03-13-2013 09:36 AM - edited 03-11-2019 06:13 PM
Hi, I have the scenario below:
192.168.1.0/24 (192.168.1.5 log server) firewall(A) --------------tunnel -------switches-------- firewall(B) 192.168.2.0/24
Can I send logs from the switches to firewall B and then to firewall A via the tunnel with some NAT or port-forwarding configuration on firewall B?
Thanks in advance
Mike
03-26-2013 11:47 AM
The issue is missing configuration on the other end: the output is not showing any SA for traffic coming from the switch, which happens when both units don't have the same interesting traffic configured.
It also explains why it works when we translate the Sw's IP to an internal IP: it works because that side is going to encrypt internal IPs, not the Sw's IP.
Makes sense?
03-13-2013 11:34 AM
Assuming a layer 3 switch, I would:
- configure the switch to route to firewall B as the next hop to reach the log server IP
- configure a policy outside NAT on the ASA for the log traffic coming from the switch to be PATed (possibly to the interface IP)
- add the NATed IP to the interesting traffic of the VPN tunnel at firewall B
- ensure that the NATed IP is part of the interesting traffic at firewall A.
Hope this helps
Mashal
03-13-2013 11:59 AM
They are layer 2 switches.
I configured the switches to send logs to firewall B's public IP, statically NATed to a private IP on firewall A, but that doesn't work. I know the idea but I don't know how to configure it!!
Mike
03-13-2013 08:37 PM
Try:
same-security-traffic permit intra-interface
03-13-2013 08:49 PM
You can NAT from outside (real IP of the switch) to outside (inside the VPN tunnel).
You have to allow same-security-traffic permit intra-interface.
Assuming your switch IP is 2.2.2.10 and you want to NAT it to 192.168.2.10 (as if it were on the inside network), here's the config on firewall B:
object network INSIDE
subnet 192.168.2.0 255.255.255.0
object network VPN
subnet 192.168.1.0 255.255.255.0
object network SWITCH
host 2.2.2.10
object network SWITCH_NAT
host 192.168.2.10
nat (inside,outside) source static INSIDE INSIDE destination static VPN VPN no-proxy-arp
nat (outside,outside) source static SWITCH SWITCH_NAT destination static VPN VPN no-proxy-arp
The first is the no-NAT for normal VPN traffic and the second is the NAT for the switch.
All you need on firewall A is the equivalent no-NAT, but the networks will be reversed (its inside as source and VPN as destination).
After a ping from inside (B) to VPN and from the switch to VPN, we have the following xlates and we get a reply:
ciscoasa(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:2.2.2.10 to outside:192.168.2.10
flags s idle 0:01:06 timeout 0:00:00
NAT from inside:192.168.2.0/24 to outside:192.168.2.0/24
flags sI idle 0:00:59 timeout 0:00:00
hope that helps,
Patrick
03-14-2013 07:02 AM
Hi,
I already enabled same-security-traffic permit intra-interface but no luck. Below is my configuration (it has a lot of unwanted configuration because it's just a test firewall).
Also, do I need to do any configuration on firewall A? It's a UDP syslog message, so it's one-direction traffic??
ASA Version 8.2(4)
!
hostname test-asa5520-fw
domain-name XXXXXXXXXX
names
name 192.168.18.0 ISP1VPN
name 192.168.19.0 ISP2VPN
name 172.25.3.0 firewalla_Private
name 172.25.100.5 File-Server
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.25.100.1 255.255.255.0
!
interface GigabitEthernet0/1
description ISP1
nameif ISP1
security-level 0
ip address X.x.x.6 255.255.255.0
!
interface GigabitEthernet0/2
description ISP2
shutdown
nameif ISP2
security-level 0
shutdown
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
shutdown
!
interface Management0/0
nameif wguest
security-level 90
ip address 192.168.1.1 255.255.255.0
shutdown
!
boot system disk0:/asa824-k8.bin
ftp mode passive
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server File-Server
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp unreachable
service-object tcp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp unreachable
service-object tcp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
!!access-list XXXXX-vpn-isp1_splitTunnelAcl standard permit 172.25.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 ISP1VPN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 ISP2VPN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 firewalla_Private 255.255.255.0
! access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 192.168.5.0 255.255.255.240
access-list xxxxx-vpn-isp2_splitTunnelAcl standard permit 172.25.100.0 255.255.255.0
access-list ISP1_access_in remark permit ping over ISP1 network
access-list ISP1_access_in extended permit object-group DM_INLINE_SERVICE_2 any x.x.x.0 255.255.255.0
access-list ISP1_access_in remark permit ping over ISP1 network
! access-list ISP1_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list ISP1_access_in extended permit object-group DM_INLINE_SERVICE_3 any interface ISP1
access-list ISP1_access_in remark permit ping over ISP1 network
access-list ISP1_3_cryptomap extended permit ip 172.25.100.0 255.255.255.0 Firewalla_Private 255.255.255.0
access-list wguest_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list ISP1_1_cryptomap extended permit ip 172.25.100.0 255.255.255.0 Firewalla_Private 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_mpc extended permit ip host y.y.y.y host 172.25.100.21 inactive
access-list global_mpc extended permit ip any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.25.100.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 172.25.100.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 172.25.100.0 255.255.255.0
pager lines 24
logging enable
logging trap notifications
logging asdm informational
logging facility 16
logging host inside 172.25.3.213
logging message 305013 level informational
logging message 733100 level informational
flow-export destination inside 172.25.3.53 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu inside 1500
mtu ISP1 1500
mtu ISP2 1500
mtu wguest 1500
ip local pool cisco 192.168.5.5-192.168.5.10 mask 255.255.255.0
no failover
failover lan unit primary
failover lan interface failover+stateful GigabitEthernet0/3
failover polltime unit 1 holdtime 10
failover key *****
failover link failover+stateful GigabitEthernet0/3
failover interface ip failover+stateful 1.1.1.1 255.255.255.252 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
nat-control
global (ISP1) 1 interface
!global (ISP2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.25.100.0 255.255.255.0
nat (wguest) 1 access-list wguest_nat_outbound
static (inside,ISP1) udp interface syslog 172.25.3.213 syslog netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group ISP1_access_in in interface ISP1
route ISP1 0.0.0.0 0.0.0.0 x.x.x.1 250
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host File-Server
key *****
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 wguest
http 172.25.100.0 255.255.255.0 inside
snmp-server host inside 172.25.3.52 poll community ***** version 2c
snmp-server host inside 172.25.100.31 poll community ***** version 2c
snmp-server host inside 172.25.3.213 community ***** version 2c
snmp-server host inside 172.25.3.53 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set tans esp-aes esp-sha-hmac
crypto ipsec transform-set tans mode transport
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto ipsec transform-set test mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set test tans ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ISP1_map 1 match address ISP1_1_cryptomap
crypto map ISP1_map 1 set pfs group1
crypto map ISP1_map 1 set peer z.z.z.130
crypto map ISP1_map 1 set transform-set ESP-3DES-SHA
!crypto map ISP1_map 3 match address ISP1_3_cryptomap
!crypto map ISP1_map 3 set pfs group1
!crypto map ISP1_map 3 set peer z.z.z.132
!crypto map ISP1_map 3 set transform-set ESP-3DES-SHA
crypto map ISP1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ISP1_map interface ISP1
!crypto map ISP2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
!crypto map ISP2_map interface ISP2
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
3082022b 30820194 a0030201 02020101 300d0609 2a864886 f70d0101 05050030
29312730 25060355 0403131e 74657374 2d617361 35353230 2d66772e 61676e65
742e7461 6d752e65 6475301e 170d3132 31323230 32313330 31355a17 0d313531
32323032 31333031 355a3029 31273025 06035504 03131e74 6573742d 61736135
3532302d 66772e61 676e6574 2e74616d 752e6564 7530819f 300d0609 2a864886
f70d0101 01050003 818d0030 81890281 8100ad7f 9f33a786 98cf927b d2a56eac
31501ab4 8d1f9be1 b3fb0b7b 8e6f09a0 ae267fd4 9e2b7124 72f0eeae b1d02ec0
8ecd3e23 7afdf508 193ee122 024d389b c61b5be3 a300f122 f948608d 362ce9b1
697499ba 90b89e41 162d5958 6e97beac 5d75451b e045acd0 d918daa5 14b90ec8
e46d20ab 122f3a4e d9c4b1c1 b19194d3 268b0203 010001a3 63306130 0f060355
1d130101 ff040530 030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603
551d2304 18301680 14230c55 9cf92cec f4e9aead 11ba6aac e077949b 6a301d06
03551d0e 04160414 230c559c f92cecf4 e9aead11 ba6aace0 77949b6a 300d0609
2a864886 f70d0101 05050003 8181002c f07ae7f8 a7740215 8f819622 f3a8e8a3
c0b9fb50 ef8d7472 606d1186 4cc686b7 9414bb35 7871c188 42c75eff 5fe05673
c2f8db46 7575f6a1 4a4f6419 a454fb3c 5069d284 34c5a7da acc8a784 0f1da7ba
f26df6b5 da08c1a9 67d09ddb c97b10ea 8641e345 01990efc 889051a6 a6d249b4
4b4d842b 5dd281a6 8ec8ef5c fa5fb1
quit
crypto isakmp enable ISP1
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
!
telnet timeout 5
ssh scopy enable
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable ISP1
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.25.100.5
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value XXXXXXXX
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 172.25.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
default-domain value xxxxxxxxxxxxxx
group-policy DfltGrpPolicy attributes
dns-server value 172.25.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value xxxxxxxxxxxxx
group-policy cisco internal
group-policy cisco attributes
dns-server value 172.25.100.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value Xxxxxxxx
tunnel-group DefaultRAGroup general-attributes
address-pool cisco
authentication-server-group vpn
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group z.z.z.130 type ipsec-l2l
tunnel-group z.z.z.130 ipsec-attributes
pre-shared-key *****
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool cisco
authentication-server-group vpn LOCAL
default-group-policy cisco
tunnel-group cisco ipsec-attributes
trust-point test
!
class-map global-class
match access-list global_mpc
class-map inside-class
match access-list inside_mpc
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all htp
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns
inspect esmtp
inspect ils
inspect ip-options
inspect ipsec-pass-thru
inspect netbios
inspect pptp
class global-class
flow-export event-type all destination 172.25.3.53
policy-map inside-policy
class inside-class
police output 50000 1500
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt priority state hostname
03-14-2013 08:22 AM
On firewall A, you have to allow syslog (udp 514) from outside to the inside syslog server.
You also have to NAT the inside syslog server to a public IP (you can instead PAT the syslog UDP port if you don't have free IP addresses...)
03-14-2013 08:36 AM
Both my private networks via the S2S tunnel are full access, no restriction at all.
03-14-2013 10:17 AM
In my case the IPsec tunnel is between the firewalls, so I use identity NAT and just send the switch (and other host) syslog messages over the tunnel directly to the "real" (on-link) address of the final syslog server. Unix syslog servers can do forwarding; Cisco firewalls, so far as I know, will not.
-- Jim Leinweber, WI State Lab of Hygiene
03-14-2013 04:35 PM
static (inside,ISP1) udp interface syslog 172.25.3.213 syslog netmask 255.255.255.255
Is that the statement that is supposed to take the traffic from the SWITCH and send it to the other side of the tunnel?
Well, that's incorrect: we are NATing the external IP of the ASA, not the SW's IP address.
It should look something like this:
static (inside,ISP1) udp <Sw's IP> syslog <an IP on the inside, not the server's IP> syslog netmask 255.255.255.255
Then, change this too:
logging host inside 172.25.3.213
Point it to the syslog server on the other side of the VPN tunnel. Also use the syslog's server IP on the SWITCH configuration to indicate where to send the traffic.
03-20-2013 09:18 AM
Sorry for the late response, but I was so busy.
That does not work! So how should the packet be forwarded to 172.25.3.213 if I NATed it to an inside IP (ex. 172.25.100.250)??
The switches send packets to the firewall's public IP address, and then I need that packet to be forwarded to 172.25.3.213.
Thanks
Mike
03-20-2013 12:30 PM
The idea was to statically translate the source IP of the packet, from the sw's IP to an internal one, then the traffic will be sent to the server based on the dst IP in the packet.
But you want to do it differently, try this:
static (ISP1,ISP1) udp interface syslog 172.25.3.213 syslog netmask 255.255.255.255
nat (ISP1) 1 <sw's IP> 255.255.255.255
Then this:
no logging host inside 172.25.3.213
logging host ISP1 172.25.3.213
03-20-2013 01:32 PM
Either I don't understand you or you don't understand me, LoL.
Why do I need to change logging host, and why do I need to translate the switch IP?
This is UDP and I care about one direction only, from the switch to the log server.
Log (172.25.3.213) ---- Firewall ---- tunnel -- switch A (IP x.x.x.x) (firewall public IP z.z.z.z) ----- (172.25.100.0/24) network.
I need switch A (IP x.x.x.x) to send a log packet to the log server, so the firewall should translate the destination from the firewall public IP (z.z.z.z) to 172.25.3.213 and send it; after that the firewall looks up the routing table for the log server and routes it via the tunnel.
I configured the switch's log server as the firewall IP (z.z.z.z) because the switch has the router, not the firewall, as its default gateway.
Thanks
Mike
03-22-2013 06:53 AM
I just upgraded the firewall to 8.4.5 and made some progress: I can send the log to the log server, but only to a private IP after twice NAT. Can I do it with its public IP? Does the VPN tunnel forward the traffic if it is a public IP? I tried to add my public subnet to the crypto protected access list but that did not work.
03-22-2013 05:17 PM
Running 8.4 makes this easier.
We can change the source IP address to make the traffic look like it's coming from the inside, and change the destination IP address to forward the traffic that goes to the ASA's public IP to the syslog server on the other side.
network service syslog
service udp destination eq syslog
nat (outside,outside) source static
Using that command:
This
src:sw dst: ASA's public
becomes this:
src:int IP dst: syslog server
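The thread's resolution hinges on the ASA's order of operations for VPN traffic: NAT is applied first, and only the translated packet is compared with the crypto map's interesting-traffic ACL, which must be mirrored on the peer for an SA to come up. The following Python model is an added example (not code from this thread or from Cisco) that walks the three situations discussed above: a destination-only port forward that leaves the switch's real source address untranslated, Patrick's source translation to 192.168.2.10, and the 8.4-style twice NAT that rewrites both source and destination. Addresses 2.2.2.10, 192.168.2.10, 192.168.1.5 and the /24s come from the thread; 203.0.113.1 is a constructed placeholder for firewall B's public IP, and the "mirror image" test is a simplification of how the two peers' proxy IDs have to agree.

```python
"""Model of ASA egress handling for VPN traffic: NAT first, then crypto ACL match.

Added example; the rule/ACL shapes follow the thread, but the evaluation is a
simplified model, not ASA code. Placeholder: 203.0.113.1 = firewall B public IP.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 514  # syslog over UDP

@dataclass(frozen=True)
class StaticNat:
    """One twice-NAT rule: 'nat (real_ifc,mapped_ifc) source static REAL MAPPED
    destination static MAPPED_DST REAL_DST [service SVC SVC]'.
    mapped_dst=None means the destination is left untouched."""
    real_ifc: str
    real_src: str
    mapped_src: str
    mapped_dst: Optional[str] = None
    real_dst: Optional[str] = None
    dport: Optional[int] = None  # destination-port restriction from the service object

    def matches(self, pkt: Packet, ingress: str) -> bool:
        if ingress != self.real_ifc:
            return False
        if ip_address(pkt.src) not in ip_network(self.real_src):
            return False
        if self.mapped_dst and ip_address(pkt.dst) not in ip_network(self.mapped_dst):
            return False
        return self.dport is None or pkt.dport == self.dport

    def apply(self, pkt: Packet) -> Packet:
        src = _translate(pkt.src, self.real_src, self.mapped_src)
        dst = _translate(pkt.dst, self.mapped_dst, self.real_dst) if self.mapped_dst else pkt.dst
        return replace(pkt, src=src, dst=dst)

def _translate(addr: str, from_net: str, to_net: str) -> str:
    """Static one-to-one mapping: keep the host offset inside the network."""
    f, t = ip_network(from_net), ip_network(to_net)
    offset = int(ip_address(addr)) - int(f.network_address)
    return str(t.network_address + offset)

CryptoAcl = List[Tuple[str, str]]  # (source network, destination network) entries

def acl_match(acl: CryptoAcl, pkt: Packet) -> Optional[Tuple[str, str]]:
    for s, d in acl:
        if ip_address(pkt.src) in ip_network(s) and ip_address(pkt.dst) in ip_network(d):
            return (s, d)
    return None

def send_over_vpn(pkt: Packet, ingress: str, nat_rules: List[StaticNat],
                  local_acl: CryptoAcl, peer_acl: CryptoAcl) -> Tuple[str, Packet]:
    """Return (verdict, post-NAT packet). The first matching NAT rule is applied,
    then the translated packet is checked against the local crypto ACL; the peer
    must hold the mirrored entry or no SA is negotiated (simplified proxy-ID check)."""
    for rule in nat_rules:
        if rule.matches(pkt, ingress):
            pkt = rule.apply(pkt)
            break
    entry = acl_match(local_acl, pkt)
    if entry is None:
        return ("not interesting: routed in cleartext, never enters the tunnel", pkt)
    s, d = entry
    if (d, s) not in peer_acl:
        return ("no SA: peer's crypto ACL lacks the mirrored entry", pkt)
    return ("encrypted over the tunnel", pkt)

LOCAL_ACL = [("192.168.2.0/24", "192.168.1.0/24")]  # firewall B: inside -> remote site
PEER_ACL = [("192.168.1.0/24", "192.168.2.0/24")]   # firewall A: the mirror image
ASA_B_PUBLIC = "203.0.113.1"  # constructed placeholder
LOG_SERVER = "192.168.1.5"
SWITCH, SWITCH_NAT = "2.2.2.10", "192.168.2.10"
FROM_SWITCH = Packet(src=SWITCH, dst=ASA_B_PUBLIC)  # what the switch really sends

def scenario_port_forward_only():
    """Destination-only forward: the real switch address survives NAT and never
    matches the crypto ACL, so the tunnel is not used."""
    rules = [StaticNat("outside", "0.0.0.0/0", "0.0.0.0/0", ASA_B_PUBLIC, LOG_SERVER, 514)]
    return send_over_vpn(FROM_SWITCH, "outside", rules, LOCAL_ACL, PEER_ACL)

def scenario_source_nat_only():
    """Patrick's rule: switch sends to the server's real IP, source becomes 192.168.2.10."""
    rules = [StaticNat("outside", SWITCH, SWITCH_NAT, "192.168.1.0/24", "192.168.1.0/24")]
    return send_over_vpn(Packet(SWITCH, LOG_SERVER), "outside", rules, LOCAL_ACL, PEER_ACL)

def scenario_twice_nat():
    """8.4 style: rewrite source to an inside IP and destination to the syslog server."""
    rules = [StaticNat("outside", SWITCH, SWITCH_NAT, ASA_B_PUBLIC, LOG_SERVER, 514)]
    return send_over_vpn(FROM_SWITCH, "outside", rules, LOCAL_ACL, PEER_ACL)

def scenario_peer_missing_mirror():
    """Correct NAT, but firewall A has no matching interesting traffic: no SA."""
    rules = [StaticNat("outside", SWITCH, SWITCH_NAT, ASA_B_PUBLIC, LOG_SERVER, 514)]
    return send_over_vpn(FROM_SWITCH, "outside", rules, LOCAL_ACL, [])

if __name__ == "__main__":
    for fn in (scenario_port_forward_only, scenario_source_nat_only,
               scenario_twice_nat, scenario_peer_missing_mirror):
        verdict, after = fn()
        print(f"{fn.__name__}: {after.src} -> {after.dst}: {verdict}")
```

Run it and the first scenario reproduces the symptom from the early posts (traffic translated, but the post-NAT source 2.2.2.10 is outside the crypto ACL), while the last reproduces the accepted answer: the rules on firewall B are right, yet no SA appears because firewall A does not carry the same interesting traffic.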