ASA 5505 Accessing printer on different VLAN

stevenmorgan
Level 1

I have an ASA 5505 with Security Plus license running IOS 9.0(2). I need to print from computers on one VLAN to a printer on a different VLAN. Both VLANs are configured on the same ASA. The VLAN network I need to print from is also configured on an Aironet WiFi access point. This VLAN is a guest wireless. The VLAN with the printer I need to print to is the inside VLAN. I would like to only allow access to the printer.

3 Replies

In the ACL that you have configured on the guest interface, you have to allow the communication to the printer on the relevant ports for your printer (could be tcp/515 and/or tcp/9100).

I have only one ACL for the guest VLAN and that is for blocking outgoing SMTP. Thank you for replying; however, I don't feel configuring the ACL is the answer. I've uploaded a copy of the ASA config file.

You are right, your guests already have full access to your internal network. But as you write that you only want to allow traffic to the printer, that's probably not what you wanted. To change that you have to replace the second line in the "Outbound-Guest" ACL with specific permit entries.

But again, printing should work with this config.

Although one problem could be caused by your NAT-config. You can replace the line 

nat (inside,any) source static any any destination static obj-172.16.1.0 obj-172.16.1.0 no-proxy-arp

by 

nat (inside,outside) source static any any destination static obj-172.16.1.0 obj-172.16.1.0 no-proxy-arp route-lookup

If you only test with PING, then you should make ICMP statefully inspected:

policy-map global_policy
 class inspection_default
  inspect icmp
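
An added example, not taken from the poster's configuration or from any reply above: one way to turn the "Outbound-Guest" ACL into printer-only access to the inside network while guests keep Internet access. Everything in angle brackets is a placeholder to fill in from your own config, and the sketch assumes the ACL is already applied inbound on the guest interface with the SMTP block as its first entry.

```text
! Added example; <...> values are placeholders, not values from the thread.
! Step 1: list the current entries and note the broad second entry.
show running-config access-list Outbound-Guest

! Step 2: remove that entry by prefixing it with "no", exactly as displayed:
!   no access-list Outbound-Guest extended <existing second entry>

! Step 3: insert specific entries after the SMTP block (line 1).
! ASA ACLs are first-match, so the printer permits must come before
! the deny that covers the rest of the inside network.
access-list Outbound-Guest line 2 extended permit tcp <GUEST_NET> <GUEST_MASK> host <PRINTER_IP> eq 9100
access-list Outbound-Guest line 3 extended permit tcp <GUEST_NET> <GUEST_MASK> host <PRINTER_IP> eq 515
access-list Outbound-Guest line 4 extended deny ip any <INSIDE_NET> <INSIDE_MASK>
access-list Outbound-Guest line 5 extended permit ip any any

! Step 4: verify. The first trace should end in ALLOW, the second in DROP
! at the access-list phase.
packet-tracer input <GUEST_NAMEIF> tcp <GUEST_HOST_IP> 1025 <PRINTER_IP> 9100
packet-tracer input <GUEST_NAMEIF> tcp <GUEST_HOST_IP> 1025 <OTHER_INSIDE_HOST_IP> 445

! Hit counters show which entry real print jobs are matching.
show access-list Outbound-Guest
```

Keep only the printer port your device actually uses; if the printer is set up on the guest computers by hostname, those computers also need a way to resolve that name.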