Cisco ASA won't send Syslog out management interface

markcis76h
Level 1

I have been trying to get my ASA to send syslog out of the management interface without any luck. When I do a packet tracer it says that the global implicit deny rule is blocking it, but I tried to add a permit all in front of it and it still blocks it. Everything is configured correctly from what I can tell and the static routes and routing are correct. This has me baffled. Does anyone know what might be causing this or what I should look at in the config to get this working?

5 Replies

Have you removed the management-only command from the interface?

interface mgmt0/0

no management-only

--

Please rate all helpful posts.

--
Please remember to select a correct answer and rate helpful posts

If you have removed that command, please post a full sanitized running config of your ASA.


Yes, we removed the management-only command and have tried pretty much everything.

Could you please post a full sanitized running config of your ASA?


naveenrawat007
Level 1

Hi Mark,
Talking of packet tracer, it would give you correct output for through-the-box traffic, not for to-the-box or from-the-box traffic.

So firstly we have two questions:

1) Is this through-the-box traffic? Then you need to permit the traffic through an ACL (if from lower sec level to higher) and add a NAT statement (depending on the ASA IOS version you are using; anything above 8.2.5 won't require a NAT).
2) If this is a syslog-from-the-firewall scenario, then you need to make sure to get the following logging configuration on the ASA:

-logging enable
-logging host management X.X.X.X --------(X.X.X.X is the IP of the syslog server)
-logging trap debugging ----------(debugging is the level; you could use any other too, but to check I would suggest this one)


-Further, if you have already sorted it out up to here, get us the following outputs:

-show run
-show logging
-show logging queue

      

Hope it helps

Cheers,

Naveen

Please Rate Helpful posts.
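
An offline check for the items the replies above ask about (management-only on the interface, logging enable, logging host, logging trap), as an added example that is not part of the original thread. The running-config text is constructed, the function name audit_syslog is hypothetical, and the script only reads saved config text; it does not connect to a device.

```python
import re

# Constructed sample of a sanitized ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
interface Management0/0
 management-only
 nameif management
!
interface GigabitEthernet0/0
 nameif outside
!
logging host management 192.0.2.50
logging trap debugging
"""

def audit_syslog(config):
    """Hypothetical helper: list the syslog items from the replies that are unmet."""
    iface_by_nameif, mgmt_only, current = {}, set(), None
    # Pass 1: map each nameif to its interface and note management-only interfaces.
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith(" ") and current:
            words = line.split()
            if words[:1] == ["nameif"] and len(words) > 1:
                iface_by_nameif[words[1]] = current
            elif words == ["management-only"]:
                mgmt_only.add(current)
        else:
            current = None  # "!" or a global command ends the interface block
    # Pass 2: global logging commands.
    enabled = re.search(r"^logging enable\s*$", config, re.M) is not None
    hosts = re.findall(r"^logging host (\S+) (\S+)", config, re.M)
    trap = re.search(r"^logging trap (\S+)", config, re.M)
    findings = []
    if not enabled:
        findings.append("'logging enable' is missing")
    if not hosts:
        findings.append("no 'logging host <nameif> <ip>' line")
    if trap is None:
        findings.append("no 'logging trap <level>' line")
    # Each logging host must name an existing nameif; flag management-only on it.
    for nameif, ip in hosts:
        phys = iface_by_nameif.get(nameif)
        if phys is None:
            findings.append(f"logging host {ip}: no interface has nameif '{nameif}'")
        elif phys in mgmt_only:
            findings.append(f"logging host {ip}: {phys} still has management-only")
    return findings
```

Calling audit_syslog on the text of a saved show run returns an empty list when every item the replies mention is in place.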
