ASA FAQ: How can I specify the ASA source interface for syslogs sent over a VPN tunneI?

Available Languages

Download Options

  • PDF     (77.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (121.8 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (103.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 18, 2020
Document ID:116171

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure the Cisco Adaptive Security Appliance (ASA) in order to send syslogs over a LAN-to-LAN VPN tunnel and source those syslogs from the inside interface IP address.

    How can I specify the ASA source interface for syslogs sent over a VPN tunnel?

    In order to specify the interface from which to source the syslog traffic sent over the tunnel, enter the management-access command.

    If your system has this topology and configuration, enter the commands that follow.

    ASA# show run logging
logging enable
logging timestamp
logging trap debugging
logging host outside 198.51.100.123

    This configuration attempts to source the syslog traffic from the ASA's outside IP address. This requires that the outside IP address be added to the crypto access-list in order to encrypt the traffic over the tunnel. This configuration change might not be optimal, especially if traffic sourced from the inside interface IP address destined to the syslog server subnet is already set to be encypted by the crypto access-list.

    The ASA can be configured to source the syslog traffic destined to the server to be sent over the VPN tunnel from the interface specified with the management-access command. 

    In order to implement this configuration for this specific example, first remove the current logging host configuration:

    no logging host outside 198.51.100.123

    Reinsert the logging server with the inside interface specified, and the management-access command:

    logging host inside 198.51.100.123
management-access inside
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products