10-21-2010 11:21 AM - edited 03-12-2019 06:01 PM
We have six 5510s. On one of them, we need to be able to monitor whenever a remote VPN client connects to one of our servers on a specific TCP port. What do I need to do/have to be able to receive real-time notification of connect/disconnect messages? Thanks!
10-21-2010 02:59 PM
One way to do it is to put an outbound ACL on the interface that the server is hanging off of. Let's say it is the dmz.
access-l log-acl permit tcp any host server_IP log <-------- the log keyword is what generates the syslog for each hit
access-l log-acl permit ip any any <-------- you want that, don't forget it because you will drop all other traffic
access-group log-acl out interface dmz <----- apply it outbound
Then you will be generating a syslog every time someone connects to the server ip. You can send syslogs to a syslog server and monitor for it.
I hope it helps.
PK
10-21-2010 08:12 PM
What PK suggested is a good idea, but the permit tcp any host server_IP will grab all the requests coming to the server and not just VPN ones.
Please specify the source IP address as well. If the remote subnet or VPN IP subnet address is 10.10.0.0/24, make the ACL look like this.
access-l log-acl permit tcp 10.10.0.0 255.255.255.0 host server_IP log
access-l log-acl permit ip any any <-------- you want that, don't forget it because you will drop all other traffic
access-group log-acl out interface dmz <----- apply it outbound
10-22-2010 05:50 AM
Thank you for your responses! I already have a SYSLOG server configured and I can search for the specific port, but what I needed was for a way to get instant notification via some other means (like email or IM) when a specific port was being accessed. Thank you for your assistance!
10-22-2010 06:41 AM
You can still do it. You can have the ASA send emails when it sees the syslog from the ACL.
logging list my_critical_messages message 106100 <----- 106100 is the syslog ID an ACE with the log keyword generates
logging mail my_critical_messages
logging recipient-address email_address
logging from-address email_address
smtp-server ip_address
You can't send IM alerts. An alternative is to have a script parse your syslogs as they come (tail cmd) and alert you.
PK
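A sketch of the script PK mentions, added here as an example and not taken from the thread: it reads ASA syslog lines (for instance piped from tail -F) and raises an alert whenever a client from the VPN pool connects to or disconnects from the watched port. It goes a step beyond the ACL hit message by matching the ASA connection built/teardown messages (302013/302014), which also cover the disconnect side the original question asked for; the server IP, port, VPN pool and sample lines are assumed and constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Assumed values, not from the thread: the watched server/port and the VPN address pool.
SERVER_IP = "192.168.1.10"
SERVER_PORT = 3389
VPN_POOL = ipaddress.ip_network("10.10.0.0/24")

Event = namedtuple("Event", "kind client conn_id")

# 302013 (Built ... TCP connection) and 302014 (Teardown TCP connection) both carry the
# client address/port and a connection id, so connect and disconnect can be paired.
CONN_RE = re.compile(
    r"%ASA-\d-(?P<id>30201[34]): (?:Built \w+|Teardown) TCP connection (?P<conn>\d+) "
    r"for \S+?:(?P<src>[\d.]+)/(?P<sport>\d+).*? to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def classify(line):
    """Return an Event for a VPN-pool client connecting to or leaving the watched port, else None."""
    m = CONN_RE.search(line)
    if not m or m["dst"] != SERVER_IP or int(m["dport"]) != SERVER_PORT:
        return None
    if ipaddress.ip_address(m["src"]) not in VPN_POOL:
        return None  # non-VPN client: the noise the thread's source-restricted ACL avoids
    kind = "connect" if m["id"] == "302013" else "disconnect"
    return Event(kind, f"{m['src']}:{m['sport']}", m["conn"])

def tail_and_alert(lines, notify):
    """Scan an iterable of syslog lines (a file object or tail -F output) and call notify() per event."""
    events = []
    for line in lines:
        ev = classify(line)
        if ev:
            notify(ev)
            events.append(ev)
    return events

# Constructed sample lines in ASA syslog format; not captured from a real device.
SAMPLE = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:10.10.0.5/51234 (10.10.0.5/51234) to dmz:192.168.1.10/3389 (192.168.1.10/3389)
%ASA-6-302013: Built inbound TCP connection 4712 for outside:203.0.113.7/40000 (203.0.113.7/40000) to dmz:192.168.1.10/3389 (192.168.1.10/3389)
%ASA-6-302013: Built inbound TCP connection 4713 for outside:10.10.0.5/51235 (10.10.0.5/51235) to dmz:192.168.1.10/443 (192.168.1.10/443)
%ASA-6-302014: Teardown TCP connection 4711 for outside:10.10.0.5/51234 to dmz:192.168.1.10/3389 duration 0:05:12 bytes 8810 TCP FINs
"""

if __name__ == "__main__":
    # With a live log, pass the file object fed by tail -F (or sys.stdin) instead of the sample.
    tail_and_alert(SAMPLE.splitlines(),
                   lambda ev: print(f"ALERT {ev.kind}: {ev.client} (conn {ev.conn_id})"))
```

Replace the print in notify with whatever delivers the alert (mail, chat webhook), and the second and third sample lines show the non-VPN and wrong-port traffic being ignored.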
10-22-2010 06:51 AM
Excellent technique . . . I will apply that. Thanks, again!