
enable logging problem

habeeb_talal
Level 1

Hello,

I need help to solve this case, here are the details:

Router c3845:

interface GigabitEthernet0/0

ip address 212.x.x.106 255.255.255.252

!

interface GigabitEthernet0/1

ip address 88.x.x.1 255.255.255.192

!

ip route 0.0.0.0 0.0.0.0 g0/0

ip route 172.16.200.0 255.255.255.224 88.76.192.2

ip route 172.16.204.0 255.255.255.0 88.76.192.2

------------------------

Cisco ASA:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 88.x.x.2 255.255.255.192

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.16.200.225 255.255.255.224

!

access-list w extended permit ip any any

access-list icmp extended permit icmp any any

access-list icmp extended permit icmp any any echo

access-list icmp extended permit icmp any any echo-reply

!

access-group w in int inside

access-group icmp in int outside

!

icmp permit any outside

icmp permit any inside

!

S 0.0.0.0 0.0.0.0 [1/0] via 88.76.192.2, outside

C 88.x.x.0 255.255.255.192 is directly connected, outside

C 172.16.200.224 255.255.255.224 is directly connected, inside

S 172.16.204.0 255.255.255.0 [1/0] via 172.16.200.226, inside

--------------------

Workstation: IP 172.16.204.27

I can ping the workstation from the ASA without any problems, and I can send logging traps from the ASA to this workstation. The case is that I need to make the router send logging to this workstation,

but I can't even ping this workstation from the router, although there is a route to its subnet configured in the router.

So could anyone tell me where the problem is?

Thanks

Talal Habeeb

5 Replies

royalblues
Level 10

Friend,

By default, all traffic from a higher security interface to a lower security interface will get NATed.

You will have to define a static NAT for the workstation and send the router logs to the NATed public IP,

e.g.

On the ASA:

static (inside,outside) 88.76.192.3 172.16.204.27 netmask 255.255.255.255 0 0

router(config)#logging 88.76.192.3

router(config)#logging trap debugging

HTH, rate if it does

Narayan

Hello,

Thank you Narayan, it worked and I successfully pinged the workstation from the router using the mapped IP address, but after a while it didn't work

and I cannot ping the workstation from the router, although I didn't configure anything after the static map. So what do you think about this problem?

Thanks

Talal Habeeb

Hi

In addition to the above post, you need to configure an access-list to allow connections from lower security to higher security interfaces.

Configure an access list to permit the logging ports and apply it on the outside interface.

Thanks

Mahmood

Have you made any changes to the access-list you had posted?

Can you repost your configuration?

Narayan

Hello,

Thank you Narayan and Mahmood. As you said, Mahmood, I configured an access-list and it is now working just fine.

Thanks

Talal Habeeb
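
The static NAT from Narayan's reply combined with the outside ACL entry Mahmood describes, as an added example that is not part of the original thread. It assumes the pre-8.3 ASA syntax used above, syslog on its default UDP port 514, and the router sourcing its logs from GigabitEthernet0/1 (88.x.x.1, masked as in the original post); the entry is appended to the existing `icmp` ACL because that is the list already bound to the outside interface.

```cisco
! ---------- ASA ----------
! Map the inside syslog workstation to an outside address (from the reply above).
static (inside,outside) 88.76.192.3 172.16.204.27 netmask 255.255.255.255
!
! The ACL bound to outside ("icmp") permits only ICMP, so ping to the mapped
! address passes while UDP syslog from the router falls to the implicit deny.
! Permit only router -> mapped host on UDP/514 rather than widening to "ip any any".
! 88.x.x.1 is the masked router address from the post; substitute the real one.
access-list icmp extended permit udp host 88.x.x.1 host 88.76.192.3 eq syslog
!
! Verify: the translation exists and the new entry's hit count increases
! when the router sends a log message.
show xlate
show access-list icmp
!
! ---------- Router ----------
! Pin the source address so it always matches the ACL entry above (assumption:
! logs leave via GigabitEthernet0/1, the interface facing the ASA).
logging source-interface GigabitEthernet0/1
logging 88.76.192.3
logging trap debugging
!
! Verify: the trap logging section should list host 88.76.192.3.
show logging
```

Scoping the entry to one source host and one port keeps the outside ACL from exposing anything else on the workstation through the static mapping.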
