Cisco Support Community

New Member

Cisco ASA won't send Syslog out management interface

I have been trying to get my ASA to send syslog out of the management interface without any luck. When I do a packet tracer it says that the global implicit deny rule is blocking it, but I tried to add a permit all in front of it and it still blocks it. Everything is configured correctly from what I can tell and the static routes and routing are correct. This has me baffled. Does anyone know what might be causing this or what I should look at in the config to get this working?

5 REPLIES
VIP Green

Re: Cisco ASA won't send Syslog out management interface

Have you removed the management-only command from the interface?

interface mgmt0/0

no management-only

--

Please rate all helpful posts.

--

Please remember to rate and select a correct answer
VIP Green

Re: Cisco ASA won't send Syslog out management interface

If you have removed that command, please post a full sanitized running config of your ASA.

New Member

Cisco ASA won't send Syslog out management interface

Yes, we removed the management-only command and have tried pretty much everything.

VIP Green

Cisco ASA won't send Syslog out management interface

Could you please post a full sanitized running config of your ASA?

New Member

Re: Cisco ASA won't send Syslog out management interface

Hi Mark,
Talking of packet tracer, it would give you correct output for through-the-box traffic, not for to-the-box or from-the-box traffic.

So firstly we have two questions:

1) Is this through-the-box traffic? Then you need to permit the traffic through an ACL (if from lower sec level to higher) and add a NAT statement (depending on the ASA IOS version you are using; anything above 8.2.5 won't require a NAT).
2) If this is a syslog-from-the-firewall scenario, then you need to make sure to get the following logging configuration on the ASA:

-enable logging
-logging host management X.X.X.X -------- (X.X.X.X is the IP of the syslog server)
-logging trap debugging ---------- (debugging is the level; you could use any other too, but to check I would suggest this one)


-Further if you have already sorted out till here, get us the following outputs:

-show run
-show logging
-show logging queue

      

Hope it helps

Cheers,

Naveen

Please Rate Helpful posts.
