the printer (192.168.0.51). I did not include a port # in the ACL as I was unsure of the port # used by the printer. What other steps do I need to take to resolve this issue? Static NAT, port redirect, etc.?
Thanks in advance for your time and help.
I am not 100% sure on your setup BUT it seems to me that you are implying the default route for the DMZ hosts points somewhere other than the ASA DMZ interface IP address?
I guess one option would be to NAT the "inside" printer to a "DMZ" network address.
This would essentially mean that even though the DMZ hosts' default gateway might be somewhere other than on the ASA, if they were actually to connect to an IP address on their directly connected network they would simply ARP for the MAC address of that destination IP address and the connection would be forwarded from the connecting host directly to the ASA.
So you could consider something like this:
object network PRINTER
 host 192.168.0.51
 nat (inside,dmz) static 10.10.10.51
The NAT IP address used could naturally be something else IF the above IP address is already in use on the DMZ.
Let me know if this works for you. If there are any problems we can use some commands to test if the rule works correctly or if there is some other problem.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
Ask more if needed
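Putting the two halves of the thread together (the static NAT from the answer, and the "printer but nothing else" requirement from the question), here is an added example of a complete ASA 9.1 configuration for this scenario. It is not the reply author's config; the ACL name DMZ_IN, the service group name, the DMZ test host 10.10.10.20 and the choice of printer ports (TCP 9100 raw/JetDirect, 631 IPP, 515 LPD) are assumptions for illustration. Two things the example makes explicit: because the DMZ (level 50) is lower than Inside (100), DMZ-to-Inside traffic is dropped unless an ACL on the DMZ interface permits it, and on 8.3+ software that ACL is written against the printer's real address (192.168.0.51), not the NAT address 10.10.10.51, because the ASA un-translates the destination before the ACL is evaluated.

```cisco
! Added example for this thread, not configuration from the original reply.
! Assumptions: printer services are TCP 9100/631/515; names DMZ_IN and
! PRINTER-PORTS and the test host 10.10.10.20 are made up for illustration.
!
! 1. The printer as a network object. The same object drives the static NAT
!    (mapped address lives on the DMZ subnet, so DMZ hosts reach it via ARP
!    and the ASA proxy-ARPs for it) and the ACL (which matches the real IP).
object network PRINTER
 host 192.168.0.51
 nat (inside,dmz) static 10.10.10.51
!
! 2. Restrict to the printing services instead of permitting every port.
object-group service PRINTER-PORTS
 service-object tcp destination eq 9100
 service-object tcp destination eq 631
 service-object tcp destination eq 515
!
! 3. Inbound ACL on the DMZ interface: the DMZ subnet may reach the printer's
!    real IP on those ports only. The explicit, logged deny for the rest of the
!    Inside network documents intent and gives you hit counts; anything not
!    listed is dropped by the implicit deny at the end of the ACL anyway.
access-list DMZ_IN extended permit object-group PRINTER-PORTS 10.10.10.0 255.255.255.0 object PRINTER
access-list DMZ_IN extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 log
access-group DMZ_IN in interface dmz
!
! 4. Verify without waiting for a user: simulate a DMZ host printing to the
!    NAT address (expected: allow, NAT to 192.168.0.51), then the same host
!    on a non-printing port (expected: drop by DMZ_IN).
packet-tracer input dmz tcp 10.10.10.20 40000 10.10.10.51 9100
packet-tracer input dmz tcp 10.10.10.20 40000 10.10.10.51 445
!
! 5. Confirm the translation is installed and watch the ACL hit counts.
show nat detail
show access-list DMZ_IN
```

If the DMZ interface already carries an inbound ACL, add the two DMZ_IN lines to that ACL (ordered before any broader permit) rather than replacing it, and if the printer turns out to use a different service, extend PRINTER-PORTS instead of falling back to a "permit ip" rule.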