ASA 5505 Syslog configuration.

Unanswered Question
May 29th, 2009

syslog configuration.

unable to getting logs from server.....

I am getting error in ASA5505-FW#sh logging as mentioned below.

May 29 2009 02:08:19 172.26.8.254 : %ASA-3-710003: TCP access denied by ACL from

172.26.8.3/1594 to inside:172.26.8.254/23

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
John Blakley Fri, 05/29/2009 - 05:33

Where are your acl's at on the firewall? Do you have your firewall configured in transparent mode?

HTH,

John

Kureli Sankar Fri, 05/29/2009 - 17:01

May 29 2009 02:08:19 172.26.8.254 : %ASA-3-710003: TCP access denied by ACL from 172.26.8.3/1594 to inside:172.26.8.254/23

So you are unable to telnet from 172.26.8.3 PC to the ASA's inside interface 172.26.8.254? You do not have the line "telnet 0 0 inside"

You need help with that or do you need help with configuring a syslog server.

Flow this link for configuring syslog server.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1064726

If you need assistance to configure the asa for telnet access pls. read here.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1054101

ntmanjunath Mon, 06/01/2009 - 22:18

I have done the configuration as per the ulr.The same error is getting. Please check the configuration and confirm anything needs to update.

interface Vlan1

nameif inside

security-level 100

ip address 172.26.8.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.97.37.221 255.255.255.0

!

interface Vlan3

no nameif

no security-level

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

ftp mode passive

clock timezone IST 5 30

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit tcp any host 10.97.37.229 eq 3389

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit tcp any host 10.97.37.229 eq 445

access-list 100 extended permit tcp any host 10.97.37.221 eq telnet

access-list 100 extended permit tcp any host 10.97.37.229 eq ftp

access-list nonat extended permit ip any 192.168.200.0 255.255.255.192

access-list split_tunnel standard permit 172.26.8.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging standby

logging console alerts

logging monitor informational

logging buffered errors

logging trap errors

logging history emergencies

logging asdm informational

logging mail alerts

logging device-id ipaddress inside

logging host inside 172.26.8.3

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.200.1-192.168.200.62 mask 255.255.255.192

ip audit attack action

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.97.37.229 172.26.8.3 netmask 255.255.255.255

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 10.97.37.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

snmp-server host inside 172.26.8.3 community Airtel

no snmp-server location

no snmp-server contact

snmp-server community Airtel

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec transform-set airtel esp-3des esp-sha-hmac

crypto dynamic-map bharti 10 set transform-set airtel

crypto dynamic-map bharti 10 set security-association lifetime seconds 288000

crypto dynamic-map bharti 10 set reverse-route

crypto map bharti 10 ipsec-isakmp dynamic bharti

crypto map bharti interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp nat-traversal 20

telnet 172.26.8.0 255.255.255.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config inside

!

ntp server 172.26.8.3

group-policy VPNclient internal

group-policy VPNclient attributes

dns-server value 10.40.10.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel

default-domain value netsol.com

username manju password sa8Cy29xTh/4YFVH encrypted

tunnel-group IPsecVPN type ipsec-ra

tunnel-group IPSecVPN type ipsec-ra

tunnel-group VPNclient type ipsec-ra

tunnel-group VPNclient general-attributes

address-pool vpnpool

default-group-policy VPNclient

tunnel-group VPNclient ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

Actions

This Discussion