06-13-2014 03:46 PM
Hi,
I have a Cisco PIX 525 with IOS 8 on it.
It is configured for remote access. I want to get email notifications when someone successfully logs into the VPN. I have looked, and there doesn't really seem to be a decipherable way to do this.
Any help would be appreciated: a breakdown of what is required, or even what commands need to be run to accomplish this.
As a side note, the SMTP port of the remote server is 587, as Comcast, one of the worst companies that exists, is blocking 25 and 26.
Jeff
06-13-2014 04:44 PM
Your PIX with ASA software 8.0 supports sending syslog messages to an e-mail destination.
You would choose the syslog message number(s) that is (or are) generated by user authentication (I think it's 113004 if you're using an AAA server and 113012 for locally authenticated users; reference) and define it (them) in a message list.
Then set up your syslog to send events matching that message list to your desired e-mail destination.
Here's a link to the relevant section of the configuration guide.
06-13-2014 10:04 PM
Hi,
I looked into this a little bit. I have done the following:
logging enable
logging timestamp
logging host inside 10.1.1.1
logging list THCLogList level debugging class vpn
logging trap THCLogList
logging mail THCLogList
logging recipient-address xxx@yyyy.com
logging from-address xxx@yyyy.com
smtp-server xxx.xxx.xxx.xxx
My questions would be:
1. Can the PIX serve as the syslog server? It's just a Unix box, right? My thought is yes, and the IP that is there is that of the inside port of the PIX.
2. Nowhere in the documentation do I see where you can set a custom SMTP port. What am I missing?
3. I don't see anywhere in the documentation where to specify the password to authenticate with, or any of the other settings, like SSL etc.
4. The SMTP server is at an external location, so it's not on the same network. It's hosted in a data center in Texas.
Thanks,
Jeff
06-14-2014 07:53 AM
When we log to the firewall itself, that's a logging buffer (limited size) and not a logging host.
E-mailing log events is a very basic function and not used very often in my experience. It does not support authentication or changing the default port. As long as it is an address reachable via the default SMTP port, it can be used.
Even the more full-featured Smart Call Home (SCH) support varies by platform. As of right now, only data center products (Nexus and MDS) have the built-in ability to modify the default SMTP port to something other than 25. E-mail SCH is unauthenticated only.
I missed what you were saying in your original post about the e-mail server TCP port. In that case, you'll likely have to proxy via an external host. You could probably hack together a simple mail relay (or syslog-to-mail handler) working on a Raspberry Pi or similar tiny Linux device.
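The "syslog-to-mail handler" suggested above, as an added example that is not part of the original thread: a small UDP syslog listener for a Raspberry Pi (or any Linux host) that accepts messages from the firewall, keeps only the VPN message IDs named in this thread (113012, 750006, 113019), and forwards them through an authenticated STARTTLS session to an SMTP server on port 587, which the PIX's own `logging mail` cannot do. The firewall would point at it with `logging host inside <relay-ip>`. The relay and firewall addresses, the SMTP settings and the sample log lines are all assumptions made for the example; the relay also drops datagrams from any source other than the firewall, because UDP syslog is trivially spoofable and anything that reaches this socket turns into an e-mail.

```python
"""Syslog-to-mail relay for PIX/ASA VPN events (added example, not from the thread).

Assumptions (change to match your network):
  - the firewall's inside interface is 10.1.1.1 and sends syslog to this host
  - this host listens on UDP/514 (run as root or give the binary CAP_NET_BIND_SERVICE)
  - SMTP_CFG points at a submission server on 587 that requires STARTTLS + auth
"""
import re
import smtplib
import socketserver
import ssl
from email.message import EmailMessage

# Message IDs discussed in the thread: local-auth success, IKEv2 SA up, session disconnect.
WATCHED_IDS = {"113012", "750006", "113019"}

# Only datagrams from the firewall itself are turned into mail (assumed address).
ALLOWED_SOURCES = {"10.1.1.1"}

# Assumed submission-server settings; keep the password out of the script in real use.
SMTP_CFG = {
    "host": "smtp.example.net",
    "port": 587,
    "user": "alerts@example.net",
    "password": "change-me",
    "from": "alerts@example.net",
    "to": "jeff@example.net",
}

# PIX/ASA syslog line: optional "<PRI>", optional timestamp, then "%ASA-<sev>-<id>: text".
ASA_RE = re.compile(r"^(?:<\d{1,3}>)?[^%]*%(?:ASA|PIX|FWSM)-(\d)-(\d{6}): (.*)$")


def parse_asa(line: str):
    """Return (severity, message_id, text) for an ASA/PIX syslog line, else None."""
    m = ASA_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def should_mail(line: str) -> bool:
    """True when the line is a watched VPN event."""
    parsed = parse_asa(line)
    return parsed is not None and parsed[1] in WATCHED_IDS


def send_alert(cfg: dict, subject: str, body: str) -> None:
    """Submit one message over STARTTLS with authentication (the part the PIX lacks)."""
    msg = EmailMessage()
    msg["From"] = cfg["from"]
    msg["To"] = cfg["to"]
    msg["Subject"] = subject
    msg.set_content(body)
    ctx = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(cfg["host"], cfg["port"], timeout=15) as s:
        s.starttls(context=ctx)
        s.login(cfg["user"], cfg["password"])
        s.send_message(msg)


def handle_datagram(data: bytes, source_ip: str, sender=None):
    """Process one syslog datagram. Returns the mail subject if an alert was sent, else None.

    `sender` lets a test substitute a fake for send_alert.
    """
    if source_ip not in ALLOWED_SOURCES:
        return None  # spoofed or unexpected source: ignore silently
    line = data.decode("utf-8", errors="replace")
    parsed = parse_asa(line)
    if parsed is None or parsed[1] not in WATCHED_IDS:
        return None
    sev, mid, _text = parsed
    subject = f"[PIX] VPN event {mid} (sev {sev})"
    (sender or send_alert)(SMTP_CFG, subject, f"From {source_ip}:\n{line.strip()}\n")
    return subject


class SyslogHandler(socketserver.BaseRequestHandler):
    """UDP handler: self.request is (datagram bytes, socket)."""

    def handle(self):
        handle_datagram(self.request[0], self.client_address[0])


if __name__ == "__main__":
    with socketserver.UDPServer(("0.0.0.0", 514), SyslogHandler) as server:
        server.serve_forever()
```

Sample input this handles (constructed, in the ASA format): `<166>Jun 16 2014 13:24:01: %ASA-6-113012: AAA user authentication Successful : local database : user = jeff`. Note the original config in this thread logs at `debugging`; the relay is indifferent to the level, but sending everything at level 7 over UDP to a Pi will drop datagrams under load, so a `logging list ... message <id>` on the firewall plus `logging trap <list>` keeps the traffic to the few events you care about.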
06-16-2014 12:25 PM
06-16-2014 01:24 PM
You're welcome.
I do believe 113019 is the disconnect message. That's what I see on one of my ASAs. I am not seeing the 113012 for login but do see a 750006 message. (SA up) You should watch yours and validate the message IDs. (You may need to crank up the logging level to 6 temporarily to make sure you capture the relevant ones.)
So, using the IDs I see, you would use the following syntax in your config:
logging list VPN-Event-List message 113012
logging list VPN-Event-List message 750006
smtp-server <your server address>
logging from-address <from field you want the ASA to show as>
logging recipient-address <destination email> level informational
logging mail VPN-Event-List
Please rate helpful replies and mark when answered. Thanks.