
Is it possible to route syslog traffic through the Management Interface?

CSCO12318778
Level 1

Hello Everyone,

I have my ASA (5512 running 9.0(2)) at X.X.2.20 and my syslog server is at X.X.3.16. Will it be possible to send the syslog traffic through my management interface?

i.e., logging host management X.X.3.16

Will this be possible, or should I mention my Inside interface for logging?


5 Replies

Jouni Forss
VIP Alumni

Hi,

Where is the Syslog server IP located according to the ASA routing table?

- Jouni

Hello Jouni,

My syslog server is at one location (branch office) and the firewall is at the main office.

This is my topology:

Firewall<----------->Internal Router<----------->branch office router------->syslog server

The main office has the X.X.2.0 network and the branch office has the 3.0 network.

I am sure that I can't use the management network to route the syslog traffic, but is there any way to do it? And will it be OK if I mention the Inside interface instead of Management in the command "logging host inside X.X.3.16" to route the syslog traffic to the server, or is there any extra configuration?

thanks

--

Raj

Hi,

If the Syslog server is located at the Branch office and Branch office network is located behind your "inside" interface then you could use the "inside" interface in the "logging" command to send the Syslog through that interface.

- Jouni

James Leinweber
Level 4

The short answer is yes, but this is going to depend on the routing topology and IPS environment. On older ASA hardware without IPS, you can turn off "management-only", which would allow secondary uses such as logging. On new 5512-X hardware with IPS, you can't, and the logging has to go via some other interface. If the firewall only has one IP address then it is presumably running in transparent mode; there would have to be a connected router or layer-3 switch which could forward packets from the x.x.2 subnet to the x.x.3 subnet. Also, management interfaces tend to be lower bandwidth than the main interfaces; depending on your traffic levels this is probably not a further obstacle.

Personally, I run my ASA 5525-X firewalls in routed mode, and am lucky enough to be able to put syslog servers on-link with them via connected interfaces. However, as long as the routing topology will deliver the packets, the syslog server can be anywhere, even upstream of the outside interface. An example configuration which might work in the situation you are describing:

  interface management0/0
    nameif management
    ! clear management-only so the port may carry non-management traffic such as syslog
    no management-only
    security-level 100
    ip address x.x.2.20 255.255.255.0
  ! name the interface the ASA will source the syslog from; the server must be routable via it
  logging host management x.x.3.16

-- Jim Leinweber, WI State Lab of Hygiene
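The point both answers turn on is that the interface named in "logging host" has to be the one the ASA's own routing table would use to reach the server. As an added check (not part of this thread and not Cisco's code), the following Python script parses a small running-config fragment and, for each "logging host" line, works out the egress interface from the connected subnets and static "route" lines (longest prefix wins, connected beats static on a tie), compares it with the interface named, and flags whether that interface is management-only. The config text is constructed to mirror the topology above: inside 10.0.2.0/24, syslog server 10.0.3.16 behind an internal router at 10.0.2.2, with the management port placed on its own 10.0.99.0/24 because a routed-mode ASA will not accept two interfaces in one subnet (that subnet, all addresses and the interface names are assumptions, not the poster's real setup). It only models static and connected routes, and it says nothing about whether a given platform will let you clear management-only.

```python
"""Check ASA 'logging host' lines against the box's own routing table.

Added example (not from the thread, not Cisco code). Parses a running-config
fragment and, for each syslog host, reports which interface the ASA would route
to (connected subnets + static 'route' lines, longest prefix wins) and whether
that matches the interface named on the 'logging host' line.
"""
import ipaddress
import re

# Constructed config mirroring the thread's topology (placeholders, not a real box):
# inside 10.0.2.0/24, syslog server 10.0.3.16 behind internal router 10.0.2.2.
# Management sits on its own subnet here because ASA rejects overlapping subnets.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.2.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 ip address 10.0.99.20 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.0.3.0 255.255.255.0 10.0.2.2 1
logging host management 10.0.3.16
logging host inside 10.0.3.16
"""

IFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
LOGHOST_RE = re.compile(r"^logging host\s+(\S+)\s+(\S+)")


def parse_asa_config(text):
    """Return (interfaces keyed by nameif, static routes, logging hosts)."""
    interfaces, routes, logging_hosts = {}, [], []
    current = None
    for line in text.splitlines():
        if IFACE_RE.match(line):
            current = {"network": None, "management_only": False}
            continue
        if current is not None and line.startswith(" "):
            if (m := NAMEIF_RE.match(line)):
                interfaces[m.group(1)] = current
            elif (m := IPADDR_RE.match(line)):
                current["network"] = ipaddress.IPv4Interface("%s/%s" % m.groups()).network
            elif line.strip() == "management-only":
                current["management_only"] = True
            continue
        current = None  # '!' or any other top-level line ends the interface block
        if (m := ROUTE_RE.match(line)):
            nameif, net, mask, gw = m.groups()
            routes.append((nameif, ipaddress.IPv4Network(f"{net}/{mask}"),
                           ipaddress.IPv4Address(gw)))
        elif (m := LOGHOST_RE.match(line)):
            logging_hosts.append((m.group(1), ipaddress.IPv4Address(m.group(2))))
    return interfaces, routes, logging_hosts


def egress_interface(dest, interfaces, routes):
    """Longest-prefix match; a connected subnet beats a static route on a tie.
    Returns (nameif, 'connected' or gateway string), or (None, None)."""
    dest = ipaddress.IPv4Address(dest)
    candidates = []
    for nameif, info in interfaces.items():
        if info["network"] is not None and dest in info["network"]:
            candidates.append((info["network"].prefixlen, 1, nameif, "connected"))
    for nameif, net, gw in routes:
        if dest in net:
            candidates.append((net.prefixlen, 0, nameif, str(gw)))
    if not candidates:
        return None, None
    candidates.sort(reverse=True)  # highest prefixlen first, connected (1) before static (0)
    return candidates[0][2], candidates[0][3]


def check_logging_hosts(config_text):
    """One finding per 'logging host' line: does the named interface match routing?"""
    interfaces, routes, logging_hosts = parse_asa_config(config_text)
    findings = []
    for nameif, server in logging_hosts:
        egress, via = egress_interface(server, interfaces, routes)
        iface = interfaces.get(nameif)
        findings.append({
            "server": str(server),
            "configured_interface": nameif,
            "routed_interface": egress,
            "via": via,
            "management_only": bool(iface and iface["management_only"]),
            "ok": iface is not None and egress == nameif,
        })
    return findings


if __name__ == "__main__":
    for f in check_logging_hosts(SAMPLE_CONFIG):
        print(("OK " if f["ok"] else "BAD"),
              f"logging host {f['configured_interface']} {f['server']}:",
              f"routed via {f['routed_interface']} ({f['via']})",
              "[management-only]" if f["management_only"] else "")
```

On the constructed config the first line is reported BAD (the server is routed via "inside" through 10.0.2.2, and "management" is management-only) and the second is OK, which is the conclusion the thread reaches for this topology. To run it against a real box, paste the output of "show running-config" into SAMPLE_CONFIG or read it from a file.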

Hello James,

Thank you for the response. I am working on the old ASA without IPS, and it is running in routed mode.

It is not letting me push the command "no management-only". I think I need to use the inside interface to route this traffic.

Yet I am curious to know if we can still use the management interface to route this traffic.

Thanks for your help.

--

Raj
