09-18-2014 05:51 AM
Hello,
I am using a Cisco ASA firewall to connect remote users to Data Centers.
I want to capture only the two types of logs mentioned below and save them to a server.
# Who logged in through VPN.
# Which servers in the inside network they accessed.
Please provide me an overview of how I can filter only those two messages and send them to a remote server.
Thanks in advance
09-19-2014 03:59 AM
hi,
you can use the show vpn-sessiondb command (you can add the keyword "detail") to check who's logged in via VPN, while the show conn command lists the inbound/outbound accessed IPs.
09-22-2014 09:35 PM
Hello John,
The "show vpn-sessiondb detail" command provides output of VPN Session Summary and Tunnels Summary.
Is there any command by which I can check which usernames are presently logged in/accessing the VPN?
09-22-2014 10:50 PM
hi,
you can use the same command but specify which VPN type you want to see: either webvpn (aka SSL VPN), anyconnect, or RA VPN.
see sample below:
ciscoasa# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : anyconnect-user Index : 1
Assigned IP : 10.1.1.10 Public IP : 192.168.1.17
Protocol : IKEv2 IPsecOverNatT Clientless
License : AnyConnect Premium
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 Clientless: (1)RC4
Hashing : IKEv2: (1)SHA1 IPsecOverNatT: (1)SHA1 Clientless: (1)SHA1
Bytes Tx : 51620 Bytes Rx : 98124
Group Policy : GroupPolicy_ANYCONNECT-PROF
Tunnel Group : ANYCONNECT-PROF
Login Time : 16:28:49 SGT Tue May 13 2014
Duration : 0h:03m:45s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
09-19-2014 11:10 AM
Besides the show commands John mentioned (those won't send out to an external server), you can check for the syslog message generated during login (varies per the type of VPN that's set up). Typically that's a level 5 or 6 syslog message. You can set up the ASA to send that message only (or elevate its priority and send all messages of, say, priority 4 or higher).
You can't easily capture what servers were accessed unless you filter out all the level 6 tcp connections and udp flow messages. We generally don't recommend logging at that level unless you're troubleshooting or are required to do so for regulatory or legal reasons.
09-22-2014 10:11 AM
Hello Marvin & John,
Those inputs are really very helpful for me. I assume periodic output of those two commands provided by John will partially solve my requirement.
I need some more light on how to filter and interpret "level 6 tcp connection and udp flow messages" for troubleshooting and some audit purpose. Please guide me.
09-22-2014 10:22 AM
Some example (not exhaustive) syslog messages generated for TCP and UDP traffic passing through an ASA are:
%ASA-6-302013: Built outbound TCP connection...
%ASA-6-302015: Built outbound UDP connection
So to capture those two you would do something like:
logging message 302013 level errors
logging message 302015 level errors
That raises their severity level from 6 (= informational, default for that message) to 3 (= errors).
Then you tell your logging filters to filter on severity 3:
logging trap errors
and finally tell which host to send messages to:
logging host <interface you want to send from> <syslog server address>
09-22-2014 09:44 PM
Yes Marvin, that is correct.
In my infrastructure, the same firewall is being used for site-to-site connectivity between 2 DCs.
So there are many connections opened by the servers themselves for their predefined communication with servers in the other DC.
Is there any way to filter connections initiated by VPN users only?
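Marvin's recipe above gets the 302013/302015 connection messages to the syslog host, and the last question asks how to keep only the connections made by VPN users rather than the site-to-site traffic between the DCs. As an added example (not from this thread or from Cisco), the Python script below parses constructed ASA syslog lines, records the address handed to each remote-access user from the %ASA-4-722051 login message (an ID not mentioned above), and keeps only 302013 connection records whose source falls inside the VPN address pool. The pool 10.1.1.0/24, the usernames, addresses and interface names are all constructed for the sample.

```python
import ipaddress
import re

# Constructed sample ASA syslog lines (not captured from a real device).
# 722051 carries the address handed to a remote-access user at login; 302013 is the
# level-6 "Built ... TCP connection" message discussed in the thread (the severity digit
# becomes 3 after "logging message 302013 level errors", so the regex accepts any digit).
SAMPLE_LOGS = [
    "%ASA-4-722051: Group <GroupPolicy_ANYCONNECT-PROF> User <alice> IP <192.168.1.17> "
    "IPv4 Address <10.1.1.10> IPv6 address <::> assigned to session",
    "%ASA-3-302013: Built outbound TCP connection 1001 for outside:10.1.1.10/51234 "
    "(10.1.1.10/51234) to inside:172.16.5.20/22 (172.16.5.20/22)",
    "%ASA-3-302013: Built outbound TCP connection 1002 for inside:172.16.5.30/49152 "
    "(172.16.5.30/49152) to dc2:172.17.5.30/445 (172.17.5.30/445)",
    "%ASA-3-302013: Built inbound TCP connection 1003 for outside:10.1.1.10/51300 "
    "(10.1.1.10/51300) to inside:172.16.5.21/3389 (172.16.5.21/3389)",
]

LOGIN_RE = re.compile(
    r"%ASA-\d-722051: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<public>[^>]+)> IPv4 Address <(?P<assigned>[^>]+)>"
)
CONN_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def vpn_user_connections(lines, vpn_pool):
    """Return (user, src, dst, dport) for connections sourced from a VPN-assigned address.

    vpn_pool is the remote-access address pool configured on the ASA. Site-to-site traffic
    between the two DCs produces the same 302013 message but never sources from that pool,
    so it is dropped. Login messages seen earlier in the stream map addresses to usernames.
    """
    pool = ipaddress.ip_network(vpn_pool)
    assigned = {}  # VPN-assigned IPv4 address -> username
    hits = []
    for line in lines:
        login = LOGIN_RE.search(line)
        if login:
            assigned[login["assigned"]] = login["user"]
            continue
        conn = CONN_RE.search(line)
        if conn and ipaddress.ip_address(conn["src"]) in pool:
            hits.append((assigned.get(conn["src"], "unknown"),
                         conn["src"], conn["dst"], int(conn["dport"])))
    return hits
```

Feeding the syslog server's file to vpn_user_connections in time order gives a per-user list of inside servers reached over the VPN; a connection whose source is in the pool but has no preceding login line is reported as "unknown" so a gap in the log is visible rather than silently attributed.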