Access list and remote printing

Jul 10th, 2010

Dear all,

My organization has a leased line internet connection that is connected to a router, then to an ASA 5510. From the ASA 5510 it is distributed to the LAN. NATing is done in the ASA.

The IP range is 120.125.51.128/27. The router interface IP is 120.125.51.129. The outside interface of the ASA 5510 is 120.125.51.147. NATing is done on 120.125.51.148 on the ASA. The inside interface of the ASA is 192.168.0.111. The other public IPs are used by the web server and other devices, and a few are free. Now I want:

1) I want to add an access list in the ASA so that only the permitted users can get access via the gateway 192.168.0.111.


I have tried:

access-list inside permit tcp host x.x.x.x any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside permit ip any any
access-group inside in interface inside

access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any
access-group inside in interface inside


But here only one IP is blocked. If we add several IPs, only the first IP is blocked. The rest of the IPs still get internet through the gateway.



2) One of our printers has the IP 192.168.0.123. I want users to be able to print to this printer through the internet.



Can anybody help me regarding that?

Jennifer Halim Sat, 07/10/2010 - 01:01
Cisco Employee

1) If you would like to deny specific IP addresses on specific ports, you would need to configure those deny statements before the "permit ip any any" statement, as the access-list is checked from top to bottom.


From your example, you would need to configure the following:

access-list inside permit tcp host x.x.x.x any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any


All the "deny" ACL entries need to be above the last line, "access-list inside permit ip any any".


If you check the ACL with the "sh run access-list inside" command, it will show you the order.


2) If you would like users from the internet to use the printer with the private IP address 192.168.0.123, you would need to configure static NAT to translate the private IP to one of your spare public IP addresses.

Example:

static (inside,outside) 120.125.51.x 192.168.0.123 netmask 255.255.255.255


And also, on the outside access-list, you would need to permit the printer traffic inbound towards that public IP address.


Hope that helps.
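To make the top-down, first-match behaviour described in the reply concrete, here is a small Python evaluator. It is an added example, not code from this thread or from Cisco: it parses access-list lines in the syntax used above, then reports which line decides a given flow, so you can see why the original post's order lets 192.168.0.91 reach port 80 while the reordered list blocks it. It assumes the two groups the original post entered ended up as a single ACL named "inside" in that order, substitutes the constructed host 192.168.0.50 for the post's x.x.x.x, uses 203.0.113.10 as a constructed internet destination, and models only the protocol, source, destination and destination-port fields (no established-state, ICMP types or object groups). It works for any set of entries in this form, not just the four from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names used in this thread; numeric ports are accepted as well.
PORT_NAMES = {"smtp": 25, "www": 80}


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> AclEntry:
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    i = 2                         # skip 'access-list' and the ACL name
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    i += 2
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return AclEntry(action, proto, src, dst, dport)


def parse_acl(config: str) -> List[AclEntry]:
    return [parse_ace(ln) for ln in config.strip().splitlines() if ln.strip()]


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list top to bottom; the first matching entry wins.
    Returns (action, 1-based line number); no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, e in enumerate(acl, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n
    return "deny", None


# The ACL as the original post built it: the second deny lands after the
# first 'permit ip any any'. 192.168.0.50 is a constructed stand-in for x.x.x.x.
AS_POSTED = """
access-list inside permit tcp host 192.168.0.50 any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside permit ip any any
access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any
"""

# The order from the reply: every deny sits above the final permit ip any any.
CORRECTED = """
access-list inside permit tcp host 192.168.0.50 any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any
"""

# Constructed flow: the .91 host browsing to a documentation-range address.
WEB_FROM_91 = ("tcp", "192.168.0.91", "203.0.113.10", 80)


def compare():
    """Which line decides the .91 web flow under each ordering."""
    return {
        "as_posted": evaluate(parse_acl(AS_POSTED), *WEB_FROM_91),
        "corrected": evaluate(parse_acl(CORRECTED), *WEB_FROM_91),
    }


if __name__ == "__main__":
    for name, (action, line) in compare().items():
        print(f"{name}: {action} (matched line {line})")
```

Running it shows the as-posted list permitting the flow on line 3 (the first "permit ip any any") and the corrected list denying it on line 3 (the host deny), which is exactly the behaviour the original post saw and the reply explains. The same evaluator can be pointed at the output of "sh run access-list inside" to check the order actually installed on the box.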
