AnyConnect VPN Client FAQ

ashleybabajee
Level 1

Hi,

I want to know/monitor what the users did or accessed once they have logged in via VPN using Cisco ASA.

Want to get the login/logout, duration, what they accessed, for ex. RDP or any services.

 

Please advise.

 

regards

6 Replies

Marvin Rhoads
Hall of Fame

SSL VPN login and logout creates a syslog entry. You can parse those in an external syslog tool to get the first bits you are asking about.

 

Exactly what was accessed requires analysis of the individual TCP connections or UDP flows. While you can do it with ASA informational syslogs (level 6), they are all mixed in with every other flow through the firewall and it can be difficult to separate the VPN users from everything else the ASA generates.

Thanks Marvin,

 

Is there any third party hardware/software capable of doing that?

We need to know what our administrators are doing when connected through VPN, like for ex. to which IP address they are connected and which protocol like SSH, RDP or others.

 

Kindly advise.

 

You can extract the information in one of two ways:

1. syslog level 6 messages as noted earlier. Those would go to a 3rd party syslog tool like Splunk, Kiwi syslog analyzer etc.

2. Netflow records to a netflow analyzer like Cisco Stealthwatch or 3rd party tool like Solarwinds Netflow Traffic Analyzer.

Generally speaking, the more you pay for those external tools the more capability they will have for parsing and visualizing the information. At the high end they can become quite expensive (US$10,000 to over $100,000). Basic syslog is free but you will just have a flat text file of what address connected to which other address using what TCP or UDP port. It is then up to you to make sense of that.
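An added example, not part of the original thread or any poster's own code: one way to make sense of that flat syslog file is to map each AnyConnect-assigned address to its user and keep only the connections that start from it. It assumes the usual layouts of ASA messages 722051 (address assigned), 302013/302015 (Built TCP/UDP connection) and 113019 (session disconnected), which should be checked against your own ASA's output; the log lines, the `correlate` function and the port-to-service table are constructed for illustration.

```python
import re

# Constructed sample lines; names and addresses mirror the session output in this thread.
SAMPLE_LOG = """\
Sep 17 09:03:53 asa1 %ASA-4-722051: Group <GP-VPN> User <admin> IP <162.1.1.1> IPv4 Address <172.1.1.1> IPv6 address <::> assigned to session
Sep 17 09:05:10 asa1 %ASA-6-302013: Built inbound TCP connection 1001 for outside:172.1.1.1/51512 (172.1.1.1/51512) to inside:10.0.0.5/3389 (10.0.0.5/3389)
Sep 17 09:05:11 asa1 %ASA-6-302013: Built outbound TCP connection 1002 for outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.0.0.9/40000 (10.0.0.9/40000)
Sep 17 09:07:42 asa1 %ASA-6-302013: Built inbound TCP connection 1003 for outside:172.1.1.1/51600 (172.1.1.1/51600) to inside:10.0.0.7/22 (10.0.0.7/22)
Sep 17 10:00:00 asa1 %ASA-4-113019: Group = GP-VPN, Username = admin, IP = 162.1.1.1, Session disconnected. Session Type: SSL, Duration: 0h:56m:07s, Bytes xmt: 1000, Bytes rcv: 2000, Reason: User Requested
Sep 17 10:01:00 asa1 %ASA-6-302013: Built inbound TCP connection 1004 for outside:172.1.1.1/51700 (172.1.1.1/51700) to inside:10.0.0.5/3389 (10.0.0.5/3389)
"""

ASSIGN = re.compile(r"%ASA-\d-722051: Group <[^>]*> User <(?P<user>[^>]*)> "
                    r"IP <[^>]*> IPv4 Address <(?P<vip>[^>]*)>")
BUILT = re.compile(r"%ASA-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
                   r"connection \d+ for [^:\s]+:(?P<a>[\d.]+)/(?P<ap>\d+) .*? "
                   r"to [^:\s]+:(?P<b>[\d.]+)/(?P<bp>\d+)")
DISC = re.compile(r"%ASA-\d-113019: Group = [^,]*, Username = (?P<user>[^,]*), .*?"
                  r"Duration: (?P<dur>[^,]*),")
SERVICES = {22: "SSH", 3389: "RDP", 443: "HTTPS"}  # illustrative port labels only

def correlate(lines):
    """Return {username: {"flows": [...], "duration": str or None}}."""
    active = {}   # assigned VPN address -> username, only while the session is up
    report = {}
    for line in lines:
        ts = line[:15]  # classic syslog timestamp, e.g. "Sep 17 09:05:10"
        if m := ASSIGN.search(line):
            active[m["vip"]] = m["user"]
            report.setdefault(m["user"], {"flows": [], "duration": None})
        elif m := BUILT.search(line):
            # Assumed layout: inbound lists the initiator first, outbound lists it second.
            src, dst, dport = ((m["a"], m["b"], m["bp"]) if m["dir"] == "inbound"
                               else (m["b"], m["a"], m["ap"]))
            user = active.get(src)
            if user:  # skip flows that do not start from a live VPN address
                port = int(dport)
                report[user]["flows"].append(
                    (ts, m["proto"], dst, port, SERVICES.get(port, "other")))
        elif m := DISC.search(line):
            if m["user"] in report:
                report[m["user"]]["duration"] = m["dur"]
            # Release the pool address so its next holder is not blamed on this user.
            for vip in [v for v, u in active.items() if u == m["user"]]:
                del active[vip]
    return report
```

Because pool addresses are reused, the mapping is dropped at disconnect; the last sample line shows a flow from the same address after logout that is deliberately not attributed to `admin`.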

Thanks Marvin,
Heard about Splunk, will check Stealthwatch also.

Hi,

You can use show vpn-sessiondb anyconnect to know the user's source public IP, protocol, encryption and hashing protocols, etc. See example below.

 

# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : admin Index : 39926
Assigned IP : 172.1.1.1 Public IP : 162.1.1.1
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 1241441645 Bytes Rx : 635943314
Group Policy : GP-VPN Tunnel Group : GP-VPN
Login Time : 09:03:53 CDT Sun Sep 17 2017
Duration : 3d 16h:52m:40s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Hi John,
I know about this command, what I want is to get what they are doing after VPN connection, like for ex. if they are SSH-ing or RDP-ing to any server or devices.
Thanks