Internet Router Reachability --> PIX--> logging server

fortis123
Level 1

Hi All,

Scenario:

I have a logging server with a private IP in the LAN and I want the Internet router to log any events to this server. There is a PIX in between and the server can see the PIX. On the Internet router I configured a static route pointing to the PIX outside interface. What else do I need to configure on the PIX to allow the Internet router to send syslog messages to the inside server?

Thank you

MS

9 Replies

Marwan ALshawi
VIP Alumni

Just create a static NAT/PAT.

The only thing you need to make sure about is the port number that is used by your syslog server.

Let's say it uses TCP port number 3200

and your inside server behind the PIX is 10.1.1.1.

Do the following on the PIX:

static (inside,outside) tcp interface 3200 10.1.1.1 3200 netmask 255.255.255.255

Then make an ACL to permit that port going to your PIX outside interface:

access-list 100 permit tcp any interface outside eq 3200

Apply this ACL to the PIX outside interface in the inbound direction:

access-group 100 in interface outside

Assuming in the above example the syslog port is 3200;

use whatever port or ports are used by the syslog server.

If you have more than one port,

create the same static PAT as above for each port number.

good luck

Please rate if helpful.

Hi,

Thank you. I tried to implement a lab scenario but I am not getting the alerts. The PIX is stopping the connection.

Please find the attached PIX & router configs. The syslog server is SolarWinds Network Monitoring System, and per the doc the syslog messages use udp/514.

Here are the messages from the PIX log:

106023: Deny udp src outside:63.15.25.237/52154 dst inside:SYSLOG/514 by access-group "OUTIN"

106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"

106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"

Please review and suggest.

Thank you

MS

You have a problem with your OUTIN ACL.

Remove the following line:

no access-list OUTIN permit udp 63.15.25.232 255.255.255.248 interface outside eq syslog

Then

make it like:

access-list OUTIN permit udp any interface outside eq syslog

good luck

Please rate if helpful.

OK, will give it a shot. But does using traffic from 'any' not cause any security risk?

Thanks

MS

Sure, it is not secure.

For more security, then,

put the exact source IP address.

The mistake you have is that you have put the server itself as the source IP address while it should be the destination,

and because you have a static NAT to the interface

you have to use the interface as the destination.

In this case, when the packet comes to the outside interface it should first be permitted by an ACL,

then the ASA will do the NATing and will make a static NAT (mapping) to your internal server.

Good luck.

If helpful, rate.
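To tie the two points above together (reading the 106023 deny messages posted earlier, and the advice to permit only the exact source host with the PIX outside interface as the destination), here is an added Python example; it is not from the thread or from Cisco. It parses PIX 106023 lines in the exact form quoted in this thread, groups them into denied flows, and builds the tightened ACE for the one service the administrator actually intends to expose. The fourth sample line (a telnet deny from 198.51.100.7) is constructed so the grouping has something to separate; the interface name "outside", the ACL name "OUTIN" and the resolved host name SYSLOG are taken from the thread.

```python
import re
from collections import Counter

# Pattern for PIX message 106023 as quoted in this thread, e.g.
# 106023: Deny udp src outside:63.15.25.237/52154 dst inside:SYSLOG/514 by access-group "OUTIN"
# The dst host may be a name (SYSLOG) that the PIX resolved from its "name" table.
DENY_106023 = re.compile(
    r'106023:\s+Deny\s+(?P<proto>tcp|udp|icmp)\s+'
    r'src\s+(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+)\s+'
    r'dst\s+(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)\s+'
    r'by\s+access-group\s+"(?P<acl>[^"]+)"'
)

# Constructed sample: the three deny lines from the thread plus one unrelated
# (constructed) telnet deny, so that the grouping has something to separate.
SAMPLE_LOG = """\
106023: Deny udp src outside:63.15.25.237/52154 dst inside:SYSLOG/514 by access-group "OUTIN"
106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"
106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"
106023: Deny tcp src outside:198.51.100.7/40000 dst inside:SYSLOG/23 by access-group "OUTIN"
"""

# Keywords the PIX accepts in an ACE in place of the port number.
PORT_KEYWORDS = {("udp", 514): "syslog", ("tcp", 23): "telnet", ("tcp", 22): "ssh"}


def parse_denies(text):
    """Return one dict per 106023 line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_106023.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def denied_flows(events):
    """Collapse events into flows, dropping the ephemeral source port."""
    return Counter(
        (e["acl"], e["proto"], e["src"], e["dst"], e["dport"]) for e in events
    )


def suggest_ace(acl, proto, src, dport, outside_if="outside"):
    """Build the ACE the reply above describes: exact source host, and, because
    the static PAT lands on the PIX outside interface, 'interface <outside_if>'
    as the destination rather than the inside server address."""
    port = PORT_KEYWORDS.get((proto, dport), str(dport))
    return f"access-list {acl} permit {proto} host {src} interface {outside_if} eq {port}"


def aces_for_wanted(flows, wanted):
    """Suggest ACEs only for services in `wanted` (a set of (proto, port));
    every other denied flow is left denied and returned for review."""
    suggested, review = [], []
    for (acl, proto, src, dst, dport), count in flows.most_common():
        if (proto, dport) in wanted:
            suggested.append(suggest_ace(acl, proto, src, dport))
        else:
            review.append((count, proto, src, dst, dport, acl))
    return suggested, review


if __name__ == "__main__":
    flows = denied_flows(parse_denies(SAMPLE_LOG))
    # Only syslog over udp/514 is meant to reach the inside server.
    aces, leftover = aces_for_wanted(flows, wanted={("udp", 514)})
    for ace in aces:
        print("suggested:", ace)
    for count, proto, src, dst, dport, acl in leftover:
        print(f"still denied ({count}x): {proto} {src} -> {dst}/{dport} by {acl}")
```

Running it prints one suggested ACE for the router's syslog flow and lists the constructed telnet deny as still denied; the suggestion deliberately reuses the exact source host from the log rather than 'any', which is the narrower form the thread settles on.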

OK, I got lucky only when I used a separate public IP for the syslog server with static NAT, and it worked well with both 'host ip' and 'any'.

Thank you for your time.

MS

Could you please post your current config?

Straightforward: using a public IP as the logging host.

Please see the attached..

The PIX config was missed in the above posting; refer to this...
