
Need to trace user activity through firewall.

Santanu Mandal
Level 1

Hello, 

I am using Cisco ASA firewall to connect remote users to Data Centers.

I want to capture only the two types of logs mentioned below and save them to a server.

# Who logged in through VPN.

# Which servers in the inside network they accessed.

Please provide me an overview of how I can filter only those two messages and send them to a remote server.

 

Thanks in advance

7 Replies

johnlloyd_13
Level 9

hi,

You can use the show vpn-sessiondb command (you can add the keyword "detail") to check who's logged in via VPN, while show conn lists the inbound/outbound accessed IPs.

 

Hello John,

The "show vpn-sessiondb detail" command provides output of the VPN Session Summary and Tunnels Summary.

Is there any command by which I can check which usernames are presently logged in / accessing the VPN?

 

hi,

You can use the same command but specify which VPN type you want to see: either webvpn (aka SSL VPN), anyconnect or RA VPN.

see sample below:

ciscoasa# show vpn-sessiondb anyconnect
Session Type: AnyConnect

Username     : anyconnect-user        Index        : 1
Assigned IP  : 10.1.1.10              Public IP    : 192.168.1.17
Protocol     : IKEv2 IPsecOverNatT Clientless
License      : AnyConnect Premium
Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)AES256  Clientless: (1)RC4
Hashing      : IKEv2: (1)SHA1  IPsecOverNatT: (1)SHA1  Clientless: (1)SHA1
Bytes Tx     : 51620                  Bytes Rx     : 98124
Group Policy : GroupPolicy_ANYCONNECT-PROF
Tunnel Group : ANYCONNECT-PROF
Login Time   : 16:28:49 SGT Tue May 13 2014
Duration     : 0h:03m:45s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Marvin Rhoads
Hall of Fame

Besides the show commands John mentioned (those won't send anything out to an external server), you can check for the syslog message generated during login (it varies with the type of VPN that's set up). Typically that's a level 5 or 6 syslog message. You can set up the ASA to send that message only (or elevate its priority and send all messages of, say, priority 4 or higher).

You can't easily capture what servers were accessed unless you filter out all the level 6 tcp connections and udp flow messages. We generally don't recommend logging at that level unless you're troubleshooting or are required to do so for regulatory or legal reasons.

Hello Marvin & John, 

Those inputs are really very helpful for me. I assume periodic output of those two commands provided by John will partially solve my requirement.

I need some more light on how to filter and interpret the "level 6 tcp connection and udp flow messages" for troubleshooting and some audit purposes. Please guide me.

Some example (not exhaustive) syslog messages generated for TCP and UDP traffic passing through an ASA are:

%ASA-6-302013: Built outbound TCP connection...

%ASA-6-302015: Built outbound UDP connection

So to capture those two you would do something like:

logging message 302013 level errors

logging message 302015 level errors

That raises their severity level from 6 (= informational, default for that message) to 3 (= errors).

Then you tell your logging filters to filter on severity 3:

logging trap errors

and finally tell which host to send messages to:

logging host <interface you want to send from> <syslog server address>

Yes Marvin, that is correct.

In my infrastructure, the same firewall is being used for site-to-site connectivity between 2 DCs.

So there are many connections opened by the servers themselves for their predefined communication with servers of the other DC.

Is there any way to filter connections initiated by VPN users only?
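The last question (keeping only connections opened by remote-access VPN users while the same ASA also carries DC-to-DC site-to-site traffic) can be handled on the syslog receiver rather than on the firewall: a VPN user's connections through the ASA carry the address assigned from the VPN pool as the originating host in the 302013/302015 "Built ... connection" messages, whereas site-to-site flows originate from server addresses in either DC. The script below is an added example, not code from the thread or from Cisco. It assumes a VPN pool of 10.1.1.0/24 (the posted show output assigns 10.1.1.10), and it assumes that syslog message 722051 carries the address assigned to an AnyConnect session; check that ID and format against the syslog message guide for your ASA version before relying on it. The log lines in it are constructed, not captured. One more caveat on the earlier reply: `logging trap errors` also forwards every message that is genuinely severity 0 to 3, so the receiver still has to select by message ID, which is what this script does.

```python
"""Added example: correlate ASA syslog so that only connections opened by
remote-access VPN users toward inside servers are kept, dropping the
site-to-site traffic the same firewall carries between the two DCs."""
import ipaddress
import re

# Assumption: the remote-access VPN address pool. The show output posted in
# the thread assigns 10.1.1.10, so 10.1.1.0/24 is used here for illustration.
VPN_POOL = ipaddress.ip_network("10.1.1.0/24")

# Assumption: message 722051 announces the address assigned to an AnyConnect
# session. Verify the ID and field layout against the syslog guide for the
# ASA version in use.
ASSIGN_RE = re.compile(
    r"%ASA-\d-722051: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<public>[^>]+)> IPv4 Address <(?P<assigned>[^>]+)>"
)

# 302013 (TCP) and 302015 (UDP) are the "Built ... connection" messages named
# in the thread. The host after "for" is the one that opened the connection.
CONN_RE = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?:inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([\d.]+/\d+\) to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)


def vpn_logins(lines):
    """Map assigned pool address -> (user, group) from 722051 messages."""
    logins = {}
    for line in lines:
        m = ASSIGN_RE.search(line)
        if m:
            logins[m["assigned"]] = (m["user"], m["group"])
    return logins


def vpn_server_access(lines, inside_ifaces=("inside",)):
    """Return one record per connection opened from a VPN-pool address toward
    a server behind one of inside_ifaces. Connections whose originating host is
    not in the pool (for example DC-to-DC site-to-site flows) are dropped."""
    logins = vpn_logins(lines)
    records = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        if ipaddress.ip_address(m["src"]) not in VPN_POOL:
            continue
        if m["dst_if"] not in inside_ifaces:
            continue
        user, group = logins.get(m["src"], ("<no 722051 seen>", "?"))
        records.append({
            "user": user, "group": group, "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"],
        })
    return records


# Constructed sample log (not captured from a real ASA): one AnyConnect login,
# two VPN-user connections to inside servers, two DC-to-DC site-to-site flows,
# and one VPN-user connection to a DMZ host.
SAMPLE_LOG = [
    "%ASA-4-722051: Group <GroupPolicy_ANYCONNECT-PROF> User <anyconnect-user> "
    "IP <192.168.1.17> IPv4 Address <10.1.1.10> IPv6 address <::> assigned to session",
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:10.1.1.10/52210 "
    "(10.1.1.10/52210) to inside:10.50.0.20/443 (10.50.0.20/443)",
    "%ASA-6-302015: Built inbound UDP connection 4712 for outside:10.1.1.10/53011 "
    "(10.1.1.10/53011) to inside:10.50.0.53/53 (10.50.0.53/53)",
    "%ASA-6-302013: Built outbound TCP connection 4713 for inside:10.50.0.30/40012 "
    "(10.50.0.30/40012) to outside:10.60.0.30/1521 (10.60.0.30/1521)",
    "%ASA-6-302013: Built inbound TCP connection 4714 for outside:10.60.0.31/33100 "
    "(10.60.0.31/33100) to inside:10.50.0.40/445 (10.50.0.40/445)",
    "%ASA-6-302013: Built inbound TCP connection 4715 for outside:10.1.1.10/52300 "
    "(10.1.1.10/52300) to dmz:10.70.0.5/80 (10.70.0.5/80)",
]

if __name__ == "__main__":
    for rec in vpn_server_access(SAMPLE_LOG):
        print(rec)
```

Run against the constructed sample, the script keeps only the two connections from 10.1.1.10 to inside servers (TCP/443 and UDP/53) and attributes them to anyconnect-user; the two DC-to-DC flows are dropped because their originating hosts are not pool addresses, and the DMZ connection is dropped unless "dmz" is added to inside_ifaces. If the pool address is reused after a user disconnects, the 722051 mapping should be keyed by time as well as address, which this example does not do.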
