04-14-2008 08:35 AM - edited 03-11-2019 05:30 AM
I have a situation where a user on a vlan needs to receive scanned items from a large multifunction copier/printer/scanner to a file share on his computer. Here is the scenario: Using SMB, the copier is able to see shared folders that reside on the network. Folks are able to scan documents directly to these shared folders on their computers. The problem is that users on a different vlan would like that functionality as well but obviously cannot because the ASA does not allow that traffic to pass. With that said, is there a way to allow SMB through the ASA to a different vlan? For example, the copier is on 192.168.1.x and the PC on 192.168.20.x.
Thanks!
John
04-14-2008 12:55 PM
John, the question for you would be: Where do 192.168.x and 192.168.20.x sit in relation to the ASA firewall inside interface? Are these subnets being routed through the ASA, meaning do 192.168.1.x and 192.168.20.x each have a unique interface in the firewall? If so, you should be able to permit SMB TCP 139 and/or the NetBIOS ports.
Anyway, provide some more information on the topology of these two subnets.
Rgds
Jorge
04-14-2008 01:04 PM
Jorge,
The printer/copier is on the native vlan (inside int) and the PC on vlan 5 (inside int). So, IOW they are both on the inside.
Thanks!
04-14-2008 04:01 PM
Ok, so the printer is in vlan 1, subnet 192.168.1.x, and you have a vlan 5 SVI configured. If so, what is the security level of vlan 5 (192.168.20.x) in the ASA?
If I understand this correctly, both subnets are then routed by the ASA 5505, and I suspect they are both using the same security level. If so, both nets should be able to talk to each other without any access rules as long as you have the same-security-traffic permit inter-interface statement in the firewall; any traffic, including UDP/TCP traffic, should flow without the use of ACLs. Please confirm this is the scenario.
-Jorge
04-15-2008 07:26 AM
Jorge,
vlan 5 has a security level of 5 and the native vlan 100. I have a NAT rule set up so that the folks on vlan 5 can print to the printer on the native vlan (192.168.1.x); however, file sharing from the printer to the PC does not work. Here are the NAT rules:
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 KW-VPN 255.255.255.0
nat (Escrow) 0 access-list Escrow_nat0_outbound_1
nat (Escrow) 1 192.168.5.0 255.255.255.0
nat (Mortgage) 0 access-list Mortgage_nat0_outbound_1
nat (Mortgage) 1 192.168.10.0 255.255.255.0
nat (MCA) 0 access-list MCA_nat0_outbound_1
nat (MCA) 1 192.168.15.0 255.255.255.0
nat (Staff) 0 access-list Staff_nat0_outbound_1
nat (Staff) 1 192.168.20.0 255.255.255.0
nat (Prop_Mgmt) 1 192.168.40.0 255.255.255.0
Thanks for your help!
John
04-15-2008 02:27 PM
You can try this: create an object group for the SMB or NetBIOS ports,
e.g.
object-group service Printer_server tcp
port-object eq 137
port-object eq 138
port-object eq 139
then allow the 192.168.20.0 subnet (or the subnet pertaining to vlan 5) to browse the printer on the 192.168.1.0 subnet,
e.g.
access-list VLAN5_access_in permit tcp 192.168.20.0 255.255.255.0 host
access-group VLAN5_access_in in interface vlan5
04-17-2008 01:02 PM
Hey Jorge,
Thanks for the help. I made the changes you suggested, went to the copy machine and did a Browse to find the computer on vlan20, and I could not see it. Here is what I added:
# Staff is vlan20 (sorry, I told you 5)
object-group service scanner tcp
description Scan documents from Canon copier to shared folders on PC's
port-object eq 137
port-object eq 138
port-object eq netbios-ssn
access-list Staff_access_in extended permit tcp 192.168.20.0 255.255.255.0 host 192.168.1.165 object-group scanner
access-list Staff_access_in extended permit ip any any
access-group Staff_access_in in interface Staff
Staff (vlan20) has a security level of 20.
The way this works is that from the copier, one uses Browse to find the shared folder on the user's PC. In this case the shared folder is on 192.168.20.47 and the copier is on 192.168.1.165.
Is this even possible?
Thanks for all your assistance.
John
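As an added example (not from this thread), a small Python checker that parses rule lines of the kind posted above, reports which rule a given flow hits first (or none, i.e. the implicit deny), and flags an access-group whose name does not exactly match a defined access-list, since ASA names are case-sensitive. The config it reads is a constructed sample modelled on the posted lines, with the access-group deliberately in a different case.

```python
import ipaddress

# Constructed sample modelled on the thread's rules, with a deliberate case mismatch in the access-group line.
CONFIG = """
object-group service scanner tcp
 port-object eq 137
 port-object eq 138
 port-object eq netbios-ssn
access-list Staff_access_in extended permit tcp 192.168.20.0 255.255.255.0 host 192.168.1.165 object-group scanner
access-list Staff_access_in extended permit ip any any
access-group staff_access_in in interface Staff
"""
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

def _addr(tok, i):
    """Parse one ASA address term at tok[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse(config):
    """Return ({acl name: [rules]}, [problems]) from service object-groups, ACLs and access-groups."""
    groups, acls, problems, cur = {}, {}, [], None
    for tok in (ln.split() for ln in config.strip().splitlines()):
        if tok[0] == "object-group":      # object-group service NAME tcp
            cur = groups.setdefault(tok[2], set())
        elif tok[0] == "port-object":     # port-object eq PORT|NAME
            cur.add(NAMED_PORTS.get(tok[2]) or int(tok[2]))
        elif tok[0] == "access-list":     # access-list NAME extended ACTION PROTO SRC DST [eq P | object-group G]
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            ports = None                  # None = any destination port
            if i < len(tok) and tok[i] == "eq":
                ports = {NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])}
            elif i < len(tok) and tok[i] == "object-group":
                ports = groups.get(tok[i + 1], set())
            acls.setdefault(name, []).append((action, proto, src, dst, ports))
        elif tok[0] == "access-group" and tok[1] not in acls:   # ASA names are case-sensitive
            problems.append(f"access-group {tok[1]} on {tok[4]}: no access-list with that exact name")
    return acls, problems

def first_match(rules, proto, src, dst, dport):
    """Return (rule number, action) of the first rule matching the flow, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, snet, dnet, ports) in enumerate(rules, 1):
        if p in ("ip", proto) and s in snet and d in dnet and (ports is None or dport in ports):
            return n, action
    return None
```

Evaluating the constructed rules in both directions shows the scanner rule only matches PC-to-copier traffic; the copier-to-PC direction is reached only by the catch-all permit, and falls to the implicit deny without it.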