<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NAT issue in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nat-issue/m-p/861837#M973441</link>
    <description>&lt;P&gt;I have a need for our internet router to send syslog to a server on the inside interface of a PIX firewall. The internet router connects to the outside interface of the PIX. The interface on the router that faces the PIX has an IP of 5.5.5.5 and the outside interface of the PIX is 5.5.5.6. The host address of the inside syslog server is 10.1.1.100, which is off the inside interface on the PIX.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Currently the PIX is configured with a NAT (1) 0.0.0.0 0.0.0.0 with a global statement that uses the "interface" (outside address of PIX, or 5.5.5.6). The syslog server 10.1.1.100 has a need for internet connectivity for things like web updates, etc. I'd like to keep it so that it uses the existing NAT when connecting to the Internet. However, I need a way for the internet router to send its syslog through to the inside server. I figure I could do a static, but that would end up translating all traffic from my syslog host, and I was hoping to just translate it when the router initiated to it and had syslog data to send. Obviously the router does not know about the 10.1.1.x network, so I need a way to get it back into the inside network, without affecting any internet traffic that is initiated from the syslog server. How can I best accomplish this?&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 11:27:22 GMT</pubDate>
    <dc:creator>matthewmphc</dc:creator>
    <dc:date>2019-03-11T11:27:22Z</dc:date>
    <item>
      <title>NAT issue</title>
      <link>https://community.cisco.com/t5/network-security/nat-issue/m-p/861837#M973441</link>
      <description>&lt;P&gt;I have a need for our internet router to send syslog to a server on the inside interface of a PIX firewall. The internet router connects to the outside interface of the PIX. The interface on the router that faces the PIX has an IP of 5.5.5.5 and the outside interface of the PIX is 5.5.5.6. The host address of the inside syslog server is 10.1.1.100, which is off the inside interface on the PIX.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Currently the PIX is configured with a NAT (1) 0.0.0.0 0.0.0.0 with a global statement that uses the "interface" (outside address of PIX, or 5.5.5.6). The syslog server 10.1.1.100 has a need for internet connectivity for things like web updates, etc. I'd like to keep it so that it uses the existing NAT when connecting to the Internet. However, I need a way for the internet router to send its syslog through to the inside server. I figure I could do a static, but that would end up translating all traffic from my syslog host, and I was hoping to just translate it when the router initiated to it and had syslog data to send. Obviously the router does not know about the 10.1.1.x network, so I need a way to get it back into the inside network, without affecting any internet traffic that is initiated from the syslog server. How can I best accomplish this?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 11:27:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-issue/m-p/861837#M973441</guid>
      <dc:creator>matthewmphc</dc:creator>
      <dc:date>2019-03-11T11:27:22Z</dc:date>
    </item>
    <item>
      <title>Re: NAT issue</title>
      <link>https://community.cisco.com/t5/network-security/nat-issue/m-p/861838#M973443</link>
      <description>&lt;P&gt;Give this a shot...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Router&lt;/P&gt;&lt;P&gt;logging 10.1.1.100&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;PIX&lt;/P&gt;&lt;P&gt;access-list nonat permit ip host 10.1.1.100 host 5.5.5.5&lt;/P&gt;&lt;P&gt;nat (inside) 0 access-list nonat&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list outside_access_in permit udp host 5.5.5.5 host 10.1.1.100 eq syslog&lt;/P&gt;&lt;P&gt;access-group outside_access_in in interface outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope it helps. Please rate helpful posts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;edit: Oh and one more thing, the outside router will need a route to the syslog server. Something like...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ip route 10.1.1.100 255.255.255.255 5.5.5.6&lt;/P&gt;</description>
      <pubDate>Thu, 18 Oct 2007 19:13:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-issue/m-p/861838#M973443</guid>
      <dc:creator>acomiskey</dc:creator>
      <dc:date>2007-10-18T19:13:05Z</dc:date>
    </item>
  </channel>
</rss>

