Solved

Cisco ASA alert on VPN

Posted on 2013-05-22
Last Modified: 2013-06-06
Hello,

I'm trying to set up an alert on successful VPN login attempts on my ASA 5520. I've not gotten far.

I have Clientless SSL VPN access enabled and working. I see the syslog events when someone logs in and out of the VPN.

How can I set up an email alert to be sent to me when this happens? I have alerts coming to me for critical events and I'd like to add this to my list.

Thank you.
Question by:netcmh

Expert Comment

by:rauenpc
Below are the commands I used to send email alerts when the primary default route failed (triggered via SLA). I found the syslog error ID (622001) and changed the level to error, created a logging group with that message, and tied that group to the logging mail commands. You would just need to change this to the syslog error ID(s) that you see during logon/logoff. You may need to add an exception on your email server to allow the ASA to send the email.


logging enable
logging list InternetSLA message 622001
logging console errors
logging buffered informational
logging asdm informational
logging mail InternetSLA
logging from-address ASAFIREWALL@company.com
logging recipient-address chris@company.com level errors
logging message 622001 level errors

sla monitor 1
type echo protocol ipIcmpEcho x.x.x.5 interface outside
sla monitor schedule 1 life forever start-time now

smtp-server 172.20.0.10

Expert Comment

by:fgasimzade

Author Comment

by:netcmh
So, I already have alerts coming to me on critical events.

What I need is the ability to track VPN logins, in addition to the existing:

logging enable
logging timestamp
logging asdm-buffer-size 500
logging console errors
logging monitor debugging
logging buffered warnings
logging trap notifications
logging asdm warnings
logging mail alerts
logging from-address CiscoASA@mycompany.com
logging recipient-address admin@mycompany.com level errors
logging host inside NetAdminPC
logging class vpn trap informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 505013
no logging message 505015
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

How do I proceed?

Thanks

Accepted Solution

by:
rauenpc earned 500 total points
You have logging mail set to alerts. A VPN login is more than likely classified as informational versus an alert. Capture the logon/logoff messages in the syslog, and the message will include the message ID number. Then you can manually change the level of that syslog entry to alert and it will be included in the email.

Let's say the syslog ID is 99989:

logging message 99989 level alerts

would change the level of that entry and qualify it for your syslog email.
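
An added example, not part of the original thread or any poster's own code: a Python sketch of the step the accepted answer describes, reading the message ID and severity out of captured ASA syslog lines and building the logging message commands for any ID that falls below the logging mail alerts threshold. The log lines are constructed samples; read the actual IDs off your own ASA's syslog before changing any levels.

```python
import re

# ASA severity keywords; list index = numeric level (0 is most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Every ASA syslog message carries the header %ASA-<severity>-<message id>:
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d+): (?P<text>.*)")

# Constructed sample capture (users and addresses are made up).
SAMPLE = [
    "May 22 2013 09:14:02: %ASA-6-716001: Group <DfltGrpPolicy> User <jdoe> "
    "IP <203.0.113.7> WebVPN session started.",
    "May 22 2013 09:14:05: %ASA-6-302013: Built inbound TCP connection 4711 "
    "for outside:203.0.113.7/51515 to identity:192.0.2.1/443",
    "May 22 2013 09:40:31: %ASA-6-716002: Group <DfltGrpPolicy> User <jdoe> "
    "IP <203.0.113.7> WebVPN session terminated: User Requested.",
]


def find_message_ids(lines, pattern):
    """Return {message_id: severity} for lines whose text matches pattern."""
    wanted = re.compile(pattern, re.IGNORECASE)
    found = {}
    for line in lines:
        m = HEADER.search(line)
        if m and wanted.search(m["text"]):
            found[m["id"]] = int(m["sev"])
    return found


def relevel_commands(found, mail_level="alerts"):
    """Build 'logging message <id> level <mail_level>' for IDs the mail filter drops."""
    threshold = LEVELS.index(mail_level)
    # A numerically higher severity is less severe, so it is filtered out.
    return [f"logging message {mid} level {mail_level}"
            for mid, sev in sorted(found.items()) if sev > threshold]


if __name__ == "__main__":
    ids = find_message_ids(SAMPLE, r"WebVPN session (started|terminated)")
    for mid, sev in sorted(ids.items()):
        print(f"{mid}: logged at {LEVELS[sev]} ({sev})")
    print("\n".join(relevel_commands(ids)))
```

Raising a message to alerts also raises it for every other logging destination that filters by level, so the re-levelled IDs will start appearing on the console, buffer and trap outputs configured above as well.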