Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN Audit

I have set up a VPN tunnel, using IPSEC, between 2 sites using the Internet as the backbone. I am using a Cisco 7200 and Cisco 3640 to form the VPN tunnel.


1.Is it possible to restrict the number of users using this VPN tunnel to access the resources in the main site.I am currently emplying NAT to do this. But is there a better solution.

2. Can I audit the users using the VPN tunnel.

Thanks in advance!


Re: VPN Audit

1. It's possible to use your AAA server to "authorize" only specific users access to the other site.

2. What type of auditing are you looking to do? You can have your AAA server do some accounting as well.

Community Member

Re: VPN Audit

Could you give me a sample how to configure authorizing and accounting?


Community Member

Re: VPN Audit

Here are the entries for AAA that I have in my 2600 that is used as a RAS server. The last line is the one that gives me accounting entries for Start Stop and bytes transferred, etc. These entries will not work for a PIX. Does anyone have the entries necessary to do accounting through AAA on a PIX VPN solution?

aaa new-model

aaa authentication login default tacacs+ local

aaa authentication ppp default if-needed tacacs+

aaa authorization network default tacacs+

aaa accounting network default start-stop tacacs+

Community Member

Re: VPN Audit

The Syntax is very different on the PIX. Use the ’aaa accounting include’ command with the ‘acctg_service’ option. With ‘acctg_service’ you can specify the protocol/port for accounting. The default of any only runs accounting output on all TCP services. To get accounting for esp or udp and other protocols you must specify them verbatim.

Community Member

Re: VPN Audit

One option you have is to restrict users via your access-list if you don’t want them using tunneling. If your concern is too many users using tunneling at one time I’d look into doing some traffic shaping and queuing with QoS. I know IOS has that capability. I haven’t had to do any of that on my network but maybe someone else here has.

CreatePlease to create content