ASA 5505 rule for copier/scanner

john.irizarry
Level 1

I have a situation where a user on a VLAN needs to receive scanned items from a large multifunction copier/printer/scanner to a file share on his computer. Here is the scenario: using SMB, the copier is able to see shared folders that reside on the network. Folks are able to scan documents directly to these shared folders on their computers. The problem is that users on a different VLAN would like that functionality as well but obviously cannot, because the ASA does not allow that traffic to pass. With that said, is there a way to allow SMB through the ASA to a different VLAN? For example, the copier is on 192.168.1.x and the PC on 192.168.20.x.

Thanks!

John

6 Replies

JORGE RODRIGUEZ
Level 10

John, the question for you would be: where do 192.168.1.x and 192.168.20.x sit in relation to the ASA firewall inside interface? Are these subnets being routed through the ASA, meaning do 192.168.1.x and 192.168.20.x have unique interfaces in the firewall? If so, you should be able to permit SMB TCP 139 and/or the NetBIOS ports.

Anyway, provide some more information on the topology of these two subnets.

Rgds

Jorge

Jorge Rodriguez

Jorge,

The printer/copier is on the native VLAN (inside int) and the PC on VLAN 5 (inside int). So, IOW, they are both on the inside.

Thanks!

OK, so the printer is in VLAN 1, subnet 192.168.1.x, and you have a VLAN 5 SVI configured. If so, what is the security level of VLAN 5 (192.168.20.x) in the ASA?

If I understand this correctly, both subnets are then routed by the ASA 5505, and I suspect they are both using the same security level. If so, both nets should be able to talk to each other without any access rules as long as you have the same-security-traffic permit inter-interface statement in the firewall; any traffic, including UDP/TCP traffic, should flow without the use of ACLs. Please confirm this is the scenario.

-Jorge

Jorge Rodriguez

Jorge,

VLAN 5 has a security level of 5 and the native VLAN 100. I have a NAT rule set up so that the folks on VLAN 5 can print to the printer on the native VLAN (192.168.1.x); however, file sharing from the printer to the PC does not work. Here are the NAT rules:

nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 KW-VPN 255.255.255.0
nat (Escrow) 0 access-list Escrow_nat0_outbound_1
nat (Escrow) 1 192.168.5.0 255.255.255.0
nat (Mortgage) 0 access-list Mortgage_nat0_outbound_1
nat (Mortgage) 1 192.168.10.0 255.255.255.0
nat (MCA) 0 access-list MCA_nat0_outbound_1
nat (MCA) 1 192.168.15.0 255.255.255.0
nat (Staff) 0 access-list Staff_nat0_outbound_1
nat (Staff) 1 192.168.20.0 255.255.255.0
nat (Prop_Mgmt) 1 192.168.40.0 255.255.255.0

Thanks for your help!

John

You can try these: create an object group for the SMB or NetBIOS ports.

i.e.

object-group service Printer_server tcp
 port-object eq 137
 port-object eq 138
 port-object eq 139

then allow the 192.168.20.0 subnet, or the subnet pertaining to VLAN 5, to browse the printer on the 192.168.1.0 subnet.

i.e.

access-list VLAN5_access_in extended permit tcp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group Printer_server
access-group VLAN5_access_in in interface vlan5

Jorge Rodriguez

Hey Jorge,

Thanks for the help. I made the changes you suggested, went to the copy machine and did a Browse to find the computer on VLAN 20, and I could not see it. Here is what I added:

#Staff is vlan20 (sorry I told you 5)

object-group service scanner tcp
 description Scan documents from Canon copier to shared folders on PC's
 port-object eq 137
 port-object eq 138
 port-object eq netbios-ssn
access-list Staff_access_in extended permit tcp 192.168.20.0 255.255.255.0 host 192.168.1.165 object-group scanner
access-list Staff_access_in extended permit ip any any
access-group Staff_access_in in interface Staff

Staff (VLAN 20) has a security level of 20.

The way this works is that from the copier, one uses Browse to find the shared folder on the user's PC. In this case the shared folder is on 192.168.20.47 and the copier is on 192.168.1.165.

Is this even possible?

Thanks for all your assistance.

John
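As an added example (not configuration from the thread or from either poster), the rule set I would apply on the ASA for the scan-to-share flow described above, in the pre-8.3 syntax the posts use. It reuses the interface names inside and Staff, the copier 192.168.1.165, the PC 192.168.20.47 and the NAT-exemption ACL names from the posts; the ACL name inside_access_in and the service group names are assumptions. The point it demonstrates: the copier opens the SMB session toward the PC, so the connection enters the ASA on the higher-security inside interface and is governed by the inside ACL and by NAT exemption between the two interfaces, not by the Staff inbound ACL, and the Staff ACL's permit ip any any can be narrowed to the copier host without breaking printing.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax, matching the posts.
! Assumed nameifs: "inside" (copier 192.168.1.165), "Staff" (PC 192.168.20.47).
!
! 1. Service groups (names assumed). NetBIOS browsing uses UDP 137/138; the file
!    transfer itself uses TCP 139 (NetBIOS session) or TCP 445 (direct-hosted SMB).
object-group service smb-tcp tcp
 port-object eq 139
 port-object eq 445
object-group service netbios-udp udp
 port-object eq 137
 port-object eq 138
!
! 2. NAT exemption in both directions between the copier and the Staff subnet.
!    Without this, the "nat (inside) 1" / "nat (Staff) 1" rules in the thread
!    translate the inter-VLAN traffic and the session never builds.
access-list inside_nat0_outbound_1 extended permit ip host 192.168.1.165 192.168.20.0 255.255.255.0
access-list Staff_nat0_outbound_1 extended permit ip 192.168.20.0 255.255.255.0 host 192.168.1.165
nat (inside) 0 access-list inside_nat0_outbound_1
nat (Staff) 0 access-list Staff_nat0_outbound_1
!
! 3. The copier initiates toward the PC, so the flow is inbound on "inside".
!    If no ACL is applied inbound on inside, higher-to-lower traffic is already
!    permitted and this step can be skipped. If you do apply one, remember the
!    implicit deny: add the other inside-originated permits you rely on as well.
access-list inside_access_in extended permit tcp host 192.168.1.165 host 192.168.20.47 object-group smb-tcp
access-list inside_access_in extended permit udp host 192.168.1.165 192.168.20.0 255.255.255.0 object-group netbios-udp
access-group inside_access_in in interface inside
!
! 4. Staff (level 20) -> inside (level 100) still needs an explicit permit for
!    printing. Scope it to the copier host rather than "permit ip any any",
!    which exposes every inside host to VLAN 20.
no access-list Staff_access_in extended permit ip any any
access-list Staff_access_in extended permit ip 192.168.20.0 255.255.255.0 host 192.168.1.165
access-group Staff_access_in in interface Staff
```

Two checks worth running before touching the copier: `packet-tracer input inside tcp 192.168.1.165 1025 192.168.20.47 445` shows whether the ASA would pass the session and which NAT and ACL entries it matches, and `show access-list inside_access_in` hit counts confirm the rule is actually being used. Note also that the copier's Browse function relies on NetBIOS name broadcasts, which do not cross the ASA; entering the share as \\192.168.20.47\sharename (or by a resolvable name) avoids that dependency, and the Windows firewall on the PC must allow file sharing from the 192.168.1.0/24 subnet, since by default it only trusts the local subnet.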
