6

I've got a vendor that supports some specialized equipment. The network engineer before me set them up with a remote access VPN terminating on a Cisco ASA 5510 so they can remotely administer/troubleshoot the system.

The requirement is to get an alert/notification (e-mail or syslog) when the VPN connection is established and when it is disconnected. This is mainly for billing purposes, i.e. when the vendor claims they spent X hours doing work, we would like some verification method.

I'm hoping someone can point me in the right direction, or if there is a better way of doing this, I'm open to ideas.

EDIT to show what I've attempted so far

This is the config I have on the ASA from when I tried it last time; it didn't work.

logging enable  
logging timestamp  
logging buffered notifications  
logging trap critical  
logging history notifications  
logging asdm informational  
logging from-address [ASA email]  
logging recipient-address [myemail address] level critical  
logging host inside [syslog server]  
logging class vpn mail debugging  
logging class vpnc mail debugging  
Mike Pennington
hyussuf
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. – Ron Maupin Jan 05 '21 at 17:28

3 Answers

3

You need logging mail -- see Cisco ASA 5500 Series Command Reference, 8.2 (or other version) -- to trigger the email.

logging list emaillogin level alerts class auth
logging mail emaillogin
! ^^^^^^^^^^^^^^^^^^^^^
logging from-address asa5510@example.com
logging recipient-address you@example.com level alerts
logging class auth mail alerts
Mike Pennington
generalnetworkerror
3

Expanding on generalnetworkerror's answer:

In addition to adding the mail server to send out mail from (smtp-server XXX.XXX.XXX.XXX), you must use logging level info to see when someone connects; or, if you just want to see when they disconnect (that message includes a duration), use logging level warn. These are the email results from a lab ASA5505 running 8.4 using logging level info (1 line per email):

<166>%ASA-6-113009: AAA retrieved default group policy (anyconnect-split-policy) for user = your_vendor_account

<166>%ASA-6-113008: AAA transaction status ACCEPT : user = your_vendor_account

<164>%ASA-4-113019: Group = anyconnect-split-group, Username = your_vendor_account, IP = 70.210.XXX.XXX, Session disconnected. Session Type: SSL, Duration: 0h:02m:10s, Bytes xmt: 7490, Bytes rcv: 1210, Reason: User Requested

ASA-6: Info level

ASA-4: Warn level

The first two entries are from the login. The last is when I logged my phone out.

The ASA will complain about SMTP logging being inefficient and that you may overwhelm the SMTP server. However, if you use the steps from generalnetworkerror, the logging is limited to "AUTH" entries and you shouldn't be overwhelmed.

some_guy_long_gone
2

Syslog is pretty much automatic (the messages can be very verbose). You'll have to set up something to parse the syslog output (Splunk, etc.). Also, if there's an authentication (accounting) system in place, you could look there for login/logout events.

Ricky
  • It is local username/passwd, no AAA unfortunately. Verbose is putting it mildly. I can set up an alert on a keyword in syslog to email me, so that might be an idea; I just have to find what the syslog message looks like. – hyussuf Aug 23 '13 at 20:52
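
One way to do the syslog parsing suggested in the answers above, as an added example that is not part of any post on this page: it reads %ASA-4-113019 disconnect lines in the format quoted earlier and totals connected time per username for comparison with billed hours. The function names, the sample lines and the optional day prefix in the duration are assumptions.

```python
import re
from collections import defaultdict
from datetime import timedelta

# Matches the %ASA-4-113019 disconnect message quoted in the answer above.
# The optional "Nd " day prefix for sessions over 24 hours is an assumption.
DISCONNECT = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?:(?P<d>\d+)d )?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)"
)

def parse_disconnects(lines):
    """Return one record per disconnect line; every other line is skipped."""
    sessions = []
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue  # login messages (113008/113009) and unrelated syslog noise
        duration = timedelta(days=int(m["d"] or 0), hours=int(m["h"]),
                             minutes=int(m["m"]), seconds=int(m["s"]))
        sessions.append({"user": m["user"], "ip": m["ip"],
                         "duration": duration, "reason": m["reason"].strip()})
    return sessions

def time_by_user(sessions):
    """Sum connected time per username, for comparison with billed hours."""
    totals = defaultdict(timedelta)
    for s in sessions:
        totals[s["user"]] += s["duration"]
    return dict(totals)

# Constructed sample lines in the format shown on this page; the addresses are
# documentation-range placeholders and the second account name is made up.
SAMPLE = [
    "<166>%ASA-6-113008: AAA transaction status ACCEPT : user = your_vendor_account",
    "<164>%ASA-4-113019: Group = anyconnect-split-group, Username = your_vendor_account, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:02m:10s, Bytes xmt: 7490, Bytes rcv: 1210, Reason: User Requested",
    "<164>Aug 23 2013 21:15:02: %ASA-4-113019: Group = anyconnect-split-group, Username = your_vendor_account, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 1h:30m:05s, Bytes xmt: 884211, Bytes rcv: 120933, Reason: Idle Timeout",
    "<164>%ASA-4-113019: Group = anyconnect-split-group, Username = other_account, IP = 203.0.113.77, Session disconnected. Session Type: SSL, Duration: 1d 0h:00m:30s, Bytes xmt: 10, Bytes rcv: 20, Reason: User Requested",
]

if __name__ == "__main__":
    for user, total in time_by_user(parse_disconnects(SAMPLE)).items():
        print(f"{user}: {total} connected")
```

The totals are connected time, which is an upper bound on time worked; the Reason field (for example an idle timeout) helps judge how much of a session was active.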