Task 4: Configuring Logging
To help protect your network configuration, it is important to log events that are happening
on the network. This log information provides valuable insight into what is happening on
the network, especially when the network is being attacked or probed. The following steps
outline the commands necessary to enable logging at the three locations:
Step 1 Enable logging on HQ-PIX to the logging server:
logging on
logging trap informational
logging host DMZ 172.16.31.7
Step 2 Enable logging on HOU-PIX:
logging on
logging trap informational
logging host outside 172.16.31.7
Example 20-4 Access List on the HQ PIX
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
access-list acl-out permit udp any host 192.168.1.8 eq 514
access-group acl-out in interface outside
Example 20-5 TACACS+ Configuration
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
Task 5: Configuring a VPN Between HQ and Remote Sites 633
Step 3 Enable logging on MN-PIX:
logging on
logging trap informational
logging host outside 172.16.31.7
NOTE Sending logging information from Houston and Minneapolis to the actual logging
server IP address (172.16.31.7) keeps the logging traffic from traversing the Internet in
the clear: it is sent through the VPN tunnel, where it cannot be observed on the Internet.
The trade-off is that the real IP address (172.16.31.7) is reachable only while the VPN
tunnel is active.
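The three PIX units forward only messages at the configured trap level or more severe (informational is level 6, so debugging-level messages are dropped on the firewall). The following added example, which is not code from the book, parses the %PIX-severity-msgid header the firewalls send and applies the same trap-level filter on the collector side; the sample lines are constructed, not captured from a real device.

```python
import re
from collections import Counter

# PIX syslog severity names, from emergencies (0) to debugging (7)
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Message header as the PIX sends it: %PIX-<severity>-<message id>: <text>
PIX_MSG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

def parse_pix_syslog(line):
    """Return (severity, message id, text), or None if the line is not a PIX message."""
    m = PIX_MSG.search(line)
    if m is None:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def accepted_by_trap(line, trap_level="informational"):
    """True if a PIX configured with 'logging trap <level>' would forward this message."""
    parsed = parse_pix_syslog(line)
    return parsed is not None and parsed[0] <= SEVERITY[trap_level]

def count_by_id(lines, trap_level="informational"):
    """Count message IDs among the lines the trap level would forward to the server."""
    counts = Counter()
    for line in lines:
        if accepted_by_trap(line, trap_level):
            counts[parse_pix_syslog(line)[1]] += 1
    return counts

# Constructed sample lines in the PIX syslog format (hostnames and text are illustrative)
SAMPLE_LINES = [
    "<166>Jun 10 12:00:01 HQ-PIX %PIX-6-302013: Built inbound TCP connection ...",
    "<164>Jun 10 12:00:02 HOU-PIX %PIX-4-106023: Deny tcp src outside:... by access-group \"acl-out\"",
    "<167>Jun 10 12:00:03 MN-PIX %PIX-7-111009: User 'enable_15' executed cmd: show logging",
    "Jun 10 12:00:04 host1 sshd[123]: Accepted password for admin",  # not a PIX message
]

if __name__ == "__main__":
    print(count_by_id(SAMPLE_LINES))  # the level-7 and non-PIX lines are excluded
```

Running count_by_id with trap_level="debugging" shows how much extra volume the level-7 messages would add before raising the trap level on a firewall.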