通过 VPN 隧道的 Cisco ASA 系统日志

通过 VPN 隧道的 Cisco ASA 系统日志

我正在努力让我的 Cisco 设备将系统日志数据发送到 VPN 隧道后面运行的远程服务器。远程端的系统日志 IP 为 10.1.1.161。10.23.2.0 是本地子网。从 10.1.1.160 进行的 SNMP 轮询似乎有效,但我无法从 10.23.2.0 -> 10.1.1.161 获取数据。以下是我的配置,我很可能做错了什么。

谢谢你的时间。

: Saved
:
ASA Version 8.4(3)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.23.2.1 255.255.255.0
!
interface Vlan2
 description WAN
 nameif outside
 security-level 0
 ip address 94.198.190.90 255.255.255.252
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name avanta.co.uk
object network obj-10.23.2.0
 subnet 10.23.2.0 255.255.255.0
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object network obj-10.47.2.0
 subnet 10.47.2.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list crypto extended permit ip 10.23.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list crypto extended permit ip 10.23.2.0 255.255.255.0 10.47.2.0 255.255.255.0
access-list NAT0 extended permit ip 10.23.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NAT0 extended permit ip 10.23.2.0 255.255.255.0 10.47.2.0 255.255.255.0
access-list from_outside extended permit icmp any any echo
access-list 101 extended permit ip 10.23.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit udp host 94.198.190.90 host 10.1.1.161 eq syslog
access-list 101 extended permit udp host 94.198.190.90 host 10.1.1.2 eq 5999
pager lines 24
logging enable
logging buffer-size 16096
logging buffered warnings
logging history notifications
logging asdm warnings
logging host outside 10.1.1.161
logging host outside 10.1.1.2 17/5999
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-10.23.2.0 obj-10.23.2.0 destination static obj-10.1.1.0 obj-10.1.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.23.2.0 obj-10.23.2.0 destination static obj-10.1.1.0 obj-10.1.1.0 no-proxy-arp
nat (inside,any) source static obj-10.23.2.0 obj-10.23.2.0 destination static obj-10.47.2.0 obj-10.47.2.0 no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 94.198.190.89 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.23.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 10.1.1.160 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
crypto ipsec ikev1 transform-set DES-MD5 esp-des esp-md5-hmac
crypto map AVA_tunnel 10 match address crypto
crypto map AVA_tunnel 10 set peer 88.211.50.154
crypto map AVA_tunnel 10 set ikev1 transform-set DES-MD5
crypto map AVA_tunnel interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.23.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 88.211.50.154 type ipsec-l2l
tunnel-group 88.211.50.154 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
!
policy-map global_policy
 class class-default
  inspect icmp
!

答案1

我发现一个常见的错误是不包含“日志陷阱”配置命令。

无论是否通过 VPN 执行日志记录,我们都可以将此内容记录到客户 ASA 上的系统日志服务器中:

logging enable
logging buffer-size 102400
logging buffered notifications
logging trap notifications
logging asdm notifications
logging host inside <IP of syslog server>
management-access inside

答案2

您的设备正在尝试将系统日志流量发送到外部接口,而这不会被 VPN 隧道的策略捕获。

改用logging host inside 10.1.1.161

答案3

如上所述,您需要指定日志记录的源接口

日志记录源接口(接口例如 vlan 1)

相关内容