NAT issue

Unanswered Question
Oct 18th, 2007

I have a need for our internet router to send syslog to a server on the inside interface of a PIX firewall. The internet router connects to the outside interface of the PIX. The interface on the router that faces the PIX has an ip of 5.5.5.5 and the outside interface of the PIX is 5.5.5.6. The host address of the inside syslog server is 10.1.1.100, which is off the inside interface on the PIX.

Currently the PIX is configured with a NAT (1) 0.0.0.0 0.0.0.0 with a global statement that uses the "interface" (outside address of PIX, or 5.5.5.6). The syslog server 10.1.1.100 has a need for internet connectivity for things like web updates, etc. I'd like to keep it so that it uses the existing NAT when connecting to the Internet. However, I need a way for the internet router to send its syslog through to the inside server. I figure I could do a static, but that would end up translating all traffic from my syslog host, and I was hoping to just translate it when the router initiated to it and had syslog data to send. Obviously the router does not know about the 10.1.1.x network, so I need a way to get it back into the inside network without affecting any internet traffic that is initiated from the syslog server. How can I best accomplish this?

acomiskey Thu, 10/18/2007 - 12:13

Give this a shot...

Router

logging 10.1.1.100

PIX

access-list nonat permit ip host 10.1.1.100 host 5.5.5.5

nat (inside) 0 access-list nonat

access-list outside_access_in permit udp host 5.5.5.5 host 10.1.1.100 eq syslog

access-group outside_access_in in interface outside

Hope it helps. Please rate helpful posts.

edit: Oh and one more thing, the outside router will need a route to the syslog server. Something like...

ip route 10.1.1.100 255.255.255.255 5.5.5.6
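The answer above combines three pieces: a nat 0 access-list exemption on the PIX so the 10.1.1.100 to 5.5.5.5 pair keeps its real address while everything else still goes out through interface PAT, an inbound ACL on the outside interface that admits only UDP 514 from the router, and a host route on the router so it knows where 10.1.1.100 lives. The following is an added Python model of that policy, not Cisco code and not part of the original thread; it reproduces the evaluation order so you can see which packets are exempted, which are translated to 5.5.5.6, and which the outside ACL rejects. The ISP next hop 203.0.113.1 and the inside subnet 10.1.1.0/24 are assumptions made for the example.

```python
"""Model of the PIX/router policy from the thread (added example, not Cisco code).
Addresses 10.1.1.100, 5.5.5.5 and 5.5.5.6 are the ones from the question;
203.0.113.1 (ISP next hop) is an assumption for the router's default route."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "ip" matches any protocol in an ACL entry
    dport: int = 0


# ACL entries: (protocol, source network, destination network, dest port or None)
# access-list nonat permit ip host 10.1.1.100 host 5.5.5.5
NONAT_ACL = [("ip", ip_network("10.1.1.100/32"), ip_network("5.5.5.5/32"), None)]
# access-list outside_access_in permit udp host 5.5.5.5 host 10.1.1.100 eq syslog
OUTSIDE_IN_ACL = [("udp", ip_network("5.5.5.5/32"), ip_network("10.1.1.100/32"), 514)]

OUTSIDE_IF_ADDR = "5.5.5.6"   # global (outside) 1 interface -> PAT address

# Router routing table: (prefix, next hop). The /32 is the added "ip route".
ROUTER_ROUTES = [
    (ip_network("0.0.0.0/0"), "203.0.113.1"),   # assumed ISP default route
    (ip_network("10.1.1.100/32"), "5.5.5.6"),   # ip route 10.1.1.100 255.255.255.255 5.5.5.6
]


def acl_match(acl, pkt):
    """First-match evaluation with the implicit deny at the end."""
    for proto, src_net, dst_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in src_net or ip_address(pkt.dst) not in dst_net:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return True
    return False


def outbound_source(pkt):
    """Inside -> outside: the source address the outside interface will see.
    nat (inside) 0 access-list is checked first; everything else is PAT'd
    to the outside interface address by nat (inside) 1 / global (outside) 1."""
    if acl_match(NONAT_ACL, pkt):
        return pkt.src
    return OUTSIDE_IF_ADDR


def inbound_allowed(pkt):
    """Outside -> inside, new connection: must pass outside_access_in and
    have an untranslated (nat 0) path to the real inside address.
    Return traffic of existing outbound PAT sessions is matched by the
    connection table first and never consults this ACL."""
    reverse = Packet(pkt.dst, pkt.src, pkt.proto)
    return acl_match(OUTSIDE_IN_ACL, pkt) and acl_match(NONAT_ACL, reverse)


def router_next_hop(dst, routes=ROUTER_ROUTES):
    """Longest-prefix match; returns None if no route covers dst."""
    candidates = [r for r in routes if ip_address(dst) in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


if __name__ == "__main__":
    web = Packet("10.1.1.100", "198.51.100.7", "tcp", 80)        # constructed
    print("web update leaves as", outbound_source(web))           # 5.5.5.6
    syslog = Packet("5.5.5.5", "10.1.1.100", "udp", 514)          # constructed
    print("router syslog admitted:", inbound_allowed(syslog))     # True
    print("router sends 10.1.1.100 via", router_next_hop("10.1.1.100"))
    print("without the /32 route it would go via",
          router_next_hop("10.1.1.100", ROUTER_ROUTES[:1]))        # the ISP, and be dropped
```

The model makes the two practical checks explicit: internet-bound traffic from the syslog host is still PAT'd to 5.5.5.6 because it does not match the nonat ACL, and anything from the outside other than UDP 514 from 5.5.5.5 hits the implicit deny on outside_access_in. It also shows why the router's host route matters: without it, 10.1.1.100 falls to the default route and the syslog datagrams leave toward the ISP instead of the PIX.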
