Cisco Support Community

NAT issue

I have a need for our internet router to send syslog to a server on the inside interface of a PIX firewall. The internet router connects to the outside interface of the PIX. The interface on the router that faces the PIX has an ip of and the outside interface of the PIX is The host address of the inside syslog server is, which is off the inside interface on the PIX.

Currently the PIX is configured with a NAT (1) with a global statement that uses the "interface" (outside address of PIX, or The syslog server has a need for internet connectivity for things like web updates, etc. I'd like to keep it so that it uses the existing NAT when connecting to the Internet. However, I need a way for the internet router to send its syslog through to the inside server. I figure I could do a static, but that would end up translating all traffic from my syslog host, and I was hoping to just translate it when the router initiated to it and had syslog data to send. Obviously the router does not know about the 10.1.1.x network, so I need a way to get it back into the inside network, without affecting any internet traffic that is initiated from the syslog server. How can I best accomplish this?


Re: NAT issue

Give this a shot...




access-list nonat permit ip host host

nat (inside) 0 access-list nonat

access-list outside_access_in permit udp host host eq syslog

access-group outside_access_in in interface outside

Hope it helps. Please rate helpful posts.

edit: Oh and one more thing, the outside router will need a route to the syslog server. Something like...

ip route
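
Added example, not part of the original thread or Cisco's code: because a `nat (inside) 0 access-list` exemption exposes the syslog server at its real address, this Python check flags exemption or outside-ACL entries wider than the single router-to-server syslog flow suggested in the reply. The addresses, the sample configs and the function names are assumptions made for illustration.

```python
import ipaddress
# Constructed samples; 192.0.2.1 (router) and 10.1.1.50 (server) are placeholders.
TIGHT = """\
access-list nonat permit ip host 10.1.1.50 host 192.0.2.1
nat (inside) 0 access-list nonat
access-list outside_access_in permit udp host 192.0.2.1 host 10.1.1.50 eq syslog
access-group outside_access_in in interface outside
"""
LOOSE = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat
access-list outside_access_in permit udp any host 10.1.1.50 eq syslog
access-list outside_access_in permit tcp any host 192.0.2.10 eq www
access-group outside_access_in in interface outside
"""

def take_addr(tok):
    """Pop one address spec ('any', 'host A' or 'A MASK') as an ip_network."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    second = tok.pop(0)
    return ipaddress.ip_network(second if first == "host" else f"{first}/{second}", strict=False)

def audit(config, server, router):
    """Flag permits that expose `server` to more than syslog from `router`."""
    srv, rtr = ipaddress.ip_network(server), ipaddress.ip_network(router)
    acls, bound, findings = {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:3] == ["permit"]:
            proto, rest = tok[3], tok[4:]
            src, dst = take_addr(rest), take_addr(rest)  # rest keeps the port part
            acls.setdefault(tok[1], []).append((line, proto, src, dst, rest))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"]:
            bound.append(("nat0", tok[4]))
        elif tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", "outside"]:
            bound.append(("outside", tok[1]))
    for kind, name in bound:
        for line, proto, src, dst, rest in acls.get(name, []):
            if kind == "nat0":  # source is the inside host, destination the peer
                ok = (proto, src, dst) == ("ip", srv, rtr)
            elif not srv.subnet_of(dst):  # entry cannot reach the server
                continue
            else:
                ok = (proto, src, dst) == ("udp", rtr, srv) and rest in (["eq", "syslog"], ["eq", "514"])
            if not ok:
                findings.append(f"{name}: {line.strip()}")
    return findings
```

`audit(TIGHT, "10.1.1.50", "192.0.2.1")` returns no findings, while the `LOOSE` sample yields one finding for the subnet-wide exemption and one for the `any` source on the syslog permit.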