Printer access?

bhhouston
Level 1

I have what I think is a simple question.

I have an IP printer located inside the firewall but outside the dmz. I need to set up printing to that printer from servers inside the dmz.

Can anyone help?

Thanks....

8 Replies

charlie.ford
Level 1

I have the same request. I created a static translation and opened port 9100 for HP JetDirect. Today I have a request for 5001, but the printer had an SDLC conversion card. Who knows what that means.

access-list acl_dmz permit tcp any host PrinterIP-Inside eq 9100

# This allows all DMZ hosts to connect to the inside-network printer on TCP port 9100

access-group acl_dmz in interface dmz

# Apply the access-list to the dmz interface

static (inside,dmz) Inside-Network Inside-Network netmask 255.255.255.0

# This will disable NAT between the inside and DMZ interfaces; use the private IP for the printer!

I don't know your general setup with your other access-lists, but please don't forget that after an access-list with permit statements an implicit deny any any follows. This will not block traffic from the outside (internet) if there are public services, but it will block all other outgoing DMZ traffic.

sincerely

Patrick

Thanks for the help, Patrick. I'm an amateur at this, so bear with me.

Corresponding to your commands, mine are:

access-list dmz_in permit tcp any host 10.72.8.13 eq 9100

and

access-group dmz_in in interface dmz

(already in place)

The static command throws me, though. What do you mean by 'Inside-Network Inside-Network'? Already in place, I have:

static (inside,dmz) 10.72.8.0 10.72.8.0 netmask 255.255.254.0 0 0

Is this not sufficient, or am I missing something?

Ben

Sounds good! Your config is OK and should work.

What is the problem? Do you have error messages?

sincerely

Patrick

The only error I get is when the print job times out. It says:

"There was an error found when printing the document "Test Page" to IP_10.72.8.13. Do you want to retry or cancel the job?"

I have no trouble reaching this printer from servers and workstations outside the dmz and I've installed it on multiple servers inside the dmz but can't seem to reach it. I also have a different printer located inside the dmz and have no trouble printing to it. Sounds like something else must be interfering with my config.

What else can I provide that would help you out?

Thanks, Ben

Your printer might be using other ports?

Check on your PIX whether you have hit counts in the dmz access-list.

show access-list dmz_in

Check the log for xlate errors or blocked connections.

conf t

logg on

logg buff wa

show logg

Use the capture command to sniff an interface and to see what ports are used from a specific host.

access-list printer permit ip any host 10.72.8.13

capture printer1 access-list printer interface dmz

show capture printer1 access-list printer detail

sincerely

Patrick

*Your printer might be using other ports?

Open ports: 21, 23, 25, 80, 110, 280, 389, 515, 631, 1002, 1720, 9100

_____

*Check on your PIX whether you have hit counts in the dmz access-list.

*show access-list dmz_in

access-list dmz_in; 2 elements

access-list dmz_in line 1 permit ip any any (hitcnt=12344)

access-list dmz_in line 2 permit tcp any host 10.72.8.13 eq 9100 (hitcnt=0)

_____

*Check the log for xlate errors or blocked connections.

*conf t

*logg on

*logg buff wa

*show logg

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: enabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: level warnings, 0 messages logged

Trap logging: level critical, 6036 messages logged

Logging to dmz 170.94.216.120 tcp/1468

History logging: level errors, 21930 messages logged

Device ID: disabled

_____

*Use the capture command to sniff an interface and to see what ports are used from a specific host.

*access-list printer permit ip any host 10.72.8.13

*capture printer1 access-list printer interface dmz

*show capture printer1 access-list printer detail

0 packet captured

0 packet shown

_____

Thanks again . . .

Your access-list on the DMZ permits ip any any.

access-list dmz_in line 1 permit ip any any (hitcnt=12344)

So all hosts in the DMZ can access any host on the inside on any port.

The second line will never be checked because all packets already match on line one. And line 2:

access-list dmz_in line 2 permit tcp any host 10.72.8.13 eq 9100 (hitcnt=0)

To the logging and capture command:

Did you try to print at the same time as you applied the capture command? There should be at least a few packets.

sincerely

Patrick
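Patrick's point about first-match ordering, as an added example that is not part of the thread and not a Cisco tool: a small Python checker that parses "show access-list" output like Ben's and reports any line fully covered by an earlier one, which is exactly why line 2 shows hitcnt=0. The sample text is constructed from the output quoted above; the checker generalizes to PIX 6.x-style lines using the any, host and address/mask forms with optional eq ports.

```python
import ipaddress
import re

# Constructed sample: the "show access-list dmz_in" output quoted in the thread.
SAMPLE = """\
access-list dmz_in line 1 permit ip any any (hitcnt=12344)
access-list dmz_in line 2 permit tcp any host 10.72.8.13 eq 9100 (hitcnt=0)
"""
LINE_RE = re.compile(r"access-list \S+ line (\d+) (?:permit|deny) (\S+) (.+?)"
                     r"(?: \(hitcnt=(\d+)\))?$")

def _endpoint(tok):
    # One PIX 6.x address spec: "any", "host A.B.C.D" or "A.B.C.D M.M.M.M".
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}", strict=False)

def _port(tok):
    # Optional "eq N"; None means any port.
    if tok[:1] != ["eq"]:
        return None
    tok.pop(0)
    return int(tok.pop(0))

def parse_acl(text):
    # Turn "show access-list" output into rule dicts; non-rule lines are skipped.
    rules = []
    for m in filter(None, map(LINE_RE.match, (l.strip() for l in text.splitlines()))):
        num, proto, rest, hits = m.groups()
        tok = rest.split()
        r = {"num": int(num), "proto": proto, "hits": None if hits is None else int(hits)}
        r["src"], r["sport"] = _endpoint(tok), _port(tok)
        r["dst"], r["dport"] = _endpoint(tok), _port(tok)
        rules.append(r)
    return rules

def covers(earlier, later):
    # True when every packet `later` could match is already matched by `earlier`.
    return (earlier["proto"] in ("ip", later["proto"])
            and earlier["sport"] in (None, later["sport"]) and earlier["dport"] in (None, later["dport"])
            and later["src"].subnet_of(earlier["src"]) and later["dst"].subnet_of(earlier["dst"]))

def shadowed_lines(rules):
    # First match wins on a PIX, so a covered line is never evaluated (hitcnt stays 0).
    return [r["num"] for i, r in enumerate(rules)
            if any(covers(p, r) for p in rules[:i])]
```

Running shadowed_lines(parse_acl(SAMPLE)) returns [2]; with the lines swapped it returns [], which is the ordering the printer rule needs to be meaningful.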