Syslogging from ASA5505 and PIX-506 over IPSEC Tunnel

smunzani
Level 1

Hi,

I have a customer with many remote sites using either an ASA5505 or a PIX-506. There is an IPSEC tunnel to each remote site from the hub site. The remote site doesn't have a server. The goal is to send syslog and traps to the server located at the main site.

The encryption domain is the inside interface subnet at each site. I didn't find any command that syslogs or sends traps with the source IP being the inside interface.

Any ideas?

8 Replies

acomiskey
Level 10

Add the outside interface of the remote fw to the interesting traffic of the vpn tunnel. Then refer to the logging/snmp host as outside. Here's the link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

It's not a clean way, but I guess the only way.

I was hoping it would work like NetScreen firewalls, where you can tell the firewall to source the syslog from the inside interface even though the destination is somewhere on the outside. That way you don't have to fiddle with interesting traffic.

Hopefully some customer with good leverage submitted a PERS to Cisco ;-). I always wondered why companies don't put a "Wish List" link on their website. They could collect a lot of good ideas for free :-)

Thanks,

Sam

By the way, the example URL has a little mistake in it. The ACL should be like below.

access-list 101 permit tcp host 192.168.1.2 eq 161 host 172.18.124.112
access-list 101 permit udp host 192.168.1.2 eq 161 host 172.18.124.112
access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 514

For traps and syslog the ACL is correct. However, the replies for snmpget would be in reverse port order, e.g. the main site making calls to the public IP of the remote box on port 161.

I am surprised it worked for the Cisco engineer who wrote the document and posted it as a configuration example.

^^ Agreed.

Also, what are these for then on the local PIX?

access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 514

The snmp/syslog server is not sending traps or syslog to the remote PIX.

owensgl
Level 1

The below command will work:

logging source-interface

Greg Owens

^^ That's for IOS; he's got ASA/PIX.

I agree with you if this were a router. These are ASA5505s and PIX-506s. There is no such command as "logging source-interface".

Detroit-ASA5505(config)# logging ?

configure mode commands/options:
  asdm                      Set logging level or list for ASDM
  asdm-buffer-size          Specify ASDM logging buffer size
  buffer-size               Specify logging memory buffer size
  buffered                  Set buffer logging level or list
  class                     Specify logging event class
  console                   Set console logging level or list
  debug-trace               Enable logging of redirect debug-trace output to
                            syslog
  device-id                 Specify the device-id to be included in all
                            non-EMBLEM formatted syslog messages
  emblem                    Enable logging Emblem format on all output
                            supported destinations
  enable                    Enable logging to all output supported destinations
  facility                  Specify the syslog facility, the default is 20
  flash-bufferwrap          Save logging buffer to flash when buffer
                            wrap-around
  flash-maximum-allocation  Specify logging maximum flash space allocation
  flash-minimum-free        Specify logging minimum flash free space threshold
  from-address              Specify the from address for the mail logging
  ftp-bufferwrap            Save logging buffer using FTP when buffer
                            wrap-around
  ftp-server                Specify FTP server parameters
  history                   Set the SNMP message level or list for sending
                            syslog traps
  host                      Send syslog messages to a host
  list                      Specify logging event list
  mail                      Set mail logging level or list
  message                   Specify a message to be allowed
  monitor                   Specify that syslog messages appear on Telnet
                            sessions to the Firewall console
  permit-hostdown           Allow new connection even if TCP syslog server is
                            down
  queue                     Specify queue size for storing syslog messages,
                            default is 512, 0 means unlimited (subject to
                            available memory)
  rate-limit                Specify logging rate-limit parameters
  recipient-address         Specify the mail logging recipient address and
                            level
  standby                   Enable logging on standby unit with failover
                            enabled, warning: this option causes twice as much
                            traffic on the syslog server
  timestamp                 Enable logging timestamp on syslog messages
  trap                      Set logging level or list for syslog server

Hello,

You have to configure the management access interface on the inside LAN and it should work...

management-access
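As an added illustration of the management-access approach in the reply above, combined with the inside-subnet encryption domain the question describes, here is a hypothetical remote-site ASA 5505 configuration; it is not from this thread or from Cisco's example document, and the addresses, ACL name and community string are placeholders (the hub peer and crypto map are assumed to already exist).

```cisco
! Added example: hypothetical remote-site ASA 5505 configuration.
! Addresses, names and the community string are placeholders, not values
! from this thread or from Cisco's configuration example.

! Inside interface; its subnet is the encryption domain (as in the question).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0

! Crypto ACL (interesting traffic): remote inside subnet <-> hub server subnet.
! Syslog/SNMP packets sourced from the inside address 192.168.10.1 already
! match this ACL, so the outside interface does not have to be added to it.
access-list VPN-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0

! Allow the inside interface to be reached, and used as a source, across the
! tunnel. This is the command the last reply refers to.
management-access inside

! Point the syslog and SNMP hosts at the inside interface so the firewall
! sources these packets from 192.168.10.1; they are then encrypted by the tunnel.
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.50
snmp-server host inside 10.0.0.50 community EXAMPLE-COMMUNITY version 2c
snmp-server enable traps snmp authentication linkup linkdown coldstart

! Verification from the CLI (not configuration):
!   show logging          - confirms the trap level and the configured host
!   show crypto ipsec sa  - encaps counters toward 10.0.0.0/24 should increase
!                           as syslog messages are sent to 10.0.0.50
```

If the hub side already sends SNMP polls to the remote unit's public address, as the ACL discussion earlier in the thread describes, those polls still arrive on the outside interface and are unaffected by this change.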
