08-16-2008 09:15 AM - edited 03-10-2019 01:38 PM
I'm using a Cisco PIX 515E running ASA 8.0(3) - two separate networks, one on each interface...
I intentionally have a separate network on the 'wireless' interface because I share the wireless with my neighbor and don't want him on my 'inside' LAN. I occasionally want to use the wireless myself, but only need access to my printer at 192.168.21.6
How can I allow the wireless interface access to 192.168.21.6 (just port tcp/udp 9100, I believe)? I experimented with static commands, but could not get it to work. Must I create a separate IP such as 192.168.22.6 and map that to 192.168.21.6 on the inside interface in order to print?
08-16-2008 12:57 PM
static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255
Your ACLs already permit ALL IP traffic between the zones (except the RISKY PORTS), so no need to change that to make this work.
You can also do Identity Static wherein Wireless Users can access the printer using its original address. But that will create problems with the neighbor :).
Please rate if helpful.
Regards
Farrukh
08-16-2008 04:26 PM
Can you describe what the problem might be if I did the Identity Static method? What would that config look like?
Can you also explain why, if my ACLs permit all traffic between the interfaces, I can't then use the printer already as-is? I also have a DNS server on the inside interface, and I was unable to use that from the wireless LAN. Must I also provide a static statement with UDP port 53 for that to work?
Thanks for your help!
08-16-2008 06:15 PM
If you use regular 'Static Identity NAT', it will be a one-to-one mapping for ALL ports (this means you have to adjust your ACL to only allow DNS and Printer). Right now your Access-Control is aided by the 'nat-control' command.
You cannot use the printer because you have nat-control command. This means to successfully pass traffic from lower security zone to higher security zone you need the ACL entry coupled with a 'Static' translation or exemption for the traffic flow. Since your translations are limited to particular ports the two zones cannot communicate.
Yes you would need a similar translation for DNS.
Regards
Farrukh
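The two approaches Farrukh describes, written out as a complete ASA 8.0 config fragment. This is an added example, not configuration posted in the thread. It assumes the inside subnet is 192.168.21.0/24 (printer 192.168.21.6, with the DNS server placed at 192.168.21.5 for illustration; the thread never gives its address), the wireless subnet is 192.168.22.0/24 at a lower security level, nat-control is enabled as the thread states, the inbound wireless ACL is named wireless_in, and 192.168.22.50 is a wireless client used only for the packet-tracer check. Raw printing is tcp/9100, so only TCP is translated, as in the accepted answer.

```cisco
! Added example (not the thread's own config). Assumptions:
!   inside   = 192.168.21.0/24, printer 192.168.21.6, DNS server 192.168.21.5 (address assumed)
!   wireless = 192.168.22.0/24, lower security level than inside
!   nat-control is enabled, so lower->higher traffic needs an ACL permit AND a static
! The mapped addresses 192.168.22.6 and 192.168.22.5 must be unused on the wireless
! subnet: the ASA proxy-ARPs for them on the wireless interface.

! --- Option A: port-restricted statics (the accepted answer, plus DNS) ---
! Only tcp/9100 to the printer and udp/53 to the DNS server get a translation,
! so nothing else on the inside LAN is reachable from wireless even if the ACL is broad.
static (inside,wireless) tcp 192.168.22.6 9100 192.168.21.6 9100 netmask 255.255.255.255
static (inside,wireless) udp 192.168.22.5 53 192.168.21.5 53 netmask 255.255.255.255

! Tighten the wireless ACL anyway, so the missing translation is not the only control
! keeping the neighbour out. Entries are evaluated in order; the deny comes before the
! general permit that gives wireless clients Internet access.
access-list wireless_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.22.6 eq 9100
access-list wireless_in extended permit udp 192.168.22.0 255.255.255.0 host 192.168.22.5 eq 53
access-list wireless_in extended deny ip any 192.168.21.0 255.255.255.0
access-list wireless_in extended permit ip 192.168.22.0 255.255.255.0 any
access-group wireless_in in interface wireless

! --- Option B: identity static (printer keeps its real address from wireless) ---
! Use INSTEAD of Option A, not alongside it. This translates ALL ports for the host,
! so the ACL is now the only thing keeping the neighbour off the rest of the printer
! (its web admin page, SNMP, etc.) and off the inside LAN.
! static (inside,wireless) 192.168.21.6 192.168.21.6 netmask 255.255.255.255
! static (inside,wireless) 192.168.21.5 192.168.21.5 netmask 255.255.255.255
! access-list wireless_in extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.21.6 eq 9100
! access-list wireless_in extended permit udp 192.168.22.0 255.255.255.0 host 192.168.21.5 eq 53
! access-list wireless_in extended deny ip any 192.168.21.0 255.255.255.0
! access-list wireless_in extended permit ip 192.168.22.0 255.255.255.0 any
! access-group wireless_in in interface wireless

! --- Checks (Option A) ---
! A print job from a wireless client should pass both the ACL and the NAT phase:
packet-tracer input wireless tcp 192.168.22.50 40000 192.168.22.6 9100
! The same client to port 80 on the mapped address passes the ACL but has no static,
! so with nat-control it is dropped in the NAT phase. That drop is the control the
! first answer relies on; Option B removes it, which is why its ACL must be tight.
packet-tracer input wireless tcp 192.168.22.50 40000 192.168.22.6 80
! After printing once, the port translation should appear here:
show xlate
```

With Option A the wireless client prints to 192.168.22.6 and resolves names against 192.168.22.5; with Option B it uses the real 192.168.21.x addresses. Either way, run the two packet-tracer lines after changing the ACL: the first should end in ALLOW and the second in DROP, and if the second ever shows ALLOW the neighbour can reach more of the printer than intended.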
08-17-2008 08:14 AM
Thank you very much!