cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
306
Views
10
Helpful
1
Replies

Pix Firewall Logging Problem

tonny_ecmyy
Level 1
Level 1

Hi there...

I have problem here with logging message, i want to configure my server to receive syslog from the pix, and add this command

logging host inside 192.168.1.2 tcp/1468

when i entered this command, i can't browse the internet,what is the problem actually?..here is my config, any help would be appreciated, Thanks

Tonny

access-list 100 permit ip host 192.168.1.9 192.168.100.0 255.255.255.0

access-list outside_access_in deny icmp any any

access-list outside_access_in deny tcp any any

access-list outside_access_in deny udp any any

pager lines 24

logging on

logging monitor debugging

logging buffered debugging

logging trap debugging

icmp deny any outside

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.0.0.0

ip address inside 192.168.1.1 255.255.255.0

ip audit name ATTACKPOLICY attack action alarm drop

ip audit name INTRUDERINFO info action alarm drop

ip audit interface outside INTRUDERINFO

ip audit interface outside ATTACKPOLICY

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 192.168.100.1-192.168.100.254

pdm location 192.168.1.9 255.255.255.255 inside

pdm location 192.168.1.2 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list 100

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server AuthPIX protocol tacacs+

aaa-server AuthPIX (inside) host 192.168.1.2 TacacsKey timeout 10

aaa-server AuthOut protocol tacacs+

url-server (inside) vendor websense host 192.168.1.2 timeout 5 protocol TCP vers

ion 1

aaa authentication ssh console AuthPIX

http server enable

http 192.168.1.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 192.168.1.2 c:\cisco

floodguard enable

sysopt connection permit-ipsec

auth-prompt reject You're not authorized

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication LOCAL

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup **** address-pool vpnpool

vpngroup **** split-tunnel 100

vpngroup **** idle-time 4800

vpngroup **** password ********

telnet 192.168.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

console timeout 0

username xxx password xxxxxx

privilege 2

username xxx password xxxxxx

privilege 15

privilege show level 10 command access-list

privilege configure level 11 command access-list

privilege clear level 12 command access-list

1 Reply 1

sachinraja
Level 9
Level 9

Hi tonny,

There will be problems if you are going to do a syslog , and there is no syslog server on the inside. make sure you enable the syslog on the configured server on the particular port. The NAT translations might not happen if this is wrongly configured.

If you are using TCP as the logging transport protocol, the PIX Firewall stops passing traffic as a security measure if any of the following error conditions occur: the PIX Firewall is unable to reach the syslog server; the syslog server is misconfigured (such as with PFSS, for example); or the disk is full. (UDP-based logging does not prevent the PIX Firewall from passing traffic if the syslog server fails.)

To enable the PIX Firewall to pass traffic again, do the following:

--------------------------------------------------------------------------------

Step 1 Identify and correct the syslog server connectivity, misconfiguration, or disk space error condition.

Step 2 Enter the command logging host inside 10.1.1.1 tcp/1468 to enable the logging again.

Alternately, you can change the logging to default logging on UDP/514 by issuing the command logging host inside 10.1.1.1. UDP-based logging passes traffic even if the syslog server fails.

Its always better to enable the syslog on the switches by doing a SPAN. The command to do that is as follows:

switch(config)#monitor session 1 source interface *** (interface where the PIX inside is connected)

switch(config)#monitor session 1 destination interface *** (interface where the syslog server is connected)

Hope this helps..

Raj

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: