Allow separate interface access to a single host on inside interface

Answered Question
Aug 16th, 2008

I'm using a Cisco PIX 515E running ASA 8.0(3) - two separate networks, one on each interface…

I intentionally have a separate network on the 'wireless' interface because I share the wireless with my neighbor and don't want him on my 'inside' LAN. I occasionally want to use the wireless myself, but only need access to my printer at 192.168.21.6.

How can I allow the wireless interface access to 192.168.21.6 (just port tcp/udp 9100, I believe)? I experimented with static commands, but could not get it to work. Must I create a separate IP such as 192.168.22.6 and map that to 192.168.21.6 on the inside interface in order to print?

Correct Answer by Farrukh Haroon Sat, 08/16/2008 - 12:57

static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255

Your ACLs already permit ALL IP traffic between the zones (except the RISKY PORTS), so no need to change that to make this work.

You can also do Identity Static wherein Wireless Users can access the printer using its original address. But that will create problems with the neighbor :).

Please rate if helpful.

Regards

Farrukh

john-paul.maure... Sat, 08/16/2008 - 16:26

Can you describe what the problem might be if I did the Identity Static method? What would that config look like?

Can you also explain why, if my ACLs permit all traffic between the interfaces, I can't then use the printer already as-is? I also have a DNS server on the inside interface, and I was unable to use that from the wireless LAN. Must I also provide a static statement with UDP port 53 for that to work?

Thanks for your help!

Farrukh Haroon Sat, 08/16/2008 - 18:15

If you use regular 'Static Identity NAT', it will be a one-to-one mapping for ALL ports (this means you have to adjust your ACL to only allow DNS, Printer). Right now your access control is aided by the 'nat-control' command.

You cannot use the printer because you have the nat-control command. This means that to successfully pass traffic from a lower security zone to a higher security zone you need the ACL entry coupled with a 'Static' translation or exemption for the traffic flow. Since your translations are limited to particular ports, the two zones cannot communicate.

Yes you would need a similar translation for DNS.

Regards

Farrukh
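As an added worked configuration (written for this page, not posted by Farrukh or taken from Cisco documentation), here is how the two approaches described in the thread look side by side on a PIX/ASA 8.0 with nat-control enabled. The printer address 192.168.21.6 and the tcp 9100 static come from the thread; the DNS server address 192.168.21.5, its mapped address 192.168.22.5, the wireless subnet 192.168.22.0/24 and the ACL name wireless_in are assumptions. Pick one option, not both.

```text
! ---- Option A: port-specific static PAT (the accepted answer's approach) ----
! Wireless clients reach the printer at the MAPPED address 192.168.22.6:9100.
! Only tcp 9100 gets a translation, so with nat-control no other port on
! the printer is reachable from wireless, whatever the interface ACL permits.
static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255
!
! Same pattern for the inside DNS server (192.168.21.5 is an assumed address).
! Add a matching tcp 53 line if resolvers also fall back to TCP.
static (inside,wireless) udp 192.168.22.5 53 192.168.21.5 53 netmask 255.255.255.255
!
! The thread's existing permit-everything ACL already covers this traffic;
! a least-privilege ACL would instead permit only the two mapped services.
! On pre-8.3 code the ACL on the lower-security interface matches the MAPPED address.
access-list wireless_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.22.6 eq 9100
access-list wireless_in extended permit udp 192.168.22.0 255.255.255.0 host 192.168.22.5 eq domain
access-group wireless_in in interface wireless
!
! ---- Option B: identity static (the alternative Farrukh warns about) ----
! One-to-one mapping for ALL ports, so the ACL now does all the filtering.
! Nothing distinguishes the neighbour's wireless client from yours except its
! source address on the shared wireless subnet, which is why this is the
! weaker design: any permit here applies to every host on that subnet.
static (inside,wireless) 192.168.21.6 192.168.21.6 netmask 255.255.255.255
static (inside,wireless) 192.168.21.5 192.168.21.5 netmask 255.255.255.255
! With identity NAT the ACL matches the real inside addresses.
access-list wireless_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.21.6 eq 9100
access-list wireless_in extended permit udp 192.168.22.0 255.255.255.0 host 192.168.21.5 eq domain
access-list wireless_in extended deny ip any 192.168.21.0 255.255.255.0
access-group wireless_in in interface wireless
!
! After changing static entries, clear existing translations so sessions
! already in the xlate table pick up the new mappings.
clear xlate
```

After applying either option, `show xlate` confirms the static entries exist and `show access-list wireless_in` shows hit counts climbing on the permit lines when a wireless client prints or resolves a name; zero hits on the permit line combined with failing prints usually means the ACL is matching the wrong (real vs. mapped) address for the code version in use.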
