12-03-2013 06:55 AM - edited 03-11-2019 08:12 PM
Hi all,
I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)
We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.
Is this possible and how would I go about doing it?
Many thanks
Jamie
12-04-2013 06:19 AM
Still no luck after that.
In theory, if the translation was working, shouldn't a ping sent to 10.100.104.20 be picked up by 172.29.8.20? Because at the moment I get no response.
Many thanks
12-04-2013 06:25 AM
Gah,
Could you add this for the ICMP and test again
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
There should not be many things that would cause problems for an incoming connection. You need Static NAT and a rule allowing the traffic you are testing. To automatically allow ICMP return traffic the above configurations are usually needed. In your case you should not need anything added to routing with regards to this since the LAN network is directly connected to the ASA.
- Jouni
12-04-2013 07:56 AM
Still not working!
I've just tried translating another 10.100 IP address to one of our web servers and it works fine!
I think we've decided just to stick another switch in and have the printer outside of the firewall, as it's starting to make us go insane!
One more thing if you wouldn't mind: does it look like our ports 52221, 52222 and HTTPS are open according to that top log?
Thank you so much for your help.
12-04-2013 08:06 AM
Hi,
I think the problem with the printer might be some simple thing you/we have not noticed. Naturally, since I can't see the whole network and don't know everything related to the connection between the hosts, it's harder to determine the problem.
I would need to see the current configuration to determine the situation with the above ports. It seemed to me in the configuration you posted this was allowed from behind the "outside" to your internal network from a single public source IP address. The problem is though that only your Printer had a Static NAT but no other device so no other device could be reached with those ports since there was no NAT configuration for other hosts on your LAN.
It's too bad if we have to leave this as unsolved. I am pretty sure if I knew the whole setup a bit better we could determine what the problem is.
- Jouni
12-04-2013 08:16 AM
Yeah, it's really frustrating that we can't solve it.
Regarding the ports, we have a piece of software that apparently needs to communicate on 52221, 52222 and HTTPS (443), but it still doesn't seem to communicate. Apparently that IP in the config is the source, but I wouldn't mind opening those ports globally for all IPs.
Here is the current config.
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.100.104.2 255.255.248.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.29.8.1 255.255.248.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
object network any-inside
subnet 0.0.0.0 0.0.0.0
object network TSTC-Printing
host 172.29.8.20
object service tcp_9100
service tcp source eq 9100 destination eq 9100
object network TCSC-Printing
object network PRINTER
host 10.100.104.20
object network Portico
host 172.29.8.46
object network Eportal
host 172.29.8.36
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 52221
port-object eq 52222
port-object eq https
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in remark Form Pearson Exam Software
access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20
access-list outside_access_in extended permit ip any object TSTC-Printing
access-list outside_access_in extended permit ip any object Portico
access-list outside_access_in extended permit ip any object Eportal
access-list PRINTER-CAPTURE extended permit ip host 10.100.104.20 any
access-list PRINTER-CAPTURE extended permit ip any host 10.100.104.20
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 172.29.10.226 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
!
object network any-inside
nat (inside,outside) dynamic interface
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20
object network Portico
nat (inside,outside) static 10.100.104.5
object network Eportal
nat (inside,outside) static 10.100.104.4
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.100.104.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable 1234
http 192.168.1.0 255.255.255.0 management
http 172.29.8.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.29.8.0 255.255.248.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.10-192.168.1.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
Many thanks
12-04-2013 08:27 AM
Hi,
Seems you currently have 3 devices for which Static NAT is configured.
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20
object network Portico
nat (inside,outside) static 10.100.104.5
object network Eportal
nat (inside,outside) static 10.100.104.4
You have also allowed all traffic to these hosts from "any" address behind the "outside" interface.
No other hosts can be reached through the ASA from behind the "outside" interface since they don't have their own NAT IP address.
Your hosts behind the "inside" interface should also be able to form connections towards any destination IP address on any destination port. All the hosts behind "inside" will be visible towards the "outside" interface and its networks with the NAT IP address 10.100.104.2, since you have configured Dynamic PAT using the ASA's "outside" interface.
Dynamic PAT is done with this configuration in the above output:
object network any-inside
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Naturally there is also the question of what other device is between your LAN and the External/Public network. All your addresses are from a private range, so there is a firewall/gateway device somewhere further in the network that also controls traffic to and from the Internet.
My current doubt related to the Printer issue is whether we truly got all the traffic during the testing to the ASA. If that was all, then it would seem to me that there just has to be some problem with the network setup in general.
- Jouni
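Added example, not part of the thread and not Cisco tooling: a small Python audit script that reads the kind of ASA 8.3+ object-NAT excerpt posted above and answers the two points Jouni makes in this reply (which inside hosts have a static NAT and are therefore reachable from "outside", and which ACEs open them to all IP traffic from "any"), plus the earlier question about whether 52221, 52222 and 443 are open and from which source. The embedded config is a constructed excerpt trimmed from the posted configuration; the function names and the small named-port table are assumptions of this example, and only `host`, `subnet`, `object`, `object-group` and `eq` forms are parsed.

```python
"""Audit an ASA 8.3+ object-NAT config excerpt (added example, hypothetical helpers).

Answers: which inside hosts are reachable from "outside" (static NAT), which ACEs
open them to all IP traffic from any source, and which TCP ports an ACL permits,
expanding service object-groups.
"""
from collections import defaultdict

# Constructed excerpt, trimmed from the config posted in the thread.
SAMPLE_CONFIG = """\
object network any-inside
 subnet 0.0.0.0 0.0.0.0
object network TSTC-Printing
 host 172.29.8.20
object network Portico
 host 172.29.8.46
object network Eportal
 host 172.29.8.36
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 52221
 port-object eq 52222
 port-object eq https
access-list outside_access_in remark Form Pearson Exam Software
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip any object TSTC-Printing
access-list outside_access_in extended permit ip any object Portico
access-list outside_access_in extended permit ip any object Eportal
object network any-inside
 nat (inside,outside) dynamic interface
object network TSTC-Printing
 nat (inside,outside) static 10.100.104.20
object network Portico
 nat (inside,outside) static 10.100.104.5
object network Eportal
 nat (inside,outside) static 10.100.104.4
"""

# Assumed subset of the ASA's well-known service names.
NAMED_PORTS = {"https": 443, "http": 80, "www": 80, "ssh": 22, "smtp": 25}


def _port(token):
    """Turn 'https' or '52221' into an int; unknown names are kept as-is."""
    return int(token) if token.isdigit() else NAMED_PORTS.get(token, token)


def parse_config(text):
    """Return (objects, nats, groups, aces).  Keyword-driven so it also copes
    with the flattened (unindented) form of the config as pasted in the thread."""
    objects, nats, groups, aces = {}, {}, defaultdict(list), []
    current = None                      # ("object" | "group", name) block being read
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        head = words[0]
        if head == "object" and words[1] == "network":
            current = ("object", words[2])
        elif head == "object-group" and words[1] == "service":
            current = ("group", words[2])
        elif head == "access-list":
            if len(words) > 3 and words[3] == "permit":   # skips remark lines
                aces.append(words)
        elif current and current[0] == "object":
            name = current[1]
            if head == "host":
                objects[name] = words[1]
            elif head == "subnet":
                objects[name] = f"{words[1]}/{words[2]}"
            elif head == "nat" and "static" in words:
                nats[name] = words[words.index("static") + 1]   # mapped IP
        elif current and current[0] == "group" and head == "port-object":
            groups[current[1]].append(_port(words[2]))
    return objects, nats, groups, aces


def reachable_from_outside(objects, nats):
    """Map real inside IP -> mapped outside IP for every static object NAT."""
    return {objects[n]: mapped for n, mapped in nats.items() if n in objects}


def any_source_full_access(objects, nats, aces, acl="outside_access_in"):
    """Real IPs of statically NATed hosts that an ACE opens to ALL IP traffic
    from any source ('permit ip any object X' / 'permit ip any host Y')."""
    real_ips = reachable_from_outside(objects, nats)
    exposed = set()
    for ace in aces:
        if len(ace) < 8 or ace[1] != acl or ace[3:6] != ["permit", "ip", "any"]:
            continue
        target = objects.get(ace[7]) if ace[6] == "object" else ace[7] if ace[6] == "host" else None
        if target in real_ips:
            exposed.add(target)
    return sorted(exposed)


def _take_addr(words):
    """Consume one address spec: 'any', 'host X', 'object X' or 'A MASK'."""
    if words[0] == "any":
        return "any", words[1:]
    if words[0] in ("host", "object", "object-group"):
        return f"{words[0]} {words[1]}", words[2:]
    return f"{words[0]}/{words[1]}", words[2:]


def ports_allowed(aces, groups, acl="outside_access_in", proto="tcp"):
    """(source, destination, port) tuples the ACL permits for proto, with
    service object-groups expanded to their member ports."""
    rows = []
    for ace in aces:
        if ace[1] != acl or ace[3] != "permit" or ace[4] != proto:
            continue
        src, rest = _take_addr(ace[5:])
        dst, rest = _take_addr(rest)
        if rest[:1] == ["eq"]:
            ports = [_port(rest[1])]
        elif rest[:1] == ["object-group"]:
            ports = groups.get(rest[1], [])
        else:
            ports = ["any"]
        rows.extend((src, dst, p) for p in ports)
    return rows


def effectively_reachable(objects, nats, aces, groups):
    """Cross the ACL rows with static NAT: a 'permit ... any' destination only
    reaches hosts that actually have a static translation (Jouni's point)."""
    real_ips = reachable_from_outside(objects, nats)
    result = []
    for src, dst, port in ports_allowed(aces, groups):
        if dst == "any":
            result.extend((src, ip, port) for ip in sorted(real_ips))
        elif dst.startswith("host ") and dst[5:] in real_ips:
            result.append((src, dst[5:], port))
        elif dst.startswith("object ") and objects.get(dst[7:]) in real_ips:
            result.append((src, objects[dst[7:]], port))
    return result


if __name__ == "__main__":
    objs, nat, grp, acl = parse_config(SAMPLE_CONFIG)
    print("static NAT:", reachable_from_outside(objs, nat))
    print("wide-open from any:", any_source_full_access(objs, nat, acl))
    for row in effectively_reachable(objs, nat, acl, grp):
        print("reachable:", row)
```

Run against the excerpt it reports the three statically translated hosts, flags all three as open to every IP protocol and port from any outside source, and shows that the 52221/52222/443 rule only applies from 212.62.15.118 and, because its destination is "any", only to those same three NATed hosts, which is exactly why a fourth PC on the LAN would not be reachable on those ports.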
12-05-2013 12:59 AM
Apologies for the late reply.
So you reckon that any software installed on our PCs should be able to access any ports? I know we are behind another firewall, but we put the request in and apparently they have opened those ports, but we still cannot connect using this piece of software, so I just wanted to make sure our firewall wouldn't be blocking access.
Many thanks