Cisco Support Community
New Member

TCP Port Monitor/Alert

We have six 5510s.  On one of them, we need to be able to monitor whenever a remote VPN client connects to one of our servers on a specific TCP port.  What do I need to do/have to be able to receive real-time notification of connect/disconnect messages?  Thanks!

5 REPLIES
Cisco Employee

Re: TCP Port Monitor/Alert

One way to do it is to put an outbound ACL on the interface that the server is hanging off of. Let's say it is the dmz.

access-list log-acl extended permit tcp any host server_IP log

access-list log-acl extended permit ip any any <-------- you want that, don't forget it because you will drop all other traffic

access-group log-acl out interface dmz  <----- apply it outbound

Then you will be generating a syslog every time someone connects to the server IP. You can send syslogs to a syslog server and monitor for it.

I hope it helps.

PK

Cisco Employee

Re: TCP Port Monitor/Alert

What PK suggested is a good idea, but the permit tcp any host server_IP will grab all the requests coming to the server and not just the VPN ones.

Please specify the source IP address as well. If the remote subnet or VPN IP subnet address is 10.10.0.0/24, make the ACL look like this.

access-list log-acl extended permit tcp 10.10.0.0 255.255.255.0 host server_IP eq 3389 log

access-list log-acl extended permit ip any any <-------- you want that, don't forget it because you will drop all other traffic

access-group log-acl out interface dmz  <----- apply it outbound

New Member

Re: TCP Port Monitor/Alert

Thank you for your responses!  I already have a SYSLOG server configured and I can search for the specific port, but what I needed was for a way to get instant notification via some other means (like email or IM) when a specific port was being accessed.  Thank you for your assistance!

Cisco Employee

Re: TCP Port Monitor/Alert

You can still do it. You can have the ASA send emails when it sees the syslog from the ACL.

logging list my_critical_messages message message_ID
logging mail my_critical_messages
logging recipient-address email_address
logging from-address email_address
smtp-server ip_address

You can't send IM alerts. An alternative is to have a script parse your syslogs as they come (tail cmd) and alert you.

PK
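
As an added example that is not part of the original thread or of any Cisco tooling, here is a Python script implementing the tail-and-parse alternative PK describes. It follows a syslog file and alerts on the messages the ACL above produces (106100, emitted by the log keyword) and additionally on the TCP connection built/teardown messages (302013/302014), which are what actually carries the connect and disconnect events the question asks for. The VPN pool 10.10.0.0/24, the server address 192.168.1.10 and port 3389 are assumptions taken from the ACL discussion, and the sample syslog lines are constructed, not captured from a real device.

```python
"""Follow an ASA syslog file and alert on VPN-client connections to a watched server port."""
import ipaddress
import re
import sys
import time
from typing import Iterator, List, Optional

# Assumptions (not from the original thread): VPN pool, server and port as in
# the ACL suggested in this thread; the syslog server writes one message per line.
VPN_POOL = ipaddress.ip_network("10.10.0.0/24")
SERVER_IP = ipaddress.ip_address("192.168.1.10")
WATCH_PORT = 3389

# %ASA-6-106100 is produced by an access-list entry carrying the "log" keyword.
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\w+) (?P<sif>[\w-]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[\w-]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# %ASA-6-302013 / 302014 are the TCP connection "Built" / "Teardown" messages;
# they give the connect and disconnect events independently of any ACL.
CONN_RE = re.compile(
    r"%ASA-\d-(?P<id>302013|302014): (?P<event>Built|Teardown) (?:inbound |outbound )?"
    r"TCP connection (?P<conn>\d+) for (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r".*?to (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse(line: str) -> Optional[dict]:
    """Return an event dict if the line is a relevant ASA message, else None."""
    m = ACL_RE.search(line)
    if m:
        kind = "acl-" + m["action"]
    else:
        m = CONN_RE.search(line)
        if not m:
            return None
        kind = "connect" if m["event"] == "Built" else "disconnect"
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    # Only VPN-pool clients hitting the watched server port are of interest;
    # this is the source filter the second reply in the thread asks for.
    if src not in VPN_POOL or dst != SERVER_IP or dport != WATCH_PORT:
        return None
    return {"kind": kind, "src": str(src), "sport": int(m["sport"]),
            "dst": str(dst), "dport": dport}


def scan(lines) -> List[dict]:
    """Parse an iterable of syslog lines and keep only the relevant events."""
    return [ev for ev in map(parse, lines) if ev is not None]


def format_alert(ev: dict) -> str:
    """One-line alert text; hand this to smtplib, a pager API, or a chat webhook."""
    return f"[ASA] {ev['kind']}: {ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}"


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """Yield lines appended to path after start-up, like `tail -f`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at EOF so only new messages raise alerts
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
                continue
            yield line.rstrip("\n")


# Constructed sample messages (hypothetical addresses and connection IDs).
SAMPLE = [
    "Mar 10 14:22:01 asa1 : %ASA-6-106100: access-list log-acl permitted tcp "
    "outside/10.10.0.5(51234) -> dmz/192.168.1.10(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Mar 10 14:22:01 asa1 : %ASA-6-302013: Built inbound TCP connection 4711 for "
    "outside:10.10.0.5/51234 (10.10.0.5/51234) to dmz:192.168.1.10/3389 (192.168.1.10/3389)",
    "Mar 10 14:27:13 asa1 : %ASA-6-302014: Teardown TCP connection 4711 for "
    "outside:10.10.0.5/51234 to dmz:192.168.1.10/3389 duration 0:05:12 bytes 81234 TCP FINs",
    # Internal host, not a VPN client: must be ignored.
    "Mar 10 14:28:00 asa1 : %ASA-6-302013: Built inbound TCP connection 4712 for "
    "inside:172.16.5.20/40000 (172.16.5.20/40000) to dmz:192.168.1.10/3389 (192.168.1.10/3389)",
    # VPN client, but a different port on the server: must be ignored.
    "Mar 10 14:29:30 asa1 : %ASA-6-106100: access-list log-acl permitted tcp "
    "outside/10.10.0.7(51300) -> dmz/192.168.1.10(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]",
    # Unrelated message ID: must be ignored.
    "Mar 10 14:29:31 asa1 : %ASA-6-305011: Built dynamic TCP translation from "
    "inside:172.16.5.21/40001 to outside:203.0.113.10/40001",
]

if __name__ == "__main__":
    source = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for raw in source:
        event = parse(raw)
        if event:
            print(format_alert(event))
```

Run it as `python asa_alert.py /var/log/asa.log` to follow the live file; with no argument it replays the constructed sample, which produces three alerts (ACL hit, connect, disconnect) and suppresses the three decoys. The `print` at the end is the hook to replace with an `smtplib` call or a pager API. Matching on 302013/302014 rather than only on 106100 matters because the ACL log message is rate-limited per flow by the ASA's log interval, whereas the connection messages fire once per connection built and torn down.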

New Member

Re: TCP Port Monitor/Alert

Excellent technique... I will apply that.  Thanks, again!
