Pix 501 and network printers

[rhaddon]

Hello all,

I have setup a Pix 501 and the computers are getting the correct IP addressing but I can not get the printers to print. I have set the printers to a static ip and set the printers to the same address but they won't communicate with each other. I have aslo set the printers to auto obtain from dhcp and still nothing.

Any suggestions

Thanks

Randy Haddon

 

[NetworkGhost]

Can you ping the printer when you have the IP statically assigned?

Free Firewall/Network/Systems Support-

http://firewalls.ath.cx:8080

 

[rhaddon]

No I can not ping the printer when they have a static IP.

 

[Supergrrover]

What is the topology that you are using? (where the printers, users, firewall, vpn are relative to each other)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[rhaddon]

I have two users and two printers hooked into the 4 ports on the back of the PIX 501 device.

 

[Supergrrover]

What are the ip settings for the pcs and printers?
(IP, subnet mask, default gateway, etc.)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[rhaddon]

The ip for the pc are 10.70.0.45, 10.70.0.46 w/ mask of 255.255.255.0 and the printers are 10.70.0.73, 10.70.0.74 w/ the same mask.

Here is the running config for the PIX

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password AGSQD2hPbxuZxr31 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname LanguagePIX
domain-name osagetribe.org
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside xxx.xxx.xxx.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxx.xxx.xxx.0 255.255.255.0 inside
pdm location xxx.xxx.xxx.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 xxx.xxx.xxx.45-xxx.xxx.xxx.75 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 xxx.xxx.xxx.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.xxx.0 255.255.255.0 inside
http xxx.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxx.xxx.xxx.45-xxx.xxx.xxx.75 inside
dhcpd dns xxx.xxx.xxx.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

 

[rhaddon]

Forgot the gateway it is 10.70.0.1

 

[NetworkGhost]

How about a "show arp" from the pix when all the devices are connected. Should at least see the mac addresses of the printers.

When you ping'd the printer was it from the PIX or the PC? Have you done both? Possibly the PIX isnt negotiating the link settings correctly for the printer. Do you have nother switch you can plug the devices into and then link that switch to the Pix?

Free Firewall/Network/Systems Support-

http://firewalls.ath.cx:8080

 

[rhaddon]

Ok I ran the show arp and at first it did not show the printers. I then changed one printer to obtain the IP from DHCP and that did not work either. I then ran another show arp and it listed the printers and the pcs.

This is were it gets strange I can ping the gateway and the pcs from the printers, I can ping the gateway, printers , and the pcs from inside the pix.

I will have to find a small switch and see if that works.

here is the show arp:


LanguagePIX# sh arp
outside 192.168.254.254 0013.a3cd.2255
inside 10.70.0.49 0013.72d9.a11f
inside 10.70.0.50 0013.72d9.a148

LanguagePIX# ping 10.70.0.73
10.70.0.73 response received -- 0ms
10.70.0.73 response received -- 0ms
10.70.0.73 response received -- 0ms
LanguagePIX# ping 10.70.0.74
10.70.0.74 response received -- 0ms
10.70.0.74 response received -- 0ms
10.70.0.74 response received -- 0ms
LanguagePIX# ping 10.70.0.70
10.70.0.70 NO response received -- 1000ms
10.70.0.70 NO response received -- 1000ms
10.70.0.70 NO response received -- 1000ms
LanguagePIX# sh arp
outside 192.168.254.254 0013.a3cd.2255
inside 10.70.0.50 0013.72d9.a148
inside 10.70.0.51 0014.3846.ffcb
inside 10.70.0.49 0013.72d9.a11f
inside 10.70.0.74 0014.3846.ffcb
inside 10.70.0.73 0000.74ab.f9d1
LanguagePIX#

Thanks again for your help
Randy

 

[rhaddon]

I was albe to get a sitch and hooked it up to the pix and that solved the ploblem (kind of). Now i can print to the printers when I am not conected to the companies VPN but when I am connected to the VPN I can not print. I believe the problem is that are network is 10.0.0.0. My question is how do I configure the pix to allow the computers to print to the local printers while connected through the VPN. We are using a pix 515.

Thanks again for your help.

Randy

 

[rhaddon]

Got it figured out!!!!! I went into the properties of my network places and clicked on Advanced then selected advanced settings and under connections I changed the priority of the local area conection to the first spot instead of the VPN conection. I then rebooted the computer and logged back in and was able to print to the printers.

Now that I think about it I think that was the cause of my printing problems in the first place cause I was trying to print while the PCs were hooked up to the VPN connection.

Thanks for your help everyone.

Randy

 

[NetworkGhost]

Well Good. Would have been nice to know you had that

Free Firewall/Network/Systems Support-

http://firewalls.ath.cx:8080