Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
341
Views
5
Helpful
4
Replies

Allow seperate interface access to a single host on inside interface

Go to solution
john-paul.maurer
Level 1
Level 1

‎08-16-2008 09:15 AM - edited ‎03-10-2019 01:38 PM

I'm using a Cisco PIX 515E running ASA 8.0(3) - two separate networks, one on each interface…

I intentionally have a separate network on the 'wireless' interface because I share the wireless with my neighbor and don't want him on my 'inside' LAN. I occasionally want to use the wireless myself, but only need access to my printer at 192.168.21.6

How can I allow the wireless interface access to 192.168.21.6 (just port tcp/udp 9100 I believe). I experimented with static commands, but could not get it to work? Must I create a separate IP such as 192.168.22.6 and map that to 192.168.21.6 on the inside interface in order to print?

Labels:
Preview file
4 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-16-2008 12:57 PM

static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255

You ACLs already permit ALL IP traffic between the zones (except the RISKY PORTS) so no need to change that to make this work.

You can also do Identity Static wherein Wireless Users can access the printer using its original address. But that will create problems with the neighbor :).

Please rate if helpful.

Regards

Farrukh

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-16-2008 12:57 PM

static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255

You ACLs already permit ALL IP traffic between the zones (except the RISKY PORTS) so no need to change that to make this work.

You can also do Identity Static wherein Wireless Users can access the printer using its original address. But that will create problems with the neighbor :).

Please rate if helpful.

Regards

Farrukh

0 Helpful

Go to solution
john-paul.maurer
Level 1
Level 1
In response to Farrukh Haroon

‎08-16-2008 04:26 PM

Can you describe what the problem might be if I did the Identity Static method? What would that config look like?

Can you also explain why, if my ACLs permit all traffic between the interfaces, why I can't then use the printer already as-is? I also have a DNS server on the inside interface, and I was unable to use that from the wireless LAN, must I also provide a static statement with UDP port 53 for that to work?

Thanks for your help!

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to john-paul.maurer

‎08-16-2008 06:15 PM

If you use reguar 'Static Identity NAT', it will be a one to one mapping for ALL ports (this means you have to adjust your ACL to only allow DNS , Printer). Right now your Access-Control is aided by the 'nat-control' command.

You cannot use the printer because you have nat-control command. This means to successfully pass traffic from lower security zone to higher security zone you need the ACL entry coupled with a 'Static' translation or exemption for the traffic flow. Since your translations are limited to particular ports the two zones cannot communicate.

Yes you would need a similar translation for DNS.

Regards

Farrukh

Go to solution
john-paul.maurer
Level 1
Level 1
In response to Farrukh Haroon

‎08-17-2008 08:14 AM

Thank you very much!

0 Helpful
Customers Also Viewed These Support Documents