VPN monitoring

ramonzammit82
Level 1

Hi all

I have Cisco equipment set to allow VPN access from the Internet. I wish to know when users log on to the internal network, etc.

Is there a way I can do this? Maybe via e-mail notification, etc.?

Thanks a lot

5 Replies

Akar Periwal
Level 1

Are you using a Cisco device for VPN termination? If you are, which Cisco device are you using?

The devices are these:

Cisco Router 2901

Cisco Switch 2960s

So are you terminating your VPN on the 2901?

Precisely - I want to know when users log on by means of an e-mail notification. Ideally even when they disconnect too.

You need to enable logging for this; then you can use EEM to send the login alert to your mailbox:

You can configure it like this:

1.) Enable logging

2.) You must identify the log message. E.g., if you connect to the VPN server via a VPN client, the log message is:

JAN 27 13:28:13.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up

If you also want the username in the mail, then you must identify the log message which contains the user ID.

3.) You must define the email variables:

Ciscozine(config)#event manager environment _email_to your-to-mail@domain.com
Ciscozine(config)#event manager environment _email_server your.mail.server
Ciscozine(config)#event manager environment _email_from your-from-mail@domain.com

After that, it is possible to define the ‘applet’, the ‘event’ and the ‘action’:

4.) Send email when you are connected to the router via IPSEC session

Ciscozine(config)#event manager applet CheckVPN
Ciscozine(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"
Ciscozine(config-applet)#action 1.0 cli command "enable"
Ciscozine(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto"
Ciscozine(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User connected" body "Connection:\n$_cli_result"
Ciscozine(config-applet)#action 2.5 syslog priority 5 msg "VPN UP - Mail Sent"

Remember: In EEM 3.0 for Cisco IOS Release 12.4(22)T, the server-address argument includes an optional username and password along with the fully qualified domain name of the e-mail server to be used to forward the e-mail. The e-mail server name can be in any one of the following template formats:

  • username:password@host
  • username@host
  • host

Remember: EEM has pre-defined variables:

  • $_event_type: The event type that triggered the event.
  • $_event_pub_time: The time at which the event type was published.
  • $_syslog_msg: The syslog message that caused the event to be published.

Hope this will help. Please rate the post if you find it helpful.
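An added example, not part of the original post or Cisco code: a Python sketch for a syslog collector that pairs the Virtual-Access "up" message quoted above with its "down" counterpart, so disconnects and session lengths are reported too. It goes beyond the applet in the post; the collector setup, the function names, the placeholder year and all sample lines except the first are assumptions.

```python
import re
from datetime import datetime
from email.message import EmailMessage

# Format taken from the message quoted in the post; "down" is the same message, opposite state.
LINE_RE = re.compile(
    r"(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface "
    r"(?P<intf>Virtual-Access\d+), changed state to (?P<state>up|down)\s*$")

# First line is the one from the post; the other two are constructed.
SAMPLE = [
    "JAN 27 13:28:13.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up",
    "JAN 27 14:03:43.902: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down",
    "JAN 27 14:05:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
]

def parse_line(line):
    """Return (timestamp, interface, state), or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # The log carries no year; 2000 is an assumed placeholder (leap year, so Feb 29 parses).
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["intf"], m["state"]

def track_sessions(lines):
    """Return (kind, interface, timestamp, duration) events, pairing each 'down' with its 'up'."""
    open_since, events = {}, []
    for line in lines:
        if (parsed := parse_line(line)) is None:
            continue
        ts, intf, state = parsed
        if state == "up":
            open_since[intf] = ts
            events.append(("connect", intf, ts, None))
        else:
            started = open_since.pop(intf, None)  # None if the 'up' was never seen
            events.append(("disconnect", intf, ts, ts - started if started else None))
    return events

def build_alert(event, sender, recipient):  # builds the mail, does not send it
    kind, intf, ts, duration = event
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"VPN {kind} on {intf} at {ts:%b %d %H:%M:%S}"
    length = f"Session length: {duration}\n" if duration is not None else ""
    msg.set_content(f"Interface: {intf}\nEvent: {kind}\n{length}")
    return msg
```

The events identify the Virtual-Access interface only; mapping it to a username still requires the log message that contains the user ID, as the post notes.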
