Syslog over VPN with NAT

jarridgraham
Level 1

Hi, what I have is an ASA box sending the syslogs over the VPN. That part works: I have the VPN up, the management interface set to inside, and all is well. However, when I use a static NAT to change the network behind the ASA to a new IP scheme it no longer works. I have a bunch of sites and they all have overlapping networks. The NAT and the VPNs all work fine except I lose the ability to contact the ASA by the new IP. I am guessing it does not NAT its own traffic; I don't have any way to know.

Thanks,

Jarrid Graham

13 Replies

Jennifer Halim
Cisco Employee

Correct, the ASA does not NAT its own interface IP by design.

Yes, that does make sense; it kind of reminds me of how I was never able to do DHCP relay over VPN. Is it sending it out the outside interface with the inside IP? Any idea if it is possible, or, even though I don't want to, should I write a syslog redirector and run it on a PC?

If you have other interfaces which do not have the overlapping address, you can always use the other interfaces and include that in the crypto ACL.

And you can always specify the interface within the syslog command and it will source the syslog from that interface:

eg:

logging host dmz 10.10.10.10

Let me see if I have this right: most of my ASA units are the base units, so I can make a new interface, restrict flow to say inside, then add a NAT exempt for it and add it to the crypto map to send it over, then add the command like you specified with the remote syslog server. If this is the case then I may have another problem, which is that the other endpoint is a Linux box running Openswan, but I'll figure that part out.

Spot on, you got that absolutely correct.

Alright, I guess my next problem is that when I assign the new interface to an Ethernet port, I don't have any that the link is up on (or need to be, really). I keep getting that my new interface is in shutdown; I issued the no shutdown command but I still get that. Of course it is down, along with the line protocol.

Yes, you would need to connect it to something which is up, maybe connect it to a switch with that VLAN configured to bring the interface up.

Well, thanks for all the help, but I am not going to be able to use this method; I am not going to be able to connect a cable at all the sites. I don't know if I can just wire an RJ-45 as a loopback plug, maybe, but still not a good method. Also, when I reconfigure my Linux box with both the networks it does not add the second network and I lose ASDM; I guess I shouldn't have changed the management interface. Is there any other method? What I was wondering: does it send the syslog with the ASA outside interface IP to the remote syslog IP? If so, can or would a static NAT work, with the original on the outside with the ASA IP and the destination of the syslog, translating to a single IP on the VPN network back on the outside interface... Seems like a simple thing to ask to do. I kind of understand what is going on, but it seems there needs to be a check box to say this syslog server is over a VPN and it takes care of all the magic.

Yes, you can send the syslog with the ASA outside interface through the VPN, however, you would need to add the ASA outside interface IP to your crypto ACL.

Is the site-to-site between 2 ASA?
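Putting both options above (a dedicated non-overlapping interface in the crypto ACL, or the outside interface IP in the crypto ACL) into ASA configuration, as an added example that is not from either poster. The interface names, VLAN numbers, the 10.20.20.0/24 subnet, the syslog host 10.10.10.10, the outside IP 203.0.113.2 and the crypto-map name are assumptions; the NAT line uses 8.3+ syntax and the VLAN restriction applies to a 5505 base license.

```text
! --- Added example, not from the thread. Assumed: ASA 5505 base license
! with VLAN interfaces, 8.3+ NAT syntax, syslog host 10.10.10.10 behind the
! Linux/Openswan peer, new syslog-source subnet 10.20.20.0/24, existing
! crypto map OUTSIDE_MAP. Adjust names and addresses to the site.

! Option 1: dedicated, non-overlapping interface to source syslog from.
!   Base license: the third VLAN may only talk to one other VLAN, hence
!   "no forward interface Vlan1" (must precede nameif).
interface Vlan3
 no forward interface Vlan1
 nameif syslogsrc
 security-level 50
 ip address 10.20.20.1 255.255.255.0
 no shutdown
! A member port must have link, or the interface stays down and the ASA
! will not source traffic from it (the problem raised later in the thread).
interface Ethernet0/7
 switchport access vlan 3
 no shutdown

! Identity (exempt) NAT so the syslog source keeps its real address
! on the way into the tunnel.
object network SYSLOG-SRC-NET
 subnet 10.20.20.0 255.255.255.0
object network SYSLOG-HOST
 host 10.10.10.10
nat (syslogsrc,outside) source static SYSLOG-SRC-NET SYSLOG-SRC-NET destination static SYSLOG-HOST SYSLOG-HOST no-proxy-arp route-lookup

! Add the new subnet to the crypto ACL; the peer must mirror this subnet.
access-list VPN-CRYPTO extended permit ip 10.20.20.0 255.255.255.0 host 10.10.10.10
crypto map OUTSIDE_MAP 10 match address VPN-CRYPTO

! Source syslog from that interface (UDP/514 unless changed).
logging enable
logging trap informational
logging host syslogsrc 10.10.10.10

! Option 2: keep the outside interface as the source. No NAT is involved;
! the outside IP itself must be in the crypto ACL on both ends.
! access-list VPN-CRYPTO extended permit ip host 203.0.113.2 host 10.10.10.10
! logging host outside 10.10.10.10
```

Whichever option is used, the Openswan side needs a matching leftsubnet/rightsubnet pair for the new source address, or the packets will leave the ASA in the clear rather than inside the tunnel.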

Well, no; basically all the remote sites are ASA units and my end is the Linux box. So far I have pretty much been able to do whatever I need, but I just have to test more sometimes to get it working. I can just tell most of the time traffic does not go in the tunnel, but I am sure it is something that can be figured out. I'll try with the outside through the VPN. Can that be NATted, or do you just have to send it as is with the source IP of the outside and fix it on the other end? I sadly don't have another ASA to work with for testing, so it makes it a little harder.

If your Linux server is the VPN server, and you advised earlier that it can't add an additional subnet in the crypto ACL, then you won't be able to add the ASA outside interface into the crypto ACL, right? Maybe time to change the Linux server to another ASA.

Ha! This is true, but then it would just work and all would be well. I hope to have a test ASA on the way; sometimes it can be a bad idea testing stuff on a device 200 miles away. I think I can add the second address, but since I have never tried that I am not sure; I'll figure it out. I am mostly glad you were able to confirm that my thoughts on the process were pretty close at least. I do thank you for your time. For the moment I have used a TCP redirector on a PC at the site; while this works, it is just another piece of software to keep up with.

Thanks

Jarrid

No problem.. let us know how it goes after your testing.
