I have been spinning my wheels trying to figure out how to allow users in the DMZ, who have their own Internet connection, to access a printer on the Inside network but nothing else.
ASA software 9.1.1
DMZ interface IP: 10.10.10.1
DMZ security level: 50
Inside Interface IP: 192.168.0.1
Inside Security Level: 100
I created an ACL to allow the 10.10.10.0/24 subnet access to the printer (192.168.0.51). I did not include a port # in the ACL as I was unsure of the port # used by the printer. What other steps do I need to take to resolve this issue? Static NAT, port redirect, etc.?
I am not 100% sure on your setup BUT it seems to me that you are implying that the default route for the DMZ hosts points to somewhere else than the ASA DMZ interface IP address?
I guess one option would be to NAT the "inside" printer to a "DMZ" network address.
This would essentially mean that even though the DMZ hosts' default gateway might be somewhere else than on the ASA, if they were actually to connect to an IP address on their directly connected network they would simply ARP for the MAC address of that destination IP address and the connection would be forwarded from the connecting host directly to the ASA.
So you could consider something like this:
object network PRINTER
 host 192.168.0.51
 nat (inside,dmz) static 10.10.10.51
The NAT IP address used could naturally be something else IF the above IP address is already in use on the DMZ.
Let me know if this works for you. If there are any problems we can use some commands to test if the rule works correctly or if there is some other problem.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers
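A worked ASA configuration for the approach in this answer, added here as an example and not part of the original thread. It takes the object PRINTER, the real address 192.168.0.51, the mapped DMZ address 10.10.10.51 and the interface names inside and dmz from the question and the answer above. It assumes the printer speaks one of the usual TCP print protocols (raw/JetDirect 9100, IPP 631, LPD 515; trim the group to what the printer actually uses) and uses 10.10.10.20 as a made-up DMZ host for the packet-tracer check. Two points matter for the "nothing else" requirement: the dmz interface (security level 50) cannot initiate traffic to inside (level 100) until an access list applied inbound on dmz permits it, and from ASA 8.3 onwards that access list matches the real, untranslated address, so it permits the printer object (192.168.0.51) even though DMZ hosts address the mapped 10.10.10.51.

```cisco
! Added example, not from the thread. Assumes nameif "inside" and "dmz",
! the real printer 192.168.0.51 and the mapped DMZ address 10.10.10.51.
!
! 1. Printer object and static NAT from the answer. The object needs the
!    real host address before the nat line is accepted. The ASA will
!    proxy-ARP for 10.10.10.51 on dmz, so DMZ hosts reach it directly even
!    though their default gateway is not the ASA.
object network PRINTER
 host 192.168.0.51
 nat (inside,dmz) static 10.10.10.51
!
! 2. Print protocols (assumed for this printer): raw 9100, IPP 631, LPD 515.
object-group service PRINT-PORTS tcp
 port-object eq 9100
 port-object eq 631
 port-object eq 515
!
! 3. Inbound ACL on dmz. Destination is the real address (object PRINTER),
!    not the mapped 10.10.10.51, because 8.3+ evaluates ACLs before NAT
!    untranslation against the real IP. The explicit deny at the end logs
!    anything else the DMZ tries to reach through the ASA.
access-list DMZ_IN extended permit tcp 10.10.10.0 255.255.255.0 object PRINTER object-group PRINT-PORTS
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! 4. Verify from the ASA CLI without touching a host. packet-tracer takes the
!    address the DMZ host actually sends to, i.e. the mapped 10.10.10.51.
!    10.10.10.20 is a made-up DMZ test host.
packet-tracer input dmz tcp 10.10.10.20 40000 10.10.10.51 9100
!    Expected: every phase ALLOW, Result: allow.
packet-tracer input dmz tcp 10.10.10.20 40000 10.10.10.51 80
!    Expected: Result: drop, acl-drop in the ACCESS-LIST phase (port not
!    in PRINT-PORTS). The same should happen for any other inside host.
!
! 5. After a real print job, confirm the translation and the hit counts.
show nat detail
show xlate | include 10.10.10.51
show access-list DMZ_IN
```

If the printer's protocol is still unknown, the quickest way to find it is the hit counters in show access-list after a test print with a temporary permit tcp line for the printer object; tighten the group to the ports that actually increment and remove the temporary line. Leaving a port-less permit ip in place lets any DMZ host reach every service on the printer, including its web and SNMP management interfaces, which is more than a print queue needs.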