Solved

Router and syslog server

Posted on 2013-01-27
16
663 Views
Last Modified: 2013-02-03
Hello,
Please find the attached diagram. I have a Cisco router and an ASA firewall, and I need to send syslog messages from the router to the syslog server, which is directly attached to the firewall via a switch. Now, I can ping from the syslog server to the router, but I can't ping from the router to the syslog server. How can I enable traffic to flow from the router to the syslog server?
network diagram
Question by:omar07
16 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38825695
You need to add that traffic to the outside interface ACL to permit traffic initiated from the router to the syslog server. The other requirement is either a NAT to be defined or a NAT exemption (no nat).

Another option is to create a sub-interface on the router, another interface on the firewall, and use that to pass traffic. The first option is usually easier.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38825756
Post your config pls
0
 

Author Comment

by:omar07
ID: 38825774
I tried this config:
access-list syslog-messages extended permit ip host 209.165.135.1 any (router attached to outside int)
access-group syslog-messages in int outside

static (users,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
and it's still not working.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38825796
You need to create a static NAT for your log server with a dedicated Outside IP address

static (users,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 - this is not correct

static (users,outside) outside_ip_address log_server_ip netmask 255.255.255.255 - this is how it should be
0
 

Author Comment

by:omar07
ID: 38825961
I tried the following config in the ASA:
access-list syslog-messages extended permit ip host 209.165.135.1 any (the IP of the router)
access-group syslog-messages in int outside

static (users,outside) 209.165.135.1 192.168.220.1 netmask 255.255.255.255

It's still not working; I can't even ping from the router to the syslog server.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 38834600
For this to work you need:

1. An inbound NAT / PAT rule from interface outside to users. For example:

static (users,outside) udp 1.2.3.1 514 192.168.220.1 514 netmask 255.255.255.255

Or:

static (users,outside) 1.2.3.1 192.168.220.1 netmask 255.255.255.255

Where 1.2.3.1 is an IP you can present on your firewall (or the interface IP). Alternatively, you can present this on the interface IP as follows:

static (users,outside) udp interface 514 192.168.220.1 514 netmask 255.255.255.255

2. An access rule applying to inbound traffic on the outside interface:

access-list acl_outside_in permit udp host 2.3.4.2 host 1.2.3.1 eq 514
access-group acl_outside_in in interface outside

Where 2.3.4.2 is the router IP and 1.2.3.1 is the address you're using in the NAT rule to present syslog on the outside interface. Obviously you can make the ACL name whatever you please.

Logging should show you hits on the rule if it's actually getting that far.

Chris
0
 

Author Comment

by:omar07
ID: 38838518
Hello,
I tried the following:
static (users,outside) interface syslog_server netmask 255.255.255.255
access-list acl_outside_in extended permit ip host router_ip host syslog_server
access-list acl_outside_in extended permit ip any any
access-group acl_outside_in in interface outside
I still can't ping from the router to the syslog server.
I'd like to note that I'm configuring global outside and inside NAT for the internet connection.

Thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 38839009
This rule won't work if "syslog_server" is the private IP:

 access-list acl_outside_in extended permit ip host router_ip host syslog_server

Cisco firewalls process access lists first, then perform NAT.

However, this one should be catching:

 access-list acl_outside_in extended permit ip any any

So, are you getting any hits on that rule (show access-list acl_outside_in)? Have you got any log entries to do with the inbound traffic (show log)?

I forget if it applies, but we may as well consider it. What security levels have you applied to each of the interfaces this is to traverse?

Chris
0
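To make the ordering Chris describes concrete, here is an added Python model (not Cisco code and not from the thread) of how a pre-8.3 ASA, the release family that uses the `static (users,outside)` syntax seen in this thread, handles a packet arriving on the outside interface: the interface ACL is evaluated against the packet exactly as received, with the mapped (public) destination, and only a permitted packet reaches the static lookup that rewrites the destination to the private address. The router address 209.165.135.1 and syslog server address 192.168.220.1 are the ones used earlier in the thread; the outside interface address 203.0.113.1 is an assumed value.

```python
"""Model of how a pre-8.3 Cisco ASA (the 'static (users,outside)' syntax used
in this thread) handles a packet arriving on the outside interface: the
interface ACL is evaluated against the packet as received, i.e. with the
mapped (public) destination, and only a permitted packet reaches the static
lookup that rewrites the destination to the private address.
Constructed example, not Cisco code.  209.165.135.1 (router) and
192.168.220.1 (syslog server) are the thread's addresses; 203.0.113.1 is an
assumed outside interface address."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROUTER_IP = "209.165.135.1"       # from the thread
OUTSIDE_IF_IP = "203.0.113.1"     # assumed ASA outside interface address
SYSLOG_REAL_IP = "192.168.220.1"  # from the thread: private syslog server
SYSLOG_PORT = 514

@dataclass(frozen=True)
class Ace:
    """One access-list entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or an address / prefix
    dst: str
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Static:
    """A 'static (users,outside)' entry; proto/ports are set for a port static."""
    mapped: str                  # address presented on the outside interface
    real: str                    # private address behind the users interface
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str                     # destination exactly as it arrives (mapped)
    dport: Optional[int] = None

def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)

def _static_matches(st: Static, pkt: Packet) -> bool:
    if st.mapped != pkt.dst:
        return False
    if st.proto is None:         # address-only static covers every protocol/port
        return True
    return st.proto == pkt.proto and st.mapped_port == pkt.dport

def evaluate_inbound(acl: List[Ace], statics: List[Static], pkt: Packet
                     ) -> Tuple[str, Optional[Tuple[str, Optional[int]]]]:
    """Return (verdict, translated (real_ip, real_port) or None).

    Step 1: first matching ACE wins, implicit deny at the end.  The ACL sees
    the mapped destination, so an ACE naming the private syslog address never
    matches a packet from the router.
    Step 2: a matching static rewrites the destination to the real address."""
    for ace in acl:
        if _ace_matches(ace, pkt):
            if ace.action == "deny":
                return ("denied-by-acl", None)
            break
    else:
        return ("denied-by-acl", None)
    for st in statics:
        if _static_matches(st, pkt):
            port = st.real_port if st.real_port is not None else pkt.dport
            return ("permitted", (st.real, port))
    return ("permitted-no-translation", None)

# Constructed flow: the router sending syslog to the ASA's outside interface IP.
SYSLOG_FROM_ROUTER = Packet("udp", ROUTER_IP, OUTSIDE_IF_IP, SYSLOG_PORT)

# 'static (users,outside) interface syslog-server netmask 255.255.255.255'
ADDRESS_STATIC = [Static(OUTSIDE_IF_IP, SYSLOG_REAL_IP)]
# 'static (users,outside) udp interface 514 syslog-server 514 netmask 255.255.255.255'
PORT_STATIC = [Static(OUTSIDE_IF_IP, SYSLOG_REAL_IP, "udp", 514, 514)]

# ACE written against the private address: never matches on outside.
ACL_PRIVATE_DST = [Ace("permit", "ip", ROUTER_IP, SYSLOG_REAL_IP)]
# ACE written against the mapped address and limited to syslog.
ACL_MAPPED_DST = [Ace("permit", "udp", ROUTER_IP, OUTSIDE_IF_IP, SYSLOG_PORT)]
# The thread's catch-all.
ACL_ANY = [Ace("permit", "ip", "any", "any")]

if __name__ == "__main__":
    for name, acl in (("private-dst", ACL_PRIVATE_DST),
                      ("mapped-dst", ACL_MAPPED_DST), ("any-any", ACL_ANY)):
        print(name, evaluate_inbound(acl, ADDRESS_STATIC, SYSLOG_FROM_ROUTER))
```

Running it shows the private-address ACE being skipped while the mapped-address ACE and the `any any` ACE both permit and translate the flow. The mapped-address form is the one to keep once things work: it admits only UDP/514 from the router, whereas `permit ip any any` on the outside interface admits everything the static exposes.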
 

Author Comment

by:omar07
ID: 38846148
Hello,
The syslog server has a private IP address; the outside interface of the firewall is 0 and the users interface is 90. I configured the following in the firewall:

static (users,outside) interface syslog-server netmask 255.255.255.255
access-list acl_outside_in extended permit ip any any
access-group acl_outside_in in interface outside

and I did not get any hit count on the access-list rule when I ping the syslog server; however, I can ping the outside interface of the firewall.
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 38846612
You'll never be able to ping the syslog server IP from outside; I only say this because you're differentiating that from pinging the firewall IP. I've attached a little diagram to attempt to help.

I think PAT might be significantly easier to debug here than NAT considering we're sharing the interface IP. Can you set it up to translate TCP/99 (arbitrary choice on my part) to TCP/22 (SSH):

static (users,outside) tcp interface 99 syslog-server 22 netmask 255.255.255.255

Using 99 here frees us from potential conflicts with the firewall, it may be listening for SSH connections depending on your configuration.

Then from outside (the router if possible) telnet to the public IP (of your ASA) on port 99 and see if you get a connection.

Once you've done that, review the access-list hit counter, and see if you're getting anything in the NAT table (show xlate). Logs may show you traffic being dropped, so you should review those when you can.

Finally, I made the assumption that you have something listening on TCP/22 on the syslog server. Ultimately it doesn't particularly matter whether you do or not, as long as we're able to see the flow being permitted by the firewall.

Chris
NAT.png
0
 

Author Comment

by:omar07
ID: 38848189
Hello,
Now I'm able to get hits on the access-list rule, but first I had to add a route in the router to the log server, something like:
ip route syslog-server firewall-interface 1
After that I started to get hit counts on the access-list:
access-list acl_outside_in extended permit udp host router-ip host syslog-server eq syslog log
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 38848296
Excellent, that is good news. It looks like you're not using the NAT rule in that case, but that's fine. You might consider killing the inbound NAT rule if you're routing in like that.

Chris
0
 

Author Comment

by:omar07
ID: 38848440
I'm still getting this error; or shall I post a new question, since I already closed this case?

Feb 03 2013 14:10:43: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:router-ip/64661 dst users:log-server/514 denied due to NAT reverse path failure
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 38848445
If you've set up routing from the router to 192.168.1.220 you can kill off the inbound NAT rule as you're not using it. That should get rid of the error message above as well.

Chris
0
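As an added example (not part of the thread and not a Cisco tool), here is a small Python triage helper for ASA syslog lines of the kind quoted above. It re-joins records that a terminal wrapped at 80 columns, which is exactly what happened to the quoted %ASA-5-305013 line ("forward an" / "d reverse"), parses the message id and the `src ifc:ip/port dst ifc:ip/port` pair, and reports the messages a defender checks when an inbound static/ACL pair misbehaves. The sample log lines are constructed in the style of the real messages; 305013, 106023, 305005 and 302015 are real ASA message ids, and the thread's `router-ip` and `log-server` placeholders are replaced by the addresses used earlier in the thread (209.165.135.1 and 192.168.220.1). 198.51.100.7 is a made-up second source.

```python
"""Parser and triage helper for Cisco ASA syslog lines like the %ASA-5-305013
message quoted in this thread.  Constructed example, not Cisco code.  The
sample lines are constructed in the style of the real messages; 209.165.135.1
(router) and 192.168.220.1 (syslog server) are the thread's addresses and
198.51.100.7 is a made-up second source."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")
# 'proto src ifc:ip[/port] dst ifc:ip[/port]' as written in 305013 / 106023.
FLOW = re.compile(
    r"\b(?P<proto>tcp|udp|icmp)\s+src\s+(?P<sif>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))?"
    r"\s+dst\s+(?P<dif>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?", re.IGNORECASE)

# Message ids worth checking when an inbound static/ACL pair misbehaves,
# with the reading a defender would give each one.
KNOWN = {
    "305013": "asymmetric NAT: reverse path does not match the forward rule",
    "106023": "denied by the interface access-list",
    "305005": "no translation group found for the flow",
}

# Constructed sample; the first record is wrapped at 80 columns the way the
# thread's quoted message was (the word 'and' split across two lines).
SAMPLE_LOG = """\
Feb 03 2013 14:10:43: %ASA-5-305013: Asymmetric NAT rules matched for forward an
d reverse flows; Connection for udp src outside:209.165.135.1/64661 dst users:192.168.220.1/514 denied due to NAT reverse path failure
Feb 03 2013 14:11:02: %ASA-4-106023: Deny udp src outside:198.51.100.7/40000 dst users:192.168.220.1/514 by access-group "acl_outside_in" [0x0, 0x0]
Feb 03 2013 14:12:15: %ASA-6-302015: Built inbound UDP connection 4711 for outside:209.165.135.1/64662 (209.165.135.1/64662) to users:192.168.220.1/514 (192.168.220.1/514)
"""

@dataclass
class AsaEvent:
    severity: int
    msgid: str
    proto: Optional[str]
    src: Optional[str]      # "ifc:ip/port" when the message carries a flow
    dst: Optional[str]
    dst_ip: Optional[str]
    text: str

def join_wrapped(raw: str) -> List[str]:
    """Re-join records a terminal wrapped at 80 columns.  Every real record
    carries a '%ASA-' header, so a line without one continues the previous
    record; the wrap dropped no character, so concatenate directly."""
    records: List[str] = []
    for line in raw.splitlines():
        if "%ASA-" in line or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def parse_asa_line(record: str) -> Optional[AsaEvent]:
    """Split one re-joined record into severity, message id and flow tuple."""
    m = HEADER.search(record)
    if not m:
        return None
    proto = src = dst = dst_ip = None
    f = FLOW.search(m["text"])
    if f:
        proto = f["proto"].lower()
        src = f"{f['sif']}:{f['sip']}" + (f"/{f['sport']}" if f["sport"] else "")
        dst = f"{f['dif']}:{f['dip']}" + (f"/{f['dport']}" if f["dport"] else "")
        dst_ip = f["dip"]
    return AsaEvent(int(m["sev"]), m["msgid"], proto, src, dst, dst_ip, m["text"])

def nat_failures(raw: str, dst_ip: str) -> List[Tuple[str, str, str, str]]:
    """(msgid, hint, src, dst) for every known failure message toward dst_ip."""
    hits = []
    for record in join_wrapped(raw):
        ev = parse_asa_line(record)
        if ev is None or ev.msgid not in KNOWN or ev.dst_ip != dst_ip:
            continue
        hits.append((ev.msgid, KNOWN[ev.msgid], ev.src, ev.dst))
    return hits

if __name__ == "__main__":
    for msgid, hint, src, dst in nat_failures(SAMPLE_LOG, "192.168.220.1"):
        print(f"{msgid}: {src} -> {dst}: {hint}")
```

On the sample it reports the 305013 record from the router and the 106023 denial from the unrelated source, and ignores the 302015 "Built" record, which is the message you want to see once the flow works. A 305013 hit against the syslog server is the trace of the situation Chris describes above: the inbound static is still configured but the traffic is now routed in without it, so the forward and reverse lookups disagree; removing the unused static is the fix, and the message should stop.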
