10-15-2010 08:49 AM - edited 02-21-2020 04:07 AM
Hi All,
I have a small problem regarding ASA and syslogs. I have a site-to-site tunnel between a local ASA and a remote ASA. Behind the local ASA I have a central syslog server (which does not have the ASA as a default gateway) which collects messages from all network devices and I want it to get the messages from the remote ASA as well.
The tunnel protects traffic between the local networks behind each ASA, which includes the remote ASA Inside interface as well. The problem is that if I specify on the remote ASA my syslog server it does not go through the VPN tunnel. The remote ASA sees my syslog server as being "outside" so then it uses the outside IP address as source-interface for the syslog message. Which of course does not go through the tunnel. As far as I can tell there is no way to configure the source interface for logging on the ASA, as you can do on a normal IOS router.
I found some documents explaining this setup on CCO but they all suggest that I extend the access-list for the interesting traffic to allow UDP/514 traffic from the remote PIX outside interface to my local syslog server. This is not something that I want to do as I would get into routing complications in my local network with the public IP address of the remote ASA.
Any suggestions ? I thought I could use some sort of NAT on the remote ASA so that all traffic for my local network sourced by the remote PIX is translated to the inside interface, which in theory should make the packet go via the tunnel. I didn't manage so far.
Any help is appreciated.
Best regards,
Stefan
10-15-2010 11:29 AM
You can define the interface the ASA is going to use to send the logs "logging host
Make sure you also do "management-access
Then the ASA should source the syslogs from the inside interface which is probably encrypted with the crypto ACL.
I hope it helps.
PK
10-15-2010 11:39 AM
That is not really true, the interface mentioned in the "logging host
I am gonna give the management-access command a try though, thanks for the suggestion.
Regards,
Stefan
02-15-2015 06:35 AM
I have it working for 10 sites.
logging host inside x.x.x.x <= Where x.x.x.x is your syslog server IP across VPN
management-access inside
Hope this helps.
10-18-2010 03:03 AM
Just an update to my problem. Configuring the inside interface as "management-access" didn't help.
Trying to understand the problem I kept reading the info on CCO about the "logging host" command on the ASA and according to the explanation, the interface name is where the syslog server resides:
interface_name
Specifies the interface on which the syslog server resides.
Which in my case would be the Outside, i.e. behind the VPN. So logically the command should be "logging host outside
In any case, now it works. Thanks!
Regards,
Stefan
10-18-2010 06:02 AM
Yup, you need the management-access command, and the host inside for the logging. The doc is right because it refers to what the command does in general. But for VPN it is slightly different: the ASA knows that inside to your server is going to be encrypted, so even though the command says inside it sends over the VPN. Practically the other VPN endpoint side is your inside also, so that is the idea behind it.
I am glad it is solved now.
PK
02-10-2014 10:45 AM
Did you try it yourself and does it work? I am able to poll the remote ASA over the tunnel using the management-access inside command. However I get a warning message when doing the logging command.
See below.
ASA(config)# sh run | in management
management-access inside
ASA(config)# sh run | in snmp-ser
snmp-server host inside 172.24.100.98 community *****
admin@Mgmt01:~$ snmpwalk -c dummy -v 2c 192.168.175.1
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 8.4(7)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.745
iso.3.6.1.2.1.1.3.0 = Timeticks: (39904100) 4 days, 14:50:41.00
However I get a warning message for the logging:
ASA(config)# logging host inside 172.24.100.98
WARNING: configured logging host interface conflicts with route table entry
ASA(config)#
I am troubleshooting the log server to see if the syslog messages come through on the other end or not.
08-11-2017 08:37 AM
>WARNING: configured logging host interface conflicts with route table entry
I was also having this issue and treated this warning message as "this won't work". I ignored the message and it worked :)
10-31-2014 03:59 AM
I am having the same issue. Can you post your "working" configuration
for sending syslogs to a syslog server over vpn tunnel?
Thanks
09-27-2024 05:01 PM
We started getting logs from our FW to our syslog server after adding this line to the FW:
logging trap notifications
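Two things in this thread are hard to confirm from the ASA side alone: whether the remote ASA's syslog datagrams really arrive sourced from its inside address (i.e. through the tunnel) rather than from its public outside address, and whether the configured "logging trap" level is dropping the messages you expect. The script below is an added example, not code from the thread or from Cisco: it takes captured UDP/514 datagrams as (source_ip, payload) pairs, parses the standard %ASA-severity-msgid header, and classifies each one. The addresses, network ranges, trap level and sample messages are all constructed assumptions for illustration.

```python
"""Check that syslog from a remote ASA arrives over the VPN tunnel.

Added example (not from the thread). Given captured UDP/514 datagrams as
(source_ip, payload) pairs, parse the ASA syslog header and report whether
each datagram was sourced from the remote ASA's inside address range
(expected once 'logging host inside' + 'management-access inside' are in
place) or from its public outside address (the symptom in the thread),
and whether its severity is within the configured 'logging trap' level.
All addresses and sample messages below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical site values (assumptions, not taken from the thread).
REMOTE_INSIDE_NET = ipaddress.ip_network("10.20.0.0/24")   # remote ASA inside LAN
REMOTE_OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")   # remote ASA public address
TRAP_LEVEL = 5   # 'logging trap notifications' corresponds to severity 5

# ASA syslog line: optional RFC 3164 <PRI>, free-form header, then '%ASA-<sev>-<id>: text'
ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?.*?%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)


@dataclass
class SyslogCheck:
    src_ip: str
    severity: int
    msg_id: str
    via_tunnel: bool     # sourced from the remote inside address range
    within_trap: bool    # severity <= configured logging trap level


def parse_asa_syslog(payload: str):
    """Return (severity, message id, text) or None if not an ASA syslog line."""
    m = ASA_RE.match(payload.strip())
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")


def check_datagram(src_ip: str, payload: str):
    """Classify one datagram by its source address and severity."""
    parsed = parse_asa_syslog(payload)
    if parsed is None:
        return None
    sev, msgid, _ = parsed
    ip = ipaddress.ip_address(src_ip)
    return SyslogCheck(
        src_ip=src_ip,
        severity=sev,
        msg_id=msgid,
        via_tunnel=ip in REMOTE_INSIDE_NET,
        within_trap=sev <= TRAP_LEVEL,
    )


def summarize(datagrams):
    """Count datagrams sourced via the tunnel, from the outside IP, and above the trap level."""
    results = [r for r in (check_datagram(s, p) for s, p in datagrams) if r]
    return {
        "tunnel": sum(r.via_tunnel for r in results),
        "outside": sum(r.src_ip == str(REMOTE_OUTSIDE_IP) for r in results),
        "above_trap": sum(not r.within_trap for r in results),
    }


# Constructed sample capture: (source address, UDP payload).
SAMPLE = [
    ("10.20.0.1", "<165>Oct 18 2010 03:03:00 remote-asa : %ASA-5-111008: "
                  "User 'admin' executed the 'logging host inside 10.1.1.50' command."),
    ("203.0.113.10", "<166>Oct 18 2010 03:03:01 remote-asa : %ASA-6-302013: "
                     "Built outbound TCP connection 12 for outside:198.51.100.5/443 "
                     "(198.51.100.5/443) to inside:10.20.0.15/51000 (203.0.113.10/51000)"),
    ("10.20.0.1", "<167>Oct 18 2010 03:03:02 remote-asa : %ASA-7-609001: "
                  "Built local-host inside:10.20.0.15"),
    ("10.20.0.1", "not a syslog line"),
]

if __name__ == "__main__":
    for src, payload in SAMPLE:
        print(check_datagram(src, payload))
    print(summarize(SAMPLE))
```

Run against a real capture (for example lines exported from tcpdump on the syslog server), a non-zero "outside" count means the remote ASA is still sourcing logs from its public interface and the tunnel is not carrying them; a large "above_trap" count means the trap level, not the tunnel, is why messages are missing.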