Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

accounting on the PIX

Hello everyone.

I have a question about accounting on the PIX.

I understand that it old device, however we one. I want to logging any command which was executed during ssh session through accounting feature.

aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Auth

But it logged only amount of traffic pass-thru, not the activities. (Actually it perfectly work on other devices such as modern catalysts)

I have founded the question on this forums but at May 11, 2003 (https://supportforums.cisco.com/message/855167#855167)

They said that this feature does work on PIX.

We use last version IOS PIX Version 8.0(4) (11-AUG-2008)

May be someting has changed since 2003

I need exactly does this feature exist on the PIX or not?

Please, help me find out.

Best Regards,

Denis

2 REPLIES

Re: accounting on the PIX

Hi Denis,

you can try one thing, i guess it should work because according to the document:-

Configuring Command Accounting

You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI. If you customize the command privilege level using the privilege command (see the "Assigning Privilege Levels to Commands and Enabling Authorization" section),  you can limit which commands the security appliance accounts for by  specifying a minimum privilege level. The security appliance does not  account for commands that are below the minimum privilege level.

To enable command accounting, enter the following command:

hostname(config)# aaa accounting command [privilege level] server-tag

Where level is the minimum privilege level and server-tag is the name of the TACACS+ server group that to which the security  appliance should send command accounting messages. The TACACS+ server  group configuration must already exist. For information about  configuring a AAA server group, see the "Identifying AAA Server Groups and Servers" section on page 13-12.

As far as i know the AAA accounting available on PIX 7.x for Managing System Access is Command Accounting.
Please refer following link to configure Command accounting on the device for Administrative access, such as telnet, ssh etc. Here's a sample configuration for PIX 7.2:-

aaa accounting http console mytacgroup
aaa accounting serial console mytacgroup
aaa accounting telnet console mytacgroup
aaa accounting ssh console mytacgroup
aaa accounting enable console mytacgroup
aaa accounting command mytacgroup

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1059882

thanks,

Vinay

Thanks & Regards
Cisco Employee

Re: accounting on the PIX

Hi Denis,

It seems that you are looking to do command accounting for ssh sessions passing through the firewall. If that is the case then accounting information will only include when sessions  start and stop, username, the number of bytes that pass through the  security appliance for the session, the service used, and the duration  of each session.Unfortunately, for such sessions you will not be able to do command accounting.

Please refer to the link given below for more info:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535516

However, it is possible to know the commands (besides show commands) executed by a user logging directly into the firewall by configuring command accounting using the following command:

aaa accounting command

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535253

Hope it helps.

Thanks,

Amitashwa

243
Views
0
Helpful
2
Replies