
Write syslog of ASA 5505 to syslog server over VPN tunnel?

MJonkers
Level 1

Hi,

Is it possible to let the ASA 5505 write its syslog messages to a syslog server on the central network where the ASA 5550 is (over the IPsec tunnel)?

I tried this. The tunnel is up but I get the message Routing failed to locate next hop for udp from NP (ASA 5505 ip) to inside: (syslog server ip).

thx,

Marc

1 Accepted Solution

Mjonkers,

I would like to suggest that you configure the inside interface as the management-access interface. Include the inside interface IP and syslog server IP address in the NAT 0 ACL and crypto ACLs.

You can check out "management-access", for when you want to manage an ASA on its inside interface through the VPN, in the 7.2 command reference below:

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/command/reference/m_72.html#wp1780826

I am currently running the VPN configuration on 8.2 and SNMP polling is working.

Hope this helps.

Thanks
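
Added example, not part of the original posts: the accepted suggestion written out for both ends of the tunnel, in the pre-8.3 NAT syntax that matches the 7.2/8.2 releases mentioned above. The ACL and crypto map names, the sequence number and all addresses are placeholders (documentation ranges), not values from this thread.

```cisco
! ---- ASA 5505 (remote site) ----
! Placeholders (assumptions, not from the thread):
!   192.0.2.1      = 5505 inside interface IP
!   198.51.100.50  = syslog server on the central network
!   VPN-TRAFFIC, NONAT, OUTSIDE-MAP = names of the ACLs / crypto map already in use

! Let the ASA source management traffic from its inside interface over the VPN
management-access inside

! Add inside-interface-IP -> syslog-server to the crypto ACL and the NAT 0 ACL
access-list VPN-TRAFFIC extended permit ip host 192.0.2.1 host 198.51.100.50
access-list NONAT extended permit ip host 192.0.2.1 host 198.51.100.50
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC

! Point logging at the server via the inside interface, not outside
logging enable
logging trap informational
logging host inside 198.51.100.50

! ---- ASA 5550 (central site) ----
! Mirror image of the 5505 entries: syslog server -> 5505 inside IP
access-list VPN-TRAFFIC extended permit ip host 198.51.100.50 host 192.0.2.1
access-list NONAT extended permit ip host 198.51.100.50 host 192.0.2.1
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC

! ---- Checks on the 5505 ----
! show logging           (logging enabled, server listed on interface inside)
! show crypto ipsec sa   (an SA covering 192.0.2.1 <-> 198.51.100.50, encaps counter rising)
```

If the existing crypto and NAT 0 ACLs already cover the whole inside subnets on both sides, the host entries are redundant and only `management-access inside` and `logging host inside` need to be added.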



5 Replies

acomiskey
Level 10

Yes, this is possible. Since the source of the syslog messages will be the outside interface of the 5505, add this traffic to your crypto acl for the tunnel.

5505

access-list extended permit ip host <5505.outside.ip.address> host

logging host outside

5550

access-list extended permit ip host host <5505.outside.ip.address>

access-list extended permit ip host host <5505.outside.ip.address>

Hi, I have no luck with this. There are no syslog messages coming in from the ASA 5505. Any suggestions?

thx,

Marc

The 5505 has internal 137.x.x.x, outside a 10.x.x.x NATted on an ADSL router which has 85.x.x.x.

The 5550 has 137.x.x.x inside and another 137.x.x.x for the outside in another VLAN.

Which one must I use?

thx,

Marc

Could you post clean configs from both ASAs?
