11-07-2006 07:30 PM - edited 02-21-2020 01:17 AM
I'd like to send syslogs, etc., sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
I'd have to have a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
Appreciate any pointers.
11-08-2006 05:13 AM
* Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
* For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
* You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being sourced from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
* You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
* When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
* You specify the interface off which the syslog server resides in the 'logging host' command.
In other words:
* Say your syslog server has IP address 1.1.1.1, which resides on the Internet.
* Say your outside interface on your ASA has an IP address of 200.200.200.200.
* Say your syslog server is located at a remote operations center which resides on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
* You will specify the outside interface in your 'logging host' command.
THINGS YOU DON'T NEED:
Because the syslog traffic is not transiting from one interface to another interface:
* you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
* you do not need to configure NAT. An xlate is not required.
Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
Regards,
Troy
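As an added example (not Troy's configuration and not taken from the original thread), here is how the pieces described above fit together in ASA 8.4+ CLI syntax, using the addresses from the post (outside interface 200.200.200.200, syslog server 1.1.1.1). The peer address 198.51.100.1, the ACL/transform-set/crypto-map names, the IKEv1 policy values and the pre-shared-key placeholder are assumptions for illustration only:

```cisco
! Constructed example: ASA sending its own syslog over a site-to-site IPsec tunnel.
! Addresses 200.200.200.200 (ASA outside) and 1.1.1.1 (syslog server) are from the thread;
! peer 198.51.100.1, names and policy values are assumptions.

! --- Syslog ---
logging enable
logging timestamp
logging trap informational
! The interface named here is the one the syslog server sits "off" of, i.e. outside,
! even though the server is only reachable through the tunnel.
logging host outside 1.1.1.1

! --- Interesting traffic: ASA outside address -> syslog server ---
! No NAT exemption and no interface ACL are needed; the ASA itself sources the packets.
access-list L2L-SYSLOG extended permit ip host 200.200.200.200 host 1.1.1.1

! --- IKEv1 phase 1 (assumed values) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- IPsec phase 2 and crypto map bound to outside ---
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SYSLOG
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! --- L2L tunnel group for the remote operations center (assumed peer) ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

The remote end must mirror the crypto ACL (permit ip host 1.1.1.1 host 200.200.200.200) and use a matching transform set and pre-shared key. To confirm that log messages are actually leaving encrypted rather than in the clear, check that the phase 1 and phase 2 SAs come up with `show crypto ikev1 sa` and `show crypto ipsec sa`, and that the `#pkts encaps` counter for the 200.200.200.200/1.1.1.1 proxy identities increments as `show logging` reports messages sent to the host.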
11-09-2006 03:14 PM
Yep that did it. Thanks for the great post!
It still doesn't quite "compute" in my head that the src IP address of the pkts is the outside interface address of the crypto peer and this address is also the src address in the crypto map. I guess I need to understand the order of operations inside the PIX/ASA better.
As a side note, would this approach also be required for router IOS? Actually, now that I think about it, the logging cmd on IOS doesn't _require_ an interface parameter, so things must be a little different under the covers.
thanks again
06-25-2019 05:34 AM
I have this problem and I opened a ticket and nobody answers me :-( https://community.cisco.com/t5/routing/asa-syslogs-sent-over-a-vpn-tunnel-l2l/m-p/3872392/highlight/false#M316562
Did you get your syslog to go through the L2L IPSEC tunnel? Thanks, Allan
06-04-2024 02:47 PM
Yes, Syslog over L2L. Executing the following on the remote side fixed the issue in my case:
no logging trap <LEVEL>
logging trap <LEVEL>
Christian