Bypass NAT for single printer IP

Jamie Joh
Level 1

Hi all,

I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)

We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.

Is this possible and how would i go about doing it?

Many thanks

Jamie

36 Replies

Still no luck after that.

In theory, if the translation was working, shouldn't a ping sent to 10.100.104.20 be picked up by 172.29.8.20? Because at the moment I get no response.

Many thanks

Gah,

Could you add this for the ICMP and test again:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

There should not be many things that would cause problems for an incoming connection. You need Static NAT and a rule allowing the traffic you are testing. To automatically allow ICMP return traffic the above configurations are usually needed. In your case you should not need anything added to routing with regards to this since the LAN network is directly connected to the ASA.

- Jouni

Still not working!

I've just tried translating another 10.100 IP address to one of our web servers and it works fine!

I think we've decided just to stick another switch in and have the printer outside of the firewall as it's starting to make us go insane!

One more thing, if you wouldn't mind: does it look like our ports 52221, 52222 and HTTPS are open according to that top log?

Thank you so much for your help.

Hi,

I think the problem with the printer might be some simple thing you/we have not noticed. Naturally, as I can't see the whole network and don't know everything related to the connection between the hosts, it's harder to determine the problem.

I would need to see the current configuration to determine the situation with the above ports. It seemed to me in the configuration you posted this was allowed from behind the "outside" to your internal network from a single public source IP address. The problem is though that only your Printer had a Static NAT but no other device so no other device could be reached with those ports since there was no NAT configuration for other hosts on your LAN.

It's too bad if we have to leave this as unsolved. I am pretty sure if I knew the whole setup a bit better we could determine what the problem is.

- Jouni

Yeah, it's really frustrating that we can't solve it.

Regarding the ports, we have a piece of software that apparently needs to communicate on 52221, 52222 and HTTPS (443) but it still doesn't seem to communicate. Apparently that IP in the config is the source but I wouldn't mind opening those ports globally for all IPs.

Here is the current config.

names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.100.104.2 255.255.248.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.29.8.1 255.255.248.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
object network any-inside
 subnet 0.0.0.0 0.0.0.0
object network TSTC-Printing
 host 172.29.8.20
object service tcp_9100
 service tcp source eq 9100 destination eq 9100
object network TCSC-Printing
object network PRINTER
 host 10.100.104.20
object network Portico
 host 172.29.8.46
object network Eportal
 host 172.29.8.36
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 52221
 port-object eq 52222
 port-object eq https
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in remark Form Pearson Exam Software
access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20
access-list outside_access_in extended permit ip any object TSTC-Printing
access-list outside_access_in extended permit ip any object Portico
access-list outside_access_in extended permit ip any object Eportal
access-list PRINTER-CAPTURE extended permit ip host 10.100.104.20 any
access-list PRINTER-CAPTURE extended permit ip any host 10.100.104.20
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 172.29.10.226 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
!
object network any-inside
 nat (inside,outside) dynamic interface
object network TSTC-Printing
 nat (inside,outside) static 10.100.104.20
object network Portico
 nat (inside,outside) static 10.100.104.5
object network Eportal
 nat (inside,outside) static 10.100.104.4
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.100.104.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable 1234
http 192.168.1.0 255.255.255.0 management
http 172.29.8.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.29.8.0 255.255.248.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.10-192.168.1.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home

Many thanks

Hi,

Seems you currently have 3 devices for which Static NAT is configured.

object network TSTC-Printing
 nat (inside,outside) static 10.100.104.20
object network Portico
 nat (inside,outside) static 10.100.104.5
object network Eportal
 nat (inside,outside) static 10.100.104.4

You have also allowed all traffic to these hosts from "any" address behind the "outside" interface.

No other hosts can be reached through the ASA from behind the "outside" interface since they don't have their own NAT IP address.

Your hosts behind the "inside" interface should also be able to form connections towards any destination IP address on any destination port. All the hosts behind "inside" will be visible towards the "outside" interface and its networks with the NAT IP address 10.100.104.2, since you have configured Dynamic PAT using the ASA's "outside" interface.

Dynamic PAT is done with this configuration in the above output:

object network any-inside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Naturally there is also the question of what other device is between your LAN and the External/Public network. All your addresses are from a private range, so there is a firewall/gateway device somewhere further in the network that also controls traffic to and from the Internet.

My current doubt related to the Printer issue is whether we truly got all the traffic during the testing to the ASA. If that was all, then it would seem to me that there just has to be some problem with the network setup in general.

- Jouni
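The two points Jouni makes in this thread (an inbound connection needs a Static NAT entry plus a matching ACL entry, and hosts without their own static NAT cannot be reached from "outside") can be checked mechanically against the posted configuration. The script below is an added example, not code from the thread or from Cisco: it parses the object, NAT and outside_access_in lines that appear in Jamie's config, maps an address seen on "outside" back to the real inside host using only the static NAT entries (dynamic PAT to the interface creates no inbound mapping), and then evaluates the ACL against the real address, which is how ASA 8.3 and later (the config boots asa845) apply interface ACLs. The test flows and the PORT_GROUPS table are constructed from values on the page; nothing here talks to a real ASA.

```python
import ipaddress

# Constructed excerpt of the object, NAT and ACL lines from the posted config.
CONFIG = """
object network TSTC-Printing
 host 172.29.8.20
object network Portico
 host 172.29.8.46
object network Eportal
 host 172.29.8.36
object network any-inside
 subnet 0.0.0.0 0.0.0.0
object network TSTC-Printing
 nat (inside,outside) static 10.100.104.20
object network Portico
 nat (inside,outside) static 10.100.104.5
object network Eportal
 nat (inside,outside) static 10.100.104.4
object network any-inside
 nat (inside,outside) dynamic interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in remark Form Pearson Exam Software
access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip any object TSTC-Printing
access-list outside_access_in extended permit ip any object Portico
access-list outside_access_in extended permit ip any object Eportal
"""

# Members of the posted object-group DM_INLINE_TCP_1 (https resolved to 443).
PORT_GROUPS = {"DM_INLINE_TCP_1": {52221, 52222, 443}}


def _addr(tokens, objects):
    """Consume one ACE address spec (any | host X | object NAME); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def parse_ace(tokens, objects):
    """tokens follow 'access-list NAME extended': action proto src dst [eq N | object-group G]."""
    action, proto = tokens[0], tokens[1]
    src, rest = _addr(tokens[2:], objects)
    dst, rest = _addr(rest, objects)
    ports = None                      # None means any destination port
    if rest[:1] == ["eq"]:
        ports = {int(rest[1])}
    elif rest[:1] == ["object-group"]:
        ports = PORT_GROUPS[rest[1]]
    return (action, proto, src, dst, ports)


def parse_config(text):
    """Return (objects, nats, acl) for the outside_access_in ACL and network objects."""
    objects, nats, acl, current = {}, [], [], None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            current = t[2]
            objects.setdefault(current, None)
        elif t[0] == "host":
            objects[current] = ipaddress.ip_network(t[1])
        elif t[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[0] == "nat":              # nat (inside,outside) static MAPPED | dynamic interface
            nats.append((current, t[2], t[3]))
        elif t[:3] == ["access-list", "outside_access_in", "extended"]:
            acl.append(parse_ace(t[3:], objects))
    return objects, nats, acl


def untranslate(dst_ip, nats, objects):
    """Real inside host for an address seen on 'outside', or None if only dynamic PAT covers it."""
    for obj, kind, mapped in nats:
        if kind == "static" and ipaddress.ip_address(mapped) == ipaddress.ip_address(dst_ip):
            return str(objects[obj].network_address)
    return None


def evaluate(proto, src, dst, dport, cfg):
    """Decide an outside-initiated flow: (action, real destination or None, reason)."""
    objects, nats, acl = cfg
    real = untranslate(dst, nats, objects)
    if real is None:
        return ("drop", None, "no static NAT maps this outside address to an inside host")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(real)   # ACL sees the real IP
    for action, aproto, asrc, adst, ports in acl:
        if aproto not in ("ip", proto) or s not in asrc or d not in adst:
            continue
        if ports is not None and dport not in ports:
            continue
        return (action, real, f"matched '{action} {aproto}' entry")
    return ("drop", real, "no ACL entry matched (implicit deny)")


CFG = parse_config(CONFIG)

# Constructed flows arriving on "outside"; 10.100.104.50 and 10.100.104.99 are made-up addresses.
FLOWS = [
    ("icmp", "10.100.104.50", "10.100.104.20", None),   # ping test from the thread
    ("tcp",  "10.100.104.50", "10.100.104.20", 9100),   # raw print port
    ("tcp",  "212.62.15.118", "10.100.104.5", 52221),   # Pearson host to Portico
    ("tcp",  "10.100.104.50", "10.100.104.99", 443),    # host with no static NAT
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(*flow, CFG))
```

The fourth flow is the case Jouni describes: the ACL would permit HTTPS, but there is no static entry mapping 10.100.104.99 to an inside host, so the ASA drops it before the ACL is ever consulted. Note that the parser only handles the address and port forms used in the posted ACL; the `permit object tcp_9100 any host 10.100.104.20` line is deliberately left out because, with ACLs evaluated against real addresses, an entry written against the mapped address 10.100.104.20 cannot match the translated printer traffic.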

Apologies for the late reply.

So you reckon that any software installed on our PCs should be able to access any ports? I know we are behind another firewall but we put the request in and apparently they have opened the following ports, but we still cannot connect using this piece of software, so I just wanted to make sure our firewall wouldn't be blocking access.

Many thanks
