We need to see the internal IPs of our remote access users. Currently, our VPN Concentrator 3000 gives out addresses from an address pool. Groups are not configured to give addresses. (We use an RSA server for authentication, and all remote users employ RSA tokens). Is using the address pool the easiest way to manage the addresses? We've had no problems with it, except that I can't get those addresses to report to the syslog, where we can track them paired up with a user name. Does anyone know how? And is this the best way to issue internal IP addresses so they can report to syslog?
Success! I've worked it out with your suggestion to turn up logging to 1-5. By a process of elimination, I figured that IKE is the event that is needed to capture the assigned address, and that's all it took. You wouldn't think IKE would be the one, but it is. I can't see that it should matter which pool of addresses it pulls from - whether setup globally, or by group; but that could be possible. We're using 'by group' now, and we can see the 'Assigned Address'.
Just for clarity on this issue, what I've been looking for is one of the two addresses that can be seen in the Monitoring>Sessions screen in the column with "Assigned/Public IP Addresses". It's the 'Assigned' one I'm after, so that I can track usage on our internal systems. This address is almost always a private address these days.
Since we're also getting the Public address of the remote user as assigned by his ISP, I don't think that NAT is interfering in this case - our DMZ topology avoids it. But I can certainly see how it could.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :