10-29-2004 10:07 AM - edited 03-09-2019 09:16 AM
I have what I think is a simple question.
I have an IP printer located inside the firewall but outside the dmz. I need to set up printing to that printer from servers inside the dmz.
Can anyone help?
Thanks....
10-29-2004 10:37 AM
I have the same request. I create a static translation and open port 9100 for HP jetdirect. Today I have a request for 5001 but the printer had an SDLC conversion card. Who knows what that means.
10-29-2004 12:03 PM
access-list acl_dmz permit tcp any host PrinterIP-Inside eq 9100
# This allows all DMZ hosts to connect to inside networks printer with TCP port 9100
access-group acl_dmz in interface dmz
# Apply access-list to dmz interface
static (inside,dmz) Inside-Network Inside-Network netmask 255.255.255.0
# This will disable NAT between Inside and DMZ interface, use Private IP for Printer!
I don't know your general setup with your other access-lists, but please don't forget that after an access-list with the permit statements follows a general deny any any. This will not block traffic from the outside (internet) if there are public services, but will block all other outgoing DMZ traffic.
sincerely
Patrick
10-29-2004 12:45 PM
Thanks for the help, Patrick. I'm an amateur at this so bear with me.
Corresponding to your commands, mine are:
access-list dmz_in permit tcp any host 10.72.8.13 eq 9100
and
access-group dmz_in in interface dmz
(already in place)
The static command throws me, though. What do you mean by 'Inside-Network Inside-Network'? Already in place, I have:
static (inside,dmz) 10.72.8.0 10.72.8.0 netmask 255.255.254.0 0 0
Is this not sufficient, or am I missing something?
Ben
10-29-2004 05:53 PM
Sounds good! Your config is ok and should work.
What is the problem? Do you have error messages?
sincerely
Patrick
10-30-2004 09:04 AM
The only error I get is when the print job times out. It says:
"There was an error found when printing the document "Test Page" to IP_10.72.8.13. Do you want to retry or cancel the job?"
I have no trouble reaching this printer from servers and workstations outside the dmz and I've installed it on multiple servers inside the dmz but can't seem to reach it. I also have a different printer located inside the dmz and have no trouble printing to it. Sounds like something else must be interfering with my config.
What else can I provide that would help you out?
Thanks, Ben
11-01-2004 05:18 AM
Your printer might be using other ports?
check your PIX if you have hitcounts in the dmz access-list.
show access-list dmz_in
Check the log for xlate errors of blocked connections.
conf t
logg on
logg buff wa
show logg
Use the capture command to sniff an interface and to see what ports are used from a specific host.
access-list printer permit ip any host 10.72.8.13
capture printer1 access-list printer interface dmz
show capture printer1 access-list printer detail
sincerely
Patrick
11-01-2004 06:26 AM
*Your printer might be using other ports?
Open ports: 21, 23, 25, 80, 110, 280, 389, 515, 631, 1002, 1720, 9100
_____
*check your PIX if you have hitcounts in the dmz access-list.
*show access-list dmz_in
access-list dmz_in; 2 elements
access-list dmz_in line 1 permit ip any any (hitcnt=12344)
access-list dmz_in line 2 permit tcp any host 10.72.8.13 eq 9100 (hitcnt=0)
_____
*Check the log for xlate errors of blocked connections.
*conf t
*logg on
*logg buff wa
*show logg
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: enabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level warnings, 0 messages logged
Trap logging: level critical, 6036 messages logged
Logging to dmz 170.94.216.120 tcp/1468
History logging: level errors, 21930 messages logged
Device ID: disabled
_____
*Use the capture command to sniff an interface and to see what ports are used from a specific host.
*access-list printer permit ip any host 10.72.8.13
*capture printer1 access-list printer interface dmz
*show capture printer1 access-list printer detail
0 packet captured
0 packet shown
_____
Thanks again . . .
11-01-2004 07:18 AM
Your access-list in the DMZ permits ip any any.
access-list dmz_in line 1 permit ip any any (hitcnt=12344)
So all hosts in the DMZ can access any hosts in the inside on any port.
The second line will never be checked because all packets pass on line one.
access-list dmz_in line 2 permit tcp any host 10.72.8.13 eq 9100 (hitcnt=0)
And line 2
To the logging and capture command:
Did you try to print at the same time as you applied the capture command? There should be at least a few packets.
sincerely
Patrick
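The two points Patrick makes above, that a PIX access-list is evaluated top-down with an implicit deny any any at the end, and that Ben's line 2 can never record a hit because line 1 (permit ip any any) already matches every packet, can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python model that parses `show access-list` output, evaluates a packet with first-match semantics and the implicit deny, and reports entries that are shadowed by an earlier, broader entry. The ACL text is a constructed copy of what Ben posted; the DMZ source address 192.0.2.10 is an assumption.

```python
"""Added example: model PIX-style ACL evaluation and find shadowed entries."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the `show access-list dmz_in` output in the thread.
SHOW_ACL = """\
access-list dmz_in; 2 elements
access-list dmz_in line 1 permit ip any any (hitcnt=12344)
access-list dmz_in line 2 permit tcp any host 10.72.8.13 eq 9100 (hitcnt=0)
"""

# Matches one access-list entry line; the header line ("; 2 elements") is skipped.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\d+))?(?: \(hitcnt=(?P<hits>\d+)\))?\s*$"
)


@dataclass
class Ace:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]
    hits: int


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def to_net(spec: str) -> ipaddress.IPv4Network:
    """Turn a PIX address spec ('any', 'host A', 'A MASK') into a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_show_access_list(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # header or unrelated output
        aces.append(Ace(
            line=int(m["line"]), action=m["action"], proto=m["proto"],
            src=to_net(m["src"]), dst=to_net(m["dst"]),
            port=int(m["port"]) if m["port"] else None,
            hits=int(m["hits"]) if m["hits"] else 0,
        ))
    return aces


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """An entry matches when protocol, both addresses and (if given) the port match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not ipaddress.ip_network(pkt.src + "/32").subnet_of(ace.src):
        return False
    if not ipaddress.ip_network(pkt.dst + "/32").subnet_of(ace.dst):
        return False
    return ace.port is None or ace.port == pkt.dport


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace.line
    return "deny", None


def covers(broad: Ace, narrow: Ace) -> bool:
    """True when every packet matching `narrow` would already match `broad`."""
    proto_ok = broad.proto == "ip" or broad.proto == narrow.proto
    port_ok = broad.port is None or (narrow.port is not None and broad.port == narrow.port)
    return proto_ok and port_ok and narrow.src.subnet_of(broad.src) and narrow.dst.subnet_of(broad.dst)


def shadowed_entries(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(shadowed_line, shadowing_line) pairs; a shadowed entry never records a hit."""
    out = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, ace):
                out.append((ace.line, earlier.line))
                break
    return out


def permit_any_any(aces: List[Ace]) -> List[int]:
    """Lines that permit all IP traffic from any source to any destination."""
    return [a.line for a in aces
            if a.action == "permit" and a.proto == "ip" and a.port is None
            and a.src.prefixlen == 0 and a.dst.prefixlen == 0]


if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACL)
    print("permit ip any any on lines:", permit_any_any(acl))
    print("shadowed entries:", shadowed_entries(acl))
    job = Packet("tcp", "192.0.2.10", "10.72.8.13", 9100)  # assumed DMZ host
    print("print job with current ACL:", evaluate(acl, job))
    print("print job without line 1:", evaluate(acl[1:], job))
    print("telnet to printer without line 1:",
          evaluate(acl[1:], Packet("tcp", "192.0.2.10", "10.72.8.13", 23)))
```

Run against the constructed output, the model reports line 1 as a permit ip any any and line 2 as shadowed by it, which is exactly why Ben's hitcnt on line 2 stays at 0. Removing line 1 leaves port 9100 to the printer permitted by line 2 and everything else from the DMZ, such as telnet to the same printer, falling to the implicit deny; that is the least-privilege outcome the thread's original commands were aiming for, and the printing failure therefore has to be found elsewhere (the NAT/static or the capture Patrick asks about), not in the ACL.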