Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1314
Views
0
Helpful
1
Replies

Access list and remote printing

soumik1979
Level 1
Level 1

‎07-10-2010 12:34 AM - edited ‎03-11-2019 11:09 AM

Dear all

My organization has a leaased line internet that is connected to router , then asa 5510 .From ASA 5510 it is distributed to LAN.NATING is done in ASA.

The IP range is 120.125.51.128/27.The router interface IP is 120.125.51.129.The out side interface of  ASA 5510 is 120.125.51.147 .Nating is done on 120.125.51.148 on ASA.Inside interface of ASA is 192.168.0.111.The other public IP s are used in web server , other devices and few are free.Now I want

1) I want to ad an access list in ASA so that only the permitted users can access giving the gateway 192.168.0.111.

I have tried

access-list inside permit tcp host x.x.x.x any eq smtp

access-list inside deny tcp any any eq smtp

access-list inside permit ip any any

access-group inside in interface inside

access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any
access-group inside in interface inside

But here only one IP blocked.If we add several IP  only the first IP is blocked.Rest IPs still get internet through gateway.

2) One of our printer has IP 192.168.0.123.I want that user will print to this printer through internet

Can any body help me regarding that ....

Labels:
0 Helpful
1 Reply 1

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-10-2010 01:01 AM

1) If you would like to deny specific ip address on specific ports, you would need to configure those deny statements before the "permit ip any any" statement as access-list is checked from top to bottom.

From your example, you would need to configure the following:

access-list inside permit tcp host x.x.x.x any eq smtp

access-list  inside deny tcp any any eq smtp

access-list inside deny tcp host 192.168.0.91 any eq 80

access-list inside permit ip any any

All the "deny" ACL needs to be on top of the last line "access-list inside permit ip any any".

If you check the ACL by: "sh run access-list inside" command, it will show you order.

2) If you would like user from the internet to use printer with private ip address of 192.168.0.123, you would need to configure static NAT to translate the private ip to one of your spare public ip address.

Example:

static (inside,outside) 120.125.51.x 192.168.0.123 netmask 255.255.255.255

And also, on the outside access-list, you would need to permit the printer traffic inbound towards the public ip address.

Hope that helps.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card