SNMP trapping/syslog on border routers

Discussion in 'Cisco' started by CPJ, Jul 16, 2003.

  1. CPJ

    CPJ Guest

    Hello,
    I am looking for options to manage two Cisco Catalyst 2924 switches, a
    Cisco 3620 router, and several workstations on the outside of a PIX
    firewall. We would like to log messages and traps from these hosts to
    a management station on the inside of the PIX. We cannot open SNMP
    and syslog communications on the PIX due to security concerns.

    I am looking for ways to securely manage and trap SNMP and syslog
    messages on the internal management station. I see the following
    options (without opening ports on the firewall):

    1. Install a management station on the public segment on the outside
    of the PIX and periodically download log information to an internal
    log server FROM that internal log server.

    2. Open ports for SNMP and syslog on the firewall (least desirable
    option).

    3. Use the FW feature set on the border router and configure a tunnel
    between it and the PIX. Use a private address on a loopback interface
    on that router to send all management traffic through the tunnel.
    Furthermore, use VLAN tagging on that loopback interface to make it a
    member of the management VLAN internally. I guess my question here
    is, does the PIX support VLAN tagging on IPSEC tunnel addresses?

    Anyone who has configured a similar situation, please let me know how
    you have accomplished this.

    Thanks,
    Chris
    CPJ, Jul 16, 2003
    #1

  2. In article <>,
    CPJ <> wrote:
    :I am looking for ways to securely manage and trap SNMP and syslog
    :messages on the internal management station. I see the following
    :options (without opening ports on the firewall):

    :3. Use the FW feature set on the border router and configure a tunnel
    :between it and the PIX.

    Yes, that could work.

    : Use a private address on a loopback interface
    :on that router to send all management traffic from through the tunnel.

    Yes, you can select syslog source interface in IOS these days.

    : Furthermore, use VLAN tagging on that loopback interface to make it a
    :member of the management VLAN internally.

    I'm not sure. That -might- work; I've never thought about that before.

    : I guess my question here
    :is, does the PIX support VLAN tagging on IPSEC tunnel addresses?

    Hmmm, yes, in a way it does. If you have a PIX 515, 515E, 525, or 535,
    and you have PIX 6.3(1) software, then you could configure a virtual
    interface on the outside physical interface, and you could in theory
    terminate the tunnel at that virtual interface. All traffic going
    out of the virtual interface will be tagged, even if it's IPSec traffic.
    --
    Strange but true: there are entire WWW pages devoted to listing
    programs designed to obfuscate HTML.
    Walter Roberson, Jul 16, 2003
    #2
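    Option 3 from the original post, with the syslog/SNMP source-interface commands Walter mentions, sketched as an IOS configuration for the 3620 side. This is an added example, not configuration from either poster; all addresses, names, the pre-shared key and the interface names are constructed placeholders, and the matching PIX-side crypto configuration is not shown.

```cisco
! Added example (not from the thread): IOS-side outline of option 3 on the
! 3620 border router. Addresses, ACL/map names, the peer and the key are
! constructed placeholders.
!
! Private loopback that all management traffic is sourced from
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Source syslog and SNMP traps from the loopback so the packets match the
! crypto ACL below and are carried inside the tunnel to the inside station
logging host 10.10.10.50
logging trap informational
logging source-interface Loopback0
snmp-server host 10.10.10.50 traps MGMT-COMMUNITY
snmp-server trap-source Loopback0
! Polling (if any) is limited to the management station by access-list 10
snmp-server community MGMT-COMMUNITY RO 10
access-list 10 permit 10.10.10.50
!
! Interesting traffic: loopback <-> internal management subnet only, so
! nothing else on the outside segment can ride the tunnel
ip access-list extended MGMT-TUNNEL
 permit ip host 10.255.0.1 10.10.10.0 0.0.0.255
!
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.1
crypto ipsec transform-set MGMT-TS esp-3des esp-sha-hmac
crypto map MGMT-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set MGMT-TS
 match address MGMT-TUNNEL
!
! Apply the map on the router interface facing the PIX outside interface
interface FastEthernet0/0
 crypto map MGMT-MAP
```

    The PIX must have a mirror-image crypto ACL (10.10.10.0/24 to host 10.255.0.1) and the inside station should only accept syslog/traps arriving from 10.255.0.1, so an unencrypted packet from the outside segment spoofing that source would be dropped by the PIX rather than reaching the station.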