08-05-2008 05:34 PM
Hi All,
Scenario:
I have a logging server with a PVT IP in the LAN and I want the Internet router to log any events to this server. There is a PIX in between and the server can see the PIX. On the Internet router I configured a static route pointing to the PIX outside interface. What else do I need to configure on the PIX to allow the Internet router to send syslog messages to the inside server?
Thank you
MS
08-05-2008 06:41 PM
Just create a static NAT/PAT.
The only thing you need to make sure about is the port number that is used by your syslog server.
Let's say it uses TCP port number 3200
and your inside server behind the PIX is 10.1.1.1.
Do the following on the PIX:
static (inside,outside) tcp interface 3200 10.1.1.1 3200 netmask 255.255.255.255
Then make an ACL to permit that port going to your PIX outside interface:
access-list 100 permit tcp any interface outside eq 3200
Apply this ACL to the PIX outside interface in the inbound direction:
access-group 100 in interface outside
Assuming in the above example the syslog port is 3200;
use whatever port or ports are used by the syslog server.
If you have more than one port,
create the same static PAT as the above for each port number.
Good luck.
Please rate if helpful.
08-06-2008 12:20 PM
Hi,
Thank you. I tried to implement a lab scenario but am not getting the alerts. The PIX is stopping the connection.
Please find the attached PIX & router configs. The syslog server is 'Solarwinds Network Monitoring System' and per the doc the syslog messages use udp:514.
Here are the messages from the PIX log:
106023: Deny udp src outside:63.15.25.237/52154 dst inside:SYSLOG/514 by access-group "OUTIN"
106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"
106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"
Please review and suggest.
Thank you
MS
08-06-2008 06:19 PM
You have a problem with your OUTIN ACL.
Remove the following line:
no access-list OUTIN permit udp 63.15.25.232 255.255.255.248 interface outside eq syslog
THEN
make it like:
access-list OUTIN permit udp any interface outside eq syslog
Good luck.
Please rate if helpful.
08-06-2008 06:41 PM
OK, will give it a shot. But using traffic from 'any' does not cause any security risk?
Thanks
MS
08-06-2008 07:32 PM
Sure, it is not secure.
For more security, then
put the exact source IP address.
The mistake you have: you have put the server itself as the source IP address while it should be the destination,
and because you have static NAT to the interface
you have to use the interface as the destination.
In this case, when the packet comes to the outside interface it should first be permitted by an ACL,
then the ASA will go into the NATing and will make a static NAT (mapping) to your internal server.
Good luck.
If helpful, rate.
08-07-2008 04:49 AM
OK, I got lucky only when I used a separate public IP for the syslog server with static NAT, and it worked well with both 'host ip & any'.
Thank you for your time.
MS
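A consolidated version of the two configurations this thread converges on, added here as an example and not taken from the original posts: option A is the static PAT on the outside interface address plus the tightened ACL from the replies above, option B is the dedicated public IP the original poster ended up using. The inside server 10.1.1.1, the router source 63.15.25.237 (from the deny log) and UDP/514 come from the thread; everything in angle brackets is a placeholder.

```cisco
! ---- PIX side (pre-8.3 NAT syntax, as used throughout this thread) ----
! Option A: static PAT on the outside interface, one line per syslog port
static (inside,outside) udp interface 514 10.1.1.1 514 netmask 255.255.255.255
! Option B: dedicated public IP for the server (<syslog-public-ip> is a placeholder)
static (inside,outside) <syslog-public-ip> 10.1.1.1 netmask 255.255.255.255

! Weak rule from the thread: any Internet host may reach UDP/514 on the server
! access-list OUTIN permit udp any interface outside eq syslog
!
! Tightened rule: only the Internet router as source; the destination is the
! mapped address (the outside interface for option A), not the inside server,
! because the inbound ACL is checked before the static translation is applied
access-list OUTIN permit udp host 63.15.25.237 interface outside eq syslog
! Option B equivalent
! access-list OUTIN permit udp host 63.15.25.237 host <syslog-public-ip> eq syslog
access-group OUTIN in interface outside

! ---- Internet router side (IOS) ----
logging host <pix-outside-ip>            ! <syslog-public-ip> for option B
logging trap informational
logging source-interface <wan-interface> ! keep the source fixed at 63.15.25.237
```

With the `any` line commented out, a denied sender still shows up as a 106023 message with the real source address, which is the quickest way to confirm the ACL is matching the intended host.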
08-07-2008 04:54 AM
Could you please post your current config?
08-07-2008 09:10 AM
08-07-2008 09:13 AM