10-27-2013 01:48 AM - last edited on 03-25-2019 04:27 PM by ciscomoderator
Hi everybody,
We have a print server 2008 R2 set up in our network, and the shared path is \\172.20.1.85\printer.
The printer IP is 172.20.5.134. All other access rules are working fine except the one highlighted below in red. We want to block direct access to this printer but only allow printing through the print server. There is perfect connectivity between the 172.20.1.x LAN and the 172.20.5.x LAN. Any suggestions, please?
Extended IP access list 101
10 permit ip host 172.20.5.15 host 172.20.1.135
20 permit ip host 172.20.5.15 host 172.20.1.140
30 permit ip host 172.20.5.15 host 172.20.1.145
40 permit ip host 172.20.5.20 host 172.20.1.135
50 permit ip host 172.20.5.20 host 172.20.1.140
60 permit ip host 172.20.5.20 host 172.20.1.145
70 permit ip host 172.20.5.129 host 172.20.1.135
80 permit ip host 172.20.5.129 host 172.20.1.140
90 permit tcp host 172.20.5.130 host 172.20.1.145 eq www
100 permit tcp host 172.20.5.130 host 172.20.1.145 eq 443
110 permit tcp host 172.20.5.10 host 172.20.1.145 eq www
120 permit tcp host 172.20.5.10 host 172.20.1.145 eq 443
125 deny ip any host 172.20.5.134
140 deny ip any 172.20.1.128 0.0.0.127 (178 matches)
150 deny ip any 172.20.2.0 0.0.0.127 (4 matches)
160 deny ip any 172.20.2.128 0.0.0.127 (319 matches)
170 deny ip any 172.20.3.0 0.0.0.63
180 deny ip any 172.20.3.64 0.0.0.63
190 deny ip any 172.20.3.128 0.0.0.127
200 deny ip any 172.20.4.0 0.0.0.127
210 deny ip any 172.20.4.128 0.0.0.127
220 permit udp any any eq bootpc
230 permit udp any any eq bootps (727 matches)
240 permit udp host 0.0.0.0 host 255.255.255.255
250 permit ip any any (29978 matches)
10-28-2013 05:12 AM
Where is this applied? In the lines above it, you state to permit hosts on the 172.20.5.x subnet going to something, but this line states to deny anything going to 172.20.5.134. I'm assuming that this is either inbound on an SVI that has the 172.20.5.x subnet? Check the direction of the line. You may need to change it to "deny ip host 172.20.5.134 any".
HTH,
John
*** Please rate all useful posts ***
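The direction point in the reply above, as an added example that is not part of the original posts: a first-match evaluator for the `ip` entries of ACL 101, assuming (as the reply does) that the list is applied inbound on the SVI for 172.20.5.x, so the printer only ever appears as the source. The client address 172.20.1.50 and sequence number 124 are constructed for illustration; the other addresses and entries come from the thread.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def spec(s):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' into (base, wildcard)."""
    parts = s.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return ip(parts[1]), 0
    return ip(parts[0]), ip(parts[1])

def matches(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst):
    """First-match evaluation; returns (sequence number, action)."""
    for seq, action, s, d in acl:
        if matches(src, *spec(s)) and matches(dst, *spec(d)):
            return seq, action
    return None, "deny"  # implicit deny that ends every ACL

PRINTER = "172.20.5.134"
PRINT_SERVER = "172.20.1.85"
CLIENT = "172.20.1.50"  # constructed workstation address

# Subset of ACL 101 as posted: line 125 names the printer as the destination.
ORIGINAL = [
    (125, "deny", "any", "host 172.20.5.134"),
    (140, "deny", "any", "172.20.1.128 0.0.0.127"),
    (250, "permit", "any", "any"),
]
# Line 125 rewritten as suggested in the reply: printer as the source.
REVERSED = [(125, "deny", "host 172.20.5.134", "any")] + ORIGINAL[1:]
# Assumption: a permit for the print server placed ahead of the deny
# (sequence 124 is hypothetical), so spooled jobs still get their replies.
WITH_PERMIT = [(124, "permit", "host 172.20.5.134", "host 172.20.1.85")] + REVERSED

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("reversed", REVERSED),
                      ("with permit", WITH_PERMIT)]:
        for dst in (CLIENT, PRINT_SERVER):
            print(f"{name:12} {PRINTER} -> {dst:12} {evaluate(acl, PRINTER, dst)}")
```

With the original line 125, the printer's replies to a workstation fall through to line 250 and are permitted. The reversed entry on its own also drops the printer's replies to the print server, which is why the hypothetical line 124 sits ahead of it.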
10-28-2013 12:11 AM
Direct access means the printer will be accessed through the HTTP or HTTPS console, right?
If that is the case, then put in an access list blocking HTTP or HTTPS packets.
Can you share the direct access concept of the printer in your environment?
10-28-2013 11:58 AM
Thanks John, got it working finally.