09-06-2015 03:42 PM - edited 03-11-2019 11:33 PM
I have an ASA 5505 with Security Plus license running IOS 9.0(2). I need to print from computers on one VLAN to a printer on a different VLAN. Both VLANs are configured on the same ASA. The VLAN network I need to print from is also configured on an Aironet WiFi access point. This VLAN is a guest wireless. The VLAN with the printer I need to print to is the inside VLAN. I would like to only allow access to the printer.
09-06-2015 03:50 PM
In the ACL that you have configured on the guest interface, you have to allow the communication to the printer on the relevant ports for your printer (could be tcp/515 and/or tcp/9100).
09-06-2015 05:18 PM
09-07-2015 04:50 AM
You are right, your guests already have full access to your internal network. But as you write that you only want to allow traffic to the printer, that's probably not what you wanted. To change that you have to replace the second line in the "Outbound-Guest" ACL with specific permit entries.
But again, printing should work with this config.
Although one problem could be caused by your NAT-config. You can replace the line
nat (inside,any) source static any any destination static obj-172.16.1.0 obj-172.16.1.0 no-proxy-arp
by
nat (inside,outside) source static any any destination static obj-172.16.1.0 obj-172.16.1.0 no-proxy-arp route-lookup
If you only test with PING, then you should make ICMP statefully inspected:
policy-map global_policy
 class inspection_default
  inspect icmp
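The restriction described in the reply above (replacing the broad permit in the "Outbound-Guest" ACL with specific permit entries), as an added example that is not part of the thread. The printer address 192.168.1.50, the inside network 192.168.1.0/24, the guest host 10.10.10.10 and the interface name guest are assumptions, since the thread does not show them, and the ACL is assumed to be rebuilt with only these entries.

```cisco
! Constructed values: printer 192.168.1.50, inside net 192.168.1.0/24,
! guest interface nameif "guest". Replace with the real configuration.
object network PRINTER
 host 192.168.1.50
!
! Permit only the print ports named in the thread (tcp/515 LPD, tcp/9100 raw).
access-list Outbound-Guest extended permit tcp any object PRINTER eq 515
access-list Outbound-Guest extended permit tcp any object PRINTER eq 9100
! Deny everything else from the guest VLAN to the inside network.
access-list Outbound-Guest extended deny ip any 192.168.1.0 255.255.255.0
! Remaining guest traffic (Internet access) stays permitted.
access-list Outbound-Guest extended permit ip any any
!
! Apply inbound on the guest interface.
access-group Outbound-Guest in interface guest
!
! Checks from exec mode (10.10.10.10 is a constructed guest host):
!   packet-tracer input guest tcp 10.10.10.10 1024 192.168.1.50 9100   -> expect ALLOW
!   packet-tracer input guest tcp 10.10.10.10 1024 192.168.1.60 445    -> expect DROP
!   show access-list Outbound-Guest                                    -> per-entry hit counts
```

Entry order matters: the ASA evaluates the ACL top-down, so the two printer permits must sit above the deny for the inside network.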