
TFTP/SYSLOG from ASA via Site 2 Site IPSEC tunnel

Hi everyone,

I am having issues getting my ASA 5540 at site A to pass TFTP and SYSLOG from itself across the IPSEC tunnel to our SYSMON servers (Syslog and TFTP) that live at site B. I have followed the suggestions of other threads and I am still not getting anywhere. Here is a quick topology diagram:

Site A                                          Site B
=====                                           =====
Cisco ASA 5540 <--- IPSEC Tunnel ---> Cisco ASA 5540 > Ubuntu Server for TFTP and SYSLOG
IP: 2.2.2.2                           IP: 3.3.3.2       IP: 192.168.8.103

Here is a pertinent config snip:

ASA Version 8.4(2)
!
interface GigabitEthernet0/0
 description DC 10MB Drop
 nameif OUTSIDE
 security-level 0
 ip address 2.2.2.2 255.255.255.0 standby 2.2.2.3
!
interface GigabitEthernet0/2
 nameif HOSTED
 security-level 80
 ip address 10.168.1.15 255.255.0.0 standby 10.168.1.13
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network NET-HOSTED
 subnet 10.168.0.0 255.255.0.0
 description HIO Hosted Servers
!
object-group network NET-HQ
 description HQ Networks
 network-object 192.168.8.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
!
access-list ACL-HQ-VPN extended permit ip object NET-HOSTED object-group NET-HQ
!
logging enable
logging timestamp
logging standby
logging buffered debugging
logging trap warnings
logging history warnings
logging asdm informational
logging facility 19
logging host HOSTED 192.168.8.103
nat (HOSTED,OUTSIDE) source static NET-HOSTED NET-HOSTED destination static NET-HQ NET-HQ
!
route OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 1
route OUTSIDE 192.168.8.0 255.255.255.0 3.3.3.2 1
!
management-access HOSTED
!
tftp-server HOSTED 192.168.8.103 /site-a-gw-01/startup.txt

Please Help!!

6 REPLIES

Re: TFTP/SYSLOG from ASA via Site 2 Site IPSEC tunnel

hello

Try adding the following command - syslog messages from the ASA will then have the source IP of the HOSTED interface and will be matched by your VPN ACL:

logging device-id ipaddress HOSTED

hth

andy


TFTP/SYSLOG from ASA via Site 2 Site IPSEC tunnel

Hi Andy

I added the suggested line and it does not appear to have changed the logging behavior at all. Do you have any other suggestions to fix this and the TFTP (so "wr net" works)?

thanks,

M

TFTP/SYSLOG from ASA via Site 2 Site IPSEC tunnel

hello there

change:

logging host HOSTED 192.168.8.103

to

logging host OUTSIDE 192.168.8.103

As for TFTP traffic, have you tried adding TFTP traffic from 2.2.2.2 to 192.168.8.103 to your VPN traffic ACLs?

hth

andy


TFTP/SYSLOG from ASA via Site 2 Site IPSEC tunnel

Correct me if I am wrong.

I changed:

logging host HOSTED 192.168.8.103

to

logging host OUTSIDE 192.168.8.103

should I then change:

logging device-id ipaddress HOSTED

to

logging device-id ipaddress OUTSIDE

as well?

I have tried both ways and still do not see any logs showing up. I can and have always been able to get logs from a host in the HOSTED network over the VPN, just the ASA will not send its logs over the VPN.

Perplexed,

M

TFTP/SYSLOG from ASA via Site 2 Site IPSEC tunnel

My apologies. Your original line:

logging host HOSTED 192.168.8.103

should be correct for sending syslog down the VPN tunnel.

The logging device-id ipaddress command doesn't affect the source IP of the syslog packets - it just includes a device-id in the syslog message.

andy


TFTP/SYSLOG from ASA via Site 2 Site IPSEC tunnel

Hi,

You should add 2.2.2.2<->"Syslog Server IP" into the crypto ACL. The ASA cannot source syslog from the inside interface into a VPN built from the outside. So you have to add one more IPSec SA to encapsulate traffic from the outside interface to the syslog server.

See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml#vpn

In the same case I configured a syslog server (syslog-ng based) in the HOSTED network, working as a relay, taking messages from the ASA and sending them to the remote server.
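As an added illustration of the point in the last reply (this is not code from the thread or from Cisco): a small Python check that evaluates which syslog sources the crypto ACL ACL-HQ-VPN would select for encryption, first as posted and then with the extra entry for the ASA's own OUTSIDE address. The object name OBJ-ASA-OUTSIDE and the sample host 10.168.1.50 are assumptions; the parser handles only the object, object-group and host address forms used here.

```python
import ipaddress

# Address objects from the original post. OBJ-ASA-OUTSIDE is an assumed name
# for the ASA's own OUTSIDE address, which the last reply says must be added.
OBJECTS = {
    "NET-HOSTED": [ipaddress.ip_network("10.168.0.0/16")],
    "NET-HQ": [ipaddress.ip_network("192.168.8.0/24"), ipaddress.ip_network("192.168.6.0/24")],
    "OBJ-ASA-OUTSIDE": [ipaddress.ip_network("2.2.2.2/32")],
}

def addr(tokens, i):
    """Consume one address spec at tokens[i]; return (networks, next index)."""
    kind = tokens[i]
    if kind in ("object", "object-group"):
        return OBJECTS[tokens[i + 1]], i + 2
    if kind == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    raise ValueError("unsupported address form: " + kind)

def parse_ace(line):
    """Return (src_nets, dst_nets) for an 'access-list NAME extended permit ip' ACE."""
    t = line.split()
    if t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError("unsupported ACE: " + line)
    src, i = addr(t, 5)
    dst, _ = addr(t, i)
    return src, dst

def matches(acl, src_ip, dst_ip):
    """True if any ACE selects the src_ip -> dst_ip flow for the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in src) and any(d in n for n in dst)
               for src, dst in map(parse_ace, acl))

ORIGINAL_ACL = [
    "access-list ACL-HQ-VPN extended permit ip object NET-HOSTED object-group NET-HQ",
]
# The extra entry the last reply recommends: ASA OUTSIDE address <-> syslog server.
PROPOSED_ACL = ORIGINAL_ACL + [
    "access-list ACL-HQ-VPN extended permit ip object OBJ-ASA-OUTSIDE host 192.168.8.103",
]
SYSLOG_SERVER = "192.168.8.103"

def coverage(acl):
    """Which of the two syslog sources discussed in the thread does acl select?"""
    return {
        "host in HOSTED (10.168.1.50)": matches(acl, "10.168.1.50", SYSLOG_SERVER),  # constructed host
        "ASA via OUTSIDE (2.2.2.2)": matches(acl, "2.2.2.2", SYSLOG_SERVER),
    }
```

The site B ASA needs the mirror-image entry in its own crypto ACL, otherwise the added selector will not be accepted on the far side.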
