Bypass NAT for single printer IP

Dec 3rd, 2013

Hi all,


I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)


We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.


Is this possible and how would I go about doing it?


Many thanks


Jamie

Jouni Forss Tue, 12/03/2013 - 07:03

Hi,


Would need more information related to this. Are you doing this on an ASA firewall? What software version is it running on? Towards which interface should the printer be visible with its own IP address? Is there only a certain network towards which the printer should show up with its original IP address?


Generally this is configured with NAT0 / Identity NAT but the format depends on your software level if you are using ASA.


- Jouni

Jamie Joh Tue, 12/03/2013 - 07:09

We are on ASA 5510 8.3+.


We originally tried to translate the printer so anything received on the 10.100.104.20 address would get translated to its 172.29.x.x address but we can't seem to get it working so the other option is to change the printer to 10.100.104.20 and stop this address from the NAT.


Our ASA address is 10.100.104.2 and apparently we have IPs up to .24


Many thanks

Jouni Forss Tue, 12/03/2013 - 07:14

Hi,


But I still don't know the actual setup.


Where should the host 10.100.104.20 be visible with its own IP address?


Where are the hosts located which need to be able to connect to this host with its original IP address?


If we do the wrong configuration it might override some NAT behaviour that is needed for this host.


For example, if we did this configuration then the host would show up towards any other network behind a different ASA interface with its own IP address (if we presume the host is located behind an interface called "inside").


object network PRINTER

host 10.100.104.20


nat (inside,any) 1 source static PRINTER PRINTER


But I would rather know more about the actual setup and current ASA configuration to determine what configuration is needed


- Jouni

Jamie Joh Tue, 12/03/2013 - 07:21

It's a very strange setup.


We are a school located on a council network. Our admin users use a virtual desktop to log in to a council computer which has a printer pointing to the IP address of 10.100.104.20; however, this printer is on our site located behind the firewall, so it isn't accessible as our ASA is set up to NAT all of our 172.29 local IP addresses.


So I believe the printer would be located on the Inside interface and our outside interface is 10.100.104.1/24


Many thanks

Jouni Forss Tue, 12/03/2013 - 07:25

Hi,


If your ASA firewall's "outside" interface is actually connected to some other network and not directly to the Internet then it would seem to me that you could use


object network PRINTER

host 10.100.104.20


nat (inside,outside) 1 source static PRINTER PRINTER


Though this would indeed mean that the PRINTER would communicate through this interface always with its own IP address which might potentially affect connectivity to the Internet for the PRINTER. That is, if it needs that connectivity.


If this NAT needs to apply only to some destination network behind the "outside" interface then we need to define that network or multiple networks in the "nat" configuration.


In this case we would need to have this kind of configuration


object network PRINTER

host 10.100.104.20


object-group network PRINTER-USER-NETWORKS

network-object

network-object


nat (inside,outside) 1 source static PRINTER PRINTER destination static PRINTER-USER-NETWORKS PRINTER-USER-NETWORKS



- Jouni

Jamie Joh Tue, 12/03/2013 - 07:51

Yes technically we would be on another network outside our ASA.


Just tried the top settings and created a network object but the print still wouldn't come through; as soon as we plug the printer into the network outside of the ASA the print comes through fine!


Pulling my hair out over this!

Jouni Forss Tue, 12/03/2013 - 08:34

Hi,


I have to say again that it's very hard to give any help regarding this matter if we have no idea of the actual setup.


To form any kind of picture of your network setup we would need to see the ASA configurations to determine where the actual networks are located and how the current NAT/ACL configurations have been done.


Also, I am a bit confused about the fact that you have placed the Printer behind your ASA but you are using an IP address that, according to the above posts, is actually located behind the "outside" interface (the IP address for which you want to do NAT0). This naturally can't work as the traffic would never be forwarded even past the ASA if the actual network is connected to the "outside" interface. In that case there would need to be a Static NAT rather than NAT0 since it seems that the local IP address is something completely different than 10.100.104.20.


We would need to see some configurations and know the network/subnet from which users are trying to connect to the Printer when it's behind your ASA.


- Jouni

Jamie Joh Wed, 12/04/2013 - 01:32

I've managed to get the sh run from the firewall, hopefully this helps.


ASA Version 8.4(4)1

!

hostname TSTC-FW

enable password  encrypted

passwd encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.100.104.2 255.255.248.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.29.8.1 255.255.248.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa845-k8.bin

ftp mode passive

object network any-inside

subnet 0.0.0.0 0.0.0.0

object network TSTC-Printing

host 172.29.8.20

object service tcp_9100

service tcp source eq 9100 destination eq 9100

object network TCSC-Printing

object network TSTCPrint2

host 10.100.104.20

object network TSTCPrint

host 10.100.104.20

object network PRINTER

host 10.100.104.20

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

port-object eq 52221

port-object eq 52222

port-object eq https

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100

access-list outside_access_in remark Form Pearson Exam Software

access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20

pager lines 24

logging enable

logging timestamp

logging monitor informational

logging buffered informational

logging trap informational

logging asdm informational

logging host inside 172.29.10.226 format emblem

mtu outside 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static PRINTER PRINTER

!

object network any-inside

nat (inside,outside) dynamic interface

object network TSTC-Printing

nat (inside,outside) static 10.100.104.20 service tcp 9100 9100

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.100.104.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable 1234

http 192.168.1.0 255.255.255.0 management

http 172.29.8.0 255.255.248.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 172.29.8.0 255.255.248.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.10-192.168.1.20 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username  password  encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Jouni Forss Wed, 12/04/2013 - 01:41

Hi,


It seems to me that you have the internal network of 172.29.8.0/21 and the external network is 10.100.104.0/21


Pretty large for a single network/subnet.


So it would seem to me that you are probably looking to do Static NAT for your internal Printer 172.29.8.20 to the NAT IP address 10.100.104.20 ?


If so, do these changes


Remove the original NAT I suggested


no nat (inside,outside) source static PRINTER PRINTER


Go under the below "object" and remove the NAT configuration and add a new one


object network TSTC-Printing

  no nat (inside,outside) static 10.100.104.20 service tcp 9100 9100


  nat (inside,outside) static 10.100.104.20


Then just to be sure for testing purposes allow all services to this host with the following ACL addition


access-list outside_access_in permit ip any object TSTC-Printing


Then test the connections. Make sure that the Printer truly has your local IP address 172.29.8.20 on it with the correct default gateway and mask.


- Jouni
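As an added illustration, not code from the thread or from Cisco, here is a small Python model of the point behind the ACL line Jouni adds above: on ASA 8.3 and later the static NAT is undone before the inbound "outside" ACL is evaluated, so that ACL must name the printer's real address (172.29.8.20, or the object TSTC-Printing) rather than the mapped 10.100.104.20. It reads the three printer-related ACEs from the configuration Jamie posted and evaluates the same flow the thread later tests with packet-tracer. The parser covers only the ACE subset used in that configuration (permit; any / host / object; ip / tcp / service object; a trailing eq port). It also shows a side effect of the posted service object tcp_9100, which requires the client's source port to be 9100 as well as the destination port, something ordinary print clients do not do, so that ACE cannot match a normal print job even apart from the address question.

```python
from dataclasses import dataclass

# Constructed inputs, copied from the 8.4(4)1 configuration quoted in the thread.
NETWORK_OBJECTS = {"TSTC-Printing": "172.29.8.20"}      # object network -> real host IP
SERVICE_OBJECTS = {"tcp_9100": ("tcp", 9100, 9100)}      # object service -> (proto, src port, dst port)
STATIC_NAT = {"10.100.104.20": "172.29.8.20"}            # mapped (outside) IP -> real (inside) IP

OUTSIDE_ACL = [
    "access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100",
    "access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20",
    "access-list outside_access_in extended permit ip any object TSTC-Printing",
]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def untranslate(wire_flow):
    """ASA 8.3+ order of operations: a static NAT is undone BEFORE the inbound
    interface ACL is consulted, so the ACL sees the real (inside) address."""
    real_dst = STATIC_NAT.get(wire_flow.dst_ip, wire_flow.dst_ip)
    return Flow(wire_flow.proto, wire_flow.src_ip, wire_flow.src_port,
                real_dst, wire_flow.dst_port)


def _parse_addr(tokens, i):
    """Parse the 'any' | 'host X' | 'object NAME' subset used in the thread."""
    if tokens[i] == "any":
        return None, i + 1                      # None = wildcard
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    if tokens[i] == "object":
        return NETWORK_OBJECTS[tokens[i + 1]], i + 2
    raise ValueError(f"unsupported address spec at token {i}: {tokens[i]}")


def parse_ace(line):
    """Parse one 'permit' ACE (the only action used in the quoted config)."""
    t = line.split()
    i = t.index("permit") + 1
    if t[i] == "object":                          # protocol given as a service object
        proto, sport, dport = SERVICE_OBJECTS[t[i + 1]]
        i += 2
    else:                                         # ip / tcp / icmp keyword
        proto, sport, dport = t[i], None, None
        i += 1
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    if i < len(t) and t[i] == "eq":               # trailing destination port
        dport = int(t[i + 1])
    return {"line": line, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, real_flow):
    if ace["proto"] != "ip" and ace["proto"] != real_flow.proto:
        return False
    if ace["src"] is not None and ace["src"] != real_flow.src_ip:
        return False
    if ace["dst"] is not None and ace["dst"] != real_flow.dst_ip:
        return False
    if ace["sport"] is not None and ace["sport"] != real_flow.src_port:
        return False
    if ace["dport"] is not None and ace["dport"] != real_flow.dst_port:
        return False
    return True


def matching_aces(acl_lines, wire_flow):
    """Return the ACE lines that permit the flow as the ASA would evaluate it."""
    real = untranslate(wire_flow)
    return [a["line"] for a in map(parse_ace, acl_lines) if ace_matches(a, real)]


if __name__ == "__main__":
    # The same flow the thread tests with packet-tracer: a client on the outside
    # network sending a raw-port print job to the printer's NAT address.
    job = Flow("tcp", "10.100.104.100", 12345, "10.100.104.20", 9100)
    for line in matching_aces(OUTSIDE_ACL, job):
        print("permitted by:", line)
```

Run as a script it lists the two ACEs that permit the port 9100 job: the one written against the real host 172.29.8.20 and the catch-all object ACE. The tcp_9100 ACE never matches, and removing the object ACE leaves only the port 9100 rule, so an LPD (TCP/515) job would then be dropped.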

Jamie Joh Wed, 12/04/2013 - 02:12

That is definitely what we were originally trying to do, translate any print jobs sent to 10.100.104.20 to our printer with the IP of 172.29.8.20, but it never seemed to work!


I've added your config to the firewall; what sort of settings should I be putting into the packet tracer to make sure it gets through OK?


Your help is really appreciated, thank you.

Jouni Forss Wed, 12/04/2013 - 02:15

Hi,


I am not quite sure about the ports used by the Printers. The most common I see should be TCP/515 and TCP/9100 though I am not certain


You could try for example


packet-tracer input outside tcp 10.100.104.100 12345 10.100.104.20 515


and


packet-tracer input outside tcp 10.100.104.100 12345 10.100.104.20 9100


The reason why I used the source address from the same network is that I presume that the requirement was that the network behind the "outside" interface should see these hosts as if they were belonging to the same network as them.


Let us know if it works when you have had the chance to test things out


- Jouni

Jamie Joh Wed, 12/04/2013 - 02:24

That seems to pass the packet trace fine.


Is there any way to test that any packet being sent to 10.100.104.20 is in fact being translated correctly to 172.29.8.20?


Many thanks

Jouni Forss Wed, 12/04/2013 - 02:41

Hi,


The NAT we configured above should handle it already. It's Static NAT that binds these IP addresses 1:1.


You can try this command though


show xlate local 172.29.8.20


Hope this helps


- Jouni

Jouni Forss Wed, 12/04/2013 - 03:21

Hi,


Have you been able to confirm if this works? I guess if the printer replies to ICMP then the easiest way to test general connectivity would be to ICMP from behind the "outside" interface.


But as I said, there should be no problems related to the configurations if you changed the configurations I mentioned.


If the users behind "outside" interface are all part of the 10.100.104.0/21 network then there should be no problems for the traffic to get forwarded to the ASA and then to the Printer when using the destination IP address 10.100.104.20. I assume you have confirmed that that IP address can be used from the network range.


- Jouni

Jamie Joh Wed, 12/04/2013 - 03:49

Hi,


No unfortunately it didn't work.


I checked the xlate and it's definitely translating the IPs. We currently have the printer connected outside the firewall with the proper IP of 10.100.104.20, 255.255.255.0 and 10.100.104.1 as the gateway, and it prints fine.

As soon as I connect it to the firewall, with IP address 172.29.8.20, 255.255.248.0 and 172.29.8.1 as the gateway, the prints just do not get through.


According to our council the print spoolers are on the IP address 172.23.60.73.


So frustrating!


Many thanks

Jouni Forss Wed, 12/04/2013 - 03:58

Hi,


Since you have been switching the Printer with the IP address 10.100.104.20 directly to the network outside of the ASA and then moving it behind the ASA and doing NAT for the local IP address to 10.100.104.20, that could mean that some upstream router might have ARP information that pairs IP address 10.100.104.20 to the MAC address of the actual printer.


When you move the Printer behind the ASA and use the NAT then the Printer would be visible to the upstream router with the MAC address of the ASA as the ASA is doing the NAT.


In other words the upstream router would have the Printer MAC address in the ARP table (IP/MAC address pair) and couldn't therefore pass the traffic onto the ASA.


I would suggest changing the IP address for the NAT to 10.100.104.21 for example or any other IP address that you can use from the range and then trying connections again.


If you are using the NAT configuration I suggested then these changes should be enough


Go under the "object" configuration mode and then remove the current "nat" command and enter a new one.


object network TSTC-Printing

no nat (inside,outside) static 10.100.104.20

nat (inside,outside) static 10.100.104.21


This would naturally mean the tests should be towards this new IP address. This should probably tell us if ARP is the problem (because you have had the printer directly with the NAT IP address on the network outside of ASA)


- Jouni

Jamie Joh Wed, 12/04/2013 - 04:06

The weird thing is I gave a completely different printer the 10.100.104.20 address and plugged it in outside the network and it worked fine, so I'm thinking the MAC address may be OK, but as soon as I change that printer's IP to 172.29.8.20 and put it behind the firewall... nothing!


At a loss now as to what it could be; the ASA couldn't be blocking anything else, could it? They've definitely said that the printers use port 9100.


Many thanks

Jouni Forss Wed, 12/04/2013 - 04:10

Hi,


Well you could configure a traffic capture on the ASA I guess


access-list PRINTER-CAPTURE permit ip host 10.100.104.20 any

access-list PRINTER-CAPTURE permit ip any host 10.100.104.20


capture PRINTER-CAPTURE type raw-data access-list PRINTER-CAPTURE interface outside buffer 1000000


Then you should ask them to test the connection when the Printer is behind the ASA


Then you could use the following command to check if anything has hit the capture


show capture


If something has hit the capture you could use this command to show the contents of the capture on the CLI


show capture PRINTER-CAPTURE


These should tell us if the traffic from the testers is arriving at the ASA


- Jouni

Jamie Joh Wed, 12/04/2013 - 04:29

OK, I just plugged in the 172.29 printer behind the firewall, did a test print which failed, did the printer capture and it's coming up with the following:


3 packets captured



   1: 04:58:38.515277 10.100.104.20.138 > 255.255.255.255.138:  udp 201

   2: 05:01:09.341870 10.100.104.2.56538 > 10.100.104.20.161:  udp 78

   3: 05:01:09.345105 10.100.104.20.161 > 10.100.104.2.56538:  udp 81

3 packets shown


Many thanks

Jouni Forss Wed, 12/04/2013 - 04:37

Hi,


The first captured UDP packet is a broadcast related to some Windows service. It won't go through the firewall.


The next two UDP packets are SNMP traffic back and forth from the Printer.


No traffic related to the ports you mentioned.


I am not sure of all the roles of the ports that Windows uses but could the broadcast message from the host 10.100.104.138 be related to the test?


It seems though that the SNMP traffic is both ways but I don't see anything else there other than the broadcast, which might be unrelated also.


- Jouni

Jouni Forss Wed, 12/04/2013 - 04:39

Also,


I presume you had the capture configured BEFORE you did any tests?


- Jouni

Jamie Joh Wed, 12/04/2013 - 04:45

Yes, I configured the capture, then did a test print, then did a show capture.


I've since put the 10.100.104.20 printer back outside of the firewall and did another capture; it seems to still be getting some hits.


   4: 05:10:41.985926 10.100.104.20.138 > 255.255.255.255.138:  udp 201

   5: 05:10:41.987131 10.100.104.20.137 > 255.255.255.255.137:  udp 68

   6: 05:10:42.219394 10.100.104.20.137 > 255.255.255.255.137:  udp 68

   7: 05:10:42.488835 10.100.104.20.137 > 255.255.255.255.137:  udp 68

   8: 05:11:09.450767 10.100.104.2.56538 > 10.100.104.20.161:  udp 78

   9: 05:11:09.454245 10.100.104.20.161 > 10.100.104.2.56538:  udp 81

  10: 05:14:41.004836 10.100.104.20.138 > 255.255.255.255.138:  udp 201

  11: 05:19:39.758673 10.100.104.20.138 > 255.255.255.255.138:  udp 201

  12: 05:21:08.559571 10.100.104.2.56538 > 10.100.104.20.161:  udp 78

  13: 05:21:08.563828 10.100.104.20.161 > 10.100.104.2.56538:  udp 81

13 packets shown


I believe SNMP may be disabled on the council's end but like I say it still seems to print fine when not behind the ASA.


Many thanks

Jouni Forss Wed, 12/04/2013 - 04:58

Hi,


I actually managed to read the capture wrong since it lists the ports right after the IP address. There is no IP address 10.100.104.138 as it was actually 10.100.104.20.138


Actually now that I look at it closer, it seems to me that there is traffic from behind the "inside" interface of your ASA towards that destination IP address?



   8: 05:11:09.450767 10.100.104.2.56538 > 10.100.104.20.161:  udp 78

   9: 05:11:09.454245 10.100.104.20.161 > 10.100.104.2.56538:  udp 81

  12: 05:21:08.559571 10.100.104.2.56538 > 10.100.104.20.161:  udp 78


And this traffic is bidirectional and not broadcast. The IP address 10.100.104.2 is your "outside" interface IP address with which ALL your internal hosts show up to the hosts behind the "outside" interface.


If you had taken the Printer off the "outside" network when this traffic was captured then it would seem to me that there is a device behind the "outside" interface with the IP address 10.100.104.20 already?


These packets in the capture would seem to point that there was still a device with IP address 10.100.104.20 in the network when that capture was taken


   4: 05:10:41.985926 10.100.104.20.138 > 255.255.255.255.138:  udp 201

   5: 05:10:41.987131 10.100.104.20.137 > 255.255.255.255.137:  udp 68

   6: 05:10:42.219394 10.100.104.20.137 > 255.255.255.255.137:  udp 68

   7: 05:10:42.488835 10.100.104.20.137 > 255.255.255.255.137:  udp 68

  10: 05:14:41.004836 10.100.104.20.138 > 255.255.255.255.138:  udp 201

  11: 05:19:39.758673 10.100.104.20.138 > 255.255.255.255.138:  udp 201


This is because we see a broadcast on the ASA to destination address 255.255.255.255 from the IP address 10.100.104.20


When the Printer is behind the "inside" interface can you do so that you clear the ARP on the ASA with the command "clear arp" and then send ICMP to the IP address 10.100.104.20 with the command "ping 10.100.104.20" and then view the arp with "show arp | inc 10.100.104.20" command.


It should show if there is a device behind the "outside" interface that is already using that IP address.


- Jouni
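The misreading Jouni corrects above (the port printed as a fifth dotted field, so 10.100.104.20 port 138 looks like a host 10.100.104.138) is easy to make by eye. As an added example, not code from the thread or from Cisco, here is a small Python reader for the "show capture" line format that splits address and port correctly, classifies each packet the way the thread does (broadcast, SNMP, print traffic), and answers the question actually being asked: did any TCP print traffic to the NAT address 10.100.104.20 reach the outside interface at all? The sample input is a constructed copy of the thread's three captured lines plus one added TCP SYN on port 9100 so that there is something to find; the protocol detection rule (UDP and ICMP lines name the protocol, TCP lines start with flag letters) is an assumption about the output format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the "show capture PRINTER-CAPTURE" output
# quoted in the thread: packet number, timestamp, "src.port > dst.port:" and
# the protocol/flags. Packet 4 is an added TCP SYN so the parser has one
# print-port packet to find; it was NOT in the thread's capture.
SAMPLE_CAPTURE = """\
4 packets captured

   1: 04:58:38.515277 10.100.104.20.138 > 255.255.255.255.138:  udp 201
   2: 05:01:09.341870 10.100.104.2.56538 > 10.100.104.20.161:  udp 78
   3: 05:01:09.345105 10.100.104.20.161 > 10.100.104.2.56538:  udp 81
   4: 05:02:10.000001 10.100.104.100.41234 > 10.100.104.20.9100: S 10:10(0) win 8192
4 packets shown
"""

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$"
)

PRINT_PORTS = {9100, 515, 631}   # raw/JetDirect, LPD, IPP
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Packet:
    num: int
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    kind: str


def split_endpoint(endpoint):
    """'10.100.104.20.138' -> ('10.100.104.20', 138).
    The capture prints the port as a fifth dotted field, so the split must be
    on the LAST dot; reading it as a fifth octet turns 10.100.104.20 port 138
    into a non-existent host '10.100.104.138' (the misreading in the thread)."""
    ip, port = endpoint.rsplit(".", 1)
    return ip, int(port)


def classify(dst_ip, src_port, dst_port, proto):
    ports = {src_port, dst_port}
    if dst_ip == "255.255.255.255":
        return "broadcast"          # never forwarded through the ASA
    if proto == "udp" and ports & SNMP_PORTS:
        return "snmp"
    if proto == "tcp" and ports & PRINT_PORTS:
        return "print"
    return "other"


def parse_capture(text):
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # "N packets captured/shown", blank lines
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        words = m["rest"].split()
        # Assumption about the format: UDP and ICMP lines start with the protocol
        # name; TCP lines start with the flag letters, so anything else is TCP.
        first = words[0].rstrip(":") if words else ""
        proto = first if first in ("udp", "icmp") else "tcp"
        packets.append(Packet(int(m["num"]), m["ts"], src_ip, src_port,
                              dst_ip, dst_port, proto,
                              classify(dst_ip, src_port, dst_port, proto)))
    return packets


def summarize(text):
    """Count packets per kind: the quick answer a look at the capture should give."""
    return Counter(p.kind for p in parse_capture(text))


def print_jobs_to(text, nat_ip):
    """TCP packets on a print port addressed to the printer's NAT IP: the
    traffic the thread expected to see in the capture and did not."""
    return [p for p in parse_capture(text)
            if p.kind == "print" and p.dst_ip == nat_ip]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_CAPTURE)))
    for p in print_jobs_to(SAMPLE_CAPTURE, "10.100.104.20"):
        print(f"print traffic from {p.src_ip}:{p.src_port} at {p.ts}")
```

On the thread's own three lines the summary is one broadcast and two SNMP packets and `print_jobs_to` returns nothing, which is exactly the finding Jouni reaches by hand; the added SYN shows what a hit would look like.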

Jamie Joh Wed, 12/04/2013 - 05:04

OK, will run that command in a second. Clearing the ARP won't have any effect on users currently logged in and using the internet, will it?


Many thanks

Jouni Forss Wed, 12/04/2013 - 05:50

Hi,


To my understanding clearing the ARP should not cause any problems. The ASA should send ARP requests for the destination IP addresses right after clearing the ARP.


- Jouni

Jamie Joh Wed, 12/04/2013 - 05:57

OK, I've cleared the ARP; there is now no answer from the ping so it should be clear. Should I try a print again or is there something else I can do on the ASA?


Many thanks

Jouni Forss Wed, 12/04/2013 - 06:00

Hi,


Did you take the output of "show arp | inc 10.100.104.20" after you cleared the ARP and pinged that destination IP address? That was what I was after. The device might not reply to ICMP but it will answer ARP requests. (If there is another device in the network with that IP address)


- Jouni

Jamie Joh Wed, 12/04/2013 - 06:01

Yep, nothing is appearing after doing the show arp command.

Jouni Forss Wed, 12/04/2013 - 06:08

Hi,


If the configuration was as suggested when the device was behind the ASA and the traffic was allowed then it doesn't seem like a problem with the ASA.


There seems to be something else wrong but I am not sure what. I don't know what the actual topology of the network is.


There should be nothing different with the Printer being NATed to the IP address towards the network segment that holds this subnet 10.100.104.0/21 or having the device directly in that network segment together with the ASA. If there is something perhaps related to broadcast traffic (which would mean users of the Printer would be in the same network 10.100.104.0/21) then that naturally stops at the ASA but not in the situation when the Printer is directly connected to the network 10.100.104.0/24


I don't know how much else can be determined from the ASA itself anymore.


We didn't see the traffic on the ASA with the capture that we were expecting and we don't know what is different in the situation when the printer is directly in the network. Unless of course you capture that traffic from some switch to which the printer is connected when it's outside the ASA.


- Jouni

Jamie Joh Wed, 12/04/2013 - 06:19

Still no luck after that.


In theory if the translation was working shouldn't a ping sent to 10.100.104.20 be picked up by 172.29.8.20? Because at the moment I get no response.


Many thanks

Jouni Forss Wed, 12/04/2013 - 06:25

Gah,


Could you add this for the ICMP and test again


policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error


There should not be many things that would cause problems for an incoming connection. You need Static NAT and a rule allowing the traffic you are testing. To automatically allow ICMP return traffic the above configurations are usually needed. In your case you should not need anything added to routing with regards to this since the LAN network is directly connected to the ASA.


- Jouni

Jamie Joh Wed, 12/04/2013 - 07:56

Still not working!


I've just tried translating another 10.100 IP address to one of our web servers and it works fine!


I think we've decided just to stick another switch in and have the printer outside of the firewall as it's starting to make us go insane!


One more thing if you wouldn't mind: does it look like our ports 52221, 52222 and HTTPS are open according to that top log?


Thank you so much for your help.

Jouni Forss Wed, 12/04/2013 - 08:06

Hi,


I think the problem with the printer might be some simple thing you/we have not noticed. Naturally, as I can't see the whole network and don't know everything related to the connection between the hosts, it's harder to determine the problem.


I would need to see the current configuration to determine the situation with the above ports. It seemed to me in the configuration you posted this was allowed from behind the "outside" to your internal network from a single public source IP address. The problem is though that only your Printer had a Static NAT but no other device so no other device could be reached with those ports since there was no NAT configuration for other hosts on your LAN.


It's too bad if we have to leave this as unsolved. I am pretty sure if I knew the whole setup a bit better we could determine what the problem is.


- Jouni

Jamie Joh Wed, 12/04/2013 - 08:16

Yeah, it's really frustrating that we can't solve it.


Regarding the ports, we have a piece of software that apparently needs to communicate on 52221, 52222 and HTTPS (443) but it still doesn't seem to communicate. Apparently that IP in the config is the source but I wouldn't mind opening those ports globally for all IPs.


Here is the current config.


names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.100.104.2 255.255.248.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.29.8.1 255.255.248.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa845-k8.bin

ftp mode passive

object network any-inside

subnet 0.0.0.0 0.0.0.0

object network TSTC-Printing

host 172.29.8.20

object service tcp_9100

service tcp source eq 9100 destination eq 9100

object network TCSC-Printing

object network PRINTER

host 10.100.104.20

object network Portico

host 172.29.8.46

object network Eportal

host 172.29.8.36

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

port-object eq 52221

port-object eq 52222

port-object eq https

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100

access-list outside_access_in remark Form Pearson Exam Software

access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20

access-list outside_access_in extended permit ip any object TSTC-Printing

access-list outside_access_in extended permit ip any object Portico

access-list outside_access_in extended permit ip any object Eportal

access-list PRINTER-CAPTURE extended permit ip host 10.100.104.20 any

access-list PRINTER-CAPTURE extended permit ip any host 10.100.104.20

pager lines 24

logging enable

logging timestamp

logging monitor informational

logging buffered informational

logging trap informational

logging asdm informational

logging host inside 172.29.10.226 format emblem

mtu outside 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

!

object network any-inside

nat (inside,outside) dynamic interface

object network TSTC-Printing

nat (inside,outside) static 10.100.104.20

object network Portico

nat (inside,outside) static 10.100.104.5

object network Eportal

nat (inside,outside) static 10.100.104.4

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.100.104.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable 1234

http 192.168.1.0 255.255.255.0 management

http 172.29.8.0 255.255.248.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 172.29.8.0 255.255.248.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.10-192.168.1.20 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username password encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home


Many thanks

Jouni Forss Wed, 12/04/2013 - 08:27

Hi,


Seems you currently have 3 devices for which Static NAT is configured.


object network TSTC-Printing

nat (inside,outside) static 10.100.104.20

object network Portico

nat (inside,outside) static 10.100.104.5

object network Eportal

nat (inside,outside) static 10.100.104.4


You have also allowed all traffic to these hosts from "any" address behind the "outside" interface.


No other hosts can be reached through the ASA from behind the "outside" interface since they don't have their own NAT IP address.


Your hosts behind the "inside" interface should also be able to form connections towards any destination IP address on any destination port. All the hosts behind "inside" will be visible towards the "outside" interface and its networks with the NAT IP address 10.100.104.2 since you have configured Dynamic PAT using the ASA's "outside" interface.


Dynamic PAT is done with this configuration in the above output


object network any-inside

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface


Naturally there is also the question of what other device is between your LAN and the External/Public network. All your addresses are from a private range so there is a firewall/gateway device somewhere further in the network that also controls traffic to and from the Internet.


My current doubt related to the Printer issue is whether we truly got all the traffic during the testing to the ASA. If that was all then it would seem to me that there just has to be some problem with the network setup in general.


- Jouni

Jamie Joh Thu, 12/05/2013 - 00:59

Apologies for the late reply.


So you reckon that any software installed on our PCs should be able to access any ports? I know we are behind another firewall but we put the request in and apparently they have opened those following ports but we still cannot connect using this piece of software, so I just wanted to make sure our firewall wouldn't be blocking access.


Many thanks
