Allow separate interface access to a single host on inside interface

Answered Question
Aug 16th, 2008

I'm using a Cisco PIX 515E running ASA 8.0(3) - two separate networks, one on each interface…


I intentionally have a separate network on the 'wireless' interface because I share the wireless with my neighbor and don't want him on my 'inside' LAN. I occasionally want to use the wireless myself, but only need access to my printer at 192.168.21.6


How can I allow the wireless interface access to 192.168.21.6 (just port tcp/udp 9100, I believe)? I experimented with static commands, but could not get it to work. Must I create a separate IP such as 192.168.22.6 and map that to 192.168.21.6 on the inside interface in order to print?




Correct Answer by Farrukh Haroon about 8 years 11 months ago

static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255


Your ACLs already permit ALL IP traffic between the zones (except the RISKY PORTS) so no need to change that to make this work.


You can also do Identity Static wherein Wireless Users can access the printer using its original address. But that will create problems with the neighbor :).


Please rate if helpful.


Regards


Farrukh

john-paul.maure... Sat, 08/16/2008 - 16:26

Can you describe what the problem might be if I did the Identity Static method? What would that config look like?


Can you also explain why, if my ACLs permit all traffic between the interfaces, I can't use the printer already as-is? I also have a DNS server on the inside interface, and I was unable to use that from the wireless LAN. Must I also provide a static statement with UDP port 53 for that to work?


Thanks for your help!

Farrukh Haroon Sat, 08/16/2008 - 18:15

If you use regular 'Static Identity NAT', it will be a one to one mapping for ALL ports (this means you have to adjust your ACL to only allow DNS, Printer). Right now your Access-Control is aided by the 'nat-control' command.


You cannot use the printer because you have nat-control command. This means to successfully pass traffic from lower security zone to higher security zone you need the ACL entry coupled with a 'Static' translation or exemption for the traffic flow. Since your translations are limited to particular ports the two zones cannot communicate.


Yes you would need a similar translation for DNS.


Regards


Farrukh
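As an added configuration example (not posted in this thread), here is the accepted answer's port static combined with the DNS translation mentioned in the follow-up and an explicit inbound ACL on the wireless interface, so that nat-control and the ACL enforce the same minimal policy on a PIX running 8.0(3). The DNS server address 192.168.21.5, its mapped address 192.168.22.5, the ACL name WIRELESS_IN and the wireless client address used in the packet-tracer line are assumptions; the interface names and the printer addresses come from the thread.

```cisco
! Added example, not the original poster's running config.
! Assumed: DNS server 192.168.21.5 (mapped to 192.168.22.5), ACL name WIRELESS_IN.
!
! With nat-control, a host on the lower-security 'wireless' interface can only
! reach a host on 'inside' if a static/nat entry exists for that flow, so the
! statics below define exactly what is reachable from the shared wireless LAN.
nat-control
!
! Port-level statics: only TCP 9100 to the printer and UDP 53 to the DNS server
! are translated. Any other port to 192.168.22.6 / 192.168.22.5 has no xlate
! and is dropped regardless of what the ACL says.
static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255
static (inside,wireless) udp 192.168.22.5 53 192.168.21.5 53 netmask 255.255.255.255
!
! Inbound ACL on 'wireless'. The thread says the existing ACL already permits
! IP between the zones; naming the two services and explicitly denying the
! rest of 192.168.21.0/24 keeps the policy readable and logs neighbour probes.
! Internet-bound traffic from the wireless LAN is still allowed by the final line.
access-list WIRELESS_IN extended permit tcp any host 192.168.22.6 eq 9100
access-list WIRELESS_IN extended permit udp any host 192.168.22.5 eq domain
access-list WIRELESS_IN extended deny ip any 192.168.21.0 255.255.255.0 log
access-list WIRELESS_IN extended permit ip any any
access-group WIRELESS_IN in interface wireless
!
! Alternative from the thread: identity static, printer keeps its real address.
! Because an identity static maps ALL ports, the ACL must then name the real
! address and the deny line above is what keeps the neighbour off the rest
! of the inside LAN. Shown commented out; use one approach or the other.
! static (inside,wireless) 192.168.21.6 192.168.21.6 netmask 255.255.255.255
! access-list WIRELESS_IN extended permit tcp any host 192.168.21.6 eq 9100
!
! Verification from the CLI (assumed wireless client 192.168.22.50):
! show xlate
! packet-tracer input wireless tcp 192.168.22.50 1025 192.168.22.6 9100
```

Wireless clients print to 192.168.22.6 and resolve names via 192.168.22.5; a packet-tracer run for any other port to either address should show the flow dropped at the NAT lookup, which is the nat-control behaviour described in the last reply.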
