Internet Router Reachability --> PIX--> logging server

Unanswered Question
Aug 5th, 2008

Hi All,


I have a logging server with a private IP in the LAN, and I want the Internet router to log any events to this server. There is a PIX in between, and the server can see the PIX. On the Internet router I configured a static route pointing to the PIX outside interface. What else do I need to configure on the PIX to allow the Internet router to send syslog messages to the inside server?

Thank you


Marwan ALshawi Tue, 08/05/2008 - 18:41

Just create a static NAT/PAT.

The only thing you need to make sure about is the port number that is used by your syslog server.

Let's say it uses TCP port number 3200,

and your inside server behind the PIX is

Do the following on the PIX:

static(inside, outside) tcp interface 3200 3200 netmask

Then make an ACL to permit that port going to your PIX outside interface:

access-list 100 permit tcp any interface eq 3200

Apply this ACL to the PIX outside interface in the inbound direction:

access-group 100 in interface outside

assuming in the above example the syslog port is 3200.

Use whatever port or ports are used by the syslog server.

If you have more than one port,

create the same static PAT as above for each port number.

Good luck.

Please rate if helpful.

fortis123 Wed, 08/06/2008 - 12:20


Thank you. I tried to implement a lab scenario but I am not getting the alerts. The PIX is stopping the connection.

Please find the attached PIX & router configs. The syslog server is SolarWinds Network Monitoring System, and per the doc the syslog messages use udp/514.

Here are the messages from the PIX log:

106023: Deny udp src outside: dst inside:SYSLOG/514 by access-group "OUTIN"

106023: Deny udp src outside: dst inside:SYSLOG/514 by access-group "OUTIN"

106023: Deny udp src outside: dst inside:SYSLOG/514 by access-group "OUTIN"

Please review and suggest.

Thank you


Marwan ALshawi Wed, 08/06/2008 - 18:19

You have a problem with your OUTIN ACL.

Remove the following line:

no access-list OUTIN permit udp interface outside eq syslog


Make it like:

access-list OUTIN permit udp any interface outside eq syslog

Good luck.

Please rate if helpful.

fortis123 Wed, 08/06/2008 - 18:41

OK, I will give it a shot. But does using traffic from 'any' not cause a security risk?



Marwan ALshawi Wed, 08/06/2008 - 19:32

Sure, it is not secure.

For more security, put the exact source IP address.

The mistake you have is that you put the server itself as the source IP address, while it should be the destination,

and because you have a static NAT to the interface,

you have to use the interface as the destination.

In this case, when the packet comes to the outside interface it should first be permitted by an ACL;

then the ASA will do the NATing and make the static NAT (mapping) to your internal server.

Good luck.

Please rate if helpful.
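The order of operations Marwan describes above (outside-interface ACL first, matched against the address as it arrives on the outside, then the static translation to the inside host) is the reason the original ACE with the inside server as destination never matched. The following is an added example, not code from the thread or from Cisco: a small Python model of that inbound path on a PIX 7.x / ASA before 8.3, run against the poster's broken ACE and the corrected one, plus a parser for the 106023 deny lines so the blocking access-group can be pulled out of a log. All addresses (203.0.113.1 for the router, 203.0.113.2 for the PIX outside interface, 10.1.1.50 for the syslog server) and the sample log line are constructed for illustration.

```python
# Added example: model of PIX 7.x / pre-8.3 ASA inbound processing on the outside
# interface. The interface ACL is evaluated against the destination address as it
# appears on the wire (the mapped/global address); only a permitted packet is then
# un-translated by a matching static. Addresses below are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry. src/dst are 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Static:
    """static (inside,outside) <proto> <mapped_ip> <mapped_port> <real_ip> <real_port>"""
    proto: str
    mapped_ip: str         # outside interface address or a dedicated public address
    mapped_port: int
    real_ip: str           # the inside (private) host
    real_port: int


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(ip) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def acl_lookup(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; an applied access-group ends with an implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if _addr_match(ace.src, src) and _addr_match(ace.dst, dst):
            return ace.action
    return "deny"


def inbound_path(aces: List[Ace], statics: List[Static], proto: str,
                 src: str, dst: str, dport: int) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Return ('deny', None), ('no-xlate', None) or ('permit', (real_ip, real_port))."""
    # Step 1: the outside ACL sees the mapped destination, never the inside address.
    if acl_lookup(aces, proto, src, dst, dport) != "permit":
        return ("deny", None)
    # Step 2: a matching static un-translates the destination to the inside host.
    for s in statics:
        if s.proto == proto and s.mapped_ip == dst and s.mapped_port == dport:
            return ("permit", (s.real_ip, s.real_port))
    return ("no-xlate", None)   # permitted, but nothing maps it to an inside host


# Parser for the %PIX-4-106023 deny message: extracts the blocking access-group.
DENY_RE = re.compile(
    r'106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line: str) -> Optional[dict]:
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


# Constructed topology (not the poster's real addresses).
ROUTER = "203.0.113.1"        # Internet router, the syslog source
PIX_OUTSIDE = "203.0.113.2"   # PIX outside interface address
SYSLOG = "10.1.1.50"          # inside syslog server, private address

STATICS = [Static("udp", PIX_OUTSIDE, 514, SYSLOG, 514)]

# The poster's original ACE: destination is the inside server's own address.
BROKEN_OUTIN = [Ace("permit", "udp", "any", f"host {SYSLOG}", 514)]
# The corrected ACE: destination is the outside interface, source pinned to the router.
FIXED_OUTIN = [Ace("permit", "udp", f"host {ROUTER}", f"host {PIX_OUTSIDE}", 514)]

# Constructed sample of the deny line seen in the thread, with addresses filled in.
SAMPLE_LOG = ('%PIX-4-106023: Deny udp src outside:203.0.113.1/49152 '
              'dst inside:SYSLOG/514 by access-group "OUTIN"')


def check(aces: List[Ace]) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Router sends a syslog datagram to the PIX outside address on udp/514."""
    return inbound_path(aces, STATICS, "udp", ROUTER, PIX_OUTSIDE, 514)


if __name__ == "__main__":
    print("log line  :", parse_deny(SAMPLE_LOG))
    print("broken ACE:", check(BROKEN_OUTIN))
    print("fixed ACE :", check(FIXED_OUTIN))
```

With the broken ACE the model returns a deny before any translation happens, which is exactly what the 106023 lines in the thread record; with the corrected ACE the packet is permitted and then mapped to the inside server. The parser is handy for scanning a PIX log for every access-group that is dropping udp/514 before touching the configuration.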

fortis123 Thu, 08/07/2008 - 04:49

OK. I got lucky only when I used a separate public IP for the syslog server with static NAT, and it worked well with both 'host ip' and 'any'.

Thank you for your time.
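The two working configurations that come out of the thread, written out as an added example (not the posters' attached configs): variant A is the static PAT to the outside interface address with the ACL destination set to the interface, as Marwan corrected it; variant B is the dedicated public address that the original poster reported working. The addresses (203.0.113.1 router, 203.0.113.2 PIX outside, 203.0.113.10 dedicated public address, 10.1.1.50 syslog server), the `SYSLOG` name, the router interface name and the router's logging lines are all assumptions; use only one variant.

```cisco
! ---- Internet router (IOS) -------------------------------------------
! Send syslog to the PIX outside address (variant A) from a fixed source
! address, so the PIX ACL can be pinned to exactly that host.
logging trap informational
logging source-interface FastEthernet0/0
logging host 203.0.113.2
! (variant B: logging host 203.0.113.10 instead)

! ---- PIX 7.x, variant A: static PAT to the outside interface ---------
names
name 10.1.1.50 SYSLOG
static (inside,outside) udp interface 514 SYSLOG 514 netmask 255.255.255.255
! The inbound ACL on outside is matched against the mapped address, so the
! destination is the interface, not SYSLOG. Source is the router, not "any".
access-list OUTIN permit udp host 203.0.113.1 interface outside eq syslog
access-group OUTIN in interface outside

! ---- PIX 7.x, variant B: dedicated public address for the server ------
names
name 10.1.1.50 SYSLOG
static (inside,outside) 203.0.113.10 SYSLOG netmask 255.255.255.255
access-list OUTIN permit udp host 203.0.113.1 host 203.0.113.10 eq syslog
access-group OUTIN in interface outside
```

In both variants the ACE names the mapped (public) address as the destination; an ACE whose destination is `host SYSLOG` is never consulted for inbound traffic on this software and produces the 106023 denies shown earlier. Restricting the source to the router's address instead of `any` answers the security concern raised in the thread: nothing else on the Internet can reach udp/514 on the inside server. After applying, `show xlate` should list the udp/514 translation and the 106023 messages for OUTIN should stop.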


