Cisco Support Community
Community Member

Need to trace user activity through firewall.

Hello, 

I am using Cisco ASA firewall to connect remote users to Data Centers.

I want to capture only the two types of logs mentioned below and save them to a server.

# Who logged in through VPN.

# Which servers in the inside network they accessed.

Please give me an overview of how I can filter only those two messages and send them to a remote server.

 

Thanks in advance

7 REPLIES


hi,

you can use the show vpn-sessiondb command (you can add the keyword "detail") to check who's logged in via VPN, while show conn lists the inbound/outbound accessed IPs.

 

Community Member


Hello John,

The "show vpn-sessiondb detail" command provides the VPN Session Summary and Tunnels Summary output.

Is there any command by which I can check which usernames are presently logged in / accessing the VPN?

 


hi,

you can use the same command but specify which VPN type you want to see: either webvpn (aka SSL VPN), anyconnect or RA VPN.

see sample below:

ciscoasa# show vpn-sessiondb anyconnect
Session Type: AnyConnect

Username     : anyconnect-user        Index        : 1
Assigned IP  : 10.1.1.10              Public IP    : 192.168.1.17
Protocol     : IKEv2 IPsecOverNatT Clientless
License      : AnyConnect Premium
Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)AES256  Clientless: (1)RC4
Hashing      : IKEv2: (1)SHA1  IPsecOverNatT: (1)SHA1  Clientless: (1)SHA1
Bytes Tx     : 51620                  Bytes Rx     : 98124
Group Policy : GroupPolicy_ANYCONNECT-PROF
Tunnel Group : ANYCONNECT-PROF
Login Time   : 16:28:49 SGT Tue May 13 2014
Duration     : 0h:03m:45s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Hall of Fame Super Silver


Besides the show commands John mentioned (those won't send output to an external server), you can check for the syslog message generated during login (it varies with the type of VPN that's set up). Typically that's a level 5 or 6 syslog message. You can set up the ASA to send that message only (or elevate its priority and send all messages of, say, priority 4 or higher).

You can't easily capture which servers were accessed unless you filter out all the level 6 TCP connection and UDP flow messages. We generally don't recommend logging at that level unless you're troubleshooting or are required to do so for regulatory or legal reasons.

Community Member


Hello Marvin & John, 

Those inputs are really very helpful to me. I assume periodic output of the two commands provided by John will partially solve my requirement.

I need some more light on how to filter and interpret "level 6 TCP connection and UDP flow messages" for troubleshooting and audit purposes. Please guide me.

Hall of Fame Super Silver


Some examples (not exhaustive) of syslog messages generated for TCP and UDP traffic passing through an ASA are:

%ASA-6-302013: Built outbound TCP connection...

%ASA-6-302015: Built outbound UDP connection

So to capture those two you would do something like:

logging message 302013 level errors

logging message 302015 level errors

That raises their severity level from 6 (= informational, default for that message) to 3 (= errors).

Then you tell your logging filters to filter on severity 3:

logging trap errors

and finally tell it which host to send messages to:

logging host <interface you want to send from> <syslog server address>

Community Member


Yes Marvin, That is correct.

In my infrastructure, the same firewall is used for site-to-site connectivity between 2 DCs.

So there are many connections opened by the servers themselves for their predefined communication with servers in the other DC.

Is there any way to filter connections initiated by VPN users only?
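As an added example (not part of this thread or of any Cisco tool), here is a small Python filter over the 302013/302015 "Built ... connection" messages Marvin describes. It parses those messages as they arrive at the syslog server and keeps only connections whose initiating address lies in an assumed VPN address pool, which is one way to separate remote-access user connections from the site-to-site server traffic raised in the last post. The pool 10.1.1.0/24 is an assumption chosen because the sample show vpn-sessiondb output above shows an Assigned IP of 10.1.1.10; the interface names, addresses and the sample log lines are constructed, and the severity 3 on those lines is what the "logging message 302013 level errors" remap would produce.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed VPN address pool (hypothetical): the sample "show vpn-sessiondb"
# output in this thread shows Assigned IP 10.1.1.10, so a /24 containing it.
VPN_POOL = ip_network("10.1.1.0/24")

# Matches ASA 302013 (TCP) and 302015 (UDP) "Built ... connection" messages.
# Only the fields needed here are captured; trailing optional fields on the
# real message (e.g. a username in parentheses) are tolerated, not parsed.
BUILT_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>30201[35]): Built (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)


def parse_built(line):
    """Return a dict for a 302013/302015 'Built' message, or None for any other line."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def vpn_user_connections(lines, pool=VPN_POOL):
    """Keep only connections whose initiating address is inside the VPN pool.

    A remote-access user's traffic is reported with the user's assigned pool
    address as the source, so pool membership separates it from server-to-server
    flows crossing the same firewall over the site-to-site tunnel.
    """
    kept = []
    for line in lines:
        rec = parse_built(line)
        if rec and ip_address(rec["src_ip"]) in pool:
            kept.append(rec)
    return kept


def servers_by_vpn_source(lines, pool=VPN_POOL):
    """Map each VPN pool address to the sorted set of (proto, dst_ip, dst_port) it reached."""
    seen = defaultdict(set)
    for rec in vpn_user_connections(lines, pool):
        seen[rec["src_ip"]].add((rec["proto"], rec["dst_ip"], rec["dst_port"]))
    return {src: sorted(dsts) for src, dsts in seen.items()}


# Constructed sample syslog lines (not real data). Line 2 is a site-to-site
# server flow that must be excluded; line 4 is a teardown message (302014)
# that the parser must ignore.
SAMPLE_LOG = [
    "%ASA-3-302013: Built inbound TCP connection 1001 for outside:10.1.1.10/51234 (10.1.1.10/51234) to inside:10.20.0.5/445 (10.20.0.5/445)",
    "%ASA-3-302013: Built outbound TCP connection 1002 for inside:10.20.0.7/38000 (10.20.0.7/38000) to outside:10.30.0.7/1521 (10.30.0.7/1521)",
    "%ASA-3-302015: Built inbound UDP connection 1003 for outside:10.1.1.10/53211 (10.1.1.10/53211) to inside:10.20.0.9/53 (10.20.0.9/53)",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:10.1.1.10/51234 to inside:10.20.0.5/445 duration 0:00:12 bytes 4321 TCP FINs",
    "%ASA-3-302013: Built inbound TCP connection 1004 for outside:10.1.1.11/40000 (10.1.1.11/40000) to inside:10.20.0.5/3389 (10.20.0.5/3389)",
]

if __name__ == "__main__":
    for src, dsts in servers_by_vpn_source(SAMPLE_LOG).items():
        print(src, "->", dsts)
```

The pool check is only as good as the pool definition: if the ASA also hands addresses from that range to other tunnel groups, the filter will include them, so keep the pool list in step with the ASA configuration. Mapping a pool address back to a username still needs the login-time syslog message or the show vpn-sessiondb output from earlier in the thread, since these connection messages carry the address, not the user.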
