Solved

Cisco ASA alert on VPN

Posted on 2013-05-22
Last Modified: 2013-06-06
Hello,

I'm trying to set up an alert on successful VPN login attempts on my ASA 5520. I've not gotten far.

I have Clientless SSL VPN access enabled and working. I see the syslog events when someone logs in and out of the VPN.

How can I set up an email alert to be sent to me when this happens? I have alerts coming to me for critical events and I'd like to add this to my list.

Thank you.
Question by:netcmh
 
LVL 20

Expert Comment

by:rauenpc
ID: 39189733
Below are the commands I used to send email alerts when the primary default route failed (triggered via SLA). I found the syslog error ID (622001) and changed the level to error, created a logging group with that message, and tied that group to the logging mail commands. You would just need to change this to the syslog error ID(s) that you see during logon/logoff. You may need to add an exception on your email server to allow the ASA to send the email.


logging enable
logging list InternetSLA message 622001
logging console errors
logging buffered informational
logging asdm informational
logging mail InternetSLA
logging from-address ASAFIREWALL@company.com
logging recipient-address chris@company.com level errors
logging message 622001 level errors

sla monitor 1
type echo protocol ipIcmpEcho x.x.x.5 interface outside
sla monitor schedule 1 life forever start-time now

smtp-server 172.20.0.10
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39190664
0
 
LVL 20

Author Comment

by:netcmh
ID: 39190765
So, I already have alerts coming to me on critical events.

What I need is the ability to track VPN logins, in addition to the existing:

logging enable
logging timestamp
logging asdm-buffer-size 500
logging console errors
logging monitor debugging
logging buffered warnings
logging trap notifications
logging asdm warnings
logging mail alerts
logging from-address CiscoASA@mycompany.com
logging recipient-address admin@mycompany.com level errors
logging host inside NetAdminPC
logging class vpn trap informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 505013
no logging message 505015
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

How do I proceed?

Thanks
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 39191517
You have logging mail set to alerts. A VPN login is more than likely classified as informational versus an alert. Capture the logon/logoff messages in the syslog, and the message will include the message ID number. Then you can manually change the level of that syslog entry to alert and it will be included in the email.

Let's say the syslog id is 99989

logging message 99989 level alerts

would change the level of that entry and qualify it for your syslog email.
0
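The approach from the accepted answer, as an added example that is not part of the original thread: this Python sketch scans captured ASA syslog text for session start/stop messages, reports each message ID with its current level, and prints the matching `logging message <id> level alerts` commands. The sample lines and the match phrases are constructed assumptions; confirm the IDs against what your own ASA logs at logon/logoff.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread). Verify the
# message IDs against what your own ASA logs at logon/logoff.
SAMPLE_LOG = """\
May 22 2013 10:01:12 asa : %ASA-6-302013: Built inbound TCP connection 1201 for outside:198.51.100.7/51514 (198.51.100.7/51514) to identity:203.0.113.1/443 (203.0.113.1/443)
May 22 2013 10:01:15 asa : %ASA-6-716001: Group <DfltGrpPolicy> User <jdoe> IP <198.51.100.7> WebVPN session started.
May 22 2013 10:19:40 asa : %ASA-6-716002: Group <DfltGrpPolicy> User <jdoe> IP <198.51.100.7> WebVPN session terminated: User Requested.
May 22 2013 10:20:02 asa : %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22 by access-group "outside_in"
"""

# Format: %ASA-<severity digit>-<six-digit message id>: <text>
ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")
# Hypothetical match phrases for session start/stop; adjust to your syslog text.
VPN_PHRASES = re.compile(r"session (started|terminated)", re.IGNORECASE)
# ASA severity names, indexed by severity digit (0 = most severe).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]


def find_vpn_message_ids(log_text):
    """Return {message_id: (current_level_name, hit_count)} for VPN session lines."""
    hits, levels = Counter(), {}
    for line in log_text.splitlines():
        m = ASA_MSG.search(line)
        if m and VPN_PHRASES.search(m["text"]):
            hits[m["id"]] += 1
            levels[m["id"]] = SEVERITY[int(m["sev"])]
    return {mid: (levels[mid], n) for mid, n in hits.items()}


def level_commands(found, mail_level="alerts"):
    """Build commands only for IDs currently logged below the mail level."""
    threshold = SEVERITY.index(mail_level)
    return [f"logging message {mid} level {mail_level}"
            for mid, (lvl, _) in sorted(found.items())
            if SEVERITY.index(lvl) > threshold]


if __name__ == "__main__":
    found = find_vpn_message_ids(SAMPLE_LOG)
    for mid, (lvl, n) in sorted(found.items()):
        print(f"{mid}: currently {lvl}, seen {n} time(s)")
    print("\n".join(level_commands(found)))
```

Raising a message to `alerts` also changes its level for every other logging destination, so check what else filters on that level before applying the commands.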

Question has a verified solution.
