cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
665
Views
0
Helpful
6
Replies

AnyConnect VPN Client FAQ

ashleybabajee
Level 1
Level 1

Hi ,

 

i want to know/monitor what the users did or accessed once they have log in via VPN using Cisco ASA.

Want to get the login/logout , durantion, what they accessed for ex. RDP or any services.

 

Please advise.

 

regards

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

SSL VPN login and logout creates a syslog entry. You can parse those in an external syslog tool to get the first bits you are asking about.

 

Exactly what was accessed requires analysis of the individual tcp connections or udp flows. While you can do it with ASA informational syslogs (level 6), they are all mixed in with every other flow through the firewall and it can be difficult to separate the VPN users from everything else the ASA generates.

Thanks Marvin,

 

Is there any third party hardware/software capable of doing that ?

we need to know what our administrators are doing when connected through VPN, like for ex. to which IP addres they are connected and which protocol like SSH, RDP or others.

 

Kindly advise.

 

You can extract the information in one of two ways:

1. syslog level 6 messages as noted earlier. Those would go to a 3rd party syslog tool like Splunk, Kiwi syslog analyzer etc.

2. Netflow records to a netflow analyzer like Cisco Stealthwatch or 3rd party tool like Solarwinds Netflow Traffic Analyzer.

Generallly speaking, the more you pay for those external tools the more capability they will have for parsing and visualizing the information. At the high end they can become quite expensive (US$10,000 to over $100,000). Basic syslog is free but you will just have a flat text file of what address connected to which other adress using what tcp or udp port. It is then up to you to make sense of that.

Thanks Marvin,
Heard about Splunk, will check Stealth watch also.

hi,

you can use show vpn-sessiondb anyconnect to know the user's source public IP, protocol, encryption and hashing protocols, etc. see example below.

 

# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : admin Index : 39926
Assigned IP : 172.1.1.1 Public IP : 162.1.1.1
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 1241441645 Bytes Rx : 635943314
Group Policy : GP-VPN Tunnel Group : GP-VPN
Login Time : 09:03:53 CDT Sun Sep 17 2017
Duration : 3d 16h:52m:40s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Hi John,
I know about this command, what i want is to get what they are doing after VPN connection, like for ex. if they are SSH-ing or RDP-ing to any server or devices.
Thanks
Review Cisco Networking for a $25 gift card