Solved

CISCO ASA SNMP

Posted on 2009-04-06
3,393 Views
Last Modified: 2012-05-06
Hi,

I have a Cisco ASA 5520 with 8.0(4)23 IOS and I am trying to pull all the users, groups, session details from ASA.

I have upgraded from 8.0(3) as there were known issues.

I am still not able to get the username associated with the connection.
0
Question by:chandru_sol
13 Comments
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24078913
Are you trying to see logged in admin users, or VPN users, or established TCP sessions, or something else?
0
 
LVL 12

Author Comment

by:chandru_sol
ID: 24079515
VPN Users logged in using CISCO VPN clients

regards
Chandru
0
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 24086123
Hi,

You can easily accomplish this using a VPN Analyzer. Below are good examples;

Adventnet Firewall Analyzer      www.adventnet.com
FirePlotter      www.fireplotter.com
AlgoSec Firewall Analyzer      www.algosec.com
WallWatcher      www.wallwatcher.com
Firewall Analyzer      www.kdware.com
SawMill                www.sawmill.net
0
 
LVL 1

Expert Comment

by:rootcoolk
ID: 24087893
Enabling SNMP

The SNMP agent that runs on the security appliance performs two functions:

• Replies to SNMP requests from NMSs.

• Sends traps (event notifications) to NMSs.

To enable the SNMP agent and identify an NMS that can connect to the security appliance, perform the following steps.

Step 1 Ensure that the SNMP server on the security appliance is enabled:
hostname(config)# snmp-server enable

Step 2 Identify the IP address of the NMS that can connect to the security appliance:

hostname(config)# snmp-server host interface_name ip_address [trap | poll] [community
text] [version 1 | 2c] [udp-port port]


Specify trap or poll if you want to limit the NMS to receiving traps only or browsing (polling) only.

Step 3 Specify the community string:

hostname(config)# snmp-server community key

Step 4 (Optional) Set the SNMP server location or contact information:

hostname(config)# snmp-server {contact | location} text

Step 5 Enable the security appliance to send traps to the NMS:

hostname(config)# snmp-server enable traps [all | syslog | snmp [trap] [...] |
entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]

The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). You can disable these traps using the no form of this command with the snmp keyword. However, the clear configure snmp-server command restores the default enabling of SNMP traps.

If you enter this command and do not specify a trap type, then the default is syslog. (The default snmp traps continue to be enabled along with the syslog trap.)

Traps for snmp include:

• authentication

• linkup

• linkdown

• coldstart

Traps for entity include:

• config-change

• fru-insert

• fru-remove

Traps for ipsec include:

• start

• stop

Traps for remote-access include:

• session-threshold-exceeded

Step 6 Enable system messages to be sent as traps to the NMS:

hostname(config)# logging history level

You must also enable syslog traps using the preceding snmp-server enable traps command.

Step 7 Enable logging, so system messages are generated and can then be sent to an NMS:

hostname(config)# logging enable

Example:
hostname(config)# snmp-server host 192.168.3.2
hostname(config)# snmp-server location building 42
hostname(config)# snmp-server contact rootcoolk
hostname(config)# snmp-server community cisco
0
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24087960
Hey thanks "uetian1707", I appreciate you jumping into my question!


From the CLI (without downloading and installing any software or relying on a GUI), you could just login to the ASA, go to enable mode, then type something like:
 sh ipsec sa det | grep current_peer

and get an output like:
      current_peer: 1.2.3.4, username: username1
      current_peer: 5.6.7.8, username: username2
      current_peer: 9.10.11.12, username: username3

(IPs/usernames are fakes of course, but the output is right from one of my ASAs.)
(The full command is "show ipsec sa detail | grep current_peer". Check it out without the grep to see all the info in there; it's a lot!)
0
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24087970
MAN there are a LOT of question stealers out today! Thanks Guys, way to go! With lots of extraneous information and overcomplicated pseudo solutions too, SWEET!
0
 
LVL 12

Author Comment

by:chandru_sol
ID: 24093819
Thanks!

Can I get the information using OID, as I am trying to get this information from our NMS?
0
 
LVL 8

Accepted Solution

by:
Nothing_Changed earned 500 total points
ID: 24101137
The current IPSEC VPN peers are all leaves on .1.3.6.1.4.1.9.9.171.1.2.3.1.7. That's in the CISCO-IPSEC-FLOW-MONITOR-MIB; you can get that here --> http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=CISCO-IPSEC-FLOW-MONITOR-MIB
I have not seen the usernames in there anywhere though.

Each polling or trap host must be individually configured in the ASA, something like this:
snmp-server host INSIDE 10.10.10.5 poll community TestTestTest version 2c  (this host can poll only, not get traps)

Depending on your NMA, you could have it use a Perl script to SSH to the ASA, run the command above, and then parse the data. Non-trivial but doable. I believe CiscoWorks has that feature, but I'm not certain.

Another alternative is to parse syslog at your NMS to get what you want. As long as you are logging at 4 or higher, you'll see stuff like this:
Apr 06 2009 14:28:20: %ASA-3-713119: Group = TestTestTest, Username = wrsmith, IP = 1.2.3.4, PHASE 1 COMPLETED
Apr 06 2009 18:45:10: %ASA-4-113019: Group = TestTestTest, Username = wrsmith, IP = 1.2.3.4, Session disconnected. Session Type: IPsecOverNatT, Duration: 5h:47m:50s, Bytes xmt: 2104395, Bytes rcv: 1053432, Reason: User Requested

Most syslog-aware systems can parse this to maintain a table of the current and past connections.
0
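The answer above describes two ways of recovering the username that the MIB does not expose: parsing the %ASA-3-713119 (phase 1 completed) and %ASA-4-113019 (session disconnected) syslog messages into a table of current and past sessions, and scraping the `current_peer` lines from `show ipsec sa detail`. The following Python script is an added example, not code from this thread, from Cisco or from any NMS product; it implements both parsers and cross-checks the syslog-derived table against the live peer list so that a missed disconnect message (a stale table entry) or a session that was never logged shows up. The sample syslog and CLI lines are constructed, modelled on the fake ones quoted in the thread, and the function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message IDs quoted in the answer: 713119 = IKE phase 1 completed (session up),
# 113019 = remote-access session disconnected.
MSG_PHASE1_COMPLETE = "713119"
MSG_SESSION_DISCONNECTED = "113019"

# Constructed sample input, modelled on the fake lines quoted in the thread.
SAMPLE_SYSLOG = """\
Apr 06 2009 14:28:20: %ASA-3-713119: Group = TestTestTest, Username = wrsmith, IP = 1.2.3.4, PHASE 1 COMPLETED
Apr 06 2009 14:30:02: %ASA-3-713119: Group = TestTestTest, Username = jdoe, IP = 5.6.7.8, PHASE 1 COMPLETED
Apr 06 2009 15:01:11: %ASA-6-302013: Built inbound TCP connection 12345 for outside:1.2.3.4/51234 (1.2.3.4/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
Apr 06 2009 18:45:10: %ASA-4-113019: Group = TestTestTest, Username = wrsmith, IP = 1.2.3.4, Session disconnected. Session Type: IPsecOverNatT, Duration: 5h:47m:50s, Bytes xmt: 2104395, Bytes rcv: 1053432, Reason: User Requested
"""
# Constructed output of "show ipsec sa detail | grep current_peer".
SAMPLE_SHOW_IPSEC = """\
      current_peer: 5.6.7.8, username: jdoe
      current_peer: 9.10.11.12, username: username3
"""

# Timestamp, severity and six-digit message ID as the ASA writes them.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# "Key = value" / "Key: value" pairs in the body; values run to the next comma.
FIELD_RE = re.compile(
    r"(?P<key>Group|Username|IP|Duration|Bytes xmt|Bytes rcv|Reason)(?: =|:) (?P<val>[^,]+)"
)
PEER_RE = re.compile(r"current_peer:\s*(?P<ip>[\d.]+),\s*username:\s*(?P<user>\S+)")

SessionKey = Tuple[str, str]  # (username, peer IP)


@dataclass
class VpnEvent:
    timestamp: str
    msgid: str
    group: str
    username: str
    ip: str
    detail: Dict[str, str]  # Duration, Bytes xmt/rcv, Reason when present


def parse_syslog_line(line: str) -> Optional[VpnEvent]:
    """Return a VpnEvent for the two remote-access messages of interest, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m or m["msgid"] not in (MSG_PHASE1_COMPLETE, MSG_SESSION_DISCONNECTED):
        return None
    fields = {f["key"]: f["val"].strip() for f in FIELD_RE.finditer(m["body"])}
    if not {"Group", "Username", "IP"}.issubset(fields):
        return None  # malformed body: refuse to create a half-populated record
    group, user, ip = fields.pop("Group"), fields.pop("Username"), fields.pop("IP")
    return VpnEvent(m["ts"], m["msgid"], group, user, ip, fields)


def build_session_table(lines) -> Tuple[Dict[SessionKey, VpnEvent], List[VpnEvent]]:
    """Replay syslog in order: a phase-1 completion opens a session, 113019 closes it."""
    active: Dict[SessionKey, VpnEvent] = {}
    history: List[VpnEvent] = []
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is None:
            continue
        key = (ev.username, ev.ip)
        if ev.msgid == MSG_PHASE1_COMPLETE:
            active[key] = ev
        else:
            active.pop(key, None)  # a disconnect with no seen start is still kept in history
            history.append(ev)
    return active, history


def parse_current_peers(show_output: str) -> Dict[str, str]:
    """Map peer IP -> username from the grep'd 'show ipsec sa detail' output."""
    return {m["ip"]: m["user"] for m in PEER_RE.finditer(show_output)}


def reconcile(active: Dict[SessionKey, VpnEvent], peers: Dict[str, str]) -> Dict[str, set]:
    """Compare the syslog-derived table with the live peer list.
    'stale': in the table but no longer on the box (missed disconnect message).
    'unlogged': on the box but never seen in syslog (logging gap or pre-dates collection)."""
    table_ips = {ip for (_, ip) in active}
    live_ips = set(peers)
    return {"stale": table_ips - live_ips, "unlogged": live_ips - table_ips}


if __name__ == "__main__":
    active, history = build_session_table(SAMPLE_SYSLOG.splitlines())
    for (user, ip), ev in active.items():
        print(f"ACTIVE  {user:<10} {ip:<15} since {ev.timestamp}")
    for ev in history:
        print(f"CLOSED  {ev.username:<10} {ev.ip:<15} {ev.detail.get('Duration')} "
              f"reason={ev.detail.get('Reason')}")
    print(reconcile(active, parse_current_peers(SAMPLE_SHOW_IPSEC)))
```

The table is keyed on (username, peer IP) rather than IP alone, since the same user can connect from two addresses and two users can sit behind one NAT address. Because the ASA only emits 713119 at severity 3 and 113019 at severity 4, the logging level on the device must be at least 4 (warnings) for the disconnect records to reach the collector, which is the point the answer makes about "logging at 4 or higher".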
 
LVL 12

Author Comment

by:chandru_sol
ID: 24126102
Thanks!!

Is there any reason why the username is not displayed as part of the other SNMP strings?

regards
Chandru
0
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24130251
No telling what reasoning goes into designing a MIB by any given vendor, and it MAY be in there somewhere, but I walked the MIB to double check that perhaps it was in a MIB I didn't have loaded, and I saw no usernames in there anywhere.

But between polling the MIBs and parsing your syslog outputs in your NMS, you should be able to get what you want.
0
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24482429
Any success in resolving this issue? Did I answer your question?
0
 
LVL 12

Author Comment

by:chandru_sol
ID: 24684829
Sorry for the delay in getting back to you on this.
I am still not able to get the usernames in SNMP or using OID.
Is there no way of getting this information? Can you let me know how to set up the syslog to get only the user login information?

regards
Chandru
0
 
LVL 12

Author Comment

by:chandru_sol
ID: 24771962
Hi,
Any update on this?
0