cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
71126
Views
50
Helpful
4
Replies

Display users logged into firewall

jedavis
Level 4
Level 4

I want to see what administrative users are logged into a firewall, like "show user" in IOS.  I seem to have forgotten how to do this.  Or perhaps I never knew.  Can anyone provide the CLI command?

Thanks,

-Jeff

2 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Try the following commands

show ssh sessions

show asdm session

Hope this helps

- Jouni

View solution in original post

prateeve
Level 1
Level 1

Hi,

On ASA you could run following commands to check the ip's from which some one have logged in to the ASA:

show ssh sessions

To display information about the active SSH sessions on the ASA, use the show ssh sessions command in privileged EXEC mode.

show asdm sessions

To display a list of active ASDM sessions and their associated session IDs, use the

show asdm sessions command in privileged EXEC mode.

who

To display active Telnet administration sessions on the ASA, use the

who command in privileged EXEC mode.

To check through syslogs messages, like on snmp server or syslog server, you have configure following commands:

1  First we have to enable logging on ASA.

logging enable

2  Then we need to setup logging list with the syslog id’s which we want to see in the logging messages.

logging list cmds(name of logging list) message 111008

logging list cmds message 111009

logging list cmds message 111010

logging list cmds message 605005

Here, syslog messages specified above correspond to the following:

111008

Error Message    %ASA-5-111008: User user executed the command string

Explanation    The user entered any command, with the exception of a show command.

111009

Error Message    %ASA-7-111009:User user executed cmd:string 

Explanation    The user entered a command that does not modify the configuration. This message appears only for show commands.

111010

Error Message    %ASA-5-111010: User username, running application-name from IP ip  
addr, executed cmd

Explanation    A user made a configuration change.

username—The user making the configuration change

application-name—The application that the user is running

ip addr—The IP address of the management station

cmd—The command that the user has executed

605005

Error Message    %ASA-6-605005: Login permitted from source-address/source-port to 
interface:destination/service for user "username"

The following form of the message appears when the user logs in to the console:

Login permitted from serial to console for user "username"

Explanation    A user was authenticated successfully, and a management session started.

source-address—Source address of the login attempt

source-port—Source port of the login attempt

interface—Destination management interface

destination—Destination IP address

service—Destination service

username—Destination management interface

3. Commands to configure ASA to send logs to syslog server.

- Prateek Verma

View solution in original post

4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Try the following commands

show ssh sessions

show asdm session

Hope this helps

- Jouni

prateeve
Level 1
Level 1

Hi,

On ASA you could run following commands to check the ip's from which some one have logged in to the ASA:

show ssh sessions

To display information about the active SSH sessions on the ASA, use the show ssh sessions command in privileged EXEC mode.

show asdm sessions

To display a list of active ASDM sessions and their associated session IDs, use the

show asdm sessions command in privileged EXEC mode.

who

To display active Telnet administration sessions on the ASA, use the

who command in privileged EXEC mode.

To check through syslogs messages, like on snmp server or syslog server, you have configure following commands:

1  First we have to enable logging on ASA.

logging enable

2  Then we need to setup logging list with the syslog id’s which we want to see in the logging messages.

logging list cmds(name of logging list) message 111008

logging list cmds message 111009

logging list cmds message 111010

logging list cmds message 605005

Here, syslog messages specified above correspond to the following:

111008

Error Message    %ASA-5-111008: User user executed the command string

Explanation    The user entered any command, with the exception of a show command.

111009

Error Message    %ASA-7-111009:User user executed cmd:string 

Explanation    The user entered a command that does not modify the configuration. This message appears only for show commands.

111010

Error Message    %ASA-5-111010: User username, running application-name from IP ip  
addr, executed cmd

Explanation    A user made a configuration change.

username—The user making the configuration change

application-name—The application that the user is running

ip addr—The IP address of the management station

cmd—The command that the user has executed

605005

Error Message    %ASA-6-605005: Login permitted from source-address/source-port to 
interface:destination/service for user "username"

The following form of the message appears when the user logs in to the console:

Login permitted from serial to console for user "username"

Explanation    A user was authenticated successfully, and a management session started.

source-address—Source address of the login attempt

source-port—Source port of the login attempt

interface—Destination management interface

destination—Destination IP address

service—Destination service

username—Destination management interface

3. Commands to configure ASA to send logs to syslog server.

- Prateek Verma

Thank you for the (very) thorough awnser Prateek!  I will make use of that logging list.

-Jeff

jedavis
Level 4
Level 4

That's it!

Thanks Jouni

Review Cisco Networking for a $25 gift card