05-23-2017 09:50 PM
Hi Fellows,
We recently had a security issue in our network. We do remote support using VPN to USA clients. Someone downloaded a movie, which is not allowed, and the client detected this. We found the user who downloaded it, but the credentials of that user are known by multiple people. So we want to figure out if we can find the local LAN IP address from which they downloaded.
Thanks,
Ravi.
05-24-2017 01:49 AM
It depends - have you been gathering syslogs and/or netflow data and saving it on an external server?
If so, you should be able to get the data from there. If not, it is most likely not available from the VPN server (ASA or IOS router) itself anymore.
05-25-2017 10:56 PM
Hi Marvin,
Thank you for the response. Please guide us on which logs are to be monitored here.
Thanks,
Ravitheja.
05-25-2017 11:24 PM
If it is a remote access VPN then you can see the client IP address in syslog message ID 722033 (a level 5 or "notification" message) as follows:
May 26 2017 00:54:32 xxx-asa-5512 : %ASA-5-722033: Group <xxxCLIENTPOLICY> User <marvin.rhoads> IP <175.142.244.252> First TCP SVC connection established for SVC session.
You would need to have at least the following to get messages of that level:
logging trap notifications
logging host <interface> <syslog server address>
If it is a site-site VPN then you would only see the local IP address in a TCP connection record (or UDP flow). Those are a different message which is a level 6 (informational). It probably would not be practical to retrieve it that way as those are very very verbose records that easily run to 100s of thousands or millions per day.
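Added example, not part of the original posts: one way to pull the 722033 records described above out of a saved syslog file and list, per account, the client IPs and session start times, which is what you need when one set of credentials is shared. The log lines are constructed samples in the format quoted in the thread (documentation-range addresses), and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the 722033 format quoted above; not real logs.
SAMPLE_LOG = """\
May 26 2017 00:54:32 xxx-asa-5512 : %ASA-5-722033: Group <xxxCLIENTPOLICY> User <shared.user> IP <203.0.113.10> First TCP SVC connection established for SVC session.
May 26 2017 01:10:05 xxx-asa-5512 : %ASA-6-302013: (constructed unrelated line, ignored)
May 26 2017 09:15:47 xxx-asa-5512 : %ASA-5-722033: Group <xxxCLIENTPOLICY> User <shared.user> IP <198.51.100.77> First TCP SVC connection established for SVC session.
May 26 2017 09:20:11 xxx-asa-5512 : %ASA-5-722033: Group <xxxCLIENTPOLICY> User <other.user> IP <203.0.113.10> First TCP SVC connection established for SVC session.
May 26 2017 09:30:00 xxx-asa-5512 : %ASA-5-722033: Group <xxxCLIENTPOLICY> User <shared.user> IP <not-an-ip> First TCP SVC connection established for SVC session.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-5-722033: "
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>"
)

def parse_sessions(text):
    """Return sorted (timestamp, user, group, ip) tuples for valid 722033 lines."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other message IDs or malformed lines
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        except ValueError:
            continue  # skip records with an unparsable address or timestamp
        sessions.append((ts, m["user"], m["group"], str(ip)))
    return sorted(sessions)

def logins_in_window(sessions, user, start, end):
    """Sessions for one account whose start time falls inside [start, end]."""
    return [s for s in sessions if s[1] == user and start <= s[0] <= end]

def accounts_with_multiple_sources(sessions):
    """Map each account seen from more than one client IP to those IPs."""
    seen = defaultdict(set)
    for _, user, _, ip in sessions:
        seen[user].add(ip)
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    for ts, user, group, ip in parse_sessions(SAMPLE_LOG):
        print(ts.isoformat(), user, group, ip)
```

Timestamps are parsed as written by the ASA, so compare them against the download time in the same time zone as the device clock.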