Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Can ASA send it's syslogs over it's own IPsec tunnel?

I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?

I'd have to have a a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?

Appreciate any pointers

Cisco Employee

Re: Can ASA send it's syslogs over it's own IPsec tunnel?

* Yes, the ASA can source traffic which can be sent over an IPSec tunnel.

* For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).

* You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being source from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.

* You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.

* When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).

* you specific the interface off which the syslog server resides in the 'logging host' command.

In other words:

* say your syslog server has IP address which resides on the Internet.

* say your outside interface on your ASA has an ip address of

* say your syslog server is located at a remote operations center which reside on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host host' to mark traffic as interesting from the ASA to the syslog server.

* you will specify the outside interface in your 'logging host' command.


Because the syslog traffic is not transitting from one interface to another interface:

* you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server

* you do not need to configure NAT. An xlate is not required.

Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.



New Member

Re: Can ASA send it's syslogs over it's own IPsec tunnel?

Yep that did it. Thanks for the great post!

It still doesn't quite "compute" in my head that the src IP address of the pkts are the outside interface address of the crypto peer and this address is also the src address in the crypto map. I guess I need to understand the order of operations inside the PIX/ASA better.

As a side note would this approach also be required for router IOS? Actually now I think about it the logging cmd on IOS doesn't _require_ an interface parameter so things must be a little different under the covers.

thanks again

CreatePlease to create content