05-19-2005 08:26 AM - edited 03-09-2019 11:19 AM
We have an external 2610 router with an Internet connection. The Ethernet port of the router is connected to a 4000 switch on our External VLAN (VLAN 100). The PIX has three interfaces, External, DMZ and Internal. We have a working syslog server (Kiwi Syslog on a Windows server) on the internal network. What is best practice for sending syslog messages to the internal server? I was thinking I could set up a static translation on the PIX and configure the router to send syslog to that address, the PIX would translate it to the internal address and send it to the syslog server. Is there a better/more secure way to do it? I don't want to put another server on the outside VLAN for syslog.
05-22-2005 07:06 AM
That is exactly how I do it. Static NAT to the internal syslog server, then an access-list allowing only the firewall to that IP. Also, I have a client for whom I have set up an interface just for management purposes. You could do that as well.
05-26-2005 11:21 AM
Thanks. I tried it and am having a few problems. The IPs are just examples.
- The Internet T1 is connected to my router; the FastEthernet port of the router (12.1.1.1) is connected to the external VLAN on the core switch.
- The firewall is connected to the external and internal VLANs on the core switch.
- The syslog server is connected to the internal VLAN on the core switch.
On the firewall I created a static NAT (static 12.1.1.2 10.1.1.5).
The firewall has an ACL called "outside_access_in" and I modified that ACL (permit udp host 12.1.1.1 host 12.1.1.2 eq 514).
Then I configured the router to log to 12.1.1.2 using local6 as the facility.
I am not getting syslog messages from the router. The firewall is successfully logging to the syslog server. I'm probably overlooking something really simple, but any suggestions would be appreciated.
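The setup described in the two posts above (static translation on the PIX, an ACL that admits only the router, router logging to the translated address), written out as a complete configuration with the checks a practitioner would run. This is an added example, not configuration from either poster; it assumes PIX 6.x syntax with interfaces named "outside" and "inside", the router's external port is FastEthernet0/0, and it reuses the thread's example addresses (12.1.1.1 router, 12.1.1.2 translated syslog address, 10.1.1.5 real syslog server).

```cisco
! ---- PIX (assumed 6.x syntax, interface names "outside"/"inside" assumed) ----
! One-to-one static: packets sent to 12.1.1.2 on the outside reach 10.1.1.5 inside.
static (inside,outside) 12.1.1.2 10.1.1.5 netmask 255.255.255.255 0 0
! Admit only the router, only UDP/514, only to the translated address.
! Syslog over UDP is unauthenticated, so the source restriction is the whole control.
access-list outside_access_in permit udp host 12.1.1.1 host 12.1.1.2 eq 514
! The ACL does nothing until it is bound to the interface.
access-group outside_access_in in interface outside

! ---- Router (IOS; FastEthernet0/0 is an assumed interface name) ----
logging on
logging facility local6
! Severity 6 and below; raise to "debugging" only while troubleshooting.
logging trap informational
! Pin the source address so it matches the "host 12.1.1.1" line in the PIX ACL.
logging source-interface FastEthernet0/0
logging 12.1.1.2

! ---- Verification ----
! Router: shows the trap level, the configured host and the count of messages sent.
show logging
! PIX: the static translation should appear as an xlate entry for 12.1.1.2/10.1.1.5.
show xlate
! PIX: the hitcnt on the permit line should increase as the router sends messages;
! a zero hitcnt with messages leaving the router means they arrive with a
! different source address or port than the ACL permits.
show access-list outside_access_in
```

Usage note: the most common reason for a zero hit count is that the router sources syslog from an interface other than the one whose address the ACL permits, which `logging source-interface` fixes. If the hit count climbs but nothing reaches Kiwi, check that the server is listening on UDP 514 and that its host firewall admits traffic from the PIX inside address.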