As a Cisco ASA (55xx-X, 8.2 - 9.4) administrator I'm very interested in identifying
a unique AnyConnect session which sometimes opens a connection
to some malware server.
The problem in this case for me is that I can't configure a useful
packet capture.
Situation:
Users connect with AnyConnect to the public IP address of a Cisco ASA
from the public internet, and connect back into the internet with
the same ASA public IP:
nat (outside,outside) source dynamic ANYCONNECT_POOL interface
So now I don't know how to figure out (log) which AnyConnect session
opens a TCP connection to a specific public IP (let's say 17.142.160.59:80).
With capture I would only see the public NAT IP (outside interface).
If I do some explicit logging for AnyConnect sessions (logging message 722051)
I should be able to see when which user connects, but I need to get a log
entry like 'AnyConnect session X.X.X.X opened a connection to [MALWARE Server IP]'.
Thank you
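One way to get the correlation the post asks for without a packet capture, as an added example that is not part of the original post: the ASA's connection build-up messages (302013 for TCP, 302015 for UDP) already carry the real (pre-NAT) address of each endpoint next to the mapped address, and the 722051 message ties an assigned pool address to a username and the client's public IP. The script below joins the two over a syslog export. The log lines embedded in it are constructed samples in the documented message formats, and the group name, usernames and addresses are made up; the destination 17.142.160.59:80 is the one from the post.

```python
import re

# Constructed sample syslog lines in the ASA 722051 / 302013 formats (not from the post).
# Pool 192.168.100.0/24 is the hypothetical ANYCONNECT_POOL, 203.0.113.1 the outside interface.
SAMPLE_LOG = """\
%ASA-6-722051: Group <GP-ANYCONNECT> User <alice> IP <198.51.100.23> IPv4 Address <192.168.100.5> IPv6 address <::> assigned to session
%ASA-6-722051: Group <GP-ANYCONNECT> User <bob> IP <198.51.100.77> IPv4 Address <192.168.100.6> IPv6 address <::> assigned to session
%ASA-6-302013: Built outbound TCP connection 1001 for outside:17.142.160.59/80 (17.142.160.59/80) to outside:192.168.100.5/51234 (203.0.113.1/4096)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:93.184.216.34/443 (93.184.216.34/443) to outside:192.168.100.6/51235 (203.0.113.1/4097)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:17.142.160.59/80 (17.142.160.59/80) to outside:192.168.100.6/51236 (203.0.113.1/4098)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# 722051: Group <gp> User <user> IP <client-public-ip> IPv4 Address <assigned-pool-ip> ...
# The angle brackets are optional in the pattern so older/plain renderings also match.
SESSION_RE = re.compile(
    r"722051: Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"IP <?(?P<public>[^>\s]+)>? IPv4 Address <?(?P<assigned>[^>\s]+)>?"
)
# One endpoint of a 3020xx build message: iface:real-ip/port (mapped-ip/port)
ENDPOINT_RE = re.compile(r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
CONN_ID_RE = re.compile(r"connection (\d+) for")
BUILD_IDS = ("302013", "302015")  # Built TCP / Built UDP connection


def parse_sessions(lines):
    """Map assigned AnyConnect pool IP -> (username, client public IP) from 722051 messages."""
    sessions = {}
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            sessions[m["assigned"]] = (m["user"], m["public"])
    return sessions


def find_connections(lines, sessions, target_ip, target_port=None):
    """Return connections whose real (pre-NAT) source is a known session and whose
    real destination is target_ip[:target_port]. Direction is not assumed: both
    orderings of the two endpoints are tried, so inbound/outbound wording does not matter."""
    hits = []
    for line in lines:
        if not any(mid in line for mid in BUILD_IDS):
            continue
        endpoints = ENDPOINT_RE.findall(line)
        if len(endpoints) != 2:
            continue
        conn = CONN_ID_RE.search(line)
        proto = "UDP" if "302015" in line else "TCP"
        for src, dst in ((endpoints[0], endpoints[1]), (endpoints[1], endpoints[0])):
            real_src, real_dst, dst_port = src[1], dst[1], int(dst[2])
            if real_src not in sessions or real_dst != target_ip:
                continue
            if target_port is not None and dst_port != target_port:
                continue
            user, public_ip = sessions[real_src]
            hits.append({
                "conn_id": conn.group(1) if conn else None,
                "user": user,
                "pool_ip": real_src,
                "client_public_ip": public_ip,
                "proto": proto,
                "dst": f"{real_dst}:{dst_port}",
                "mapped_src": f"{src[3]}:{src[4]}",  # what a capture on outside would show
            })
    return hits


def format_hit(hit):
    """Render one hit as the kind of log line the post asks for."""
    return (f"AnyConnect session {hit['user']} ({hit['pool_ip']}, client {hit['client_public_ip']}) "
            f"opened {hit['proto']} connection {hit['conn_id']} to {hit['dst']} "
            f"(seen on outside as {hit['mapped_src']})")


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LINES)
    for hit in find_connections(SAMPLE_LINES, sessions, "17.142.160.59", 80):
        print(format_hit(hit))
```

Both message IDs must actually reach the syslog server for this to work: 302013/302015 are informational-level messages and are often filtered out on busy boxes, so the correlation only covers the period for which they were kept. The 722051 message is emitted once per session, so a session that started before the log window begins will have no owner in the map; the script simply does not report those connections rather than guessing.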