Syslog and Port Redirects

SOLVED
GaryJ

Hi,

We have a few port redirects and it doesn't seem to log the flows on the Syslog server. The device has just been switched from Bridge mode to Routed mode and the logging doesn't seem to be as informative.

In bridge mode it would log port forwards from our previous firewall as flows, but now there is no logging. Should it be logging flows?

Also the outbound rules are no longer logging in the syslog as deny, where none of these have changed?

Thanks

Gary

1 ACCEPTED SOLUTION
BrechtSchamp

I assume you've set up the port forwarding on the MX too now (which will be necessary if you've switched it to router mode).

Port forwards are logged for me. It looks like this:

1 1579706966.680145555 MX1 ip_flow_start src=95.x.x.x dst=192.168.x.254 protocol=tcp sport=x dport=x translated_dst_ip=10.x.x.x translated_port=x

95.x.x.x is the public IP of the device on the outside requesting to communicate with my internal resource.

192.168.x.254 is the WAN IP of the MX performing the port forwarding.

10.x.x.x is the internal IP of the device to which the traffic is forwarded.

My MX is in router mode.

Hi,

Thank you for your reply. Yes, all the same port forwarding rules have been set up again (as it cleared those but kept the outgoing rules when I switched it over). I didn't notice, but in your example where yours shows "MX1", ours only shows our WiFi AP names; there are none for the MX at all since I switched it over. Looking back I can see it used to log the MX flows.

I've tried factory defaulting it this morning and getting the settings pushed down to it again. I've tried removing and re-adding the syslog server, which is receiving but only "WiFi" flows, urls, events. On the syslog settings it is currently set to send out "Flows, URLs, Security Events, Appliance event log, Switch event log, Air Marshal events and Wireless event log". On the Firewall settings Inbound firewall logging is enabled and all of our 23 outbound rules have logging enabled.

I can't find any other logging options that might need turning on. We are currently on MX14.45.

Thanks

Gary

BrechtSchamp

Hmm okay. I'm on MX 15.23. The APs that you're seeing logs from, are they in the same network as your MX? If not, it's possible that you just have the wrong IP configured in the general settings of the network.

Yes, the APs are all in the same network and organisation as the MX. Same subnet, no fancy VLANs or routing. They are also literally plugged into the MX, same as the Syslog server.

I haven't been brave enough to put the "beta" firmwares on, I did notice there is an updated Stable release candidate so will try updating it to 14.50 tonight.

Gary

I've managed to fix the issue. It wasn't with the MX, it was with the Syslog server. There was a setting to specify source and the MX's IP address had changed from when it was in bridge mode to now be our gateway device.

Many frustrating hours later. It was quite interesting as I'd never noticed that it shows the device name, normally there are that many MX records you never see the WiFi ones. At least some good has come out of this little challenge.

Gary
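
Added example, not part of the thread and not Meraki code: a short Python check over stored syslog lines in the layout quoted above (version, epoch timestamp, device name, event type, key=value pairs) that reports which expected device names never appear and lists the port-forward translations that were logged. The sample lines, the AP names and all IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the line quoted in the thread:
#   <version> <epoch.nanos> <device name> <event type> key=value ...
LINE_RE = re.compile(r"^(\d+) (\d+\.\d+) (\S+) (\S+)(?: (.*))?$")

# Constructed sample lines (documentation IP ranges, made-up AP names).
SAMPLE = [
    "1 1579706966.680145555 MX1 ip_flow_start src=203.0.113.7 dst=192.0.2.254 "
    "protocol=tcp sport=51514 dport=8443 translated_dst_ip=10.0.0.20 translated_port=443",
    "1 1579706970.112000000 AP-Office ip_flow_start src=10.0.0.51 dst=198.51.100.9 "
    "protocol=tcp sport=40000 dport=443",
    "1 1579706971.500000000 AP-Lobby ip_flow_start src=10.0.0.52 dst=198.51.100.9 "
    "protocol=udp sport=40001 dport=53",
]

def parse_line(line):
    """Return a dict for one syslog line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _version, ts, device, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return {"ts": ts, "device": device, "event": event, "fields": fields}

def silent_devices(lines, expected):
    """Return (expected names with no log lines, per-device line counts)."""
    seen = Counter(r["device"] for r in map(parse_line, lines) if r)
    return sorted(set(expected) - set(seen)), seen

def port_forwards(lines):
    """Return (src, dst:dport, translated_ip:translated_port) for translated flows."""
    out = []
    for r in map(parse_line, lines):
        if r and r["event"] == "ip_flow_start" and "translated_dst_ip" in r["fields"]:
            f = r["fields"]
            out.append((f["src"], f"{f['dst']}:{f['dport']}",
                        f"{f['translated_dst_ip']}:{f['translated_port']}"))
    return out

if __name__ == "__main__":
    # Simulate the symptom in the thread: only the AP lines reach the log file.
    missing, counts = silent_devices(SAMPLE[1:], ["MX1", "AP-Office", "AP-Lobby"])
    print("devices with no log lines:", missing, "| seen:", dict(counts))
    print("port forwards logged:", port_forwards(SAMPLE))
```

A device that is absent from the log while others on the same network still appear points at the collector side (for example a source-address filter that no longer matches the sender) as much as at the sender itself.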
