Cisco Support Community

New Member

Is it possible to route syslog traffic through Management Interface ?

Hello Everyone,

I have my ASA (5512 running 9.0(2)) at X.X.2.20 and my syslog server is at X.X.3.16. Will it be possible to send the syslog traffic through my management interface?

i.e., logging host management X.X.3.16

Will this be possible, or should I mention my inside interface for logging?

5 REPLIES
Super Bronze

Is it possible to route syslog traffic through Management Interface ?

Hi,

Where is the Syslog server IP located according to the ASA routing table?

- Jouni

New Member

Is it possible to route syslog traffic through Management Interface ?

Hello Jouni,

My syslog server is at one location (branch office) and the firewall is at the main office.

This is my topology:

Firewall<----------->Internal Router<----------->branch office router------->syslog server

The main office has the X.X.2.0 network and the branch office has the X.X.3.0 network.

I am sure that I can't use the management network to route the syslog traffic, but is there any way to do it? And will it be OK if I mention the inside interface instead of management in the command "logging host inside X.X.3.16" to route the syslog traffic to the server, or is there any extra configuration?

Thanks

--

Raj

Super Bronze

Is it possible to route syslog traffic through Management Interface ?

Hi,

If the Syslog server is located at the Branch office and Branch office network is located behind your "inside" interface then you could use the "inside" interface in the "logging" command to send the Syslog through that interface.

- Jouni

Is it possible to route syslog traffic through Management Interface ?

The short answer is yes, but this is going to depend on the routing topology and IPS environment.   On older ASA hardware without IPS, you can turn off "management-only", which would allow secondary uses such as logging.  On new 5512-x hardware with IPS, you can't, and the logging has to go via some other interface.  If the firewall only has one IP address then it is presumably running in transparent mode; there would have to be a connected router or layer-3 switch which could forward packets from the x.x.2 subnet to x.x.3 subnet.  Also, management interfaces tend to be lower bandwidth than the main interfaces; depending on your traffic levels this is probably not a further obstacle.

Personally, I run my ASA 5525-x firewalls in routed mode, and am lucky enough to be able to put syslog servers on-link with them via connected interfaces.  However, as long as the routing topology will deliver the packets, the syslog server can be anywhere, even upstream of the outside interface.  An example configuration which might work in the situation you are describing:

  interface management0/0
    nameif management
    no management-only
    security-level 100
    ip address x.x.2.20 255.255.255.0
  logging host management x.x.3.16

-- Jim Leinweber, WI State Lab of Hygiene
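Both answers come down to the same rule: the interface named in "logging host <interface> <ip>" has to be the one through which the ASA's routing table actually reaches the syslog server. The following script is an added example, not code from either poster; it parses a constructed "show route" style table for the topology in this thread (placeholder 10.0.x.x addresses stand in for the redacted X.X prefix, and the route via 10.0.2.1 is an assumed internal-router hop) and checks a logging host line against it with a longest-prefix match.

```python
import ipaddress
import re

# Constructed sample of ASA "show route" output for the thread's topology:
# X.X.2.0/24 (main office) on the inside interface, X.X.3.0/24 (branch office)
# reached through the internal router, and a separate management subnet.
# 10.0.x.x / 192.0.2.x / 203.0.113.x are placeholders, not addresses from the post.
SHOW_ROUTE = """\
C    10.0.2.0 255.255.255.0 is directly connected, inside
C    192.0.2.0 255.255.255.0 is directly connected, management
S    10.0.3.0 255.255.255.0 [1/0] via 10.0.2.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

# code, network, mask, anything, ", <interface>" at end of line
ROUTE_RE = re.compile(
    r"^\S+\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+).*?,\s*(?P<iface>\S+)\s*$"
)


def parse_routes(text):
    """Return a list of (network, interface) tuples from show-route style lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["iface"]))
    return routes


def egress_interface(routes, host):
    """Longest-prefix match: the interface the ASA would use to reach host."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_logging_host(routes, logging_cmd):
    """Validate a 'logging host <iface> <ip>' line against the routing table."""
    _, _, iface, host = logging_cmd.split()[:4]
    actual = egress_interface(routes, host)
    if actual is None:
        return (False, f"no route to {host}")
    if actual != iface:
        return (False, f"{host} is reached via '{actual}', not '{iface}'")
    return (True, f"{host} is reached via '{iface}'")
```

With the branch subnet routed behind inside, "logging host inside 10.0.3.16" passes and "logging host management 10.0.3.16" is flagged, which is the mismatch the thread is about.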

New Member

Is it possible to route syslog traffic through Management Interface ?

Hello James,

Thank you for the response. I am working on the old ASA without IPS and it is running in routed mode.

It is not letting me push the command "no management-only". I think I need to use the inside interface to route this traffic.

Yet I am curious to know if we can still use the management interface to route this traffic.

Thanks for your help.

--

Raj
