I have a cisco pix 525 with IOS 8 on it.
It is configured for remote access. I want to get email notifications when someone successfully logs into the VPN. I have looked and it doesn't really seem to be a decipherable way to do this.
Any help would be appreciated, a break down of what is required or even what commands need to be run to accomplish this.
As a side note, the port of the remote server for smtp is 587 as Comcast, one of the worst companies that exists, is blocking 25 and 26.
Your Pix with ASA software 8.0 supports sending syslog messages to an e-mail destination.
You would choose the syslog message number(s) that is (or are) generated by user authentication ( I think it's 113004 if you're using a AAA server and 113012 for locally authenticated users - reference) and define it (them) in a message list.
Then setup your syslog to send events matching that message list to your desired e-mail destination.
Here's a link to the relevant section of the configuration guide.
i looked into this a little bit. i have done the following:
logging host inside 10.1.1.1
logging list THCLogList level debugging class vpn
logging trap THCLogList
logging mail debugging THCLogList
logging recipient-address firstname.lastname@example.org
logging from-address email@example.com
my questions would be:
1. can the pix serve as the sys log server? its just a unix box right? my thought is yes and the ip that is there is of the inside port of the pix.
2. no where in the documentation do i see where you can set a custom smtp port. what am i missing?
3. i don't see any where the documentation to specify the password to authenticate with, or any of the other settings, like SSL etc.
4. the smtp server is at an external location, so its not on the same network. its hosted in a data center in texas
When we log to the firewall itself, that's a logging buffer (limited size) and not a logging host.
E-mailing log events is a very basic function and not used very often in my experience. It does not support authentication or changing the default port. As long it is an address reachable via the default smtp port, it can be used.
Even the more full featured Smart call home (SCH) support varies by platform. As of right now, only data center products (Nexus and MDS) have built-in the ability to modify the default smtp port to something other than 25. E-mail SCH is unauthenticated only.
I missed what you were saying in your original post about the e-mail server tcp port. In that case, you'll likely have to proxy via an external host. You could probably hack together a simple mail relay (or syslog to mail handler) working on a Raspberry Pi or similar tiny Linux device.
I do believe 113019 is the disconnect message. That's what I see on one of my ASAs. I am not seeing the 113012 for login but do see a 750006 message. (SA up) You should watch yours and validate the message IDs. (You may need to crank up the logging level to 6 temporarily to make sure you capture the relevant ones.)
So using the IDs I see you would use the following syntax in your config:
logging list VPN-Event-List_1 message 113012
logging list VPN-Event-List_2 message 750006
logging list VPN-Event-List level Informational
smtp-server <your server address>
logging from-address <from field you want the ASA to show as>
logging recipient-address <destination email> level Informational
logging mail VPN-Event-List_1
logging mail VPN-Event-List_2
Please rate helpful replies and mark when answered. Thanks.