Configuring Cisco ASA 5505 to Allow Inbound Printing over the Internet on Port 9300
I recently wrote a guide on how to allow printing inbound over the internet through a Cisco router. While the principle is the same on a Cisco ASA, as you would expect the configuration is somewhat different. Just as in the previous tutorial, the intention of this guide is to allow printing from a hosted server to a spoke client site over the internet, so again the things we need to consider are:
- Set up the printer object on the server. It is important here to set the TCP/IP address to the WAN address of your remote site
- Enable traffic on that port, i.e. 9100 (if you have not changed it), outbound through your firewall
- Configure the device on the far side to allow and NAT the traffic to your printer. This is what this guide covers.
On a Cisco Router, we need to do the following:
- Configure the Printer Object
- Configure your Datacentre Object (Where the hosted Server is) on your local ASA
- Create the Service Object on the Port that the inbound printer traffic will be coming in on
- Configure The ACL
- Configure NAT Translation
```
! Create the object for the printer
object network obj_Printer_Main_Copier
 host 192.168.5.242
! Create an object for the source server, in this case the WAN IP of the data centre
! I have put a generic IP here for demonstration purposes; replace it with the real address
object network obj_Company_DC_Firewall
 host 1234.5678.911.12
! Create the service object for our inbound port, 9300
object service obj-service9300
 service tcp source eq 9300
! Service object for the printer's real port, 9100; the NAT rule below references it
object service obj_Service_Nat_Tcp_9100
 service tcp source eq 9100
! Give a friendly name to the ACL
access-list Daisy_access_in remark Port 9300 inbound for printing to Main Printer
! Permit traffic from the DC firewall to the destination printer on port 9100
access-list Daisy_access_in line 1 extended permit tcp object obj_Company_DC_Firewall object obj_Printer_Main_Copier eq 9100
! The important thing to note here is the "line 1" after the ACL name, as we need
! to make sure this entry is listed before the explicit deny all
! NAT translation, which may appear to some as the wrong way round as the traffic
! comes from Daisy to internal (read right to left)
! The NAT translation says the traffic comes in on 9300, is translated to 9100
! and is sent to the main copier
nat (internal,Daisy) 1 source static obj_Printer_Main_Copier interface service obj_Service_Nat_Tcp_9100 obj-service9300
! The 1 after the brackets moves this rule up in priority, as with the ACL above
```
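A configuration like this only works if every object named in the ACL and NAT lines is actually defined, and it is only as tight as the ACL source. The following Python check is an added example, not part of the original guide: it audits a saved snippet for undefined object references and for permits with an `any` source. The sample text, the `obj_Typo_DC_Firewall` name and the 198.51.100.10 address are constructed for illustration.

```python
import re

# Constructed sample modelled on the configuration above. The ACL line
# deliberately names an object that is never defined, and the NAT line uses
# a service object with no definition; the DC address is a made-up example.
SAMPLE = """\
object network obj_Printer_Main_Copier
 host 192.168.5.242
object network obj_Company_DC_Firewall
 host 198.51.100.10
object service obj-service9300
 service tcp source eq 9300
access-list Daisy_access_in line 1 extended permit tcp object obj_Typo_DC_Firewall object obj_Printer_Main_Copier eq 9100
nat (internal,Daisy) 1 source static obj_Printer_Main_Copier interface service obj_Service_Nat_Tcp_9100 obj-service9300
"""

NOT_OBJECTS = {"interface", "any"}  # keywords that can sit where a name would


def references(line):
    """Object names used by one access-list or nat line (only the forms shown here)."""
    tok = line.split()
    names = []
    if len(tok) > 2 and tok[0] == "access-list" and tok[2] != "remark":
        names = [tok[i + 1] for i, t in enumerate(tok[:-1]) if t == "object"]
    elif tok and tok[0] == "nat":
        for kw in ("static", "service"):
            if kw in tok:
                i = tok.index(kw)
                names += tok[i + 1:i + 3]  # real/mapped host, then real/mapped service
    return [n for n in names if n not in NOT_OBJECTS]


def audit(config):
    """Return (line_no, problem, detail) for undefined objects and any-source permits."""
    defined = set(re.findall(r"^object (?:network|service) (\S+)", config, re.M))
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        for name in references(line):
            if name not in defined:
                findings.append((no, "undefined-object", name))
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:3] != ["remark"] and "permit" in tok:
            src = tok[tok.index("permit") + 2:][:1]  # token after the protocol
            if src and src[0] in ("any", "any4", "any6"):
                findings.append((no, "any-source", line.strip()))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means every referenced object resolves and no permit is open to any source; it does not validate the syntax the ASA itself enforces.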