cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4800
Views
0
Helpful
36
Replies

Bypass NAT for single printer IP

Jamie Joh
Level 1
Level 1

Hi all,

I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)

We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.

Is this possible and how would i go about doing it?

Many thanks

Jamie

36 Replies 36

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Would need more information related to this. Are you doing this on an ASA firewall? What software version is it running on? Towards which interface should the printer be visible with its own IP address? Is there only a certain network towards which the printer should show up with its original IP address?

Generally this is configured with NAT0 / Identity NAT but the format depends on your software level if you are using ASA.

- Jouni

We are on ASA 5510 8.3+.

We originally tried to translate the printer so anything received on the 10.100.104.20 address would get translated to its 172.29.x.x address but we can't seem to get it working so the other option is to change the printer to 10.100.104.20 and stop this address from the NAT.

Our ASA address is 10.100.104.2 and apparently we have IPs up to .24

MAny thanks

Hi,

But I still dont know the actual setup.

Where should the host 10.100.104.20 be visible with its own IP address?

Where are the hosts located which need to be able to connect to this host with its original IP addresses?

If we do the wrong configuration it might override some NAT behaviour that is needed for this host.

For example if we did this configuration then the host would show up towards any other network behind different ASA interface with its own IP address. (If we presume the host is located behind an interface called "inside")

object network PRINTER

host 10.100.104.20

nat (inside,any) 1 source static PRINTER PRINTER

But I would rather know more about the actual setup and current ASA configuration to determine what configuration is needed

- Jouni

Its a very strange setup.

We are a school located on a council network. Our admin users use a virtual desktop to login to a council computer which has a printer pointing to the IP address of 10.100.104.20, however this printer is on our site located behind the firewall so isn't accessible as our ASA is setup to NAT all of our 172.29 local ip addresses.

So i believe the printer would be located on the Inside interface and our outside interface is 10.100.104.1/24

Many thanks

Hi,

If your ASA firewalls "outside" interface is actual connected to some other network and not directly to the Internet then it would seem to me that you could use

object network PRINTER

host 10.100.104.20

nat (inside,outside) 1 source static PRINTER PRINTER

Though this would indeed mean that the PRINTER would communicate through this interface always with its own IP address which might potentially affect connectivity to the Internet for the PRINTER. That is, if it needs that connectivity.

If this NAT needs to apply only to some destination network behind the "outside" interface then we need to define that network or multiple networks in the "nat" configuration.

In this case we would need to have this kind of configuration

object network PRINTER

host 10.100.104.20

object network PRINTER-USER-NETWORKS

network-object

network-object

nat (inside,outside) 1 source static PRINTER PRINTER destination static PRINTER-USER-NETWORKS PRINTER-USER-NETWORKS

- Jouni

Yes technically we would be on another network outside our ASA.

Just tried the top settings and created a network object but the print still wouldn't come through, as soon as we plug the printer on the network outside of the ASA the print comes through fine!

Pulling my hair out over this!

Hi,

I have to say again that its very hard to give any help regarding this matter if we have no idea of the actual setup.

To form any kind of picture of your network setup we would need to see the ASA configurations to determine where the actual networks are located and how the current NAT/ACL configurations have been done.

Also, I am abit confused about the fact that you have placed the Printer behind your ASA but you are using an IP address that according to the above posts are actually located behind the "outside" interface? (the IP address for which you want to do NAT0) This naturally can't work as the traffic would never be forwarded even past the ASA if the actual network is connected to the "outside" interface. In that case there would need to be a Static NAT rather than NAT0 since it seems that the local IP address is something completely different than 10.100.104.20.

We would need to see some configurations and know the network/subnet from which users are trying to connect to the Printer when its behind your ASA.

- Jouni

I've managed to get the sh run from the firewall, hopefully this helps.

ASA Version 8.4(4)1

!

hostname TSTC-FW

enable password  encrypted

passwd encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.100.104.2 255.255.248.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.29.8.1 255.255.248.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa845-k8.bin

ftp mode passive

object network any-inside

subnet 0.0.0.0 0.0.0.0

object network TSTC-Printing

host 172.29.8.20

object service tcp_9100

service tcp source eq 9100 destination eq 9100

object network TCSC-Printing

object network TSTCPrint2

host 10.100.104.20

object network TSTCPrint

host 10.100.104.20

object network PRINTER

host 10.100.104.20

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

port-object eq 52221

port-object eq 52222

port-object eq https

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100

access-list outside_access_in remark Form Pearson Exam Software

access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20

pager lines 24

logging enable

logging timestamp

logging monitor informational

logging buffered informational

logging trap informational

logging asdm informational

logging host inside 172.29.10.226 format emblem

mtu outside 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static PRINTER PRINTER

!

object network any-inside

nat (inside,outside) dynamic interface

object network TSTC-Printing

nat (inside,outside) static 10.100.104.20 service tcp 9100 9100

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.100.104.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable 1234

http 192.168.1.0 255.255.255.0 management

http 172.29.8.0 255.255.248.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 172.29.8.0 255.255.248.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.10-192.168.1.20 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username  password  encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Hi,

It seems to me that you have the internal network of 172.29.8.0/21 and the external network is 10.100.104.0/21

Pretty large for a single network/subnet.

So it would seem to me that you are probably looking to do Static NAT for your internal Printer 172.29.8.20 to the NAT IP address 10.100.104.20 ?

If so, do these changes

Remove the original NAT I suggested

no nat (inside,outside) source static PRINTER PRINTER

Go under the below "object" and remove the NAT configuration and add a new one

object network TSTC-Printing

  no nat (inside,outside) static 10.100.104.20 service tcp 9100 9100

  nat (inside,outside) static 10.100.104.20

Then just to be sure for testing purposes allow all services to this host with the following ACL addition

access-list outside_access_in permit ip any object TSTC-Printing

Then test the connections. Make sure that the Printer truly has your local IP address 172.29.8.20 on it with the correct default gateway and mask.

- Jouni

That is definitely what we were originall trying to do, translate any print jobs sent to 10.100.104.20 to our printer with the IP of 172.29.8.20 but it never seemed to work!

I've added your config to the firewall, what sort of settings should i be putting into the packet tracer to make sure it gets through ok?

Your help is really appreciated, thank you.

Hi,

I am not quite sure about the ports used by the Printers. The most common I see should be TCP/515 and TCP/9100 though I am not certain

You could try for example

packet-tracer input outside tcp 10.100.104.100 12345 10.100.104.20 515

and

packet-tracer input outside tcp 10.100.104.100 12345 10.100.104.20 9100

The reason why I used the source address from the same network is that I presume that the requirement was that the network behind the "outside" interface should see these hosts as if they were belonging to the same network as them.

Let us know if it works when you have had the chance to test things out

- Jouni

That seems to pass the packet trace fine.

Is there anyway to test that any packet being sent to 10.100.104.20 is infact being translated correctly to 172.29.8.20?

Many thanks

Hi,

The NAT we configured above should handle it already. Its Static NAT that binds these IP addresses 1:1.

You can try this command though

show xlate local 172.29.8.20

Hope this helps

- Jouni

Hi,

Have you been able to confirm if this works? I guess if the printer replies to ICMP then the easiest way to test general connectivity would be to ICMP from behind the "outside" interface.

But as I said, there should be no problems related to the configurations if you changed the configurations I mentioned.

If the users behind "outside" interface are all part of the 10.100.104.0/21 network then there should be no problems for the traffic to get forwarded to the ASA and then to the Printer when using the destination IP address 10.100.104.20. I assume you have confirmed that that IP address can be used from the network range.

- Jouni

Review Cisco Networking for a $25 gift card