Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1240
Views
0
Helpful
6
Replies

Using ACL for printing over the internet

Go to solution
geir
Level 1
Level 1

‎05-13-2022 05:42 AM - edited ‎05-13-2022 05:46 AM

Hi

 

I got this NAT that works great.

 

ip nat inside source static tcp 192.168.38.50 9100 interface GigabitEthernet8 9100

 

I need to limit this to accepting prints from just one IP, if I understand it rigt I have to set up an ACL to achive that?

 

access-list 100 remark PRINT

access-list 100 permit tcp host 192.168.38.50 eq 9100 host 81.167.215.20 eq 9100

access-list 100 deny tcp any any eq 9100

access-list 100 permit ip any any

 

interface GigabitEthernet8

ip nat outside

ip access-group 100 in

 

The deny works, but not ther permit!!!

 

Thank you for helping

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to geir

‎05-13-2022 07:00 AM

 

access-list 100 permit tcp host 81.167.215.20 host <gi0/8 interface IP address> eq 9100

 

Jon

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Flavio Miranda
VIP
VIP

‎05-13-2022 05:55 AM

Hi

 The deny works because you using only the port and any IP. The permit is failing probably because you need to use the NATed IP address and not the real IP address.

 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-13-2022 06:19 AM

 

You have a printer internally using 192.168.38.50 and you have translated it to 81.167.215.20 and now you want to allow an IP from outside to connect to it ? 

 

If this is so then your permit line in the acl should be - 

 

access-list 100 permit tcp host <IP from outside>  host 81.167.215.20 eq 9100

 

Jon

0 Helpful

Go to solution
geir
Level 1
Level 1
In response to Jon Marshall

‎05-13-2022 06:49 AM

Hi

 

I have a printer on the local lan 192.168.38.50.

 

This NAT works great, so you can print over the internet to the local LAN

ip nat inside source static tcp 192.168.38.50 9100 interface GigabitEthernet8 9100

 

GigabitEthernet8 is the WAN port for the router

 

81.167.215.20 is the IP on the internet where the print is sendt from

I want the NAT converted to access-list 100 so I permit only print sendt from 81.167.215.20

 

Geir

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to geir

‎05-13-2022 07:00 AM

 

access-list 100 permit tcp host 81.167.215.20 host <gi0/8 interface IP address> eq 9100

 

Jon

0 Helpful

Go to solution
geir
Level 1
Level 1
In response to Jon Marshall

‎05-13-2022 07:40 AM - edited ‎05-13-2022 07:49 AM

Hi

 

Thank you, it work.

 

There is only one issue. gi0/8 is a DHCP interface, what happens when the ISP changes the IP ? Or is the way to solve this automaticly?

 

interface GigabitEthernet8

description PrimaryWANDesc_$ETH-WAN$

ip dhcp client update dns server none

ip ddns update hostname aaros1.dyndns.org

ip ddns update ccp_ddns1

ip address dhcp client-id GigabitEthernet8

ip access-group 100 in

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to geir

‎05-13-2022 07:48 AM

 

I am not sure there is an "interface" keyword you can use in acl so no I think you would have to update unless you have a spare public IP you could use. 

 

Unless someone else knows a solution. 

 

Jon

0 Helpful
Customers Also Viewed These Support Documents