ASA 5505 rule for copier/scanner

Apr 14th, 2008

I have a situation where a user on a vlan needs to receive scanned items from a large multifunction copier/printer/scanner to a file share on his computer. Here is the scenario: Using SMB, the copier is able to see shared folders that reside on the network. Folks are able to scan documents directly to these shared folders on their computers. The problem is that users on a different vlan would like that functionality as well but obviously cannot because the ASA does not allow that traffic to pass. With that said, is there a way to allow SMB through the ASA to a different vlan? For example, the copier is on 192.168.1.x and the PC on 192.168.20.x.



JORGE RODRIGUEZ Mon, 04/14/2008 - 12:55

John, the question for you would be: where do 192.168.x and 192.168.20.x sit in relation to the ASA firewall inside interface? Are these subnets being routed through the ASA, meaning do 192.168.1.x and 192.168.20.x each have a unique interface in the firewall? If so, you should be able to permit SMB TCP 139 and/or the NetBIOS ports.

Anyway, provide some more information on the topology of these two subnets.



john.irizarry Mon, 04/14/2008 - 13:04


The printer/copier is on the native vlan (inside int) and the PC on vlan 5 (inside int). So, IOW they are both on the inside.


JORGE RODRIGUEZ Mon, 04/14/2008 - 16:01

Ok, so the printer is in vlan 1, subnet 192.168.1.x, and you have a vlan 5 SVI configured. If so, what is the security level of vlan 5 (192.168.20.x) in the ASA?

If I understand this correctly, both subnets are then routed by the ASA 5505, and I suspect they are both using the same security level. If so, both nets should be able to talk to each other without any access rules as long as you have the same-security-traffic permit inter-interface statement in the firewall; any traffic, including UDP/TCP traffic, should flow without the use of ACLs. Please confirm this is the scenario.


john.irizarry Tue, 04/15/2008 - 07:26


vlan 5 has a security level of 5 and the native vlan 100. I have a NAT rule set up so that the folks on the 5 vlan can print to the printer on the native vlan (192.168.1.x); however, file sharing from the printer to the PC does not work. Here are the NAT rules:

nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1
nat (outside) 1 KW-VPN
nat (Escrow) 0 access-list Escrow_nat0_outbound_1
nat (Escrow) 1
nat (Mortgage) 0 access-list Mortgage_nat0_outbound_1
nat (Mortgage) 1
nat (MCA) 0 access-list MCA_nat0_outbound_1
nat (MCA) 1
nat (Staff) 0 access-list Staff_nat0_outbound_1
nat (Staff) 1
nat (Prop_Mgmt) 1

Thanks for your help!


JORGE RODRIGUEZ Tue, 04/15/2008 - 14:27

You can try this: create an object group for the SMB or NetBIOS ports

object-group service Printer_server tcp
port-object eq 137
port-object eq 138
port-object eq 139

then allow the subnet pertaining to vlan 5 to browse the printer on its subnet.

access-list VLAN5_access_in permit tcp host object-group Printer_server
access-group VLAN5_access_in in interface vlan5

john.irizarry Thu, 04/17/2008 - 13:02

Hey Jorge,

Thanks for the help. I made the changes you suggested, went to the copy machine and did a Browse to find the computer on vlan20, and I could not see it. Here is what I added:

#Staff is vlan20 (sorry I told you 5)

access-group Staff_access_in in interface Staff
access-list Staff_access_in extended permit tcp host object-group scanner
access-list Staff_access_in extended permit ip any any
object-group service scanner tcp
description Scan documents from Canon copier to shared folders on PC's
port-object eq 137
port-object eq 138
port-object eq netbios-ssn

Staff (Vlan20) has a security level of 20

The way this works is from the copier, one uses Browse to find the shared folder on the users PC. In this case the shared folder is on and the copier is on

Is this even possible?

Thanks for all your assistance.
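As an added illustration, not from the thread or from Cisco, here is a small Python model of the ASA interface-level policy Jorge describes: higher-to-lower is allowed by default, lower-to-higher needs an inbound ACL, equal levels need same-security-traffic permit inter-interface, and an access-group on the ingress interface replaces the implicit rule. Interface names and levels follow the thread (inside = 100, Staff = 20), the Staff ACL mirrors John's last post, and the copier/PC addresses are constructed.

```python
# Added example: model of ASA inter-interface policy (not from the thread or Cisco).
from ipaddress import ip_address, ip_network

INTERFACES = {  # security levels as stated in the thread; subnets from the first post
    "inside": {"level": 100, "net": ip_network("192.168.1.0/24")},   # native vlan, copier
    "Staff":  {"level": 20,  "net": ip_network("192.168.20.0/24")},  # vlan 20, PC
}

# Inbound ACL entries per interface, in order: (proto, src, dst, dst_ports or None=any).
# Mirrors john's Staff_access_in: tcp ... object-group scanner, then permit ip any any.
STAFF_ACL = [("tcp", "any", "any", {137, 138, 139}), ("ip", "any", "any", None)]
ACLS = {"Staff": STAFF_ACL}

def interface_for(addr):
    """Return the interface whose subnet contains addr (the ASA's routing view)."""
    ip = ip_address(addr)
    for name, cfg in INTERFACES.items():
        if ip in cfg["net"]:
            return name
    raise ValueError(f"no interface for {addr}")

def acl_permits(entries, proto, src, dst, dport):
    """First-match evaluation with the ASA's implicit deny at the end of every ACL."""
    for p, s, d, ports in entries:
        if p != "ip" and p != proto:
            continue
        if s != "any" and ip_address(src) not in ip_network(s):
            continue
        if d != "any" and ip_address(dst) not in ip_network(d):
            continue
        if ports is not None and dport not in ports:
            continue
        return True
    return False

def flow_allowed(src, dst, proto, dport, acls=ACLS, same_sec_inter=False):
    """(allowed, reason) for the first packet of a flow; replies ride the stateful session."""
    ingress, egress = interface_for(src), interface_for(dst)
    if ingress == egress:
        return True, "same interface, no firewall policy applies"
    if ingress in acls:  # an access-group on the ingress interface replaces the level rule
        ok = acl_permits(acls[ingress], proto, src, dst, dport)
        return ok, f"access-group on {ingress} {'permits' if ok else 'denies'} it"
    lin, lout = INTERFACES[ingress]["level"], INTERFACES[egress]["level"]
    if lin > lout:
        return True, f"{ingress}({lin}) -> {egress}({lout}): higher to lower, allowed by default"
    if lin == lout:
        return same_sec_inter, "equal levels: needs 'same-security-traffic permit inter-interface'"
    return False, f"{ingress}({lin}) -> {egress}({lout}): lower to higher, denied without an ACL"
```

Run `flow_allowed("192.168.1.50", "192.168.20.10", "tcp", 445)` for the copier-to-PC direction and the reverse with `acls={}` to see which direction actually needs the access-group.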


