Static NAT for sending syslog messages to remote site.

mahesh18
Level 6

Hi Everyone,

If we have two sites and each site has a syslog server.

Site A

Syslog server  IP 192.168.50.1

ASA 1

   Site B

Syslog server IP 192.168.60.1

ASA2

For redundancy purposes, the ASA at each site will send all syslog messages to the syslog server at its site and also to the remote site.

So ASA1 will need to send syslog messages to 192.168.50.1 and 60.1.

The syslog server is on the inside interface of the ASA.

So I need to know: if we do static NAT on the ASA, will this be OK on ASA1 (version 8.2)?

static(inside,outside) UDP 200.x.x.1  syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.2 syslog 192.168.60.1 syslog

So what config should I do on ASA2 at site 2?

Also, if I use a public IP for each static NAT, then I cannot use that IP for any other NAT, right?

Thanks

Mahesh

12 Accepted Solutions

Jouni Forss
VIP Alumni


Hi Mahesh,

You should really try to post the answers and questions here on the discussion. It gets quite confusing reading the information in 2 different places.

So if I should suggest to you which steps to take regarding this Syslog setup configuration:

  • Determine if the Syslog server on either side has a Static NAT or Static PAT configuration
    • Use the command "show xlate | inc "
    • On one site insert its local IP address and on the other site its syslog server's local IP address
  • If you don't see any existing NAT configurations for these Syslog servers then determine if you have spare public IP addresses available that ARE NOT in any kind of use at the moment
  • Configure typical Static NAT using the Syslog server local IP address and the spare public IP address on each site. So one Static NAT per site.
  • On each site configure the "outside" ACL so that it allows Syslog traffic sourced from the remote site's ASA's "outside" interface IP address
  • Configure the "logging host outside " to enable logging to the remote syslog server
  • When the configurations are done, determine if the remote site's ASA's logs are arriving at the other site's Syslog server. Do this on both sites.
  • If it doesn't work, then you have to troubleshoot and determine that the ASA is actually trying to send the syslog traffic and that the remote ASA is allowing this syslog connection through
  • If things work, then we can look at changing this syslog information to go through a L2L VPN connection.

- Jouni

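As an added example (not from this thread or from Cisco), the following Python checker applies the first five steps above to one site's pre-8.3 running configuration: it finds the static NAT or static PAT that publishes the local syslog server, then confirms that an ACL bound inbound on "outside" permits udp/514 from the remote ASA's outside address to the mapped public address. The interface names inside/outside, the RFC 5737 addresses and both sample configurations are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

SYSLOG_PORT = 514  # the ASA keyword "syslog" is an alias for udp/514

@dataclass
class StaticXlate:
    mapped_ip: str   # public address presented on the outside interface
    real_ip: str     # inside host
    proto: str       # "udp"/"tcp" for static PAT, "" for plain static NAT
    port: int        # mapped port for static PAT, 0 for static NAT

# Pre-8.3 "static", ACL and access-group forms, matched after whitespace normalisation.
STATIC_PAT = re.compile(r"^static ?\((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)(?: netmask \S+)?$", re.I)
STATIC_NAT = re.compile(r"^static ?\((\w+),(\w+)\) (\S+) (\S+)(?: netmask \S+)?$", re.I)
ACL_LINE = re.compile(r"^access-list (\S+) (?:extended )?permit udp host (\S+) host (\S+) eq (\S+)$", re.I)
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$", re.I)

def norm(line):
    return " ".join(line.split())

def port_num(tok):
    return SYSLOG_PORT if tok.lower() == "syslog" else int(tok)

def parse_static(line, outside_ip):
    """Parse one 8.2-style static line; the 'interface' keyword maps to outside_ip."""
    line = norm(line)
    m = STATIC_PAT.match(line)
    if m:
        mapped = outside_ip if m.group(4).lower() == "interface" else m.group(4)
        return StaticXlate(mapped, m.group(6), m.group(3).lower(), port_num(m.group(5)))
    m = STATIC_NAT.match(line)
    return StaticXlate(m.group(3), m.group(4), "", 0) if m else None

def check_inbound_syslog(config, outside_ip, server_ip, remote_asa_ip):
    """Can remote_asa_ip deliver udp/514 to server_ip through this site's ASA? -> (ok, findings)"""
    findings = []
    xlates = [x for x in (parse_static(l, outside_ip) for l in config)
              if x and x.real_ip == server_ip and (not x.proto or (x.proto == "udp" and x.port == SYSLOG_PORT))]
    if not xlates:
        findings.append(f"no static NAT/PAT publishes {server_ip} for udp/{SYSLOG_PORT}")
        return False, findings
    xlate = xlates[0]
    findings.append(f"{'static PAT' if xlate.proto else 'static NAT'}: {xlate.mapped_ip} -> {server_ip}")
    # Pre-8.3 ACLs reference the mapped (public) address, and an ACL only takes
    # effect once access-group binds it inbound on the outside interface.
    applied = {m.group(2).lower(): m.group(1) for m in (ACCESS_GROUP.match(norm(l)) for l in config) if m}
    outside_acl = applied.get("outside")
    if outside_acl is None:
        findings.append("no ACL is applied inbound on interface outside")
        return False, findings
    for m in (ACL_LINE.match(norm(l)) for l in config):
        if (m and m.group(1) == outside_acl and m.group(2) == remote_asa_ip
                and m.group(3) == xlate.mapped_ip and port_num(m.group(4)) == SYSLOG_PORT):
            findings.append(f"ACL {outside_acl} permits udp {remote_asa_ip} -> {xlate.mapped_ip} eq syslog")
            return True, findings
    findings.append(f"ACL {outside_acl} lacks permit udp host {remote_asa_ip} host {xlate.mapped_ip} eq syslog")
    return False, findings

# Constructed sample configs; RFC 5737 addresses stand in for the thread's 200.x.x.x placeholders.
SITE_A = """
static (inside,outside) 198.51.100.10 192.168.50.1 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit udp host 203.0.113.1 host 198.51.100.10 eq syslog
access-group OUTSIDE-IN in interface outside
logging host outside 203.0.113.10
""".splitlines()
SITE_B = """
static (inside,outside) udp interface syslog 192.168.60.1 syslog netmask 255.255.255.255
access-list OUTSIDE-IN extended permit udp host 198.51.100.1 host 203.0.113.1 eq syslog
logging host outside 198.51.100.10
""".splitlines()
if __name__ == "__main__":
    print(check_inbound_syslog(SITE_A, "198.51.100.1", "192.168.50.1", "203.0.113.1"))
    print(check_inbound_syslog(SITE_B, "203.0.113.1", "192.168.60.1", "198.51.100.1"))
```

Site B in the sample deliberately has the ACL line but no access-group, the kind of half-finished configuration the troubleshooting step above would otherwise have to find by hand.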

Hi,

So you are saying that both sites' ASAs have Static NAT for the site's Syslog server? If this is correct then the Syslog server can be reached from the Internet.

After this you would have to create an ACL rule on the "outside" interface ACL to allow syslog traffic from the remote site's ASA's "outside" interface IP address to the local syslog server public IP address. You would configure ACL rules on both sites to allow the other site's ASA to send Syslog to the public IP address of that site's Syslog server.

When that is done you could enable syslogging on each site's ASA (towards the other site's syslog server)

logging host outside

And if everything is fine, you should be able to get syslog messages from both ASAs to both Syslog servers.

And as I said before, after we confirm that the logs are going through from each site to the other then we could move this traffic to a L2L VPN connection.

In short, the purpose of these very first steps is to

  • Make sure that both sites have a public IP address for the server configured
  • Confirm that both sites have an ACL rule that allows the syslog messages coming from the other site
  • Configure each ASA to send syslogs through the "outside" interface also to the other site's syslog server
  • Eventually move this traffic to the L2L VPN between the sites

- Jouni


Hi Mahesh,

I had no idea that you have a L2L VPN/GRE connection through some other routers in the network. I presumed that you had a L2L VPN connection between the ASA firewalls directly. This again naturally changes the setup completely.

Does each of your ASAs have a route towards the remote syslog server yet? Are you perhaps running dynamic routing between the sites as you are using IPsec + GRE?

What is the IP address/network of the interface of the ASA that has the route (or will have the route after it is configured) for the remote site's syslog server?

Basically you should first confirm that each site has a route towards the other site's syslog server network. You would also have to confirm that each site has a route for the network that is connected to the ASA interface from which you want to send the syslogs to the other site.

You should be able to use the "show route" command on the ASAs and "show ip route" command on the router side to determine if the routing information needed is already there. If not, then some additions to the routing have to be made for each ASA to be able to send syslog to the other side.

- Jouni


22 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

So if I understood you correctly you have the following

  • 2 sites with ASA firewalls
  • Both sites have their own Syslog servers
  • You want to send Syslogs from each ASA to its local Syslog server and also to the remote Syslog server

If this is correct then I would imagine you can use the Static PAT / Port Forward configuration on each ASA to enable the remote site ASA to send Syslogs through the public network to the syslog server.

I would consider doing this through a L2L VPN connection though, so you are not sending Syslog in the public network.

This would naturally include more configurations required BUT if you want to test this setup in some lab setup then I don't see a problem with it for testing purposes. From what I remember from our previous discussions, you have been acquiring ASAs for your own test lab to learn more about the firewalls?

Are we talking about a lab environment with this Syslog setup OR is this for a real production network?

- Jouni

Oh,

And forgot to answer the other question.

You can use a single public IP address to both provide Internet access to LAN users with Dynamic PAT and also configure Static PAT like you have shown in your post.

These don't rule each other out.

- Jouni

Hi Jouni,

Here I am talking about a production network.

Where two sites are connected via a WAN link.

So the commands which I mentioned earlier are more like static NAT, right?

Thanks

Mahesh

Hi,

The configuration you mentioned

static(inside,outside) UDP 200.x.x.1  syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.2 syslog 192.168.60.1 syslog

are Static PAT, which in other words means Static Port Address Translation. Or an even more common name used for this type of NAT is Port Forwarding.

So if we take the 2 Static PAT configurations above:

Site 1

static(inside,outside) udp 200.x.x.1  syslog 192.168.50.1 syslog

  • Would forward any Syslog traffic coming towards the public IP address of 200.x.x.1 to the inside IP address of 192.168.50.1

Site 2

static(inside,outside) udp 200.x.x.2 syslog 192.168.60.1 syslog

  • Would forward any Syslog traffic coming towards the public IP address of 200.x.x.2 to the inside IP address of 192.168.60.1

The above coupled with the needed ACLs on each site's "outside" interface would allow you to send Syslog from one site to the Syslog server on the other site. Naturally you also need the "logging" configurations so that the ASA knows where to send the Syslogs.

But I would again have to say that I would personally rather transfer this Syslog traffic through a L2L VPN connection between the sites so the Syslogs wouldn't be visible to anyone else on the public network.

- Jouni

Hi Jouni,

If I configure the below on Site 1 ASA

static(inside,outside) UDP 200.x.x.1 syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.2 syslog 192.168.60.1 syslog

Need to confirm below

So this will forward the traffic coming from Site 2 to Site 1?

Site 2

static(inside,outside) UDP 200.x.x.3 syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.4 syslog 192.168.60.1 syslog

This will forward the traffic coming from Site 1 to Site 2, right?

Also, I need to know: I read that static NAT is bidirectional.

So is this static PAT also bidirectional?

Also, we have a VPN connection between the 2 sites.

Thanks

Mahesh

Hi,

You don't need 2 Static PAT configurations on both sites. You just need a single Static PAT configuration on each site to enable the local Syslog server to be reached through the Internet.

So if Site 1 has a Syslog server with the IP address of 192.168.50.1 then you configure a Static PAT configuration for that on its local firewall, and if Site 2 has a Syslog server with the IP address of 192.168.60.1 then you configure a Static PAT configuration for that on its local firewall.

Are you using the "outside" interface IP address on each site OR do you have spare public IP addresses that can be used only for the Syslog servers?

If you only have the single public IP address of the ASA "outside" interface then you have to use Static PAT. If you have spare IP addresses then you can use Static NAT.

Static PAT using the "outside" interface IP address would be configured with

Site 1

static (inside,outside) udp interface syslog 192.168.50.1 syslog netmask 255.255.255.255

Site 2

static (inside,outside) udp interface syslog 192.168.60.1 syslog netmask 255.255.255.255

I think you should probably try sending some logs through the Internet first and when that is working correctly then it will be easier to handle the L2L VPN configurations to support sending the logs through the VPN connection.

With regards to the bidirectionality of the NAT. Notice that we are talking about UDP and sending Syslogs. The other ASA will send Syslogs through the other ASA to the Syslog server there. The UDP traffic only has to go through the remote site ASA and since we are talking about UDP traffic there is no bidirectional traffic in Syslog's case. The Syslog server doesn't need to send anything to the ASA (to my knowledge at least).

The Static PAT should work just fine for you. As I said, if you have spare public IP address that we can dedicate for each Syslog server on each site THEN you can also use Static NAT.

- Jouni

Hi Jouni,

We have a public IP to be used for the syslog server.

Also, if I configure, say, each line on each site

Site A

static (inside,outside) udp 200.x.x.x syslog 192.168.50.1 syslog netmask 255.255.255.255

how will syslog messages from site A devices go to the syslog server at site B?

Thanks

Mahesh

Hi,

Ok, so you say that you have a spare public IP address to be dedicated to ONLY be used for the Syslog server; then you can configure Static NAT instead of Static PAT.

So the Static NAT configuration would be

static (inside,outside) 200.x.x.x  192.168.50.1 netmask 255.255.255.255

Then you would have to have an ACL rule permitting the inbound Syslog traffic from the remote site

access-list OUTSIDE-IN permit udp host y.y.y.y host 200.x.x.x eq syslog

Where

  • y.y.y.y = Is the public IP address of the remote site ASA. The remote ASA will use its "outside" interface IP address as the source for the syslog messages it sends.
  • 200.x.x.x = Is the public IP address used for the Syslog server Static NAT

Presuming of course your current "outside" interface ACL is named OUTSIDE-IN. You naturally use the name of the ACL you have in use.

So the above are the configurations on Site A. This enables the Site B ASA to send Syslogs to the server at Site A.

For the same to work for Syslogs from Site A ASA to Site B Syslog server you need configurations on Site B ASA also.

static (inside,outside) 200.x.x.x  192.168.60.1 netmask 255.255.255.255

access-list OUTSIDE-IN permit udp host y.y.y.y host 200.x.x.x eq syslog

Where

  • y.y.y.y = Is the public IP address of the remote site ASA. The remote ASA will use its "outside" interface IP address as the source for the syslog messages it sends.
  • 200.x.x.x = Is the public IP address used for the Syslog server Static NAT

- Jouni

Hi Jouni,

The setup which we have here has different public IPs at sites A and B.

For site A

static (inside,outside) 200.x.x.2 192.168.50.1 netmask 255.255.255.255

Site B

static (inside,outside) 200.x.x.3 192.168.60.1 netmask 255.255.255.255

So I mean to say that the public IPs are different at both sites.

Is this possible?

Thanks

Mahesh

Hi Mahesh,

Yes, of course the public IP addresses are different on the sites. I guess I could have changed the IP addresses a bit in the configuration commands I mentioned. For example 200.x.x.x and 200.y.y.y.

So as I said it would probably be best that you first configure the Static NAT (as you seem to have a spare public IP address that you can dedicate to the Syslog server on each site) and configure ACLs that allow the traffic from the other ASA's public IP address.

When the NAT and ACL are configured correctly then you could try adding the "logging" configurations and start confirming that Syslogs from each site arrive at the remote site Syslog server.

When you have confirmed that this configuration is working correctly THEN we could temporarily remove the logging to the remote site and start looking at the L2L VPN configurations required so that you can move the Syslog traffic to the L2L VPN between the 2 sites that you say already existed. So one step at a time.

Do you have enough information to configure the Static NAT for the Syslog server on each site?

When the NAT and ACL are done you should be able to use the command

logging host outside

The ASA might give a warning about the "security-level" value of the interface "outside" but this is to be expected as the ASA warns you that you are about to send Syslog information through an interface behind which the network is not secured by the ASA and in a sense secured.

- Jouni

Hi Jouni,

I have sent you a message, please read.

Thanks

Mahesh

Hi Mahesh,

I will answer here on the forums to your message.

The "logging" command you posted was a bit wrong.

The reason is that the one server is local and is naturally located on the "inside" BUT the other, remote site Syslog server would need the interface set to "outside" as it's located behind that interface.

My intention was to first get your NAT, ACL and Logging configurations in order for you to confirm through the Internet that the logs were arriving at the remote site server.

As soon as that is working you can temporarily disable the syslog sending to the remote site through "outside" and THEN we can start looking into adding the L2L VPN related configurations so you can have the ASAs send that syslog information to the remote site through a protected L2L VPN connection.

I just try to keep the configuration changes as simple as possible and confirm that the basics are working before trying something more complicated.

- Jouni

Also,

On each ASA you will of course have to use the remote Syslog server's public NAT IP address in the "logging" command.

- Jouni

Hi,

The IP addresses you mention in the message sent through the forums might be configured with Static NAT, so you should look through your "show run static" on the ASA to find the translations.

Or you can use "show run static | inc x.x.x.x" where the "x.x.x.x" is the public IP address.

- Jouni
