Showing results for 
Search instead for 
Did you mean: 


Pix Firewall Logging Problem

Hi there...

I have problem here with logging message, i want to configure my server to receive syslog from the pix, and add this command

logging host inside tcp/1468

when i entered this command, i can't browse the internet,what is the problem actually? is my config, any help would be appreciated, Thanks


access-list 100 permit ip host

access-list outside_access_in deny icmp any any

access-list outside_access_in deny tcp any any

access-list outside_access_in deny udp any any

pager lines 24

logging on

logging monitor debugging

logging buffered debugging

logging trap debugging

icmp deny any outside

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x

ip address inside

ip audit name ATTACKPOLICY attack action alarm drop

ip audit name INTRUDERINFO info action alarm drop

ip audit interface outside INTRUDERINFO

ip audit interface outside ATTACKPOLICY

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool

pdm location inside

pdm location inside

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list 100

nat (inside) 10 0 0

access-group outside_access_in in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server AuthPIX protocol tacacs+

aaa-server AuthPIX (inside) host TacacsKey timeout 10

aaa-server AuthOut protocol tacacs+

url-server (inside) vendor websense host timeout 5 protocol TCP vers

ion 1

aaa authentication ssh console AuthPIX

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside c:\cisco

floodguard enable

sysopt connection permit-ipsec

auth-prompt reject You're not authorized

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication LOCAL

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup **** address-pool vpnpool

vpngroup **** split-tunnel 100

vpngroup **** idle-time 4800

vpngroup **** password ********

telnet inside

telnet timeout 60

ssh timeout 5

console timeout 0

username xxx password xxxxxx

privilege 2

username xxx password xxxxxx

privilege 15

privilege show level 10 command access-list

privilege configure level 11 command access-list

privilege clear level 12 command access-list


Hi tonny,

There will be problems if you are going to do a syslog , and there is no syslog server on the inside. make sure you enable the syslog on the configured server on the particular port. The NAT translations might not happen if this is wrongly configured.

If you are using TCP as the logging transport protocol, the PIX Firewall stops passing traffic as a security measure if any of the following error conditions occur: the PIX Firewall is unable to reach the syslog server; the syslog server is misconfigured (such as with PFSS, for example); or the disk is full. (UDP-based logging does not prevent the PIX Firewall from passing traffic if the syslog server fails.)

To enable the PIX Firewall to pass traffic again, do the following:


Step 1 Identify and correct the syslog server connectivity, misconfiguration, or disk space error condition.

Step 2 Enter the command logging host inside tcp/1468 to enable the logging again.

Alternately, you can change the logging to default logging on UDP/514 by issuing the command logging host inside UDP-based logging passes traffic even if the syslog server fails.

Its always better to enable the syslog on the switches by doing a SPAN. The command to do that is as follows:

switch(config)#monitor session 1 source interface *** (interface where the PIX inside is connected)

switch(config)#monitor session 1 destination interface *** (interface where the syslog server is connected)

Hope this helps..


Content for Community-Ad