VPN Audit

dilip
Level 1

I have set up a VPN tunnel, using IPSEC, between 2 sites using the Internet as the backbone. I am using a Cisco 7200 and Cisco 3640 to form the VPN tunnel.

Questions:

1. Is it possible to restrict the number of users using this VPN tunnel to access the resources in the main site? I am currently employing NAT to do this. But is there a better solution?

2. Can I audit the users using the VPN tunnel?

Thanks in advance!

5 Replies

a-vazquez
Level 6

1. It's possible to use your AAA server to "authorize" only specific users access to the other site.

2. What type of auditing are you looking to do? You can have your AAA server do some accounting as well.

Could you give me a sample of how to configure authorization and accounting?

Thanks.

ptroyer
Level 1

Here are the entries for AAA that I have in my 2600 that is used as a RAS server. The last line is the one that gives me accounting entries for Start Stop and bytes transferred, etc. These entries will not work for a PIX. Does anyone have the entries necessary to do accounting through AAA on a PIX VPN solution?

aaa new-model
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+
aaa authorization network default tacacs+
aaa accounting network default start-stop tacacs+

The syntax is very different on the PIX. Use the 'aaa accounting include' command with the 'acctg_service' option. With 'acctg_service' you can specify the protocol/port for accounting. The default of any only runs accounting output on all TCP services. To get accounting for esp or udp and other protocols you must specify them verbatim.
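As an added example (not posted by anyone in this thread), here is a small Python script that turns the start/stop accounting records a "start-stop" AAA configuration like the one above produces into a per-user audit, pairing each stop with its start by task_id and flagging users whose session is still open. The record layout is assumed to follow the tac_plus accounting file (timestamp, NAS address, user, port, remote address, start|stop, AV pairs), and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the tac_plus accounting-file layout (assumed format):
# timestamp, NAS address, user, port, remote address, start|stop, AV pairs.
SAMPLE_RECORDS = """\
Mon Mar  4 09:00:00 2002 192.0.2.1 alice tty1 198.51.100.7 start task_id=17 service=ppp protocol=ip
Mon Mar  4 09:01:00 2002 192.0.2.1 bob tty2 198.51.100.8 start task_id=18 service=ppp protocol=ip
Mon Mar  4 09:45:00 2002 192.0.2.1 alice tty1 198.51.100.7 stop task_id=17 service=ppp protocol=ip elapsed_time=2700 bytes_in=104857 bytes_out=52428
Mon Mar  4 10:00:00 2002 192.0.2.1 carol tty3 198.51.100.9 start task_id=19 service=ppp protocol=ip
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<nas>\S+) (?P<user>\S+) "
    r"(?P<port>\S+) (?P<rem>\S+) (?P<kind>start|stop)\s*(?P<avs>.*)$")

def parse_record(line):
    """Split one accounting line into fields; the AV pairs become a dict."""
    m = RECORD_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not guessed at
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    rec["avs"] = dict(av.split("=", 1) for av in rec["avs"].split() if "=" in av)
    return rec

def summarize_sessions(text):
    """Pair start/stop records by (NAS, task_id) and total usage per user.
    Returns {user: {"sessions", "open", "bytes", "seconds"}}; a start with no
    matching stop is counted as open, i.e. the user is still on the tunnel."""
    open_sessions, summary = {}, defaultdict(
        lambda: {"sessions": 0, "open": 0, "bytes": 0, "seconds": 0})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["nas"], rec["avs"].get("task_id"))
        user = summary[rec["user"]]
        if rec["kind"] == "start":
            open_sessions[key] = rec
            user["sessions"] += 1
        else:
            start = open_sessions.pop(key, None)
            user["bytes"] += int(rec["avs"].get("bytes_in", 0)) + int(rec["avs"].get("bytes_out", 0))
            if start is not None:
                user["seconds"] += int((rec["ts"] - start["ts"]).total_seconds())
    for rec in open_sessions.values():
        summary[rec["user"]]["open"] += 1
    return dict(summary)
```

Run against the real accounting file instead of SAMPLE_RECORDS to answer question 2; a user with a high "open" count or an unexpected byte total is the one to look at first.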

lisa.hall
Level 2

One option you have is to restrict users via your access-list if you don't want them using tunneling. If your concern is too many users using tunneling at one time I'd look into doing some traffic shaping and queuing with QoS. I know IOS has that capability. I haven't had to do any of that on my network but maybe someone else here has.
