09-15-2009 07:48 PM - edited 03-11-2019 09:15 AM
Hello all,
I have created 3 vlans on my ASA 5505,
5, 10, 15, and 20
They are on Interface 0/4 and trunked to a switch port which is also configured as a trunk. All works great....EXCEPT
I have a printer on VLAN 20 (192.168.20.15) that folks on VLAN 5 and 15 need to print to. I have the vlans on the same security level and configured same-security-traffic-permit.
I am missing something very elementary, I'm sure. Can someone please provide the key to this puzzle?
Thanks!
John
09-16-2009 01:18 AM
Hi,
Try adding routes to all other interfaces similar to route inside. Check the gateway of the printer if still not responding
Thanks
AP
09-16-2009 01:46 AM
Your issue appears to be NAT
Either create a nat0 for the vlans or configure a static network nat.
HTH>
09-16-2009 05:37 AM
Thanks! I created the following and now my users cannot get to the Internet
nat (Chappell) 0 access-list Chappell_access_in
nat (Burton) 0 access-list Burton_access_in
I already have the static access-list setup as follows for allowing access to the printer
static (User-Vlan,Burton) 192.168.20.15 192.168.20.15 netmask 255.255.255.255
static (User-Vlan,Chappell) 192.168.20.15 192.168.20.15 netmask 255.255.255.255
My route is
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
I'm stuck!
John
09-16-2009 05:43 AM
That is because you are using the wrong acl - at the end of the acls you are saying ip any any = do not nat anything - when you use these acls with the no-nat config.
Remove:-
nat (Chappell) 0 access-list Chappell_access_in
nat (Burton) 0 access-list Burton_access_in
Config the below:-
access-list no-vlan-nat permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15
access-list no-vlan-nat permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15
nat (Chappell) 0 access-list no-vlan-nat
nat (Burton) 0 access-list no-vlan-nat
HTH>
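To make the point in the reply above concrete, here is an added example (not code from the thread or from Cisco) that models how the ASA evaluates a `nat (iface) 0 access-list NAME` exemption list: top to bottom, first match wins, a matching `permit` entry exempts the flow from NAT, and no match means normal NAT applies. The `Chappell_access_in` list is reproduced here only as its final `permit ip any any` entry, since the full interface ACL was never posted; the `no-vlan-nat` list is the one from the reply, with the VPN subnet entry the original poster asked about later added as a third line. The flows, the hypothetical Internet host 198.51.100.7, and the host addresses inside the VLANs are constructed for the demonstration.

```python
import ipaddress

# Constructed model of the access-lists discussed in the thread.
# Chappell_access_in is represented only by its final "permit ip any any"
# entry, the line the reply identifies as the cause of the problem.
INTERFACE_ACL = [
    "access-list Chappell_access_in extended permit ip any any",
]

# The narrow exemption list from the reply, plus the VPN subnet entry
# (192.168.30.0/24) that the original poster asked about afterwards.
NO_VLAN_NAT_ACL = [
    "access-list no-vlan-nat permit ip 192.168.5.0 255.255.255.0 host 192.168.20.15",
    "access-list no-vlan-nat permit ip 192.168.15.0 255.255.255.0 host 192.168.20.15",
    "access-list no-vlan-nat permit ip 192.168.30.0 255.255.255.0 host 192.168.20.15",
]


def _parse_addr(tokens, i):
    """Parse one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA access-lists take a subnet mask here, not an IOS-style wildcard mask.
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_ace(line):
    """Return (action, src_network, dst_network) for an 'ip' access-list entry."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    i = 2  # skip 'access-list NAME'
    if tokens[i] == "extended":
        i += 1
    action = tokens[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action in: {line}")
    i += 1
    if tokens[i] != "ip":
        raise ValueError(f"only 'ip' entries are modelled here: {line}")
    i += 1
    src, i = _parse_addr(tokens, i)
    dst, i = _parse_addr(tokens, i)
    return action, src, dst


def nat_exempt(acl_lines, src_ip, dst_ip):
    """True if src_ip -> dst_ip hits a permit entry (first match wins).

    Mirrors 'nat (iface) 0 access-list NAME': a matching permit entry exempts
    the flow from NAT; no match (implicit deny) means the flow is translated.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # no match: normal NAT applies


def compare(src_ip, dst_ip):
    """Exemption result for one flow under the interface ACL vs no-vlan-nat."""
    return {
        "interface_acl": nat_exempt(INTERFACE_ACL, src_ip, dst_ip),
        "no_vlan_nat": nat_exempt(NO_VLAN_NAT_ACL, src_ip, dst_ip),
    }


if __name__ == "__main__":
    # Constructed flows: a VLAN 5 host to the printer, the same host to an
    # Internet address (198.51.100.7 is a documentation address), a VPN client
    # to the printer, and a VLAN 10 host to the printer (not in the list).
    for flow in [("192.168.5.10", "192.168.20.15"),
                 ("192.168.5.10", "198.51.100.7"),
                 ("192.168.30.5", "192.168.20.15"),
                 ("192.168.10.8", "192.168.20.15")]:
        print(flow, compare(*flow))
```

Running it shows the difference the reply describes: with the interface ACL every flow is exempt, including the one bound for the Internet, so outbound traffic is never translated and Internet access breaks; with `no-vlan-nat` only the printer-bound flows from the listed subnets are exempt, and everything else still goes through normal NAT. A VLAN 10 host is not exempt because its subnet is not in the list, which is the behaviour to expect when a new VLAN is added and forgotten.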
09-16-2009 06:04 AM
Thanks! Would that be the same for a VPN use? VPN is 192.168.30.0
access-list no-vlan-nat permit ip 192.168.30.0 255.255.255.0 host 192.168.20.15
Thank you! I'll try this now.
09-16-2009 06:07 AM
No - for VPN use you have to do a couple of things.....but why would you want remote VPN clients to print to a printer they are remote from?
09-16-2009 06:13 AM
I asked the same thing. Apparently the broker has an office at home and wants to print contracts on this printer for his staff when he is out of the office. I could use access to the vlan for RDP though.
09-16-2009 06:20 AM
Then all you need to do is add the remote VPN IP subnet to the interface no-nat access-list and it will be ok.
09-16-2009 06:26 AM
Thank you! I'll give it a shot. NAT always messes me up. Need to study it more.
09-16-2009 11:10 AM
So it would look like this, right?
access-list no-vlan-nat extended permit ip 192.168.30.0 255.255.255.0 host 192.168.20.0
VPN IP is 192.168.30.x
Thanks again for all your assistance.
09-17-2009 01:03 AM
Yes - and you need to make sure the 192.168.20.0 subnet is in the encryption domain list for the remote vpn user.
09-17-2009 05:43 AM
That did not work. I cannot access the 20 network. Do I need a NAT 0 for VPN as well? That does not sound right. I should be able to access all the vlans when I VPN in.
09-17-2009 07:20 AM
OK - let's debug the config, attach the config with all sensitive info removed.
09-17-2009 07:26 AM