Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2822
Views
0
Helpful
2
Replies

Access Inside network printer from DMZ

Douglas Sensenig
Level 1
Level 1

‎05-14-2013 11:06 AM - edited ‎03-11-2019 06:43 PM

Hi

I have been spinning my wheels trying to figure out how to allow users in the DMZ, who have their own Internet connection, to access a printer on the Inside network but nothing else.

ASA software 9.1.1

DMZ: 10.10.10.0/24

DMZ interface IP: 10.10.10.1

DMZ security level: 50

Inside: 192.168.0.0/24

Inside Interface IP: 192.168.0.1

Inside Security Level: 100

Printer: 192.168.0.51/24

I created an ACL to allow the 10.10.10.0/24 subnet access to the printer (192.168.0.51). I did not include a port # in the ACL as I was unsure of the port # used by the printer. What other steps do I need to take to resolve this issue? Static NAT, port redirect,etc?

Thanks in advance for your time and help.

Douglas

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎05-14-2013 11:22 AM

Hi,

I am not 100% sure on your setup BUT it seems to me that you are implying the the default route for the DMZ hosts points to somewhere else than the ASA DMZ interface IP address?

I guess one option would be to NAT the "inside" printer to a "DMZ" network address.

This would essentially mean that even though DMZ hosts default gateway might be somewhere else than on the ASA, if they were actually to connect to an IP address on their directly connected network they would simply ARP for the MAC address of that destination IP address and the connection would be forwarded from the connecting host directly to the ASA.

So you could consider something like this

object network PRINTER

host 192.168.0.51

nat (inside,dmz) static 10.10.10.51

The NAT IP address used could naturally be something else IF the above IP address is already in use on the DMZ

Let me know if this works for you. If there is some problems we can use some commands to test if the rule works correctly or if there is some other problems.

Hope this helps

Remember to mark the reply as the correct answer if it answered your question. And/or rate helpfull answers

Ask more if needed

- Jouni

0 Helpful

Douglas Sensenig
Level 1
Level 1
In response to Jouni Forss

‎05-14-2013 11:32 AM

I will give it a try and keep you posted of the results.

d

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card