01-24-2019 03:21 AM - edited 02-21-2020 08:41 AM
Hello,
I'm stuck and don't know where to start.
I have a Cisco ASA5506X with 4 VLANs with different security levels.
VLAN 10 192.168.230.x/24
Security level 100
VLAN 2 192.168.2.x/24
Security level 70
VLAN 3 192.168.3.x/24
Security level 50
In VLAN 10 I have a printer (192.168.230.10).
What I want is that the users/hosts who are in VLAN 2 and 3 can also print to this printer.
The ASA5506X is running v9.8
The switch I'm using is a 2960 Layer 2. The printer is connected to an access port and the ASA to a trunk.
I don't know how to accomplish this. Please advise.
01-24-2019 03:33 AM
Hi there,
Since VLANs 2 and 3 are at a lower security level you need to explicitly permit traffic from those subnets to the printer.
Without having sight of your full config I have made some assumptions with the following config, but it should be easy to follow and re-edit to suit your existing setup:
!
int vlan2
 nameif VLAN2
!
int vlan3
 nameif VLAN3
!
access-list VLAN2_IN extended permit 192.168.2.0 255.255.255.0 host 192.168.230.10
!
!
access-list VLAN3_IN extended permit 192.168.3.0 255.255.255.0 host 192.168.230.10
!
access-group VLAN2_IN in interface VLAN2
access-group VLAN3_IN in interface VLAN3
!
Please share the full ASA config if you are not sure.
cheers,
Seb.
01-24-2019 03:40 AM - edited 01-24-2019 03:41 AM
interface GigabitEthernet1/1
description WAN Interface
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description LAN Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.1
vlan 10
nameif vlan10
security-level 100
ip address 192.168.230.254 255.255.255.0
!
interface GigabitEthernet1/2.2
vlan 2
nameif VLAN2
security-level 75
ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet1/2.3
vlan 3
nameif VLAN3
security-level 50
ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Mailserver
host 192.168.230.2
description Exchange Server VLAN1 Interface
object service HTTPS
service tcp source eq https
object service SMTP
service tcp source eq smtp
object network Printer_Boven
host 192.168.230.10
description Samsung Color Printer
object network VLAN10_Subnet
subnet 192.168.230.0 255.255.255.0
object network VLAN2_Subnet
subnet 192.168.3.0 255.255.255.0
object network VLAN3_Subnet
subnet 192.168.2.0 255.255.255.0
object-group service Mailserver_Services
service-object tcp destination eq smtp
service-object tcp destination eq https
access-list outside_inside extended permit icmp any any echo
access-list outside_inside extended permit udp any any range 33434 33523
access-list outside_inside extended permit icmp any any time-exceeded
access-list outside_inside extended permit icmp any any source-quench
access-list outside_inside extended permit icmp any any echo-reply
access-list outside_inside extended permit icmp any any unreachable
access-list outside_in extended permit tcp any object Mailserver_LAN eq smtp
access-list outside_in extended permit tcp any object Mailserver_LAN eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu vlan10 1500
mtu VLAN2 1500
mtu VLAN3 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (vlan10,outside) source static Mailserver_LAN interface service SMTP SMTP
nat (vlan10,outside) source static Mailserver_LAN interface service HTTPS HTTPS
!
nat (vlan10,outside) after-auto source dynamic any interface
nat (VLAN2,outside) after-auto source dynamic any interface
nat (VLAN3,outside) after-auto source dynamic any interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable 8443
http 192.168.230.0 255.255.255.0 vlan10
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 enable outside client-services port 444
telnet timeout 5
no ssh stricthostkeycheck
ssh 83.98.239.41 255.255.255.255 outside
ssh 192.168.230.0 255.255.255.0 vlan10
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.3.1-192.168.3.250 VLAN2
dhcpd dns 8.8.8.8 8.8.4.4 interface VLAN2
dhcpd domain fpfinance.local interface VLAN2
dhcpd option 3 ip 192.168.3.254 interface VLAN2
dhcpd enable VLAN2
!
dhcpd address 192.168.2.1-192.168.2.250 VLAN3
dhcpd dns 8.8.8.8 8.8.4.4 interface VLAN3
dhcpd domain events2move.local interface VLAN3
dhcpd option 3 ip 192.168.2.254 interface VLAN3
dhcpd enable VLAN3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 444
enable outside
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username admin password ******************************** privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
01-24-2019 03:35 AM - edited 01-24-2019 03:40 AM
Make sure the switch port going to the firewall is a trunk.
!
SW
!
interface gigx/x
switchport trunk encapsulation dot1q
switchport mode trunk
no shut
!
----------------------------------
ASA
!
interface gig1/1
no shut
!
interface gig1/1.10
vlan 10
nameif inside
ip address 192.168.230.x 255.255.255.0
!
interface gig1/1.2
vlan 2
nameif dmz1
security-level 50
ip address 192.168.2.x 255.255.255.0
!
interface gig1/1.3
vlan 3
nameif dmz2
security-level 50
ip address 192.168.3.x 255.255.255.0
!
same-security-traffic permit inter-interface
!
access-list DMZ1_IN extended permit ip 192.168.2.0 255.255.255.0 host 192.168.230.X
!
!
access-list DMZ2_IN extended permit ip 192.168.3.0 255.255.255.0 host 192.168.230.X
!
access-group DMZ1_IN in interface dmz1
access-group DMZ2_IN in interface dmz2
01-24-2019 03:50 AM
When I try to add the access-list command, it seems that they are not complete?
Access-list VLAN2_IN extended permit 192.168.3.0 255.255.255.0 host 192.168.230. ^10
ERROR: % Invalid input detected at '^' marker.
01-24-2019 03:56 AM
Typo! :) add 'ip':
access-list VLAN2_IN extended permit ip 192.168.3.0 255.255.255.0 host 192.168.230.10
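As an added example (not posted by Seb or anyone else in this thread), the ACL approach from Seb's answer and the corrected 'ip' line above can be tightened so that VLAN 2 and VLAN 3 reach only the printer's print services and nothing else in VLAN 10. It reuses the object names already present in the posted config (VLAN2_Subnet, VLAN3_Subnet, VLAN10_Subnet, Printer_Boven) and the nameifs VLAN2/VLAN3; the print ports (RAW/JetDirect 9100, IPP 631, LPD 515) and the host 192.168.3.20 used in the packet-tracer checks are assumptions, not values from the thread.

```cisco
! Added example, not the thread's own config. Object names come from the posted
! running-config; the service ports and test host are assumed values.
object-group service PRINT_SVCS
 service-object tcp destination eq 9100
 service-object tcp destination eq 631
 service-object tcp destination eq 515
!
! VLAN2 (security-level 75) -> printer in VLAN10 (security-level 100): print ports only
access-list VLAN2_IN extended permit object-group PRINT_SVCS object VLAN2_Subnet object Printer_Boven
! Block everything else from VLAN2 towards the other internal subnets ...
access-list VLAN2_IN extended deny ip object VLAN2_Subnet object VLAN10_Subnet
access-list VLAN2_IN extended deny ip object VLAN2_Subnet object VLAN3_Subnet
! ... but keep Internet access: once an ACL is bound to the interface, the
! security-level default (higher to lower allowed) is replaced by the ACL's
! implicit deny, so outbound traffic needs its own permit line.
access-list VLAN2_IN extended permit ip object VLAN2_Subnet any
!
! Same pattern for VLAN3 (security-level 50)
access-list VLAN3_IN extended permit object-group PRINT_SVCS object VLAN3_Subnet object Printer_Boven
access-list VLAN3_IN extended deny ip object VLAN3_Subnet object VLAN10_Subnet
access-list VLAN3_IN extended deny ip object VLAN3_Subnet object VLAN2_Subnet
access-list VLAN3_IN extended permit ip object VLAN3_Subnet any
!
access-group VLAN2_IN in interface VLAN2
access-group VLAN3_IN in interface VLAN3
!
! Verify the policy without sending real traffic (40000 is an arbitrary source port).
! A print job from VLAN2 to the printer should show "Action: allow" ...
packet-tracer input VLAN2 tcp 192.168.3.20 40000 192.168.230.10 9100
! ... while SMB from the same host to the mail server in VLAN10 should show "Action: drop"
packet-tracer input VLAN2 tcp 192.168.3.20 40000 192.168.230.2 445
```

The order of the lines matters: the ASA evaluates an extended ACL top-down and stops at the first match, so the narrow printer permit sits first, the denies to the other internal subnets follow, and the broad `permit ... any` for Internet traffic comes last. Without the two deny lines, that final permit would also open VLAN 10 entirely to the lower-security VLANs.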
01-24-2019 04:09 AM
Seb,
Thank you so much!!! You saved my day :-)