vpn concentrator accounting

Posted on 2006-03-24
Last Modified: 2008-01-09
I have a Cisco 7200 VPN concentrator running version 12.4(7).

I will post the configs at the bottom of the file.

I am able to get authentication and authorization to the AAA server. In fact, I get accounting from the Telnet sessions as people log into the device.
I am missing the accounting logs when people VPN into one of the profiles that rides on a different VRF.

Here are the configs of the box.

##########################
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname c7206-3
!
boot-start-marker
boot system flash disk2:c7200-ik9s-mz.124-7.bin
boot system flash disk2:c7200-ik9s-mz.124-1c.bin
boot-end-marker
!
!
redundancy inter-device
 scheme standby client-vpn
!
!
redundancy
logging buffered 65535 debugging
no logging console
enable <key>
!
aaa new-model
!
!
!
aaa group server tacacs+ vpn-dmz
 server ACS1
 server ACS2
 ip vrf forwarding vpn-dmz
 ip tacacs source-interface Ethernet0/0
!
aaa authentication login default local
aaa authentication login vpn-dmz group vpn-dmz
aaa authentication login friend group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization network default local
aaa authorization network vpn-dmz group vpn-dmz
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network vpn-dmz start-stop group vpn-dmz
aaa accounting connection default start-stop group tacacs+
aaa accounting connection vpn-dmz start-stop group vpn-dmz
!
aaa session-id common
!
resource policy
!
!
no ip source-route
!
!
ip cef
ip tcp synwait-time 5
no ip domain lookup
ip domain name biz.net
!
!
<text removed>

ip vrf vpn-dmz
 rd 192.168.3.5:<some#>
 route-target export 192.168.3.25:<some#>
 route-target import 192.168.3.25:<some#>
!
<text removed>
!
ip ssh rsa keypair-name <name>
ip ssh version 2
!
!
!
<crypto pki certificate info >

username name privilege key
!
!
controller ISA 1/1
!
controller ISA 2/1
!
crypto logging session
!
crypto isakmp identity dn
crypto isakmp keepalive 10
!
crypto isakmp client configuration group vpn-dmz
 key <key>
 dns 14.5.10.8 141.116.2.169
 pool vpn-dmz
!

crypto isakmp profile vpn-dmz
   vrf vpn-dmz
   match identity group vpn-dmz
   client authentication list vpn-dmz
   isakmp authorization list default
   client configuration address respond
!
!
crypto ipsec transform-set vpn-dmz
!
!
crypto dynamic-map vpn-dmz 10
 set security-association lifetime seconds 28800
 set transform-set vpn-dmz
 set isakmp-profile vpn-dmz
 reverse-route remote-peer
!
!
!
crypto map client-vpn 10 ipsec-isakmp dynamic vpn-dmz
!
!
!
!
interface Loopback0
 description management loopback
 ip address 192.168.2.2 255.255.255.255
!
!
interface Ethernet0/0
 ip vrf forwarding vpn-dmz
 ip address 192.168.2.3 <MASK>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
!
 !
 address-family ipv4 vrf vpn-dmz
 redistribute static
 neighbor groupName peer-group
 neighbor groupName send-community
 neighbor groupName soft-reconfiguration inbound
 neighbor groupName distribute-list default-only in
 neighbor groupName route-map groupName out
 neighbor <IP> remote-as 65100
 neighbor <IP> peer-group groupName
 neighbor <IP> activate
 neighbor <IP> remote-as 65100
 neighbor <IP> peer-group groupName
 neighbor <IP> activate
 no synchronization
 exit-address-family
 !
 !
ip local pool vpn-dmz 192.168.1.1 192.168.1.127

ip route 0.0.0.0 0.0.0.0 192.168.1.9
!
no ip http server
no ip http secure-server
ip tacacs source-interface Loopback0
!
!
ip prefix-list groupName description "Address pool for vpn-dmz"
ip prefix-list groupName seq 5 permit 192.168.1.0/25 le 32
ip prefix-list groupName seq 100 deny 0.0.0.0/0 le 32

logging trap notifications
logging source-interface Loopback0
logging <log server>
!
tacacs-server host ACS1
tacacs-server host ACS2
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key <key>
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
end
#####################################
Question by: rpereda

Author Comment

by:rpereda
ID: 16334784
The solution to this problem is to add accounting to the crypto isakmp profile. This was accompanied by pointing this profile to the VRF.

Author Comment

by:rpereda
ID: 16364877
*********
Please CLOSE
*********

crypto isakmp profile vpn-dmz
   vrf vpn-dmz
   match identity group vpn-dmz
   client authentication list vpn-dmz
   isakmp authorization list default
   client configuration address respond
   accounting vpn-dmz
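A config audit check for the root cause in this thread (a VRF-aware ISAKMP profile with no accounting statement), written here as an added example and not the poster's own code. It parses the relevant IOS stanzas from a constructed excerpt and flags profiles whose client VPN sessions would leave no usable accounting records on the AAA server.

```python
import re
# Constructed IOS excerpt (not the poster's full config): vpn-dmz carries the fix, partner does not.
SAMPLE_CONFIG = """\
aaa group server tacacs+ vpn-dmz
 server ACS1
 ip vrf forwarding vpn-dmz
!
aaa accounting network vpn-dmz start-stop group vpn-dmz
!
crypto isakmp profile vpn-dmz
   vrf vpn-dmz
   accounting vpn-dmz
!
crypto isakmp profile partner
   vrf partner
   match identity group partner
!
"""

def parse_blocks(config, header_re):
    """Map block name -> its indented sub-lines for every line matching header_re."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def audit_isakmp_accounting(config):
    """Flag ISAKMP profiles whose client VPN sessions would leave no usable AAA accounting."""
    groups = parse_blocks(config, r"^aaa group server (?:tacacs\+|radius) (\S+)")
    group_vrf = {g: next((l.split()[-1] for l in ls if l.startswith("ip vrf forwarding ")), None)
                 for g, ls in groups.items()}
    acct_lists = dict(re.findall(r"^aaa accounting network (\S+) \S+ group (\S+)", config, re.M))
    findings = []
    for name, lines in parse_blocks(config, r"^crypto isakmp profile (\S+)").items():
        vrf = next((l.split()[1] for l in lines if l.startswith("vrf ")), None)
        acct = next((l.split()[1] for l in lines if l.startswith("accounting ")), None)
        if acct is None:
            findings.append(f"{name}: no 'accounting' statement; sessions in vrf {vrf or 'global'} produce no records")
        elif acct not in acct_lists:
            findings.append(f"{name}: accounting list '{acct}' has no 'aaa accounting network' definition")
        elif vrf and group_vrf.get(acct_lists[acct]) != vrf:
            findings.append(f"{name}: server group '{acct_lists[acct]}' is not bound to vrf {vrf}")
    return findings
```

Run it against `show running-config` output to catch the same gap before users report missing session records.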

Accepted Solution

by:
EE_AutoDeleter earned 0 total points
ID: 16460033
rpereda,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter