cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1283
Views
0
Helpful
7
Replies
kerry.kielty
Beginner

Who is VPNing into my network?

Hi,

I have a question from my boss. He would like to know if there is a way to find out the ip address of a person VPNing into our network. Let's say Joe Smith is VPNed in from home and his carrier is cox communications. How would I go about finding out what his ip address (the ip issued to him by cox) is? Is that even possible? If it is possible, is there a way to create a list of ip addresses of everyone that has ever VPNed into our network? We are using a Cisco ASA 5520 and Cisco VPN Client.

Thanks,
Kerry

7 REPLIES 7
manish arora
Frequent Contributor

try :-

sh vpn-sessiondb remote

or if you are using webvpn

sh vpn-sessiondb webvpn

helpful link :-

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s7_72.html#wp1135352

Manish

hobbe
Rising star

Yes it is possible

This is one of the reasons you have the syslog server for.

Enable syslog and setup a syslog server so that you can save it for the future and you will know who have logged on and from what ip and what they did and so on. the more you log the more information you have. you might not need it right now but who knows when you might need it.

You can also go in to the asdm monitor section or use the cli and check who is online right now.

Good luck

HTH

I do have syslog running, but it would be impossible to try and look thru all of the logs to find something that looked like an outside ip address. But thank you for your response.

If you already have syslog up and running.

are you comfortable with grep ?

if your syslog is on a windows machine there is a free GNU grep.

The grep command makes you able to filter through the whole syslog file/s for specific parameters such as "login" or VPN or whatever is in the string.

and then put all of that out to another file (if you want to) so if you do a search for "username" then you will find all the rows in the syslog that tells you username, that way you will also find out when, who and so on.

if the syslog is a *nix then most likely you have it already installed.

So now you have syslog and the grep command you can find anything you want in the syslog files.

Good luck

HTH

If you are running version 8.2 you could make use of the Smart Call Home feature to regularly email yourself VPN stats. See below:

https://supportforums.cisco.com/docs/DOC-14958

On another post I came across a reference to VPNTTG, http://www.vpnttg.com/ that allows you to graph VPN useage per IP address. You need Linux skills however to install it.

Please remember to rate all posts that are helpful.

Hello,

In addition to the above posts, if your existing syslog supports 'email' feature, you can create a alert/filer rule that matches user successful login (messages / message id) and have syslog email that entire message to you. This is basic configuration on Syslog and you need to enable proper 'logging' option on ASA (you may already done this).

hth

MS

Jonathan Tomlin
Beginner

I concur with using syslog data!

We had the same problem this month, so I wrote a little program that hangs onto a "tail -f" of a syslog file from the ASA!  It parses each incoming syslog line for specific log entries that relate to VPN connections and disconnections.  Then it simply pulls the info outta the log entry and slaps it into a DB.  I then built an HTML page for organizing and displaying the data as useful information.

I did this in a couple of days, albeit just for fun.  Check with your developers to see if they can help you out!  It's nice having custom accounting in a database that I can now manipulate to my needs (or that of managers).  I set up an /etc/init.d file, regestered it in chkconfig, and customized my logrotate so I don't have to worry about it.

It's not top notch but turns out, it's really fun just to watch.  Maybe someone has something better (and FREE), I'd like to know!

Check it out:

To find remote vpn disconnects:

cat [logfile] | grep "%ASA-4-113019"

Entries will show as such:

Apr  7 13:35:49 asa-1 Apr 07 2011 13:35:49: %ASA-4-113019: Group = XXXXX, Username = XXXXXX, IP = [outside_ip], Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:08m:03s, Bytes xmt: 1764,

Create
Recognize Your Peers
Content for Community-Ad