  1. #1
    Untanglit
    Join Date
    Nov 2009
    Posts
    24

    Default Make internal syslog server visible to cisco router?

    Hi Everyone,

    I have a Cisco 1801 IOS router feeding my Untangle box. On the internal network is a UDP (port 514) Kiwi Syslog daemon.
    I'd like the Router to be able to send logging information to the Kiwi box, but obviously the internal network is not visible to it.

    Setup

    Cisco 1801: PPPoA ADSL link NAT'd to 192.168.1.2 (router IP 192.168.1.1).

    Untangle: Outside IP static at 192.168.1.2, inside IP 192.168.158.88

    Syslog Server: On inside network at IP 192.168.158.100


    My network-fu is not the greatest, would a static route work or would I simply end up bypassing the firewall?

  2. #2
    Untangle Ninja dwasserman
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,371

    Default

    In router mode you need to create bypass rules in the firewall app, or ACL in Cisco language :-)

  3. #3
    Untanglit
    Join Date
    Nov 2009
    Posts
    24

    Default

    Thanks for the reply. Unfortunately, making an Untangle firewall rule to pass all traffic on any port to any port from 192.168.1.1 (router) to 192.168.158.100 (Syslog Server) does not work. The router is unable to ping 192.168.158.100.

    By ACL, did you mean using the Cisco to route port 514 traffic to one of the FEX ports and then joining that to my internal switches to bypass the Untangle box completely?

    Edit:

    To avoid confusion; I'm using the Cisco 1801 router as purely a modem. There is an ACL that passes ALL traffic through to the Untangle box, really it's only a NAT modem in this config rather than a router.
    Last edited by Jon_Starr; 11-26-2009 at 03:01 AM.

  4. #4
    Untangle Ninja dwasserman
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,371

    Default

    What is the configuration of the inside port of the Cisco?
    ip:192.168.1.1
    mask:255.255.255.0
    default gateway?
    or maybe you need to put a static route: route 192.168.158.0 mask 255.255.255.0 192.168.1.2

  5. #5
    Untanglit
    Join Date
    Nov 2009
    Posts
    24

    Default

    It's probably easier if I post the Cisco config (some sensitive stuff redacted):

    Code:
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname <REMOVED>
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 <REMOVED>
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    no ip source-route
    !
    !
    ip cef
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name <REMOVED>
    ip name-server 208.67.220.220
    ip name-server 208.67.222.222
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto pki trustpoint TP-self-signed-2157131881
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2157131881
     revocation-check none
     rsakeypair TP-self-signed-2157131881
    !
    !
    crypto pki certificate chain TP-self-signed-2157131881
     certificate self-signed 01 nvram:IOS-Self-Sig#3101.cer
    username administrator privilege 15 secret 5 <REMOVED>
    !
    !
    !
    !
    !
    !
    interface FastEthernet0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl operating-mode auto
    !
    interface Vlan1
     no ip address
    !
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     ppp chap hostname <REMOVED>-dsl@fast
     ppp chap password 7 <REMOVED>
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static 192.168.1.2 78.143.213.<REMOVED>
    !
    access-list 10 remark *** VTY ACCESS LIST ***
    access-list 10 permit 192.168.1.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     privilege level 15
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     access-class 10 in
     privilege level 15
     transport input telnet ssh
    line vty 5 15
     access-class 10 in
     privilege level 15
     transport input telnet ssh
    !
    !
    webvpn context Default_context
     ssl authenticate verify all
     !
     no inservice
    !
    end
    Dialer0 is the DSL interface and FastEthernet0 is the port on the Cisco that connects to the Untangle box. FastEthernet0 has an IP of 192.168.1.1 and the port on Untangle that it connects to has a static IP of 192.168.1.2.

    I'm reading the Cisco guide to see how to stuff a static route in it now.

    Edit:

    I used 'ip route 192.168.158.0 255.255.255.0 192.168.1.2' to forward packets for the 192.168.158.x network to the Untangle box.

    I can now successfully ping 192.168.158.88 which is the inside interface of the Untangle box.
    However, I can't ping anything deeper inside the network.

    Any ideas?
    Last edited by Jon_Starr; 11-26-2009 at 05:49 AM.
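    Added example (not from the thread or from Cisco/Untangle): a small Python check that parses `ip route` and interface `ip address` lines from a constructed excerpt modelled on the config above, does a longest-prefix lookup for the syslog host, and confirms the chosen next hop is the Untangle WAN address on a directly connected subnet. It shows why, without the static route, syslog packets for 192.168.158.100 would follow the default route out Dialer0; it says nothing about what Untangle does with the packet once it arrives.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (not the poster's full config).
CONFIG_BEFORE = """\
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
"""
# Same excerpt after the static route from the edit above has been added.
CONFIG_AFTER = CONFIG_BEFORE + "ip route 192.168.158.0 255.255.255.0 192.168.1.2\n"

ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)", re.M)
IFACE_RE = re.compile(r"^\s*ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", re.M)

def parse_routes(config):
    """Return [(network, next_hop_or_interface)] for every 'ip route' line."""
    return [(ipaddress.ip_network(f"{dest}/{mask}", strict=False), hop)
            for dest, mask, hop in ROUTE_RE.findall(config)]

def connected_networks(config):
    """Subnets directly attached to interfaces with a fixed 'ip address A M'."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in IFACE_RE.findall(config)]

def lookup(config, host):
    """Longest-prefix match: (prefix, next hop) the router would use for host, or None."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, hop in parse_routes(config):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else (str(best[0]), best[1])

def syslog_path_ok(config, syslog_host, untangle_wan_ip):
    """True only if syslog traffic goes to the Untangle WAN address via a connected subnet."""
    hit = lookup(config, syslog_host)
    if hit is None or hit[1] != untangle_wan_ip:
        return False
    hop = ipaddress.ip_address(untangle_wan_ip)
    return any(hop in net for net in connected_networks(config))

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, lookup(cfg, "192.168.158.100"),
              syslog_path_ok(cfg, "192.168.158.100", "192.168.1.2"))
```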

  6. #6
    Untanglit
    Join Date
    Nov 2009
    Posts
    24

    Default

    Bump. Nobody has any ideas?

    In summary I have a Cisco router in front of my Unfuddle box (acting as a NAT modem) that I want to be able to talk to my internal network (so it can send its logs to a Syslog server).

    I have added a static route to the router that sends all traffic destined for the internal network to the Unfuddle outside interface.

    The router can now see the Unfuddle inside interface but no further into the internal network.

    I'm not sure why the traffic isn't being routed any further, can anyone help?
