Cisco Support Community
New Member

Internet Router Reachability --> PIX--> logging server

Hi All,

Scenario:

I have a logging server with a private IP in the LAN and I want the Internet router to log any events to this server. There is a PIX in between and the server can see the PIX. On the Internet router I configured a static route pointing to the PIX outside interface. What else do I need to configure on the PIX to allow the Internet router to send syslog messages to the inside server?

Thank you

MS

9 REPLIES

Re: Internet Router Reachability --> PIX--> logging server

Just create a static NAT/PAT.

The only thing you need to make sure about is the port number that is used by your syslog server.

Let's say it uses TCP port number 3200

and your inside server behind the PIX is 10.1.1.1.

Do the following on the PIX:

static (inside,outside) tcp interface 3200 10.1.1.1 3200 netmask 255.255.255.255

Then make an ACL to permit that port going to your PIX outside interface:

access-list 100 permit tcp any interface outside eq 3200

Apply this ACL to the PIX outside interface in the inbound direction:

access-group 100 in interface outside

Assuming in the above example the syslog port is 3200;

use whatever port or ports are used by the syslog server.

If you have more than one port,

create the same static PAT as above for each port number.

Good luck.

Please rate if helpful.

New Member

Re: Internet Router Reachability --> PIX--> logging server

Hi,

Thank you. I tried to implement a lab scenario but I am not getting the alerts. The PIX is stopping the connection.

Please find the attached PIX & router configs. The syslog server is SolarWinds Network Monitoring System and per the doc the syslog messages use udp:514.

Here are the messages from the PIX log:

106023: Deny udp src outside:63.15.25.237/52154 dst inside:SYSLOG/514 by access-group "OUTIN"

106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"

106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"

Please review and suggest.

Thank you

MS
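As an added example (not from the thread), a small Python parser for the 106023 deny lines quoted above: it counts denied UDP flows to the syslog port per source, destination and access-group, so an operator can confirm which ACL is dropping the router's syslog before changing rules. The sample log is constructed from the three lines in the post plus one unrelated deny with a hypothetical address.

```python
import re
from collections import Counter

# Regex for the PIX/ASA 106023 deny message quoted in the post above. The
# "%PIX-4-" prefix is optional because the post omits it; the destination
# may be a name such as SYSLOG, set with the PIX "name" command.
DENY_RE = re.compile(
    r"(?:%PIX-\d-)?106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line):
    """Return the fields of one 106023 deny line as a dict, or None."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def denied_syslog_flows(lines, syslog_port=514):
    """Count denied UDP flows to the syslog port, keyed by (src, dst, acl)."""
    counts = Counter()
    for line in lines:
        d = parse_deny(line)
        if d and d["proto"] == "udp" and d["dport"] == syslog_port:
            counts[(d["src"], d["dst"], d["acl"])] += 1
    return counts

def summarize(counts, syslog_port=514):
    """One readable line per denied (src, dst, acl) flow, sorted."""
    return [
        f"{src} -> {dst}/{syslog_port} denied {n}x by access-group {acl}"
        for (src, dst, acl), n in sorted(counts.items())
    ]

# Constructed sample: the three lines from the post plus one unrelated deny
# (hypothetical RFC 5737 address) that must not be counted as syslog.
SAMPLE_LOG = [
    '106023: Deny udp src outside:63.15.25.237/52154 dst inside:SYSLOG/514 by access-group "OUTIN"',
    '106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"',
    '106023: Deny udp src outside:63.15.25.237/51663 dst inside:SYSLOG/514 by access-group "OUTIN"',
    '106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.1.1.1/23 by access-group "OUTIN"',
]
```

Running `summarize(denied_syslog_flows(SAMPLE_LOG))` yields a single line showing three denies from 63.15.25.237 to SYSLOG/514 by OUTIN, which matches the helper's diagnosis that the OUTIN ACL, not the NAT, is the blocker.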

Re: Internet Router Reachability --> PIX--> logging server

You have a problem with your OUTIN ACL.

Remove the following line:

no access-list OUTIN permit udp 63.15.25.232 255.255.255.248 interface outside eq syslog

Then

make it like:

access-list OUTIN permit udp any interface outside eq syslog

Good luck.

Please rate if helpful.

New Member

Re: Internet Router Reachability --> PIX--> logging server

OK, will give it a shot. But doesn't using traffic from 'any' cause any security risk?

Thanks

MS

Re: Internet Router Reachability --> PIX--> logging server

Sure, it is not secure.

For more security, then,

put the exact source IP address.

The mistake you have is that you put the server itself as the source IP address while it should be the destination,

and because you have static NAT to the interface

you have to use the interface as the destination.

In this case, when the packet comes to the outside interface it should first be permitted by an ACL,

then the ASA will do the NATing and will make the static NAT (mapping) to your internal server.

Good luck.

If helpful, rate.

New Member

Re: Internet Router Reachability --> PIX--> logging server

OK, I got lucky only when I used a separate public IP for the syslog server with static NAT, and it worked well with both 'host ip' and 'any'.

Thank you for your time.

MS

Re: Internet Router Reachability --> PIX--> logging server

Could you please post your current config?

New Member

Re: Internet Router Reachability --> PIX--> logging server

Straightforward: using the public IP as the logging host.

Please see the attached.

New Member

Re: Internet Router Reachability --> PIX--> logging server

PIX config missed in the above posting; refer to this...
