Remote syslog

Tom4620
Level 1

I want to send syslog info from a remote pix506 to a Win2000 pc on a VPN that travels through a pix515. I set the logging on the 506 with the nat address of the Win2000 machine, but when I try to ping from the 506 it doesn't see it.

The Win2000 machine is a Kiwi syslog server for the 515. I configured the 506 to facility 16 and the 515 to facility 20. But if it isn't getting to it .....

Traffic is fine from the remote nat network to our corporate location. Obviously the 506pix can't translate the nat address from itself.

I tried:

where 64.64.64.64 is remote outside ip

172.172.172.172 is Win2000 nat ip

on the 506

access-list 100 permit ip 64.64.64.64 172.172.172.172. 255.255.255.0

and I get:

ERROR: Global address,mask <64.64.64.64,172.172.172.172> doesn't pair

Needless to say I am a novice, any ideas or right way to do this?


gfullage
Cisco Employee

The correct command is:

access-list 100 permit ip host 64.64.64.64 host 172.172.172.172

If the syslog server is behind the 515, and you have a LAN-to-LAN tunnel set up between the 506 and the 515, then include the following access-list in the 506 as part of your crypto ACL:

> access-list permit ip host host

and on the 515 do the opposite:

> access-list permit ip host host

That way everything from the outside address of the 506 (which will be where your syslog traffic is sourced from) going to the syslog server will be encrypted and sent over the tunnel.
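
An added example, not part of the original reply and not Cisco tooling: a small Python check that parses PIX-style `access-list` entries, shows why the entry in the question is rejected (the second address is read as a mask), and flags crypto ACL entries on one peer that have no source/destination-swapped counterpart on the other. The two addresses are the ones used in the thread; the ACL ids 100 and 110 and the sample lines are constructed for illustration.

```python
import ipaddress

def parse_endpoint(tokens):
    """Consume 'any', 'host A' or 'A MASK'; return (network, remaining tokens)."""
    if tokens[:1] == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[:1] == ["host"] and len(tokens) >= 2:
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2:
        raise ValueError("endpoint needs 'host <ip>', 'any' or '<ip> <mask>'")
    # strict parsing: the mask must be valid and the address must have no host bits set
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")
    if str(net.netmask) != tokens[1]:  # reject wildcard-style (inverted) masks
        raise ValueError(f"{tokens[1]} is not a netmask")
    return net, tokens[2:]

def parse_acl(line):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst>' into a dict."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry")
    src, rest = parse_endpoint(t[4:])
    dst, _ = parse_endpoint(rest)
    return {"id": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst}

def entry_error(line):
    """Return None if the entry parses, else the reason it does not."""
    try:
        parse_acl(line)
        return None
    except ValueError as exc:
        return str(exc)

def unmirrored(local_acl, peer_acl):
    """Local permit entries with no src/dst-swapped permit entry on the peer."""
    peer = {(e["proto"], e["src"], e["dst"])
            for e in map(parse_acl, peer_acl) if e["action"] == "permit"}
    return [line for line in local_acl
            if (e := parse_acl(line))["action"] == "permit"
            and (e["proto"], e["dst"], e["src"]) not in peer]

# Constructed sample data: addresses are from the thread, ACL ids 100/110 are assumed.
ASKER_LINE = "access-list 100 permit ip 64.64.64.64 172.172.172.172. 255.255.255.0"
PIX506 = ["access-list 100 permit ip host 64.64.64.64 host 172.172.172.172"]
PIX515_OK = ["access-list 110 permit ip host 172.172.172.172 host 64.64.64.64"]
PIX515_BAD = ["access-list 110 permit ip host 64.64.64.64 host 172.172.172.172"]

if __name__ == "__main__":
    print("entry from the question:", entry_error(ASKER_LINE))
    print("506 entries without a mirror on the 515:", unmirrored(PIX506, PIX515_BAD))
```
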
