topic Re: AnyConnect VPN Client FAQ in Network Security

AnyConnect VPN Client FAQ

ashleybabajee — Fri, 21 Feb 2020 14:20:08 GMT

Hi ,

i want to know/monitor what the users did or accessed once they have log in via VPN using Cisco ASA.

Want to get the login/logout , durantion, what they accessed for ex. RDP or any services.

Please advise.

regards

Re: AnyConnect VPN Client FAQ

Marvin Rhoads — Wed, 20 Sep 2017 10:46:50 GMT

SSL VPN login and logout creates a syslog entry. You can parse those in an external syslog tool to get the first bits you are asking about.

Exactly what was accessed requires analysis of the individual tcp connections or udp flows. While you can do it with ASA informational syslogs (level 6), they are all mixed in with every other flow through the firewall and it can be difficult to separate the VPN users from everything else the ASA generates.

Re: AnyConnect VPN Client FAQ

ashleybabajee — Wed, 20 Sep 2017 11:13:53 GMT

Thanks Marvin,

Is there any third party hardware/software capable of doing that ?

we need to know what our administrators are doing when connected through VPN, like for ex. to which IP addres they are connected and which protocol like SSH, RDP or others.

Kindly advise.

Re: AnyConnect VPN Client FAQ

Marvin Rhoads — Wed, 20 Sep 2017 11:23:42 GMT

You can extract the information in one of two ways:

1. syslog level 6 messages as noted earlier. Those would go to a 3rd party syslog tool like Splunk, Kiwi syslog analyzer etc.

2. Netflow records to a netflow analyzer like Cisco Stealthwatch or 3rd party tool like Solarwinds Netflow Traffic Analyzer.

Generallly speaking, the more you pay for those external tools the more capability they will have for parsing and visualizing the information. At the high end they can become quite expensive (US$10,000 to over $100,000). Basic syslog is free but you will just have a flat text file of what address connected to which other adress using what tcp or udp port. It is then up to you to make sense of that.

Re: AnyConnect VPN Client FAQ

ashleybabajee — Thu, 21 Sep 2017 06:29:54 GMT

Thanks Marvin,
Heard about Splunk, will check Stealth watch also.

Re: AnyConnect VPN Client FAQ

johnlloyd_13 — Thu, 21 Sep 2017 07:01:53 GMT

hi,

you can use show vpn-sessiondb anyconnect to know the user's source public IP, protocol, encryption and hashing protocols, etc. see example below.

# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : admin Index : 39926
Assigned IP : 172.1.1.1 Public IP : 162.1.1.1
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 1241441645 Bytes Rx : 635943314
Group Policy : GP-VPN Tunnel Group : GP-VPN
Login Time : 09:03:53 CDT Sun Sep 17 2017
Duration : 3d 16h:52m:40s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Re: AnyConnect VPN Client FAQ

ashleybabajee — Thu, 21 Sep 2017 07:10:07 GMT

Hi John,
I know about this command, what i want is to get what they are doing after VPN connection, like for ex. if they are SSH-ing or RDP-ing to any server or devices.
Thanks