
TCP Port Monitor/Alert

pootboy69
Level 1

We have six 5510s.  On one of them, we need to be able to monitor whenever a remote VPN client connects to one of our servers on a specific TCP port.  What do I need to do/have to be able to receive real-time notification of connect/disconnect messages?  Thanx!


5 Replies

Panos Kampanakis
Cisco Employee

One way to do it is to put an outbound ACL on the interface that the server is hanging off of. Let's say it is the dmz.

access-l log-acl permit tcp any host log

access-l log-acl permit ip any any <-------- you want that, don't forget it because you will drop all other traffic

access-group log-acl out interface dmz  <----- apply it outbound

Then you will be generating a syslog every time someone connects to the server ip. You can send syslogs to a syslog server and monitor for it.

I hope it helps.

PK

What PK suggested is a good idea, but the permit tcp any host server_IP will grab all the requests coming to the server and not just VPN ones.

Please specify the source IP address as well. If the remote subnet or VPN IP subnet address is 10.10.0.0/24, make the ACL look like this.

access-l log-acl permit tcp 10.10.0.0 255.255.255.0 host eq 3389 log

access-l log-acl permit ip any any <-------- you want that, don't forget it because you will drop all other traffic

access-group log-acl out interface dmz  <----- apply it outbound

Thank you for your responses!  I already have a syslog server configured and I can search for the specific port, but what I needed was a way to get instant notification via some other means (like email or IM) when a specific port was being accessed.  Thank you for your assistance!

You can still do it. You can have the ASA send emails when it sees the syslog from the ACL.

logging list my_critical_messages message
logging mail my_critical_messages
logging recipient-address email_address
logging from-address email_address
smtp-server ip_address

You can't send IM alerts. An alternative is to have a script parse your syslogs as they come (tail cmd) and alert you.

PK
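As an added example that is not part of the thread, this Python script is one way to do the "script that parses your syslogs as they come" alternative PK mentions: it reads ASA syslog lines from stdin (fed by tail -F), matches the 106100 message that the log-acl entry with the log keyword produces and, going one step beyond the thread, the 302013/302014 TCP connection built/teardown messages so that disconnects are caught as well, then keeps only events for the watched server, port and VPN pool. The server address 192.168.1.10, the log path and the sample lines are constructed assumptions; the 10.10.0.0/24 pool and port 3389 come from the thread.

```python
import ipaddress
import re
import sys

# Constructed sample lines (not from the thread), modelled on the ASA formats for
# 106100 (ACL entry hit with "log") and 302013/302014 (TCP connection built / torn down).
# All three are informational (level 6) messages, so the syslog trap level must include them.
SAMPLE_LINES = [
    "%ASA-6-106100: access-list log-acl permitted tcp outside/10.10.0.55(51234) -> dmz/192.168.1.10(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:10.10.0.55/51234 (10.10.0.55/51234) to dmz:192.168.1.10/3389 (192.168.1.10/3389)",
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:10.10.0.55/51234 to dmz:192.168.1.10/3389 duration 0:05:12 bytes 4096 TCP FINs",
    "%ASA-6-106100: access-list log-acl permitted tcp outside/10.10.0.55(51235) -> dmz/192.168.1.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 4712 for outside:172.16.5.9/40000 (172.16.5.9/40000) to dmz:192.168.1.10/3389 (192.168.1.10/3389)",
]

ACL_HIT = re.compile(
    r"%ASA-\d-106100: access-list \S+ (?:permitted|denied) \w+ "
    r"\w+/(?P<src>[\d.]+)\(\d+\) -> \w+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
TCP_CONN = re.compile(
    r"%ASA-\d-30201[34]: (?P<what>Built|Teardown) (?:inbound |outbound )?TCP connection \d+ "
    r"for \w+:(?P<src>[\d.]+)/\d+ .*?to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_event(line):
    """Turn one ASA syslog line into a connect/disconnect event, or None if it is not one."""
    m = ACL_HIT.search(line)
    if m:  # the ACL log only fires when the flow is created, i.e. on connect
        return {"event": "connect", "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = TCP_CONN.search(line)
    if m:
        kind = "connect" if m["what"] == "Built" else "disconnect"
        return {"event": kind, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None


def alerts_for(lines, server_ip, port, vpn_subnet):
    """Keep only events to the watched server/port whose source is inside the VPN pool,
    mirroring the source-restricted ACL recommended in the thread (302013 fires for every
    permitted flow, so the filter is what narrows it to VPN clients)."""
    net = ipaddress.ip_network(vpn_subnet)
    return [ev for ev in map(parse_event, lines)
            if ev and ev["dst"] == server_ip and ev["dport"] == port
            and ipaddress.ip_address(ev["src"]) in net]


if __name__ == "__main__":
    # Typical use: tail -F /var/log/asa.log | python3 asa_alert.py   (path assumed)
    # Swap print() for your notification channel (smtplib, a chat webhook, ...).
    for line in sys.stdin:
        for ev in alerts_for([line], "192.168.1.10", 3389, "10.10.0.0/24"):
            print(f"ALERT {ev['event']}: {ev['src']} -> {ev['dst']}:{ev['dport']}", flush=True)
```

If both the ACL log and the connection build messages are enabled, each connect appears twice (106100 and 302013); pick one of the two in the logging list or deduplicate on the flow.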

Excellent technique... I will apply that.  Thanks, again!
