Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Best way to see remote users' internal IPs?

Unanswered Question

We need to see the internal IPs of our remote access users. Currently, our VPN Concentrator 3000 gives out addresses from an address pool. Groups are not configured to give addresses. (We use an RSA server for authentication, and all remote users employ RSA tokens). Is using the address pool the easiest way to manage the addresses? We've had no problems with it, except that I can't get those addresses to report to the syslog, where we can track them paired up with a user name. Does anyone know how? And is this the best way to issue internal IP addresses so they can report to syslog?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
bwalchez Wed, 09/17/2003 - 06:37
User Badges:

Well you cannot configure the VPN concentrator as an DHCP server, else that might have solved your problem.

Success! I've worked it out with your suggestion to turn up logging to 1-5. By a process of elimination, I figured that IKE is the event that is needed to capture the assigned address, and that's all it took. You wouldn't think IKE would be the one, but it is. I can't see that it should matter which pool of addresses it pulls from - whether setup globally, or by group; but that could be possible. We're using 'by group' now, and we can see the 'Assigned Address'.

Just for clarity on this issue, what I've been looking for is one of the two addresses that can be seen in the Monitoring>Sessions screen in the column with "Assigned/Public IP Addresses". It's the 'Assigned' one I'm after, so that I can track usage on our internal systems. This address is almost always a private address these days.

Since we're also getting the Public address of the remote user as assigned by his ISP, I don't think that NAT is interfering in this case - our DMZ topology avoids it. But I can certainly see how it could.


This Discussion