
Access list and remote printing

Dear all

My organization has a leased-line internet connection that goes to a router, then to an ASA 5510. From the ASA 5510 it is distributed to the LAN. NAT is done on the ASA.

The IP range is 120.125.51.128/27. The router interface IP is 120.125.51.129. The outside interface of the ASA 5510 is 120.125.51.147. NAT is done on 120.125.51.148 on the ASA. The inside interface of the ASA is 192.168.0.111. The other public IPs are used for the web server and other devices, and a few are free. Now I want:

1) I want to add an access list on the ASA so that only the permitted users can get access using the gateway 192.168.0.111.

I have tried

access-list inside permit tcp host x.x.x.x any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside permit ip any any
access-group inside in interface inside

access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any
access-group inside in interface inside

But here only one IP is blocked. If we add several IPs, only the first IP is blocked. The rest of the IPs still get internet access through the gateway.

2) One of our printers has the IP 192.168.0.123. I want users to be able to print to this printer through the internet.

Can anybody help me with that?

1 REPLY

Re: Access list and remote printing

1) If you would like to deny specific IP addresses on specific ports, you need to configure those deny statements before the "permit ip any any" statement, as the access list is checked from top to bottom.

From your example, you would need to configure the following:

access-list inside permit tcp host x.x.x.x any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any

All the "deny" entries need to be above the last line, "access-list inside permit ip any any".

If you check the ACL with the "sh run access-list inside" command, it will show you the order.

2) If you would like users from the internet to use the printer with the private IP address 192.168.0.123, you need to configure a static NAT to translate the private IP to one of your spare public IP addresses.

Example:

static (inside,outside) 120.125.51.x 192.168.0.123 netmask 255.255.255.255

Also, on the outside access list, you need to permit the printer traffic inbound towards the public IP address.

Hope that helps.
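Putting both parts of the reply together, here is a complete configuration fragment as an added example; it is not from the original thread or from Cisco documentation. It uses the pre-8.3 ASA syntax that matches the "static (inside,outside)" form in the reply. The following values are assumptions, not taken from the post: 192.168.0.25 stands in for the x.x.x.x mail host, 120.125.51.150 is the spare public IP chosen for the printer, 203.0.113.10 is the remote user's address, and TCP 9100 is the printer's raw-print port.

```text
! Added example (not from the original thread). Pre-8.3 ASA syntax.
! Assumed values: 192.168.0.25 = permitted SMTP host, 120.125.51.150 = spare
! public IP for the printer, 203.0.113.10 = remote user, TCP 9100 = printer port.

! --- 1) Inside ACL: every deny must sit above the final "permit ip any any" ---
! Clear the existing list first so the order is exactly what is typed below;
! new access-list lines are otherwise appended after "permit ip any any" and never match.
clear configure access-list inside
access-list inside extended permit tcp host 192.168.0.25 any eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended deny tcp host 192.168.0.91 any eq 80
access-list inside extended deny tcp host 192.168.0.92 any eq 80
access-list inside extended permit ip any any
access-group inside in interface inside

! When another host has to be blocked later, insert it by line number so it
! lands above the permit instead of being appended below it:
access-list inside line 4 extended deny tcp host 192.168.0.93 any eq 80

! --- 2) Printer reachable from the internet: static NAT plus outside ACL ---
static (inside,outside) 120.125.51.150 192.168.0.123 netmask 255.255.255.255
! Pre-8.3: the outside ACL matches the translated (public) address.
! Restrict the source to the remote user's address and the single printer port;
! a "permit tcp any host 120.125.51.150" would expose the printer to the whole internet.
access-list outside extended permit tcp host 203.0.113.10 host 120.125.51.150 eq 9100
access-group outside in interface outside

! --- Verification ---
! "show access-list" prints the entries in evaluation order with hit counts
! (hitcnt); a deny that never increments is sitting below the permit.
show access-list inside
show access-list outside
show xlate
! packet-tracer walks a synthetic flow through the ACL and NAT and names the
! entry that matched (the source port 12345 is arbitrary).
packet-tracer input inside tcp 192.168.0.92 12345 198.51.100.1 80
packet-tracer input outside tcp 203.0.113.10 12345 120.125.51.150 9100
```

On ASA 8.3 and later the NAT syntax changes to object NAT and the outside access list matches the real (private) address of the printer rather than the public one, so the "static (inside,outside)" line and the outside ACL above would need to be rewritten for those versions.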
