06-11-2019 07:54 AM
I have a WAN router (70.70.70.129) from which I need to access a syslog server on the inside by its real IP address (192.168.1.192).
I have set up an access list on the outside interface:
access-list outside_acl extended permit udp host 70.70.70.129 host 192.168.1.192 eq syslog
With this, so far I get the NAT reverse path failure.
Now, if I add a NAT rule:
inside outside 192.168.1.192 any any 192.168.1.192
everything works, except the syslog server loses access to the internet. I am confused about what I need to add to enable both: access to the internet and access to the server via its private IP address.
06-13-2019 04:07 AM - edited 06-13-2019 04:09 AM
I have labbed this up.
!
object network SYS-LOG
 host 10.10.1.192
 nat (inside,outside) static interface service udp 514 514
!
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
access-group outside_acl in interface outside
!
packet-tracer input outside udp 1.1.1.129 12345 1.1.1.30 514
06-11-2019 08:30 AM
Hi
Can you share your config please?
I would remove the nat you put in place and change to something like:
object network SYSLOG-SRV
 host 192.168.1.192
 nat (inside,outside) static 70.70.70.129 service udp 514 514
Also, when you've done this, please run a packet-tracer and paste the output:
packet-tracer input outside udp 8.8.8.8 1234 70.70.70.129 514
06-11-2019 11:55 PM - edited 06-12-2019 06:35 AM
It would be great if you could share the config of your firewall. In the meantime, please have a look at this config.
object network syslog_server
 host 192.168.1.192
!
 nat (inside,outside) static interface
!
access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
!
access-group outside_acl in interface outside
06-12-2019 05:32 AM
Hi, thanks for your answers. I am trying to sanitize the config, since it is very extensive and I don't have permission to post it in its entirety.
Meanwhile, what does nat (inside,outside) static interface do? Is it missing something? What is the difference from the one I have, nat (inside,outside) static 192.168.1.192 no-proxy-arp?
06-12-2019 06:34 AM - edited 06-12-2019 06:38 AM
Hi
The rule below,
nat (inside,outside) static interface
means: if traffic comes from the inside interface and goes toward the outside network, use the outside interface IP address (e.g. 82.1.5.4).
Now, coming to your NAT rule
nat (inside,outside) static 192.168.1.192 no-proxy-arp
you are saying: if traffic comes from inside and goes toward the outside network, use address 192.168.1.192. In this case 192.168.1.192 is your inside address, and this address can't be routed out due to RFC 1918.
Now you have two choices:
Step 1.
=====
object network syslog_server
 host 192.168.1.192
 nat (inside,outside) static 70.70.70.129 service udp 514 514
access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
access-group outside_acl in interface outside
(Note: if you need to access the syslog server from outside, then you need to define the ACL as I mentioned.)
OR
Step 2
====
object network syslog_server
 host 192.168.1.192
!
 nat (inside,outside) static interface
access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
access-group outside_acl in interface outside
(Note: if you need to access the syslog server from outside, then you need to define the ACL as I mentioned.)
Now, I do not know what your public IP address is, so you can use the command nat (in,out) static interface. This will use your firewall's outside interface IP address. The choice is yours.
06-12-2019 08:05 AM - edited 06-13-2019 06:55 AM
This has been given to me very redacted/"sanitized".
My syslog server = mon002 = 10.10.1.192
My WAN router is connected to my outside interface with IP 1.1.1.129.
I need my WAN router to access my syslog server; there is an IP route in my WAN router that routes traffic destined to 10.10.1.192 through 1.1.1.130.
hostname Firewall
!
interface Ethernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.130 255.255.255.224
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0
!
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
arp timeout 14400
no arp permit-nonconnected
!
object network obj-10.10.1.0
 nat (inside,outside) dynamic og_global_outside-1
 nat (aruba,outside) dynamic og_global_outside-1
object network ob-10.10.1.192
 nat (inside,outside) static 10.10.1.192 no-proxy-arp
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group bppr_acl in interface bppr
access-group aruba_access_in in interface aruba
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1
http server enable
snmp-server host inside 10.10.1.192 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
sysopt connection tcpmss 1460
06-12-2019 11:34 AM - edited 06-12-2019 12:02 PM
object network mon001
 host 10.10.1.192
 description PRTG monitoring
 nat (inside,outside) static interface
!
access-list outside_acl extended permit udp any host 10.10.1.192 eq syslog
(or)
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
!
access-group outside_acl in interface outside
!
! destination is the ASA outside interface address (1.1.1.130), the mapped address of the static interface NAT
packet-tracer input outside udp 1.1.1.129 1234 1.1.1.130 syslog
Or, if you like, you can move your NAT rule into section 1.
nat (inside,outside) source static mon001 interface
!
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
!
access-group outside_acl in interface outside
!
! destination is the ASA outside interface address (1.1.1.130), the mapped address of the static interface NAT
packet-tracer input outside udp 1.1.1.129 1234 1.1.1.130 syslog
06-12-2019 02:24 PM - edited 06-12-2019 02:39 PM
When I enable the NAT rule, what does the warning below really mean? Is it all traffic from 10.10.1.192?
nat (inside,outside) source static ms001mon002 interface
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.
Anyway, I am still getting the error:
ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside 1.1.1.129 dst inside 10.10.1.192/514 denied due to NAT reverse path failure.
06-13-2019 06:52 AM
@Sheraz.Salim @Francesco Molino
First, thanks for the support, help and patience.
Reading your suggestions I realized my error: in the NAT rule I had created, I left "any" instead of specifying port 514.
Now the internet on the monitoring tool and the syslog are working!!!
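The difference between the unscoped `static interface` rule (which produced the "All traffic destined to the IP address of the outside interface is being redirected" warning) and the accepted `service udp 514 514` rule can be made concrete with a small model of how a static NAT rule claims inbound flows to the mapped address. This is an added, simplified model written for this thread, not the ASA's NAT engine or any code from the posters; the addresses are the ones used in the thread and the extra flows (HTTPS to the ASA, IKE) are constructed.

```python
"""Simplified model of an ASA-style static object NAT rule claiming inbound
traffic to the outside interface address. Contrasts the thread's two rules:
  nat (inside,outside) static interface                      (all ports)
  nat (inside,outside) static interface service udp 514 514  (one port)
Constructed example; addresses are taken from the posted config."""
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF = "1.1.1.130"    # ASA outside interface address
SYSLOG_SRV = "10.10.1.192"  # real address of the syslog server


@dataclass(frozen=True)
class StaticNat:
    real: str
    mapped: str
    proto: Optional[str] = None  # None models 'static interface' with no service clause
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def untranslate(self, proto, dst_ip, dst_port):
        """Return (real_ip, real_port) if this rule claims the inbound flow, else None."""
        if dst_ip != self.mapped:
            return None
        if self.proto is None:  # unscoped: every port on the mapped IP is redirected
            return (self.real, dst_port)
        if proto == self.proto and dst_port == self.mapped_port:
            return (self.real, self.real_port)
        return None


def resolve_inbound(rules, proto, dst_ip, dst_port):
    """First matching static rule wins; no match means the ASA itself owns the flow."""
    for rule in rules:
        hit = rule.untranslate(proto, dst_ip, dst_port)
        if hit:
            return hit
    return (dst_ip, dst_port)


# Constructed flows aimed at the outside address: the WAN router's syslog,
# HTTPS to the ASA ('http server enable' is in the posted config), and IKE.
FLOWS = [("udp", 514), ("tcp", 443), ("udp", 500)]

UNSCOPED = [StaticNat(SYSLOG_SRV, OUTSIDE_IF)]                     # the OP's first rule
SCOPED = [StaticNat(SYSLOG_SRV, OUTSIDE_IF, "udp", 514, 514)]      # the accepted solution


def redirected_ports(rules):
    """Set of (proto, port) on the interface IP that end up at the syslog server."""
    return {(p, port) for p, port in FLOWS
            if resolve_inbound(rules, p, OUTSIDE_IF, port)[0] == SYSLOG_SRV}
```

With the unscoped rule every flow to 1.1.1.130 lands on the syslog server, which is what the ASA's warning describes; with the port-scoped rule only udp/514 is redirected and the interface keeps its other services.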