12-03-2013 06:55 AM - edited 03-11-2019 08:12 PM
Hi all,
I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)
We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.
Is this possible, and how would I go about doing it?
Many thanks
Jamie
12-03-2013 07:03 AM
Hi,
Would need more information related to this. Are you doing this on an ASA firewall? What software version is it running on? Towards which interface should the printer be visible with its own IP address? Is there only a certain network towards which the printer should show up with its original IP address?
Generally this is configured with NAT0 / Identity NAT but the format depends on your software level if you are using ASA.
- Jouni
12-03-2013 07:09 AM
We are on ASA 5510 8.3+.
We originally tried to translate the printer so anything received on the 10.100.104.20 address would get translated to its 172.29.x.x address but we can't seem to get it working so the other option is to change the printer to 10.100.104.20 and stop this address from the NAT.
Our ASA address is 10.100.104.2 and apparently we have IPs up to .24
Many thanks
12-03-2013 07:14 AM
Hi,
But I still don't know the actual setup.
Where should the host 10.100.104.20 be visible with its own IP address?
Where are the hosts located which need to be able to connect to this host with its original IP addresses?
If we do the wrong configuration it might override some NAT behaviour that is needed for this host.
For example if we did this configuration then the host would show up towards any other network behind different ASA interface with its own IP address. (If we presume the host is located behind an interface called "inside")
object network PRINTER
host 10.100.104.20
nat (inside,any) 1 source static PRINTER PRINTER
But I would rather know more about the actual setup and current ASA configuration to determine what configuration is needed
- Jouni
12-03-2013 07:21 AM
It's a very strange setup.
We are a school located on a council network. Our admin users use a virtual desktop to log in to a council computer which has a printer pointing to the IP address of 10.100.104.20; however, this printer is on our site located behind the firewall, so it isn't accessible as our ASA is set up to NAT all of our 172.29 local IP addresses.
So I believe the printer would be located on the Inside interface and our outside interface is 10.100.104.1/24
Many thanks
12-03-2013 07:25 AM
Hi,
If your ASA firewall's "outside" interface is actually connected to some other network and not directly to the Internet, then it would seem to me that you could use
object network PRINTER
host 10.100.104.20
nat (inside,outside) 1 source static PRINTER PRINTER
Though this would indeed mean that the PRINTER would communicate through this interface always with its own IP address which might potentially affect connectivity to the Internet for the PRINTER. That is, if it needs that connectivity.
If this NAT needs to apply only to some destination network behind the "outside" interface then we need to define that network or multiple networks in the "nat" configuration.
In this case we would need to have this kind of configuration
object network PRINTER
host 10.100.104.20
object network PRINTER-USER-NETWORKS
network-object
network-object
nat (inside,outside) 1 source static PRINTER PRINTER destination static PRINTER-USER-NETWORKS PRINTER-USER-NETWORKS
- Jouni
12-03-2013 07:51 AM
Yes technically we would be on another network outside our ASA.
Just tried the top settings and created a network object but the print still wouldn't come through, as soon as we plug the printer on the network outside of the ASA the print comes through fine!
Pulling my hair out over this!
12-03-2013 08:34 AM
Hi,
I have to say again that it's very hard to give any help regarding this matter if we have no idea of the actual setup.
To form any kind of picture of your network setup we would need to see the ASA configurations to determine where the actual networks are located and how the current NAT/ACL configurations have been done.
Also, I am a bit confused about the fact that you have placed the Printer behind your ASA but you are using an IP address that, according to the above posts, is actually located behind the "outside" interface (the IP address for which you want to do NAT0). This naturally can't work, as the traffic would never be forwarded even past the ASA if the actual network is connected to the "outside" interface. In that case there would need to be a Static NAT rather than NAT0, since it seems that the local IP address is something completely different than 10.100.104.20.
We would need to see some configurations and know the network/subnet from which users are trying to connect to the Printer when it's behind your ASA.
- Jouni
12-04-2013 01:32 AM
I've managed to get the sh run from the firewall, hopefully this helps.
ASA Version 8.4(4)1
!
hostname TSTC-FW
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.100.104.2 255.255.248.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.29.8.1 255.255.248.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
object network any-inside
subnet 0.0.0.0 0.0.0.0
object network TSTC-Printing
host 172.29.8.20
object service tcp_9100
service tcp source eq 9100 destination eq 9100
object network TCSC-Printing
object network TSTCPrint2
host 10.100.104.20
object network TSTCPrint
host 10.100.104.20
object network PRINTER
host 10.100.104.20
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 52221
port-object eq 52222
port-object eq https
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in remark Form Pearson Exam Software
access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 172.29.10.226 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static PRINTER PRINTER
!
object network any-inside
nat (inside,outside) dynamic interface
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.100.104.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable 1234
http 192.168.1.0 255.255.255.0 management
http 172.29.8.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.29.8.0 255.255.248.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.10-192.168.1.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
12-04-2013 01:41 AM
Hi,
It seems to me that you have the internal network of 172.29.8.0/21 and the external network is 10.100.104.0/21
Pretty large for a single network/subnet.
So it would seem to me that you are probably looking to do Static NAT for your internal Printer 172.29.8.20 to the NAT IP address 10.100.104.20?
If so, do these changes
Remove the original NAT I suggested
no nat (inside,outside) source static PRINTER PRINTER
Go under the below "object" and remove the NAT configuration and add a new one
object network TSTC-Printing
no nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
nat (inside,outside) static 10.100.104.20
Then just to be sure for testing purposes allow all services to this host with the following ACL addition
access-list outside_access_in permit ip any object TSTC-Printing
Then test the connections. Make sure that the Printer truly has your local IP address 172.29.8.20 on it with the correct default gateway and mask.
- Jouni
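To make the diagnosis above mechanical, here is an added Python lint (not from the thread or from Cisco) that reads the relevant lines of the posted running config and flags three things: the identity NAT of an address that already lives on the outside subnet, the service-restricted static NAT that only translates TCP/9100, and (a point the thread does not raise) an outside ACL written against the mapped address, which ASA 8.3+ does not match because ACLs use real addresses. The sample config is constructed from the thread's lines, with the NAT statements placed ahead of the ACLs so a single pass suffices.

```python
import ipaddress
import re

# Constructed sample: the lines from the running config posted in this thread that matter here.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 10.100.104.2 255.255.248.0
object network TSTC-Printing
 host 172.29.8.20
 nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
object network PRINTER
 host 10.100.104.20
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20
nat (inside,outside) source static PRINTER PRINTER
"""

def lint_asa_nat(config):
    """Return findings about NAT/ACL statements that cannot work as intended."""
    ifaces, objects, mapped, findings = {}, {}, set(), []
    cur_if = cur_obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_if, cur_obj = {}, None
        elif line.startswith("nameif ") and cur_if is not None:
            ifaces[line.split()[1]] = cur_if
        elif line.startswith("ip address ") and cur_if is not None:
            _, _, ip, mask = line.split()
            cur_if["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif line.startswith("host ") and cur_obj:
            objects[cur_obj] = ipaddress.ip_address(line.split()[1])
        # Object NAT: with a service clause only that port is translated.
        elif m := re.match(r"nat \(\w+,\w+\) static (\S+)(.*)", line):
            mapped.add(m[1])
            if "service" in m[2]:
                findings.append(f"{cur_obj}: static NAT limited to '{m[2].strip()}'")
        # Twice-NAT identity rule: the real address must not already live on the mapped side.
        elif m := re.match(r"nat \(\w+,(\w+)\) source static (\S+) (\S+)", line):
            real, out_net = objects.get(m[2]), ifaces.get(m[1], {}).get("net")
            if m[2] == m[3] and real is not None and out_net is not None and real in out_net:
                findings.append(f"{m[2]}: identity NAT of {real}, which is inside {m[1]} subnet {out_net}")
        # Since ASA 8.3 ACLs match real (untranslated) addresses, not mapped ones.
        elif m := re.match(r"access-list (\S+) .*host (\S+)", line):
            if m[2] in mapped:
                findings.append(f"{m[1]}: uses mapped address {m[2]}; 8.3+ ACLs need the real address")
    return findings
```

Run against the sample it reports all three findings; after the fix in the post above (plain `static 10.100.104.20` and an ACL on the real object) the same lint returns an empty list.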
12-04-2013 02:12 AM
That is definitely what we were originally trying to do, translate any print jobs sent to 10.100.104.20 to our printer with the IP of 172.29.8.20, but it never seemed to work!
I've added your config to the firewall. What sort of settings should I be putting into the packet tracer to make sure it gets through ok?
Your help is really appreciated, thank you.
12-04-2013 02:15 AM
Hi,
I am not quite sure about the ports used by the Printers. The most common I see should be TCP/515 and TCP/9100 though I am not certain
You could try for example
packet-tracer input outside tcp 10.100.104.100 12345 10.100.104.20 515
and
packet-tracer input outside tcp 10.100.104.100 12345 10.100.104.20 9100
The reason why I used the source address from the same network is that I presume that the requirement was that the network behind the "outside" interface should see these hosts as if they were belonging to the same network as them.
Let us know if it works when you have had the chance to test things out
- Jouni
12-04-2013 02:24 AM
That seems to pass the packet trace fine.
Is there any way to test that any packet being sent to 10.100.104.20 is in fact being translated correctly to 172.29.8.20?
Many thanks
12-04-2013 02:41 AM
Hi,
The NAT we configured above should handle it already. It's Static NAT that binds these IP addresses 1:1.
You can try this command though
show xlate local 172.29.8.20
Hope this helps
- Jouni
12-04-2013 03:21 AM
Hi,
Have you been able to confirm if this works? I guess if the printer replies to ICMP then the easiest way to test general connectivity would be to ICMP from behind the "outside" interface.
But as I said, there should be no problems related to the configurations if you changed the configurations I mentioned.
If the users behind "outside" interface are all part of the 10.100.104.0/21 network then there should be no problems for the traffic to get forwarded to the ASA and then to the Printer when using the destination IP address 10.100.104.20. I assume you have confirmed that that IP address can be used from the network range.
- Jouni