• Status: Solved

Router and syslog server

Hello,
Please find the attached diagram. I have a Cisco router and an ASA firewall, and I need to send syslog messages from the router to the syslog server, which is directly attached to the firewall via a switch. Now, I can ping from the syslog server to the router, but I can't ping from the router to the syslog server. How can I enable traffic to flow from the router to the syslog server?
network diagram
Asked by: omar07
1 Solution
 
rauenpc commented:
You need to add that traffic to the outside interface ACL to permit traffic initiated from the router to the syslog server. The other requirement is either a NAT to be defined or a NAT exemption (no nat).

Another option is to create a sub-interface on the router, another interface on the firewall, and use that to pass traffic. The first option is usually easier.
 
fgasimzade commented:
Post your config please.
 
omar07 (Author) commented:
I tried this config:
access-list syslog-messages extended permit ip host 209.165.135.1 any (router attached to outside int)
access-group syslog-messages in int outside

static (users,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
and it is still not working.
 
fgasimzade commented:
You need to create a static NAT for your log server with a dedicated outside IP address.

static (users,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 - this is not correct

static (users,outside) outside_ip_address log_server_ip netmask 255.255.255.255 - this is how it should be
 
omar07 (Author) commented:
I tried the following config in the ASA.
access-list syslog-messages extended permit ip host 209.165.135.1 any (the IP of the router)
access-group syslog-messages in int outside

static (users,outside) 209.165.135.1 192.168.220.1 netmask 255.255.255.255

Still not working; I can't even ping from the router to the syslog server.
 
Chris Dent (PowerShell Developer) commented:
For this to work you need:

1. An inbound NAT / PAT rule from interface outside to users. For example:

static (users,outside) udp 1.2.3.1 514 192.168.220.1 514 netmask 255.255.255.255

Or:

static (users,outside) 1.2.3.1 192.168.220.1 netmask 255.255.255.255

Where 1.2.3.1 is an IP you can present on your firewall (or the interface IP). Alternatively, you can present this on the interface IP as follows:

static (users,outside) udp interface 514 192.168.220.1 514 netmask 255.255.255.255

2. An access rule applying to inbound traffic on the outside interface:

access-list acl_outside_in permit udp host 2.3.4.2 host 1.2.3.1 eq 514
access-group acl_outside_in in interface outside

Where 2.3.4.2 is the router IP and 1.2.3.1 is the address you're using in the NAT rule to present syslog on the outside interface. Obviously you can make the ACL name whatever you please.

Logging should show you hits on the rule if it's actually getting that far.

Chris
 
omar07 (Author) commented:
Hello,
I tried the following:
static (users,outside) interface syslog_server netmask 255.255.255.255
 access-list acl_outside_in extended permit ip host router_ip host syslog_server
 access-list acl_outside_in extended permit ip any any
 access-group acl_outside_in in interface outside
I still can't ping from the router to the syslog server.
I'd like to note that I'm configuring global outside and inside NAT for the internet connection.

Thanks
 
Chris Dent (PowerShell Developer) commented:
This rule won't work if "syslog_server" is the private IP:

 access-list acl_outside_in extended permit ip host router_ip host syslog_server

Cisco firewalls process access lists first, then perform NAT.

However, this one should be catching:

 access-list acl_outside_in extended permit ip any any

So, are you getting any hits on that rule (show access-list acl_outside_in)? Have you got any log entries to do with the inbound traffic (show log)?

I forget if it applies, but we may as well consider it. What security levels have you applied to each of the interfaces this is to traverse?

Chris
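As an added illustration (not code from the thread or from Cisco), here is a small Python model of the order of operations Chris describes for a flow entering on outside with the old static-style syntax: the interface ACL is evaluated against the mapped (outside-facing) destination, and only then does the static entry untranslate it to the users address. The addresses 2.3.4.2, 1.2.3.1 and 192.168.220.1 are the thread's placeholders, "interface" is modelled as the outside address, and the Ace/Static representations are my own simplification.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Ace:                       # one ACE: src/dst are 'any' or a host; dport is 'eq N' or None
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Static:                    # static (users,outside) [udp] mapped [mport] real [rport]
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None  # None = 1:1 static, 'udp' = port-based PAT
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

def ace_matches(ace, proto, src, dst, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return ace.src in ("any", src) and ace.dst in ("any", dst)

def inbound_decision(acl, statics, proto, src, dst, dport):
    """Flow from the router arriving on outside; dst is the address it was sent to.
    Returns (verdict, real_ip, real_port)."""
    # Step 1: the outside ACL is evaluated on the mapped (outside-facing) destination.
    if not any(ace_matches(a, proto, src, dst, dport) for a in acl):
        return ("denied: no ACE matched", None, None)
    # Step 2: the static table untranslates the mapped destination to the users side.
    for s in statics:
        if s.mapped_ip != dst:
            continue
        if s.proto is None:                              # 1:1 static NAT
            return ("permitted", s.real_ip, dport)
        if s.proto == proto and s.mapped_port == dport:  # port-based PAT
            return ("permitted", s.real_ip, s.real_port)
    return ("denied: no translation for mapped destination", None, None)

ROUTER, OUTSIDE_IP, SYSLOG = "2.3.4.2", "1.2.3.1", "192.168.220.1"  # thread's placeholder addresses
def chris_config():           # 1:1 static plus an ACE written against the mapped address
    return inbound_decision([Ace("udp", ROUTER, OUTSIDE_IP, 514)], [Static(OUTSIDE_IP, SYSLOG)],
                            "udp", ROUTER, OUTSIDE_IP, 514)
def private_ip_in_acl():      # an ACE naming the private syslog address never matches on outside
    return inbound_decision([Ace("ip", ROUTER, SYSLOG)], [Static(OUTSIDE_IP, SYSLOG)],
                            "udp", ROUTER, OUTSIDE_IP, 514)
def pat_on_interface(dport):  # 'static ... udp interface 514 <server> 514': only UDP/514 translates
    return inbound_decision([Ace("ip", "any", "any")], [Static(OUTSIDE_IP, SYSLOG, "udp", 514, 514)],
                            "udp", ROUTER, OUTSIDE_IP, dport)
```

The second case is why the ACE with the private syslog address never shows a hit count, while the port-based case shows that anything other than UDP/514 is dropped for lack of a translation even though the ACL permits it.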
 
omar07 (Author) commented:
Hello,
The syslog server is a private IP address, and the outside interface of the firewall is 0 and the users interface is 90. I configured the following in the firewall:

static (users,outside) interface syslog-server netmask 255.255.255.255
access-list acl_outside_in extended permit ip any any
access-group acl_outside_in in interface outside

and I did not get any hit count on the access-list rule when I ping the syslog-server; however, I can ping the outside interface of the firewall.
 
Chris Dent (PowerShell Developer) commented:
You'll never be able to ping the syslog server IP from outside; I only say this because you're differentiating that from pinging the firewall IP. I've attached a little diagram to attempt to help.

I think PAT might be significantly easier to debug here than NAT considering we're sharing the interface IP. Can you set it up to translate TCP/99 (arbitrary choice on my part) to TCP/22 (SSH):

static (users,outside) tcp interface 99 syslog-server 22 netmask 255.255.255.255

Using 99 here frees us from potential conflicts with the firewall, it may be listening for SSH connections depending on your configuration.

Then from outside (the router if possible) telnet to the public IP (of your ASA) on port 99 and see if you get a connection.

Once you've done that, review the access-list hit counter, and see if you're getting anything in the NAT table (show xlate). Logs may show you traffic being dropped, so you should review those when you can.

Finally, I made the assumption that you have something listening on TCP/22 on the syslog server. Ultimately it doesn't particularly matter whether you do or not, as long as we're able to see the flow being permitted by the firewall.

Chris
NAT.png
 
omar07 (Author) commented:
Hello,
Now I'm able to get hits on the access-list rule, but first I had to add a route in the router to the log server, something like ip route syslog-server firewall-interface 1. After that I started to get hit counts on the access-list: access-list acl_outside_in extended permit udp host router-ip host syslog-server eq syslog log
 
Chris Dent (PowerShell Developer) commented:
Excellent, that is good news. It looks like you're not using the NAT rule in that case, but that's fine. You might consider killing the inbound NAT rule if you're routing in like that.

Chris
 
omar07 (Author) commented:
I'm still getting this error; or shall I post a new question, since I already closed this case?

Feb 03 2013 14:10:43: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:router-ip/64661 dst users:log-server/514 denied due to NAT reverse path failure
 
Chris Dent (PowerShell Developer) commented:
If you've set up routing from the router to 192.168.1.220 you can kill off the inbound NAT rule as you're not using it. That should get rid of the error message above as well.

Chris